For years now, federal agencies have clung to a “defense-in-depth” model to protect their IT networks. Why? Because the concept essentially breaks down into two easy steps:
Buy lots of firewalls, anti-virus products and other traditional solutions.
Never mind that the products aren’t designed to work together. Or that government IT teams often cannot deploy defense-in-depth solutions in a manner which fully maximizes their vendor-advertised potential. None of this seemingly matters to tech purchase decision-makers, who walk away believing they’ve built layers of fortification. But what they really have are layers of Swiss cheese, protection-wise.
Research speaks to their ongoing state of vulnerability: The Government Accountability Office has reported that “persistent weaknesses” in cybersecurity programs exist at the 24 agencies studied, as nearly all or most agencies struggle with security management, access control and configuration management, among other critical tasks. Given this, it should come as no surprise then that three of five federal IT professionals admit that their agency has suffered a breach, according to a survey from 451 Research.
Why do the problems continue? In large part, it’s because of a wider industry problem that I call the “illusion of auditing.” Government organizations undergo reviews from Federal Information Security Management Act (FISMA) regulators, the Office of Inspector General and others that focus on a check-box approach. Unfortunately, this auditing method falls short of adequately assessing the entire security posture and can leave room for security gaps.
One of the biggest challenges is that the annual audit does not address real-time threats. From the time an audit begins to the time it finishes, the entire cybersecurity landscape changes. Even once-monthly meetings for continuous diagnostics can’t keep up with the shifting nature of network attacks. There are unfamiliar threats which emerge every day, after all. In addition, there are always new business decisions to make, and each one can impact your potential for compromise. If you open a satellite office in Wyoming, for example, you increase your exposure. If you launch a new social media program, you do the same.
The upshot: You cannot audit in real-time. Nor can you respond to threats in real-time by sticking firmly to a model based upon audits and defense-in-depth.
So how do you proceed with a better plan? By implementing these three recommendations:
Adopt a framework. Through a well-conceived and managed framework that works in conjunction with FISMA, such as the NIST Cybersecurity Framework, you rise above “toss everything at the wall” defense-in-depth approaches by launching a proactive, comprehensive cybersecurity program. Your framework should cover three, key stages – before a breach (prevention), during a breach (detection) and after a breach (recovery). You must develop a working plan for all three stages, to measure your framework in real-time. By staying up to date on external threat reports, you will know which threats exist out there. This knowledge – paired with continuous monitoring of your systems – will immediately establish effective prevention and detection techniques that also help you adhere to FISMA regulations. “Recovery” signifies that many agencies will still suffer from an incident – even with staunch prevention and detection. But they will also quickly respond to a compromise and remove the attack source, before it has a chance to do massive damage.
Get business involved. It’s very difficult to have a discussion within organizations about cyber defense – but you cannot measure your framework in real-time if you do not have the buy-in and support at the highest level. As indicated, any significant business decision can affect network protection. The framework enables you to report on the success of your security program and encourages the board to ask questions and make executive-level decisions as threats are happening. Without this, you’re left with defense-in-depth as your only resort.
Align your budget. You cannot ignore your budget, as no organization has an infinite amount of funding to allocate to cybersecurity. The framework allows for you to prioritize, because you can examine your tech investments more closely, and determine which ones may create redundancies (i.e., “do we really need cloud access control, network access control and this particular firewall product?”) It also helps to work with one vendor for your framework needs, to further eliminate redundancies and boost cost efficiencies.
When you proactively pursue these three steps, you position your agency as one that can respond to threats in real-time with continuous monitoring to ensure optimal prevention, detection and recovery.
In this sense, cyber defense is like staying in good, physical condition. Defense-in-depth is the equivalent of simply stepping on a scale every day, without addressing existing and new problems which are creating weight issues.
But the framework is akin to building a program around a Fitbit. Just as a Fitbit measures the number of steps you take, your heart rate, floors climbed, etc., the framework measures all of the threats, activities and developments which can impact your network. That’s when you’re building an unfaltering cybersecurity foundation, instead of just buying products and hoping bad things don’t happen.
Ron Gula is chairman and co-founder of Tenable Network Security, a global provider of next-generation cybersecurity solutions.