Where are all your assets on your network? That is the first question agency chief information security officers may want to ask on their journey toward a zero trust architecture.
Shane Barney, the chief information security officer at U.S. Citizenship and Immigration Services in the Homeland Security Department, said the answer to this seemingly simple but actually complex question is essential to truly moving toward a zero trust architecture.
“Devices are a key piece of any zero trust strategy, and it really goes back to this concept of an attack surface, which is your continuous discovery, inventory, classification, prioritization and security monitoring of all of your digital assets, as well as your hardware. From my perspective, having a 100% understanding of your devices on your network is critical for day one. You don’t do zero trust without it,” Barney said on Ask the CIO. “If you only have 50% of your known assets that you have control over, don’t even bother doing zero trust because you really got to fix that problem.”
Barney readily admits that knowing and managing an agency’s endpoints isn’t an easy task. He said USCIS has 160,000 to 170,000 endpoints, and they are constantly changing because so much of its infrastructure, applications and workloads are already in the cloud.
“We have cloud assets that will generate 1,000 new endpoints every hour, and then shut them all down just as quickly. So staying on top of that is where automation becomes critical,” he said. “Automation is going to do a couple of things for you. One, it’s going to verify and ensure that the things that are coming onto your network are yours and are verified. This is going to be done through your certificate automation and making sure you’ve got tokens issued on all the proper devices. It’s that first-level authentication for you. There’s a behavioral component to this as well. There aren’t enough humans on the planet to monitor this kind of stuff. You’re talking about terabytes upon terabytes of data being generated every day, just to monitor this. So your automation kicks in and starts asking these questions for you.”
Barney said the technology tools can highlight “bumps” on the curve that no human could see through all this data.
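The inventory check Barney describes, as an added example that is not code from USCIS or the article: two constructed discovery snapshots an hour apart, each endpoint checked against the serials the (hypothetical) certificate automation has issued, with a coverage figure that must reach the "100% for day one" bar before zero trust makes sense and a triage list that surfaces only the new, unverified endpoints for an analyst.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    host_id: str
    kind: str                   # "cloud" (ephemeral) or "hardware" (laptop, server)
    cert_serial: Optional[str]  # serial of the device certificate it presented, None if none

# Constructed sample data: serials the certificate automation has actually issued.
ISSUED_CERTS = {"c-1001", "c-1002", "c-2001", "c-2002", "c-2003"}

# Constructed snapshots one hour apart: hardware stays put, cloud endpoints churn.
SNAPSHOT_T0 = [
    Endpoint("lap-01", "hardware", "c-1001"),
    Endpoint("srv-01", "hardware", "c-1002"),
    Endpoint("vm-a1", "cloud", "c-2001"),
    Endpoint("vm-a2", "cloud", "c-2002"),
]
SNAPSHOT_T1 = [
    Endpoint("lap-01", "hardware", "c-1001"),
    Endpoint("srv-01", "hardware", "c-1002"),
    Endpoint("vm-b1", "cloud", "c-2003"),  # new, carries a serial automation issued
    Endpoint("vm-b2", "cloud", "c-9999"),  # new, serial was never issued by automation
    Endpoint("vm-b3", "cloud", None),      # new, presented no certificate at all
]

def is_verified(ep: Endpoint) -> bool:
    """An endpoint counts as 'yours' only if its certificate serial was issued by automation."""
    return ep.cert_serial is not None and ep.cert_serial in ISSUED_CERTS

def diff_snapshots(prev, curr):
    """Return (new host ids, departed host ids) between two discovery runs."""
    prev_ids = {e.host_id for e in prev}
    curr_ids = {e.host_id for e in curr}
    return sorted(curr_ids - prev_ids), sorted(prev_ids - curr_ids)

def coverage(snapshot):
    """Share of discovered endpoints that are verified, plus the ids that are not."""
    unverified = sorted(e.host_id for e in snapshot if not is_verified(e))
    verified = len(snapshot) - len(unverified)
    pct = 100.0 * verified / len(snapshot) if snapshot else 0.0
    return {"total": len(snapshot), "unverified": unverified, "pct": pct}

def zero_trust_ready(snapshot, required_pct: float = 100.0) -> bool:
    """Barney's day-one bar: full device coverage before zero trust controls are layered on."""
    return coverage(snapshot)["pct"] >= required_pct

def triage(prev, curr):
    """Only what an analyst needs to see: endpoints that appeared this hour and are not verified."""
    new_ids, _ = diff_snapshots(prev, curr)
    return [e.host_id for e in curr if e.host_id in new_ids and not is_verified(e)]
```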
Micro segmentation as a future state
Barney said the move to automation to take control of endpoints happens on an iterative but constant basis as more applications move to the cloud. He said the entire effort takes a considerable amount of close coordination with development and engineering teams.
“It is a mind-boggling problem to solve. And I say 100%, honestly, you’re iterating toward 100%. I’m not sure anyone ever truly achieved 100%. What you’re really striving to do is 100% of accountability to the extent that’s possible,” he said. “Now, I will say that hardened assets, things like laptops, hard servers, those are a little easier to do. They don’t tend to come and go as easily or as frequently, and you can maintain a good solid inventory of those. You’ll often have stuff deployed to them and you’ll have your endpoint detection capabilities built in, so that’s a little bit easier to do. I think there are a lot of really great tool sets out there that’ll help you do that. Then a lot of it is just taking all the data, pulling it together into a single view and then generating the analytics. And then of course, having all your behavioral analytics running across that. Obviously, there are a lot of workforce changes on the security side that have to come into play.”
When agencies move more and more applications and workloads to the cloud, the amount of data and the complexity of managing an organization’s assets increase significantly. But so do the benefits, tools and capabilities to manage, control and secure them.
Barney said one of the big benefits of moving to the cloud is the ability to do micro segmentation of the network.
“You may have 1,000 endpoints spin up in a single virtual private cloud in an hour, but you’re controlling the entire boundary of that to such a finite scale that really allows you that visibility, the capability to understand what’s going on. And hopefully, you’ll be able to spot anything that comes from the outside that’s outside the norm,” he said. “Now, this also means you’re working very, very closely with the development teams who are building stuff. You really have to get in front of this ahead of time. You have to build in the foundational elements, your cloud tools and monitoring, how you’re going to do your endpoint detection, how you’re going to do your behavior analytics, and then work with the development teams to make sure they’re incorporating those elements, because they have to be foundational from the very beginning. And then as they build out, you’re helping build and structure those micro segmentations so that they actually make sense, you understand the traffic flowing across them and you’re capturing it in your logs in the proper fashion.”
A quick convert to automation
Barney said he wasn’t initially sold on using automation, but quickly became a believer and now is expanding it to as many areas as possible.
USCIS started to automate cybersecurity capabilities about five years ago, and it took a few years to really get it going.
“By about the third year, we started getting it right. In the first year, we were so excited because one of the things we would do is we’d say, ‘Okay, we’re going to automate the creation of tickets, no big deal.’ But when you generate 10,000 tickets in a year, it’s a big deal. We also know how much time it takes to generate a ticket, so we were able to factor in that every time we generate a ticket, it’s point five hours that we saved, and at a $150 an hour labor rate, we know how much money we’re saving by doing these automations. I think in the first year, we hit like $900,000 in automation savings. That was the coolest thing since sliced bread. Well, jump forward five years, and in an average year, we’ll do $20 million in savings. That’s normal for us now. And it’s just accelerating faster and faster and faster because we quickly realized that automation was so critical.”
Now, Barney said, he wants to automate risk management, governance and documentation. He said all of these efforts are key to moving USCIS into a threat hunting model for cybersecurity.
“What the automation has done is it’s removed all that sort of grunt work that needed to get done. It’s already making a bunch of decisions on our behalf based on what we’ve told it to do, and then it only pulls forward what’s relevant for the analysts,” he said. “So it actually changed the very nature of not just my security operations center (SOC) but the actual workforce that we employ. Now they actually get to look at things almost as a complete package, a security package that they can make an assessment on, and then based on that assessment, they can tell the automation to go back and fix a problem, or maybe it’s something significant enough that we have to go further up the chain. But it’s really about making good decisions and providing them the right information to make that decision. That’s really where the automation comes in.”