The daily headlines are no longer full of news on the Office of Personnel Management (OPM) breach, and agency executives across all levels of government want to keep it that way. They are determined to prevent the same thing from happening to them. We all know the truth; this wasn’t the first and it won’t be the last time a government agency is hacked and massive amounts of valuable data are lost. But federal agencies can take some basic steps to help reduce the risk of an attack and lessen the damage of a breach in the future.
Particularly, federal agencies need to reevaluate the traditional perimeter protection model of cybersecurity and pay more attention to data security.
OPM is a good example of both a cybersecurity and a data security incident, but we shouldn’t get the two confused. What’s the difference?
Cybersecurity is about protecting technology from disruption or unauthorized access. Data security is about protecting information from loss or theft. The two are inherently related since all of our information is accessed through technology. But, generally speaking, it is not the technology that hackers are interested in, it is the information.
Regardless, cybersecurity has been in the spotlight as the means of protecting our information. But data security is as important as cybersecurity, if not more so. Better data security, in fact, leads to better cybersecurity. Better data security could have lessened the impact of the OPM breach, and it can help federal agencies prepare for and strengthen their defenses against the next attack.
The best strategy for security for agencies is to employ a risk management framework to help assess what, why and how they should align their people, processes and technology to better protect their data. The National Institute of Standards and Technology Cybersecurity Framework is working to help agencies do just that.
Yet, there are three areas of the IT stack that agencies can take action on today to improve their data security and cybersecurity posture:
Data identification and classification — Data security starts with identifying and categorizing your data assets based on the sensitivity of the information. The protection you put in place for each category will vary based on the sensitivity of the information. The most sensitive information — your crown jewels — needs to be encrypted (at the very least).
Data accessibility — Agencies should have the ability to look at all of their data, particularly for data forensics, fraud analytics and behavioral analysis. This has been a costly endeavor for agencies in the past. Historically, data has been cheap to archive, but expensive to access if and when it is needed. Agencies should seek technology that allows them to both store and access all of their data without incurring extra costs, otherwise known as active archiving.
Analytics — The current cybersecurity focus relies too heavily on perimeter security — keeping the bad guys out. Yet our adversaries are savvy and know how to get around the fences we’ve put up to secure our perimeters. Behavioral analytics, the analysis of interactions between people and systems, can be used to predict threats. Machine learning can draw insights and identify patterns from massive amounts of historic data, turning it into valuable input for the operator as predictive analytics. Through analytics, federal agencies can put the very information they are trying to protect to work to inform and improve their cybersecurity.
Dave Bennett, director of the Defense Information Systems Agency’s implementation and sustainment center, spoke at our Federal Forum earlier this year, during which he noted, “If you’re looking five minutes behind you in terms of what’s going on, you’re six minutes late.”
He was speaking of communications, but the same is true for security.
Cybersecurity is ever-changing, with new threats and adversaries popping up every day, and the security environment — the data, the users and their activities — is too. What doesn’t change is the threat of losing your information, which is always what the bad guys are after. Behavioral analytics helps us predict what the next threat might look like, helping to focus attention on what is different and needs further scrutiny to determine intent and, potentially, stop attacks. In short, data can help our security analysis reduce the complexity of all the security telemetry and data points.
While the news cycle on this has faded, OPM served as a real wake-up call for all federal agencies, spurring a much-needed shift in the way we think about and act on cybersecurity. With the number of connected devices and all of the data and information associated with each of them, the attack surface has gotten too large to focus primarily on perimeter security. You can’t build a fence that big.
Federal agencies should focus on data security and behavioral analytics as the next steps to bolstering their cybersecurity posture.
I can’t say with certainty that taking these three steps will prevent all attacks and breaches; however, I am confident that a more data-centric approach to security will make you better protected. Data security mitigates threats and attacks by rendering the information useless or making it inaccessible to the attacker. Not only will data security make it harder for adversaries to compromise your technology and information, but having access and the ability to use all of that data can better prepare you for the next threat, both within your agency and across other federal agencies.
Webster Mudge is a senior director for technology solutions for Cloudera.