Amid the furor over massive data breaches at the Office of Personnel Management that compromised the personal information of millions of current, former and potential federal employees and their families, the agency discovered one small bright spot: Advanced security tools deployed during the response consistently detected malicious code.
But the tools were installed too late to stop the breaches from happening. Traditional anti-virus software already in place didn’t prevent the attack.
Such tools could have alerted OPM to the developing problem, which took months to discover, if they had been used in the first place, according to a 2016 congressional report.
Since then, agencies have reinforced and improved endpoint protection. Many improved their grades on a Government Accountability Office assessment of compliance with the Federal IT Acquisition Reform Act, which covers cybersecurity and other areas of IT.
The Office of Personnel Management deployed cutting-edge endpoint security solutions from Cylance that incorporate artificial intelligence and machine learning. And federal procurement data shows that agencies, including the departments of Agriculture and Transportation, recently made significant investments in endpoint security solutions.
“We’re finding gaps too often where things either aren’t configured the way they need to be, or they’re not fully deployed, and it’s potentially exposing the agency," says Beau Houser, the Small Business Administration’s CISO.
No tool is 100 percent effective, but federal cybersecurity professionals hope that the mix of advanced endpoint protection tools, defense-in-depth strategies and constant improvement will prevent another large-scale breach.
SBA Streamlines Agency Endpoints
After the OPM breaches were made public, a September 2015 survey of federal IT managers conducted by MeriTalk found many agencies were not adequately reinforcing endpoints.
As much as 44 percent of endpoints in federal agencies were unknown or unprotected; barely half of agencies surveyed had taken critical steps to secure endpoints, such as scanning for vulnerabilities or installing real-time patching.
That’s changing. The Small Business Administration is upgrading its employee endpoints, replacing a variety of aging devices with HP EliteBooks and Microsoft Surface Pros. The agency is also streamlining its approach to endpoint security, consolidating and reducing the number of device types connected to the network.
“We’ve had various tools doing different things,” says Houser. “I’d call it a disjointed approach. It’s a typical problem you see in cybersecurity. You have an incident that highlights a specific gap, so you bring in a tool to close that gap, but there isn’t a higher-level view of the program to do a more comprehensive implementation. It’s like whack-a-mole.”
The SBA has been happy with endpoint protection tools from vendors such as FireEye and McAfee, Houser says. Agency turnover has led to substantial shadow IT, however, and not all employee devices deploy the highest levels of protection.
“Where we struggled was centralized management of the tools and ensuring comprehensive implementation,” he says.
HHS Shifts Security Strategy to Enterprisewide Solutions
As the agency updates its devices, Houser will closely follow how Microsoft’s endpoint protection tools — including Windows Defender Advanced Threat Protection and Office 365 Advanced Threat Protection, which feature advanced capabilities like endpoint detection and response (EDR) — perform against sophisticated cyberattacks.
“Right now, we’re lucky, because we have the other products in place, so we will be able to do an analysis between what Defender ATP is catching and what the existing tools would catch,” Houser says. “Then we can see whether we need to do more to cover our bases. I’m not going to take any undue risks. We’re going to take advantage of this period where we have overlapping products to make this decision. We don’t have endless dollars, and we don’t have the luxury to overlap tools unnecessarily.”
The Health and Human Services Department employs tools provided by the Department of Homeland Security’s Continuous Diagnostics and Mitigation program to better secure its endpoints. Those tools include IBM BigFix and tools from ForeScout and Splunk.
“A combination of tools is required to handle the needs of automated inventory, patching and improving our incident response,” says Chris Wlaschin, HHS’s outgoing CISO. “We’re also using mobile device management tools for endpoints such as smartphones and tablets.”
HHS is “rapidly shifting to more comprehensive, enterprisewide solutions,” Wlaschin says.
While the agency does not yet use endpoint security solutions with artificial intelligence or machine learning features, that may change. “We are constantly looking at emerging technologies to see how we can adapt to better protect our network,” he says.
It’s important for organizations to adopt endpoint security solutions with advanced features, but it’s as vital to test and configure solutions to ensure they will perform as expected, says Robert Westervelt, research manager at IDC.
“You don’t just flip a switch and turn on anti-virus,” Westervelt says. “You turn on the basic functionality first, and then slowly ramp it up to a level you’re comfortable with, so that you’re getting as much value as possible out of the product. Some organizations turn on what’s recommended, and that’s it. They don’t explore the other capabilities that offer added protection.”
Security professionals should not rely only on third-party testing of endpoint security solutions, but should also evaluate how tools perform on their systems, Westervelt says. “Every enterprise, and every government agency, might be running different types of applications and have users who are using different processes,” he says. “You have to really test endpoint protection tools thoroughly.”
Phishing Attacks Become More Sophisticated
Attackers are becoming more skilled at making their misdeeds look like normal activity, says Lawrence Reed, acting deputy director for the Cybersecurity Services Staff division at the Justice Department. Within federal agencies, such understanding of the evolving nature of endpoint-targeting attacks continues to grow.
“Over the past few years, we have seen endpoint attacks become more sophisticated,” Reed says. “The most common attack is still social engineering, often deployed via phishing. The techniques used have evolved from traditional email attachments and links to the use of dynamic URLs, memory-only exploits and other evasion tactics.”
DOJ uses a number of tactics to protect endpoints, including patching, anti-virus tools, data encryption, sandboxing and EDR, along with user training, Reed says.
At SBA, Houser hopes to combat the “barrage of spam and malicious messages” bombarding endpoints with a unified endpoint protection strategy. If the agency can consolidate its endpoint security solutions, he says, security administrators will be able to avoid the “swivel chair” problem of having to move from tool to tool as they investigate suspicious behavior.
But he acknowledges that agencies also require a layered approach that incorporates additional tools such as multifactor authentication.
“It’s still a defense-in-depth approach, combined with a threat-based approach,” Houser says. “It’s never simple. Even when you have all that, you still need to be able to detect when things break down and have a strong incident response in place. There’s no magic bullet.”