1. Inspect Encrypted Traffic While De-emphasizing Full Packet Capture
Agencies can be reluctant to move to modern, cloud-delivered security platforms because those platforms do not retain full packet capture (PCAP) of decrypted traffic. However, full PCAP is no longer as essential as it once was.
Agency analysts can instead use metadata harvested from traffic flows (source and destination addresses, ports, byte counts, timing, and unencrypted handshake fields such as the TLS server name) to identify likely compromised hosts, and then pivot to endpoint capabilities, such as endpoint detection and response (EDR) and forensic platforms, for deeper investigation.
PCAP systems that capture all user traffic are costly and inefficient, and they often depend on legacy network-centric security stacks hosted in the data center or at the network edge. Because capturing all user traffic means backhauling it to those locations, full PCAP also creates the very user-experience problem agencies want to solve, the same problem the Trusted Internet Connections 3.0 initiative addresses.
The OMB’s zero-trust memo states, “Network traffic that is not decrypted can and should still be analyzed using visible or logged metadata, machine learning techniques, and other heuristics for detecting anomalous activity.”
For most agency incident response work, analyzing flow metadata is enough to scope an incident and decide which hosts to examine on the endpoint, and it supports the administration's zero-trust strategy. It also removes a commonly cited barrier to zero trust: agencies no longer need to route traffic back to centralized security stacks for decryption and storage.
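The kind of metadata-only triage described above, as an added example that is not part of the original article: two heuristics run over constructed NetFlow-style records of TLS sessions. Nothing in the payload is inspected; the script flags hosts with near-constant connection cadence (beaconing) and sessions that push far more data out than they pull in, then returns the hosts worth pivoting to EDR on. The addresses, server names and thresholds are constructed for illustration.

```python
"""Flag anomalous hosts from flow metadata alone (no payload, no decryption)."""
import statistics
from collections import defaultdict

# Constructed flow records, NetFlow-style summaries of TLS sessions.
# Fields: ts (epoch seconds), src, dst, dport, bytes_out, bytes_in, sni.
FLOWS = [
    # 10.0.0.5: near-fixed 60 s cadence to 203.0.113.10 -> beacon candidate
    *[(1_700_000_000 + 60 * i + (i % 2), "10.0.0.5", "203.0.113.10", 443,
       900 + 10 * i, 400, "cdn-sync.example.net") for i in range(8)],
    # 10.0.0.7: irregular, download-heavy interactive browsing
    (1_700_000_005, "10.0.0.7", "198.51.100.20", 443, 1_200, 48_000, "portal.example.gov"),
    (1_700_000_041, "10.0.0.7", "198.51.100.20", 443, 800, 120_000, "portal.example.gov"),
    (1_700_000_190, "10.0.0.7", "198.51.100.20", 443, 2_300, 9_500, "portal.example.gov"),
    (1_700_000_460, "10.0.0.7", "198.51.100.20", 443, 650, 70_000, "portal.example.gov"),
    # 10.0.0.9: one large upload-heavy session to an unfamiliar host -> exfil candidate
    (1_700_000_300, "10.0.0.9", "203.0.113.77", 443, 52_000_000, 30_000, "files.example.org"),
]


def beacon_candidates(flows, min_sessions=6, max_cv=0.10):
    """Group sessions by (src, dst, dport) and flag series whose inter-arrival
    times are nearly constant: coefficient of variation (stdev/mean) <= max_cv."""
    series = defaultdict(list)
    for ts, src, dst, dport, *_ in flows:
        series[(src, dst, dport)].append(ts)
    findings = []
    for key, stamps in series.items():
        if len(stamps) < min_sessions:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({"key": key, "sessions": len(stamps),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def upload_heavy(flows, min_bytes_out=10_000_000, min_ratio=20.0):
    """Flag single sessions that send far more than they receive."""
    findings = []
    for ts, src, dst, dport, out_b, in_b, sni in flows:
        ratio = out_b / max(in_b, 1)
        if out_b >= min_bytes_out and ratio >= min_ratio:
            findings.append({"src": src, "dst": dst, "sni": sni,
                             "bytes_out": out_b, "ratio": round(ratio, 1)})
    return findings


def hosts_to_investigate(flows):
    """Source hosts to hand off to EDR/forensics, chosen from metadata alone."""
    hosts = {f["key"][0] for f in beacon_candidates(flows)}
    hosts |= {f["src"] for f in upload_heavy(flows)}
    return hosts


if __name__ == "__main__":
    for finding in beacon_candidates(FLOWS) + upload_heavy(FLOWS):
        print(finding)
    print("pivot to endpoint:", sorted(hosts_to_investigate(FLOWS)))
```

Real implants add jitter, so in practice the cadence threshold is tuned per environment and paired with destination rarity (first-seen SNI or IP for the agency) rather than used alone; the point is that every signal here comes from fields that stay visible without decryption.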
2. Shift Agency Traffic to Encrypted DNS
The Domain Name System (DNS) is routinely abused by advanced adversaries, whose malware uses it for command and control and data exfiltration against agencies' legacy networks. Protective DNS is a win-win: it lets agencies, and CISA, identify and block known malicious domains drawn from both unclassified and classified threat-intelligence sources.
If every agency used protective DNS, CISA could respond more effectively to campaigns that target multiple agencies and limit further damage. Shifting to encrypted DNS protocols (DNS over HTTPS or DNS over TLS) and configuring endpoints to use only authorized agency resolvers can prevent DNS spoofing and man-in-the-middle tampering with queries, and it gives the resolver a single chokepoint at which to stop DNS tunneling, malware callbacks and exfiltration attempts.
The Biden administration supports this approach. As the OMB memo notes, agencies should explicitly set up their endpoints to "use agency-designated encrypted DNS servers, rather than relying on automatic network discovery." It also notes that to support secure agency DNS traffic, "CISA's protective DNS offering will support encrypted DNS communication and will scale to accommodate use from agency cloud infrastructure and mobile endpoints."
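As an added example, not code from the article, OMB or CISA, here are three checks an agency could run over DNS query events collected from endpoints or a network sensor once endpoints are pinned to designated resolvers: queries that bypassed the agency resolvers, hits against a protective-DNS blocklist, and a tunneling heuristic (many distinct subdomains with long, high-entropy leftmost labels under one domain). The resolver addresses, blocklist, domain names and thresholds are constructed assumptions; the registered-domain helper takes the last two labels, a simplification that production code should replace with the Public Suffix List.

```python
"""DNS log checks: resolver bypass, protective-DNS blocklist hits, tunneling."""
import hashlib
import math
from collections import defaultdict

# Assumed agency-designated encrypted resolvers (hypothetical addresses).
AUTHORIZED_RESOLVERS = {"10.10.0.53", "10.10.1.53"}
# Constructed protective-DNS blocklist; a listed domain also covers its subdomains.
BLOCKLIST = {"bad-updates.example.com"}


def _fake_chunk(i):
    # Deterministic stand-in for hex-encoded exfil data packed into a label.
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]


# Constructed query events: (client, resolver queried, qname)
QUERIES = [
    ("10.0.0.5", "10.10.0.53", "portal.example.gov"),
    ("10.0.0.5", "10.10.0.53", "www.example.gov"),
    ("10.0.0.7", "8.8.8.8", "www.example.gov"),           # bypassed agency resolvers
    ("10.0.0.9", "10.10.0.53", "cdn.bad-updates.example.com"),
] + [("10.0.0.9", "10.10.1.53", f"{_fake_chunk(i)}.t.example-tunnel.net")
     for i in range(12)]


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Simplification: last two labels. Use the Public Suffix List in production."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def resolver_bypass(queries, authorized=AUTHORIZED_RESOLVERS):
    """Clients whose queries went to a resolver outside the designated set."""
    return sorted({client for client, resolver, _ in queries if resolver not in authorized})


def blocklist_hits(queries, blocklist=BLOCKLIST):
    """Queries whose name is, or is beneath, a blocklisted domain."""
    hits = []
    for client, _, qname in queries:
        labels = qname.lower().rstrip(".").split(".")
        suffixes = {".".join(labels[i:]) for i in range(len(labels))}
        if suffixes & blocklist:
            hits.append((client, qname))
    return hits


def tunnel_suspects(queries, min_unique=10, min_entropy=3.0, min_len=30):
    """Per (client, registered domain): many distinct names whose leftmost label
    is long and high-entropy is the signature of data smuggled through qnames."""
    per_domain = defaultdict(set)
    for client, _, qname in queries:
        per_domain[(client, registered_domain(qname))].add(qname.lower())
    findings = []
    for (client, domain), names in per_domain.items():
        if len(names) < min_unique:
            continue
        first_labels = [n.split(".")[0] for n in names]
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        avg_ent = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        if avg_len >= min_len and avg_ent >= min_entropy:
            findings.append({"client": client, "domain": domain,
                             "unique_names": len(names),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return findings


if __name__ == "__main__":
    print("resolver bypass:", resolver_bypass(QUERIES))
    print("blocklist hits:", blocklist_hits(QUERIES))
    print("tunnel suspects:", tunnel_suspects(QUERIES))
```

The bypass check only matters if the endpoint configuration is backed by an egress rule that drops port 53 and DoH/DoT traffic to anything other than the designated resolvers; otherwise malware simply talks to its own resolver, and the protective-DNS blocklist never sees the query.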
3. Make Agency Applications Internet Accessible
When security technology sits at the perimeter of an agency's network, all traffic must be backhauled through the data center, typically over a VPN, before it reaches an application. This also creates a false dichotomy in which traffic from outside the perimeter is considered "untrusted" while traffic inside is "trusted."
A zero-trust architecture, as CISA describes it, inherently trusts no device, user or network location. It assesses each identity and device before granting access to a specific application. This shrinks the attack surface: applications are never exposed to the network at large, so they remain invisible to outsiders and reachable only by authorized users on assessed devices.
Federal agencies are encouraged to establish such safe internet connections. The OMB memo notes that making “applications internet-accessible in a safe manner, without relying on a virtual private network (VPN) or other network tunnel, is a major shift for many agencies.”
These are just a few of the steps agencies can take to move away from legacy thinking and shift toward cloud-based zero-trust solutions focused on connecting users to applications. Fortunately, the White House, OMB and CISA understand the challenges and are providing critical resources so agencies can finally make zero trust a reality. Our nation’s cybersecurity depends on it.