Fall is here and the football season is upon us, as is the government’s focus on Phase 3 of the continuous diagnostics and mitigation (CDM) program run by the Homeland Security Department. No matter your NFL or collegiate team affiliation, we must all join together in rooting for a CDM win — and what should be considered the true “America’s Team.”
We have heard some agencies are reporting a 90 percent reduction in risk after implementing continuous monitoring — but what about the other 10 percent? How can agencies score the proverbial cyber touchdown?
When considering Phase 3, which focuses on boundary and event management, agencies must go beyond the traditional attack-prevention model to a lifecycle defense that integrates security solutions that are more effective at attack detection, preparation, response and prevention. When building an advanced threat protection lifecycle defense, agencies need to focus on three key stages:
Stage 1 – Ongoing Operations
The first stage, ongoing operations, involves solutions that detect and block known threats. This stage must catch the majority of threats and eliminate “noise” by leveraging dynamic threat data. It also includes technologies that enable visibility into encrypted traffic. Events and files that are not known to perimeter blocking tools must be escalated to the second stage of the lifecycle defense.
Stage 2 – Incident Containment
The second stage helps detect, analyze and interpret unknown threats in real time for maximum incident containment. Alerts give administrators, analysts and others the opportunity to mitigate the effects of an attack before major damage is done.
Stage 3 – Incident Resolution
The final stage focuses on security incident resolution and remediation. Government agencies can employ security analytics solutions to initiate fast incident analysis by providing the attributes associated with indicators of compromise and zero-day threats as they occur. This real-time detection component helps reduce the time to resolution and minimizes the agency’s window of exposure.
The Star Player
Until recently, government agencies have tended to bring security analytics into play after a breach was detected, not before. Incorporating security analytics into the overall game plan will help deliver on the goals set forth in Phase 3 to limit unauthorized access that “would allow attackers to cross internal and external network boundaries and then pivot to gain deeper network access and/or capture network resident data at rest or in transit.” Analytics can detect network anomalies and provide alerts in real time so that agencies can prioritize threats faster and remediate more efficiently.
Analytics capabilities also:
Give departments and agencies complete real-time visibility into ongoing attacks and extensive contextual data for incident response and post-breach analysis;
Allow agencies to expedite the discovery of security breaches and remediate even the most sophisticated attacks;
Use security technologies that employ behavioral analysis and dynamic analysis or next-generation sandboxing to detect advanced malware for which no signatures exist;
Implement cloud-based threat intelligence networks and knowledgebases that speed up the dissemination of real-time threat data so agencies can guard themselves as soon as new attacks appear;
Integrate these components with existing blocking and analysis tools to create a security ecosystem that offers comprehensive security against advanced threats.
The Winning Combination
Phase 3 of the CDM program has the ability to revolutionize the way federal agencies prepare for and respond to incidents and contingencies, as well as detect suspicious events and patterns. Combined with an advanced threat protection lifecycle defense plan that incorporates security analytics, agencies will be able to provide more accurate and efficient threat detection; experience fewer successful attacks and suffer less damage from breaches that gain a foothold; and lower the costs associated with identifying and remediating the effects of attacks. Essentially, the government will be one step closer to winning the cyber game.
Chris Townsend is the vice president of federal for Blue Coat Systems.