Advanced Threat Protection in the Public Sector: Addressing 3 Critical Shortfalls
Industry Perspective
INTRODUCTION: UNDER SIEGE
Federal networks and systems today are under unrelenting attack by persistent, sophisticated and resourceful adversaries who operate on behalf of nation states or criminal groups with the aim of stealing sensitive data, causing harm or exploiting federal and military systems. Furthermore, the problem is worsening: the Government Accountability Office reported that cyber incidents affecting federal systems spiked from 5,503 in 2006 to 67,168 in 2014 — an incredible 1,121% increase.

Many of these incidents are likely from advanced persistent threats, or APTs. This category of cyberthreat is particularly difficult to detect and protect against for several reasons. For one thing, APTs are tailored to penetrate specific targeted networks or organizations. For example, an attacker may insert malicious code via an email customized to a specific person with access to a targeted network. The email will be designed to appear as though it came from a friend, relative or colleague so as to gain that person’s trust in disclosing a password or opening a malicious attachment. Or an attacker may rely on other sophisticated means, sometimes employing so-called “zero day” tactics, which exploit vulnerabilities in software or hardware that are not publicly known. Also, APTs approach from multiple vectors, such as email, a Web page or a shared file. They are often the product of extensive planning and resources. They take the form of a campaign over time, not just a single piece of malware, which increases the chances of success. They enter a network quietly and remain stealthy long afterward. If and when they are detected, it is often already too late to prevent damage.

The proliferation of cyber incidents reported by federal agencies reflects many challenges confronting government. For example, many agencies struggle to assess risks and to develop and implement security controls. Many are also vulnerable due to poor basic cyber hygiene, budget constraints, excessive access points to the Internet, cyber skills shortages and the prevalence of legacy IT systems ill-designed for security. These are generally well-known challenges that policymakers are working to address. But there also are technical challenges that complicate the government’s ability to counter advanced threats.

Three industry experts — Ken Durbin, Unified Security Practice Manager, and Tom Blauvelt, Security Architect, both at cybersecurity company Symantec, and Don Maclean, Chief Cybersecurity Technologist at DLT Solutions — discussed these technical challenges with GovLoop and how federal managers can address them. They agree that federal agencies can contain advanced threats if they bolster identification and authentication capabilities, implement data loss prevention, and automate cybersecurity functions as much as possible. This Industry Perspective will assess each of these challenges and offer insights into how existing solutions and technologies can help agencies address them effectively.
3 Critical Capabilities for Fending off Cyberthreats
Defending any vast enterprise against advanced, persistent cyberthreats requires a holistic and layered approach that integrates the smart use of policy, processes, technology, strategy, education, skillsets and architecture. In this report, we examine three specific technical dimensions of the problem that federal agencies are struggling to master and offer insights into how they might better address them:

1. The ability to ensure that only the right people have access to the right information
2. The ability to prevent the catastrophic loss of critical data, either from outside or within
3. The ability to automate many aspects of cyberthreat detection, analysis and response
IDENTITY AUTHENTICATION & ACCESS MANAGEMENT
One of the biggest technical weaknesses plaguing federal agencies is the inability to authenticate the identities of people logging on to their networks. The Office of Management and Budget concluded that nearly a third of federal cybersecurity incidents reported “are related to or could have been prevented by strong authentication implementation.”

Many agencies are strengthening their identity authentication regimes by requiring multiple factors of identification for those who must access a privileged network. These factors include: (1) something the user has, such as a Personal Identity Verification (PIV) card or Common Access Card (CAC); (2) something the user is, such as a fingerprint or iris scan; and (3) something the user knows, such as a password, key code or answers to security questions. Across the government, the goal today is to stand up two-factor authentication regimes — typically, the swipe of a PIV or CAC card and a password — to provide network access to their workforces. Many agencies made progress at this during the 2015 Cybersecurity Sprint initiative directed by OMB. But in many quarters of government, network access still rests on single-factor authentication: the password.

The problem is that passwords are fairly easily hacked. People choose weak passwords because they are easier to remember or because they underestimate the need for security. When agencies do impose tighter rules for more complex passwords, help desk call volumes spike, prompting some organizations to relax password standards. Shorter, less complex passwords can often be cracked in minutes through so-called “brute force attacks,” in which specialized software is employed to guess millions of combinations of letters and words per second. Hackers also employ keyloggers, guessing, sifting through password dumps or conning an IT customer support agent into resetting a password, among other tricks.
Multi-factor Authentication
But even as some federal agencies are still working to stand up two-factor identity authentication regimes, the landscape is shifting. The increasing sophistication of APTs is prompting more security-savvy organizations to adopt three-factor identity authentication and even to abandon the use of passwords entirely because they have proven unreliable as a security device. “[Federal agencies] are just getting to two-factor authentication when there are plenty of three-factor authentication solutions that would exponentially increase the ability to make sure the person logging in is who they say they are and should be granted access,” Symantec’s Durbin said.

So what does three-factor authentication look like? It could work like this, Symantec’s Blauvelt said: A federal employee logs into a network and enters a password (Factor 1: something she knows). Then a prompt is sent to her smart phone, which contains a digital certificate verifying the phone belongs to her (Factor 2: something she has). The prompt asks the employee to confirm she is trying to access the network. She responds to the prompt by scanning her fingerprint on the smart phone (Factor 3: something she is).

“The problem in the past with getting people away from username and password has been they don’t want to add any more complexity to their login process,” said Blauvelt. “But with this new technology, it’s simply using your username and password and then putting your thumbprint on your phone, or just pressing the ‘accept’ pop-up button [on the smartphone]. That adds very little additional overhead to the user’s process and for the amount of security this buys you, it’s well worth it.”

These capabilities are embodied in Symantec Identity Access Manager, which enables an agency to enforce identity and/or context-based (identity, group, device, IP range) policies that allow enterprises to shift applications to the cloud without loss of control.
It supports integration with strong authentication technologies, such as Validation and ID Protection (VIP) Service, one-time-password (OTP) and Managed PKI Service digital certificates, to validate user access. Strong authentication can be implemented at initial login, in addition to a “step-up” policy for any Web application that warrants it. Identity Access Manager provides user-friendly authentication options to enable employees to access agency apps and data to work anywhere, anytime, and is available as an on-premise or hosted cloud-based service.
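The three-factor flow Blauvelt describes, modelled server-side as an added example (not Symantec's code and not a description of Identity Access Manager internals). The user record, the HMAC device key standing in for the phone's digital certificate, the passwords and the step-up app list are all constructed assumptions; the point it shows is that the push prompt must be bound to one login attempt and that the fingerprint result has to travel inside what the enrolled phone signs.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"          # per-user salts in a real store; one constant here for brevity

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)

# Constructed enrollment record: hashed password plus a device key that stands in
# for the certificate provisioned to the employee's phone.
USERS = {"jdoe": {"pw": _pw_hash("correct horse"), "device_key": b"constructed-phone-key-jdoe"}}
STEP_UP_APPS = {"payroll", "case-files"}   # assumed: apps that warrant the push + fingerprint step

def start_login(user: str, password: str):
    """Factor 1 (something she knows). On success, issue a one-time challenge for the phone."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_pw_hash(password), rec["pw"]):
        return None
    return {"user": user, "nonce": secrets.token_hex(16), "used": False}

def _signed_message(nonce: str, fingerprint_matched: bool) -> bytes:
    return nonce.encode() + (b"|fp=1" if fingerprint_matched else b"|fp=0")

def phone_response(device_key: bytes, nonce: str, fingerprint_matched: bool) -> dict:
    """What the phone returns after the prompt: the nonce and the local fingerprint
    result, both covered by a signature made with the enrolled device key."""
    sig = hmac.new(device_key, _signed_message(nonce, fingerprint_matched), "sha256").hexdigest()
    return {"nonce": nonce, "fp": fingerprint_matched, "sig": sig}

def finish_login(challenge: dict, resp: dict) -> bool:
    """Factor 2 (something she has): the signature proves the enrolled phone answered
    this exact challenge. Factor 3 (something she is): the fp flag is part of the
    signed message, so it cannot be flipped by anyone without the device key."""
    if challenge is None or challenge["used"] or resp["nonce"] != challenge["nonce"]:
        return False
    challenge["used"] = True     # each challenge answers once; a captured response cannot be replayed
    key = USERS[challenge["user"]]["device_key"]
    expected = hmac.new(key, _signed_message(resp["nonce"], resp["fp"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, resp["sig"]) and resp["fp"]

def login(user: str, password: str, app: str, phone) -> bool:
    """Password at initial login; step up to the push + fingerprint factors for listed apps.
    `phone` is a callable simulating the push to the enrolled device."""
    ch = start_login(user, password)
    if ch is None:
        return False
    if app not in STEP_UP_APPS:
        return True
    return finish_login(ch, phone(ch["nonce"]))
```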
DATA-LOSS PREVENTION
Cyber attackers are usually after one thing: data. And their intent is to steal it, alter it or eliminate it. Guarding against and preventing the loss or manipulation of mission-critical and sensitive data is a complex challenge for federal agencies. “One of the big difficulties for federal agencies is simply identifying what data they actually have and the sensitivity level of that data,” said DLT’s Maclean. “That sounds like it would be fairly fundamental — and it is — but it’s not as easy to know what you have as you might think.”

An agency does not need to devote resources to data that is not sensitive or important. However, agencies need to be able to identify where all of their data is stored; classify that data in terms of mission-importance and impact if stolen; set appropriate monitoring and security controls for how varying classifications of data are accessed and used; and have automatic responses in place to block inappropriate actions. Federal agencies have been slow to do these things, instead placing greater emphasis on strengthening identity authentication and access management protocols to ensure that only the right people are gaining access to sensitive data. While good, this approach does little to prevent privileged employees from inappropriately moving sensitive data to non-secure devices or platforms, whether the intentions are malicious or not.

Durbin and Blauvelt note that there is no explicit federal policy to deploy data-loss prevention technology, and that’s part of the problem. However, federal policies and regulations – such as NIST 800-53 and the DHS CDM program – do mandate an inventory of assets, including data. They also require identification and documentation of data flows between systems. Symantec’s DLP capability can therefore do double duty: come for the data inventory, stay for the loss prevention.
What Data-Loss Prevention Delivers
Deploying data-loss prevention (DLP) capabilities is important for several reasons. First, DLP can help agencies identify data, its location, and its sensitivity levels. In addition, it can inform managers when someone with privileged access is doing something inappropriate with critical data, such as downloading it to a thumb drive or including it in an email. DLP can also counter advanced threats by enabling security managers to prioritize incident response — a vital capability for federal agencies that face thousands or hundreds of thousands of attacks per day. Blauvelt explained: “We can use the inventory of sensitive data from our data-loss prevention system, and mesh that with an incident-response process. This enables us to prioritize the incidents that are affecting systems that have our crown jewels, our sensitive information. Let’s bring those incidents to the top of our to-do list, and if we don’t get to anything else today because limited resources force us to let stuff drop, we can at least prioritize the events with the potential to do the most damage to our organization or to our mission.”

The Symantec Data Loss Prevention (DLP) solution offers this kind of comprehensive approach to information protection that embraces today’s cloud- and mobile-centered realities. Symantec’s best-of-breed DLP solution enables IT managers to discover where data is stored across all cloud, mobile, network, endpoint and storage systems; monitor how data is being used, whether employees are on or off the network; and protect data from being leaked or stolen — no matter where it’s stored or how it’s used. Symantec DLP employs a combination of advanced technologies that can accurately detect critical and sensitive data throughout the enterprise, whether it’s at rest, in motion or in use. It also features a unified management console, the DLP Enforce Platform, and a business intelligence reporting tool, IT Analytics for DLP, that allow agency security managers to write policies once and then enforce them everywhere, measurably reducing information risks.
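The discover / monitor / prioritize chain described in this section, as an added example that is not Symantec DLP's code or detection logic. The file contents, identifiers and incidents are constructed; the sensitivity scores and the two detectors (an SSN pattern with the structural rules that exclude invalid area, group and serial numbers, and a Luhn check for card-like numbers) are assumptions chosen to show why a bare regex produces false positives and why inventory scores should drive the incident queue.

```python
import re

# Constructed sample files; every number below is made up.
FILES = {
    "/share/hr/benefits.csv": "name,ssn\nA. Smith,123-45-6789\nB. Jones,987-65-4321\n",
    "/share/pub/newsletter.txt": "Welcome to the summer newsletter. Call 555-0100.\n",
    "/share/finance/q3.txt": "card 4111 1111 1111 1111 charged 2015-09-01\n",
    "/share/ops/ticket.txt": "ref 000-12-3456 is a tracking id, not an SSN\n",
}

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (structural rules only).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-like: 13 to 16 digits with optional spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a run of digits is only treated as a card number if it validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0

def sensitivity(text: str) -> int:
    """Assumed scale: 3 = SSN present, 2 = validated card number present, 0 = nothing found."""
    if SSN_RE.search(text):
        return 3
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        return 2
    return 0

def discover(files: dict) -> dict:
    """Build the data inventory: path -> sensitivity score."""
    return {path: sensitivity(text) for path, text in files.items()}

# Constructed monitoring events: what a privileged user did with which file.
INCIDENTS = [
    {"id": 1, "user": "u1", "action": "usb_copy", "path": "/share/pub/newsletter.txt"},
    {"id": 2, "user": "u2", "action": "email_attach", "path": "/share/hr/benefits.csv"},
    {"id": 3, "user": "u3", "action": "usb_copy", "path": "/share/finance/q3.txt"},
    {"id": 4, "user": "u4", "action": "print", "path": "/share/ops/ticket.txt"},
]
BLOCKED_ACTIONS = {"usb_copy", "email_attach"}   # assumed policy: no sensitive data to removable media or mail

def prioritize(incidents: list, inventory: dict) -> list:
    """Crown-jewel events first: sort the queue by the sensitivity of the data each event touches."""
    return sorted(incidents, key=lambda inc: inventory.get(inc["path"], 0), reverse=True)

def should_block(incident: dict, inventory: dict) -> bool:
    """Automatic response: block the listed actions when the file scored as sensitive."""
    return inventory.get(incident["path"], 0) >= 2 and incident["action"] in BLOCKED_ACTIONS
```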
CYBERSECURITY AUTOMATION
The scale and speed of the cyberthreat landscape that federal agencies face is far too complex and fast to address manually. To keep pace, cybersecurity functions and tasks, such as incident detection, categorization, prioritization and response orchestration, must happen at machine speed. “[Agencies] have lots of devices that are collecting logs, but you can get inundated with information,” Durbin said. “So how do you comb through all of that to find out if something is going on, if something bad is happening or is about to happen? Tools that can help ease that burden through automation are widely recognized as the key to moving forward to addressing the advanced threat. Different control points across the network need to be able to communicate, report and, when necessary, respond without having to wait for a human being to intervene. That’s a huge challenge.”

An example of this kind of automation exists with Symantec Data Loss Prevention (DLP), which can discover where critical data is stored, monitor how that data is being used and protect that data from being leaked or stolen. But automation is needed at all levels of the cybersecurity lifecycle. Threat data, for example, needs to be merged from multiple sources to provide a more complete picture and then shared in a relevant way with other nodes in the security community for analysis or collation with other data streams.

The Many Levels of Cybersecurity Automation
“The analysis of cyberthreats and vulnerabilities also needs to be automated,” Blauvelt said. “Once we get the information about threats, how do we quickly analyze and prioritize that information? Today for most agencies this is a manual effort. What if we want to share cyberthreat information with a colleague? That’s often a manual effort as well. So there’s a lot of emails going back and forth,” he said.

The same goes for the investigation phase that follows a breach — it too needs to be automated. That includes gathering and analyzing relevant evidence to understand what was compromised and to what extent. The same applies to the process of remediating the environment after a breach to make sure it is threat-free and safe to operate in. “All that work is manual. If we can automate any and all of those efforts, we’re going to enable greater protection against advanced threats for our organizations,” Blauvelt said.

Automation at all of these levels is available. Symantec’s DeepSight Intelligence solution, for example, provides in-depth threat intelligence on current and emerging threats to spot and block threats before they hit, enabling agencies to react faster to changes in the threat environment. And by offering combined threat, vulnerability and reputation information, DeepSight Intelligence allows agencies to customize threat alerts based on their IT infrastructure and security policies. The most comprehensive level of automation can be found with Symantec’s suite of Advanced Threat Protection (ATP) offerings — Symantec™ Advanced Threat Protection: Email, Symantec™ Advanced Threat Protection: Network, Symantec™ Advanced Threat Protection: Endpoint and Symantec™ Email Security.cloud — which are capable of discovering and remediating advanced threats across the enterprise from a single console.

Maclean said a particularly impressive feature of ATP is called Symantec Synapse, which automatically correlates related events across all protected endpoints to prioritize and block the most critical of suspicious threats confronting the enterprise. ATP automatically sends suspicious files to a cloud-based sandboxing and payload detonation service, called Symantec Cynic, for rapid detection and safe activation. Cynic is even capable of detecting the estimated 28 percent of advanced threats that are “virtual machine-aware,” meaning they are designed to evade detection by traditional sandboxing systems.
CONCLUSION
The cybersecurity landscape continues to evolve in scale and complexity. APTs are approaching federal agencies with unprecedented frequency, velocity and cunning. In this daunting environment, few capabilities will be more critical to federal agencies going forward than being able to effectively authenticate the identities and control the access of their privileged network users; prevent the loss of their most critical data; and automate most, if not all, aspects of the detection-to-response lifecycle.

ABOUT SYMANTEC
Symantec helps federal agencies develop and implement comprehensive and resilient security strategies to reduce risk and meet Cross-Agency Priority Goals, the NIST Cybersecurity Framework, the Joint Information Environment and other federal mandates.

ABOUT DLT SOLUTIONS
For 25 years, DLT Solutions has been dedicated to solving public-sector IT challenges. Guided by our relentless focus, we have grown to be one of the nation’s top providers of world-class IT solutions. Leveraging our strategic partnerships with top IT companies, we develop best-fit solutions for our federal customers.

ABOUT GOVLOOP
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com.
1152 15th Street NW, Suite 800 Washington, DC 20005 Phone: (202) 407-7421 | Fax: (202) 407-7501 www.govloop.com @GovLoop