Providing cybersecurity that is adequate to meet increasing threats has proven to be a perpetual catch-up process. Public sector agencies are particularly sensitive targets, with high visibility not only to the citizens they serve, but also to cyberattackers.
Despite the emphasis on cyberprotection spurred by a major breach at the federal Office of Personnel Management in 2015, government agencies have struggled to maintain adequate levels of protection. A recent survey uncovered two major vulnerabilities: lack of speed in detecting and responding to attacks; and weak defenses of the full range of possible attack channels.
The velocity of cyberintrusions has become a significant factor in detecting and countering attacks effectively, according to the MeriTalk survey, which polled 150 federal cybersecurity professionals.
Federal security operation teams “ingest” an average of 25 external threats daily, notes the report, which received support from Palo Alto Networks.
“To address today’s threats and prevent successful cyberattacks, it’s imperative to automate the creation and distribution of new protections in near-real time and predict the attacker’s next step,” said Pamela Warren, director of government and industry initiatives at Palo Alto Networks.
Time Is of the Essence
Timing has become a critical element in cyberprotection, given how fast threats can spread within a network. However, only 15 percent of survey respondents said their agencies could implement protection against a new threat within 15 minutes.
Seventy-two percent of respondents said it would take a few hours to a few days to assess if a unique threat were present and to determine if action would be required, and 80 percent said it would take just as long to create actionable changes in their organization’s security posture.
“Despite these time-intensive processes, federal security operations teams continue to allocate precious manpower and financial resources to tasks that can be automated,” the report observes.
The survey findings do not support the conclusion that federal agencies are woefully deficient in cybersecurity. The takeaway is that there are ways agencies can build on existing efforts to make their cyberprotection efforts more efficient and effective.
For example, federal policy recently has emphasized the use of continuous monitoring, or CM, as a key deterrent to cyberattacks.
“The focus of the survey was in line with CM techniques, such as through the government’s continuous diagnostics and mitigation (CDM) goals,” Warren told the E-Commerce Times.
The results of the survey did not suggest that CM or CDM have been ineffective, she noted. Instead, those ongoing programs should be enhanced.
The CDM process involves a program to identify, prioritize and mitigate cybersecurity risk — much like the techniques currently in use at federal agencies, Warren explained.
“The first phase focuses on what and who are on my network. The next steps for CDM are putting in place boundary controls or network access controls,” she said.
Vendors React to Federal Requirements
With the emergence of new cyberchallenges, vendors have bolstered their offerings in the federal market. For example, Accenture Federal Services this fall entered into an agreement to acquire Defense Point Security, a privately held cybersecurity company that supports federal agencies with security operations expertise, security engineering and cyberanalytics.
Accenture noted the “velocity and ferocity” of cyberthreats as a factor in adding DPS capabilities to its offerings.
“We see the federal government making a deliberate and substantial investment to improve the cyber posture in federal agencies, and we expect that trend to continue,” said Gus Hunt, head of the cyberpractice at Accenture Federal Services.
“We believe that Defense Department investments will grow at a rate faster than other agencies in the federal sector due to the importance of cybertechnology to our warfighters,” he told the E-Commerce Times.
In another move to enhance market offerings, Accenture this summer teamed up with Palo Alto Networks, Splunk and Tanium to create an integrated advanced cyberdefense platform. The service is applicable to global networks and a wide range of endpoints for both the commercial and government markets.
The gaps uncovered in the survey of federal agencies are not necessarily unique to government.
“Some of these same challenges exist within the commercial sector as well,” said Palo Alto Networks’ Warren, “but depending on the size of the organization and the culture, they may be faster at adapting to new innovations in technology than their public-sector counterparts.”
Automation Can Save Time and Money
“The key to the success of a continuously monitored environment — and what we point to as the challenges indicated by the survey results — is how successfully you can automate operational decisions and shift away from manual processes. This speeds up your time to address a never-before-seen threat,” Warren said.
While automation could add the element of speed to the cyberprotection process, 55 percent of survey respondents said their agency did not use automated techniques to correlate threat information ascertained from different locations.
Thirty percent of respondents reported that they used tedious and time-consuming manual efforts, while another 25 percent said they didn’t engage in such correlation activities at all.
Another element that needs attention is the range of potential channels for cyberintrusions. Federal agencies may be missing key indicators of an attack — a pathway into their networks — and be unable to link threat data points, according to the report.
While the majority of agencies monitor traditional entry points such as mail servers, the Web, and Internet gateways, fewer than half guard data centers, SaaS enforcement points, and mobile endpoints, based on the survey results.
“This may impede the organization’s ability to spot discrete malicious behaviors,” the report points out.
To improve cybersecurity performance, agencies need data, tools and a process, the report says. Agencies have plenty of data but fall short on using adequate tools and processes.
On a positive note, 71 percent of survey respondents said that when they did engage in analytical efforts, they used some form of automated procedures to reduce the volume of data and to focus efforts on hunting targeted attacks.
However, many federal security professionals have not utilized critical advanced threat capabilities, the report found. Fewer than half used advanced techniques. Just 48 percent used dynamic analysis, while only 32 percent used static analysis, and only 19 percent turned to machine learning.
“Despite the need for the automation of prevention, only 30 percent of federal security operations professionals are willing to invest in the automation of signature creation and distribution,” the report says.
To assess threats as quickly and efficiently as possible, federal agencies should consider following these MeriTalk and Palo Alto Networks recommendations:
- Ensure detection and enforcement across all potential attack vectors into the network to detect any anomalies that could be new threats.
- Correlate isolated tactical behaviors as a sign of a bigger attack pattern, as well as isolate network segments to reduce the effectiveness of attacks.
- Prevent new attacks by first analyzing and accurately predicting the next step in the attack before it occurs.
- Leverage new techniques, like machine learning, and dynamic and static analysis, preferably in conjunction with each other.
“Then, swiftly create new protections and reprogram enforcement points faster than the attack can spread in the network,” the report suggests.
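The survey's gap on correlating threat information across locations, and the report's recommendation to correlate isolated behaviours and reprogram enforcement points quickly, can be illustrated with a small worked example. The code below is an added illustration, not part of the article, the MeriTalk report, or any Palo Alto Networks product: it normalises events from three assumed enforcement points (a mail gateway, a web proxy and an endpoint agent) into one schema, raises an alert only when the same indicator is seen on the same host by two or more independent sources within a time window, and turns correlated alerts into a blocklist that could be pushed to every vector. All hostnames, domains, hashes and field names are constructed placeholders.

```python
"""Cross-vector indicator correlation (constructed example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from three enforcement points. Every host, domain
# and hash below is a placeholder, not a real indicator.
MAIL_EVENTS = [
    {"ts": "2016-11-01T09:00:05", "rcpt_host": "ws-1042",
     "attachment_sha256": "PLACEHOLDER-SHA256-A", "sender_domain": "invoice-update.example"},
]
PROXY_EVENTS = [
    {"ts": "2016-11-01T09:02:11", "client_host": "ws-1042",
     "dest_domain": "invoice-update.example", "action": "allow"},
]
ENDPOINT_EVENTS = [
    {"ts": "2016-11-01T09:02:40", "host": "ws-1042",
     "process_sha256": "PLACEHOLDER-SHA256-A", "event": "process_start"},
    # A lone endpoint sighting on another host: seen by one source only.
    {"ts": "2016-11-01T09:10:00", "host": "ws-2201",
     "process_sha256": "PLACEHOLDER-SHA256-B", "event": "process_start"},
]


@dataclass(frozen=True)
class Observation:
    """One indicator sighting in a common schema, whatever the source was."""
    ts: datetime
    host: str
    source: str          # which enforcement point reported it
    indicator_type: str  # "sha256" or "domain"
    indicator: str


def normalise(mail, proxy, endpoint):
    """Map each source's own field names onto the shared Observation schema."""
    obs = []
    for e in mail:
        ts = datetime.fromisoformat(e["ts"])
        obs.append(Observation(ts, e["rcpt_host"], "mail", "sha256", e["attachment_sha256"]))
        obs.append(Observation(ts, e["rcpt_host"], "mail", "domain", e["sender_domain"]))
    for e in proxy:
        obs.append(Observation(datetime.fromisoformat(e["ts"]), e["client_host"],
                               "proxy", "domain", e["dest_domain"]))
    for e in endpoint:
        obs.append(Observation(datetime.fromisoformat(e["ts"]), e["host"],
                               "endpoint", "sha256", e["process_sha256"]))
    return obs


def correlate(observations, window=timedelta(minutes=30), min_sources=2):
    """Alert when >= min_sources distinct sources saw the same indicator on the
    same host within `window`. A single-source sighting is left as telemetry."""
    groups = defaultdict(list)
    for o in observations:
        groups[(o.host, o.indicator_type, o.indicator)].append(o)
    alerts = []
    for (host, itype, ind), seen in groups.items():
        seen.sort(key=lambda o: o.ts)
        sources = {o.source for o in seen}
        if len(sources) >= min_sources and seen[-1].ts - seen[0].ts <= window:
            alerts.append({
                "host": host, "indicator_type": itype, "indicator": ind,
                "sources": sorted(sources),
                "first_seen": seen[0].ts, "last_seen": seen[-1].ts,
            })
    return alerts


def build_blocklist(alerts):
    """Collapse correlated alerts into (type, value) entries that every
    enforcement point (mail, proxy, endpoint) can consume."""
    return sorted({(a["indicator_type"], a["indicator"]) for a in alerts})


def run_example():
    """Run the whole pipeline on the constructed events."""
    alerts = correlate(normalise(MAIL_EVENTS, PROXY_EVENTS, ENDPOINT_EVENTS))
    return alerts, build_blocklist(alerts)


if __name__ == "__main__":
    found, blocklist = run_example()
    for a in found:
        print(f"{a['host']}: {a['indicator_type']}={a['indicator']} seen by {a['sources']}")
    print("blocklist:", blocklist)
```

The design point is that none of the three sources is alarming on its own: an attachment hash, a proxied domain and a process start are each routine telemetry. Requiring a second independent source within the window is what turns them into a pattern, and emitting a vendor-neutral blocklist entry is the "reprogram enforcement points" step; in a real deployment the window and the minimum source count would be tuned against the false-positive rate on the agency's own traffic.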
Federal cyberprofessionals estimated that more efficient techniques, such as using automation wherever possible, could create savings amounting to 27 percent of agencies’ cybersecurity spending — or about $5 billion per year, based on survey feedback.