Cybersecurity is at the heart of IT modernization. While modern technologies provide agility and convenience, a core requirement of new solutions is the ability to respond to new threats.
Government agencies and private enterprises alike are modernizing IT, not only for peak performance and new capabilities, but to protect against bad actors. Legacy systems leave too many cracks in the security armor. The lack of visibility and cross-functionality makes securing the entire government enterprise in its current state an exercise in futility.
Industry leaders have widely praised government’s recent emphasis on improving IT infrastructure. Multiple, overlapping new initiatives push the modernization agenda, and the president’s own agenda calls IT modernization the linchpin under which government transformation will take place.
Many of the recent programs aimed at bringing government IT into the future rightly cite better security as a key objective. With increasingly complex security problems to solve, agencies must leverage these programs to find the right solutions that take the guesswork out of network fortification.
Stop Combatting Complexity with Complexity
The industry loves buzzwords, and within the modern security vernacular there may be no phrase more widely referenced than “the evolving threat landscape.” But it’s a fair characterization, because it’s a harsh environment. The attack surface is widening; the means to exploit networks have evolved and expanded.
Modernization creates complications. There are more threats and exploits than ever, but industry leaders agree that threat complexity doesn’t need to be tackled with solution complexity.
“Organizations think every new security threat requires a new tool to solve it. This couldn’t be further from the truth,” said Chris Townsend, vice president, Federal, Symantec.
“One of the biggest problems agencies face today is trying to address complexity with more complexity,” said Ralph Kahn, vice president, Federal, Tanium. “Yes, agencies’ IT environments are constantly being disrupted, but rather than trying to address those many challenges with many tools, agencies need simplicity.”
They agree that departments are overloaded with redundant tools providing functions that are limited in scope and becoming outdated at a rapid clip. The model is shifting to platform-based, rather than tools-based security.
“Moving at the speed of cyber requires using a single platform to do tasks that may previously have been spread out across a dozen or more tools,” continued Kahn. “These tasks range from having complete visibility over every endpoint in real time, to being able to take action on those endpoints in seconds, whether that’s patching a vulnerability across a million endpoints or mitigating an attack instantly.”
“Federal agencies must shift from a tools approach to a standards-based integrated security platform that enables automation,” added Townsend. “This will allow agencies to take advantage of the tremendous strides in machine learning and AI to respond to threats across the entire security continuum.”
That continuum is expanding to include emerging technologies like the Internet of Things (IoT), which will have a marked effect on Federal agencies.
That’s precisely the evolving threat landscape and widened attack surface everyone has been clamoring about. Imagine the networks at Veterans Affairs being attacked through a cardiac monitoring device used on one of its patients. It’s a very real possibility but wouldn’t even have been considered just a few years ago.
“All organizations now face an elastic attack surface, where the growing number of assets and their vulnerabilities have led to a gap in the ability to understand cyber exposure,” said Jack Huffard, president and COO of Tenable. “Agencies need to adopt technologies that provide visibility across the entire attack surface, from IT and IoT to cloud and containers. This is the only way to fully measure, manage and reduce overall cyber exposure.”
Leveraging MGT and CDM
Thankfully, government seems committed to reinforcing agencies’ security posture to combat this increased exposure. There are a lot of programs in play, but expanding upon the ones that offer the most benefit and retooling the ones that are struggling will keep modernization focused on the appropriate outcomes.
Modernization requires prioritization. Agencies can play an important part in guiding and shaping programs to focus on the biggest concerns, and based on what’s at stake, it seems security is the biggest.
For example, appropriators have decided to fund the Modernizing Government Technology (MGT) Act and give the law the legs it needs to fuel new investments in technology. But how should agencies use the awarded funds? They want products that improve efficiency, but need to consider how good security will amplify ease-of-use.
“Cybersecurity and modernizing technology are intertwined – both come down to visibility,” said Kahn. “When agencies have accurate and detailed data on each of their endpoints, large modernization initiatives such as migrating to the cloud become much easier and more cost-effective.”
“The key is leveraging MGT to implement security from the beginning, rather than adding on security reactively,” added Townsend. “If an agency wants to benefit from the cost savings and improved agility of cloud, it must extend security controls into the cloud. The same applies to mobility and IoT.”
Industry voices also pointed to the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program as another means for promoting the network visibility and security controls they’re advocating.
“As we move into CDM Phase 3, there’s a tremendous opportunity for agencies to gain the complete visibility and control the program intended,” added Kahn.
“Congress must also properly fund the program to attract agencies to participate fully, which will ensure the desired level of standardization and consistency across the attack surface of federal networks,” said Huffard.
DHS is authorized to foot the bill for two years of the CDM program before transitioning costs to agencies, so the incentive is there to jump in and implement now. With implementation comes the essential task of refining the program as needs change.
“The government should require that CDM technologies meet rigorous performance standards for time to complete a vulnerability scan or remediate a threat,” said Kahn. “The program may even look at some of the metrics that the Department of Defense (DoD) agencies are meeting as benchmarks.”
Along with Huffard, Kahn lauded current DoD programs as “the gold standard for cybersecurity in government.” Huffard pointed to the Assured Compliance Assessment Solution (ACAS), and Kahn specified the Automated Remediation and Asset Discovery (ARAD) program, as two examples of DoD taking the lead in vulnerability detection and prevention.
Taking cues from successful initiatives like these will require both interagency dialogue and appropriate oversight. It does seem, however, that the discussions, the funding and the top-down direction are picking up steam. It’s hard enough to get all of your acronyms straight, on top of the myriad commercial solutions and security vendors in the marketplace. But cutting through the clutter needs to be agencies’ top priority.