Despite sequestration, budget cuts, and limited resources, every federal government agency CIO knows that they need to remain vigilant on cybersecurity. From the personally identifiable information of citizens stored on a server at the Department of Homeland Security to weapons systems plans at the Department of Defense, U.S. government agencies are high-value targets.
While many cybersecurity experts are busy touting new proprietary systems and solutions that promise additional layers of security, one expert is bucking the trend. Martin Roesch, founder and chief technology officer of Sourcefire and creator of the open source intrusion detection and prevention system Snort, suggests that instead of relying solely on purchased products to solve cybersecurity problems, agency IT leaders should use open source technologies to complement their commercial solutions.
In a recent interview, FTI sat down with Roesch to see what counsel he could offer federal agency IT teams as they grapple with shrinking budgets and increasing demands. Throughout the conversation his key message to federal agency CIOs was clear: an open source platform aimed at fighting security threats brings many advantages. These range from a modular, building-block architecture that lets systems expand as an agency grows, to a rapid-response environment for combating the array of 'immediate' cybersecurity threats that agencies face day in and day out.
Reflecting on his own experience with the Snort open source community, which has a well-earned reputation for extraordinary organization and responsiveness, Roesch commented that "ultimately, an open source code platform equates to faster improvements and an accelerated pace of rule development, which are both necessary for addressing new and evolving threats." This is good news in an era of tight budgets: because the community can update code and rules as threats emerge, open source technologies such as Snort are far less likely to fall out of date.
Another area that Roesch zeroed in on is the inevitability of attacks. In his opinion, if you asked any agency whether its network had been compromised, the answer would be yes: "if someone targets an agency, it's almost impossible to keep them out." The only way to mitigate an attack, whether it is nation-state directed cyber espionage or crusading hacktivists, is to view the attack as part of an "attack continuum" with three distinct phases: before, during, and after the attack. In many ways, Roesch says, we need to relinquish the idea of security only before the attack and simply accept the fact that attackers are going to get in.
"If you've taken stock of your infrastructure, hardened assets and considered other options for preventing attacks, such as IPS, then you've done what you can," notes Roesch. Then, with continuous monitoring that can detect and block attacks, you are well on your way to achieving some degree of resilience. However, even after an attack occurs, that cycle of continuous monitoring and evaluation continues, not only to understand where an attacker got in, but also to figure out whether they have set up shop and patched your network for you in order to establish their base of operations inside it.
One of the other major benefits of open source security solutions such as Snort for the federal community is the ability to share detection content within their own closed community. Agencies can also write signatures themselves for attacks that are targeting them, keeping those signatures private and retaining the advantage over the attackers, an arrangement they call "federation between agencies."
Due to the sensitivities surrounding measures to secure federal networks, when malicious or potentially harmful activity is detected, network defenders need to be able to create and deploy their own custom protections as quickly as possible. They cannot take the risks that come with communicating vulnerabilities outside the federal enterprise to third-party security vendors and then waiting for new or updated protections to arrive. The Snort rule language lets federal network defenders write and customize their own rules while maintaining privacy over their security measures. This matters because today's sophisticated attackers validate that their malware works before launching an attack by testing it against widely available security tools; keeping custom rules and signatures internal to the federal enterprise minimizes the information attackers can leverage as they try to evade defenses.
In addition, using Snort, network defenders can write their own protections against uniquely targeted threats quickly and efficiently while keeping adversaries in the dark. They can also federate these rules and signatures so that network defenders across the U.S. Government share relevant security information, saving time and resources while enhancing security.
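As an added illustration, not code from the article or from the Snort project: a custom local rule of the kind the text describes, written in Snort 2.x rule syntax, together with a deliberately simplified Python matcher that applies the rule's content clauses to a few constructed HTTP payloads. The rule, its sid, the "Agency-Updater" user-agent string and the sample payloads are all invented here; the matcher honours only content and nocase and ignores flow, http_uri and classtype, so it approximates how a rule is evaluated rather than reproducing the real engine.

```python
"""Minimal Snort-style rule matcher (added example, not Snort itself).

Parses one rule in classic Snort 2.x text format and applies its content
clauses to raw payloads. Only the header, content, nocase, msg, sid and
rev are honoured; flow, http_uri, classtype etc. are parsed but ignored.
"""
import re
from dataclasses import dataclass, field

# Constructed local rule (hypothetical beacon). SIDs of 1000000 and above
# are the range Snort reserves for locally written rules, so an internal
# rule like this cannot collide with a distributed ruleset.
LOCAL_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ('
    'msg:"LOCAL Agency-Updater beacon to internal web server"; '
    'flow:to_server,established; '
    'content:"GET /upd/"; http_uri; '
    'content:"User-Agent|3a| Agency-Updater"; nocase; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    rev: int = 0
    contents: list = field(default_factory=list)


HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# key, optional :value (quoted string or run without ';'), terminating ';'
OPTION_RE = re.compile(r'\s*(?P<key>\w+)(?::(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')


def _decode_content(text: str) -> bytes:
    """Turn a content string into bytes, expanding |xx xx| hex escapes."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2 == 1:                       # odd chunks sit between pipes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: " + text[:40])
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    for opt in OPTION_RE.finditer(m["opts"]):
        key, val = opt["key"], opt["val"]
        if val is not None and val.startswith('"'):
            val = val[1:-1]
        if key == "content":
            rule.contents.append(Content(_decode_content(val)))
        elif key == "nocase" and rule.contents:
            rule.contents[-1].nocase = True  # modifies the preceding content
        elif key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "rev":
            rule.rev = int(val)
    return rule


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """True only when every content clause is present (AND semantics)."""
    for c in rule.contents:
        hay, needle = payload, c.pattern
        if c.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def scan(rule: Rule, payloads: dict) -> list:
    """Names of the payloads that trigger the rule, in input order."""
    return [name for name, data in payloads.items() if rule_matches(rule, data)]


# Constructed sample payloads, not real captures.
SAMPLES = {
    "beacon": b"GET /upd/check?id=7 HTTP/1.1\r\nHost: intranet\r\nUser-Agent: Agency-Updater\r\n\r\n",
    "beacon_mixed_case": b"GET /upd/check?id=8 HTTP/1.1\r\nHost: intranet\r\nuser-agent: agency-updater\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "wrong_path": b"GET /news/ HTTP/1.1\r\nHost: intranet\r\nUser-Agent: Agency-Updater\r\n\r\n",
}

if __name__ == "__main__":
    r = parse_rule(LOCAL_RULE)
    print(f"sid {r.sid} rev {r.rev}: {r.msg}")
    print("fires on:", scan(r, SAMPLES))  # ['beacon', 'beacon_mixed_case']
```

The two content clauses are ANDed, which is why the mixed-case beacon still fires (only the second clause carries nocase) while a request to the right path with a different user-agent, or the right user-agent on a different path, does not. A rule in the local sid range, deployed and shared only among federated agencies, is exactly the kind of protection the article says attackers cannot pre-test their malware against.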
While Roesch is pleased to see the strides that federal agencies are making in their approach to network security, he believes agencies need "to think philosophically about technology and break out of the hype cycle." He urges agency CIOs to go back to the three phases of an attack and assess whether each security technology they have invested in meets a need in each phase; if it doesn't, he pleads with them to "stop throwing technology at the problem" and think about the broader problem they actually need to solve.