Sharing security best practices among federal agencies: The time has come
There is no shortage of attention being paid to the need for enhanced information security by the federal government, and for better sharing of information that may affect national security.
In mid-March, the heads of the DHS, FBI and Joint Chiefs appeared at a Senate hearing to express their concern about the threat of cyber-attacks. A few days later, the Attorney General announced new guidelines for the National Counterterrorism Center, which The New York Times reported, “are expected to result in the center making copies of entire databases and ‘data mining them’ ... to search for patterns that could indicate a threat.”
When President Obama announced creation of an Insider Threat Task Force last October, his executive order said the objective was to “ensure coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and systems security” and to “address both internal and external security threats.” The emphasis on sharing, security and interagency cooperation was clear.
Anything that stands in the way of an efficiently operating community of expert cyber analytics and shared best practices imperils national security, given the ongoing threats posed by cyber-attackers to government, commercial and civilian targets.
While the goals of interagency cooperation and “connecting all the dots” still face hurdles, the good news is that technology exists today that can move us toward these objectives. Advanced technologies and practices can contribute to interagency cooperation in several ways. Among them are these three essential elements:
Gathering and storing all relevant data, without creating oppressive burdens from the cost and complexity of storage;
Applying the most advanced analytic tools to understand what insights the data may hold; and
Sharing those insights with all interested and affected parties, breaking down barriers created when information is segregated in agency- or system-specific “silos.”
A logical starting point for sharing security analysis best practices is advanced security information and event management (SIEM) services that serve as a cornerstone technology for developing and applying cyber analytics. These analytics can be leveraged to improve the effectiveness and trustworthiness of an organization’s operations by identifying, understanding and counteracting insider threats, advanced persistent threats, cyber threats, fraud and compliance violations.
Increasing industry adoption of MITRE’s Common Event Expression (CEE) standards, which establish a common taxonomy of security events, means that best practices -- including those drawn from commercial industries such as telecommunications, healthcare and financial services -- can be shared across agencies and employed directly.
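The practical payoff of a common event taxonomy is that one analytic query can run across every log source without per-source logic. The following Python is an added example, not code from the article or from any vendor it names: it normalizes two constructed log formats (an sshd-style authentication line and a firewall-style deny line) into one shared record shape. The field names (time, action, status, subject, object, src_ip) are an assumption loosely inspired by the CEE idea of a shared vocabulary, not the official CEE Core Profile, and the sample lines and addresses are constructed.

```python
"""Normalize heterogeneous security log lines into one common event record.

Added example (not from the article): a minimal "common taxonomy" layer of
the kind a SIEM applies before analytics can run across sources. Field
names are an assumption modelled on the CEE idea of a shared vocabulary,
not the official CEE Core Profile.
"""
import re
from datetime import datetime, timezone

# Constructed sample lines from two made-up sources: an sshd-style
# authentication log and a firewall-style connection log.
SAMPLE_LINES = [
    "Mar 14 09:12:03 host1 sshd[2210]: Failed password for admin from 203.0.113.7 port 50122 ssh2",
    "Mar 14 09:12:05 host1 sshd[2210]: Accepted password for admin from 203.0.113.7 port 50123 ssh2",
    "2012-03-14T09:12:09Z fw01 DENY TCP 203.0.113.7:50124 -> 10.0.0.5:22",
]

SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<verdict>DENY|ALLOW) (?P<proto>\S+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def normalize(line, year=2012):
    """Return a common event dict for a recognised line, or None otherwise.

    syslog-style timestamps carry no year, so the caller supplies one.
    """
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {
            "time": ts.isoformat(), "host": m["host"], "source": "sshd",
            "action": "login",
            "status": "failure" if m["result"] == "Failed" else "success",
            "subject": m["user"], "object": m["host"], "src_ip": m["ip"],
        }
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {
            "time": ts.isoformat(), "host": m["host"], "source": "firewall",
            "action": "connect",
            "status": "failure" if m["verdict"] == "DENY" else "success",
            "subject": m["src"], "object": f"{m['dst']}:{m['dport']}", "src_ip": m["src"],
        }
    return None


def events_by_source_ip(lines):
    """Group normalized events by src_ip so one query spans all sources."""
    groups = {}
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue  # unrecognised lines are skipped, not guessed at
        groups.setdefault(ev["src_ip"], []).append(ev)
    return groups


def failure_counts(lines):
    """Count 'failure' events per src_ip across every source.

    This query needs no per-source logic: that is the point of the
    shared vocabulary.
    """
    counts = {}
    for ip, evs in events_by_source_ip(lines).items():
        counts[ip] = sum(1 for e in evs if e["status"] == "failure")
    return counts


if __name__ == "__main__":
    for ev in map(normalize, SAMPLE_LINES):
        print(ev)
    print(failure_counts(SAMPLE_LINES))
```

Adding a third source means adding one more regex and mapping, while every downstream analytic (here, `failure_counts`) stays unchanged; that separation is what makes analytics portable between agencies.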
An example of advanced technologies and practices of value to federal intelligence and defense customers is found in the combination of the Sensage Event Data Warehouse and Security Analytics Library and security intelligence capabilities offered by KEYW, one of the most respected cyber security consulting organizations.
The starting point for this approach is the conviction that cyber-attackers will continue seeking vulnerabilities in a target until they succeed. When those vulnerabilities are discovered and remedied, attackers will search for more. No cyber defense is impenetrable. In fact, it is prudent to assume that eventually an attacker will infiltrate a system. For this reason, priorities must shift from passive defense to dynamic defense. This requires a system that detects malware based on a variety of criteria, scans and recommends patches for vulnerabilities, automatically eliminates discovered threats, manages security baselines and accumulates intelligence.
The coordinated efforts of several types of tools would form the most effective means of counteracting these threats. In particular, the combination of a malware detection tool, a vulnerability management tool and a configuration management tool would make a powerful dynamic defense.
An effective malware detection tool should do more than simply alert if malware appears. It should automatically detect an intrusion, quickly associate it with specific IT assets and then quarantine those assets from the surrounding network. The tool also should recommend specific remediation procedures, and participate in a prompt, thorough reporting system. If the malware detection tool consistently reports detections in a uniform format, valuable intelligence will be accumulated quickly.
In addition to detecting what threats have entered or are attempting to enter a system, it is important to minimize attack opportunities. This is the value of a vulnerability management tool. This tool should have an automated system that regularly scans for known vulnerabilities and associates any discovered vulnerabilities to specific IT assets, software configuration items and common vulnerability identifiers. Uniform reports on discovered vulnerabilities and historical trends are vital for attack pattern discovery. Only after the tool identifies patterns can it recommend a successful countermeasure.
A configuration management tool establishes a third component of this ideal cybersecurity system. This tool would maintain compliance to the configuration baseline for maximum security, documenting and storing security configuration settings for both networked and non-networked IT assets. Periodic scans would facilitate the identification of any security configuration changes. The configuration management tool’s ability to track these changes would facilitate historical trend analysis and deviation identification.
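To make the three-tool combination concrete, here is an added Python example (not code from the article, Sensage or KEYW) that models in memory what the preceding paragraphs ask for: associating vulnerability feed entries with specific assets and software configuration items, comparing observed settings against a configuration baseline to surface deviations, and recording a malware detection against the asset it touches in a uniform record shape. All assets, settings and the vulnerability feed are constructed sample data, and the identifiers in the feed are placeholders in CVE format, not real advisories.

```python
"""Link scan findings to assets and detect configuration drift.

Added example (not the article's, nor Sensage/KEYW code): a small in-memory
model of the malware detection / vulnerability management / configuration
management combination the text describes. All data below is constructed;
the CVE-shaped identifiers are placeholders, not real entries.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    hostname: str
    software: dict            # config item -> installed version
    config: dict              # security setting -> value observed at last scan
    quarantined: bool = False


# Constructed inventory of two hosts.
ASSETS = [
    Asset("A-1", "web01", {"openssl": "1.0.0", "httpd": "2.2"},
          {"ssh_root_login": "no", "firewall": "on", "audit": "on"}),
    Asset("A-2", "db01", {"openssl": "1.0.1", "mysql": "5.5"},
          {"ssh_root_login": "yes", "firewall": "on", "audit": "off"}),
]

# Constructed vulnerability feed: (config item, affected version, identifier).
# Identifiers are placeholders in CVE format, not real CVE entries.
VULN_FEED = [
    ("openssl", "1.0.0", "CVE-XXXX-0001"),
    ("httpd", "2.2", "CVE-XXXX-0002"),
    ("mysql", "5.5", "CVE-XXXX-0003"),
]

# Security configuration baseline every asset is required to match.
BASELINE = {"ssh_root_login": "no", "firewall": "on", "audit": "on"}


def vulnerabilities_by_asset(assets, feed):
    """Associate each feed entry with the assets and software items it affects.

    Every finding has the same shape, which is what makes historical trend
    reporting possible later.
    """
    findings = []
    for a in assets:
        for item, version, cve in feed:
            if a.software.get(item) == version:
                findings.append({"asset_id": a.asset_id, "host": a.hostname,
                                 "item": item, "version": version, "id": cve})
    return findings


def configuration_deviations(assets, baseline):
    """Compare observed settings with the baseline; one record per deviation.

    A missing setting counts as a deviation (observed is None).
    """
    deviations = []
    for a in assets:
        for setting, expected in baseline.items():
            observed = a.config.get(setting)
            if observed != expected:
                deviations.append({"asset_id": a.asset_id, "setting": setting,
                                   "expected": expected, "observed": observed})
    return deviations


def quarantine_on_detection(assets, detection):
    """Tie a malware detection (keyed by hostname) to its asset and flag it.

    Returns a uniform detection record; the network isolation itself would be
    performed by the surrounding tooling and is out of scope here.
    """
    for a in assets:
        if a.hostname == detection["host"]:
            a.quarantined = True
            return {"asset_id": a.asset_id, "host": a.hostname,
                    "indicator": detection["indicator"], "action": "quarantine"}
    return None


def summary(assets, feed, baseline):
    """Per-asset counts of open vulnerabilities and baseline deviations."""
    out = {a.asset_id: {"vulns": 0, "deviations": 0} for a in assets}
    for f in vulnerabilities_by_asset(assets, feed):
        out[f["asset_id"]]["vulns"] += 1
    for d in configuration_deviations(assets, baseline):
        out[d["asset_id"]]["deviations"] += 1
    return out


if __name__ == "__main__":
    print(summary(ASSETS, VULN_FEED, BASELINE))
    print(quarantine_on_detection(ASSETS, {"host": "db01", "indicator": "constructed-indicator"}))
```

Because every function emits records with a fixed set of keys, the output of all three components can be written to the same store and trended over time, which is the "accumulates intelligence" property the text asks for; a real deployment would replace the in-memory lists with the event data warehouse and feed the findings from actual scanners.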