Federal Agency Benefits from Continuously Discovering and Monitoring Internet-accessible Assets
April 20, 2022, 3:05 pm
A new report from the National Security Telecommunications Advisory Committee (NSTAC) makes a number of recommendations for how the Biden administration can follow up its existing zero trust guidance. One of those recommendations is for the Cybersecurity and Infrastructure Security Agency (CISA) to develop a new shared service that helps agencies discover “internet-accessible assets” through continuous and dynamic asset mapping. The authors of the report found that keeping track of all these assets can be challenging for agencies.
“For federal civilian executive branch agencies to maintain a complete understanding of what internet-accessible attack surface they have, they must rely not only on their internal records, but also on external scans of their infrastructure from the internet. CISA will provide data about agencies’ internet-accessible assets obtained through public and private sources. This will include performing scans of agencies’ information technology infrastructure,” the report said.
External network discovery is necessary because, according to Joe Lin, vice president of product management at Palo Alto Networks, most large enterprises, including government agencies, are only aware of a fraction of their internet-exposed assets.
The volume of unknown assets becomes a more urgent issue in light of two recent cybersecurity directives. The first is Emergency Directive 22-02 on the Apache Log4j vulnerability, which is comprehensive but assumes that agencies already have an accurate picture of their own exposure. The second is Binding Operational Directive 22-01, which directs CISA to maintain a catalog of known exploited vulnerabilities (KEV) and requires agencies to remediate those vulnerabilities on fixed deadlines.
But no federal civilian executive branch agency can patch assets they aren’t aware of.
“The underlying problem is that for sprawling attack surfaces, organizations simply don’t know what they don’t know,” Lin said. “So even when they are trying earnestly to be in perfect compliance, the reality is that, oftentimes, there are parts of their networks that are out of compliance. Due to human error, due to the federated nature of government agency networks, these things get misconfigured, they are forgotten about, they’re overlooked, and they’re misreported.”
Lin explained that the assets created outside of security processes are sometimes shadow IT, sometimes misconfigured internet-of-things devices, and sometimes redundant emergency remote access servers that were never secured correctly.
Lin believes that the first thing agencies must do to remediate the situation is to acquire some kind of internet operations management capability. Such a capability would have to continuously scour the entire global internet looking for accessible assets that belong to the agency. Lin said that most agencies discover substantially more assets than they had been tracking; in one case, Palo Alto Networks helped an agency discover twice as many assets as it had on record.
“At a high level, we’re able to communicate with every single asset that’s exposed on the entire global internet,” Lin said. “And then based on how those assets and devices communicate back to us, we’re able through machine learning to automatically attribute each of those assets to the organizations that they belong to in a hyper granular way.”
This means being able to attribute the asset beyond just the agency or department level. Lin explained that machine learning allows Palo Alto Networks to attribute the asset to a specific server, router, or device owned by subcomponent organizations. It then assigns the asset for mitigation to specific individuals in specific offices.
“The fundamental idea here is that we shouldn’t be creating more work for an already overtaxed federal workforce,” Lin said. “We hear from security operations center analysts all the time that there’s a deluge of alerts and tickets and things that they need to do. And the reality is that 95% – maybe even 99% – of all those tasks can be automated in some way, shape or form, which then frees them up to really focus on only those parts of their workflow that require human judgment and human intuition.”
This gives federal agencies greater command and control over their networks. Agencies can define a set of machine-readable policies at one end and follow them through to an operational conclusion: how to get exposed assets addressed, mitigated and cleaned up as fast as possible.
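The workflow the preceding paragraphs describe, from the external scan in Lin's discovery step, through attribution to a sub-organization, to checking the result against a known-exploited list as BOD 22-01 requires, can be sketched in a few dozen lines. The following is an added example written for this page; it is not Palo Alto Networks' code, not CISA's, and does not reproduce the machine-learning attribution Lin describes. It attributes assets by longest-prefix match on address blocks instead, and every inventory record, scan result, address block, owner name and "KEV-like" entry in it is constructed for illustration.

```python
"""Reconcile an internal asset inventory against an external internet scan.

Added example (not from the article or any vendor). All data is constructed:
the addresses are documentation ranges, the owners and products are made up,
and KEV_LIKE is a stand-in for CISA's KEV catalog, not real entries.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    ip: str
    port: int
    product: str
    version: str


# What the agency believes it exposes (constructed internal records).
INTERNAL_INVENTORY: Set[Asset] = {
    Asset("203.0.113.10", 443, "nginx", "1.24.0"),
    Asset("203.0.113.22", 22, "openssh", "9.3"),
}

# What a scanner on the public internet actually reached (constructed).
EXTERNAL_SCAN: List[Asset] = [
    Asset("203.0.113.10", 443, "nginx", "1.24.0"),
    Asset("203.0.113.22", 22, "openssh", "9.3"),
    # a forgotten emergency remote-access box nobody recorded
    Asset("203.0.113.57", 8443, "remote-access-gateway", "2.1"),
    # a lab workstation exposing RDP (shadow IT)
    Asset("198.51.100.5", 3389, "rdp", "10.0"),
]

# Address blocks and the sub-organization responsible for each (constructed).
# The most specific block wins, so a field office's /27 inside HQ's /24
# is attributed to the field office, not to HQ.
OWNER_BLOCKS: Dict[str, str] = {
    "203.0.113.0/24": "Agency HQ",
    "203.0.113.32/27": "Field Office West",
    "198.51.100.0/24": "Research Lab",
}

# KEV-style list: product -> versions known to be exploited (constructed).
KEV_LIKE: Dict[str, Set[str]] = {
    "remote-access-gateway": {"2.0", "2.1"},
}


def attribute(ip: str, blocks: Dict[str, str] = OWNER_BLOCKS) -> Optional[str]:
    """Owner of the most specific block containing ip, or None if unattributable."""
    addr = ipaddress.ip_address(ip)
    best_len, best_owner = -1, None
    for cidr, owner in blocks.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len, best_owner = net.prefixlen, owner
    return best_owner


def unknown_assets(internal: Iterable[Asset], external: Iterable[Asset]) -> List[Asset]:
    """Externally reachable (ip, port) pairs that the inventory does not list."""
    known = {(a.ip, a.port) for a in internal}
    return [a for a in external if (a.ip, a.port) not in known]


def kev_exposed(external: Iterable[Asset], kev: Dict[str, Set[str]] = KEV_LIKE) -> List[Asset]:
    """Reachable assets running a product/version on the known-exploited list."""
    return [a for a in external if a.version in kev.get(a.product, set())]


def triage(internal: Iterable[Asset] = INTERNAL_INVENTORY,
           external: Iterable[Asset] = EXTERNAL_SCAN,
           blocks: Dict[str, str] = OWNER_BLOCKS,
           kev: Dict[str, Set[str]] = KEV_LIKE) -> List[dict]:
    """Owner-attributed work items for anything unknown or known-exploited.

    Items running exploited software sort first so they are worked on first.
    """
    internal = list(internal)
    external = list(external)
    flagged = set(unknown_assets(internal, external)) | set(kev_exposed(external, kev))
    known = {(a.ip, a.port) for a in internal}
    hits = set(kev_exposed(external, kev))
    items = [
        {
            "asset": f"{a.ip}:{a.port}",
            "product": f"{a.product} {a.version}",
            "owner": attribute(a.ip, blocks),
            "in_inventory": (a.ip, a.port) in known,
            "known_exploited": a in hits,
        }
        for a in external if a in flagged
    ]
    return sorted(items, key=lambda i: (not i["known_exploited"], i["asset"]))


if __name__ == "__main__":
    for item in triage():
        print(item)
```

The two assets the inventory never recorded are exactly the ones the scan turns up, and only one of them also matches the known-exploited list, so it sorts to the top of the work queue with its field-office owner already attached. Swapping the constructed `OWNER_BLOCKS` for real allocations and `KEV_LIKE` for a parsed copy of the KEV catalog turns this into the "policy at one end, operational conclusion at the other" loop the article describes.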
“We cannot simply rely on manual reporting for accurate situational awareness across different components of large enterprises,” Lin said. “We really need a tool capable of continuously monitoring enterprise-wide compliance against any security policy that is centrally pushed out.”