Evaluating cybersecurity risk

INDUSTRY INSIGHT

Achieving 'guaranteed state' is critical to overcoming security and compliance risk

Government agencies face a harrowing situation when it comes to protecting endpoints against security breaches and compliance failures. IT staffers are continuously bombarded by security tools alerting them to potential risks, while compliance mandates are constantly changing, making it virtually impossible to keep machines up to date with the latest requirements.

Complicating matters further for IT departments, the number of remote workers is growing rapidly, with some 40% of office desks vacant on any given day. Already, more than 75% of IT pros say remote work will continue to be a security risk until they figure out how to rein in remote machines. That means more machines outside the firewall, connecting randomly to public/unsecured Wi-Fi out in the wild.

Certainly, the threat of routine audits by the Government Accountability Office incentivizes compliance, driving massive efforts to wrestle machines into spec. But even this often proves futile. According to a Verizon security report, over 70% of organizations fell out of compliance less than one year after being validated.

In fact, a recent federal cybersecurity survey shows that over half of IT professionals are complacent about security controls and mandates, treating them as box-checking exercises without realizing the real, measurable security outcomes that can be achieved. In other words, they’re just going through the motions.

This perfect storm is creating a crisis of control: Agencies know they need endpoint visibility and control, but regardless of their good intentions, it’s just not possible with current tooling.

The solution to the problem is, theoretically, simple: Government IT organizations must achieve a “guaranteed state,” an endpoint configuration status in which patches, security policies and system settings are monitored and applied in real-time automatically across every machine.

But, achieving this guaranteed state is essentially impossible with conventional tools. Why?

Ineffective monitoring. Security and group policy management tools simply do not provide the required level of real-time visibility over endpoint status. This is especially true with remote machines, which often connect “lightly” or for very brief periods of time -- users at an airport checking email or at home updating a document, for example. With insufficient connectivity to fully share their current status back to IT, these machines are essentially wildcards. IT has no way of knowing whether they adhere to defined policy requirements, and thus risk creeps in.

Poor software asset management. In most IT organizations, SAM essentially involves keeping track of software licenses to ensure they’re all paid up. However, this tells the agency nothing about the current status of those installations on each device. Are the machines running the latest version? Have security patches been applied? Is the software necessary for that user? Not only does poor SAM mean agencies could be overpaying for licenses they don’t even use -- a failure of fiduciary fiscal responsibility -- but it also creates a significant security risk. Without knowing what software is installed on users’ systems, there’s no way to keep security holes patched.

Configuration drift. Lack of visibility leads directly to configuration drift. A machine that left the office fully compliant can easily become high-risk with the first unapproved (and often unintentional) configuration change by the end user.  Moreover, most security tools were built for machines connected to local-area network. That means even if agencies have a rule preventing use of a USB drive, if a remote user works offline, the rules literally do not apply.

Overwhelmed IT staff. IT security and operations teams are inundated with tasks to merely maintain system uptime, user accessibility and productivity. Add in the additional pressure of audit preparation, and they can feel overwhelmed. But instead of inciting panic, this constant sense of being snowed under can actually breed complacency. As tasks pile up faster than they can be completed, the attitude becomes, “Take a number. I’ll get to it in a few days.” And thus begins the spiral of outdated, noncompliant machines -- a dangerous situation when the real-time nature of the threat landscape demands immediate action.

Lack of control. If achieving visibility over endpoints, their configuration status and the software running on them is a huge hurdle, gaining control is essentially impossible. Making even minor adjustments to settings, let alone applying major operating system patches, is a massive, manual effort, and inevitably many, many machines get lost in the shuffle. With the rapid pace of cybersecurity threat evolution, that means untold number of endpoints are vulnerable at any given moment. Without immediate remediation capabilities at scale, this leads to configuration drift, noncompliance and substantial security risk. The vicious cycle continues.

By leveraging real-time monitoring and automated remediation solutions to manage basic hygiene, government IT organizations can achieve a guaranteed state of security. With solutions that provide current state visibility, rather than last-known state, and automated maintenance of standards-based security controls, government organizations can avoid the configuration drift that sets them on a path of high-risk vulnerability.

Automation also can save a tremendous amount of time. IT teams can generate audit-ready reports in minutes and patch or remediate noncompliant machines en masse remotely, without impacting user productivity. And, with the right system, even “lightly connected” machines are no longer a problem -- the rules apply even in an offline state.

This capability gives IT teams the immediacy of control and response that ensures guaranteed state security and compliance across every endpoint.

About the Author

Sumir Karayi is the CEO of 1E.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.