To slow down cyber attacks, know what you have and deceive them

Simplifying Cybersecurity Infrastructures

The big challenge for the community is the way security architectures have evolved over time, and it really doesn’t matter whether you are talking government or industry, they have been cobbled together. Every time there was a new attack, we essentially looked for a new product and those products were solely focused on a particular attack. If you look at a number of different industries out there, there could be 40 or 50 products in a stack. And just imagine the complexity of that.

Craig Harber

CTO, Fidelis Cybersecurity

The Attack Surface

All the agencies, whether federal or private sector, already have investments in hardware and software. They need to make a conscious decision about where do they eliminate costs and where do they add new capabilities, and how do they add them in an integrated and automated fashion

Craig Harber

CTO, Fidelis Cybersecurity

Just over a year ago, the Office of Management and Budget released the first ever cyber risk determination report.

The report was damning about the state of federal cybersecurity. OMB says the risk assessments showed that the lack of threat information results in ineffective allocations of agencies’ limited cyber resources. That, in turn, creates enterprisewide network visibility gaps.

At the same time, the report also provided hope and optimism.

Initiatives such as the continuous diagnostics and mitigation (CDM) program and the DHS government cyber architecture (GovCAR) reviews are giving agencies more asset visibility into their networks than ever before. Policies such as the latest one in protecting high value assets are starting to have an impact as agencies focus their cyber protection efforts in these areas.

These and many efforts are giving agencies a path to consolidate and integrate their cyber tools.

To move further down this path, agencies need better, not necessarily, more threat intelligence, security operations centers that combines and makes sense of internal and external threat information and top it all with advanced analytics to help human cyber experts make sense of the mountains of data.

Craig Harber, the chief technology officer for Fidelis Cybersecurity, said there are several steps agencies can take to reduce their risks, starting by consolidating their security tools and architectures.

“The big challenge for the community is the way security architectures have evolved over time, and it really doesn’t matter whether you are talking government or industry, they have been cobbled together. Every time there was a new attack, we essentially looked for a new product and those products were solely focused on a particular attack,” said Harber, who retired after spending 30 years at the National Security Agency where he helped create the methodology around cyber architecture reviews. “If you look at a number of different industries out there, there could be 40 or 50 products in a stack. And just imagine the complexity of that. Vendor products that don’t share information well together, don’t work well together and aren’t integrated. As a result, we have effectively created more seams for the adversary to essentially attack through.”

The point of the architecture reviews is to better understand what the adversaries are doing while assessing an agency’s technology and ability to react and respond in real time.

Harber said private sector studies show that attackers get on the network for days, weeks or even years before the organization knows they are there and removes them from their systems because, in part, of the complexity of the networks

“How do we help agencies streamline those security stacks, to make them more effective and more reactive to the challenges ahead of them?” he said. “As you are looking at streamlining security stacks, the first thing you need to do is self assess. Where are we today? What capabilities do we have? Where do we have redundancy and where can we remove the duplication? And then, what is a holistic solution and how do you get complete coverage?”

For agencies to have a holistic solution or complete coverage means understanding their capabilities throughout the security stack based on their ability to protect against known attack techniques and being able to adapt to new ones.

Harber said the CDM program is a good first step to creating this holistic cyber systems because it forces agencies to know what they have and how the tools can integrate.

“All the agencies, whether federal or private sector, already have investments in hardware and software. They need to make a conscious decision about where do they eliminate costs and where do they add new capabilities, and how do they add them in an integrated and automated fashion,” he said. “Do the agencies and organizations have the skilled workforce to even operate these platforms that we are talking about? You will see across industry there are opportunities for managed services versus does the network owner and operator perform the analysis and operations themselves?”

By consolidating and integrating their infrastructure, an organization can then start to take advantage of advanced cybersecurity capabilities. These include everything from artificial intelligence and machine learning to deception technologies, sometimes known as dynamic honeypots.

Harber said deception technology helps change agencies’ point of view from reactive to proactive cyber defense.

“The attackers have always been able to look for one way in where the defenders had to be able to defend every possible combination of things that the attackers could do. What an attacker likes to see if an environment that is fairly static, that they understand and they essentially can develop their operations and they know exactly what they want to do,” he said. “What would be frustrating to an adversary is an environment that changes, that is dynamic and one where the attack surface is not in their favor. What if we introduced additional assets through deception that weren’t real, additional endpoint or internet of things assets so that what was potentially 100 endpoint devices suddenly became 1,000 or 10,000. The reality is if they engage those assets we know that it’s an attacker. They shouldn’t be there. It really creates a high-fidelity infrastructure for us to constantly monitor and look for.”

Harber said then the organization can gain intelligence about the tactics, techniques and procedures an attacker is using as well as use the information to evolve their cyber defenses.

“What you are seeing with some of the dynamic deception tools that are out there is their ability to sense the environment,” he said. “The fact that I understand what are my assets on the network allows me in a dynamic fashion to introduce additional ones. I don’t need someone to program those in but I can actually learn based on what’s on my environment and automatically deploy these capabilities. Where the technology has advanced to over the last couple of years allows this to be something that can be truly operationalized.”

Harber said several public and private sector companies have come to Fidelis over the last few years to pilot this concept of deception technology.

About Fidelis Cybersecurity

Fidelis Cybersecurity is a leading provider of threat detection, hunting and response solutions. Fidelis combats the full spectrum of cyber-crime, data theft and espionage by providing full visibility across hybrid cloud / on-prem environments, automating threat and data theft detection, empowering threat hunting and optimizing incident response with context, speed and accuracy. For more information, go to www.fidelissecurity.com.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.