SPONSORED CONTENT
INNOVATION IN GOVERNMENT
THE ERA OF CYBER RESILIENCE

2   Agencies Shift to Cyber Resilience
4   Ready for Next-Gen SIEM?
6   Pervasive Visibility is Critical
8   Intelligence-Driven Security
10  The Challenge of App Security
12  Cyber Resilience: Close Security Gaps
14  From Mission Impossible to Mission Success
16  One-on-One with Ron Ross
The evolving cyber threat landscape requires agencies to develop a more adaptive, comprehensive approach to securing the enterprise.
Learn more at carahsoft.com/innovation
CYBER RESILIENCE SPONSORED CONTENT
AGENCIES SHIFT FOCUS TO CYBER RESILIENCE
In the post-Cyber Sprint era, agencies are taking a more holistic approach to improving their cyber posture.
In the last 18 months, like never before, federal agencies have come to terms with both the importance and complexity of cyber resilience. A number of high-profile data breaches in 2015, followed by the Cyber Sprint, a government-wide assessment of existing security measures, drove home the point that agencies need to think about cybersecurity in new ways.

The traditional focus on preventing attacks, often called perimeter defense, clearly is still necessary, but it is not sufficient. Given the increasing sophistication of cyberattacks, agencies need to integrate security solutions throughout the enterprise. Agencies also need to recognize that cybersecurity is not just a product or service category. It is a discipline that must be integrated throughout an organization and throughout its key processes. This shift in focus from frontline cyber defense to a more holistic concept of cyber resilience will help agencies become more agile in how they identify, mitigate and, when necessary, recover from attacks.

The case for resilience is urgent. According to the Government Accountability Office (GAO), the number of federal information security incidents increased by more than 1,000 percent between 2006 and 2015. Of particular concern are the attacks on what GAO calls high-impact systems, that is, those holding especially sensitive information. Those systems are frequent targets, according to GAO. In a recent study, GAO found that 18 major agencies reported more than 2,000 security incidents targeting high-impact systems, including nearly 500 incidents involving the installation of malicious code. "Increasingly sophisticated threats to information technology systems and the damage that can be generated underscore the importance of managing and protecting them," the report states.

One challenge is that many existing systems are based on outdated technology, according to the Cybersecurity Strategy and Implementation Plan, which the White House issued at the conclusion of the Cyber Sprint.
Over the years, these systems have grown increasingly complex with the proliferation of hardware and software configurations, "which introduces significant vulnerabilities and opportunities for exploitation," the plan states.

This concern with legacy systems has prompted several legislative proposals to help agencies fund modernization efforts. A bill introduced by Rep. Will Hurd (R-Texas) and other lawmakers would allow agencies to create their own working capital funds to upgrade or replace old systems. Another bill, introduced by Rep. Steny Hoyer (D-Md.) and based on a White House proposal, would create a governmentwide $3.1 billion revolving fund for modernization.

Meanwhile, the Office of Management and Budget (OMB) is pushing agencies to change how they monitor the security of their systems. In its recent revision of Circular A-130, the federal government's overarching information management policy, OMB directs agencies to move away from "periodic, compliance-driven assessment exercises" and toward "the ongoing monitoring, assessment, and evaluation of federal information resources." "In today's rapidly changing environment, threats and technology are evolving at previously unimagined speeds," OMB officials wrote in a blog post announcing the new policy. "In such a setting, the government cannot afford to authorize a system and not look at it again for years at a time."

The administration also is trying to provide agencies with easier access to security services. There is a plethora of services available through the General Services Administration's Schedule 70 contract vehicle, but they can be difficult to find. Under the administration's Cybersecurity National Action Plan, GSA will create a special item number for such services as network mapping, penetration testing, phishing assessment, and vulnerability scanning.

Unfortunately, modernization and policy changes can only go so far in addressing the vulnerability of federal systems. According to the GAO, some of the most perplexing security threats get through because of human error: employees clicking on malicious links or attachments, or reusing their passwords.
Ever since the Cyber Sprint, the administration has made teaching federal employees better cyber hygiene one of its top priorities. The State Department, for example, recently announced an initiative to test how its employees respond to phishing attempts.

The administration also realizes that its opportunity to improve cyber resilience is drawing to a close. With the impending election, officials are trying to ensure that their cyber initiatives have enough momentum to continue into the new administration, said Trevor Rudolph, chief of OMB's Cyber and National Security Unit, speaking at a June 15 presentation to the Information Security and Privacy Advisory Board. "We're headed in the right direction," Rudolph said.
THE CYBER RESILIENCE TOOLKIT

SECURITY INFORMATION AND EVENT MANAGEMENT
Agencies collect vast troves of security data through firewalls, vulnerability scanners, intrusion detection systems and other appliances and applications. SIEM analyzes and correlates that data, helping cybersecurity officials identify, prioritize, and respond to potential security threats across the enterprise.

NETWORK VISIBILITY
The complexity of the federal IT enterprise presents a major challenge for cybersecurity experts. Most monitoring tools are system-specific, making it difficult to analyze, manage, and secure IT operations at the enterprise level. A new class of tools is providing IT leaders with pervasive visibility in real time.

INTELLIGENCE-DRIVEN SECURITY
Agencies that focus their efforts solely on defending against attacks are fighting a losing battle. There is no way they can keep up with the constantly evolving cyber threat landscape. Intelligence-driven security leverages information on that threat landscape to help agencies proactively assess the risks they face and develop strategies for detecting and responding to attacks.

APPLICATION SECURITY
With more services moving to the cloud, enterprise applications have become a potential cybersecurity flashpoint. Agencies need to ensure their applications and all associated data are secure no matter where the data resides, whether in a traditional data center, a virtual data center, a managed cloud service environment, or in a public cloud.

DATA LOSS PREVENTION
Cloud, mobility, and related trends in the enterprise have made it easier for employees to access data any time, from anywhere, using any device. While this ease of access is a boon for employee productivity, it complicates cybersecurity efforts. Data loss prevention tools provide a way to track and manage sensitive data wherever it resides or whenever it is in motion.

ENTERPRISE RISK MANAGEMENT
Risk management is an essential discipline in cybersecurity. If agencies don't understand the risks associated with given systems across their enterprise, they can't make informed decisions about how to prioritize and protect them. An enterprise risk management system aggregates and visualizes risk-related data to create an integrated, holistic view of the risks facing an enterprise.
IS YOUR AGENCY READY FOR NEXT GENERATION SIEM?
As data stores continue to grow, SIEM tools are stepping up with advanced monitoring and analysis capabilities.

TAMMY TORBERT, WORLD WIDE SOLUTIONS ARCHITECT, FEDERAL, HPE

Government agencies are generating and consuming more and more data. Their determination to perform the analytics required to pursue hacks and defuse security exploits across their networks is driving this data deluge. Now they may be asking themselves whether their big data diet is getting too big. According to Gartner researchers, the amount of data expected to be pooled and analyzed by enterprise security providers will double through the end of this year. At that rate, data stores may tax the ability of agencies to perform sufficient threat analysis on their data early enough to prevent the next breach.

Over the past decade, the workhorses of security data collection and analysis have been Security Information and Event Management (SIEM) systems: a set of services offering real-time monitoring and correlation of security events as well as long-term storage and reporting of log data. SIEM combines security information management and security event management to analyze security alerts generated by network hardware and applications. These technologies also log security data and generate compliance reports.

Given the amount of information being collected and analyzed, SIEM is under constant pressure to do more with less. Security researcher Marcus Ranum recently suggested it was time to establish a next generation of SIEM capable of producing "less data that is more significant, while absorbing even more raw input." Next generation SIEM technology will likely include advances in the collection and analysis of contextual data. It will also have new algorithms for both historical and real-time data analysis and the ability to monitor cloud and other emerging virtual environments.

Gartner research director Anton Chuvakin says he envisions the debut of new and greatly improved analysis algorithms. These should also be able to operate in newer environments such as hypervisors and deep within applications, "where an IP address means nothing and logs are even more esoteric."

Next generation SIEM technologies are also likely to incorporate a variety of new analytics techniques, including ways to help Security Operations Center (SOC) managers identify threats by examining behavioral patterns across security datasets. The growing demand for security analytics reflects the expanding interest in bringing commercial business intelligence technologies into the SOC to help analyze security datasets.

As agencies encounter more sophisticated adversaries, challenges remain across the SOC. These include how to handle security at big data scale and how to reduce the time to respond to security attacks. Other ongoing hurdles include improving consistency and efficiency within the SOC, and how to integrate analytics capabilities to produce high quality results.

Ultimately, however, building the next generation SOC will depend on how well agencies use next generation SIEM. It also depends greatly on how well it's executed by individual analysts. Looking ahead, agencies with large security programs may not be meeting the mark. In driving the capabilities of the SOC using next generation SIEM, however, as well as new analytical capabilities, agency security executives should be able to move cybersecurity programs much further downfield, and do a much better job.

Tammy Torbert is World Wide Solutions Architect, Federal, HPE.
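The kind of correlation a SIEM performs over collected events, shown as an added example that is not part of the original article and is not HPE code: the block parses constructed syslog-style SSH authentication lines, applies a sliding-window rule (several failed logins from one source address against a host, followed by a successful login to that host), and sets the alert's severity from a constructed asset-context table of the sort a vulnerability scanner or CMDB feed would supply. The hostnames, addresses, log format, thresholds and the context table are all assumptions.

```python
"""SIEM-style correlation: brute-force-then-success, enriched with asset context.

Added example, not from the original article. All log lines, hostnames,
addresses and the asset table below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style SSH authentication events (timestamp, host, message).
AUTH_LOG = """\
2016-06-15T09:00:01 hr-db-01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001
2016-06-15T09:00:03 hr-db-01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51002
2016-06-15T09:00:04 hr-db-01 sshd[1201]: Failed password for root from 203.0.113.7 port 51003
2016-06-15T09:00:06 hr-db-01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51004
2016-06-15T09:00:09 hr-db-01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51005
2016-06-15T09:05:00 web-01 sshd[1311]: Failed password for jdoe from 198.51.100.20 port 40001
2016-06-15T09:20:00 web-01 sshd[1350]: Accepted password for jdoe from 198.51.100.20 port 40002
"""

# Constructed asset context of the kind a vulnerability scanner or CMDB feed
# would supply; the SIEM uses it to prioritise an alert, not to detect.
ASSET_CONTEXT = {
    "hr-db-01": {"high_impact": True, "critical_findings": 2},
    "web-01": {"high_impact": False, "critical_findings": 0},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_auth_log(text):
    """Turn raw lines into normalised event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Alert when one source address accumulates >= threshold failures against a
    host inside `window` and then logs in successfully to that same host."""
    alerts = []
    failures = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > window:  # expire stale failures
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            continue
        if len(recent) >= threshold:
            ctx = ASSET_CONTEXT.get(ev["host"], {})
            alerts.append({
                "rule": "brute-force-then-success",
                "src": ev["src"],
                "host": ev["host"],
                "user": ev["user"],
                "failures": len(recent),
                # high-impact systems (in the GAO sense) get the higher severity
                "severity": "critical" if ctx.get("high_impact") else "medium",
                "critical_findings": ctx.get("critical_findings", 0),
            })
            recent.clear()
    return alerts


def run(text=AUTH_LOG):
    """Parse the constructed log and return the correlated alerts."""
    return correlate(parse_auth_log(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input, the 203.0.113.7 sequence against hr-db-01 produces one critical alert (four failures inside the window, then a success); the single failure from 198.51.100.20 has expired from the window by the time that user logs in, so no alert is raised. The point the article makes about "less data that is more significant" is visible here: seven raw events become one prioritised alert.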
Fearlessly innovate Cybersecurity confidence you can depend on Your mission requires enterprise security that’s built-in, not bolted-on. Where analytics proactively detect and respond to threats, and risk and compliance solutions underpin recovery plans to maintain operational continuity. Hewlett Packard Enterprise helps deliver a measurable reduction in risk so you can innovate fearlessly. Learn more at Carahsoft.com/innovation/HPE-Cyber
Accelerating next Hewlett Packard Enterprise
PERVASIVE VISIBILITY: KEY TO DATA SECURITY
To keep ahead of potential attackers, agencies need to have a clear view of what is happening on their networks.

DENNIS REILLY, VICE PRESIDENT OF FEDERAL, GIGAMON

Visibility into data is critical for security. If you can't see the data, you can't protect it. Data is traversing the physical and virtual worlds and could be on-premises or in the cloud. For enterprises that have data in such heterogeneous environments, breaches are almost a foregone conclusion because any network will have blind spots and adversaries will find and exploit those weaknesses.

Most advanced persistent threats (APTs) designed to steal data from victim networks will follow the APT kill chain model, which breaks down attacker behavior into six stages: network reconnaissance; a phishing or zero-day attack; installing backdoor malware on victims' computers; lateral movement to discover victim networks; data gathering; and finally data exfiltration. It's important to look for malicious activities across all stages of the kill chain. This includes lateral movement such as victim computers contacting their command and control server and malware making DNS queries to these servers. In these scenarios, organizations can look to network metadata to provide an early warning system. Through metadata analysis, they can home in on suspicious activity and then proceed with SIEMs, behavioral analytics, and machine learning tools to uncover or predict the behavior of bad actors.

Resolving the Encryption Issue
A few years ago, only about five percent of data was encrypted. Gartner forecasts that by next year as much as 50 to 80 percent of data will be encrypted and more than half of the threats will come through encrypted channels like SSL. Once considered a security mechanism, SSL has now become a dangerous threat vector. Again, what you can't see, you can't protect. That's why it is critical both to see data that's in the clear and to decrypt any encrypted data so nothing is missed. The problem is that many cybersecurity tools either aren't capable of decryption or would take a major performance hit during the process. Instead, what's needed is an effective and efficient way to offload SSL decryption and continue to provide your cybersecurity tools with full visibility of all traffic to detect and prevent malware and other attacks.

Intelligent, Pervasive Visibility Across All Environments
All is the key. Traditional security solutions will only perform at a limited level unless they're informed by intelligent, pervasive data visibility across all traffic, including the physical network, the virtual space, software-defined networks, and the cloud.
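The network-metadata early warning described above, as an added example that is not part of the original article and is not Gigamon code: the block parses constructed DNS query logs (timestamp, client, query name) and flags two things a command-and-control channel leaves in metadata even when its payload is encrypted, regular beaconing (one client querying the same domain at near-constant intervals, as a timer-driven implant does) and DGA-like host labels (long, high-entropy names). The log format, the thresholds, the two-label approximation of a registered domain, and every address and domain name are assumptions.

```python
"""Early warning from DNS metadata: beacon periodicity and DGA-like names.

Added example, not from the original article. The log lines, client addresses,
domain names and thresholds are constructed for illustration.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DNS query log: "<timestamp> <client> <qname>", one query per line.
DNS_LOG = """\
2016-06-15T10:00:00 10.0.0.5 update.example-cdn.net
2016-06-15T10:01:00 10.0.0.5 update.example-cdn.net
2016-06-15T10:01:59 10.0.0.5 update.example-cdn.net
2016-06-15T10:03:00 10.0.0.5 update.example-cdn.net
2016-06-15T10:04:00 10.0.0.5 update.example-cdn.net
2016-06-15T10:00:00 10.0.0.9 mail.corp.example
2016-06-15T10:02:30 10.0.0.9 xk3j9qpz7w2b.badzone.biz
2016-06-15T10:05:00 10.0.0.9 mail.corp.example
2016-06-15T10:15:00 10.0.0.9 mail.corp.example
2016-06-15T10:16:40 10.0.0.9 mail.corp.example
2016-06-15T11:06:40 10.0.0.9 mail.corp.example
"""


def parse_dns_log(text):
    """Return (timestamp, client, qname) tuples; qnames normalised to lower case."""
    records = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Assumption: the last two labels approximate the registered domain.
    A real deployment would consult the Public Suffix List instead."""
    return ".".join(qname.split(".")[-2:])


def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def find_beacons(records, min_queries=5, max_cv=0.2):
    """Flag (client, domain) pairs queried at near-constant intervals.
    The coefficient of variation of the inter-query gaps is low for a
    timer-driven beacon and high for human-driven lookups."""
    times = defaultdict(list)
    for ts, client, qname in records:
        times[(client, registered_domain(qname))].append(ts)
    alerts = []
    for (client, domain), stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append({"type": "beacon", "client": client, "domain": domain,
                           "period_s": round(mean), "cv": round(cv, 3)})
    return alerts


def find_dga_like(records, min_len=12, min_entropy=3.5):
    """Flag query names whose leftmost label is long and high-entropy."""
    alerts = []
    for _, client, qname in records:
        label = qname.split(".")[0]
        if len(label) >= min_len and label_entropy(label) >= min_entropy:
            alerts.append({"type": "dga-like", "client": client, "qname": qname,
                           "entropy": round(label_entropy(label), 2)})
    return alerts


def early_warning(text=DNS_LOG):
    """Run both metadata checks over the constructed log."""
    records = parse_dns_log(text)
    return find_beacons(records) + find_dga_like(records)


if __name__ == "__main__":
    for alert in early_warning():
        print(alert)
```

On the constructed log, 10.0.0.5 is flagged as beaconing to example-cdn.net with a 60-second period, the irregular mail.corp.example lookups from 10.0.0.9 pass (their gap variation is far above the threshold even though the query count is the same), and the single xk3j9qpz7w2b.badzone.biz lookup is flagged on entropy alone. None of this needs the payload: the timing and the names are metadata, which is the reason the article points to metadata as the early-warning layer before SIEM and behavioural analytics are brought in.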
Due to limited budgets, government agencies may be considering the cloud. However, they may also be delaying adoption because they are concerned that they’ll lack the necessary visibility to protect their mission-critical data. If they were guaranteed pervasive visibility before all else, they could defend data regardless of where it travels and where it resides and be more assured of keeping ahead of potential attackers at minimal cost. Dennis Reilly is Vice President of Federal, Gigamon.
Cybercriminals. Now there’s nowhere to hide. Bring the power of network visibility to the security fight with GigaSECURE®, the world’s first Security Delivery Platform. It’s time to turn the tables on the attackers. To learn more visit: Carahsoft.com/innovation/Gigamon-Cyber
INTELLIGENCE-DRIVEN SECURITY ENABLES RESILIENCE
As more sophisticated adversaries emerge, agencies have to rethink security management practices.
TONY COLE, VICE PRESIDENT AND GLOBAL GOVERNMENT CTO, FIREEYE

Nation-states, organized crime and hacktivists have flipped the script on cybersecurity in the federal government. The threats posed by these groups are stealthier, more sophisticated and more ambitious than ever before. Agencies have to rethink how they prepare for and respond to cyberattacks. This new reality is captured in a powerful new documentary entitled "Zero Days," which explores the ramifications of cyberwarfare between nation-states and the emergence of cyberterrorists.

The risks posed by these new players are exacerbated by the arrival of digital natives in the federal workforce. These are individuals who have grown up in an interconnected world and whose proclivity for sharing could inadvertently provide adversaries with information needed to target government systems.

In this new environment, federal agencies can't rely on the traditional approach of revising cybersecurity strategies on a periodic, as-needed basis. Today, "as needed" means "continuously." Agencies must continuously evolve their cybersecurity policies, processes, systems and expertise. Their adversaries are continuously evolving as well. They will exploit any gap that they see. And they will be successful.

That hard truth, that even the best defense can and will be compromised, is why agencies must stop thinking in terms of cyberdefense and instead focus on cyber resilience. Once you accept that breaches are inevitable, the question is whether you can detect them quickly enough to mitigate the damage. And if damage is already done, can you continue operations? Banks are a good example. When banks are attacked, they don't have the option of simply taking a server offline while they fix the problem. Banks have developed resilient infrastructures that let them operate through a breach while it's being resolved.

Resilience encompasses more than just incident response. To improve the odds of anticipating and mitigating threats, agencies need to develop a deeper understanding of the threat landscape. If somebody is trying to break in, they need to understand who it is, how they are doing it, and why. This is what military leaders call situational awareness.

In theory, situational awareness should be simple in the cyber domain. There's an enormous amount of data generated on a continuous basis. Unfortunately, the sheer volume only clouds the picture. Security operations centers struggle to sift out true threats from the growing number of false positives. It's like trying to find a needle in a haystack that is growing exponentially. This often results in what's known as alert fatigue.

Data is not enough on its own. Agencies need tools and processes to convert data into actionable intelligence. They must identify and respond to threats in real time; develop a better understanding of their adversaries and prepare for emerging threats; and move to an adaptive defense that evolves as threats evolve. This is intelligence-driven security. This is how agencies can improve their odds of managing this new threat environment.

Intelligence-driven security is a significant change from how agencies are used to managing security. Many agencies might find they lack the cyber expertise to make this transformation, and may resist the push to quickly adopt new technology. The script has flipped, though, whether we like it or not. We must all evolve.

Tony Cole is Vice President and Global Government CTO at FireEye.
WHAT IS ‘GOOD ENOUGH’ SECURITY REALLY COSTING YOU? Truth is, good enough security is just not good enough. You simply can’t focus on just prevention or detection and call it a day. When — not if — a breach happens, who do you want on your side? The experts who are on the front lines of comprehensive detection, analysis and response or the other guys? FireEye. KNOW THE TRUTH. Carahsoft.com/innovation/FireEye-Cyber
© 2016 FireEye, Inc. All rights reserved.
RISE TO THE CHALLENGE OF APPLICATION SECURITY
Long treated as an afterthought, application security is now a key component of an enterprise security strategy.
RANDY WOOD, VICE PRESIDENT, FEDERAL, F5 NETWORKS

For many organizations, application security has long been a hidden vulnerability, one often overlooked in cyber planning even though it poses a significant and growing threat. Government agencies have come a long way in recognizing that it's not enough to defend the perimeter of the enterprise. Many are just beginning to realize the enormity of the security challenge presented by their enterprise applications. Left unprotected, these applications can serve as a back door to the enterprise, leaving mission-critical data dangerously exposed.

The challenge can seem overwhelming. In many agencies, IT managers can't even say how many applications they have. Also, the application environment has grown increasingly complex. As agencies use cloud and mobility to extend applications to users wherever they are and whatever device they might be using, they are further exposing their data.

Unfortunately, application security defies an easy fix. Many legacy applications were developed at a time when application security was an afterthought at best. Retrofitting a security solution might be a necessity, but it's far from ideal. This will become less of an issue over time as new applications are architected with security in mind.

In developing any solution, agencies must keep in mind the end-user application experience. Solutions that restrict access or impede performance won't succeed. As we've seen in the past, when users get frustrated, they often look for workarounds that compromise security.

Still, as daunting as it seems, application security is achievable. Here are three thoughts to keep in mind when developing a strategy:

First: The best policy is zero trust. Trust no application, no user and no traffic flow. Instead, rely on strong, multi-factor authentication to provide access to all applications and related resources. At the same time, don't make it overly complicated. A user should be able to sign on to the network once, with the backend system managing access control.

Second: You can't secure what you can't see. For a long time, encryption has been the key. Developers rely on Secure Sockets Layer (SSL) technology to protect data in transit. That has proven to be a double-edged sword. In some high-profile data breach cases, hackers used SSL to mask data they were exfiltrating, making it difficult for agencies to understand what was happening until it was too late. In the case of outbound traffic, it's important to provide an "air gap" in which security teams can view encrypted data as clear text, then re-encrypt it as it continues on its path. However, they must do this in a way that doesn't tax performance too heavily.

Third: Don't treat all applications the same. No application should be left behind, but some applications clearly require a higher level of security than others. An agency should have a comprehensive set of security policies and services tailored to address the risk level of a given application, based on the nature of the data, the service it is supporting, the context in which end-users are working, and so on.

Application security is clearly a complex challenge, and the stakes are high. But today more than ever, the tools and understanding are available to meet this challenge and strengthen the overall security of the federal enterprise.

Randy Wood is Vice President, Federal, F5 Networks.
Secure User Access to Apps. Application-focused access and identity services are critical to maintaining a positive security posture while enabling users to access applications from anywhere at anytime. With access and identity architectures based on full user, application, and network context awareness, F5 enables single-sign on and federation of application access across the data center and into the cloud, while maintaining the integrity of data through comprehensive endpoint inspection and anti-malware services.
Learn more at carahsoft.com/innovation/F5-Cyber
RISK AND CYBER RESILIENCE: CLOSING SECURITY GAPS
The manner in which agencies integrate technologies into infrastructure creates gaps and security holes that must be addressed.
ROBERT POTTER, VICE PRESIDENT, AMERICAS SALES, SYMANTEC

As cyberthreats become more pervasive and harder to predict, organizations have to be prepared for any outcome. That's why the concept of cyber resilience is so important. Cyber resilience isn't about eliminating risk but about being able to detect and mitigate problems and maintain continuity in a reliable and trusted way to support citizens and the mission.

At its earliest stage, the concept of cyber resilience meant blocking and keeping bad guys out. Over time, we've learned it's the manner in which you integrate technologies into your infrastructure that actually creates gaps and security holes. Cyber resilience now means understanding those gaps.

Agencies can take steps to close those gaps, starting with identifying people with valid access credentials. Even today, with the myriad threats out there, the misuse of a valid identity creates havoc through phishing attacks, ransomware and other approaches. Organizations must keep track of how they manage identities to ensure credentials grant appropriate access. They must monitor how network traffic is flowing and how devices are communicating with each other. And they must have intelligent data protection in the data center to recognize and protect information.

Organizations must also know how to scale that protection, not just to endpoints, the network and the data center, but also to social media and the cloud as data moves back and forth. Is the multi-tenancy in those environments being protected? Deploy the best solutions to automate some of that capability, and carefully consider how to integrate those pieces. If your solutions don't integrate, the gaps widen.

There are other critical aspects to enhancing cyber resilience as well. One is having the network intelligence to recognize anomalies. Full visibility into network communications is also essential. And most importantly, agencies need to establish policies and deploy technologies for data loss prevention and encryption. When someone infiltrates your network, make sure they can't get away with any valuable data.

Education is another critical factor. There is a lot of information about products, but not enough about solutions or how to integrate products into a platform. Many organizations acquire technology, but don't necessarily have the skills to deploy it correctly. Vendors must do a better job informing customers how they integrate with other solutions, how they partner, and how they offer combined collaborative solutions. It's incumbent on the vendor to integrate their technologies with other technologies to make the security stack more collaborative, more holistic, and elevate an organization's security posture.

At Symantec, security as a service leverages the intelligence vendors and partners bring to the table. This means access to our consumer division, our enterprise division, our government division, and the investments we make globally in our global threat intelligence system. Building a strong public/private relationship is important because it fosters a strong sense of community.

Not only is the infrastructure changing, but also the job responsibilities. As organizations build cyber resilience plans, it's important to understand that their touch points are going to evolve and expand far beyond where they are today. An agile and adaptable infrastructure will become critical.

Robert Potter is Vice President, Americas Sales at Symantec.
TRACK, PURSUE, AND NEUTRALIZE THREATS.
The longer threats remain undetected, the more damaging they become. Take control of your information and fight threats on your terms. It’s time to start advancing security. Learn more at Carahsoft.com/innovation/Symantec-Cyber.
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
HOW TO GO FROM MISSION IMPOSSIBLE TO MISSION SUCCESS
Government agencies need to rethink the way they look at cyber defense to ensure that cyber policies and goals are integrated in day-to-day mission execution.
JACKLYN M. WYNN, VICE PRESIDENT, STRATEGY AND MARKET DEVELOPMENT, GLOBAL PUBLIC SECTOR AT RSA, THE SECURITY DIVISION OF EMC

Cyber defense is mission-critical for every public sector organization. Every federal, state and local government agency is responsible for defending the security of the data and IT systems in its care, and also for aiding in the broader cyber defense of the homeland against disparate adversaries. Truly, the mission of cyber defense transcends government agency elements and organizations.

Unfortunately, government agencies have experienced painful episodes underscoring that this security vision has not been operationalized. Government organizations are acknowledging the fact that they have not been fully effective at preventing or even reducing the impact of breaches in many respects. By and large, this failure is due to a continued focus solely on preventative approaches. These preventative and perimeter-based IT security systems, like all the castles built in history, are ultimately always breached.

Throwing money at disjointed solutions (even if cutting edge or disruptively innovative) has not added to the safety and security of agency IT infrastructure or driven coherent cyber risk management and governance. Investments and capabilities in one area must be leverageable and discoverable across the entire IT footprint. Unfortunately, many investments that have been made have not been integrated into the broader security mission.

Government agencies at all levels face motivated, agile, and well-funded adversaries that want to cause significant harm. And in today's world, they can. As the stakes in the battle have escalated, past models addressing cyber threats have, as noted, performed poorly in securing organizations from the threats they face. What's needed is to fundamentally rethink the way that government agencies look at cybersecurity.

The first step is driving operationally relevant cybersecurity. This requires that the cyber policies and goals that government executives set are integrated in day-to-day mission execution. Today, there is a profound disconnect in this area. To address the gap, agencies must obtain effective cyber command and control capabilities. There are three key focus areas to attain this state:

1. Know what's happening on your network, cloud infrastructure, and device footprint. Organizations need pervasive network visibility, from the endpoint to the cloud. This helps IT teams maximize the preventative power of perimeter tools and reduces the "dwell time" of successful breaches.

2. Remove the blinders of silos and disjointed systems. For example, agencies must ensure that all monitoring teams, from audit to security to HR, can track, communicate, and defend across application, environment, and user device.

3. Deploy an effective identity management program. Minimize unauthorized access to devices and IT assets with authentication capabilities that verify users with a high level of assurance, across a large range of devices and environments.

There is no magic bullet or tool for winning the cyber battle. That said, the three areas of cyber hygiene discussed above, if properly addressed, can deliver effective cybersecurity. This is borne out in data repeatedly cited by the US Department of Homeland Security and GSA that estimates that 96 percent of breaches could be mitigated through competent cyber hygiene. Clearly this approach can have a substantial impact in the battle for cybersecurity across the public sector. The cyber battle is the fight of this era, and a mission that the government cannot afford to lose.

Jacklyn Wynn is Vice President, Strategy and Market Development, Global Public Sector at RSA, the Security Division of EMC.
Executive Viewpoint
ONE-ON-ONE WITH RON ROSS
A Fellow at the National Institute of Standards and Technology (NIST) and leader of the Federal Information Security Management Act Implementation Project shares his views on building cyber-resilient systems. Ron Ross recently spoke with Francis Rose, host of Government Matters on ABC 7 and News Channel 8, about how agencies need to look beyond simply protecting systems and data and instead consider how the enterprise responds to the constantly evolving threat landscape.
Rose: What are agencies and industry missing as they go about building the most cyber-resilient systems possible?
Ross: We’re building a powerful and complex information technology infrastructure. You can see the direction we’re going by the convergence of computers and physical systems. The buzzword you hear a lot is the “Internet of Things.” That represents the vast deployment of computers, driven by firmware and software, in almost everything that you can imagine. Whether it’s critical infrastructure or otherwise, there’s this massive infusion now of computers bringing this world to great new heights as far as capability, productivity and all the things that we enjoy with this wonderful new technology. In the ocean, there are things below the waterline you can’t see. And there are things above the waterline you can see very clearly. A lot of the cyber work we’re doing today doesn’t reach below the waterline. That’s where industry plays a major role, because they’re the ones building the hardware, the software, the systems and all the things upon which we depend.
Rose: IT leaders within the government have reached the point of recognition that they will be hacked. How can they ensure their systems are resilient enough to recover?
Ross: Most CIOs and CISOs worry about things above that waterline. We know from the empirical data we’ve gathered over more than two decades: there are certain percentages of adversaries that get into your system and do damage. How do you limit the damage they can do? Let’s use the OPM breach as an example. Let’s say they have 21 million records. In many cases, the adversary penetrates one system and then works its way in through privilege escalation. To protect those records, you may have some design decisions. One would be to decide on a mandate like: “The only records that are going to be accessible to our field agents are those that they have to work on every day—just one-tenth of one percent of the records. Everything else is going to be taken offline, or into a different domain.”
It’s not just personal information records. It’s information pertaining to intellectual property, national security, and economic security. That’s why all the things we’re working on at NIST with regard to cybersecurity issues are so important, because of this great dependence on the technology.
Rose: Over the years, the focus for cybersecurity has shifted from perimeter defense to data defense. What can agencies do to better protect their data?
Ross: Agencies need to focus on prioritizing their data. Now that we can collect so much data, it’s making the problem of data security worse. For example, if you only have a certain amount of space in your house, you have to go through every spring and do the house cleaning and get rid of stuff. With bits and bytes, data can pile up quickly because we’re only constrained by the technology of the storage devices, which is rapidly expanding. That’s why the concept of having a “safe deposit box” within your agency’s IT infrastructure is so powerful. There are certain things that we’re going to want to make sure we have extra, special protections for. For these valuables, we have to take them to the bank or buy the safe deposit box. It costs more—it’s more work—but it’s worth the effort, and it also causes us to go through our things. We have to prioritize and make decisions about what’s important, what can be retrievable, and what things are so special that we absolutely have to go to that next level of protection.
Rose: What do you expect to be the biggest resilience questions government will ask, both about its own security and in policy making?
Ross: We’re working against a society compelled to use technology because it’s so powerful and affordable. You combine those two factors and people will tend to buy and use a lot of it. We’re trying to encourage people to do the right thing—to build in security. At the same time, we realize we live in an imperfect world where you can’t have 100 percent confidence or assurance in every system or every component.
Rose: What do you see as the next step for government agencies in this evolution towards cyber resilience?
Ross: At NIST, we’re trying to address this problem of complexity and how we can build systems and components of systems that are more trustworthy and more secure going forward. Until we can manage that complexity and have the ability to understand the trustworthiness of the things we’re building and using in routine places and critical places, we are never going to be able to enjoy the fullest extent of that technology. The downside of all this is that it can result in catastrophic failure, which may be deeply hidden in the basic systems we’re building today. This is going to be an evolutionary process, because it’s culture, it’s technology, it’s people. It’s trying to get the message across in a world where many of these vulnerabilities are unknown vulnerabilities. That’s the other thing that makes it hard. It’s easy to look at your known vulnerabilities. With our vulnerability scans and all the tools we use, we can see our current, known vulnerabilities, but there’s an almost exponential growth in the number of unknown vulnerabilities hiding below the waterline just because the complexity continues to grow and that complexity is equivalent to what we call the “attack surface.” You’re just giving the adversary more opportunities to do damage. That’s again one of the major themes of our new security engineering guidelines: reducing and managing complexity, reducing and managing the attack surface.
This interview continues at carahsoft.com/innovation/Ross