Put security in the background to put security first
- By Jim Hansen
- Jan 23, 2019
The escalating threat landscape and the increasing complexities of federal IT networks are inevitably intertwined. Government IT professionals are tasked with providing access to network services for thousands of employees, using hundreds of thousands of devices, across the country and around the globe. Hackers see this as an opportunity -- all of those access points and devices represent potential vulnerabilities they can exploit.
Evolving government networks will continue to be an appealing target for both foreign and domestic adversaries. Network administrators must find ways to keep the wolves at bay while still providing uninterrupted and seamless access to those who really need it. Here are three things they can do to help maintain this delicate balance.
1. Gain visibility and establish a baseline
Agency network admins must realistically assess how many devices (and what types) are connected to their networks and who is using those devices. That information establishes visibility into the scope of activity taking place and lets teams expose shadow IT resources and root out unauthorized devices and users. Administrators should also consider whether every one of those devices should be allowed to keep operating: permitting a wide range of devices can help worker productivity, but it also limits how tightly security can be enforced.
Once that’s done, teams can gain a baseline understanding of what’s considered normal and monitor from there. They can set up alerts to help notify them of unauthorized devices or suspicious network activity that’s outside the realm of normal behavior.
All of this monitoring can be done in the background, without interrupting user workflows. The only time users might get notified is if their device or activity is raising a red flag. Everyone else can continue working without interruption.
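The baseline-and-alert step described above, as an added example that is not part of the original article and is not SolarWinds code. It assumes two constructed inputs: an inventory of known devices (MAC, hostname, owner) gathered during the baseline period, and DHCP lease log lines in a hypothetical `<timestamp> DHCPACK <ip> <mac> <hostname>` format. Unknown MACs and hostname mismatches are reported, and per-device flow counts are compared against baseline statistics so only outliers raise an alert.

```python
"""Device baseline and deviation alerts (added example; constructed data)."""
import math
import re
from dataclasses import dataclass

# Constructed baseline inventory from the discovery period: MAC -> (hostname, owner).
BASELINE_DEVICES = {
    "00:1a:2b:3c:4d:01": ("ws-hr-01", "jdoe"),
    "00:1a:2b:3c:4d:02": ("ws-fin-07", "asmith"),
    "00:1a:2b:3c:4d:03": ("printer-3f", "facilities"),
}

# Constructed per-device daily flow counts observed during the baseline period.
BASELINE_FLOWS = {
    "00:1a:2b:3c:4d:01": [120, 130, 118, 125, 140],
    "00:1a:2b:3c:4d:02": [90, 100, 95, 105, 100],
}

# Constructed DHCP lease log; the hostname on the last line does not match the
# baseline entry for that MAC, and the third MAC is not in the inventory at all.
SAMPLE_DHCP_LOG = """
2019-01-22T08:01:12 DHCPACK 10.20.1.15 00:1a:2b:3c:4d:01 ws-hr-01
2019-01-22T08:03:40 DHCPACK 10.20.1.16 00:1a:2b:3c:4d:02 ws-fin-07
2019-01-22T12:44:05 DHCPACK 10.20.1.77 a4:5e:60:ff:00:99 android-9f21
2019-01-22T13:10:00 DHCPACK 10.20.1.18 00:1a:2b:3c:4d:03 ws-hr-01
"""

# Hypothetical log format assumed for this example.
LEASE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DHCPACK\s+(?P<ip>[\d.]+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<host>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ts: str
    ip: str
    mac: str
    host: str


def parse_leases(text):
    """Parse lease lines; lines that do not match the expected format are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"]))
    return leases


def unknown_devices(leases, baseline):
    """Return (lease, reason) for MACs missing from the baseline or whose
    hostname differs from the baseline record (a possible spoofed or reimaged host)."""
    findings = []
    for lease in leases:
        known = baseline.get(lease.mac)
        if known is None:
            findings.append((lease, "mac not in baseline inventory"))
        elif known[0] != lease.host:
            findings.append((lease, f"hostname {lease.host!r} differs from baseline {known[0]!r}"))
    return findings


def flow_anomalies(observed, baseline_flows, z_threshold=3.0):
    """Flag devices whose observed flow count sits more than z_threshold
    sample standard deviations above their baseline mean. Devices with no
    baseline history are skipped rather than alerted on, to avoid noise."""
    alerts = {}
    for mac, count in observed.items():
        hist = baseline_flows.get(mac)
        if not hist or len(hist) < 2:
            continue
        mean = sum(hist) / len(hist)
        std = math.sqrt(sum((x - mean) ** 2 for x in hist) / (len(hist) - 1))
        std = std or 1.0  # floor for perfectly flat baselines
        z = (count - mean) / std
        if z > z_threshold:
            alerts[mac] = round(z, 1)
    return alerts


if __name__ == "__main__":
    for lease, reason in unknown_devices(parse_leases(SAMPLE_DHCP_LOG), BASELINE_DEVICES):
        print(f"ALERT device {lease.mac} ({lease.host}) at {lease.ts}: {reason}")
    today = {"00:1a:2b:3c:4d:01": 900, "00:1a:2b:3c:4d:02": 95}  # constructed counts
    for mac, z in flow_anomalies(today, BASELINE_FLOWS).items():
        print(f"ALERT device {mac}: flow count z-score {z}")
```

Only the two flagged leases and the one outlier device produce output; every other device on the constructed network is never mentioned, which is the "in the background" property the section describes. The z-score threshold is a starting point, not a tuned value.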
2. Automate security processes
Many network vulnerabilities are introduced by human error or malicious insiders. This is especially true on Department of Defense networks. These vast and highly distributed networks comprise many different users, devices and locations, and it can be difficult for administrators to detect when something as simple as a network configuration error occurs, particularly if they rely on manual network monitoring processes.
Administrators should create policies that define approval levels and change-management processes, so that no configuration change is made without approval and supporting documentation.
They can also employ an automated system running in the background that supports these policies and tracks unauthorized or erroneous configuration changes. The system can scan for unauthorized or inconsistent configuration changes that fall outside of the norm. It can also look for non-compliant devices, failed backups and even policy violations.
When a problem arises, the system can correct the issue automatically, or the IT administrator can target just the affected device or setting. There is no need for a large-scale network shutdown that would deprive most of the staff of critical access to connectivity and information. The network -- and those who rely on it -- can continue to operate as usual while security policies are enforced.
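The change-management check and targeted correction described in the three preceding paragraphs, as an added example; it is not code from the article or from SolarWinds. It assumes constructed inputs: an approved baseline config per device, a list of change records that each carry the reviewed config text for a ticket, and the config currently running on each device. A running config that matches its baseline is compliant; one that matches an approved change record is an authorized change; anything else is unauthorized drift, which is the only case the remediation plan touches.

```python
"""Config drift audit against change-management records (added example; constructed data)."""
import difflib
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class ApprovedChange:
    ticket: str        # change-request identifier (hypothetical format)
    device: str
    new_config: str    # the reviewed config text attached to the approval


@dataclass
class Finding:
    device: str
    status: str                     # compliant | approved-change | unauthorized-drift | no-baseline
    ticket: Optional[str] = None
    diff: List[str] = field(default_factory=list)


# Constructed approved baselines, one per device.
APPROVED_CONFIGS = {
    "core-rtr-01": "hostname core-rtr-01\nno ip http server\nlogging host 10.20.0.5\n",
    "edge-fw-02": "hostname edge-fw-02\nlogging host 10.20.0.5\n",
    "dist-sw-03": "hostname dist-sw-03\nlogging host 10.20.0.5\n",
}

# Constructed change record: an approved, documented change for one device.
CHANGE_RECORDS = [
    ApprovedChange(
        "CHG-1042", "edge-fw-02",
        "hostname edge-fw-02\nlogging host 10.20.0.5\nntp server 10.20.0.9\n",
    ),
]

# Constructed running configs: core-rtr-01 has drifted with no ticket,
# edge-fw-02 matches CHG-1042, dist-sw-03 is untouched.
RUNNING_CONFIGS = {
    "core-rtr-01": "hostname core-rtr-01\nip http server\nlogging host 10.20.0.5\n",
    "edge-fw-02": "hostname edge-fw-02\nlogging host 10.20.0.5\nntp server 10.20.0.9\n",
    "dist-sw-03": "hostname dist-sw-03\nlogging host 10.20.0.5\n",
}


def audit(running, approved, changes):
    """Classify each device's running config against its baseline and the approved changes."""
    by_hash = {(c.device, sha256(c.new_config)): c for c in changes}
    findings = []
    for device, cfg in running.items():
        base = approved.get(device)
        if base is None:
            findings.append(Finding(device, "no-baseline"))
            continue
        if sha256(cfg) == sha256(base):
            findings.append(Finding(device, "compliant"))
            continue
        record = by_hash.get((device, sha256(cfg)))
        if record is not None:
            findings.append(Finding(device, "approved-change", ticket=record.ticket))
            continue
        diff = list(difflib.unified_diff(
            base.splitlines(), cfg.splitlines(), "approved", "running", lineterm="", n=0))
        findings.append(Finding(device, "unauthorized-drift", diff=diff))
    return findings


def remediation_plan(findings, approved):
    """Return {device: config to restore}. Only unauthorized drift is rolled back,
    and only on the affected device; approved changes and compliant devices are left alone."""
    return {f.device: approved[f.device] for f in findings if f.status == "unauthorized-drift"}


if __name__ == "__main__":
    results = audit(RUNNING_CONFIGS, APPROVED_CONFIGS, CHANGE_RECORDS)
    for f in results:
        print(f"{f.device}: {f.status}" + (f" ({f.ticket})" if f.ticket else ""))
        for line in f.diff:
            print("    " + line)
    for device in remediation_plan(results, APPROVED_CONFIGS):
        print(f"restore approved config on {device}")
```

An "approved-change" finding is a signal to promote that ticket's config to the new baseline, so the next audit treats it as compliant; a "no-baseline" finding means the device belongs in the visibility step first. Hashing whole configs keeps the comparison exact, and the unified diff is what the administrator reads when deciding to roll the drift back.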
Automated and continuous monitoring for government IT can go well beyond configuration management, of course. Agencies can use automated systems to monitor user logs and events for compliance with agency security policies. They can also track user devices and automatically enforce device policies to help ensure that no rogue devices are using the network.
In the event of an incident or attack, administrators can use forensic data captured by the automated system to trace the incident back to its source and address the problem directly. Recall the joke about Schrödinger's backup (the condition of a backup is unknown until a restore is attempted): the same applies to evidence, so security teams should verify ahead of time that they are capturing the right data and preserving it in a form that will hold up should a legal investigation become necessary. Through artificial intelligence and machine learning, the system can then use that data to learn what happened and apply that knowledge to better mitigate future incidents. At the same time, agency IT teams can use that information to develop new security policies or augment current ones as necessary.
3. Lock down security without compromising productivity
The systems and strategies outlined above can maintain network security without interfering with workers' productivity. The systems do not focus on individual users. Instead, they look for overall patterns and anomalies that deviate from an established baseline of activity. Only when and if something comes up is a user affected, and even then the response will likely be as targeted as denying network access to that particular device or person.
In the past, that kind of environment has come with a cost. IT professionals have had to make a binary choice between providing users with unfettered access to the tools and information they need to work or tightening security to the point of restriction. The former can expose agencies to risks, while the latter can hinder productivity.
Fortunately, that approach is no longer necessary. Today, federal IT administrators can put security at the forefront by making it work for them in the background. They can let the workers work -- and keep the hackers at bay.
Jim Hansen is VP of products, security, at SolarWinds.