Federal agencies face a smorgasbord of cybersecurity solutions, all of which promise to solve some, if not all, of their problems.
Speaking at the recent Fortinet Federal Partner Forum, Phil Quade, Chief Information Security Officer for Fortinet, said there are numerous criteria agencies employ to make decisions about their cybersecurity purchases.
These include the obvious, such as the degree to which a product meets a specific need, cost – that it’s cheaper to buy and/or to operate – and effectiveness.
They also include some that are less obvious, or more specific to security, such as the least negative impact on operations, that is, less drag on system speed and agility, and fewer mistakes made when security professionals are using the product, which can be seen as a measure of its relative ease of use.
More broadly, however, Quade suggested there are four overarching strategies that agencies also should consider applying to their purchase decisions.
Future-proof security products
“Agencies need to get out of the cycle of buy, inexorably degrade, replace,” Quade said. Many organizations “have accumulated too many point solutions.”
He suggested thinking of the entire collection of security products as a security fabric, which allows the integration of point solutions, from a range of vendors, without increasing complexity. The goal is to make security akin to a single organism operating in an OODA loop, “from sensing, to sense-making, to decision-making, to relevant action. [In security,] that’s sensors, analytics, automatable courses of action, and mitigation. That future-proofs it.”
Employ modern defense for borderless networks
“As network boundaries disappear, segmentation has become the fundamental strategy,” Quade said. “Yesterday’s strategy was a static, external boundary; now it’s micro- and macro-segmentation of boundaries.”
He suggested that in addition to segmentation, agencies should consider the agility of those boundaries – how quickly they can be rearranged to create new segments.
“With agile segmentation, agencies can decide to collaborate while only sharing the information they want to share, and then tomorrow change the boundaries and share with someone else,” Quade said. “Then security becomes a business enabler.”
Avoid – yet prepare for – the inevitable
“We harden our networks as much as possible, then it’s ‘clean up in aisle 9’ when the boom happens,” Quade said.
Using automated hardening and automated defense addresses avoidance in as agile a way as possible, he suggested.
But applying automation to network regeneration and resiliency is an advanced strategy that agencies can use to look past the “boom.”
“Agencies should create a resiliency analytic,” Quade said. “That allows them to make real-time changes to stay as far left of the boom as possible.”
In transformation, complexity is the foe of security
This is the weakness of security point solutions – as more points are added, it becomes more and more difficult to monitor all of them, to know which alerts are false positives and which are real threats, and whether disparate alerts from different parts of the network are actually related in some way.
“We can’t keep throwing point solutions at people and think they’re going to get more secure,” Quade said. “Use automation to reduce complexity – give the CISO or the network operator visibility into weaknesses.”
Taken together, federal agencies can use these four considerations to shape their evaluation of cybersecurity solutions using more than just the usual criteria, such as cost and ease of use, Quade said. And, in having a broader perspective on how solutions can be put to work for greatest effect, agencies will build a more robust and resilient cyber strategy.