For the government, cybersecurity is non-negotiable. But it’s also typically been reactive, due to the barrage of attacks and the pace of change—not just technology changes, but a dynamic business environment. To understand how security can stay ahead of threats from inside and outside the enterprise, and your greatest vulnerability, we spoke with Steve LeFrancois, CTO of Verizon’s Public Sector Group.
Government Technology Insider (GTI): Government leads in cyber because of the depth of the investment. But it depends on a security compliance model that looks like it’s past its prime. What is taking its place?
Steve LeFrancois, Verizon (SL): What you’re seeing in industry, and very similar to what’s happening in the overall technology space, is rapid adoption of new technologies and new techniques, both for adversaries and for things that are occurring within the enterprise. A typical CIO is having to react to dynamic business changes, which is really difficult to keep up with from an overall compliance perspective. And typically, compliance models have been fairly static; they get put in place and that’s a checkmark that’s looked at on an annual basis.
But with that pace of change, and the addition of new capabilities across the enterprise, you have to operate at that business tempo instead of just on an annual basis, or a semi-regular basis. And so there’s been a lot of discussion around continuous monitoring. And what that is, it’s really about not just continuous monitoring, but also extreme awareness of what’s occurring across your enterprise space. So, that may be visibility into your applications: who’s talking to whom, and are they supposed to be talking to those individuals?
Supply chain has always been a concern within government. But again, that’s been amped up even more as we move into more of a software-defined world. How do you ensure that the software you have running in your enterprise, how many people have touched it? And what are the risks associated with deploying that software across your enterprise space?
And so really, it’s more about looking at the risk models. Where’s your data in your enterprise? Who has access to it, both in real time, as well as an historical perspective? And then how do you go about protecting it in a safe manner?
GTI: We know that insider threats are the leading source of risk, according to industry surveys, including Verizon’s own. How can technology help mitigate this?
SL: When we start looking at things like insider threat and spear phishing attacks, it’s really about how do you gain awareness of the human behavior, the human factor in the enterprise? The single biggest vulnerability is the individual at the keyboard within the enterprise space, and whether you trust them or not. Human nature sometimes kicks in and they will make mistakes, clicking on things they shouldn’t be clicking on.
From a security professional perspective, we really have to look at what is occurring, who’s doing what, who is accessing what, and are they supposed to be? And so this goes back to the age-old enterprise and CISO challenge of knowing what you have, being aware of who is supposed to access any of the information across your enterprise space, and whether they are operating within those boundaries. And then what do you do and how do you react when those boundaries are being broken into?
From an insider threat perspective—while that’s extremely important, and having a lot of the processes in place, and having the right kind of education programs in place is important—it’s also important to make sure you’re putting the technology controls in place, having really good identity and access management in the enterprise.
A lot of folks have seen this in the past, where it’s a checkmark of, “Yes, I have identity access.” But is it truly driving down to the behavior of, “Is this person supposed to be accessing this application or this particular service?” Which is why we’re seeing a lot more renewed interest around Zero Trust Architecture. So now the application owners and the data owners can start controlling who has access to that level of information. And more importantly, for the folks who are trying to get in and do the wrong thing, how can they make sure that they’re not getting into data that they shouldn’t get to?
GTI: It seems like security is often broken into the prevention part, which is don’t let something in. And then the reaction part, which is “Whoops, something got in, either through an insider or through a backdoor or some other way.” Should we be looking at security more as a continuum?
SL: Absolutely. And when we start talking about awareness—I keep referring back to awareness as a critical aspect of security and knowing where the sensitive pieces of your network are—as you start looking at the awareness, you’re automatically doing continuous evaluation of the threat across the enterprise space. And as you do that, you start to see things and patterns of traffic, and really start analyzing the behavior of the enterprise ecosystem to make sure that you’re seeing everything good and bad, and not just waiting to pull a log off of an individual device.
As we start looking at things like that continuum of security—getting that application layer visibility, having the network visibility, having a good reaction plan when you start seeing things that don’t belong—all of those come down to preparing just as you would for a disaster recovery drill. You’re also practicing what you’re doing from a SecDevOps perspective, as well.