Zero trust is not enough: The case for continuous control validation
- By Stacey Meyer
- Aug 30, 2021
From SolarWinds to the Colonial Pipeline and Kaseya ransomware incidents, there has been a notable uptick in the frequency and severity of cyberattacks. A complete cybersecurity overhaul is needed, and nowhere is that more apparent than with one of the most prominent targets in cyberspace -- the federal government.
In mid-May, President Joe Biden signed an executive order that calls for a zero-trust architecture across all federal agencies. That is an important step, and it gives security teams a concrete pathway toward an architecture that no longer trusts a user, device or connection simply because it sits inside the network, but it is only half the battle. The other core capability is testing defenses continuously and at scale, so that agencies generate performance data and can validate that their controls actually work.
The challenge of securing the federal government
Because agencies have been slow to modernize their technology infrastructures, a different security model is necessary. When Russian state-sponsored hackers compromised SolarWinds' Orion software to mount a supply-chain intrusion, the federal government's multibillion-dollar intrusion detection system, Einstein, which relies largely on signatures of previously known threats, failed to spot the attack.
Federal civilian agencies need a robust zero-trust architecture to stop intruders; just as important, they need visibility into how well that security program actually performs against advanced attacks. Without that visibility the security team is operating in the dark, so it is no surprise when cybercriminals come out on top.
Earlier this month, the Senate Homeland Security and Governmental Affairs Committee released a bipartisan report reviewing agency cybersecurity. The average grade of eight key government agencies, including the Department of Homeland Security, the State Department and the Social Security Administration, was a C-. This grade was based on several federally mandated standards not being met. The report outlined instances of outdated systems, overlooked required security patches and insufficient safeguards to protect sensitive data such as names, birthdays, salary, Social Security numbers and credit card accounts.
Shifting the mindset to a proactive defense
It is critical for every agency in the federal government to achieve a proactive, rather than a reactive, security posture. Agencies must assume they will be breached and invest in security solutions that validate their security program's effectiveness continuously and in an automated fashion, including the zero-trust controls intended to stop adversaries from moving laterally across the network.
Penetration testing once or twice a year is not sufficient: it yields a point-in-time result, and the program goes untested for the months in between, which is exactly when configuration drift and new adversary tradecraft creep in and when an adversary can penetrate an untested security program.
By adopting automated testing, agencies can save money, improve their cybersecurity posture and increase their team's productivity. Automation makes testing routine, so that changes in the environment that impact a security control's effectiveness (a rule disabled, a sensor misconfigured, a new attacker procedure that an existing rule does not cover) are quickly recognized by security staff rather than discovered during an incident. Continuous evaluation of security effectiveness lets agencies detect gaps in their investments and fix deficient programs. The goal for a federal civilian agency should therefore be a validated zero-trust environment in which every security control is shown to work as intended.
Ensure the automated testing platform is aligned with the latest threat intelligence
Recognizing the leading threats, and how current defenses stack up against them, puts federal agencies in a better position to achieve cybersecurity effectiveness. This insight rests on each agency's ability to think like an attacker. That is why security teams must ensure their validation tooling aligns with the MITRE ATT&CK framework, a publicly available knowledge base of adversary tactics, techniques and procedures drawn from real-world observations. Using ATT&CK as the catalogue of known adversary behavior, agencies can run automated adversary emulations and measure precisely how well their security programs perform against current attack techniques, and they can re-run those emulations every time either side of the equation changes: the defenses or the adversary's procedures.
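To make the preceding two points concrete (automated validation that notices environment changes, and ATT&CK-aligned adversary emulation), here is an added, self-contained example written for this page; it is not AttackIQ's platform, MITRE's tooling, or code from the original article. It assumes a deliberately tiny model: each emulation is one ATT&CK-tagged procedure rendered as the process command line it would leave in telemetry, each control is a regex detection rule over that command line, and the emulation library, rules and command lines are all constructed here for illustration. The point it shows is that a single run only gives a point-in-time coverage map, while diffing two runs turns validation into a regression test: a rule an operator disabled and a procedure variant introduced by a threat-intelligence refresh both surface as regressions against the baseline.

```python
"""
Continuous control validation harness, in miniature (illustrative code, not
AttackIQ or MITRE software). Emulations, detection rules and telemetry are
constructed for this example.
"""
from dataclasses import dataclass, replace
import re


@dataclass(frozen=True)
class Emulation:
    technique: str   # ATT&CK technique ID the test exercises
    name: str        # procedure variant being emulated
    cmdline: str     # constructed process-creation telemetry the procedure leaves


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str     # regex the detection control applies to the command line
    enabled: bool = True

    def fires(self, emu: Emulation) -> bool:
        return self.enabled and re.search(self.pattern, emu.cmdline, re.I) is not None


# Constructed emulation library: one representative procedure per technique.
EMULATIONS = [
    Emulation("T1059.001", "PowerShell encoded command",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    Emulation("T1003.001", "LSASS dump via comsvcs.dll",
              "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\l.dmp full"),
    Emulation("T1021.002", "Admin share mapping for lateral movement",
              "net.exe use \\\\FS01\\ADMIN$ /user:CORP\\svc-backup P@ss"),
    Emulation("T1047", "WMI remote process creation",
              "wmic.exe /node:FS01 process call create cmd.exe"),
]

# Constructed detection controls. Note that nothing covers T1047 at all.
RULES = [
    Rule("ps_encoded_command", r"powershell.*\s-enc\b"),
    Rule("comsvcs_minidump", r"comsvcs\.dll.*minidump"),
    Rule("admin_share_use", r"net.*\suse\s+\\\\\S+\\(admin|c)\$"),
]


def run_suite(emulations, rules):
    """Map each technique to the names of the controls that fired on its emulation."""
    return {emu.technique: [r.name for r in rules if r.fires(emu)] for emu in emulations}


def coverage(results):
    """Collapse per-rule hits into a detected / not-detected verdict per technique."""
    return {technique: bool(hits) for technique, hits in results.items()}


def regressions(baseline, current):
    """Techniques the program detected in the baseline run but misses now."""
    return sorted(t for t, ok in baseline.items() if ok and not current.get(t, False))


def validate(emulations, rules, baseline=None):
    """One validation cycle: run everything, score it, diff against the last run."""
    current = coverage(run_suite(emulations, rules))
    return {
        "coverage": current,
        "detected": sum(current.values()),
        "total": len(current),
        "gaps": sorted(t for t, ok in current.items() if not ok),
        "regressions": regressions(baseline or {}, current),
    }


def drifted_environment(emulations, rules):
    """Two changes an annual pentest would miss between engagements: an operator
    disables a noisy rule, and a threat-intelligence refresh updates the PowerShell
    procedure to the -e shorthand (PowerShell accepts any unambiguous prefix of
    -EncodedCommand, so a rule anchored on "-enc" never sees it)."""
    new_rules = [replace(r, enabled=False) if r.name == "comsvcs_minidump" else r
                 for r in rules]
    new_emus = [replace(e, name="PowerShell -e shorthand",
                        cmdline=e.cmdline.replace(" -enc ", " -e "))
                if e.technique == "T1059.001" else e for e in emulations]
    return new_emus, new_rules


if __name__ == "__main__":
    base = validate(EMULATIONS, RULES)
    print("baseline:", base["detected"], "/", base["total"], "gaps:", base["gaps"])
    emus, rules = drifted_environment(EMULATIONS, RULES)
    after = validate(emus, rules, baseline=base["coverage"])
    print("after drift:", after["detected"], "/", after["total"],
          "regressions:", after["regressions"])
```

The baseline run reports 3 of 4 techniques detected with T1047 as a standing gap; after the drift it reports 1 of 4 and names T1003.001 and T1059.001 as regressions. Two design choices matter in practice: the emulation library must be keyed to ATT&CK technique IDs so that a refreshed procedure replaces its predecessor under the same ID and coverage stays comparable across runs, and the score worth tracking is the diff against the previous run rather than the raw pass count, because the diff is what tells staff that a control that used to work no longer does.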
Adopting a zero-trust strategy with automated, continuous testing will fundamentally alter how the federal government protects its critical assets. The continuous data flow from automated testing gives security leaders the insights they need to effectively modify inadequate security tools and programs and better prepare for future cyberattacks. As a result, they will be able to clearly communicate the effectiveness of their cybersecurity programs to Congress and the American people.
Stacey Meyer is VP of federal operations at AttackIQ.