Looking back on 2015, it’s been a rough year for the Office of Personnel Management (OPM). The headlines said it all – 22 million current and former federal employees, contractors, and in some cases, family members of those individuals, had personal information stolen out of an OPM database. The theft took place through July and August 2014; a second theft, this time of OPM data stored in an Interior Department data center, happened in December 2014. The exploits weren’t discovered until April 2015.
A scathing hearing was held by the House Oversight and Government Reform Committee in June, and OPM Director Katherine Archuleta resigned a month later. Earlier this month the agency announced it is bringing in Clifton Triplett, formerly the managing partner at SteelPointe Partners, an international management consulting firm, as senior cyber and IT advisor. Just last week President Obama formally nominated Beth Cobert, who has been serving as acting director, to head the agency.
In a press release announcing Triplett’s hire, OPM said he “will serve as a key advocate for advancing the state of enterprise architecture and cybersecurity, including information technology investments, capabilities, and services. Working alongside OPM’s CIO, Triplett will support the ongoing response to the recent incidents, complete development of OPM’s plan to mitigate future incidents, and recommend further improvements to best secure OPM’s IT architecture.” Triplett will report directly to Cobert.
While there is an element of “closing the barn door after the horse has been stolen,” the agency has been taking aggressive steps to strengthen its cybersecurity, including a 30-day “cyber sprint” to implement multifactor authentication, patch critical vulnerabilities, and identify high-value assets.
We reached out to OPM to see what lessons they’ve learned from the incidents. The agency is incorporating guidance from the Department of Homeland Security’s Computer Emergency Response Team (CERT), National Institute of Standards and Technology (NIST), the Office of Management and Budget, NSA, and the Federal CIO, according to an OPM IT program specialist, along with industry best practices. Collaborations with agency partners to design and implement new infrastructure are ongoing. Cybersecurity experts from OMB’s Office of e-Government and Information Technology also are working closely with OPM personnel, she said.
The IT program specialist said OPM is in “the early stages” of implementing continuous diagnostics and mitigation tools through DHS’ CDM program, with full deployment targeted for the end of March 2016. The tools will be used for a wide range of tasks, including routine compliance scans to locate security vulnerabilities, real-time monitoring dashboards to detect deviations from normal network activity, and integration of Indicators of Compromise (IOC) intelligence feeds into the agency’s security infrastructure.
The agency also is committed to expanding the use of analytics. The program specialist said planning is under way to deploy a data analytics tool that provides advanced log correlation technology, and another tool that will gather large datasets to create network activity baselines in order to spot anomalies.
John Sellers, head of federal sales for Lancope, a provider of network visibility and security intelligence, commented on the importance of agencies leveraging security analytics. “It is crucial that federal agencies rely on a concept known as ‘context-aware security.’ Context-aware security hinges on knowing what normal, everyday activity on the network looks like in order to identify suspicious or abnormal behavior,” he told us. Sellers went on to say that “today’s modern network has too much activity and too many users for a person to make sense of it manually.”
Solutions like Lancope’s StealthWatch® System can baseline activity to or from every host and machine on the network to determine what normal operation looks like. Sellers explained that any activity that falls outside that threshold is immediately red-flagged, allowing either for an automated response or for security personnel to investigate and mitigate the threat before data is stolen. Additionally, Sellers told us that StealthWatch also recognizes behaviors commonly associated with threats, such as data hoarding, reconnaissance, unauthorized access to sensitive information and data exfiltration.
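The baseline-then-flag approach described above, as an added example that is not OPM’s, Lancope’s or the article’s own code: it learns each host’s normal daily outbound volume from constructed flow summaries and flags any host whose volume on the evaluated day deviates by more than a z-score threshold, or that has no baseline at all. Host names, byte counts, the baseline window and the threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow summaries: (day, host, bytes_out). Days 1-7 are the
# learning window; day 8 is the period under evaluation.
SAMPLE_FLOWS = [
    (d, "ws-101", 48_000 + 2_000 * (d % 3)) for d in range(1, 8)
] + [
    (d, "db-07", 900_000 + 50_000 * (d % 2)) for d in range(1, 8)
] + [
    (8, "ws-101", 52_000),      # within its normal range
    (8, "db-07", 6_400_000),    # roughly 7x its usual daily volume
    (8, "ws-233", 310_000),     # host never seen during the baseline window
]

def build_baseline(flows, baseline_days):
    """Return {host: (mean, stdev)} of daily bytes_out over the baseline window."""
    per_host = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        if day in baseline_days:
            per_host[host][day] += nbytes
    baseline = {}
    for host, by_day in per_host.items():
        # Days with no traffic count as zero so quiet hosts are not inflated.
        daily = [by_day.get(d, 0) for d in baseline_days]
        baseline[host] = (mean(daily), pstdev(daily))
    return baseline

def flag_anomalies(flows, baseline, eval_day, z_threshold=3.0, min_spread=0.05):
    """Return {host: reason} for hosts whose bytes_out on eval_day is abnormal."""
    totals = defaultdict(int)
    for day, host, nbytes in flows:
        if day == eval_day:
            totals[host] += nbytes
    flagged = {}
    for host, observed in totals.items():
        if host not in baseline:
            flagged[host] = "no baseline for this host"
            continue
        mu, sigma = baseline[host]
        if mu == 0:
            if observed > 0:
                flagged[host] = "host sent no outbound traffic in the baseline window"
            continue
        # Floor the spread so a host with near-constant traffic keeps a tolerance band.
        sigma = max(sigma, mu * min_spread)
        z = (observed - mu) / sigma
        if z > z_threshold:
            flagged[host] = f"outbound volume {observed / mu:.1f}x baseline (z={z:.1f})"
    return flagged
```

A flagged host is a lead for an analyst, not a verdict; in practice the same baselining is applied per destination, per protocol and per time-of-day to reduce false positives.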
In addition to expanding the use of security analytics, OPM plans to increase security awareness training and requirements to reflect current issues and threats, and provide those affected by the breaches with identity protection services. The program specialist said the latter effort may establish a precedent that could lead to creation of new federal policy.