Agencies are modernizing their IT infrastructure, moving their data into cloud computing services and adopting modern software practices.
The IT efforts are all a step in a positive direction, but they also carry with them the burden of increasing network complexity, according to Cody Pierce, chief product officer at Looking Glass. Add in a post-pandemic, distributed workforce that is accessing services remotely, and security teams are looking at a more complicated picture than ever before.
But efforts are underway to get a handle on that complexity. President Joe Biden’s cybersecurity executive order from last May and the resulting zero trust strategy published in February both direct agencies to inventory their devices, categorize and protect their data, and break down their network perimeters into isolated environments, among numerous other actions.
“It’s really good to have that direction and those orders,” Pierce said. “We have to think about cybersecurity, not just for the problems we have today, but the problems that we’re going to have in 10 years. How do we modernize our agencies, our infrastructure? How do we put cybersecurity front and center, so that it is a part of the planning and expansion process?”
Many of the administration’s efforts are tied into gaining greater visibility into the software and hardware that agencies are using. The executive order, for example, directed agencies to come up with a way to use Software Bills of Material, or SBOMs, to provide an inventory of a codebase used in any given product.
The potential necessity for such a measure was highlighted when agencies and other organizations had to grapple with the Log4Shell vulnerabilities discovered in the open source Apache software logging library Log4j last December. The discovery sent security teams scrambling to determine where they had instances of Log4j in their critical and Internet-facing systems.
Pierce said organizations should do a tabletop exercise to take away some lessons from the Log4j vulnerabilities, which are still active today, and determine how they can improve their defenses and response going forward. The newly established Cyber Incident Review Board at the Department of Homeland Security is in the midst of such a review, and it plans to issue a report on Log4j this summer.
“That was an interesting case of needing a software inventory, not just across your internally developed software, but the software that you use in your public facing, your vendors and suppliers, your cloud provider, your services, software-as-a-service,” Pierce said. “So we talk about attack surface, it’s a really great way to see how complicated that attack surface gets.”
The White House is now pushing agencies to adopt a “zero trust” security mindset through a new directive issued earlier this year. The federal zero trust architecture strategy looks to transition agencies away from a perimeter-based security model, to a construct where no user or device is trusted inside or outside a network.
“The intent is really strong,” Pierce said. “And that’s have good visibility about your external attack surface. Have a plan for authenticating everybody that gets access to that system. And then have a way to log and manage that access for your response teams.”