It’s time for a better approach to cybersecurity
- By Brett Galloway
- Oct 19, 2020
The role of chief security officer has never been easy, especially in the complex bureaucracies of the federal government. Stakes are high, IT infrastructure is sprawling and Congressional oversight could lead to a hearing in an instant. Additionally, nation-states and criminals are increasing their attacks against government agencies, shifting from disruptive and destructive tactics to large-scale social manipulation through disinformation operations.
Security teams are tasked with defending U.S. government critical assets against cyberthreats, yet they often lack insight into the effectiveness of their security controls. Unless they are exercised regularly, security controls fail through misconfiguration or user mistakes. Security leaders can help solve this problem by focusing their teams on the threats that matter most and by shifting their approach to a data-driven strategy with performance effectiveness at the center.
The need for increased security effectiveness is clear. Today government agencies face elevating cyberthreats since the onset of COVID-19 and heightened tensions in American society, particularly in advance of the 2020 presidential election. Unemployment and civil unrest provide nation-state groups with preconditions for operations, as a recent Harvard University study on disinformation outlined. The FBI and Department of Homeland Security recently warned against Chinese and other state-sponsored attackers increasing malicious operations amidst the pandemic. Within government, the pandemic has strained workforces, leaving them ill-equipped to address the increasing number of threats. With Gartner forecasting global government IT spending will decline 0.6% in 2020, it’s unclear how agencies can remain secure on a leaner budget.
How to do more with less
Government IT managers need a way to optimize their security strategy by continuously validating their networks and gauging the effectiveness of current controls to ensure their investments work as intended.
Security optimization is the management practice of maximizing the efficiency and effectiveness of an organization’s total security program by ensuring that existing control investments are measured, monitored and modified continuously from a threat-informed perspective. Security optimization is not about cost cutting; it is about programmatically aligning security and risk services within the organization.
It all comes down to data. To achieve efficiency and effectiveness across a security program, government agencies must shift from a project-centric to a program-oriented mindset with performance data at the center.
What would that program look like? First, it would be underpinned by the MITRE ATT&CK framework. Second, it would include automated testing, pitting cyberdefenses against known threats. Third, it would use automated testing to generate real data about the security team’s operational performance.
This is a shift in security program strategy. By organizing teams around a shared view of threats, automation and performance data, security leaders can make programmatic improvements in people, process and technology to gain the best return on investment.
Traditionally, “blue team” network defenders focus their operations on meeting baseline cybersecurity best-practices: correcting misconfigurations, administering patches and deploying best-in-class commercial products. If defenses are not oriented toward the most important threats, however, those resources are wasted. If they are not tested actively against probable threats, they are likely to fail when challenged by the adversary, letting the attacker slip past.
Security organizations typically turn to “red teams” and penetration testing to help secure the enterprise. Red teaming is the process of testing technologies, policies, systems and assumptions by adopting an adversary’s approach. Although red teams often discover faults in cyberdefense programs, red-team testing is notoriously sporadic, under-resourced and ineffective in validating security controls continuously and at scale to achieve real security effectiveness.
One way to improve the efficiency of this approach is by having blue- and red-focused teams adopt a purple team mindset for cyberdefense operations. Purple team doctrine ensures that organizations optimize their cybersecurity continuously by validating their controls against a library of known attack methods. Purple teams focus on the overarching threat landscape. They understand their security technologies, their organization and its operational attributes. When combined with automation, security teams can test these operations at scale, across the organization, and discover ways to improve security efficiency and effectiveness. The Defense Department has conducted purple team operations to achieve cybersecurity effectiveness for military networks. Other government agencies should adopt a threat-informed, purple team mindset to improve their cybersecurity effectiveness at a programmatic level.
By ensuring that existing security investments are measured, monitored and modified continuously from a threat-informed perspective, senior security leaders can use performance data to make sound investment decisions, improve the cybersecurity of government agencies and better protect Americans’ data.
Brett Galloway is CEO of AttackIQ.