Federal government agencies are facing a cyber insurgency.
The past year underscored the systemic vulnerability of our government. Security teams are facing increasingly sophisticated attacks – and they’re doing so in a remote work environment. In parallel with this, organizations are accelerating cloud adoption which expands the threat surface for cybercrime cartels and nation-state actors who have used the pandemic as a chance to industrialize their operations. Whether it’s island-hopping as we saw with SolarWinds or new attack techniques, VMware found destructive attacks have increased by 118 percent as cyberspace becomes increasingly hostile. It’s no longer a matter of if an organization will get attacked, but when.
This stark reality galvanized the Biden administration to act decisively. The recent Executive Order on cybersecurity is of historic importance. The cornerstone of this critical shift is founded in Zero Trust, a paradigm centered on the premise that the infrastructure must defend itself and suppress intrusions.
As defined in the Executive Order, Zero Trust is “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both insight and outside traditional network boundaries.” The Executive Order continues, “The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs.”
Each federal government agency has been instructed to develop a plan to implement Zero Trust Architecture within 60 days of May 12, using the migration steps outlined by the National Institute of Standards and Technology (NIST) and ensuring that all cloud environments are leveraging Zero Trust.
Zero Trust endows the defender with situational awareness. It naturally enhances the SOCs ability to suppress intrusions that bypass perimeter defenses. The common operating picture accelerates detection and response thus decreasing dwell time. As CISOs arm their teams with the resources needed to defend against attackers, two things should remain top of mind. First, the assumption that these cyber cartels will not only target their organization but that they will attempt to hijack their infrastructure. Second, that attackers will fight back via counter incident response.
CISOs must remain vigilant against cyber cartels. The following best practices can help organizations achieve cyber vigilance with Zero Trust:
- Increase situational awareness: It is critical that organizations take a proactive and comprehensive approach to security, regardless of sector or size. Telemetry is thus fundamental to achieve situational awareness one must integrate the network detection and response platform with their endpoint protection platform.
- Secure workloads and Kubernetes environments: Migration to the cloud shows no sign of slowing down, which must result in security that extends across workloads, containers and Kubernetes environments. Protection across cloud workloads should be the top priority for organizations utilizing public and private clouds to take cloud security to the next level and protect against attacks like cloud jacking.
- Track identities on the move: Today’s attacks do not have a distinct beginning or end. Instead, adversaries use the opportunity to learn as much as they can about organizations. Security teams need the ability to accurately track identities as they move throughout networks to ensure adequate protection. This requires just in time administration and two factor authentication. Implement multifactor authentication. Protect all external-facing assets with multifactor authentication. Leverage a single sign-on (SSO) provider to allow for centralized and seamless authentication across the vastly distributed work environment. Finally, apply the principle of least privilege.
- Operationalize hardening and patching: By leveraging industry best practices for hardening and patching, ensure IT operations and security are on the same page with vulnerability data and have agreed on service-level agreements (SLAs) for patching.
- Apply micro-segmentation: Limit an adversary’s ability to move laterally within the organization. Forcing intruders to cross trust boundaries provides an improved opportunity for detection and prevention.
- Activate your threat hunting program: Prepare for the worst, hope for the best. Security teams should assume attackers have multiple avenues into their organization. Threat hunting on all devices can help security teams detect behavioral anomalies as adversaries can maintain clandestine persistence in an organization’s system. Organizations have already begun to realize the value of threat hunting with more than 81 percent reporting they have a threat hunting program in place. Threat hunting should be conducted on a weekly basis.
Going forward, security must be built-in, not bolted on. Security “stacks” must suppress intrusions from the start. Thrashing is the enemy of security.
In cybersecurity, thrashing occurs when too many “tactical” security solutions, technologies, and tools are employed without a “strategic” focus—creating a complex and incomprehensible operating environment that overwhelms an organization’s available resources (people, time, and funding) and results in poor situational awareness and insecure systems. Systems that are secure-by-design are built with a strategic focus on a solid foundation of systems security engineering—emphasizing mission and business assurance as the primary objective.
Dr. Ron Ross, NIST, 2021
We must put the power back in the hands of defenders and give security teams the means to remain vigilant in the chaos of cyberspace. Cyber vigilance can only be achieved by aligning with the principles of Zero Trust that will empower your digital infrastructure to defend itself in real time.
