
Oct 28 2024
Security

Q&A: Federal Agencies Turn to Multiple Security Tools for Defense in Depth

Expanded attack surfaces call for specialized tools that fulfill designated functions, officials say.

If there was ever any doubt that agencies are prime targets for cyberattacks, a June 2024 Government Accountability Office report certainly sets the record straight.

“Urgent Action Needed,” the GAO’s dispatch to Congress begins. “Risks to our nation’s essential technology systems are increasing.”

In fact, in fiscal 2023, agencies reported more than 32,000 cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, a jump of almost 10 percent over the number disclosed in 2022. Eight agencies reported “major incidents” in 2023, including two each by the Justice, Treasury and Health and Human Services departments.

To get a sense of the current threat landscape and what agencies are doing to protect their IT systems, FedTech reached out to three federal cybersecurity leaders: Shelly Hartsook, acting associate director for capacity building at CISA; Jeffrey Spaeth, deputy CISO and executive director of information security operations at the Department of Veterans Affairs; and Steven G. Hernandez, CISO and director of information assurance services at the Department of Education.

FedTech specifically asked Hartsook about CISA’s recommendation that organizations employ defense-in-depth cybersecurity strategies, and we talked with Spaeth and Hernandez about the security platforms they’re using to protect their agencies’ sensitive data and networks.


FEDTECH: What are agencies up against when it comes to cyberthreats?

HARTSOOK: Due to the nature of federal agencies’ missions and the value of the data inside their environments, enterprises are facing near-constant bombardment from threat actors. At CISA, we’re especially concerned about threats posed by nation-state adversaries. They’re very determined and generally highly skilled, and their motives and tactics vary.

SPAETH: The threat landscape is evolving at an extremely rapid pace. Threat actors come out with new tactics all the time, and we’re concerned about many of the same cyberthreats everyone sees in the news, including ransomware attacks and social engineering. The threats are also becoming much more sophisticated in their use of technologies like artificial intelligence.

HERNANDEZ: The Department of Education is unique in that, while our primary mission is making sure that everybody has educational opportunity and the civil rights of students are protected, we’re also a very large bank with our federal student aid portfolio and our grants programs — and that makes us a big target.


FEDTECH: Defense in depth involves relying on multiple platforms in combination to reduce the risks associated with cyberattacks. From your perspective, how important is this approach to securing IT systems?

HARTSOOK: When we talk about defense in depth, we’re looking at the entire IT enterprise and recognizing the value of having layers of protection to detect and block malicious activity. The operating environments of agencies are much more decentralized now with mobile devices, the move to the cloud and people working anywhere and everywhere. This means the attack surface is much larger for cyber adversaries, and from a defender’s perspective, the ‘protect surface’ is more complicated and more sprawling than ever. That’s driving the need for multiple cybersecurity capabilities, including tools that are often specific to the systems you’re protecting. The challenge is, how do you tie everything together to create an integrated set of technologies that aren’t duplicative?

SPAETH: Zero-trust architecture is the VA’s North Star, and we’ve built our cybersecurity strategy around it. Defense in depth is part of that strategy, and it starts at the perimeter with the systems we’ve deployed to protect it. We have firewalls, boundary routers with special rules, email proxies and other defenses. We then start layering down: We have tools on our networks applying more protections, access controls and analyzing traffic flows. Our endpoints and servers are protected with multifactor authentication and cybersecurity toolsets to ensure full defense in depth. We have robust vulnerability scanning capabilities for the internal and external networks and also have additional scanning through CISA’s Cyber Hygiene services. We have different types of assessments that test these controls and identify any weakness to be remediated within the enterprise. Our cybersecurity operations center has full 24/7/365 capabilities teamed with different toolsets to give them telemetry to identify and respond to incidents. Overall, we have somewhere between 50 and 75 different platforms and toolsets we’re using for cybersecurity.

HERNANDEZ: Defense in depth and diversity of defenses have always been important in cybersecurity; it’s just that now we have all of these new technologies we can use to make the approach more effective. We have the agility, speed and elasticity of the cloud, and we have the power of AI and machine learning. And when we take those advanced capabilities and apply them to traditional defense-in-depth security, that’s when we start to move toward zero trust. One core element we’ve put in place is secure access service edge, which lets us encrypt all traffic at all times and make sure that traffic is available for security inspection. Security orchestration, automation and response is a second area we’ve focused on, and then the last area is identity and access management. We use different vendors for SASE and SOAR, and we have three vendors for authentication, depending on the technology.


FEDTECH: If best practice is to depend on multiple security platforms, how do you ensure you’ve deployed the right mix and aren’t using tools you don’t need?

HARTSOOK: Sometimes we see situations where tools aren’t fully integrated and operationalized, and cybersecurity staff aren’t using them to their greatest benefit. And sometimes you have certain tools that play more nicely with others. One thing we recommend is to have a process for tool rationalization. You want to have the right balance to get coverage across the full IT protect surface, but in such a way that it’s harmonized and isn’t just layering for the sake of layering.

SPAETH: We’re currently doing a full tool rationalization: inventorying all the technologies the VA owns and identifying capabilities that either cross over or where we have gaps, where a tool is really needed. Part of that also entails tuning the technologies so we’re sure we’re getting the most out of them.

HERNANDEZ: I like the term “requisite diversity.” What diversity of platforms and vendors do we need to be successful? When we were on our journey toward maturing with zero trust, we eliminated 25% to 30% of our security tooling because it overlapped with the capabilities we were bringing on board. In certain places, it makes sense to deliberately introduce some diversity, while in others you will find there are risks to managing and maintaining multiple capabilities while trying to get them to play well together.

68%: the percentage of U.S. organizations that operate between 10 and 49 security tools or platforms (Source: CDW.com, “Cybersecurity Issues Are More Alike Than Different Across Industries,” June 2024).

FEDTECH: Can you share any multiplatform defense success stories?

HARTSOOK: I think our Continuous Diagnostics and Mitigation Program is doing a great job with what we call “gap fill,” where we help agencies close gaps in tooling for specific cybersecurity capabilities. Through CDM, we’re also better able to respond to cyberthreats in a coordinated way across multiple federal agencies.

SPAETH: We stop millions of malware attempts daily on our network. We encrypt 97% of our data in transit and 93% at rest. We’ve got great tools out there for data exfiltration blocking, and by tuning our tools and using orchestration and automation, we’ve been able to reduce our mean time to identify and respond to threats from hours to minutes.

HERNANDEZ: In a recent meeting, an assistant secretary told us how happy she was with the exceptional user experience around phishing-resistant authentication. She said, “I know there’s security happening behind the scenes, but I don’t see it. It’s nice being able to get my work done and not have to worry about it.”
