Cybersecurity must become a full partner with IT and get more aggressive in searching out threats in order to effectively fulfill its mission of supporting agency missions.
Agency cybersecurity teams have not been accepted by IT shops as full partners in the job of supporting agency missions and as a result are falling farther behind in efforts to detect and block threats, said security analyst Mischel Kwon.
“That’s our fault,” said Kwon, president of Mischel Kwon and Associates and a former government cybersecurity official.
Security needs to adopt a more aggressive posture, seeking out threats rather than just detecting them and working with IT departments to follow through on remediation. Breaking down the walls between security and IT could enable better risk management and risk mitigation, Kwon said in a presentation at the FOSE conference in Washington, D.C. Keeping threat detection and mission support functions in separate shops hampers security in the face of increasingly complex attacks, she said.
Cyber threats have evolved in recent years, with familiar exploits and tools being used in compound attacks that are becoming more effective in slipping through defenses.
These malicious tools also are being used in new ways, with hacktivists indulging in espionage and sabotage alongside nation-states and criminal groups. Denial of service attacks are seeing a resurgence in popularity and effectiveness, and the Defense Department has publicly identified China as a source of cyber intrusions against U.S. private- and public-sector assets.
These changes have raised both the profile and the stakes of cybersecurity, Kwon said. “Maybe it’s time we looked at it differently,” she said of the threat landscape.
Security needs to take a broader view of detection, doing more packet and traffic analysis to discover patterns and identify threats before they are inside the systems and follow through on the remediation of weaknesses that are being targeted.
Identifying and detecting an attack does little good when underlying vulnerabilities are not corrected, she said. Too often, patch and configuration management have a low priority with IT departments that are focused on keeping IT systems available to end users, leaving the security team to battle the barbarians at the gates.
Kwon said these attitudes are beginning to change, with some security operations centers being located in data centers in an effort to forge closer ties between security and IT operations. Colocation is not necessary technically, she said, but partnering in the effort to protect data and support missions can create a more effective environment.
Continuous monitoring can be a powerful tool in the evolution of security if, instead of stopping at threat and vulnerability detection, it also follows up on remediation of weaknesses being targeted. For this to work, security has to be accepted as a full partner in mission support rather than as a separate entity operating outside the IT perimeter, she said.