As federal agencies are under new directives to embrace cybersecurity best practices and take a Zero Trust approach, they are not alone in ensuring they have the right solutions in place. Industry experts are reaching out to share their expertise on how federal agency IT security leaders can meet compliance requirements with the latest directives to secure our nation’s most critical assets.
In a recent interview, the Government Technology Insider (GTI) editors had the opportunity to connect with the Cyber Team at Three Wire Systems. We were joined by Simone Feldman, senior vice president, Wes Jackson, chief technology officer, and Ken Stewart, senior program director at the company. During the discussion, we highlighted the importance of embracing a “trust no one and verify always” framework and the foundational elements that are necessary to any Zero Trust approach.
Read the full discussion below:
GTI Editors: What do you think are some of the biggest looming cyber threats for federal agencies right now? How are they being mitigated?
Ken Stewart: A major threat facing the government is that antiquated acquisition regulations make it difficult, if not impossible, for the government to get quick and necessary access to commercially proven technologies and to receive the support and funding to put those solutions into place before a catastrophic event. The reactionary nature of the acquisition process means we are just waiting for the nefarious actors who are constantly probing our networks to cause a catastrophic event, and then we will respond through emergency management to allow new technologies in to protect ourselves. This fallacy in our functional operations presents the greatest threat to our country’s national cybersecurity posture.
Cybersecurity is not a box or part you can go buy. Working with government key stakeholders to develop unique solutions designed to address their specific issues, the expertise of Three Wire Systems’ cybersecurity solutions architects provides the government access to agnostic best practices on building a Zero Trust architecture from the ground up. Customized solutions have the benefit of being unique, and therefore not repeatable, and also of addressing the specific issue of a given agency or entity rather than the 80 percent rule. Being 80 percent secure in this world could have catastrophic results.
Wes Jackson: Zero Trust, as a framework, is guiding agencies in the right direction for the most part. There are good models that describe what Zero Trust is and how to get there, and just about every security product company now says something on their website about Zero Trust.
However, it is easy to miss the essence of what Zero Trust really means. “Trust nobody, ever, always verify…” Frameworks are important, and you need a large number of products in your solution stack to have good security, but it would be possible to follow all of that and still miss the central point.
My advice: look at your Zero Trust framework and ask yourself how you would attack an organization that was following that model. Would you still be able to use social engineering? Would you be able to exploit an inexperienced DevOps engineer into overprovisioning permissions? If you can think of a way in, so can the bad guys. They will find it, just the way you did. So, use the framework, contribute to advancing it, and employ best practices. Just don’t ever stop improving.
GTI Editors: What are the key components of a robust Zero Trust architecture in a federal agency?
Wes Jackson: Continuous Monitoring and Compliance (patching, config, etc.) is a very good start. If you don’t know something is on your network, then you can’t defend against it. If it’s 100 percent certain that someone is doing a good job scanning your network and finding weak spots, make sure it’s you and not your adversary.
Next, use Infrastructure-as-Code (IaC) and as much automated compliance and remediation as you can. IaC helps you deploy things right the first time, every time, and automation can help fix problems that arise.
Ken Stewart: Implementing a Comply-to-Connect solution is the first step to establishing any Zero Trust Architecture or Zero Trust Network. As a foundational element, Comply-to-Connect is a must-do action prior to proceeding with perimeter and/or any software-defined boundary. Know your network, secure it, then implement a trust-no-one methodology.
In fact, Congress directed the DoD and Federal Agencies to implement a Comply-to-Connect strategy in the 2017 National Defense Authorization Act (NDAA). Following this NDAA, on 28 January of 2021, the DoD Chief Information Officer sent out the mandate for implementation. Some agencies are already working towards implementation; however, several are still slow to execute.
GTI Editors: Tell us about the importance of continuous monitoring and network visibility. Is there a specific significance around these that applies to federal agencies?
Simone Feldman: Federal agencies face several cybersecurity challenges when it comes to ensuring only authorized devices are connected and operating on enterprise networks. Today, many federal services have manual processes in place to determine and report their current Cyber Scores. Even with tools such as ACAS, SCCM, Tanium, and HBSS, organizations are still manually sifting through these applications to try and determine, with some level of accuracy, their current cyber hygiene posture.
Three Wire Systems, through our partnership with Dell Technologies, is developing a solution that simplifies that process and reduces human error. Our ComplyVue solution aims to automate the process of determining an overall cyber hygiene posture through integration with each of the aforementioned tools and then presenting the results in an integrated single pane of glass and orchestrated dashboard.
Engaging with experts like Three Wire Systems, the government can ensure real-time data is available to detect and prevent potential threats, a significant benefit of continuous monitoring.
GTI Editors: How can federal agencies go about taking that next step in improving their cybersecurity approaches?
Wes Jackson: Build a culture of cyber excellence from top to bottom. Everyone understands how important physical security is, but there are still people who have a hard time grasping what they don’t see. An armed robber at the front door seems scarier and more likely than someone using ransomware, but you need leaders and hiring managers who understand that both are real. You wouldn’t let a robber in the front door, yet nearly all ransomware attacks are the result of an employee opening an attachment that came to them in an email, which is the digital front door.
Once a culture of cyber excellence is established, be sure to engage industry and meet often with your trusted advisors. As hard-working and talented as federal IT teams are, industry colleagues still may have routine exposure to information that could be valuable and timely. Find people who do cybersecurity well and keep them close.
Simone Feldman: The cyberspace threat landscape is gaining complexity every day, and across all industries. The stakes have never been higher to provide business and government enterprise systems and data with the confidentiality, integrity, and availability needed to operate across this highly contested space. The adoption of the cloud, the proliferation of data and the new nature of digital services with high demands and expectations of openness and accessibility bring greater risks from cyber-attacks.
Mitigating these risks requires a new approach that recognizes the modern, more distributed and open nature of networks, systems, and data as well as the need to be experts in responding to the inevitable attacks that will stress or even disable defenses.
Our solutions work with new or existing deployed products to shrink the attack surface. We focus on core technologies such as continuous monitoring, real-time analytics, infrastructure hardening, cyber hygiene, vulnerabilities, and providing operational visibility into the customer’s cyber domain. With these capabilities, we can assess the health of your networks, infrastructure, and systems to identify potential vulnerabilities.
The next step for any federal agency or business is to consult with our experts on your level of readiness.