Securing the Digital World

Pervasive network visibility: driving the Federal security mission

Apr 26, 2016 | by Mike Brown, Rear Admiral, USN (Ret.)

Reports over the last year about catastrophic cyber breaches of Federal IT systems have been so frequent that we have been somewhat numbed to them. We have come to an almost dazed acceptance that our adversaries will continue to access and obtain highly sensitive information - on Federal employees, their families, the public, our marketplace, and defense assets.

This constant barrage of attacks has brought to light the reality that no system can ever be fully safe, and no technology, team, or policy will ever be able to stop every attack. This understanding, however, does not mean that government and industry can accept the damage these attacks cause, nor are they willing to see that damage continue to be inflicted at the current rate.

Further, we must keep in mind that our adversaries are not "just" able to disrupt access to or deface a website; or even to "just" steal private, sensitive or otherwise protected data. Our adversaries are able to manipulate, add, and delete data that are critical to our missions.

We can turn the tide on the vast majority of breaches. DHS, in describing the Continuous Diagnostics and Mitigation (CDM) program, cited a study that concluded that 96% of today's attacks could be rendered harmless with appropriate controls.

By and large, this failure to contain and mitigate attacks once they occur is due to a continued focus on preventative and perimeter-based approaches. While important, these approaches are ultimately always defeated. From Hadrian's Wall, to the Great Wall of China, to the Maginot Line in France, to today's IDS, IPS and firewalls, focusing entirely on a preventive perimeter strategy leaves a population very vulnerable when, unavoidably, a breach happens.

We need to accept the high probability, or even certainty, that an adversary will breach our defenses, and look at the adversary's dwell time (i.e., the time after an attacker has successfully breached a network and is conducting activity on it). Minimizing or mitigating this time is the new metric to assess our cyber maturity.

Increasingly in today's successful breaches, we're seeing insider threat as a major threat vector. Whether maliciously or unknowingly, authenticated Federal users have caused damaging security incidents in a short amount of time. This has been caused by both rogue employees and criminals using the stolen credentials of unwitting authorized users. To contain this threat, spotting anomalies quickly is fundamental. Federal agencies need to ensure that their security teams have tools in place to monitor and track activity on their networks effectively and in real time.

Agencies need insight into what normal activity is on their networks. A user who does not normally access a specific system, who starts to download gigabytes of data, in the dark of night, from unusual locations, should set off all kinds of alarms. Conversely, another user who works remotely, during a night shift, and customarily accesses this same system for a valid purpose, should not trigger the same alerts. Such false positives are now a big problem, as they waste precious and critically limited security analyst time.
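The per-user baseline idea above, as an added example (not from the original article or any RSA product): each event is compared with that user's own history of systems, hours, locations and transfer volume, and an alert fires only when several signals deviate together. The user names, log fields and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed history rows: (user, system, hour_of_day, location, bytes).
# All thresholds below are illustrative assumptions, not recommended values.
HISTORY = [
    ("alice", "hr-portal", 10, "HQ", 40_000_000),
    ("alice", "hr-portal", 14, "HQ", 55_000_000),
    ("alice", "mail", 9, "HQ", 5_000_000),
    ("bob", "case-db", 23, "remote-vpn", 900_000_000),
    ("bob", "case-db", 1, "remote-vpn", 1_200_000_000),
    ("bob", "case-db", 2, "remote-vpn", 1_000_000_000),
]

def build_baselines(history):
    """Summarise each user's normal systems, hours, locations and volume."""
    raw = defaultdict(lambda: {"systems": set(), "hours": set(),
                               "locations": set(), "bytes": []})
    for user, system, hour, location, nbytes in history:
        b = raw[user]
        b["systems"].add(system)
        b["hours"].add(hour)
        b["locations"].add(location)
        b["bytes"].append(nbytes)
    return dict(raw)

def deviations(baseline, event, hour_slack=2, volume_factor=5):
    """Return the ways an event departs from this user's own baseline."""
    _, system, hour, location, nbytes = event
    found = []
    if system not in baseline["systems"]:
        found.append("new-system")
    # Circular distance, so 23:00 and 01:00 count as two hours apart.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack
           for h in baseline["hours"]):
        found.append("unusual-hour")
    if location not in baseline["locations"]:
        found.append("new-location")
    if nbytes > volume_factor * median(baseline["bytes"]):
        found.append("high-volume")
    return found

def should_alert(baselines, event, min_deviations=3):
    """Alert only when several independent signals deviate together."""
    baseline = baselines.get(event[0])
    if baseline is None:  # no history for this user: surface for review
        return True, ["no-baseline"]
    found = deviations(baseline, event)
    return len(found) >= min_deviations, found
```

Requiring several signals to deviate at once is what keeps the night-shift remote worker from generating the same ticket as the account that suddenly behaves unlike itself.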

Federal IT security teams are under incredible pressure to address the plethora of threats they face. At the same time, the Federal workplace is struggling to recruit, train, and retain these critical resources. The technology community can help address this situation with improved tools. Federal leaders need to ensure that their agencies have deployed modern solutions that are easy to use and purpose-built for the task of security. The team on the front line should be able to address most threats through pervasive visibility and analytics that combine contextual information from multiple sources. In the parlance of a Federal Security Operations Center, security platforms must allow Tier-1 analysts to adjudicate the tickets that Tier-2 resources must handle today (and so on).

Our collective vulnerability to attacks against public and private institutions is growing. So, the question of our time is: How do we limit the effectiveness of the cyber adversary and reduce the implications to us? No matter how high or smart the walls, focused adversaries will find ways over, under, around, and through them. Visibility into what's going on in Federal networks is a critical area where organizations need to rethink what they're doing today.

Technology alone doesn't solve the visibility problem. We also face a mindset problem. Some organizations don't even want to know what's going on in their networks, and others face inertia in either acquiring solutions or fully deploying and utilizing them.

Each one of us in government and industry has a role in the Federal cybersecurity mission. And it is a battle we can't afford to lose.
