Cybersecurity Spring 2010 • Volume 2 • Number 2
Cyber Implementers
By Jeff Erlichman, Editor, On The FrontLines
As threats rise, so do the efforts of industry to provide the cyber solutions government—and the rest of us—need.
The news is not earth shattering.
Cyber experts from Guidance Software, HP, Juniper Networks, SafeNet and Symantec all agree government faces a daunting task managing and protecting data at rest and in motion, whether it is on an internal server or a mobile device.
But these experts also agree there are practical, cost-effective ways to minimize risk and maximize protection—and they have solutions working in the field to back them up.
These experts—Sam Chun, HP; Cary Moore, Guidance Software; Bob Dix, Juniper Networks; Pete Engel, SafeNet; and John Bordwine and Jason Meinhart from Symantec—made their comments during a recent Roundtable hosted by the publishers of On The FrontLines.
Getting A Grip
Every day there are more and more attacks. Every day, the time we have to respond grows smaller.
“Customers are having a hard time having a sense of what’s going on and having a true command picture of their environment,” said HP’s Chun.
“That’s because of so many different technologies being deployed, along with the volume and speed that information is coming in. We are working hard to address that in a near real time way to drive quicker decisions.”
Guidance Software’s Cary Moore sees a similar trend. “Many of our customers are being hit with more sophisticated attacks and advanced persistent threats. They need the intelligence to respond quickly and get networks healthy in a much faster way.”
As threats increase, SafeNet’s Engel said he is seeing an increasing move to securing the end points—the mobile devices and telework situations—as well as a move to securing the data itself, so that if the network is compromised there is another layer of security around the data.
He added that includes studying how the data is being used on the network and on those mobile devices. “We are seeing what the users are doing with these devices and bringing that together in the overall profile and the picture of what’s happening on our network.”
Symantec’s Jason Meinhart brought up another point often talked about, but where there has been little action.
“The chief challenge is dealing with outmoded forms of regulation, the challenge of certifying systems, coming to grips with the limitations of the C&A process,” said Meinhart.
“With all the mobile devices, you can’t govern their use by the same policies that were written five years ago when a desktop computer attached to a classified or unclassified system may have been the norm. It’s a whole new ball game today with mobile; the rules are outdated.”
All agree that government managers understand the magnitude of the problem they face. But they also point out that in government there are very few people who understand the full scope of the problem because it is so complex.
So where does that lead us?
“The government is making a strong effort to address cyber hygiene and low hanging fruit issues such as: regular updates to antivirus signatures, password management, configuration management, patch management and a commitment to regular cyber education and training,” explained Juniper’s Dix.
“We need to get back to basics; have solid and sound policies; make sure users know policy and if there is an enforcement arm, that those policies are truly being enforced. We need to be proactive,” said Moore from Guidance. “Training has to be a big part of that and there has to be a change in mindset and security is a big part of that—every user needs to take that responsibility.”
Where There’s Work To Be Done
“We as an industry don’t have a really rigorous way of modeling risk,” said HP’s Chun. “We make IT decisions crudely compared to other industries. For example the financial industry has the data to give you a number, to quantify your risk.”
“Our customers need the tools and capabilities that allow them to do trade off analysis between very specific technologies that are not similar,” he added. “The economic condition is ripe for this type of approach; if I had to choose between antivirus versus intrusion protection, what is the better choice for my environment to invest in?”
SafeNet’s Engel noted that “one of the areas we see developing very rapidly is back office identity and privilege management—the CAC cards and the PIV cards. Agencies are now looking at how they can take advantage of the technologies that are on the card from both a security and business process perspective.”
At Guidance, Moore said they are building off their forensic tools to deliver faster actionable intelligence that can be passed on to the decision-maker.
“We are building technologies to be able to deal with new threats like poly- and metamorphic malware. We are getting better visibility into the network and into the systems to find what truly is out there.
This means finding out what the differences are between a “good” system and a system that has been hit and bringing this in a way that clients can see information as fast as possible.”
Symantec’s John Bordwine talked about the importance of integrating technology around the SCAP environment and paying more attention to Data Loss Prevention (DLP) technologies, both of which have the attention of OMB.
According to NIST, “the Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.”
Bordwine said this is a key initiative across government because agencies know they are understaffed and may not have the right skill sets in-house. Thus, along with the need to increase the knowledge base, government needs to automate security processes as much as possible.
Juniper’s Dix said, “we’re seeing more focus on standardizing configuration management across the enterprise, such as the Federal Desktop Core Configuration (FDCC) initiative, as OMB now requires verification of FDCC compliance via SCAP. We also see greater attention to the top 20 security controls in the Consensus Audit Guidelines (CAG), which now includes NIST 800-53 Revision 3 mappings.”
It is also clear that utilization of enterprise-wide solutions and ‘Center of Excellence’ skills and best practices represents a more holistic approach to cyber attack risk identification, prevention, mitigation and response, said Dix.
© 2010 Trezza Media Group, Public Sector Communications, LLC