OPM orchestrates cyber protections through automation

Jeff Wagner, director of IT security, OPM & Paul Nguyen, president, CSG Invotas

Jason Miller | April 18, 2015 3:05 am

The Office of Personnel Management is pushing the bounds of cybersecurity. It’s moving from the idea of defense in-depth or even the popular continuous monitoring to a concept called orchestration.

Jeff Wagner, OPM’s director of IT security, said orchestration isn’t just about protecting network or systems, but understanding in real time what’s happening and who is on your IT infrastructure, and then being able to react to any potential or real problem immediately.

“We’ve changed our perspective about how cybersecurity works. It’s not that defense in-depth is dead. I’ll never take away from doing defense in-depth or FISMA audits or controls of that nature, but audit by visibility is what we call it,” Wagner said in an interview with Federal News Radio. “It’s really changing security from being these are the requirements and these are pieces you have to go to I accept that users are going to screw up, that users are going to make mistakes, and I accept that business trumps security. So, I go by visibility and create security controls that let me know when things are not the way they are supposed to be. I look for behavior changes.”

Wagner said behavior changes include the insider threat and, more broadly, changes in the network that show there’s something unusual or abnormal going on.

Advertisement

Part of how OPM is moving forward with what some are calling the next logical and better approach to cybersecurity, is through the concept of orchestration.

Paul Nguyen, the president of CSG Invotas, which is helping OPM implement this concept of real-time data analysis, said orchestration isn’t a new idea for the broader IT community, specifically the telecommunications sector, but companies such as his have adapted it for cybersecurity managers.

“How do you turn that data into action and how do you react and respond faster?” Nguyen said. “I think the realization is that there are so many attacks that are happening right now — whether they are intentional or unintentional from the users — as Jeff said, our people just can’t keep up with the volume anymore, and that needle in the haystack, that impactful incident, is sneaking through. We are using automation orchestration with OPM to try to fully leverage his resources. For example, if an analyst can only handle 100 events, we want to automate so he can handle 200 events to get a higher efficiency in terms of their time, in terms of their resources as well as be more effective on the risk mitigation side. This is a relatively new concept, but I think the problem is we are seeing more attacks and how do we keep up with them. That is the problem today.”

Nguyen said the goal for any agency is to make sure they are taking action on the right events at the right time and within the right priority.

“Our goal is to help get the events, contextualize them to say ‘This is a very serious threat that is high impact to your environment and this needs to go to the top,” he said. “We want to give them control so they can put actions into place quickly to remediate the issue. That involves anything from firewall blocks to quarantining users to kicking off user accounts that may have been compromised. As the complexity of the IT environment grows, the complexity of responding is a bigger challenge.”

Wagner said that’s why orchestration makes a huge difference for OPM because automating changes when there is a potential or real problem saves time and better protects the agency.

“We flow chart everything. I’ve told the guys ‘Put things in flow charts. If it can be flow-charted, it came be automated. If it’s not flow-charted, it won’t be followed,'” he said. “We try to simplify our processes as much as possible and then you can look through your flow chart and see where you can leverage orchestration and where can I stop having humans do simple things?”

Wagner said one example of where orchestration works well is addressing an employee who has clicked on a link with malware because of a phishing attack. He said what to do when that happens is something that can be easily flow charted.

“What do you do? You start to send [help desk] tickets everywhere? Orchestration is a point in which we identify the user has been infected, create the ticket, alert the help desk, issue a reimage command or kick the user off the network,” he said. “These are the kind of things you can do instantaneously so an infected user doesn’t infect the environment. It protects the enterprise instantaneously and it notifies everybody at the same time.”

OPM’s move to orchestration around cyber coincides with the Homeland Security Department’s governmentwide implementation of the continuous diagnostics and mitigation (CDM) program.

OPM is part of Group B under task order 2 for services and products, which should be awarded in the coming month or so.

Wagner said CDM is looking at specific controls and to report for cyberscope. He said OPM’s current approach also can feed DHS more information than what comes under CDM.

“CDM is a great first step,” he said. “I see them moving more into the centralized security operations center view, which is kind of what we really need. But we are seeing a lot of stuff down on the deck plates that CDM isn’t even looking at, not at the fault of CDM. It’s not just the scope or the purpose at this time.”

RELATED STORIES:

Report: Chinese hackers hit OPM networks

DHS, GSA kick off CDM task order 2 with $29M deal