Page 38 - GCN, Feb/Mar 2018
P. 38

cent of agencies had invested in DLP. Analysts say the percentage of agen- cies with DLP has increased since then, but in a 2017 survey, only one-third of agencies gave themselves a grade of A for their DLP efforts. According to the same survey of 150 federal IT manag- ers, 50 percent said their agencies need to adopt multifactor user authentica- tion, 49 percent said real-time activity monitoring needed to be expanded, and 45 percent said their agencies needed to classify data and adopt DLP.
No agency, of course, can ensure that no adversary will access its network. As a result, vendors that have often been called in to help agencies perform vul- nerability assessments and respond to intrusions have begun to offer services for continuous proactive monitoring of clients’ networks to detect and respond to intruders. The services are called endpoint detection and response (EDR), which refers to the aim of determining the source of any suspected malicious activity on the network.
Symantec recently began offering an EDR service, and Townsend said the government has been slower to adopt EDR than the private sector. “We haven’t seen federal customers moving wholesale to EDR yet,” he said, though he is confident they will.
The basic principle behind EDR is for an organization to assume it has al- ready been breached. The average time between an intruder accessing federal networks and being discovered was 49 days last year, said Brian Hussey, vice president for cyberthreat protection and response at Trustwave, a cybersecu- rity company that offers EDR services. Given the damage that can be done in 49 days, “assume you have an attacker right now in your system, and it is our job to go and find it,” he added.
EDR services monitor all traffic be- tween the network and endpoints — computers and mobile devices — whether they are on premises or re-
motely accessing the network. “These tools give us the ability to monitor ev- ery single event that happens on a net- work,” Hussey said. “A thousand events may happen every single minute. You’re going to be able to monitor and capture every single one of those, bring them into our data center and correlate them not across just one computer but across entire networks.”
Backed up by human analysts, EDR software scans the traffic constantly looking for suspicious behaviors. “We have network forensics and artificial in- telligence capabilities that we can stop and absorb every single network callout, every single piece of traffic, and cull ma- licious activity from there,” Hussey said. “Once we have that, we can use our ac- cessed endpoints as a direct pivot point so we can do a deep-dive investigation and continue the hunt.”
Federal clients’ slow adoption might be due to the fact EDR requires con- tinuous monitoring of the agency’s net- works, something federal network ad- ministrators have been leery about.
“We know without a doubt that ev- erybody is territorial,” said Bill Rucker, president of Trustwave Government Solutions, but he added that those instincts are increasingly being out- weighed by concerns about intruders. And, of course, EDR service providers are required to have the same security clearances as in-house specialists.
Some agencies, however, are imple- menting EDR with their own employees manning the monitors. EDR has made incident response significantly more ef- fective at NIST, said James Fowler, the agency’s acting deputy CIO.
“Before we were using this kind of technology, we would have to pull a computer off the network that was suspected to be compromised, but we weren’t 100 percent sure and then we would do analysis,” he said. “Now we are able to actually go remotely into the box while it is still connected and make a determination as to whether or not it’s compromised. That has been a big im-
Much of EDR’s legwork is automated,
Fowler added, but NIST officials make the final decision when suspicious ac- tivity is detected. “We have set it up so that we get yellow alerts, orange alerts and red alerts based on the nature of the behavior that we are seeing,” he said. “If it’s an orange alert, that would typically mean a human \\\[will\\\] go in there and look at what is actually going on and make a decision as to whether or not ad- ditional attention is needed.”
Identity in hybrid networks
Another major challenge that comes with agencies moving more activities to the cloud and mobile devices is ensur- ing that users are who they say they are. The new infrastructure landscape “is certainly going to require some evolu- tion of the concept behind identity and access management,” Holgate said.
Although many on-premises net- works have long relied on two-factor authentication for identifying users and controlling access, it’s not clear that tra- ditional multifactor authentication is practical with users accessing the net- work via mobile devices and the cloud.
“You can either have an identity as a service that operates in the cloud environment, or you can have kind of a blended model where you connect your on-premises Active Directory with a cloud-hosted version of Active Direc- tory,” Holgate said. Choosing the best fit “requires some thought based on the portfolio of applications and the extent to which you need to have something like a single sign-on.”
According to NIST officials, despite their active use of cloud services for ap- plications and platforms, the agency is still relying on on-premises Active Di- rectory so that they can use two-factor authentication. That strategy, however, has limitations. Until NIST extends au- thentication services between on-prem- ises databases and cloud and mobile users — which officials are considering — those users are not allowed to reach

   36   37   38   39   40