Insight by Microsoft Federal

Taking a risk-based approach can help agencies, industry respond to rise in cybercrime

This content is sponsored by Microsoft Federal.

The past year has seen a significant rise in cybercrime activity, with adversaries running the gamut from independent actors to nation-states. Ransomware has proliferated, supply chains have been weaponized, and critical infrastructure has been revealed as one of the most vulnerable targets in the country. In response, the federal government leaned hard into cybersecurity, culminating in President Biden’s executive order that required agencies to begin implementing a zero trust architecture.

But the federal government isn’t acting alone in this endeavor; industry is also exploring ways to improve both its own cyber posture and that of federal agencies. That’s one of the reasons Microsoft published its 2021 Digital Defense Report, detailing the trends it has seen in the cyber domain over the past year and offering some actionable insights to help agencies and partners improve their defense postures.

“[Improving cybersecurity] is a journey that a lot of our customers and government agencies are currently on. And a lot of times what we see them needing is guidance on where they should start. The digital defense report highlights the opportunities for organizations to take risk-based planning initiatives on how to address cyber activities and their cyber posture,” said Jason Payne, chief technology officer for Microsoft Federal.

The report details three significant steps both agencies and industry can take together to achieve their cybersecurity goals. The first two are closely related. Number one is that government, law enforcement and the private sector all need to come together in a collaborative effort to combat ransomware. That means reducing its profitability, increasing barriers to entry for this crime, and better supporting victims through improved prevention and remediation efforts. The second step dovetails nicely with this, calling for increased transparency and information sharing around cyber incidents, especially between the public and private sectors.

But implementing both of these will require overcoming several barriers that have hamstrung similar efforts at collaboration in the past, not least of which is a general culture of secrecy within cybersecurity.

“Private and public organizations working in silos really don’t bring to bear the signals that we’re receiving, the analytics that we’re applying against those signals, and the results that we’re seeing on attack patterns and attack vectors,” Payne said. “We have to find a way to share best practices both for defense and for hunting, and then for resolution of incidents as they occur as well.”

That will help erode those cultural barriers and demonstrate the value of collaboration, which could take the form of increased roles for Information Sharing and Analysis Centers (ISACs). These could become an avenue for government to share more data and findings about cybersecurity threats with industry, and encourage the private sector to reciprocate in kind.

The third step requires shifting to an “assume breach” mentality and moving beyond basic cyber hygiene to adopt a more holistic cybersecurity posture. That’s where the importance of adopting a zero trust security model comes into play.

“If we combine multi-factor authentication with principles of least privilege, that at least prevents attackers — if they happen to get into your network or your applications — from spreading. You can contain an attack, and then mitigate and remediate,” Payne said. “Then organizations need to focus on what data they have, what are the elements of that data that make it sensitive? Are there some labeling practices that can be provided? Are there data loss principles and prevention practices that could be applied there, to make sure that you’re building the right sets of zero trust approaches around data itself?”

But for this to work, an organization can’t define security by its organizational chart. Cybersecurity has to be everyone’s responsibility. And the current hybrid nature of the workforce, which vastly expands the threat perimeter, only makes this more imperative. Organizations need to be thinking about DevSecOps principles and cloud-based technologies that improve security thresholds, as well as training and awareness. One way for both agencies and industry to improve awareness and the state of the workforce is to partner with educational institutions to incentivize cybersecurity education, as Microsoft is doing at community colleges.

“For this journey, you really want to begin from a risk-based approach. Identify those places that are the highest risk to you. And then work from a security perspective to secure those first. So whether that’s identity within your organization, or numerous types of devices or endpoints, legacy applications, network topology, the data itself, or, frankly, people and training. Look at all those aspects, those six pillars of zero trust, where the highest risks are and invest in mitigating those risks the quickest to improve our posture.”

For more on the current cybersecurity threat landscape and how agencies can meet those challenges, tune into Microsoft’s Public Sector Summit on December 2.
