Part 3 follow-on to June 9 post: Misguided IT security practices that organizations need to address as a result of the root causes as described in my testimony for the Senate Appropriations Subcommittee on Financial Services and General Government on the recent Office of Personnel Management (OPM) data breaches.
Given the complexity of IT environments for large organizations, one must assume that it is virtually impossible to protect all elements of your IT environment. Further, with the interconnectedness of systems and the rise of cloud computing, there really is no boundary to an organization’s IT environment. And finally, even with good protections in place, most breaches are caused by user error, and while we can constantly work to educate the workforce, mistakes (and hence breaches) will continue.
Based on these realities and what is evolving in the cyber security industry, there are three significant areas in which organizations need to be aiming in terms of improving IT security practices:
SECURITY DETECTION TOOLS. There is without a doubt a continuing need to pursue cyber security tools to prevent intrusions, but perhaps even more importantly, to detect them quickly when intrusions do occur. A number of products identify and protect against known “signatures” or characteristics of malicious activities, thereby preventing those intrusions. However, more advanced protective capabilities are required to prevent intrusions that the government is not yet aware of, thereby further reducing the government’s attack surface. With enhanced automated protection, network defenders can then focus on detecting and remediating only the most sophisticated and potentially dangerous attacks – rather than trying to decide which of the seemingly endless alerts to pursue today. The cyber security product industry has made great strides in these areas in the last few years, and the industry is working toward a model in which the most advanced prevention and detection tools leverage threat intelligence contributed by users all over the world.
IDENTITY MANAGEMENT. Even with the most advanced prevention tools, organizations need to assume that sophisticated adversaries will still gain access. So alternative approaches are needed, and in particular, ones that rely on creating more trust in online interactions. The root of all trust is verified identity. I must know that the other party is who I believe it to be, and in the online world, multi-factor authentication methods are key to doing that. There is a plethora of newly available technologies to enable multi-factor authentication for both internal and external users. Even though the root of trust is identity, there is more to the trust equation. In the “physical” world, I trust another because I have high confidence they will act in a manner that I expect. Some of the most damaging data breaches have come from individuals who were properly authenticated and authorized to use systems and access data. Their behavior, however, was not in keeping with what was expected. This is commonly called the insider-threat problem. There are new technologies and capabilities today that can bring in other context, such as audit logs or behavioral analysis systems, to assess someone’s trustworthiness on a regular basis. These additional factors, beyond those used to assess authenticity, are key to fully establishing and monitoring trust.
PROTECTING SENSITIVE DATA. Finally, organizations need to target additional protection for an agency’s most sensitive information, whether it’s data sets or documents. Tools and products exist that enable organizations to protect information independent of the likely insecure environment in which it resides. Organizations need to focus on their most valuable information. There are limitations given some of the antiquated systems in which such information may reside, but by focusing efforts on the most sensitive information, an organization can ensure, within a relatively short time, that only trusted parties have access to it. This would go a long way toward thwarting additional major and damaging data breaches.
A holistic view to protect your organization. There is no single cyber security product or service that offers complete protection. The best solution involves an organizational alignment between people, process, and technology.