When cybersecurity capabilities are paid for, but untapped
- By Dale McCloskey
- Oct 19, 2018
Government agencies, like too many large enterprises, have built out increasingly complex and overlapping technology stacks, and this problem is especially prominent in cybersecurity technology. Driven by contracting limitations, lack of manpower and limited training, agencies across government are using only a percentage of the cybersecurity capabilities they own.
There are cost, security and sanity benefits to simplifying the cybersecurity stack and fully using the solutions that remain. To rationalize, IT managers must know what leads to “over” stacking and how to get started in culling.
Over-buying and under-utilizing
Many agencies have security technology stacks with solutions from 10-20 different vendors, each with its own sustainment tail. Frequently, they’re using 30 percent or less of the capabilities in each offering. Most could get similar or better security coverage with a compressed and focused security stack.
How did this happen? It’s the culmination of contracting regulations and carryover, a cross-industry cybersecurity skills gap and the rapid evolution of security threats and solutions.
A typical security stack includes the following solutions: firewall, intrusion detection or prevention system (IDS/IPS), malware detection, data loss prevention (DLP), forensics and analytics as well as security information and event management (SIEM). Many agencies have multiple iterations of each solution, which often have overlapping capabilities.
Newer offerings merge tools from traditionally distinct categories, increasing overlap. It’s safe to say that if the security tech stack isn’t overloaded and under-functioning today, it will be in the near future. It’s time to look at how solutions are vetted and acquired.
Carryover in an evolving market
Many solutions purchased under fixed price or LPTA -- lowest price, technically acceptable -- restrictions end up offering limited protection because they are purchased as a siloed tool versus part of a holistic security platform. For example, many malware solutions claim to be content-aware for DLP, meaning they can “see” and flag content such as sensitive or classified information hidden in email attachments, files that are heavily obfuscated or buried many layers within the payload, etc. However, malware solutions only run through three or four layers of decoding and inspecting -- if nothing is found, they assume that the content is safe. A DLP solution needs to dynamically unwrap and decode the entire session in real-time, particularly when highly sensitive or classified information is on the network.
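The fixed-depth versus full-unwrap distinction above is easy to see in code. The following is an added illustration, not code from the article or from any vendor: a constructed payload hides a classification marker under five encoding layers (gzip, base64, zip, base64, gzip), an inspector that gives up after three layers reports it as safe, and a DLP-style inspector that keeps decoding until no further layer applies finds it. The marker string, the layer set and the depth limit are constructed assumptions.

```python
"""Fixed-depth inspection vs. full unwrapping of nested content (added example)."""
import base64
import gzip
import io
import zipfile
from typing import List, Optional, Tuple

# Constructed marker standing in for a classification string a DLP policy matches on.
SENSITIVE_MARKER = b"CLASSIFICATION: SECRET"


def _wrap_once(data: bytes, layer: str) -> bytes:
    """Apply one encoding layer. Used only to build constructed test payloads."""
    if layer == "b64":
        return base64.b64encode(data)
    if layer == "gzip":
        return gzip.compress(data)
    if layer == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner.bin", data)
        return buf.getvalue()
    raise ValueError(f"unknown layer {layer!r}")


def build_nested_payload(secret: bytes, layers: List[str]) -> bytes:
    """Wrap `secret` in `layers`, innermost first. Constructed input, not real traffic."""
    data = secret
    for layer in layers:
        data = _wrap_once(data, layer)
    return data


def _unwrap_once(blob: bytes) -> List[bytes]:
    """Peel one layer by magic bytes; fall back to strict base64. Empty list if nothing decodes."""
    children: List[bytes] = []
    if blob[:2] == b"\x1f\x8b":  # gzip magic
        try:
            children.append(gzip.decompress(blob))
        except OSError:
            pass
    if blob[:2] == b"PK":  # zip local-file header
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                children.extend(zf.read(name) for name in zf.namelist())
        except zipfile.BadZipFile:
            pass
    if not children:
        try:
            decoded = base64.b64decode(blob, validate=True)
            if decoded and decoded != blob:
                children.append(decoded)
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return children


def inspect(data: bytes, max_depth: Optional[int]) -> Tuple[bool, int]:
    """Depth-first unwrap and scan.

    max_depth=3 models a malware engine that stops after a few layers and
    assumes the rest is safe; max_depth=None keeps going until nothing decodes.
    Returns (marker_found, depth at which it was found, or deepest layer reached).
    """
    stack = [(data, 0)]
    deepest = 0
    while stack:
        blob, depth = stack.pop()
        deepest = max(deepest, depth)
        if SENSITIVE_MARKER in blob:
            return True, depth
        if max_depth is not None and depth >= max_depth:
            continue  # the fixed-depth inspector gives up here
        for child in _unwrap_once(blob):
            stack.append((child, depth + 1))
    return False, deepest


if __name__ == "__main__":
    payload = build_nested_payload(SENSITIVE_MARKER + b" project notes",
                                   ["gzip", "b64", "zip", "b64", "gzip"])
    print("3-layer inspector:", inspect(payload, 3))      # (False, 3): reported safe
    print("full unwrap:      ", inspect(payload, None))   # (True, 5): marker found
```

The decoder identifies gzip and zip by their magic bytes and only tries base64 when nothing else matched, so plain text is not mistaken for an encoded layer. A production DLP engine would add many more container and archive types, size and recursion limits to resist decompression bombs, and would decode the whole session rather than a single file, but the structural difference the article describes is the depth bound alone.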
Efforts to find the most affordable options can also lead agencies to purchase software without training or support. Security analysts are already overwhelmed, and they don’t have time to learn to get the maximum ROI out of every product in their stack. Too many solutions force analysts to go wide versus deep, leaving powerful capabilities untapped. For example, most users have SIEM solutions to collect log data emitted from every product in the security stack, but important SIEM correlation capabilities go largely unused.
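The unused SIEM correlation capability referred to above amounts to joining events that separate products each consider routine. The following added example is not code from the article or any SIEM vendor: five constructed log lines from a firewall, an IDS and an endpoint agent (each with its own field names) are normalized into a common shape, and one rule links an IDS alert against an internal asset to a process start on that same asset within a ten-minute window. The line formats, field names, IP addresses and window are constructed assumptions.

```python
"""Cross-product SIEM-style correlation over constructed log lines (added example)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events. Each product logs in its own style; none is alarming alone.
SAMPLE_LOGS = [
    '2018-10-19T09:14:02Z fw action=allow src=203.0.113.7 dst=10.0.0.25 dport=445',
    '2018-10-19T09:14:05Z ids sig="suspicious SMB session" src=203.0.113.7 dst=10.0.0.25',
    '2018-10-19T09:14:40Z edr host=10.0.0.25 event=process_start image=powershell.exe parent=services.exe',
    '2018-10-19T09:30:00Z fw action=allow src=198.51.100.9 dst=10.0.0.31 dport=443',
    '2018-10-19T09:31:00Z edr host=10.0.0.31 event=process_start image=chrome.exe parent=explorer.exe',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value optionally double-quoted


def parse_line(line: str) -> Dict[str, object]:
    """Parse '<timestamp> <product> key=value ...' into a flat event dict."""
    ts, product, rest = line.split(" ", 2)
    event: Dict[str, object] = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "product": product,
    }
    for m in _KV.finditer(rest):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    # Normalize the internal asset each product refers to under one field name.
    event["asset"] = event.get("host") if product == "edr" else event.get("dst")
    return event


def correlate(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Rule: IDS alert on an asset followed by a process start on that asset within `window`."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    incidents = []
    for alert in (e for e in events if e["product"] == "ids"):
        for ev in events:
            if (ev["product"] == "edr" and ev.get("event") == "process_start"
                    and ev["asset"] == alert["asset"]
                    and alert["ts"] <= ev["ts"] <= alert["ts"] + window):
                incidents.append({
                    "asset": alert["asset"],
                    "signature": alert["sig"],
                    "remote": alert["src"],
                    "process": ev["image"],
                    "lag_s": int((ev["ts"] - alert["ts"]).total_seconds()),
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(inc)  # one incident on 10.0.0.25: IDS alert followed 35 s later by powershell.exe
```

Read per product, the firewall shows two allowed connections, the IDS shows one alert from the internet (usually noise) and the endpoint agent shows two process starts (routine). Only the join across products produces something worth an analyst's time, which is exactly the capability the article says goes unused when teams only know each tool in isolation.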
Additionally, while large stacks align to a defense-in-depth strategy in theory, they slow down holistic analysis. Attacks can take advantage of the fact that security is managed from point-product or category expertise, versus orchestrated as a greater whole.
Contract requirements are often written by category specialists, leading to requests for proposals that are hyper-focused on specific categories to the detriment of end-to-end protection. This is exacerbated when departments issue new RFPs using an old template. As cybersecurity categories are beginning to converge, now is the time to refresh how they are purchased.
Culling the stack
What government agencies need for cybersecurity is contextual visibility across the entire cyber infrastructure -- cloud to network to endpoint. Security funding continues to increase in the government sector, but to truly improve security, acquisitions must be made more holistically.
To get there, IT managers must understand system requirements via a full requirement analysis, moving away from the category framework. Next, they should look at the tech stack and identify overlap and integration needs with a gap and overlap analysis.
Continuous, real-time asset classification must also be part of an integrated cybersecurity stack. While the internet of things is creating tremendous value, it also means that to protect a network, IT managers must know the status of each device at all times. After all, a new or unknown network device could be the entry point for potential threats.
Next, agencies should not underestimate the importance of training, both on the solutions in the stack and on general cybersecurity tactics and techniques. If hackers are doing it, the cyber analysts should be too. Training should be included with every acquisition of new technology, and funds and time should be set aside for ongoing cyber education training and certifications.
A better stack
We’ve seen procurements containing more than 10 different categories of cybersecurity technologies, with multiple vendor products in each category. This is too much for a typical security team to efficiently understand, integrate, maintain or leverage.
If agencies cull the stack and provide contextual visibility across all layers of the environment -- network, endpoint, lateral movement, cloud and IoT -- security teams will be more effective and efficient. Agencies will get better intelligence and gain a holistic view of network threats. Plus, they'll reduce the cost and frustration felt in too many enterprise environments.
It might take some time and new thinking in terms of acquisition packages and contracting cycles, but it’s imperative agencies start thinking outside of the norm. Security is at stake.
Dale McCloskey is vice president, federal, with Fidelis Cybersecurity.