IRS cybersecurity chief says agency has made ‘tremendous progress’ on logging

The Internal Revenue Service is gathering more network logs, automating many of its cybersecurity playbooks, and planning to conduct a tabletop exercise on artificial intelligence threats in the coming year, according to a top cyber official.

Rick Therrien, director of cybersecurity operations at IRS, said the agency has made “tremendous progress in the last year on the gathering of audit logs.” The White House Office of Management and Budget has directed agencies to capture more logging data to gain greater visibility into activities and potential threats on their networks.

“The IRS has made tremendous strides in that space,” Therrien said during a Nov. 16 webinar hosted by ACT-IAC. “We have tremendous diversity of technology platforms, the legacy systems and modern cloud systems. We’ve managed to do extensive data acquisition across the enterprise.”

The IRS is combining its log data with new security orchestration, automation and response technologies, known as a “SOAR” platform, to automate many of its cybersecurity response playbooks.

“We’ve taken a number of manual playbooks in the past year, and we’ve provided automation to those through our SOAR platform,” Therrien said. “You have to have the data, but then what’s your response to that data, and being able to do that in a repeatable way, and also being able to do it at the scale of a large enterprise.”

Therrien’s comments on improved logging come after the Treasury Department Inspector General for Tax Administration published a September report on the IRS’ logging practices. The report detailed several findings and recommendations from an audit TIGTA conducted on the IRS’ use of the Cyber Security Assessment and Management (CSAM) application last year.

TIGTA found the IRS could not provide 54% of the user audit log summary reports the watchdog requested between September and November 2022. TIGTA recommended the IRS ensure the CSAM audit logs are reviewed weekly and the results of review are documented, among other recommendations.

Zero trust progress

In a separate audit released this year, TIGTA found the IRS was making good progress on the federal zero trust mandate. In addition to logging, Therrien said the IRS is making advancements across other pillars of the zero trust architecture , including multifactor authentication.

More than 22 million taxpayers are now using the identity service provided by ID.me to create online IRS accounts, he said.

“And then internally for everyone who has access to IRS systems, we had them on multifactor authentication for a number of years, but the lift of converting the legacy systems to multifactor is something that we’ve made tremendous strides in the last 12 months,” he said.

Meanwhile, many agencies are now confronting how to better manage and secure their data using zero trust principles. The IRS started out by encrypting its data-at-rest, and it’s now looking to tag its data to make automated policy decisions about who can access different types of information, Therrien said.

“We are starting to take that to the next level as we explore how to take that last piece of that data pillar, and make policy decisions on what the data is tagged with,” he said.

Treasury PROTECTS contract

Meanwhile, the Treasury Department is planning to launch a blanket purchase agreement to streamline cybersecurity services across the department. In October, Treasury released a draft contract document for what it’s calling the “PROviding Treasury Enterprise Cybersecurity Technology & Services” or “PROTECTS” program.

Draft documents show the goal of the program is to “adapt and transform” security operations center services across the Treasury Department.

“We are, I think for the first time in my 17 years, working on a comprehensive set of security requirements across the department that any bureau — IRS, Fiscal Service, to departmental offices — could use and have a standard approach to security operations center services,” Therrien said.

While programs like Continuous Diagnostics and Mitigation (CDM) will continue to provide Treasury bureaus with cybersecurity platforms and capabilities, Theirrien said PROTECTS is “about the utilization of the things that programs like CDM deliver. And that could be through on-prem CDM capabilities to as-a-service capabilities where they exist.”

AI threats tabletop

In fiscal 2024, Therrien said “preventative, proactive cybersecurity” is his goal.

“We have  a backlog of playbooks to automate in ’24,” he said. “And we have more work to do in applying more fine grained policy enforcement points in the network space and the identity space and in the data space in ‘24.”

The IRS’ cybersecurity workforce is increasingly interested in “data and analytics,” he said, and in scrutinizing potential threats.

“So we move from a compliance focus to more of a threat analytics and risk analysis type approach,” Therrien said. “We start moving into a workforce that has taken their knowledge of security concepts and security technologies and security platforms, and is beginning to apply that foundational knowledge to data security.

The IRS conducts at least one tabletop exercise every year on data breach scenarios. The exercises  involve cyber operations personnel, privacy professionals and other stakeholders throughout the IRS’ business units.

Therrien said the fiscal 2024 exercise will feature a scenario involving “AI threats.”

“That’s going to be very exciting for us as we tabletop that, and then figure out what learnings will come out of that and take that forward,” But having a workforce that is grounded in those things — the security technologies and the process, but really focused on critical thinking around data — is where we’re heading.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.