When it comes to ensuring the security and integrity of IT assets, cybersecurity professionals are concerned with all threats to their agency, but it might surprise you to learn that they are most concerned about insider threats.
There are ways of thinking about protecting against insider threats and best practices in cybersecurity that can help contain the danger, said two cyber professionals at the 930gov Conference.
“Visibility is critical,” said Paul Parker, chief technologist, federal and national government, SolarWinds. He warned that the challenge is getting the right tools to work together. “We don’t have an absence of technology, what we have is the absence of integration,” Parker said.
The challenge is not a lack of information about insider actions; it is identifying the relevant information, using analytics to spot anomalies and, beyond that, determining how much of a threat each anomaly represents.
Tim Jones, Director, System Engineering, Public Sector, ForeScout, agreed. “You have to know the assets, the types of devices, and who’s logging in on them,” he said. “How are [insiders] moving around in my environment?”
This means constantly surveying systems for new devices and thinking about new kinds of devices that historically haven’t been viewed as part of the infrastructure, such as video cameras, video conferencing centers, and IoT-enabled devices.
Among the key steps is making sure systems are configured properly – which includes making sure they conform to agency policies. “If my reality doesn’t match what I say I’m doing, I’m out [of compliance],” Jones pointed out. “The reality is that you have to [keep] retouching systems” to make sure that nothing has changed.
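The checks the two speakers describe, knowing which devices and users are present and confirming that real configuration matches declared policy, can be automated as a reconciliation pass. The following is an added example, not code from the conference or either vendor; the inventory, baseline keys and observed records are constructed sample data, and the field names are assumptions.

```python
# Added example (not from the article): reconcile an asset inventory and a
# configuration baseline against what is actually observed on the network.
from dataclasses import dataclass

# Constructed sample data: what the agency says it has and how hosts should be set.
INVENTORY = {
    "ws-0141": {"type": "workstation", "owner": "alice"},
    "cam-lobby-02": {"type": "ip-camera", "owner": "facilities"},
    "vc-room-7": {"type": "video-conf", "owner": "facilities"},
}
BASELINE = {"ssh_password_auth": "no", "auto_update": "yes", "log_forwarding": "yes"}

# Constructed observations, as a scanner or NAC export might report them.
OBSERVED = [
    {"host": "ws-0141", "user": "alice",
     "config": {"ssh_password_auth": "no", "auto_update": "yes", "log_forwarding": "yes"}},
    {"host": "cam-lobby-02", "user": "admin",
     "config": {"ssh_password_auth": "yes", "auto_update": "no", "log_forwarding": "no"}},
    {"host": "printer-9", "user": None, "config": {}},  # never inventoried
]

@dataclass
class Finding:
    host: str
    kind: str    # unknown_device, unexpected_user, config_drift, missing_device
    detail: str

def reconcile(inventory, baseline, observed):
    """Return findings where observed reality diverges from inventory or baseline."""
    findings, seen = [], set()
    for obs in observed:
        host = obs["host"]
        seen.add(host)
        entry = inventory.get(host)
        if entry is None:
            findings.append(Finding(host, "unknown_device", "not in inventory"))
            continue  # no owner or baseline expectations to compare against
        if obs["user"] and obs["user"] != entry["owner"]:
            findings.append(Finding(host, "unexpected_user",
                                    f"{obs['user']} logged in, owner is {entry['owner']}"))
        for key, expected in baseline.items():
            actual = obs["config"].get(key)
            if actual != expected:
                findings.append(Finding(host, "config_drift",
                                        f"{key}={actual!r}, baseline {expected!r}"))
    for host in inventory:
        if host not in seen:  # declared but not seen: stale inventory or offline asset
            findings.append(Finding(host, "missing_device", "inventoried but not observed"))
    return findings
```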
Having a strong patch management strategy does not simply mean scheduling the rollout of patches, Parker and Jones suggested. It’s what happens before deployment, especially downloading the patch and testing it to make sure it won’t blow up the system environment.
Key policy questions must also be addressed, such as what an agency’s policy will be for virtual private networks, or whether to allow personal devices or only agency-issued devices. “What do you want to allow, and what are your networks set up to support?” Parker asked. For instance, “NSA will never allow personal devices … What are they (your users) doing, and what do they need to be doing?”
Another step is to stop managing to the lowest possible standard. “Stop securing to the checkbox,” Parker continued. “If you’re only logging from specific systems, if you’re only logging certain types of events … you’re not getting a holistic look at the environment and your analytics will be screwed up from the start.”
At the same time, Parker and Jones suggested cybersecurity professionals worry too much about the latest standards, such as those promulgated by the National Institute of Standards and Technology (NIST), when they haven’t even finished mastering previous standards. “Why are you worried about the latest one when you haven’t implemented the last one?” Parker said. “Ask us [vendors] to give you what we’ve already got on [the Risk Management Framework], for instance, instead of reinventing the wheel.”
Finally, the two advised cybersecurity professionals not to just take a vendor’s word about what their products do, how they integrate, and their security posture. Instead, look closely at the vendor’s supply chain management strategy; see how well they are managing their own risks.
“One of you in this room is an insider,” Jones said. “I may not know you’re the insider today, but I need the tools to identify you.”