“If you think of a security solution as the car, threat intelligence is the engine,” says Trend Micro’s David Abramowitz. And that intelligence depends on...
Agencies’ chief information security officers face a multitude of cyber challenges, but they all have risk and risk mitigation in common.
Cybersecurity risks exist at the enterprise level, where CISOs must deal with hybrid environments consisting of data centers and cloud presences. Risks also exist at the application level, with its associated patching issues, and at the individual and device levels, where identity management, access and physical security can create risks.
“They’re concerned very much with, what is the risk of my organization? Where am I vulnerable? Where do I have misconfigurations? But that risk has a bunch of components,” said David Abramowitz, chief technologist at Trend Micro Federal, during Federal News Network’s DoD Cloud Exchange 2023.
Abramowitz added that agency security people tend to seek answers to specific questions. “Tell me where all my devices are. Tell me if I have rogue IT running around the environment,” he offered as examples. “Where are my vulnerabilities that aren’t patched? Because patch cycles are very challenging. Where do I have misconfigurations that, if not treated, might land me in the newspaper?”
Beyond that, CISOs seek ways to correlate such information to gain complete situational awareness. That in turn guides them to “create policy and focus and resources in the right places,” Abramowitz said.
A clear situational awareness picture can become more difficult to establish when, over time, agencies have accumulated too many cybersecurity tools. Each might be best-in-class, but they can add up to chaos.
“That brings about the need for a security abstraction layer, which will bring all of those disparate pieces together and create a picture of what’s going on in the environment,” Abramowitz said.
An abstraction layer should be capable of integrating signals from disparate tools. It can save agency security teams from having to write multiple scripts or simply having to monitor 15 or 20 individual consoles. Abramowitz noted that patch alerting forms a particularly important piece of the consolidated picture. The longer vulnerabilities go unpatched, the greater the likelihood hackers will take advantage of them.
Use of commercial clouds brings many benefits, but it also expands an agency’s potential attack surface.
“I have to know not only about what’s on premise and what my exposures are there, but about all the stuff I have in the cloud,” Abramowitz said. The on-premises need for patching and access management applies equally to the cloud.
On the other hand, he said, clouds have developed effective cybersecurity services that can migrate to agency data centers. Adopting cloud protections locally also improves the cybersecurity posture for edge computing facilities, including those that might operate “air gapped,” disconnected temporarily from the enterprise. Abramowitz pointed out that certain critical Defense Department applications will likely never move to the cloud, yet could benefit from cloud-like protections.
As for patch management, CISOs have become cognizant of the need for vendors to maintain their own patch management. That’s because software supply chain security has become an important policy requirement, he said.
Above all, risk management approaches to cybersecurity are most effective when guided by thorough threat intelligence, Abramowitz said.
“If you think of a security solution as the car, threat intelligence is the engine,” he said. “Threat intelligence informs all of the behaviors that we’re looking for. It tells us what a particular threat actor’s tactics and techniques are. It tells us where else we have seen this kind of attack, what industries it targets.” Even, he added, what agencies an attack targets.
That’s why the cyber integration layer must pull in sensor and open source information on threats, Abramowitz said. The resulting picture then correlates threats with elements in the agency’s own enterprise, further informing risk management and mitigation decisions.
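The integration layer described above, and the abstraction layer discussed earlier, come down to the same mechanics: normalize exports from several tools into one record per host, then correlate them with threat intelligence so the picture ranks what to fix first. The following is an added example written for this page, not code from Trend Micro or the session; every input (the inventory, the scanner and config-checker exports, the intel feed, the CVE identifiers and the scoring weights) is constructed sample data and an assumption about format, to be replaced with your own tools' output.

```python
"""Correlate findings from several security tools into one per-host picture.

Added example; all inputs below are constructed sample data with assumed
formats, not real scanner, CMDB or threat-intel output.
"""
from dataclasses import dataclass, field
from datetime import date

# Hosts the asset inventory (CMDB) knows about. A host that shows up in a
# scanner but not here is a candidate for "rogue IT".
INVENTORY = {"web01", "db01", "jump01"}

# Vulnerability scanner export: host, CVE id (constructed), date first seen unpatched.
VULN_SCAN = [
    ("web01", "CVE-0000-0001", date(2023, 1, 10)),
    ("db01", "CVE-0000-0002", date(2023, 3, 1)),
    ("lab07", "CVE-0000-0001", date(2023, 2, 20)),  # not in the inventory
]

# Configuration checker export: host, misconfiguration identifier (constructed).
CONFIG_SCAN = [
    ("web01", "object-storage-bucket-public-read"),
    ("jump01", "ssh-password-auth-enabled"),
]

# Threat intel feed: CVE -> actor known to exploit it and the sectors it targets.
THREAT_INTEL = {
    "CVE-0000-0001": {"actor": "Actor-A", "sectors": {"government", "defense"}},
}

TODAY = date(2023, 4, 1)  # fixed so the example is reproducible offline


@dataclass
class HostPicture:
    host: str
    in_inventory: bool
    vulns: list = field(default_factory=list)       # (cve, days_unpatched, actor or None)
    misconfigs: list = field(default_factory=list)
    score: int = 0


def score(p: HostPicture) -> int:
    """Assumed weighting: patch age (capped), active exploitation against our
    sector, misconfigurations, and presence outside the inventory."""
    s = 0
    for _cve, days, actor in p.vulns:
        s += min(days, 90)          # the longer unpatched, the worse, up to a cap
        if actor:
            s += 100                # intel says this CVE is used against our sector
    s += 25 * len(p.misconfigs)
    if not p.in_inventory:
        s += 50                     # rogue IT: nobody is patching what nobody tracks
    return s


def correlate(inventory, vuln_scan, config_scan, intel, our_sector, today):
    """Merge tool exports into one HostPicture per host, ranked by score."""
    hosts = {}

    def get(h):
        if h not in hosts:
            hosts[h] = HostPicture(h, h in inventory)
        return hosts[h]

    for h, cve, first_seen in vuln_scan:
        ti = intel.get(cve)
        actor = ti["actor"] if ti and our_sector in ti["sectors"] else None
        get(h).vulns.append((cve, (today - first_seen).days, actor))
    for h, misconfig in config_scan:
        get(h).misconfigs.append(misconfig)
    for p in hosts.values():
        p.score = score(p)
    return sorted(hosts.values(), key=lambda p: p.score, reverse=True)


def demo():
    return correlate(INVENTORY, VULN_SCAN, CONFIG_SCAN, THREAT_INTEL, "government", TODAY)


if __name__ == "__main__":
    for p in demo():
        flag = "" if p.in_inventory else " (not in inventory)"
        print(f"{p.score:4d} {p.host}{flag} vulns={p.vulns} misconfigs={p.misconfigs}")
```

With the constructed data, web01 ranks first (an 81-day-old vulnerability that intel ties to an actor targeting government, plus a misconfiguration), and the unmanaged lab07 ranks second ahead of db01, whose only finding is a newer CVE with no intel match. The point is the structure rather than the weights: each tool keeps its own console, but the decision about where to spend patching effort comes from the merged picture.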
To read or watch other sessions on demand, go to our 2023 DoD Cloud Exchange event page.
Copyright © 2024 Federal News Network. All rights reserved.
David Abramowitz, Chief Technologist, Trend Micro Federal
David has spent the last 22 years of his career in cybersecurity helping organizations to ensure the integrity, confidentiality and availability of information by preventing, detecting and responding to cyber attacks.
Over this time, he has had multiple roles including technical lead and advisor, security practitioner, and manager of security operations including enablement and services. In his current role as Trend Micro’s Regional Technical Lead, his core responsibility as a cybersecurity evangelist for cloud and network security, virtualization, and endpoint protection strategies is to help protect the integrity of organizations’ security architecture against attacks, damage and unauthorized access.
He received his bachelor’s degree in computer science from Brandeis University, and a master’s degree in computer science from George Washington University. When he is not playing drums/singing in a rock cover band called 45 RPM, he’s on the ice playing hockey in a local adult league. If you're extra nice to him, he may tell you about the time his family auditioned for Family Feud.
Tom Temin, Host, The Federal Drive, Federal News Network
Tom Temin has been the host of the Federal Drive since 2006 and has been reporting on technology markets for more than 30 years. Prior to joining Federal News Network, Tom was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines. Tom also contributes a regular column on government information technology.