Insight by ExtraHop

Risk & Compliance Exchange 2024: ExtraHop’s Rob Mathieson on the cyber need to ‘see’ everything

Do you have visibility across your enterprise? You should, the ExtraHop public sector leader says.

Federal agencies and contractors must juggle a growing number of cybersecurity mandates in response to a relentless tide of cyberthreats and incidents.

President Joe Biden’s May 2021 cybersecurity executive order, issued on the heels of the SolarWinds hack, set off a flurry of action across agencies aimed at shoring up the security of the software and technology they rely upon.

And the federal zero trust strategy released in January 2022 set out a new architectural approach for agency cybersecurity programs.

Contractors also must meet a slew of new cybersecurity requirements. The Office of Management and Budget, for instance, now requires federal software vendors to attest to their compliance with the National Institute of Standards and Technology Secure Software Development Framework.

And the Defense Department for several years has been developing landmark Cybersecurity Maturity Model Certification requirements. The CMMC program seeks to ensure defense contractors meeting ever-evolving cyber requirements. CMMC is expected to take effect in 2025.

Rob Mathieson, director of public sector sales engineering at ExtraHop, said the increasing number of cyber mandates means many organizations need to take a broader view on their compliance with specific requirements.

“When we’re taking a look at it from the perspective of, ‘How can we adhere to these things?’ It becomes less about the tools and more about the capabilities,” Mathieson said during Federal News Network’s Risk & Compliance Exchange 2024.

“So that’s the biggest thing that I see most organizations struggling with and taking a few missteps on is they’re focusing on the tools and not on the capabilities that they need to implement the tool.”

Network visibility’s critical compliance role

Agencies have been increasingly focused on gaining more real-time visibility into risks and potential threats on their networks. Under Biden’s cybersecurity executive order, for instance, OMB set new requirements for how agencies should collect network security logs. But Mathieson argues network visibility needs to be considered holistically.

“It needs to be understood that visibility is not, ‘I get to see these logs,’ or ‘I get to see this transaction.’ Visibility is, ‘I see everything,’ ” he said. “ ‘I understand everything, and I can act on everything.’ And the only way you really get that is through understanding your network traffic.”

There are many ways to gain that understanding, Mathieson said. For instance, it can be done through logs and looking log repository. “You can do a whole lot of correlation based off of log data. But you can also manipulate logs,” he said.

Therefore, the best approach is end-to-end network visibility. Why? “Your network is designed to not be able to lie. It just can’t lie,” Mathieson said.

“A thing either happened, or it didn’t. Traffic exists, or it doesn’t. A pattern went away, or it didn’t. The network itself cannot lie. So when you take a look at all of your network traffic from Layer 2 through Layer 7, and you have the ability to decrypt that traffic, especially on the inside of your network, now you have visibility. You’re not relying on your point products, you’re not relying on your endpoints, you’re not relying on your firewalls, your intrusion detection systems or any of your NetFlow systems. You’re taking a look at your network holistically, and you’re not tied into one vendor’s ecosystem to make sure that you can meet your mandate.”

Mathieson said that level of visibility is stitched across many federal cyber mandates.

“When you can see everything on the network, you can understand every bit of the traffic pattern,” he said. “You’re able to do all of your asset discovery automatically because a printer is always going to act like a printer, regardless of whether or not it looks like a thermostat. A laptop is going to act differently than a domain controller. You can map out all of your assets automatically, passively. No agents involved, no man in the middle, nothing super complex to do there.

“You’re also able to define your traffic patterns and whether it’s normal. You’re able to define the deviation from norm. You’re able to understand the security posture of your network. And those are just three large examples. But if we tie each one of the mandates into very specific types of remediations or specific types of understanding, then you’ll find, as we go through each one of these line items, the visibility is kind of the undercurrent of every single thing that those directives are asking for.”

Discover more articles and videos now on Federal News Network’s Risk & Compliance Exchange 2024 event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Alyson Fligg/Labor DepartmentClare Martorana

    Why OMB’s human-centered policy design effort is paying off

    Read more