There’s an unsettling reality that the federal technology community is facing: the SolarWinds and Kaseya breaches could have happened to almost any other company. The vulnerabilities exposed during these incidents weren’t unique; in fact, they were examples of the increasingly sophisticated supply chain attacks that adversaries are using more and more. They continue to serve as a wake-up call for every government agency and for every organization working within the defense industrial base (DIB).
Similar to a lion targeting the most vulnerable antelope in the herd, hostile cyber actors will continue to target the weakest links within our federal IT supply chains. The Biden administration is rightly focused on raising the cybersecurity bar for technology partners, issuing the executive orders on cybersecurity and supply chain resilience and the recent memorandums focused on providing CISA access to endpoint detection and response solutions and endpoint monitoring systems, improving cybersecurity for critical infrastructure control systems, and securing on-premises software.
These are essential roadmaps for holding contractors accountable for cyber hygiene best practices, but unfortunately, cyber risk management isn’t something you can check the box on and be done with. It’s a continuous battle against constantly evolving adversaries. Even with the best cyber standards in place, compliance does not equal security.
Compliance requirements must be implemented thoughtfully to avoid being cost-prohibitive for smaller technology partners and without stifling the cyber innovation happening across the technology community. Below are three foundational cyber vigilance tenets that government agencies and the DIB must embrace beyond compliance:
Embrace a zero trust mindset & empower threat hunting
Every supplier that touches the federal supply chain and every government agency that buys from this supply chain must embrace a zero trust mindset to thwart today’s sophisticated threats. At its core, zero trust is a simple concept: trust nothing, assume you’ve been breached and maintain a proactive posture for seeking, finding and neutralizing risks.
Once security teams fully embrace this core methodology of going beyond reactive alerts, they are ready for threat hunting. Threat hunting isn’t monitoring; it’s assuming threats are already present and searching through networks, endpoints and datasets for malicious, suspicious or risky activities that have evaded detection by existing cyber tools. Emerging threat hunting tools are able to deliver this capability cost-effectively, helping prioritize where to look and analyzing the intelligence fast enough to take action.
Collect all the data required for true observability
The foundation of zero trust and threat hunting is collecting and analyzing the right data. Solving physical crimes requires evidence. Investigators must collect information that not only helps them decide where to look but also proves their case. It’s no different in cybercrime.
Every organization that touches the defense and government supply chains must be collecting the IT data that delivers the visibility needed not only to identify anomalies and power threat hunting, but also to understand how the adversary gained access and how to prevent it in the future.
This means information such as log and telemetry data in a searchable, actionable format. In any crime, data is forensic evidence, and every contractor within the DIB must continuously collect and analyze this key intelligence because an attack can happen at any time.
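To make the two preceding ideas concrete, the threat hunt described under the zero trust tenet and the searchable log data described here, the following is an added example in Python, not code from the article or from Elastic. It runs two hunts over endpoint process telemetry stored as newline-delimited JSON: a data-driven hunt for parent-to-child process pairs that are rare across the whole fleet, and a hypothesis-driven hunt for an Office application spawning a script interpreter. The sample records, the field names (ts, host, user, parent, process) and the two rules are all constructed assumptions for this example; the scoring shows how hunts combine to prioritize where an analyst looks first.

```python
import json
from collections import Counter

# Constructed endpoint process telemetry, one JSON record per line (not real data).
# The field names are an assumption for this example, not a real product schema.
SAMPLE_TELEMETRY = """\
{"ts":"2021-09-01T08:00:01Z","host":"ws-01","user":"alice","parent":"explorer.exe","process":"outlook.exe"}
{"ts":"2021-09-01T08:00:05Z","host":"ws-01","user":"alice","parent":"explorer.exe","process":"chrome.exe"}
{"ts":"2021-09-01T08:01:10Z","host":"ws-02","user":"bob","parent":"explorer.exe","process":"outlook.exe"}
{"ts":"2021-09-01T08:01:12Z","host":"ws-02","user":"bob","parent":"explorer.exe","process":"chrome.exe"}
{"ts":"2021-09-01T08:02:00Z","host":"ws-03","user":"carol","parent":"explorer.exe","process":"outlook.exe"}
{"ts":"2021-09-01T08:02:30Z","host":"ws-03","user":"carol","parent":"outlook.exe","process":"winword.exe"}
{"ts":"2021-09-01T08:03:00Z","host":"ws-01","user":"alice","parent":"outlook.exe","process":"winword.exe"}
{"ts":"2021-09-01T08:03:40Z","host":"ws-02","user":"bob","parent":"explorer.exe","process":"teams.exe"}
{"ts":"2021-09-01T08:04:00Z","host":"ws-03","user":"carol","parent":"explorer.exe","process":"teams.exe"}
{"ts":"2021-09-01T08:04:15Z","host":"ws-03","user":"carol","parent":"winword.exe","process":"powershell.exe"}
{"ts":"2021-09-01T08:05:00Z","host":"ws-01","user":"alice","parent":"explorer.exe","process":"teams.exe"}
{"ts":"2021-09-01T08:05:30Z","host":"ws-04","user":"svc-build","parent":"services.exe","process":"svchost.exe"}
"""

# Hunt hypothesis (an assumption for this example): document applications
# normally do not launch script interpreters during ordinary office work.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def pair_counts(events):
    """Baseline: how often each parent->child process pair occurs across all collected hosts."""
    return Counter((e["parent"], e["process"]) for e in events)


def is_rare(event, counts, max_seen):
    """True when this parent->child pair was seen at most max_seen times fleet-wide."""
    return counts[(event["parent"], event["process"])] <= max_seen


def matches_hypothesis(event):
    """True when an Office application spawned a script interpreter."""
    return event["parent"] in OFFICE_APPS and event["process"] in SCRIPT_INTERPRETERS


def hunt_rare_pairs(events, max_seen=1):
    """Data-driven hunt. Rarity is a prioritisation signal, not a verdict:
    rare-but-benign pairs (for example a lone server's service chain) show up too."""
    counts = pair_counts(events)
    return [e for e in events if is_rare(e, counts, max_seen)]


def hunt_office_to_interpreter(events):
    """Hypothesis-driven hunt that does not depend on how common the pair is."""
    return [e for e in events if matches_hypothesis(e)]


def prioritize(events, max_seen=1):
    """Score each event by the hunts that flag it (rare = 1, hypothesis = 2) and
    return only flagged events as (score, event), highest score first, so an
    analyst knows where to look before reading every record."""
    counts = pair_counts(events)
    ranked = []
    for e in events:
        score = (1 if is_rare(e, counts, max_seen) else 0) + (2 if matches_hypothesis(e) else 0)
        if score:
            ranked.append((score, e))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, e in prioritize(parse_events(SAMPLE_TELEMETRY)):
        print(f"score={score} {e['ts']} {e['host']} {e['user']}: {e['parent']} -> {e['process']}")
```

Run stand-alone, the script lists two leads: the winword.exe to powershell.exe launch on ws-03 scores highest because both hunts flag it, while the services.exe to svchost.exe pair on ws-04 is flagged only for rarity (there is one server in the sample), which is exactly the kind of lead an analyst would triage and then add to the known-good baseline. The point of the exercise is the data shape: because each record carries host, user, parent and child, the same stored telemetry answers both the "where should I look" question and, after the fact, the "how did they get in" question the section raises.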
Prioritize defending the endpoints
As the industry was collectively assessing the scope and damage of the SolarWinds attack, Gartner Research Vice President Peter Firstbrook homed in on the need for new technology tools.
“Endpoint detection and response (EDR) tools are critical to detecting these types of attacks and to search history,” he said to SearchSecurity. “Only 30% of endpoints have EDR capabilities so the industry has a long way to go.”
As more government agency and contractor computing takes place at the edge, endpoints have become increasingly attractive targets for hostile cyber actors looking for soft spots in supply chain defenses. EDR and extended detection and response (XDR) tools have advanced significantly just since the SolarWinds breach and have become critical first lines of defense for any organization that hosts sensitive or valuable data. The recent White House Office of Management and Budget memo on improving incident detection by prioritizing EDR monitoring is a fantastic step in the right direction, and the contracting community needs to support that effort by going beyond monitoring to threat hunting with the technology that is available today.
Supply chain threats across the DIB are only going to increase in number and sophistication. Standards and compliance can raise the baseline bar, and it’s imperative that we have them, but a true cyber defense strategy requires constant vigilance and innovation. The solution lies in a collective mindset shift towards proactive threat hunting, information sharing and getting the latest detection tools in the hands of the agencies and contractors that need them. As the SolarWinds attack showed, we’re only as strong as our weakest link.
John Harmon is regional vice president of cyber solutions at Elastic.