INDUSTRY INSIGHT

Reducing cyber risk with managed threat detection and response

As cyberattacks continue to grow in quantity and sophistication, agencies are struggling to keep up. The federal government experienced 28,581 cyber incidents in FY 2019. Adversaries are sharpening their tactics and carrying out more calculated and destructive attacks – including ransomware, espionage, politically motivated social engineering and intellectual property theft.

In May 2018, the Office of Management and Budget highlighted systemic cybersecurity risk management challenges across the federal government, finding that a majority of agencies lack visibility into what is happening on their networks. OMB mandated that agencies submit an enterprise-level cybersecurity operations maturation plan, as well as a complete plan for the maturation or consolidation of security operations centers (SOCs) or migration to SOC-as-a-service, by September 2020.

Unfortunately, many agencies do not have sufficient technology, manpower or in-house resources to take inventory of what’s occurring on their networks and act accordingly. Additionally, amid the pandemic, threats are only increasing as more employees work remotely and the attack surface expands.

How can agencies rise to the challenge and comply with this mandate, and what do they need to consider? Strategic agencies are embracing a shift to managed threat detection and response (MTDR) to augment their existing SOCs.

Managed threat detection and response for government

MTDR is a service that delivers advanced cybersecurity capabilities such as threat hunting, security monitoring, continuous security testing and incident response through a partner. It allows agencies to retain full visibility and control over their network, while benefiting from enterprise-level technology and expertise.

MTDR detects potentially malicious activity in the agency's specific environment and eradicates threats in real time. It supports and augments existing resources by helping agencies automate security operations, including repetitive tasks such as monitoring network activity. It also helps filter thousands of alerts down to precise, actionable data, with a single view of all assets and threats, which affords trained investigators and threat hunters the time to take critical action as needed.

By moving to MTDR and embracing a hybrid SOC model, agencies can keep pace with the evolving threat landscape and comply with OMB’s risk management mandate.

Hybrid SOC considerations

There are four main categories that agencies must consider as they carefully craft their SOC maturation plans.

1. Budget

Budget remains an Achilles’ heel to innovation. Many agencies know what tools or partners they need to leverage to improve their cybersecurity posture, but their budget remains tied up in existing support and legacy systems, hindering growth and development.

Recommendation: Determine cyber needs based on current and potential risks – and comfort levels with these risks – and then maximize efficiencies to protect those investments. Leverage the agency’s existing cyber investments and only invest more to integrate the portfolio into one MTDR platform. This helps fill any gaps in cyber resilience.

2. Data automation

Agencies and SOC operators need access to the right data at the appropriate time for successful cyber investigations and response. The right kind of data improves alerts, security orchestration, automation and response (SOAR) integration, and device connectivity.

Recommendation: Collaborate with in-house and industry experts to determine what SOC processes to automate and ensure focus on the right efficiencies and advances.

3. People

SOC operators are tasked with managing complex security programs, services and products. They have access to a host of valuable data as they carry out their agency’s security strategy from the front lines. As a result, it’s critical that government SOC data is only accessed by trusted experts.

Recommendation: Evaluate technologies to make sure they are run completely in-country and that vendors support a “U.S. eyes only” policy. This will ensure that only those who are committed to keeping U.S. government data secure have access to agency SOCs, whether they are government employees or contractors.

4. Compliance

As always, agency initiatives to address critical challenges, boost security and expand visibility must comply with ongoing government security requirements. Developing a cybersecurity operations plan is no different – potential solutions must be tailored to the government market and fulfill strict regulatory requirements such as International Traffic in Arms Regulations, the Federal Risk and Authorization Management Program, Defense Federal Acquisition Regulation Supplement, Cybersecurity Maturity Model Certification and Defense Department Impact Levels.

Recommendation: Leverage solutions and platforms that not only support the hybrid SOC model, but also are built for government to ensure security compliance. Agencies should also consider solutions hosted on secure cloud environments for an added layer of security.

As threats against the government become more frequent and sophisticated, agencies must continue to reduce risk and gain increased visibility and control. Nation-state adversaries have ample resources to invest in the best technologies and manpower, and they have time to continuously attack critical government assets. Models like MTDR are essential to leveling the playing field.

About the Author

Bill Rucker is president of Trustwave Government Solutions.
