Follow the NIST framework to protect your critical data
George DeLisle, federal director of Varonis, outlines five steps to create a repeatable process to improve your cybersecurity.
In the wake of major breaches involving insiders and external threat actors — from the National Security Agency leaks five years ago to the Office of Personnel Management breach in 2014 — most would agree an agency’s data is its most valuable asset. From personnel records to strategic plans and top-secret intelligence, your agency’s sensitive information must be handled just as carefully as its systems.
The good news is, data protection is top-of-mind in both civilian and defense agencies. In fact, in a recent survey, 82 percent of federal decision makers ranked data protection as a top priority. However, securing data within federal agencies presents a unique set of challenges. Legacy systems and servers hold vast amounts of information, and thousands of users create countless opportunities for information to be viewed, altered or exfiltrated.
So, where do you begin?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a repeatable, consistent and measurable approach to protecting critical infrastructure. This comprehensive framework can also serve as a guide in helping you protect your agency’s critical data. Just as the framework helps IT and security personnel manage and defend systems and applications, it can help these same teams prepare for security events targeting your data. With proper planning, agencies can respond intelligently and swiftly in the event of a security incident.
Here’s how you can use the NIST Framework to better protect data within your agency:
Step 1: Identify all users and groups
Start by taking an inventory of the data and the users on your network. Identify sensitive information that must be restricted on a need-to-know basis. Seek out old data offering little or no value. Next, identify all the users and groups within your organization. Map which employees and groups have access to what. Look for oversubscribed folders and global access: If an employee were to start clicking around your agency’s servers, what could they open, copy or resave? Next, flag stale “ghost” user accounts belonging to employees who have left the organization yet still retain access to your servers.
Step 2: Protect your data
After identifying all data and users in your environment, you can then be proactive in protecting your critical information assets. Reduce risk by quarantining, archiving or deleting old data in keeping with your agency’s policy on data retention and disposition. Limit access to sensitive information by reviewing global access groups and eliminating unused or empty user groups. Fix inconsistent or broken access control lists. Remove expired “ghost” users. Ensure all user passwords expire periodically based on your organization’s security policy.
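The review described in Steps 1 and 2, as an added example that is not part of the original article: it resolves nested groups to effective access, then reports ghost accounts that still reach data, folders open to global groups, and empty groups. The account names, group names, share paths and the list of global groups are constructed sample data.

```python
# Constructed sample inventory (not real data).
SEPARATED = {"bjones"}                  # people HR lists as having left
ENABLED = {"asmith", "bjones", "cwu"}   # accounts still enabled in the directory
GROUPS = {                              # group -> members (users or nested groups)
    "Everyone": {"asmith", "bjones", "cwu"},
    "HR-Records": {"asmith", "HR-Contractors"},
    "HR-Contractors": {"bjones"},
    "Old-Project": set(),
}
FOLDER_ACLS = {                         # folder -> ACL entries (groups or users)
    r"\\fs01\hr\personnel": ["HR-Records"],
    r"\\fs01\plans\strategy": ["Everyone"],
    r"\\fs01\archive\2012": ["Old-Project", "cwu"],
}
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}


def expand(entry, groups, seen=None):
    """Resolve a user or (possibly nested) group to the set of users behind it."""
    seen = set() if seen is None else seen
    if entry not in groups:
        return {entry}                  # a plain user account
    if entry in seen:                   # guard against circular nesting
        return set()
    seen.add(entry)
    users = set()
    for member in groups[entry]:
        users |= expand(member, groups, seen)
    return users


def review(acls, groups, enabled, separated):
    """Build the access-review findings for one inventory snapshot."""
    access = {f: set().union(*(expand(e, groups) for e in entries))
              for f, entries in acls.items()}
    ghosts = sorted(enabled & separated)  # left the organization, still enabled
    return {
        "ghost_access": {u: sorted(f for f, us in access.items() if u in us)
                         for u in ghosts},
        "global_folders": sorted(f for f, e in acls.items() if GLOBAL_GROUPS & set(e)),
        "empty_groups": sorted(g for g in groups if not expand(g, groups)),
    }


REPORT = review(FOLDER_ACLS, GROUPS, ENABLED, SEPARATED)
```

In this sample the ghost account reaches the personnel folder only through a nested group, which a check of direct ACL entries alone would miss.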
Step 3: Detect unusual activity
Next, monitor and detect who is accessing what on your file servers. Watch for unusual patterns. These incidents could indicate a hostile insider looking to steal important information, a snooping employee seeing what they can find on your servers or a threat actor escalating privileges and quietly gathering reconnaissance. Create or refine your incident response plan by training staff on day-to-day management, reporting, user permissions and Active Directory management. Determine what events require immediate investigation and remediation.
Step 4: Respond to security incidents
Investigate potential security incidents and respond according to your incident response plan created in Step 3. Notice and act when a user accesses information in an unusual way that’s not in keeping with the other members of their team or group. External attackers are skilled and continue to hone their abilities. They are capable of hiding in the network environment for weeks or even months. If an incident should occur, you must be in the position to identify the suspicious activity and prevent data exfiltration.
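One way to surface the peer-group deviation described in Steps 3 and 4, shown as an added example that is not part of the original article: it flags users who open several folders that none of their teammates touched in the same period. The log format (with the team recorded on each line), the thresholds and all names are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed audit events (not real logs): "<time> <user> <team> <folder>".
SAMPLE_LOG = """\
2024-06-03T09:01 asmith finance /finance/budget
2024-06-03T09:05 dlee finance /finance/budget
2024-06-03T09:07 dlee finance /finance/invoices
2024-06-03T09:12 asmith finance /finance/invoices
2024-06-03T09:30 cwu finance /finance/budget
2024-06-03T22:41 cwu finance /hr/personnel
2024-06-03T22:43 cwu finance /plans/strategy
2024-06-03T22:44 cwu finance /intel/reports
2024-06-04T10:02 dlee finance /plans/strategy
"""


def parse(log):
    """Yield (user, team, folder) from whitespace-separated audit lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:             # skip blank or malformed lines
            yield parts[1], parts[2], parts[3]


def peer_outliers(events, min_peers=1, min_folders=2):
    """Flag users who touched at least min_folders folders that fewer than
    min_peers of their teammates touched in the same period."""
    touched = defaultdict(lambda: defaultdict(set))   # team -> folder -> users
    for user, team, folder in events:
        touched[team][folder].add(user)
    flagged = {}
    for team, folders in touched.items():
        by_user = defaultdict(list)
        for folder, users in folders.items():
            for user in users:
                if len(users - {user}) < min_peers:   # too few peers share it
                    by_user[user].append(folder)
        for user, odd in by_user.items():
            if len(odd) >= min_folders:
                flagged[user] = sorted(odd)
    return flagged


ALERTS = peer_outliers(parse(SAMPLE_LOG))
```

A flagged user is a lead for the investigation in Step 4, not a verdict: the output lists the folders to review against that user's role.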
Step 5: Recover and improve
After an incident, take action by archiving, deleting or migrating data to secure locations. Stay on top of threats, investigate and correct inappropriate activities by users according to your agency’s security policy, and secure critical information to a least-privilege model. Continuously monitor and quarantine files as well as ensure your agency’s sensitive and stale data is handled appropriately. Empower data owners to control access to their data via authorization workflows. Provide periodic entitlement reviews in accordance with your agency’s policy. Data security is an iterative process: strive for continuous improvement.
In building your security to follow the NIST Framework, don’t forget your data. With the framework as your guide, you can work with your team to develop a game plan that prioritizes the protection of your agency’s critical information.
George DeLisle is the federal director of Varonis.
Copyright © 2024 Federal News Network. All rights reserved.