Sponsored by Tanium

Dashboards, sharing threat intelligence help USDA improve cybersecurity response

When it comes to cybersecurity, the more data you have, the easier it is to identify anomalies and stop adversaries, shares Agriculture CISO Ignatius Liberto.

Federal Monthly Insights — Improving Cybersecurity through Autonomous Endpoint Management — 12/11/24

Technology has come a long way from the days of antivirus software installed on endpoints. Recently, the Agriculture Department migrated from a host-based security system to endpoint detection and response. The big difference, USDA Deputy Chief Information Security Officer Ignatius Liberto said, is that final word: response.

“In the old days, we had this mindset of ‘allow all, deny by exception.’ And then, if we had a threat signature, we’d load it in there and certainly go hunting for that specific threat signature. Now, with technology and the way we’ve generated our defense in depth for our enterprise network, we’re looking for anomalies,” Liberto said on Federal Monthly Insights — Improving Cybersecurity through Autonomous Endpoint Management.

“But at the end of the day, it’s these automated responses, the ability to isolate, contain and quarantine very rapidly — whether it be a threat signature coming in via email or from one of our many forward-facing websites. It’s the ability to understand as soon as possible that something is not normal so we can kick off an investigation.”

Liberto said his team uses log aggregators to collect, tag and categorize information to quickly get a picture of what normal network traffic looks like and spot the anomalies. In addition, he said that logging capability is being used to generate dashboards to increase situational awareness and drive critical thinking that helps security teams understand adversaries and their aims.

Those dashboards help separate the digital signal from the noise, giving Liberto and his team a better idea of what’s worth following up on and what isn’t.

“You can’t chase every false positive, and you don’t know it’s a false positive until you chase it,” he told the Federal Drive with Tom Temin. “We’re getting better and better at tuning our sensors. We’re getting better at understanding what normal bad behavior on our network looks like. So then, when we feel confident, when we get an alert, we can chase it.”

Adversaries may try to violate the confidentiality of data by exfiltrating it, manipulate the integrity by altering it or shut down access points to deny its availability. Those three items — confidentiality, integrity and availability — are what Liberto refers to as the “CIA triad.” He said USDA is working on incident response plans to protect those aspects of data.

Partnering to secure food, agriculture critical infrastructure

When it comes to cybersecurity, the more data an organization has, the easier it is to identify anomalies and stop adversaries. That’s why USDA is engaging in multiple partnerships, including with the Homeland Security Department and private sector stakeholders.

“The National Security Council has identified the food and agriculture critical infrastructure,” Liberto said. “So what we’re doing now is figuring out ways to collaborate, cooperate and share information with the vendors and with these large industries that support food and agriculture, and going to discussions on how we’re going to work together to defend this critical infrastructure. This is a nascent capability, but we’re moving very rapidly in that direction.”

The idea, Liberto said, is that if an adversary can penetrate the systems of one of USDA’s peers, then it can probably cause problems for USDA as well. That’s why the department pays attention to major cyber incidents in both the public and private sectors, and avails itself of both commercial threat intelligence and information sharing from the intelligence community.

“The most important thing is, no matter how strong your policy is, how strong your compliance is, no matter how well you follow a law or a binding operational directive from the Cybersecurity and Infrastructure Security Agency, never underestimate the malicious cyber actor out there,” he said.
