Two years ago, the Department of Homeland Security (DHS) rolled out a $6 billion program designed to establish continuous diagnostics and mitigation (CDM) for more than 100 civilian agencies. It’s a major cybersecurity effort that began with asset management and will grow to include the management of accounts, events and the security life cycle by 2017.
At the start of the program, DHS set up a process for agencies to assess their security profiles before diving into CDM. The idea was for each agency to evaluate its own security posture before moving forward with filling in any capability gaps. Unfortunately, only 21 percent of federal IT respondents to a 2014 SANS Institute survey said they had taken this crucial step before embarking on the initial phase of the CDM program. For this reason and several others, some reprioritization is needed if this program is to deliver the most value in the shortest amount of time for civilian agencies.
Battling stolen credentials with better access information
Usually, the first step would be to build a solid foundation of information about the assets the agencies have (see the Manage Assets section of the image above). This means understanding and knowing your assets, configurations and boundary methods (encryption, physical, filters, etc.). However, system and application vulnerability patching, usually considered one of the first steps in an effective cybersecurity overhaul, might not be where agencies should start. Constant patching doesn’t stop attackers who have obtained valid credentials and are impersonating agency employees; they use legitimate access for nefarious purposes. Also, the gap between when a vulnerability is discovered and when a patch is available varies widely from vendor to vendor, so there is always a window of time during which a zero-day vulnerability exists. In every organization – including federal civilian-led agencies – one of the most persistent, dangerous threats comes in the form of stolen credentials. We’ve seen this prove true in recent data breaches at the White House, the United States Postal Service, the U.S. Department of Veterans Affairs and other agencies. Even the best initial-compromise detection tools, change management tools and processes won’t stop an attacker in possession of valid credentials.
Compromised account and user impersonation detection needs to be addressed before civilian agencies begin implementing the latter phases of CDM. It’s particularly imperative for any agency in charge of protecting sensitive civilian data or managing critical infrastructures, such as the Social Security Administration, the Department of Energy, the Veterans Administration and many more.
Better security inside government agencies hinges on the ability to perform user behavior intelligence. Civilian agencies need to get a complete picture of user behavior with the capability to alert on subtle, anomalous credential behaviors and access characteristics. Such a security practice makes it much easier to spot intruders that get past traditional security defenses, and speeds up attack detection and response times. The flexibility to adopt this practice in an a la carte fashion would help agencies realize faster return on investment for the CDM program and help create better outcomes from agency efforts.
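To make the kind of user behavior intelligence described above concrete, here is an added example (not code from the original article, and not any agency's or vendor's tool) that builds a per-account baseline from a constructed set of successful logon records and then flags later events that deviate from it: a host the account has never reached, a source network it has never come from, activity far outside its usual hours, and a burst of logons to several distinct hosts within a short window. The account names, hostnames, addresses and internal network ranges are all constructed; the thresholds are assumptions chosen for illustration.

```python
"""Per-account behavior baseline and anomaly scoring over constructed logon records."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed internal address ranges; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.20.4.0/24"), ip_network("10.30.9.0/24"),
                 ip_network("172.16.88.0/24")]

# Constructed baseline: timestamp,user,source_ip,dest_host,outcome
BASELINE_LOG = """\
2015-03-02T08:55:12,jdoe,10.20.4.17,hr-app-01,success
2015-03-02T09:10:44,jdoe,10.20.4.17,file-srv-02,success
2015-03-03T08:47:03,jdoe,10.20.4.21,hr-app-01,success
2015-03-04T17:32:10,jdoe,10.20.4.17,hr-app-01,success
2015-03-02T07:58:30,asmith,10.30.9.5,dev-build-01,success
2015-03-03T08:02:11,asmith,10.30.9.5,dev-build-01,success
2015-03-04T18:45:59,asmith,10.30.9.8,git-srv-01,success
"""

# Constructed later events to score against the baseline
NEW_EVENTS = """\
2015-03-09T09:02:15,jdoe,10.20.4.17,hr-app-01,success
2015-03-09T02:41:07,jdoe,172.16.88.4,dc-01,success
2015-03-09T02:41:30,jdoe,172.16.88.4,file-srv-02,success
2015-03-09T02:42:05,jdoe,172.16.88.4,fin-db-01,success
2015-03-09T08:30:00,asmith,10.30.9.5,dev-build-01,success
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    host: str
    outcome: str


@dataclass
class Profile:
    hosts: set = field(default_factory=set)  # hosts the account normally reaches
    nets: set = field(default_factory=set)   # source networks it normally uses
    hours: set = field(default_factory=set)  # hours of day it is normally active


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, src, host, outcome = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, src, host, outcome))
    return events


def network_of(src):
    addr = ip_address(src)
    for net in INTERNAL_NETS:
        if addr in net:
            return str(net)
    return "external"


def build_profiles(events):
    """Learn hosts, source networks and active hours per account from successful logons."""
    profiles = defaultdict(Profile)
    for ev in events:
        if ev.outcome != "success":
            continue
        p = profiles[ev.user]
        p.hosts.add(ev.host)
        p.nets.add(network_of(ev.src))
        p.hours.add(ev.ts.hour)
    return profiles


def score_event(ev, profile):
    reasons = []
    if ev.host not in profile.hosts:
        reasons.append("new-host")
    if network_of(ev.src) not in profile.nets:
        reasons.append("new-source-network")
    # Off-hours: more than one hour away from every hour seen in the baseline (assumed threshold).
    if all(abs(ev.ts.hour - h) > 1 for h in profile.hours):
        reasons.append("off-hours")
    return reasons


def find_host_bursts(events, min_hosts=3, window=timedelta(minutes=2)):
    """Return events belonging to a run where one account reached min_hosts distinct hosts within window."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
    flagged = set()
    for evs in by_user.values():
        for i, start in enumerate(evs):
            run = [e for e in evs[i:] if e.ts - start.ts <= window]
            if len({e.host for e in run}) >= min_hosts:
                flagged.update(run)
    return flagged


def detect(baseline_text, new_text):
    """Score each new event; return (timestamp, user, host, reasons) for every flagged one."""
    profiles = build_profiles(parse_log(baseline_text))
    events = parse_log(new_text)
    bursts = find_host_bursts(events)
    alerts = []
    for ev in events:
        profile = profiles.get(ev.user)
        reasons = score_event(ev, profile) if profile else ["unknown-account"]
        if ev in bursts:
            reasons.append("host-burst")
        if reasons:
            alerts.append((ev.ts.isoformat(), ev.user, ev.host, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_EVENTS):
        print(alert)
```

Running it flags only the three early-morning logons from an unfamiliar network, while the routine daytime logons for both accounts score clean. The point is that none of the flagged events fails authentication: the credentials are valid, and only the comparison against what the account normally does exposes them.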
Fixing security problems starts with getting user behavior intelligence, especially when it comes to compromised credentials, as seen in this video.