Oct 26 2021

How Should Federal IT Leaders Approach Cybersecurity Incident Response?

Deputy Federal CIO Maria Roat and former Air Force Deputy CIO Bill Marion offer their views on cybersecurity.

The federal government is evolving its approach to cybersecurity by shifting to a zero-trust model, but in the meantime, agency IT leaders still need to ensure that their defenses are robust and that they can respond to incidents effectively.

Doing so requires a mix of cybersecurity tools and approaches. FedTech recently conducted a poll on Twitter asking government IT professionals about the elements of cybersecurity incident response that are most important for their agencies.

The most popular response was disaster recovery tools (36.2 percent), followed by security information and event management (SIEM) tools (23.4 percent), purple teaming (21.3 percent), and network segmentation (19.1 percent).

FedTech asked several members of its 30 Federal IT Influencers Worth a Follow list to weigh in with their thoughts on the poll responses. Deputy Federal CIO Maria Roat says it was “interesting” that disaster recovery polled so highly, since agencies are required to have DR plans in place per the Federal Information Security Modernization Act of 2014.

Roat notes that there are many different areas where the federal government is pushing ahead on cybersecurity, especially in response to President Joe Biden’s May executive order on the topic, including the governmentwide adoption of end-to-end encryption, multifactor authentication, enterprise log management and the shift to zero trust.

Bill Marion, managing director and the growth and strategy lead for defense at Accenture Federal Services and former deputy CIO of the Air Force, says it is “a little bit disappointing” that disaster recovery was the top choice in the poll, because “it kind of implies that we’re going to get hit and we’re going to get hit hard.”


While all agencies need to ensure they have effective disaster recovery plans in place and that they are practiced regularly, Marion says he is more interested in SIEM tools coupled with security orchestration, automation and response (SOAR) platforms.

While SIEM tools ingest data and identify and aggregate threat intelligence, SOAR is a “game changer,” Marion says, because of SOAR tools’ ability to truly orchestrate and automate cybersecurity responses.

Purple Teaming, Network Segmentation Aid in Incident Response

Both Roat and Marion say that purple teaming is an important element of agencies’ approach to continuous monitoring and incident response. Red teams are made up of ethical hackers who use adversarial techniques to attempt to breach organizations’ networks. Blue teams defend against attacks launched by the red team — as well as real malicious actors.

Purple teaming brings these two teams together so they work more effectively, including through exercises they conduct jointly. A third party may analyze how the teams work together and recommend ways to improve communication. Agencies using purple teams must maintain an external focus and ensure continuous learning and communication.


“They come in there like an adversary would in there, which is frankly what we’re fighting against,” Marion notes. “We’re not fighting against paper. We’re fighting against people. I think anything around the purple teaming concepts, including red and blue and all the variants thereof, has to be in our arsenal every single day.”

Roat adds that network segmentation should be a critical element of agencies’ incident response approaches. Segmenting networks, including down to the application level (as the government’s draft zero-trust strategy requires), ensures that attackers cannot move laterally across an agency’s network should an application or network segment become compromised.

“If you’re managing your network and you’re segmenting it and you’re being smart about it, it will at least be able to isolate,” she says. “If someone gets into your network, they’re not going to move all over the place. If somebody comes in through that open window in your house, they’re going to be stuck in that room and they’re not going to be able to go anywhere else in your house.”
