Attacks are Effectively Unstoppable

Cyberattacks are effectively unstoppable and people are starting to recognize that. Two things are happening; one is a technical issue and the other is a management issue—both hold promise. Fundamentally we are in detection and remediation cycle. The faster that cycle goes, the better you are. Signature-based detection tools are limited, and anomaly-based tools do not remediate in an automated way so another technical defense is emerging—authenticate transactions using two factor authentication.

The second is implementing the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). What we are talking about is agencies being able to accept risk and the whole Federal Information Security Management Act (FISMA) implementation project effectively. Continuous diagnostics and mitigation cracked the idea that information security was just about checklists, but the problem of implementing the RMF is that you uncover flaws in your operational processes. All organizations, even large companies, have a hard time putting discipline into their organizational processes because people are not used to discipline.

Security Issues
Attackers are smart. They study the defenses of an organization so no combination of signature-based, detection-based mechanism and human response can keep them at bay unless it is a security organization. This is a problem for the civilian agencies and commercial organizations since they are not designed to be a security organization. Part of the answer will have to be in the cloud. If the intelligence community establishes a workable cloud model at the high level, it will be propagated to other organizations. Cloud providers can leverage very expensive monitoring, SOC audits and training that agencies cannot afford.

If you assume that code is not securable, then you have to do authenticated transaction underneath the operating system to secure transactions. National Strategy for Trusted Identities in Cyberspace (NSTIC) and FIDO are initiatives by the US government and industry to secure transactions through stronger identity management. The old argument that this would cause a performance hit is irrelevant when modern performance capability grow at Moore’s law speed. In our economy, the way we deal with inferior products is through the plaintiffs’ bar, except for software where there is an exemption. If this is our economic model but we exempt software, how do you expect a change to occur?

Views on US Legislation
Legislatively, the update to FISMA was a useful step forward because it codified the risk management framework in the US federal government. It establishes risk management and risk assessment as a primary function, not merely a response to IG audits. The strategic advantage is that agencies have to do risk management. The other big thing is the whole sharing problem which is the old paradox where those who know will not say and those who say do not know and everyone has a reason to not say what they know. There is a fundamental issue about how businesses avoid liability problems. I do not think the legal model is in place yet to allow business to truly share information with each other to control proprietary knowledge. If you have a product, would you like to admit a vulnerability to a competitor? This is a real issue, but no one has figured out how to manage this yet. Perhaps the US executive order setting up the Information Sharing and Analysis Organizations will meet this need. The US Department of Homeland Security (DHS) Information Sharing and Analysis Organizations (ISAO) model is an attempt to crowd source the security issue. ISAOs will have a common operating environment and culture so they can constitute themselves as information sharing organizations.

Staffing
There are two types of staff. First, there is staff that manages the SOCs. These are the people who are able to read net flow data, understand coding languages and how to detect and remediate an attack, which is a specialized capability. For most organizations, you do not want that capability on your staff due to cost. These people are too highly qualified and specialized; they need to be leveraged across many organizations like the cloud model. Your staff has to be very well educated, but also need to be generalists with business acumen to be able to translate technical information and communicate it to your business owner. Your staff needs to be made up of four parts: incident response, training, certification and authorization, and a security architect. I think if properly filled by people with broad-based experience and credentials with the ability to reach down into the technical staff, then you have a staff that will create a better defense against cyberattacks .

Leo Scanlon
Division Director, IT Security
Office of the Chief Information Officer
US Department of Health and Human Services

[ISACA Blog]