Not a week goes by, it seems, without another news report of a government organization facing a major cyber threat — from ransomware to data leaks to interruption of critical infrastructure. Agency leaders would probably agree the stakes have never been higher.
But agencies recognize that security is no longer a matter of dodging the latest cyber bullet. They now must understand the importance of overall “digital sovereignty,” the ability to maintain control over the entire digital infrastructure, and develop a robust cyber strategy to achieve it. Preserving control over its organizations’ digital infrastructures allows the U.S. government to protect its citizens, support its economy, safeguard its interests, and assert its position in the digital realm.
A key part of the solution is a self-hosted technical collaboration platform. A purpose-built, on-premises collaboration solution gives your organization a controlled environment in which to centralize the tools, content and communications needed to respond to, and later audit, any incident that threatens your mission. Such a platform is therefore a key enabler of an organization’s digital sovereignty.
Incident response and auditability
Today, digital sovereignty is an imperative for all government organizations. It’s necessary to safeguard the privacy of the citizens and employees whose personal information is stored in government databases. It’s needed to protect the nation’s intellectual property to maintain competitiveness in the global marketplace. It’s required to shield international policy data that, if exposed, could have geopolitical repercussions. Ultimately, it’s essential to national security.
A key aspect of maintaining digital sovereignty is effective incident response. Cyber incidents need to be identified, investigated and remediated quickly and completely, and the response should include a subsequent review that yields insights to make future responses more effective.
Achieving that goal requires a complete audit trail of both the incident itself and the incident response. Review system logs and other data sources to identify the vulnerability that was exploited, the attack vector, the attacker’s actions on the affected systems and, where the evidence supports it, the attacker. Likewise track your team’s response, analyzing the communications and actions that occurred as the incident was resolved, so that the timeline of who did what, and when, is preserved.
A retrospective of incident response enables you to benefit from lessons learned to achieve continual improvements. That’s true not only for cyber incidents but for any activity that impacts your mission. The principles apply whether you’re managing an application development project or dealing with threats to national security.
The security of self-hosted collaboration
A technical collaboration platform provides a single place to centralize and orchestrate incident response. What’s crucial is that the platform can be deployed on-premises, so that the incident record and the communications about it stay within your own security boundary, unlike general-purpose, cloud-based productivity and instant-message tools.
Many organizations operate with multi-cloud environments and software-as-a-service (SaaS) solutions. But not every workload is suited for a public cloud. For some organizations, sensitive data and communications need to be managed in an on-prem, air-gapped enclave.
A self-hosted collaboration platform lets you collaborate in real time while keeping the conversation and its records inside your own security boundary, which lowers the risk of compromise. And if it is open source, you can inspect the code and adjust its security settings to meet the controls required for the impact level (IL) of the data it will hold, provided the environment it runs in is accredited at that level: for example, IL4 for controlled unclassified information (CUI) through IL6 for classified data up to the Secret level.
Look for a solution that allows you to create as many event- or topic-specific communication channels as needed within the collaboration environment. Channels enable you to centralize relevant tools, data and conversations. That way, team members have the capabilities and information they need in a single location and context.
Just as important is the ability to automate incident-response workflows. An effective way to do that is through built-in, customizable playbooks — essentially digital checklists that empower teams to quickly, consistently and precisely take the right actions at the right time.
Finally, your collaboration platform should support auditability: it should integrate and centralize the messages, files, playbook actions and their timestamps so that you can establish a chain of custody for evidence and conduct a complete post-incident investigation. Those records should be retained in a form that cannot be silently altered or deleted, and for as long as the applicable regulations and National Archives and Records Administration records-retention guidance require.
Best practices for collaborative incident response
When conducting an incident response audit, start by defining the objectives of the audit: the documents you’ll review, the scope and parameters of the retrospective, and the insights you hope to gain. The more carefully you plan the investigation up front, the more useful the results will be later.
Next, establish the standards and criteria by which you’ll assess the incident. Criteria should include details such as the time taken to detect, contain and remediate, the accuracy of the initial assessment, and the effectiveness of the response. Those criteria will likely differ depending on the type of incident, whether a ransomware attack, a supply chain compromise, credential theft, and so on.
Of course, incident management begins long before an incident occurs. You need the right people to review the right information at the right time to spot potential problems early and accurately. That should also enable you to uncover patterns and trends that inform future incident responses. Your collaboration platform can help here, as well, because you can create playbooks to assign tasks and automate workflows so that steps aren’t missed.
An effective collaboration platform will enable you to respond to incidents and audit activities in the most demanding environments — in fact, multiple NATO organizations are using a self-hosted collaboration solution to support ongoing operations. If the approach is robust enough for stakes that high, it should offer the security and capabilities to help your organization manage incidents and maintain digital sovereignty.
Former U.S. Army Special Forces Officer Barry Duplantis is vice president and general manager of North America Public Sector for Mattermost.