Cyber Trends: Expert Strategies for Staying on Top of Security Solutions

High-profile breaches have shifted cyberconcerns from being the responsibility of siloed security teams to a top priority of government leaders. The vendor community routinely reaches out to government officials to sell the latest solutions, offering software aimed at blocking ransomware or deceiving bad actors. But it can be tough for public agencies to prioritize and decide which solutions merit an investment.

Two days after WikiLeaks published thousands of emails this summer that had been hacked from the Democratic National Committee, Debbie Wasserman Schultz announced she’d be resigning from her position as chairwoman. And one day after the scope of the federal Office of Personnel Management breach became public in 2015, Director Katherine Archuleta stepped down from her post.

For those working in politics and government, a security breach can be a career killer.

“It’s that old saying,” said Agnes Kirk, chief information security officer of Washington state. “An attacker only has to be successful once. A defender has to be successful every time.”

Breaches are happening more often, with a particular spike in ransomware attacks, according to Dan Lohrmann, chief strategist for Security Mentor and former chief security officer of Michigan. Part of the reason is that there are simply more connected systems to hack, he said. Also, the threat actors — from nation states like Russia to individual criminals — are getting more sophisticated.

“It’s one of the few areas where what worked a month ago may not be the same problem you’re trying to solve today,” Kirk said.

High-profile breaches have shifted cyberconcerns from being the responsibility of siloed security teams to a top priority of government leaders. So while attacks are getting worse, Kirk said more attention is being paid to how agencies can prevent, detect and respond to them.

The vendor community routinely reaches out to government officials to sell the latest solutions, offering software aimed at blocking ransomware or deceiving bad actors. But it can be tough for public agencies to prioritize and decide which solutions merit an investment.

“A lot of people are looking for silver bullets,” said Dave Damato, chief security officer of Tanium. “In reality, what we see — and this has been a cycle over the years — is that a new technology is released, it’s effective for a short period of time, and then attackers understand and adapt to the technology, leaving customers searching for the next greatest thing.”

One example, he said, is intrusion prevention systems. They were very useful 10 years ago. But soon, Damato said, attackers found ways to get around them.

“A series of tried and tested security controls together are much more effective than attempting to beat attackers by buying the latest and greatest solution to detect a very singular use case like malware or lateral movement or whatever the specific attack of the day happens to be,” Damato said. “The organizations that are the most successful in defending their environments, the ones that don’t have incidents, are the ones that are following basic principles.”

That includes practicing cyberhygiene, like activating firewalls and regularly patching all programs. It includes doing a thorough risk assessment, having strategic defense and response plans, and regularly testing those plans for vulnerabilities. And it includes taking a “least privilege” approach, allowing users to only access information that’s necessary for them to do their jobs.

“They say on average 80 percent of the threats that hit government could have been avoided if people had done things that were known fixes,” Lohrmann said.

Another key is training everyone to take responsibility for his or her own digital footprint, Kirk said. A receptionist, she pointed out, is the first line of defense in phone phishing scams, and end-user errors are the No. 1 source of most breaches.

“A few years ago, security was an IT problem,” said Kirk. “Today, we’re trying to create awareness that security is everybody’s responsibility.”

Before agencies buy new solutions, Damato said they should be sure they’re taking advantage of capabilities baked into technology they already own. Many operating systems now come embedded with effective security tools, he pointed out, such as the application whitelisting built into Windows 10.

If governments discover they’re not using some solutions in their portfolios, said Lance Dubsky, chief security strategist for FireEye, they can harvest those funds to buy technology that’s evolved with the environment.

When it comes to new purchases, Damato said agencies should share notes on what works rather than rely on staged demos or which vendors can write the best proposals. But here are four cybersecurity technology solutions that many experts agree merit attention.

Endpoint Detection and Response

Intrusion detection systems leave agencies always trailing the bad guys because they require analysts who observe attacks and generate defenses that are sent out to clients.

“You’ve got to use math on your side here so we can scale against the threats,” said Ryan Gillis, vice president of cybersecurity strategy and global policy at Palo Alto Networks.

That’s where endpoint detection and response software comes into play. These solutions constantly find and act on both identified and zero-day threats by tracking anomalies in behavior to find early hints of breaches. A solution from Palo Alto Networks, for example, generates 1.1 million new prevention measures every week.

“Having real-time visibility into all of your endpoints is extremely important for the government,” Damato said. “The most successful organizations at preventing breaches are those that are able to detect them and respond to them within an hour.”

Security Orchestration and Automation

Government systems often include a mix of solutions that were purchased independently and don’t communicate well with one another, Dubsky said. That’s a challenge for security professionals to manage.

“The fundamental problem that we’ve faced in cybersecurity for a long time is discrete individual products to solve one problem and then putting the onus on the network defender to figure out how to make all of those different things work together,” Gillis said. “And the result has been manual defense generally against automated attacks, which is unsustainable.”

Experts say it’s worth investing in security orchestration and automation technologies, which integrate diverse systems so defenses are coordinated from a security operations center. And Gillis said that integration should be extended to incorporate the Internet of Things and cloud technologies.

Cloud Access and Security Brokers

While most experts agree that government systems will never migrate entirely to the cloud, the trend is in that direction. The cloud presents its own set of data privacy issues since it requires an element of trust in a third-party provider.

Workers often now take matters in their own hands by jumping on cheap cloud solutions. Handing data over to the likes of FreeChinaStorage.com isn’t a wise idea, but Lohrmann said he’s seen it happen.

“You can’t just throw the baby out with the bath water,” said Lohrmann. “You need to be innovative.”

Training is key here, but so are cloud access security brokers. These software tools act as gatekeepers, monitoring systems and confirming that security protocols are still in place as information moves to the cloud.

Threat Intelligence Sharing

As security solutions detect threats, Dubsky said it’s crucial for that data to be fed back into the systems so they can adjust and share any learning.

“The future of protecting an enterprise depends on being able to use machine learning or machine-to-machine speed when it comes to developing signatures and adjusting profiles so that the organization stays protected,” he said.

Sharing threat intelligence across agencies is also important, Kirk said, with automated systems that send actionable information between governments.

“We’ll never eliminate the human factor,” she said. “But there’s so much information and there are so many attacks that come in that you couldn’t possibly respond with just human intervention. So we’ve really appreciated the new technologies that have come out.”

This story is published in the fall 2016 issue of Techwire magazine.

Journalism has led Brooke Edwards Staggs to a manhunt in Las Vegas, a political rally in Union Square and a fishing village in Accra. With a master's degree in journalism from New York University, she's covered government, technology and just about everything else for a variety of publications across the country.