In protecting our homes, we purchase security systems like Google Nest because we want to know what’s happening in our houses at all times: If intruders break in, we need to see if they’re scoping out the environment for now, with the expectations of stealing something of significance later. They might, for example, stealthily take a spare key and inventory available electronics before launching a major heist a week or two down the road. Or it may take several attempts over time for them to crack the family safe combination.
Without internal cameras as part of our personal security system, we will never see this activity and, therefore, will not be aware of it until the thieves pull off “the big job.” But with the cameras, we identify the criminals and what they’re doing and can intervene to stop them before they do any substantial damage.
So if this works for our homes, why can’t federal agencies apply the same thinking to their cybersecurity strategies? Currently, they’re hyper-focused on threat intelligence to monitor for external attacks. But such intelligence is useless if you don’t know the lay of your own land – data-driven visibility into what’s actually happening inside your networks. With this, you can define what is trusted, spot threats and contain adversaries.
OMB indicated that a lack of visibility is creating many of the problems, as only 27% of agencies reported that they have the ability to detect and investigate attempts to access large volumes of data in their networks. In addition, they could not identify the method of attack or attack vector for 38% of incidents which led to the compromise of information or system functionality, revealing a lack of situational awareness. And just three of 10 agencies have put in place predictable, enterprise-wide incident response processes, with as little as 17% actually analyzing incident response data after these incidents occur.
Unfortunately, the stakes of these risks are growing increasingly high, as the global average cost of a breach has reached $3.92 million, up from $3.62 million two years ago, according to research from IBM and Ponemon Institute. It takes 279 days for organizations to identify and contain a breach, during which nearly 25,580 records are impacted.
Why do the breaches remain undetected for so long? Because organizations – including government ones – are investing most of their available resources into threat intelligence while dedicating little time to improve visibility. True, this increases their awareness of existing threats that could target them. But without absolute visibility into their network traffic, they’ll never see the “punch” coming until it is landed – as if they put on an eyepatch before entering a boxing ring.
Thus, hackers roam as freely in systems as the intruders do in homes without cameras, quietly exploring to find out where the most critical, valuable data is before they pull off a big strike. To prevent this, agencies must embrace a data-centric security approach that maximizes not only threat intelligence but also network and endpoint data – a larger breadth and depth of data to truly understand what’s going on and obtain better data-driven visibility. The tactics to support this approach are twofold – organizations can conduct verbose logging of only the systems that are deemed extremely critical and of high value. This may seem unnecessary and take up more storage capacity, but it is effective. The second tactic to consider is implementing a passive network monitor, so it won’t interfere with the production network.
With this approach and investing in the right network detection and response solutions to analyze network traffic, federal IT teams can more swiftly pivot through network logs that are available from a single, central source of truth, and then export them to security information and event management (SIEM) solutions for immediate response/mitigation. When combined with threat intelligence and endpoint information, agency cybersecurity teams are armed with the critical data components to fine tune alerting and work more efficiently.
Government leaders must focus more on data-driven network visibility as an IT investment priority. By seeing what is happening within their networks at all times, they will know when threat actors are “casing the house” and stop them before they can trigger a significant incident. It’s a simple matter of “defend from within” – an approach that works for our homes, and one that will work for federal agencies.
Richard Chitamitre is federal sales engineer at Corelight.