Cybersecurity
Volume 2 • Number 8 • November/December 2010


Private To Public Sector: Be Proactive.

 

Cyber experts from McAfee, Q1 Labs, Guidance Software, CA Technologies and Merlin offer practical cybersecurity advice.

 

Think about securing your IT assets, while at the same time enabling collaboration and increasing productivity.

 

You have to secure the network infrastructure itself: the routers, switches and so on. Connected to the network are the servers, storage and other devices (physical and virtual), the desktops and their applications. Finally there are the mobile devices: laptops, PDAs and smartphones.

 

Government leaders have been forthright, asking the private sector to develop, install and maintain ever improving cyber defenses to help meet the mounting threats.

 

On The FrontLines queried experts at five leading providers of cybersecurity products and services, asking what advice they have for government and what cybersecurity trends they see over the next 24 months.

 

Reactive To Proactive To Predictive

 

Cybersecurity technologies have moved from reactive, to proactive, to predictive, according to McAfee’s Ed White. And over the next 24 months this trend is only going to grow.

 

White defined reactive as scanning: we see a Trojan and we get rid of it. Proactive means having tools in place that stop known threats before they reach a machine.

 

“Then there is predictive,” explained White. “How do you take information, analyze it and make a decision based on that information to actively predict what is going to happen next, because if you know where an attack may come from, then you can block that?”

 

The ultimate cybersecurity goal is to have real time response using predictive security through continuous monitoring. And to do that you need integrated systems at different layers—host, client, network or cloud—working together to take advantage of the information you have.

 

White says McAfee calls this predictive security capability “Global Threat Intelligence”; it is gathered by sensors throughout the world. “It is a way for all the products to work together and be proactive in real time to thwart an attack or possible attack.”

 

An analogy is the up-to-the-second weather forecast, produced by sensors and satellites that gather information which is then analyzed into a forecast.

 

“This allows people to know ahead what is going on,” White said. “What we are doing is the same thing. All these systems are sending information; you are becoming smarter because you have more touch points around the world.”

 

And an individual user working on their computer doesn’t have to do anything to gain the benefit of the technology that gathers information from 150 million users worldwide. “We want to make it as transparent to the user as possible, to get the best performing and most secure solutions without having to be a security expert,” said White.

 

To do this, White advises federal managers to invest in highly trained security professionals who have the analytical skills to weigh multiple forms of information coming from different data streams, determine where the threat really lies and take action.

 

White says the other big area that’s starting to draw more attention is mobile devices. The growth rates are astronomical.

 

“Because your data can live on a smartphone just as well as it can live on an enterprise, you’ve got to make sure that the data itself is protected and the actual device is protected. And you have to be able to secure and manage those devices in a form and function that’s going to be effective.”

 

Digging Through The Logs

 

Erich Baumgartner of Q1 Labs advises that, first of all, you need to be able to know what is going on in your network in real time.

 

“Without that capability, without the ability to analyze regular network log data and security log data, then you are fighting with one hand tied behind your back.”

 

Security devices are designed to stop a particular type of security attack; these could be firewalls, intrusion detection systems, intrusion prevention systems, encryption systems, etc.

 

“But one thing that they all have in common is they are all digital devices and they all log everything they do. They create billions of logs every day or week or month. It’s unbelievable the amount of information that comes out of this.”

 

What a SIEM (security information and event management system) does is take all of that logged information from all of those devices and correlate it, to determine whether there is something going on that you need to be aware of, explained Baumgartner.

There may be tens of thousands of events each day. It is not practical for a security analyst to go and run down each of those to find out if it is a problem.

 

“But if you were to take that event and then start to link it with other events, you can very quickly, using sophisticated correlation capabilities, get down to what we call actionable offenses,” Baumgartner added.

 

“We literally distill billions of network flows and hundreds of millions of security and log events down into about 35 actionable offenses a day. Those are the things we go after first.”

 

What’s important about the SIEM is that it is really the foundation for providing security intelligence to an organization. And security intelligence covers the full life cycle of events, from pre-exploit to the event itself and then to remediation afterwards, said Baumgartner.
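The correlation step Baumgartner describes, turning thousands of raw events into a handful of offenses, is easiest to see in code. The following is an added example written for this page, not Q1 Labs code: the log line formats, the two correlation rules, their thresholds and the offense names are all assumptions made here, and the sample lines are constructed. Rule 1 links a run of failed logins to the success that follows them; rule 2 links an intrusion-detection alert against an internal host to a later large outbound flow from that same host. Eleven events go in; two offenses come out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three "devices" (auth server, IDS, firewall).
# The key=value format is an assumption for this example, not any vendor's format.
SAMPLE_LOGS = """\
2010-11-03T09:00:01 auth host=srv01 user=jsmith src=203.0.113.5 result=FAIL
2010-11-03T09:00:03 auth host=srv01 user=jsmith src=203.0.113.5 result=FAIL
2010-11-03T09:00:04 auth host=srv01 user=jsmith src=203.0.113.5 result=FAIL
2010-11-03T09:00:06 auth host=srv01 user=jsmith src=203.0.113.5 result=FAIL
2010-11-03T09:00:08 auth host=srv01 user=jsmith src=203.0.113.5 result=FAIL
2010-11-03T09:00:09 auth host=srv01 user=jsmith src=203.0.113.5 result=OK
2010-11-03T09:01:00 ids sig=SQLi-001 src=203.0.113.5 dst=10.0.0.7
2010-11-03T09:01:30 fw action=ALLOW src=10.0.0.7 dst=198.51.100.9 dport=443 bytes=52000000
2010-11-03T09:02:00 auth host=srv02 user=mlee src=10.0.0.20 result=FAIL
2010-11-03T09:02:10 auth host=srv02 user=mlee src=10.0.0.20 result=OK
2010-11-03T09:03:00 fw action=DENY src=192.0.2.8 dst=10.0.0.7 dport=23
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Normalize one raw line into an event dict: timestamp, source device, fields."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    event.update(dict(KV.findall(rest)))
    return event


def parse_logs(text: str) -> list:
    return [parse(line) for line in text.splitlines() if line.strip()]


def correlate(events, fail_threshold=5, window=timedelta(minutes=5),
              exfil_bytes=10_000_000) -> list:
    """Distill events into offenses. Thresholds are assumptions for the example."""
    offenses = []
    events = sorted(events, key=lambda e: e["ts"])

    # Rule 1: >= fail_threshold failed logins for one (source IP, user) inside the
    # window, followed by a success from the same pair: a brute force that worked.
    fails = defaultdict(list)
    for e in events:
        if e["source"] != "auth":
            continue
        key = (e["src"], e["user"])
        recent = [t for t in fails[key] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            fails[key] = recent + [e["ts"]]
        elif e["result"] == "OK":
            if len(recent) >= fail_threshold:
                offenses.append({"type": "brute_force_success", "ts": e["ts"],
                                 "src": e["src"], "user": e["user"], "host": e["host"]})
            fails[key].clear()

    # Rule 2: an IDS alert names an internal host as its target; within 2x the window
    # the firewall then permits a large outbound flow from that host.
    alerted = {}  # internal host -> time of the latest IDS alert against it
    for e in events:
        if e["source"] == "ids":
            alerted[e["dst"]] = e["ts"]
        elif e["source"] == "fw" and e["action"] == "ALLOW":
            hit = alerted.get(e["src"])
            if hit is not None and e["ts"] - hit <= 2 * window \
                    and int(e["bytes"]) >= exfil_bytes:
                offenses.append({"type": "possible_exfiltration", "ts": e["ts"],
                                 "host": e["src"], "dst": e["dst"],
                                 "bytes": int(e["bytes"])})
    return offenses


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for offense in correlate(events):
        print(offense)
    print(f"{len(events)} events -> {len(correlate(events))} offenses")
```

The single firewall DENY and mlee's one failed login produce nothing, which is the point: a real SIEM spends its effort on tuning rules like these so that the analyst's queue holds offenses, not raw events.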

 

Cyber CSI

If you look on the Guidance Software website, you won’t find much about cybersecurity specifically, Sam Maccherola told OTFL.

 

What you will find is a lot about digital forensics and eDiscovery.

 

One of the things that a forensic tool will do is help with the problem: I don’t know what I’m looking for, so how do I find it?

 

“You need a forensic tool,” said Maccherola. “This is common for police investigations; now we can take that over to malware. Recently an agency got hit with an email attack. The incident response team didn’t know what to look for; something was crawling through their network. We have the ability to look into files and disks and evaluate and investigate an intrusion at the forensic level. The key is having that forensic view to dig at the operating system level; it’s a powerful tool incident response teams find valuable.”

 

To avert these breaches Maccherola urges agencies to be much more proactive in protecting the data itself. “Government has spent billions on protecting the perimeter—the defense in depth strategy—but is still being penetrated on a daily basis. Clearly all of this investment isn’t really protecting them.”

 

At the epicenter of government is the data at rest housed at the endpoint or the desktop. Some agencies don’t know exactly where their data is; or if there is personal or classified information stored in areas it shouldn’t be.

 

Maccherola urges government IT managers to proactively look to see what processes are running in their network that might be detrimental and could be used to exfiltrate data. Then use tools, either continuously or on a timed scan basis, to proactively look at the data and take remedial steps when necessary.

 

Telework Requires Role Based Security

 

Dave Gruber at Merlin is in a unique position. Merlin has long-standing relationships in the network and cybersecurity fields and is continuously seeking to recruit companies with disruptive technologies.

 

“We can use them to provide solutions never thought of before,” explained Gruber. “We put together unique solutions based on in-depth understanding of our partners’ capabilities and deliver that to our customers.”

 

Gruber says the whole area of role based security, knowing who has access to what, what they do and whether they are doing something unusual, is going to come to the forefront as the federal government moves towards a telework model.

 

Telework may soon be mandated, but that doesn’t mean all the details have been figured out. “We are helping develop tools, but the real concern is the person is working on their home computer and all those threats are then brought into the federal enclave,” said Gruber. “You are assuming all of the risks your untrained users take on their home computers. How do you make sure that doesn’t happen?”

 

The answer could be something such as a thumb drive that boots the home computer into a controlled environment and prevents the rest of the machine from being used. But for government cybersecurity experts, Gruber says the questions are, “does our solution really protect us from the vulnerabilities that are out there? And what is the best solution for providing security for home computers in a telecommuting world?”

 

Authenticate, Identify, Trust, Share

 

Bill Clark at CA Technologies is keenly aware of just how important content aware identity management, working in concert with a trusted supply chain, is to secure information sharing.

 

“If you are federating, everyone has to be legitimate; any break in the link makes you vulnerable,” explained Clark.

 

CA provides cyber solutions that address the 15 automatable Critical Security Controls (out of 20) identified by the Center for Strategic and International Studies (CSIS). This includes asset inventory (hardware and software), configuration management, log management, user account and privilege management, vul­nerability management, intrusion prevention and data protection.

 

How to ensure identity management through strong authentication becomes more critical each day as we push more computing and apps to mobile devices.

For mobile devices such as smartphones and iPads to access network resources, Clark sees the need to eliminate the smart card and use a piece of software code to authenticate the user and generate a password automatically.

 

The issue with static passwords is that they can be stolen easily. Eliminate them and you avoid a lot of password resets, and there are other economies as well, he added.

 

“Now with content aware identity management, I know who you are and I know what you can see,” explained Clark. “Then you are connected to the app. What is it in the app you want to see? You may not see everything—only what policy or role allows access.”

 

Looking out over the next 24 months, Clark said increased sensor networks are allowing the network itself to see anomalies. “That makes the network increasingly smart and when it sees something out of the ordinary, it alerts.”

 

This triggers complex event processing, a large amount of automated analysis of the form "if this is true, then do this". Further, Clark talked about the growing use of what he called Advanced Pervasive Threat analysis: actually figuring out what threats could be out there and taking countermeasures.

 

“After all, you can do a lot of damage in 2 seconds of computer time,” noted Clark.




Copyright © 2012 Public Sector Communications, L.L.C.
