Government agencies were already under pressure to modernize their cybersecurity strategies before the pandemic hit, and as workplaces closed and government employees struggled to access data and systems from makeshift home offices, the cybersecurity risks grew. The use of virtual private networks in the U.S. increased to match the early spike in COVID-19 cases, rising 124% in the two weeks from March 8 to March 22, 2020, according to Statista. Around the same time, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert titled “Enterprise VPN Security,” which offered both warnings and guidance on how to handle the surge in usage. With so many employees logging in remotely, agencies found that they had to shift their focus from securing a well-defined perimeter to securing the data that fuels government operations. In a recent survey of FCW readers, protecting data topped the list of cybersecurity priorities, with 75% of respondents citing it. In response to such concerns, CISA released its Ransomware Guide in September 2020. And in May, President Joe Biden mandated that agencies adopt zero trust in his Executive Order on Improving the Nation’s Cybersecurity, and the National Security Agency released a paper a few months ahead of that mandate titled “Embracing a Zero Trust Security Model.” Read the latest insights from industry thought leaders in Carahsoft’s Innovation in Government® report on cybersecurity.
“Analysts have too much atomic data and not enough context about that data. When they don’t have the full picture, they can’t take appropriate action. Re-creating each attack by hand takes painstaking care. And though analysts often relish this challenge, there’s simply not the time to do so for every presented case. Forward-thinking organizations are using artificial intelligence/machine learning (AI/ML) capabilities to fortify user endpoints and server workloads across an array of operating systems. These automations are designed to monitor the growing number of attack vectors in real time and present the full context of an attack in an easy-to-understand view that’s modeled after a kill chain.”
Read more insights from SentinelOne’s COO, Nick Warner.
“Zero trust is an important construct for helping agencies protect their infrastructure in today’s cybersecurity landscape. It focuses on accrediting individuals and their access to government resources. Agencies should make those decisions about access based on a comprehensive understanding of users. Security policies that treat all users as equally risky can be restrictive. Such policies set the bar high and hamper employees’ ability to work, or they set the bar low, which defeats the purpose of having security. Instead, agencies should evaluate users on an individual basis by taking the time to understand what employees do and how they do it — what’s normal behavior and what’s not. Then they can assess the risk of an individual based on that context.”
Read more insights from Forcepoint’s President of Global Governments and Critical Infrastructure, Sean Berg.
“Securing data and apps begins with positively identifying the user. In government, agencies have used multifactor authentication and all kinds of certificates, but those are simple pass/fail security checks. Once users are allowed to cross the security barrier, they often have wide-ranging access to government resources. This means adversaries and malicious (or careless) insiders passing the security checks receive free rein as well. Government needs to move to a continuous authentication model, which leads to better security and a better user experience. It involves seamlessly authenticating users every step of the way — when they touch the keyboard or scroll through an app on a screen. That activity, down to the microscopic vibrations in a person’s fingertip, can be sensed and understood so that IT administrators can answer the question: Is this really the authenticated user, or is it somebody else?”
Read more insights from BlackBerry’s Chief Evangelist, Brian Robison.
“Government employees are increasingly reliant on mobile applications to do their jobs. But without formal monitoring programs in place, agencies might be unaware of the risks inherent in commercial and government-built apps. As a result, few agencies are investing resources and time to address a serious problem. The average mobile device has 60 to 80 apps, representing a huge potential for vulnerabilities at agencies whose employees are using those devices for work. Thousands of apps could be tracking employees or intercepting data. NowSecure founder Andrew Hoog has said mobile apps are the ultimate surveillance tool, given the mix of personal and mission activities in one space.”
Read more insights from NowSecure’s Chief Mobility Officer, Brian Reed.
“Once agencies have gathered their data in a scalable, flexible platform, they can apply artificial intelligence to derive insights from the data. AI speeds analysis and is particularly effective when agencies move from signature-based to behavior-based threat detection. A signature-based approach is good for detecting threats we already know about, but a behavior-based AI approach can adapt to new threats by looking for anomalies such as changes in the behavior of a server or endpoint device. AI also helps with investigations by reconstructing the sequence of events that happened during an intrusion, which fuels agencies’ ability to prevent future attacks. With AI, agencies can start to apply more sophisticated algorithms in their hunt for vulnerabilities and cyber threats.”
Read more insights from Cloudera’s Principal Solutions Engineer and Cybersecurity SME Lead, Carolyn Duby.
“Agencies must ensure recoverability because none of these protections matter if they can’t recover data and systems that run their critical missions and operations. Agencies need to gather and protect data at the edges of their networks, in their data centers and across different clouds. And regardless of where agencies decide to store that data, they need to be able to access it instantly. Recoverability service-level agreements of minutes and hours are possible and delivered today across the whole of government and the Defense Department. Gone are the days of weeks and months to get back online.”
Read more insights from Rubrik’s Public-Sector CTO, Jeffrey Phelan.
“When employees were sitting in a government office behind a firewall, IT administrators had a clearly defined perimeter to protect. Now IT administrators are still focused on protecting the agency’s mission and assets, but the responsibility has become more difficult because they’ve lost some visibility and control over the infrastructure. In response, many organizations are moving toward strategies based on zero trust, which requires validating users and devices before they connect to government systems, or least privilege, which involves only giving employees access to the resources and applications they need to perform their jobs. Zero trust and least privilege require continuous monitoring and a risk-based approach to adding or removing authorizations.”
Read more insights from SolarWind’s Group Vice President of Product, Brandon Shopp.
“Users who need to access low-risk applications and data — for example, publicly available product information — can use an authentication method such as one-time password tokens. But if that same user wants to access higher-value data such as corporate finance records, the required level of authentication should increase, perhaps requiring public-key infrastructure (PKI) authentication with a smartcard. The key is to manage those activities via one pane of glass or one platform that supports the entire risk-based and continuous authentication process. In the past, we’ve been able to base decisions on where users are located — for example, whether they’re accessing data from within the network or remotely via VPN — but that is no longer enough. New technology tools enable agencies to gain a deeper understanding of users’ online behavior so they can make more informed decisions about authentication.”
Read more insights from Thales TCT’s Vice President of Product Management, Bill Becker.
“Networking teams rely on standard configurations to maintain the security policy. These standard configurations dictate connectivity and traffic flows to ensure users can access appropriate resources while preventing unauthorized access. The idea of a standard configuration seems simple, but maintaining it is extremely difficult. Validating configurations is clearly mission critical, but monitoring and validating network behavior are even more telling and help ensure that policies are not inadvertently being circumvented and that there is no unintended connectivity.”
Read more insights from Forward Networks’s Technical Solutions Architect, Kevin Kuhls.
“A software-defined perimeter integrates proven, standards-based security tools to create the ideal foundation for zero trust. When used together, those two approaches give agencies the granularity to customize their security protocols. For example, the IT team could allow USB mice but not USB thumb drives that can store data, and they could block potentially unwanted applications that anti-malware engines might not identify as malicious, such as bitcoin-mining or file-sharing apps. Zero trust is a mindset rather than a specific group of tools. The National Institute of Standards and Technology’s Special Publication 800-207 on zero trust architecture advocates taking a holistic approach to authenticating devices and users and extending that attitude to agency assets, services and workflows.”
Read more insights from OPSWAT’s Senior Director of Government Sales, Michael Hylton.
Download the full Innovation in Government® report for more insights from these government cybersecurity leaders and additional industry research from FCW.