How Automation Can Help Agencies Thwart Today’s Cyber Adversaries
The current dynamic between cyberattackers and defenders is a simple math problem, and so far the math has not worked in defenders’ favor.
Attackers are launching increasingly sophisticated, highly automated attacks against defenders who still rely largely on manual response and legacy technologies: automated offense against manual defense.
Government agencies — like many of their commercial counterparts and, perhaps, like all of us — can often be creatures of habit. When tackling today’s security problems, they may do things the same way and stick to the approach in which they feel most comfortable.
Agencies Are Using Similar Cybersecurity Processes
For instance, agencies may use the same processes to address new cyberthreats, even if they occasionally add “quick fixes” or additional products that address one part of the security problem. This can happen in several places:
- Incoming threat intelligence feeds review and correlation: Agencies use personnel to manually review and correlate the incoming (purchased and/or free) feeds to look for what’s relevant.
- Incoming threat intelligence to action: Agencies use personnel to take what is actionable from the review above and reprogram their security assets with it. For example, staff deduplicate indicators of compromise (IOCs) such as a new malicious URL, a new malicious domain, or the hash of a new piece of malware, anything that can be associated with a particular attack, before loading them into the tools that enforce.
- Internal/sensor intelligence correlation: Agencies use personnel to correlate insights on different parts of the attack chain, each seen from the vantage point of their numerous security sensors.
- Internal/sensor intelligence to enforcement: Agencies use personnel to reprogram their enforcement points — across the entire network, at each attack vector monitored, based on those correlated insights.
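As an added example (not code from the MeriTalk report or from any Palo Alto Networks product), the following Python script automates the four steps listed above end to end: it normalises and deduplicates indicators from two overlapping feeds, matches them against events from several sensors, groups the matches by host and attack-chain stage, and emits per-enforcement-point rules plus a quarantine list. All feed entries and sensor events are constructed sample data, and the feed formats, sensor names, enforcement-point names and the three-stage chain ordering are assumptions made for the illustration.

```python
"""Automate feed dedup, cross-sensor correlation and rule generation.

All feeds and sensor events here are CONSTRUCTED sample data; the feed
formats, sensor/enforcement-point names and attack-chain ordering are
assumptions, not any vendor's or agency's real schema.
"""
import re
from collections import defaultdict

# --- Step 1: ingest and deduplicate indicators from several feeds -------
# Feed A: dict records. Feed B: "type|value" lines. They overlap, differ
# in case, defang URLs with "hxxp", and one domain has a trailing dot.
FEED_A = [
    {"type": "domain", "value": "Evil-Updates.example."},
    {"type": "url", "value": "hxxp://evil-updates.example/stage2.bin"},
    {"type": "sha256", "value": "A3F1" + "0" * 60},
]
FEED_B = """\
domain|evil-updates.example
sha256|a3f1{zeros}
ip|203.0.113.45
url|hxxps://cdn.bad.example/loader.ps1
""".format(zeros="0" * 60)


def normalize(ioc_type, value):
    """Canonicalise an indicator so the same IOC from two feeds compares equal."""
    value = value.strip()
    if ioc_type == "domain":
        return "domain", value.lower().rstrip(".")
    if ioc_type == "url":  # refang hxxp:// and hxxps://
        return "url", re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)
    if ioc_type == "sha256":
        return "sha256", value.lower()
    return ioc_type, value


def parse_feed_b(text):
    for line in text.splitlines():
        if "|" in line:
            ioc_type, value = line.split("|", 1)
            yield ioc_type, value


def merge_feeds():
    """Return the deduplicated set of (type, value) indicators across feeds."""
    raw = [(e["type"], e["value"]) for e in FEED_A] + list(parse_feed_b(FEED_B))
    return {normalize(t, v) for t, v in raw}


# --- Step 3: correlate hits from different sensors per host -------------
# Constructed events from DNS, proxy and endpoint sensors (assumed names).
SENSOR_EVENTS = [
    {"sensor": "dns", "host": "ws-042", "domain": "evil-updates.example"},
    {"sensor": "proxy", "host": "ws-042", "url": "http://evil-updates.example/stage2.bin"},
    {"sensor": "endpoint", "host": "ws-042", "sha256": "a3f1" + "0" * 60},
    {"sensor": "dns", "host": "ws-017", "domain": "evil-updates.example"},
    {"sensor": "proxy", "host": "ws-099", "url": "http://intranet.example/index.html"},
]
FIELD = {"dns": "domain", "proxy": "url", "endpoint": "sha256"}
STAGE = {"dns": "resolution", "proxy": "delivery", "endpoint": "execution"}
CHAIN = ["resolution", "delivery", "execution"]  # assumed stage ordering


def correlate(events, iocs):
    """Map host -> set of attack-chain stages at which a known IOC was seen."""
    hits = defaultdict(set)
    for ev in events:
        field = FIELD[ev["sensor"]]
        if normalize(field, ev[field]) in iocs:
            hits[ev["host"]].add(STAGE[ev["sensor"]])
    return dict(hits)


def next_stage(stages_seen):
    """First chain stage not yet observed on a host, i.e. what to watch for."""
    return next((s for s in CHAIN if s not in stages_seen), None)


# --- Steps 2 and 4: push indicators and correlated insight to enforcement
ENFORCEMENT_POINT = {"domain": "dns-sinkhole", "url": "url-filter",
                     "sha256": "endpoint-block", "ip": "firewall-deny"}


def build_enforcement(iocs, hits, quarantine_threshold=2):
    """Group IOCs by the enforcement point that can act on them, plus
    quarantine hosts seen at >= threshold stages and a watch list."""
    rules = defaultdict(list)
    for ioc_type, value in sorted(iocs):
        rules[ENFORCEMENT_POINT[ioc_type]].append(value)
    rules["quarantine"] = sorted(
        h for h, stages in hits.items() if len(stages) >= quarantine_threshold)
    rules["watch"] = {h: next_stage(s) for h, s in hits.items() if next_stage(s)}
    return dict(rules)


def run_pipeline():
    iocs = merge_feeds()
    hits = correlate(SENSOR_EVENTS, iocs)
    return iocs, hits, build_enforcement(iocs, hits)


if __name__ == "__main__":
    iocs, hits, rules = run_pipeline()
    print(f"{len(iocs)} unique IOCs after deduplication")
    for point, values in rules.items():
        print(f"{point}: {values}")
```

Running the script shows seven raw feed entries collapsing to five unique indicators, one host (ws-042) hit at all three stages and therefore quarantined, and a second host (ws-017) that has only resolved the malicious domain so far and is flagged to watch for the delivery stage. In a real deployment each `rules` key would map to an API call on the corresponding enforcement point rather than a print.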
What makes it particularly challenging for the federal government, probably more so than their commercial counterparts, is there are often different agencies or departments that are treated as “specialists” and focus exclusively on one of the aforementioned internal processes.
Additionally, agencies often rely on a different System Integrator (SI) for each of the above processes, or for each attack vector (the path by which an attacker can get into the network). For example, one SI may be responsible for an agency’s endpoints while another is responsible for its data centers.
A report released last month by MeriTalk, “Pedal to the Metal: Mitigating New Threats Faster with Rapid Intel and Automation,” underwritten by Palo Alto Networks, also highlights some of the other cybersecurity challenges facing government, including the overload from a high number of threat intelligence subscriptions and the need for better protection in some important attack vectors.
How to Make Cybersecurity More Efficient
Where does this leave agencies?
First, the processes that agencies use to understand and protect against new threats are often manpower-heavy, using their precious few skilled resources. Even when government agencies outsource this work, personnel must oversee and interface with the SIs and contractors to sufficiently understand the agency’s security posture on an ongoing basis, which can often be inefficient.
Second, and perhaps most important, these processes are also time-consuming, which means agencies miss precious time to take action, translating into a missed opportunity to incorporate real prevention measures against the latest threats.
And what is the impact of that? It can mean the difference between whether that attack, that ransomware, or any other cyberthreat, is successful or not.
Agencies need to focus more on threat prevention. To regain leverage and prevent successful breaches, they can flip the equation with automation, and this does not have to be a “future” goal.
Automation at each of the steps above, across attack vectors, and across incoming and internal sensor intelligence is available today and has been for some time. It makes it possible not only to protect against a newly emerging threat as soon as it is seen anywhere in the world, but also to anticipate the attacker’s next step in the attack chain.
Thinking About The Future of Cyberdefense
Earlier this month, President Obama’s Commission on Enhancing National Cybersecurity issued a report to the White House that outlined a set of recommendations to improve the nation’s cybersecurity. The Commission’s report deftly recognized that cybersecurity is not purely a technical challenge, and that a more holistic approach is needed to preserve our digital way of life, and all the social and economic benefits that come from it.
The report also highlighted the benefits of automation technology, noting that “near-term advances in machine learning, automation and artificial intelligence have the potential to address some of the persistent problems in cybersecurity.”
The report’s recommendations are useful input for the government’s approach to cybersecurity, including that “our collective effort must focus on all stages of operations to protect and defend networks.” The report also noted that developing a skilled, security-savvy IT workforce is critical as we move into the era of the Internet of Things.
The more security-savvy we all are, the more our assets and networks benefit. Applying our human capital to critical areas, such as the protection of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, will only grow in importance and urgency.
Of course, the report’s recommendations are a long-term view of goals for the next administration to consider. In the meantime, agencies might consider the suggestions outlined above more expeditiously, particularly the adoption of automation, to improve their cybersecurity today.
Ultimately, we have the power to stunt the adversary’s growth, even though right now it may feel like we are still losing the battle. We can and should recognize newly emerging threats to our infrastructure as swiftly as possible, with effective use of our resources, and focus our scarce human talent on the parts of the problem that technology cannot fix on its own.
This means we will continue to need our human capital, and we absolutely need to keep investing in our talent. That amounts to a commitment to keep their skills sharp and their responses swift through training, cyber ranges, and other tools.
Meanwhile, the right technology investment in automation can keep the heart beating, like a pacemaker, automatically reprogramming all of our government defenses, across all potential vectors into our government organizations within minutes. Because, as with our hearts, every minute is critical.