Fed Approaches to Cyber Security

This paper examines changes in the cyber threat/response landscape over the last year and recommends adjustments to current approaches based on shifting mission needs.

The Risk Equation

A common means of approaching cyber security decisions is to consider cyber risk as having three components which can be expressed in algebra:

Cyber-risk = Vulnerability x Consequence x Threat

This equation provides a good reminder of the multiple dimensions CIOs and enterprise mission managers must continuously monitor and assess. Consider the impact of risk if any of those factors approach zero. If there is no vulnerability there is no risk even if there is high consequence and high threat. If there is high vulnerability but no consequence then risk is low there too. And if only the threat would go away!

The bad news is that the value of none of those variables is low, and all require continuous mitigation.

  • Vulnerabilities: Computer science and real-world history shows we will never drive vulnerabilities to zero, especially in the widely-fielded Windows-based systems that are found in all IT enterprises. Defense in depth can mitigate vulnerabilities, but these defenses cannot remain static.
  • Consequences of attack: IT now enables almost every aspect of modern business, government, and infrastructure support missions. Assessments of consequence of cyber attack will vary among mission component, as will mitigation strategies.
  • The Threat: With so much to gain from crime and so many ways to avoid detection and capture, criminals, often organized, have been growing in capability. Nation-state espionage is also growing with brazen attacks underway in seemingly unstoppable continuous extractions. Mitigation steps are possible, but generally require full-spectrum responses that include own force forensics/security and coordination with private security investigators, legal teams, law enforcement professionals and frequently the government.

The state of vulnerabilities, consequences and threat today lead to a key need for federal agencies: enhanced cyber solutions

The “As Is” State of Cyber Operational Defense

Savvy enterprises employ multiple methods to mitigate vulnerabilities, consequences of attack and threat vectors. This approach is frequently referred to as defense-in-depth and it remains a fundamental of security relevant to all enterprises today. Common capabilities in traditional enterprise defense include:

  • Access Control
  • Anti-Spam and Anti-Virus
  • Application Security
  • Attack Visualization
  • Auditing
  • Authentication
  • Business Continuity Planning
  • Compliance
  • Database Security
  • Denial of Service
  • Disaster Recovery
  • Encryption
  • Firewalls
  • Forensics
  • Incident Management
  • Managed Security
  • Intrusion Detection Systems
  • Intrusion Prevention Systems
  • Password Management
  • Patch Management
  • Public Key Infrastructure
  • Risk Assessments
  • Penetration Testing
  • Security Policies
  • Virtual Private Networks

Those enterprises whose cyber-risk assessment warrant it have sought increasing means to defend by enhancing:

  • Advanced mission assurance
  • Behavior-based anomaly detection
  • Global Threat Awareness
  • Knowledge of authorized and unauthorized equipment in the enterprise
  • Predictive solutions providing early or advance warning of threats.
  • Situational Understanding

Changes to the Cyber-Risk Assessment

Over the last 12 months the federal government has continued to coordinate enhanced action to mitigate global threats. However, those actions have only served to highlight the significant weaknesses in our IT fabric. Over the last 12 months threats have grown and theft of intellectual property has continued at rates that are hard to quantify. In the midst of that, organizations big and small, both private and public, continue to increase their reliance on IT.

A combination of vulnerability and threat dynamics in the last year have resulted in the following observations:

  • Threats are not being stopped by firewalls. Firewalls are set to open gateways for trusted applications, gateways which are exploited for attack purposes.
  • Organizations must make use of new applications to enable missions, and many of those bring these new attack vectors. Of particular note are new Web2.0 capabilities and social media applications.
  • Threats are not being stopped by anti-virus or anti-malware solutions. Those solutions are inherently reactive. They only act after an infection is detected and analyzed. Sophisticated threats disable or bypass those defenses.
  • Anti-virus and anti-malware signature files cannot keep up with the threat. Signature files must look for nearly 7 million different variants of malicious code in every sweep of a system.
  • Web gateways can only block what they are told to block. All are overly reliant on manual administration.
  • Deep Packet Inspection (DPI) holds great promise to help, but DPI solutions require management, configuration and maintenance (like every other security tool).
  • Criminal bot-nets have grown in size with millions of computers running malicious code under command of criminals who can use those networks for fraud, espionage and denial of service attacks.
  • Fraud from supply chain, customers, mission partners and others is increasingly hard to detect– till it is too late.
  • Malfeasance from within is growing in cost and impact.

Perhaps of even greater significance to the above is the malicious brain-power of adversaries in cyberspace. Criminals and organizations with malicious intent have made the determination that their own risk-reward equation warrants acceleration of attacks, a fact that their behavior exhibits.

The Needs and Gaps because of these changes

Enterprise mission owners in and out of government continue to struggle to mitigate risks by reducing vulnerabilities, mitigating threats and reducing consequences of attack. Yet, the changes in all those areas are becoming increasingly hard to keep up with. New, continuous mission aware solutions are required. Elements of mission aware solutions include:

  • Continuous Awareness:
    • Ensuring mission success in this environment requires an ability to dynamically know/assess the risk and rapidly mitigate threats, vulnerabilities and consequences.
    • Situational awareness takes on new meaning in this face-paced cyber environment. Decision-makers cannot prevail in this environment without continuous knowledge of mission impact of risks, and continuous knowledge of the potential impact of remediation to risk.
    • Persistent security awareness
  • Highly automated capabilities that augment traditional staffing making analysts more effective (may include dashboards and other means of quickly reading and assessing key metrics as well as anomalies).
  • Systems which can provide attribution indicators and signal adversary intent
  • Systems that leverage deep packet inspection capabilities at market today
  • Systems that access non-traditional sources of potential intelligence (blogs, social media platforms, etc.) and trend topics and provide early warning of memes that are likely to “go viral”
  • Systems that can accurately gist non-traditional sources from native languages into English
  • Advanced comprehensive and easy to use collaborative capabilities, especially those that integrate into commonly used productivity software
  • Knowledge discovery vice knowledge search in IT datasets
  • Cross domain multi-level intelligence and information sharing, both interactively between analysts and operators, as well as automatically for content classified at a level below a given system’s classification level
  • Automation of enterprises to visualize and report by the Consensus Audit Guidelines
  • Deeper integration into existing legacy systems of the enterprise (the age of the “forklift upgrade” are over).

Concluding Thoughts:
There is a great deal of continuity from the cyber missions of old to the cyber missions of today and tomorrow. But there is also change. Measurements of Cyber-risk (Cyber-risk = Vulnerability x Consequence x Threat) must be made in much more dynamic ways, with increased emphasis on both the consequence of attack and consequence of defensive actions.