In many respects, the past year has dealt one bad hand after another: the COVID pandemic, economic slowdown, job cutbacks, and worst of all too many lost lives. Fortunately, many elements of the American system have proven relatively resilient to these setbacks. During this same time, many different impactful cybersecurity events have taken place—some small scale and others more newsworthy. The SolarWinds breach was a wake-up call to the cybersecurity community: a software supply chain compromise not only affected the initial victim, but also every commercial entity and Federal agency that utilized its software. IT organizations are still feeling and calculating the pain of this attack and will continue to do so for some time. Though this attack made the news outside the IT community, very little pain was felt at a consumer level. However, it proved to be a harbinger of one that would affect not only technology at large, but the American public directly. The Colonial Pipeline breach demonstrated just how vulnerable our systems are and how an attack can cause widespread disruption of American society. I know, I was searching for gas last Saturday…
The May 12 Executive Order on Improving the Nation’s Cybersecurity lays out a multi-pronged approach to mitigating these types of attacks. As explored below, a failure in any one of the abilities to detect a threat, report it, employ protections in a timely manner, and ultimately defend against it can cascade through the whole chain and determine whether or not the threat is successfully thwarted. In other words: attackers only need to be right once. Cybersecurity professionals need to be right all the time.
The concept of Zero Trust has been around for some time. The Federal government was primarily introduced to Zero Trust in the form of the TIC 3.0 modernization effort, which at its core is built on top of Zero Trust. The TIC 3.0 initiative came to light because Federal agencies needed to allow Federal data and services to reside outside the agency’s security boundary via cloud services. Unfortunately, properly securing sensitive data shared between cloud providers and agencies has fallen short of an acceptable risk threshold, and the recent executive order calls this out.
The Federal government must be able to obtain threat data from its partners to stay on top of the latest security threats. NIST has taken an excellent step towards defining what Zero Trust should mean to the Federal government with SP 800-207.
Many agencies and corporations still suffer from blind spots within their cybersecurity organization. If attacks cannot be seen, they cannot be detected, reported, or mitigated. Visibility has become an even greater issue due to the proliferation of SSL/TLS across parts of the network that have traditionally been deemed secure or internal, driven by the need to encrypt all transmissions of data. Additionally, visibility is essential for the Zero Trust paradigm to function properly, as the Zero Trust Policy Enforcement Point (PEP) must have all the necessary data to make the proper decision as to whether or not access should be allowed.
Visibility of threats is essential to detection, with the subsequent reporting, monitoring, and ability to share threat intelligence next in terms of priorities. Properly sharing threat intelligence provides a mechanism to potentially confirm a threat or the risk severity a threat poses—even more importantly, it provides cybersecurity analysts with all the data needed to quantify a novel threat.
Initiatives like CDM (Continuous Diagnostics and Mitigation) have been underway for some time to help realize the consolidation and reporting of threat data. Some processes and threat intelligence gathering efforts are still far behind the required standards, especially where significant blind spots remain in networks. This leads to a cascading effect across the cybersecurity protection landscape. In the end, cybersecurity teams need to see all the transactions and data from client to application to provide the most meaningful assessments of possible threats. Unhindered sharing of threat intelligence must exist in the Federal partner ecosystem. Threat intelligence sharing is also vital in the detection of software supply chain threats.
New threats will undoubtedly emerge, and they’ll cause cybersecurity teams to deploy additional or new measures of protection. The question is, how quickly can cybersecurity teams employ protections in a secure and non-disruptive manner? Plainly, the ability to detect and to be agile is now mission-imperative in providing proper protection. IT is going through a major shift towards becoming more agile. The practice of quickly and securely delivering modern applications with less disruption has been coined DevSecOps. This modern development practice allows organizations to become more nimble in how they employ cybersecurity protections in a safe and non-disruptive manner.
The default security measures put in place by cloud providers have made it possible to bring on-prem levels of security into cloud environments, and have become a driving force behind cloud deployments. Still, consumers of cloud are often taking a leap of faith that cloud providers are doing “the right thing” when it comes to cybersecurity, while relinquishing a level of control over data and security to the provider. Information sharing between cloud providers and agencies must be part of the Federal partner ecosystem to provide more comprehensive security.
Each of these tenets is required to achieve a higher cybersecurity standard. Learn more about how F5 Government Solutions can help in meeting and exceeding the level of security associated with the recent Cybersecurity Executive Order here.
By Ryan Johnson, Solutions Engineering Manager – F5 U.S. Federal Solutions