BE FOR E, D UR I N G & A F T ER AN AT TAC K AN I N T E G R AT E D ST R AT E GY FOR CYBERSECURITY
I ND U ST RY P E RS PE CT I V E
I NT RO D U CT I O N The world of cybersecurity is immense. The jargon surrounding the subject is nearly as varied. There’s malware, damage, espionage, regulation, education, viruses, advanced persistent threats, partners, reputation insider threats – and that’s just a small sample. Unfortunately, adding to this complexity is a common disconnect between technology experts within the organization, and those who make business decisions across the enterprise. Often, this disconnect can lead to improper security planning and investments. To help public sector organizations navigate this process in a way that is understandable for business leaders but also actionable for techies, GovLoop and Cisco have produced this industry perspective on how to implement a comprehensive cybersecurity strategy.
The approach uses your existing network assets and proposes strategic tools to augment what you already have. To help understand these best practice methods, GovLoop sat down with Cisco’s Peter Romness, business development manager, Cisco Systems Inc., who focuses on cybersecurity in the U.S. public sector. “The idea of before, during and after is our way of explaining what is going on,” said Romness. “I think it gives people a great starting point, and lays the foundation for understanding the pieces that come after.” But first, it’s important to understand the current cyberthreat landscape.
TH E T H RE AT L A N DS CA PE : T WO IMPORTAN T DEVELOPMEN TS The complexity of our networks, coupled with the rapid advancement in technology, create two types of risks for organizations. The first is the increased sophistication of attacks from the outside. The second revolves around newer technologies like cloud and mobile.
T HE EX TERN AL THRE AT: A NEW CY BER ATTACK I NDUS TRY The current external cyberthreat is much more sophisticated and varied today than just a few years ago. “It amounts to what I call the industrialization of threats,” said Romness. In other words, hacking and cyberattacks have become their own industries, with eager buyers and sellers on each side. “For example, if someone doesn’t know how to write code, but still wants to attack, this person can go on the internet, find an attack, and then buy it,” said Romness. The proliferation of black market websites and networks are facilitating this industry, connecting malevolent actors from all over the world. Moreover, many attacks can now be easily reused, with the attacks coming faster and with greater frequency. This necessitates a response that goes far beyond the piecemeal approach organizations have adopted in the past.
1
Industry Perspective
N E W TE C H N OL OG IE S : IN C R E AS IN G TH E ATTAC K S U R F AC E Coupled with changes in external threats are the new technologies we’ve adopted to make our organizations more productive. This is not necessarily a negative development, as these technologies offer huge benefits. Cloud computing is undoubtedly the future of enterprise organizations, as mobile use will continue to grow. Furthermore, the proliferation of network sensors on everyday physical objects, from streetlamps to HVAC systems – the phenomenon known as the ‘Internet of Things’ – will add yet another layer of network complexity. All of these developments are increasing what’s known as the ‘attack surface’ of the organization. In other words, these new technologies are providing nearly as many openings for outside attack as there are devices floating in and around the network. “The borders of the personal or government network have become a lot fuzzier,” said Romness. “It’s not just at the gate of the end-user’s internet anymore. It’s been extended to wherever she has data traveling to and from any of her devices and connections in the cloud.” Ultimately, if public sector organizations wish to take advantage of the incredible productive value of these technologies, they must be prepared to join them with attendant security measures.
CYBER AT TAC KS BY THE NUMBERS
CY BER ACT I V I T I E S
COSTS OF A CYB ERB REACH
$145
Increase in reported incidents by U.S. Government Agencies 2009 - 2013
104%
The average cost per record lost in the United States, 2012
Increase in attacks against critical infrastructure 2011 - 2012
52%
Increase in incidents involving personal identifiable information (PII) 2009 - 2013
144%
$5-$6
Cost of Notification and Credit Monitoring alone (per record)
WHAT ’ S AT STA K E I N A L L OF THIS? There is a common misconception that breaches in the public sector primarily result in embarrassment or public relations fiascos, and that it’s the private sector that feels most of the financial pain. Unfortunately, this is not the case. For one, the government houses a large quantity of research data, and agencies have suffered a number of significant intellectual property losses over the last few years. Equally important is the loss of personal identifiable information (PII). This includes Social Security numbers, names, addresses, and birthdates. The cost to the organization per record varies, but a recent Ponemon Institute report places the average cost per lost record in the United States at around $145. These costs cover everything from free credit checks and notification campaigns to intellectual property and the reputation of the organization.
In light of this figure, a recent U.S. General Accountability Office (GAO) report provides a few case studies of major breaches – some of which include record losses in the millions. On the state and local side, one agency suffered an attack in 2012 that left over 3.5 million records – including Social Security numbers – exposed. These are not isolated cases of particularly negligent organizations. They simply represent the type of attacks that can hit any public organization – federal, state, local, education – in today’s threat environment. And in most cases, the money spent recovering from a cyberattack of this magnitude is not budgeted by government agencies.
Before, During & After an Attack
2
A N E W M OD E L FO R CY BE RS ECURIT Y: TA KI N G A CO MP R E H E N S I V E APPROACH Given this threat landscape, a new, integrated approach to cybersecurity is required. The idea with this holistic approach is to break the attack cycle down into three main phases: before the attack, during the attack, and after the attack. The specific tactics for each are discrete, but they all work together under a unified strategy that seeks to secure the organization during all phases.
BE F O RE: PREPARI NG F O R AN ATTA C K
DURING: EMPLOYING AN ACTIVE DEFENSE
The key to preparing for an attack is to ensure full visibility of the network and the devices that connect to it. This boils down to three main questions:
Just as passwords are an insufficient tool for managing the network, the traditional tools for defending the perimeter of the network – static firewalls, intrusion prevention systems and web security – simply aren’t enough to meet today’s sophisticated attacks.
1. Who do you let on the network and where do you let them go? 2. Who do you block? Where do you restrict access? 3. How do you differentiate between the two? By asking these questions, organizations are in a prime position to segment their networks and allow people access to different places and different resources within the enterprise. But this segmentation must go beyond the identity and password level. “It should be based on the kind of device [users are] on, where they’re connecting from, how they’re connecting to the network, and even the time of day,” said Romness. He cited the 2013 Target data breach as a prime example of the need for this approach. That attack took place through an opening provided to an HVAC contractor, and was able to infiltrate all the way down into sensitive customer databases. “If the network had been segregated, you would only allow that HVAC contractor to go to the resources he needed and nowhere beyond that,” explained Romness. By controlling, enforcing and hardening the network, organizations can actively reduce and reinforce their attack surface, which is a vital first step in the process.
The problem is that these mechanisms for blocking attacks can become outdated or insufficient minutes after implementation. What organizations need today is a mechanism to stay on top of the threats in near real-time. In this way, you’ll have visibility not only of your network, but the type of threats you can expect. “At Cisco, we have organizations that monitor the internet for potential threats,” said Romness. “We have over 3 million devices on the worldwide web that are constantly sending updates to the organization. This is combined with data feeds and other sources, aggregated and then pushed out to devices on people’s networks as often as every five minutes.” But what happens once a flagged object is identified on the network? This is where things get interesting. “Organizations now have the ability to disallow that object – a program or even an image file – regardless of whether it is coming from an internal computer or a smartphone out in the field,” said Romness. “We also have the ability to sandbox the object, run it in a test environment, and see what it does.” The important takeaway here is that you are taking an active approach by continuously updating, monitoring and taking preventative actions. “It is multilevel, and it is ongoing,” said Romness. “A proper approach is one that goes beyond the old ‘install and walk away’ model.”
3
Industry Perspective
AFTER: CON F RO NTI NG THE I NE V I TAB L E The idea behind the ‘after’ phase of the attack cycle is that something will invariably get through even the toughest, most vigilant defense. “Even our Attorney General, Eric Holder, says that there are two types or organizations – those that have been hacked and know it, and those who have been hacked but don’t know it,” said Romness. After acknowledging that things can get through, there are two ways of dealing with them. The first is the ability to track malicious files once they are inside. This goes back to the continuous monitoring piece. “No matter the determination we’ve made on that file – ‘good, bad, or don’t know’ – we’re continuously tracking it,” said Romness. Ultimately, if the file is deemed malicious, we have the ability to see exactly where it went and which areas of the network it touched. One of the worst outcomes is to recognize a breach but have no idea about the extent or range of the damage. This approach, which begins in the ‘during’ phase, helps organizations better respond to an incident once it has occurred.
The second component is the ability to monitor network traffic. The best part about this approach is that it capitalizes on what is already in the network. “You can turn every switch in the network into a censor,” said Romness. “You already have all of this stuff – you might as well use it.” Imagine having what Romness refers to as a ‘cellphone bill’ of packet activity on the network. Similar to a cellphone bill, which gives customers an itemized list of incoming and outgoing calls, you can make a record of every packet that goes across a switch, including: •
The time of day
•
The origin of the packet
•
The destination
•
The size of the packet
“You can set it up on your network, establish a baseline for activity, and if there is an anomaly from the baseline, you can trigger an alarm,” said Romness. This could be vital in preventing the exfiltration of data from an insider or outsider threat.
Before, During & After an Attack
4
THE B E N E F I TS O F A N I N T E GRAT ED APPROACH The benefits of this approach go beyond simply being able to avoid or effectively respond to an attack. Additional advantages include: •
5
Security Efficiency: The automation of many of these monitoring tasks means that security is much less labor intensive. It also means that security personnel are freed up to better respond, as opposed to being tied up in manual processes.
•
Reduced User Risk: The goal of automation is to ensure that everyone has to worry about security a little less. The red flag will go up if necessary, due to the active monitoring approach, but everyday knowledge workers are freed up to pursue their primary work duties.
•
A Unified Front: The benefit of this approach is that it does not rely on a single tool or a single security measure, but rather a combination of complementary tools that work together. “Be wary of the person who has the end-all and be-all solution,” said Romness. “Security is an ongoing process that’s multitier and multifaceted.” It takes the right approach to merge these technologies together into a united front.
Industry Perspective
“By taking advantage of the features already in your network, you probably already have 80 percent of what you need,” said Romness, “Then by strategically adding security specific devices, you can build out an effective cybersecurity posture. “ Cyberthreats attack in multiple ways and can target the enterprise in multiple places. In common industry jargon, there is no silver bullet solution; it’s more like silver buckshot.
AB O U T C I S C O
ABOUT GOVLOOP
Cisco provides a broad portfolio of integrated solutions that deliver unmatched visibility and continuous advanced threat protection across the entire attack continuum, allowing customers to act smarter and more quickly – before, during, and after an attack.
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public sector professionals by serving as the knowledge network for government. GovLoop connects more than 100,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington D.C. with a team of dedicated professionals who share a commitment to connect and improve government.
Learn more at: www.cisco.com/go/uspscybersecurity
For more information about this report, please reach out to Adrian Pavia, Research Analyst, GovLoop, at adrian@govloop.com. Phone: (202) 407-7421 | Fax: (202) 407-7501 www.govloop.com Twitter: @GovLoop
Before, During & After an Attack
6
1101 15th St NW, Suite 900 Washington, DC 20005 Phone: (202) 407-7421 | Fax: (202) 407-7501 www.govloop.com Twitter: @GovLoop