Reduce the noise to strengthen agency cybersecurity defenses
- By John Nemoto, Chris Lavergne
- May 26, 2021
Technology advances have given cyber criminals and hostile nation-states more tools to breach networks and gain access to sensitive data, relegating standard perimeter security tools and firewalls to mere first-layer status. Attacks are growing increasingly sophisticated, more devastating and much harder to identify and mitigate, especially in vast government agency networks with countless points of entry. Even with aggressive defenses, network perimeter breaches are inevitable.
Federal agencies must have robust tools and technologies in place to help administrators identify and contain irregular activity. The ability to quickly and reliably spot, resolve and protect against threats by reducing the noise is paramount.
That noise -- the enormous volume of network traffic -- is the problem. Noise can make it nearly impossible for a security analyst to differentiate between legitimate data exchanges and security risks. A comprehensive cybersecurity framework helps reduce the noise so anomalies are more readily apparent.
There are five crucial elements of a noise-cancelling cybersecurity framework:
1. Maintaining a security-focused approach to development
Not all networks are built with security as a primary objective. DevSecOps provides a security-focused approach throughout the development process when implementing new tools, resulting in a more secure end product.
For many years, a DevOps approach was the traditional way of implementing new software across government, because it prioritizes business functions to facilitate organizational decision-making. Security was important, but not a core consideration during development.
DevOps is effective, but by not building security into the process from the beginning, it can leave developers with security vulnerabilities that are too costly or too time consuming to address after-the-fact. DevSecOps helps to change the underlying business culture to one that embraces security and considers the downstream security impacts of decisions. Doing so helps organizations choose solutions and processes that are secure and helps close many cybersecurity vulnerabilities earlier in the development process.
2. Employing layered protection tools
With a security-focused approach to development, agencies start from a position of strength to defend against breaches. Adding protection tools helps to fortify an organization’s defenses further.
Securing organizational data is the primary goal of any cybersecurity framework. To do so effectively, agencies should employ security at multiple levels. Securing the network, and all the underlying systems and devices that access it, neutralizes the majority of threats. That makes it easier to spot nefarious activity.
There are several types of layered security approaches. Perimeter and endpoint security act as an initial barrier, protecting against the most common breach methods that hackers deploy. Perimeter security filters the most obvious network threats, reducing the amount of data traffic and making the threats that make it through simpler to flag.
Endpoint security allows agencies to understand how devices should behave while on the network and can help identify anomalous requests that can indicate someone has penetrated the network. Endpoint security policies, which define what capabilities employee devices should have and bind devices to only their necessary functionality, can prevent hackers from accessing and using employee devices to penetrate the network further.
Zero-trust authentication protocols can help ensure that hackers who have commandeered employee devices or breached the external network do not have free rein to access sensitive data. Zero-trust assumes that every attempt to access the system is from an unknown entity and requires proper credentials, every time, before granting access.
3. Engaging in effective, real-time threat monitoring
Real-time threat monitoring is effective only with security tools filtering out most of the more rudimentary attacks and ensuring devices and systems are behaving as they should. Because these tools have an understanding of each system’s intended function, they can more quickly detect and alert administrators to suspicious activity. As such, security teams can focus less on monitoring network traffic and more on anomalies requiring quick resolution.
Advanced approaches to real-time threat monitoring allow agencies to be proactive in the fight against cybersecurity threats. One such approach is a security operations center, which establishes a specific centralized function within an organization that is designed to continuously monitor and improve cybersecurity posture. With excess data filtered out and a team specifically dedicated to analyzing cyber threats, an organization’s administrators can become threat hunters.
4. Providing comprehensive cybersecurity education and training
Even the most robust cybersecurity tools work best alongside a strong, comprehensive cybersecurity training and education program.
Agencies should educate their workforce consistently on present-day cybersecurity threats. The social engineering schemes that hackers employ, designed to steal login information and install malware on systems, are much less likely to be effective when employees are aware of the methods cybercriminals are likely to use. A 2020 study highlighted that breaches due to insider risks have increased by 47% since 2018. Moreover, about 62% of the breaches that resulted from insider risks were due to employee negligence or inadequate training. Emphasizing the importance of vigilance against threats and making workforce training a priority throughout the agency reduces cybersecurity noise from within the organization, allowing administrators to keep the number of threats they face manageable.
5. Choosing the right strategic partner
With a combination of smart tools and an educated, engaged cybersecurity workforce, an agency has the building blocks of a strong cybersecurity posture. Even so, putting them all together to form a strong defense against cyberattacks requires guidance from the vendor providing or helping to implement the tools.
A strategic partner brings knowledge of what has worked for other agencies and what issues others have encountered, and it can prevent agencies from repeating mistakes others have made. Additionally, working with a vendor that can provide solutions, tools and the services that keep agencies secure creates a closed development process that results in more secure data exchanges between systems. There is also an inherent compatibility between systems that are designed to work together. Choosing the right strategic partner provides the context and expertise agencies need to put together all the pieces of a strong cybersecurity framework.
Preparing for emerging cybersecurity threats
Taking the steps outlined above, agencies can secure sensitive data effectively and ensure underlying systems prevent threats from penetrating other key areas. However, the battle does not end once an effective cybersecurity framework is in place. As threats and risks evolve, cybersecurity prevention tools and processes quickly become outdated. Agencies must be forward thinking, looking to continuously adapt to evolving risks and threats by educating their workforce and updating obsolete tools and processes. With up-to-date robust tools, detailed processes and policies and an involved cybersecurity workforce, agencies can reduce the noise and spot the hidden and more complex risks and threats.
John Nemoto is a vice president at CGI Federal.
Chris Lavergne is the lead systems integration manager for the Department of Homeland Security’s CDM DEFEND Group C, a part of DHS’ Continuous Diagnostics and Mitigation program.