The federal government is all in on a zero trust approach. Continued migration to the cloud; the move to mobile and bring-your-own-device; the convergence of IT, operational technology and Internet of Things; and the sharp increase in remote working due to the pandemic have changed how the government must approach cybersecurity.
But a lack of visibility threatens to undercut the effectiveness of zero trust before agencies even get there. Due to the explosion of endpoints in the past few years, many federal agencies are experiencing a “visibility gap” where IT security leaders can’t see all the vulnerable assets on their networks. The main problem is that legacy security tools can only see managed — not unmanaged — devices on the network. These unmanaged devices are a gigantic blind spot in federal network protection that zero trust cannot address.
To make matters worse, it is well-documented that unmanaged IoT and OT devices are now being actively targeted by nation states. Coupled with rising tensions between Russia and the rest of the world, this leaves U.S. critical infrastructure under increased threat of cyberattacks. These malicious cyberattacks can have damaging effects on lifeline services such as water, power, healthcare services and supply chains.
Traditional endpoint detection and response (EDR) systems don’t work on unmanaged devices because they can’t accommodate security agents. These unseen devices don’t generate logs, and it’s dangerous to try to scan them with a network scanner. As a result, these devices are pretty much invisible to security managers. Analyst firm Gartner estimates there will be 43 billion connected IoT devices by 2023.
The Continuous Diagnostics and Mitigation (CDM) program established the Federal Dashboard to consolidate summary information from each agency-level dashboard to form a picture of cybersecurity health across all civilian agencies. Comprehensive visibility across all IP addressable devices enabled by highly reliable data quality is a prerequisite for program success.
While it is expected that CDM DEFEND will be a significant programmatic and contractual mechanism for addressing improved asset visibility, the visibility gap is only getting bigger. This has been conclusively proven as the CDM program has upgraded to a new dashboard that implements Elasticsearch. Elasticsearch powers search solutions for thousands of companies worldwide to find documents, monitor infrastructure, and protect against security threats.
As agencies have transitioned to this new dashboard, more unmanaged and undermanaged devices never previously detected are being revealed. The biggest challenges to data quality include a lack of profiling of IT and OT devices and a lack of deduplication and rationalization of IP devices identified by different tools. It’s almost as if IT security managers are like astronomers looking at data from the new James Webb Space Telescope, seeing thousands of stars they never had the ability to detect before.
The president’s FY23 budget — in addition to executive order 14028 and M-22-09 — calls for significant additional CDM funding to address current gaps in EDR tooling capabilities. That is a positive step, but better EDR systems are required. What agencies need is an agentless EDR security platform that can solve this problem by covering the gaps left by legacy, agent-based EDR solutions.
An agentless platform can continuously monitor the state and behavior of all devices on a network and in an airspace for indicators of attack. When a device operates outside of its known-good profile, an alert is issued that triggers automated actions. The alert can be caused by a misconfiguration, a policy violation or abnormal behavior such as inappropriate connection requests or unusual software running on a device.
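As an added illustration of the two data-quality problems raised above (deduplicating devices reported by different tools, and alerting when a device drifts from its known-good profile), here is a small Python sketch; it is not code from the article or from any product it describes. The tool names, record fields, sample records and the baseline port sets are all constructed assumptions.

```python
# Added example: merge asset records from several discovery tools into one
# inventory, then flag devices whose observed services stray from a
# known-good profile. Tool names, fields and sample data are constructed.

def normalize_mac(mac):
    """Canonicalise MAC spellings (00-1A-2B.., 001a.2b3c.., 00:1a:2b..)."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def merge_inventory(records):
    """Deduplicate records from different tools.
    Primary key is the normalised MAC; records with no usable MAC fall back
    to the IP address (weaker: a DHCP lease reused by another device would
    be merged with it, so such entries deserve a second look). Fields from
    all sources are unioned and the reporting tools are kept, so coverage
    gaps between tools stay visible in the merged record."""
    merged = {}
    for r in records:
        mac = normalize_mac(r.get("mac", ""))
        key = ("mac", mac) if mac else ("ip", r["ip"])
        dev = merged.setdefault(key, {"ips": set(), "sources": set(),
                                      "device_type": None, "ports": set()})
        dev["ips"].add(r["ip"])
        dev["sources"].add(r["source"])
        dev["ports"].update(r.get("ports", []))
        if r.get("device_type") and not dev["device_type"]:
            dev["device_type"] = r["device_type"]
    return merged

# Constructed known-good profile: expected listening ports per device type.
KNOWN_GOOD = {"ip_camera": {80, 554}, "plc": {502}}

def profile_deviations(inventory):
    """Return (key, finding) pairs: unprofiled devices, or devices exposing
    ports outside the baseline for their type (e.g. telnet on a camera)."""
    findings = []
    for key, dev in inventory.items():
        baseline = KNOWN_GOOD.get(dev["device_type"])
        if baseline is None:
            findings.append((key, "unprofiled"))
        elif dev["ports"] - baseline:
            findings.append((key, sorted(dev["ports"] - baseline)))
    return findings

SAMPLE = [  # constructed records from three hypothetical tools
    {"source": "scanner", "ip": "10.0.1.20", "mac": "00-1A-2B-3C-4D-5E", "ports": [80, 554]},
    {"source": "passive_sensor", "ip": "10.0.1.20", "mac": "001a.2b3c.4d5e",
     "device_type": "ip_camera", "ports": [80, 554, 23]},
    {"source": "dhcp_logs", "ip": "10.0.2.7", "mac": "", "ports": []},
    {"source": "passive_sensor", "ip": "10.0.2.7", "mac": "", "device_type": "plc", "ports": [502]},
]
```

Running `profile_deviations(merge_inventory(SAMPLE))` collapses the four records into two devices and reports the camera for its unexpected telnet port, while the PLC matches its baseline.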
It’s never been so important to understand exactly how every device connected to your network is behaving. For example, in 2019 the FAR 889 rule was published, prohibiting executive agencies from entering into contracts with suppliers who use telecommunications equipment from Huawei, ZTE and other manufacturers. An agentless EDR platform would be able to detect Huawei network components and out-of-bounds behavior, for example from chips in hijacked IP cameras.
Agentless platforms simplify and speed deployment. They can quickly be integrated into whatever security systems an agency already has in place. They are also completely passive, so they won’t disrupt the operations of devices. Everything works in real time, so the discovery of assets, identification of issues, and automated enforcement are immediate and continuous.
It’s impossible to trust something you can’t see. Agencies must achieve a consolidated view of their risk posture. This requires a clear risk status and vulnerability posture for every device and possible attack path, and the ability to rapidly respond to incidents. Without closing the visibility gap, zero trust will fail to protect federal networks.