Reeling from the recent massive data breach at the Office of Management and Budget (OMB), Federal Chief Information Officer Tony Scott ordered agencies to take immediate and specific actions over the next month to further improve the security of their systems and data. This is a bold call to action for such a large organization, but as we’ve all learned from agile software development, the sprint methodology can make huge inroads on a problem in a small amount of time. This can be particularly true for a large organization, and the OMB certainly fits that definition.
The OMB strategy focuses on eight key principles. We wanted to break these down a bit and offer some insight on how each of them might be made more effective in the allotted timeframe, to help the government make tremendous strides in just a month. Of course, we always look at things from the endpoint, and if you read the eight principles you can see how endpoint visibility will be key to a successful sprint.
- Protecting data: Better protect data at rest and in transit.
Great start, and honestly this should be priority one, but we would also encourage OMB to include the endpoint. A lot of data protection solutions forget the endpoint, yet this is where data can be the most vulnerable, whether at rest or in transit. The team should make sure they have the ability to assess endpoint hardware and software configuration, including the presence of mandated system and data protection agents, as well as Microsoft BitLocker configuration checking. And that is just the beginning: compliance checking of mandated agents should be performed continuously, allowing audit reporting of percentage coverage for each agent.
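To make the coverage-reporting idea concrete, here is an added example (our illustration, not Ziften product code) that takes a constructed endpoint inventory, computes per-agent percentage coverage and BitLocker coverage, lists the endpoints that fail either check, and flags coverage that has dropped since a previous run. The agent names, hostnames and the `MANDATED_AGENTS` policy are assumptions for the example.

```python
"""Mandated-agent and BitLocker coverage report over a constructed endpoint inventory.

Added example, not vendor code. Agent names, hostnames and the policy set are placeholders.
"""
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical policy: every endpoint must run all of these agents.
MANDATED_AGENTS = {"edr-agent", "dlp-agent", "av-agent"}


@dataclass
class Endpoint:
    hostname: str
    agents: set = field(default_factory=set)   # agents observed running on the host
    bitlocker_on: bool = False                 # True when the OS volume is fully encrypted


# Constructed inventory, shaped like the output of a configuration-assessment query.
INVENTORY = [
    Endpoint("ws-001", {"edr-agent", "dlp-agent", "av-agent"}, True),
    Endpoint("ws-002", {"edr-agent", "av-agent"}, True),
    Endpoint("ws-003", {"edr-agent", "dlp-agent", "av-agent"}, False),
    Endpoint("ws-004", {"av-agent"}, False),
    Endpoint("lt-005", {"edr-agent", "dlp-agent", "av-agent"}, True),
]


def agent_coverage(inventory):
    """Return {agent: percent of endpoints carrying it} for each mandated agent."""
    counts = Counter()
    for ep in inventory:
        for agent in MANDATED_AGENTS & ep.agents:
            counts[agent] += 1
    total = len(inventory)
    return {a: round(100.0 * counts[a] / total, 1) for a in sorted(MANDATED_AGENTS)}


def bitlocker_coverage(inventory):
    """Percent of endpoints reporting BitLocker enabled on the OS volume."""
    enabled = sum(1 for ep in inventory if ep.bitlocker_on)
    return round(100.0 * enabled / len(inventory), 1)


def noncompliant(inventory):
    """[(hostname, missing agents, bitlocker_off)] for endpoints failing any check."""
    findings = []
    for ep in inventory:
        missing = sorted(MANDATED_AGENTS - ep.agents)
        if missing or not ep.bitlocker_on:
            findings.append((ep.hostname, missing, not ep.bitlocker_on))
    return findings


def coverage_drift(previous, current):
    """Continuous checking: agents whose coverage fell since the last run, {agent: (old, new)}."""
    return {a: (previous[a], current[a])
            for a in current if current[a] < previous.get(a, 0.0)}


if __name__ == "__main__":
    print("agent coverage:", agent_coverage(INVENTORY))
    print("bitlocker coverage:", bitlocker_coverage(INVENTORY))
    for host, missing, bl_off in noncompliant(INVENTORY):
        print(f"{host}: missing={missing} bitlocker_off={bl_off}")
```

The drift check is what turns a one-off audit into continuous compliance monitoring: run the report on a schedule, keep the previous percentages, and page on any agent whose coverage is falling rather than waiting for the next audit cycle.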
- Improving situational awareness: Improve indication and warning.
Situational awareness is akin to visibility: your ability to actually see what is happening, why, and where. Oh, and be sure it’s in real time, not ‘near real time’. During the sprint (and this goes for any organization), confirm that you can track and identify logged-in users, user presence indications, user focus activities, active processes, network contacts with process-level attribution, notable log events, system stress levels, and a myriad of other activity indicators across many thousands of endpoints hosting vast oceans of processes. THAT is situational awareness for both indication and warning.
- Increasing cybersecurity proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel.
This is perhaps one of the most challenging aspects of any security program. The fact is that great talent is hard to find and often harder to retain. But as with any skill set in demand, you can attract the best by also providing them with cool weapons that help them in this cyber battle. Rather than simply giving them a dashboard of blinking lights and alerts, why not a solution that allows them to see, literally see, what is happening throughout the environment and on the endpoint? During their 30-day sprint, the OMB should look at the tool set in place and ask a simple question of each technology: does this switch my team from the hunted to the hunter? If the answer is no, replace that tool now.
- Increase awareness: Improve overall risk awareness by all users.
Risk awareness begins with effective risk scoring, and fortunately this is something that can be done dynamically all the way to the endpoint and that helps educate every user. User education is a limitless challenge that is never complete, as indicated by the almost universal success of social engineering attacks. But when equipped with endpoint risk scoring, security teams have concrete items to present to users to show them how, and where, they are vulnerable. This real-life situational awareness (see #2) not only boosts user knowledge, it provides your team with exact information on, say, cases of compromised credentials and insider attackers and known software vulnerabilities, while continuously monitoring user, system, and application activity and network points of contact, in order to apply security analytics that highlight elevated risks deserving of security staff triage.
- Standardizing and automating processes: Decrease time needed to manage configurations and patch vulnerabilities.
We should all be demanding not only more coverage from security solutions, but also that they are immediately deployable without tedious preparation, staff training, or infrastructure standup. If the solutions you have take more than a few days to deploy and demand an extra FTE (or even half an FTE), you need to rethink those solutions, because they are most likely hard to use (see #3) and aren’t doing what you need to amplify the tools you already have in place. In addition, look for endpoint solutions that not only report hardware and software configurations and active processes and services, but also apply the National Vulnerability Database to report on vulnerabilities in software that is actually running and exposed, and then assign an overall vulnerability score to each endpoint so that hard-pressed support staff can prioritize patching.
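The distinction between "installed" and "running and exposed" is the part worth seeing in code. The following is an added example (not Ziften code) that matches a constructed NVD-style feed against each endpoint's installed software, keeps only findings for products with a live process, and rolls them up into a per-endpoint score for patch prioritization. The product names, version ranges, the placeholder `CVE-0000-000N` identifiers and the scoring rule are all assumptions made for the example; a real deployment would parse the actual NVD feed.

```python
"""Per-endpoint exposed-vulnerability scoring against an NVD-style feed.

Added example, not vendor code. Products, versions and CVE ids below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier, not a real CVE entry
    product: str
    fixed_in: tuple   # versions strictly below this tuple are affected
    cvss: float       # base score, 0.0 to 10.0


# Constructed feed standing in for parsed NVD data.
FEED = [
    Vuln("CVE-0000-0001", "acme-reader", (11, 0, 6), 9.8),
    Vuln("CVE-0000-0002", "acme-reader", (11, 0, 3), 5.3),
    Vuln("CVE-0000-0003", "widget-svc", (2, 4, 0), 7.5),
    Vuln("CVE-0000-0004", "old-browser", (48, 0, 0), 8.8),
]


def parse_version(s):
    """'11.0.3' -> (11, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def exposed_vulns(installed, running, feed=FEED):
    """installed: {product: version string}; running: set of products with a live process.
    Returns feed entries affecting software that is both installed and running."""
    hits = []
    for v in feed:
        ver = installed.get(v.product)
        if ver is None or v.product not in running:
            continue                      # absent, or installed but dormant: not exposed
        if parse_version(ver) < v.fixed_in:
            hits.append(v)
    return hits


def endpoint_score(hits):
    """Assumed roll-up: worst CVSS dominates, each extra finding adds 0.1, capped at 10.0."""
    if not hits:
        return 0.0
    worst = max(h.cvss for h in hits)
    return round(min(10.0, worst + 0.1 * (len(hits) - 1)), 1)


def patch_priority(endpoints, feed=FEED):
    """endpoints: {host: (installed, running)} -> [(host, score, [cve, ...])], worst first."""
    rows = []
    for host, (installed, running) in endpoints.items():
        hits = exposed_vulns(installed, running, feed)
        rows.append((host, endpoint_score(hits), sorted(h.cve for h in hits)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed endpoint inventory: installed software plus the products observed running.
ENDPOINTS = {
    "ws-001": ({"acme-reader": "11.0.3", "widget-svc": "2.3.1"}, {"acme-reader", "widget-svc"}),
    "ws-002": ({"acme-reader": "11.0.3", "old-browser": "47.0.1"}, {"acme-reader"}),
    "ws-003": ({"acme-reader": "11.0.6"}, {"acme-reader"}),
}


if __name__ == "__main__":
    for host, score, cves in patch_priority(ENDPOINTS):
        print(f"{host}: score {score:4.1f}  {', '.join(cves) or 'no exposed vulnerabilities'}")
```

Note that ws-002 has a vulnerable browser installed but not running, so it is not counted as exposed; it still deserves a patch, but the endpoints where the vulnerable code is actually executing rank first.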
- Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and resolve events and incidents.
Prevention is futile; that we now know. Rapid identification and response is our main objective in our new cybersecurity world. During this 30-day sprint, OMB should inventory their solutions and be sure to find technologies that not only monitor the endpoint, but track every process that runs and all of its network contacts, as well as user login attempts, to facilitate tracking of compromise proliferation and lateral network movement. Data derived from endpoint command and control (C2) accesses associated with major data breaches indicates that about half of compromised endpoints do not host identifiable malware, which heightens the relevance of login and contact activity. Proper endpoint security will monitor OMB data and retain it for long-term analysis, since many indicators of compromise become available only after the fact, or even long after the fact, while persistent attackers may silently lurk or remain dormant for extended periods. Attack code that can be detonated in a sandbox and identified within minutes is not indicative of sophisticated attackers. This ability to retain clues and connect the dots across both spatial and temporal dimensions is essential to full identification and complete, non-recidivist resolution.
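Here is an added example (our illustration, not Ziften code) of the kind of analysis that login and process-contact telemetry enables once it is retained. Starting from one host already under investigation, it walks remote logins forward in time to find which hosts were subsequently reached from suspect hosts, attributes each hop to the process on the source host that contacted the destination just beforehand, and surfaces bursts of failed logins. The event records, hostnames, user names and process names are constructed placeholders.

```python
"""Trace compromise proliferation across hosts from constructed endpoint telemetry.

Added example, not vendor code. Every event below is constructed; hosts, users and
process or method names are placeholders.
"""
from collections import Counter

# (timestamp, kind, src_host, dst_host, user, process_or_method) -- constructed sample records.
EVENTS = [
    (100, "login",        "ws-017",  "ws-017",  "jdoe",       "winlogon"),
    (130, "contact",      "ws-017",  "srv-fs1", "jdoe",       "unknown.exe"),
    (135, "login",        "ws-017",  "srv-fs1", "jdoe",       "rdp"),
    (200, "contact",      "srv-fs1", "srv-db2", "svc_backup", "unknown.exe"),
    (205, "login",        "srv-fs1", "srv-db2", "svc_backup", "smb"),
    (260, "login",        "ws-042",  "srv-db2", "asmith",     "rdp"),   # unrelated admin session
    (300, "login_failed", "srv-db2", "dc-01",   "svc_backup", "kerberos"),
    (301, "login_failed", "srv-db2", "dc-01",   "svc_backup", "kerberos"),
]


def trace_spread(seed, events):
    """Walk remote logins forward in time from a host already under suspicion.

    A host becomes suspect the moment it receives a remote login from a suspect host
    (earlier logins to it are ignored). Returns ordered hops [(src, dst, user, ts), ...].
    """
    first_seen = min(e[0] for e in events if e[2] == seed)
    suspect = {seed: first_seen}                 # host -> time it came under suspicion
    hops = []
    for ts, kind, src, dst, user, _proc in sorted(events):
        if kind != "login" or src == dst:
            continue                             # local logon, not a hop between hosts
        if src in suspect and ts >= suspect[src] and dst not in suspect:
            suspect[dst] = ts
            hops.append((src, dst, user, ts))
    return hops


def contacts_before_hop(hops, events, lookback=60):
    """Process-level attribution: processes on the source host that contacted the
    destination within `lookback` seconds before the hop's login, keyed by (src, dst)."""
    attribution = {}
    for src, dst, _user, ts in hops:
        procs = {e[5] for e in events
                 if e[1] == "contact" and e[2] == src and e[3] == dst
                 and ts - lookback <= e[0] < ts}
        attribution[(src, dst)] = sorted(procs)
    return attribution


def failed_login_bursts(events, threshold=2):
    """(src, dst, user) triples with at least `threshold` failed remote logins."""
    counts = Counter((e[2], e[3], e[4]) for e in events if e[1] == "login_failed")
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    hops = trace_spread("ws-017", EVENTS)        # "ws-017" is the host an analyst started from
    for src, dst, user, ts in hops:
        print(f"t={ts}: {src} -> {dst} as {user}")
    print("attribution:", contacts_before_hop(hops, EVENTS))
    print("failed-login bursts:", failed_login_bursts(EVENTS))
```

Two things the paragraph argues are visible in the output: the chain is reconstructed without any malware signature, purely from logins and contacts, and the admin session from ws-042 is correctly left out because that host was never reached from a suspect one. Because the failed logins against dc-01 come after every other event, the analysis only works if the earlier records were retained.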
- Strengthening systems lifecycle security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner.
A fantastic goal to have, and an enormous challenge at a large organization such as OMB (or any Fortune 2000 company, actually). This is another place where proper endpoint visibility can immediately measure and report endpoint hardware and software configurations, system stress levels, operating system SKUs and patch levels, endpoint mishaps (such as application crashes or hangs, service failures, or system crashes), and other indications of endpoints outliving their useful or secure service lives. Now you have a full inventory that you can prioritize for retirement and replacement.
- Reducing attack surfaces: Decrease the complexity and amount of things defenders need to protect.
If numbers 1 through 7 are done, and the endpoint is considered properly, this will be a huge step toward reducing the attack surface. But, in addition, endpoint security can also provide a visual of the actual attack surface. Consider the ability to quantify attack surface area based upon the number of unique binary images exposed across the entire endpoint population. For example, our ‘Ziften Pareto analysis’ of binary image prevalence statistics produces a typical “ski slope” distribution, with a long, skinny tail indicating vast numbers of very rare binary images (present on fewer than 0.1% of total endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also exacerbates vulnerability lifecycle management). Data from many customer deployments exposes egregious bloat factors of 5-10X compared to a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surface areas create a target-rich attackers’ paradise.
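To show what a prevalence analysis of this kind computes, here is an added example (our own illustration, not the Ziften analysis itself) run over a constructed population of 2,000 endpoints. Every endpoint carries a common core and one of seven departmental bundles; in the "lax" population every third endpoint also carries a one-off tool. The script ranks binary images by prevalence, counts how many fall into the sub-0.1% tail, and reports the bloat factor relative to a tightly managed population built with no one-off tools. The image names are placeholders standing in for binary hashes, and the 0.1% cutoff is the one quoted above.

```python
"""Binary-image prevalence (Pareto) analysis over a constructed endpoint population.

Added example, not vendor code. Image identifiers are placeholders for binary hashes.
"""
from collections import Counter

# Prevalence bands, highest first; the last band is the long, skinny tail.
BANDS = [(">=50%", 0.5), ("10-50%", 0.1), ("1-10%", 0.01), ("0.1-1%", 0.001), ("<0.1%", 0.0)]


def build_population(n=2000, rare_every=3):
    """Constructed inventory: host -> set of binary image ids.

    rare_every=k puts a unique one-off tool on every k-th endpoint (application sprawl);
    rare_every=0 models a tightly managed population with no one-off images.
    """
    population = {}
    for i in range(n):
        images = {f"core-{k}" for k in range(40)}          # OS and standard apps, on every host
        images |= {f"dept-{i % 7}-{k}" for k in range(5)}  # one of seven departmental bundles
        if rare_every and i % rare_every == 0:
            images.add(f"rare-{i}")                        # one-off tool present on a single host
        population[f"ep-{i:04d}"] = images
    return population


def prevalence(population):
    """[(image, fraction of endpoints carrying it)] sorted descending: the 'ski slope'."""
    counts = Counter(img for images in population.values() for img in images)
    n = len(population)
    return sorted(((img, c / n) for img, c in counts.items()), key=lambda t: t[1], reverse=True)


def rare_images(prev, cutoff=0.001):
    """Images in the tail: present on fewer than `cutoff` (0.1%) of endpoints."""
    return [img for img, p in prev if p < cutoff]


def prevalence_bands(prev):
    """How many distinct images fall into each prevalence band."""
    counts = {label: 0 for label, _ in BANDS}
    for _img, p in prev:
        for label, floor in BANDS:
            if p >= floor:
                counts[label] += 1
                break
    return counts


def bloat_factor(population, reference_population):
    """Unique images in this population divided by unique images in a disciplined reference."""
    unique = len(set().union(*population.values()))
    reference = len(set().union(*reference_population.values()))
    return round(unique / reference, 1)


def summary(population, reference_population):
    prev = prevalence(population)
    return {
        "endpoints": len(population),
        "unique_images": len(prev),
        "rare_images": len(rare_images(prev)),
        "bloat_factor": bloat_factor(population, reference_population),
    }


if __name__ == "__main__":
    lax = build_population()
    tight = build_population(rare_every=0)
    print(summary(lax, tight))
    print(prevalence_bands(prevalence(lax)))
```

With these constructed inputs the lax population exposes 742 distinct images against 75 in the disciplined one, a 9.9X bloat factor, and 667 of those images sit in the sub-0.1% tail. Those tail images are the ones a patch process never sees and an inventory never lists, which is exactly why the tail, not the core, is where attack surface accumulates.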
The OMB sprint is a great reminder to us all that great things can be accomplished rapidly, but that it takes vision, not to mention some visibility. Visibility, to the endpoint, will be a critical piece for OMB to consider as part of their 30-day sprint.