Insight by VMWare Carbon Black

Why agencies are losing the cyber battle

This content is sponsored by VMWare Carbon Black.


Cybersecurity is an asymmetric battle: the defender always has to invest more time and resources than the attacker. Consider the challenges of securing a home. The homeowner has to invest in an alarm system, security cameras, reinforced doors and locks. Meanwhile, a home invader only needs a hammer and an opportunity to use it. For cyber adversaries, malware and ransomware are hammers. They are cheap and easy to deploy, in such numbers that they create their own opportunities. To succeed in their mission, cyber defenders need the visibility, speed and accuracy to intercept them.

“There are some key questions that need to be asked of security stakeholders within an organization that, quite frankly, are no longer an option for them to have an answer to, but rather a requirement,” said Fawaz Rasheed, field chief information security officer at VMware Carbon Black. “How rich is your cyber defense posture? How mature is that posture to be able to defend against the attacker landscape? Do you have complete visibility into your cyber environment, to detect malicious activity?”

In answering these questions, Rasheed said, agencies often point to the controls they have in place as evidence of a strong defense posture. But having those controls in place doesn't necessarily mean they are configured properly, or that they provide the immediacy of detection and response needed to defend the network.

Agencies need to be able to understand not just the threat landscape, but their own defense landscapes as well. How mature and optimized are they? Asking those questions will go further toward helping agencies reach a fully mature secure state than simply procuring another cybersecurity solution.

The biggest adversary agency cyber teams face is time. First, they only have time to chase down so many incidents; they can’t possibly get to them all. So they need the visibility into their environments to be able to identify the incidents worth investigating as quickly as possible. Second, they need the ability to quickly pivot from awareness to remediation of an incident. Finally, they need to build resiliency into their operations through better governance to help reduce the number of incidents that exist.

“If you think of zero trust, that’s something pretty much every one of our customers we talked to is trying to model into their software enterprise, their cyber operations, etc.,” said Garrett Lee, director of federal security sales at VMware Carbon Black. “They are focused on adding richer visibility and policy-based governance to define and limit what is acceptable from a software and user perspective. So they are limiting their risk and they’re limiting their attack surface. They’re limiting the opportunity for an adversary to gain leverage in their environment. Not only curbing malware, but often it’s through logically limiting the use of known good tools as well.”

But asset management and visibility can only accomplish so much without the ability to affect policy. To truly reach a secure state, agencies have to execute on a layered set of defenses, rather than approaching zero trust the way they’ve approached cybersecurity in the past – as a set of complex progression points and components to procure. They can’t use yesterday’s defenses against today’s attacks.

That's why it's so important to optimize controls. Analysts are burning out chasing alerts generated by ineffective controls; Rasheed said 70% of analysts currently are investigating 10 alerts a day. Agencies need to learn that zero trust also means not trusting their own defense landscapes. They should constantly be trying to penetrate their own defenses and conducting internal threat hunting in order to find and mitigate weaknesses in their defense postures.

“Cyber leaders are making progress. But it’s slow,” Lee said. “The cyber leaders we speak with, they’re under-resourced. They’re understaffed. They’re trying to make do with what they have. But they’re also forced into implementing tools under the guise of compliance, but often they’re not optimizing. So there’s a bit of frustration that they experience. They are making progress, but it is slow. Meanwhile, cyber attackers are nimble and creative.”

But Lee said he is seeing some agencies focusing on the right fundamentals to help improve this situation. For example, he cited civilian agencies’ Continuous Diagnostics and Mitigation program, and the efforts to understand the software asset layer and how software behaves, implementing application execution control to bring zero trust principles to the software layer. On the Defense Department and intelligence community side, Lee said, they are taking the opportunity to modernize not only cyber defense tools but processes as well, which aims to make systems operate much more efficiently for the users and their mission.

Rasheed said one step agencies can take to improve their posture and compensate for limited resources is adopting automation to cut through the noise of network and endpoint traffic, learn what normal looks like, and better identify indicators of compromise. This enables a watchtower-type approach that mimics physical security in heavily populated areas like stadiums or festivals: automation occupies the watchtower position, spotting anomalies across all the network traffic, while analysts on the ground move to triage, isolate and mitigate those anomalies.

“From a defense perspective, it’s not just one thing, it’s not one layer. That’s why when we talk about zero trust, we don’t talk about it as a sum, but rather, we talk about it as parts. And those parts are critical in terms of the success ratio toward being able to defend,” Rasheed said. “It really comes down to those underlying controls. Have you tested them? Are they effective? To go back to that analogy of securing a home, you have organizations that probably think they have shatterproof glass across the board, but really, they have a single-paned glass in certain areas where any one of those hammers can make their mark.”