Recently RedSeal hosted its annual Federal Customer Forum. One of the panels featured a discussion with several luminaries in the federal government cybersecurity ecosystem. The topic: the importance of the integration and automation of cybersecurity operations.
Those present were:
- Wayne Lloyd, RedSeal (Moderator)
- Kevin Phan, Splunk
- Tim Jones, ForeScout
- Wade Woolwine, Rapid7
- John America, Mystek Systems
The following questions and answers were lightly edited for better comprehension:
Why is integration and automation important in defending against cyberattacks?
Not enough time to manage cybersecurity. The mundane tasks use up all the people and there is stuff to do afterwards. Humans need to focus on high level actions. Let the tools talk together and that will increase speed to resolution and limit damage. Attacks are automated by hackers, so defense needs to be automated, too.
Are security vendors doing enough to integrate with each other to support their customers’ needs? If so what have you seen work well? If not, what should we as an industry be doing better?
No. No one vendor does it all, and often have trouble integrating with others, so customers need to do a better job integrating solutions from different vendors or hire a managed security services provider.
When it comes to securing IoT devices, where does responsibility lie? Is it with the manufacturer, the user, or both?
Most say that there should be shared responsibility. Devices should be patchable and upgradable. “Know your network” is hard with IoT. There are many, many more endpoints to worry about. Organizations need to develop safe processes for adding IoT to the networks, and segment them onto less secure networks. Organizations need to develop a patching strategy generally, but specifically for IoT devices.
There was a recent example where drones were purchased by the DOD. It turns out that the chips had been white-label manufactured by Huawei in China. These drones were exfiltrating data without user’s knowledge to parties unknown. This kind of supply chain issue is going to be a bigger problem going forward.
If you were to go into an organization that is standing up a new, from scratch, security stack, what capabilities would you recommend they choose?
Detection is important, but how do you trust the decisions that the software makes? You need to get to the raw, unfiltered data. Also, the key is to set up network segments to prevent intruders from roaming freely across your infrastructure. Third, you need to set up hunt teams to proactively search for those intruders. Fourth, setting up a continuous config management process that inventories unpatched software is mandatory now. Penetration testing is useful, but penetration testers usually quit after they find a way in. What about the other thousands of vulnerabilities that they didn’t find?
Good cybersecurity teams are always looking to tear down silos. Bad ones stick to themselves. Hackers are known for sharing code, tools and vulnerabilities, so it seems obvious that cybersecurity teams should do the same. NOCs and SOCs are starting to talk more, which is a good thing, however cloud and dev ops teams seem to be still off on their own. Executive priorities still drive decision making, and no one can prevent those decisions from creating security issues. Cyber teams need to be stewards of data. Implement CIS 20 and set up a risk management framework. Use table top exercises to train and improve execution, rather than focus on checkboxes and processes.
It appears that you cannot truly protect yourself if you are not using integrated products. Does it make sense to keep buying solutions piecemeal or should security teams look for packages that already integrate?
Most systems integrators do a good job integrating various cybersecurity tools in government. The private sector is much less advanced in this area. Most commercial companies get technologies then push them to a managed services provider.
Do you see threat intelligence playing a big role with federal customers in protecting their networks?
It’s notable that the same old threats pop up all the time. What is unknown is the scary part of the day. For threat detection, we need a faster and faster process of identification, integration and remediation. Hackers share data. We need a better understanding of where the whole threat environment is coming from. That said, we need to protect high value assets (HVA) first. That means mapping out access from HVAs. The average detection time nowadays is 170 days, so you had better set up your organization for maximum resilience. Attacks are now coming from POS systems and, famously, a fish tank in a Las Vegas hotel.