I’ve been traveling a lot this spring and talking to provincial and state government leaders both in the United States and abroad about the priorities they have for network security in the next year. We’ve all heard about a number of recent high-profile public sector security breaches. The U.S. National Association of State Chief Information Officers (NASCIO) announced in January that cybersecurity is their #1 priority for the second year in a row. There’s a growing consensus that governments of all sizes are being targeted. State and municipal governments are increasingly concerned about their lack of visibility into zero-day attacks. As they move more services online, governments are investing in cybersecurity efforts to protect citizen information and provide continuous access to services.
While different agencies have many different projects underway, there are several trends that keep coming up in conversation. Here are the top six security priorities I hear from provincial and state governments: three that are generating lots of press, and three more that are flying under the radar.
1. Securing the cloud.
With both the UK and US federal governments adopting a cloud-first strategy, other governments are exploring how they can use the cloud to be more responsive to citizens while reducing overhead. Offloading backups and storage, websites, and other citizen-facing applications seems to be a common starting point. Many cities are exploring hybrid cloud architectures. However, these convenient services bring with them a host of security questions, which are by far the largest concern for state and local governments moving to cloud solutions. And although the cloud provider shoulders the responsibility for securing the data at rest, data in transit is often at risk. Encryption is one answer, but there’s concern that encryption could be used to hide data exfiltration or targeted attacks from security sniffers. A good plan for SSL decryption is necessary.
2. Securing SaaS applications.
SaaS is getting a lot of buzz, and government security and IT teams are nervous about the security of these environments. They have no visibility into sanctioned applications, such as Office 365, or unsanctioned SaaS applications, such as Dropbox, that are now commonly used by their employees. Malicious insiders or careless employees can easily use unsanctioned SaaS applications to exfiltrate sensitive data or introduce threats. Often we find malware located within the SaaS environment.
SaaS is a major focus, but it’s also important to note that data center applications are not going away. State and local governments invest in special-purpose legacy applications, and those applications, along with HR and accounting software, still need protection from zero-day threats and other cybersecurity risks. Many commercial organizations are using virtual segmentation to protect data in their data centers, but governments seem behind in this effort.
3. Harnessing security analytics to prevent successful breaches.
It seems every day more security functions are added to networks, which generates more and more data. What to do with the volumes of data and how best to act on it is a key area of focus for 2016. Many provincial and state governments have network security groups with multi-jurisdictional authority; these groups are looking at how to harness analytics to aggregate security event management, intrusion prevention, and threat intelligence across agencies to improve their overall posture. Smaller municipal governments are looking to outsource these functions to Managed Security Service Providers (MSSPs).
The irony is that many government security organizations feel overworked and understaffed, yet their threat intelligence solutions require precious staff resources to analyze data that does not ultimately prevent threats. The number one objective of threat intelligence—and the best use of talented people—is to prevent attacks on your network immediately, not 24-48 hours after analysis. When we analyze zero-day attacks, our sensors prevent further attacks from that malware within 5 minutes. So the technology is there – it’s important to harness it.
In addition to the three priorities above, public sector leaders are also diligently working on solving some large issues that do not get as much attention or ink:
4. Protecting against incidents caused by insiders.
While outsider attacks get all the press, it’s a poorly kept secret that most public sector security incidents stem from errors, or from deliberate or unintentional misuse of information, by employees or contractors. According to the Verizon 2015 Data Breach Investigations Report, Public Sector, actions by staff were responsible for the majority (63%) of security incidents. But the public sector is not alone: the 2015 Information Security Breaches Survey commissioned by the UK government revealed that 75% of large organizations—those with 500 employees or more—suffered staff-related security breaches in the last year.
5. Securing SCADA.
Teams are rightfully concerned about securing their SCADA infrastructure—especially as they move to more sensors and interoperability across IT and OT. Utilities, traffic controls, emergency services, rail/transportation, and more have operational networks that must be secured. These networks are often running older operating systems that cannot be patched. Virtually segmenting these networks and using anti-exploit technology on the unpatched systems is critical. Some governments are further ahead on this front than others. Relationships between IT and OT teams have improved since I first started engaging the OT side of critical infrastructure, with many teams reporting into the same organization, which improves communication and cooperation. Others have put in place formal communication plans and share a sense of responsibility for the security of the organization’s networks.
6. Fractured outsourcing.
When teams have limited resources, it makes sense to outsource to a trusted provider, with the emphasis on ‘a’. Government security teams despair over the alphabet soup of providers that own this or that piece of the network. The teams lack visibility and control, and often feel that their leaders don’t understand the grave risk this creates for their networks. Fractured outsourcing also means they cannot take advantage of today’s security technology. Modern security technology helps protect networks by sharing insights across security functions, providing vast improvements to an organization’s threat profile and swifter time to prevention.
If these or other security concerns worry you, I recommend immediate action on two fronts:
- Get visibility into which applications are being used on your network, and by which users. With better visibility comes better insight into where you may be vulnerable. Remember, attackers are going to use the path of least resistance and look for your weakest links. This is an important starting point before embracing public or hybrid clouds, SaaS applications, virtualizing your data centers, or other technology initiatives that will impact how you secure your network.
- Use the Lockheed Martin Cyber Kill Chain® or the Gartner Cyber Attack Chain to evaluate where else you may be vulnerable. These frameworks can help an organization understand their risk profile relative to each step attackers use to get into and move across networks today. With this view, you can make senior leaders aware of gaps in security and begin improving your risk posture.
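As an added illustration of the first step (application visibility by user) and of the sanctioned-versus-unsanctioned SaaS distinction raised under priority 2, here is example code that is not part of the original post or any Palo Alto Networks product: it builds an application inventory from constructed, application-aware firewall log lines and flags users sending heavy egress to unsanctioned SaaS. The log format, app names, policy sets, and threshold are all assumptions for illustration.

```python
"""Added example (not part of the original post): per-user application
visibility from application-aware firewall logs, plus a check for heavy
egress to unsanctioned SaaS. Format, app names and threshold are assumed."""
from collections import defaultdict

SANCTIONED = {"office365", "sharepoint"}       # assumed agency policy
UNSANCTIONED = {"dropbox", "personal-gmail"}   # assumed agency policy
EXFIL_THRESHOLD_BYTES = 50 * 1024 * 1024       # assumed per-user egress limit

# Constructed sample log lines: timestamp,user,app,bytes_out
SAMPLE_LOG = [
    "2016-03-01T09:00:00,alice,Office365,120000",
    "2016-03-01T09:05:00,bob,Dropbox,70000000",
    "2016-03-01T09:07:00,bob,Dropbox,1000",
    "2016-03-01T09:10:00,carol,Dropbox,5000",
    "2016-03-01T09:12:00,carol,WebmailX,2000",
]

def classify(app):
    """Map an app name to sanctioned / unsanctioned / unknown per policy."""
    app = app.lower()
    return "sanctioned" if app in SANCTIONED else "unsanctioned" if app in UNSANCTIONED else "unknown"

def app_inventory(lines):
    """Which apps are in use, by which users, with total egress bytes per app."""
    inv = {}
    for line in lines:
        _ts, user, app, bytes_out = line.strip().split(",")
        entry = inv.setdefault(app.lower(), {"class": classify(app), "users": set(), "bytes_out": 0})
        entry["users"].add(user)
        entry["bytes_out"] += int(bytes_out)
    return inv

def unsanctioned_egress(lines):
    """Per-user bytes sent to unsanctioned apps (the exfiltration path the post warns about)."""
    totals = defaultdict(int)
    for line in lines:
        _ts, user, app, bytes_out = line.strip().split(",")
        if classify(app) == "unsanctioned":
            totals[user] += int(bytes_out)
    return dict(totals)

def flagged_users(lines, threshold=EXFIL_THRESHOLD_BYTES):
    """Users whose unsanctioned egress exceeds the threshold, largest first."""
    totals = unsanctioned_egress(lines)
    return sorted((u for u, b in totals.items() if b > threshold), key=lambda u: -totals[u])
```

Unknown apps are kept in the inventory rather than dropped, because the unclassified tail is exactly where visibility gaps hide.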
Palo Alto Networks can help with both of these steps. We recommend a zero-trust approach to your networks that focuses on safely enabling key business functions, such as limiting certain SaaS applications to certain users or departments. With a solid security foundation to build upon, you can confidently embrace today’s newest technologies—such as SaaS, mobility, and even public clouds—to improve citizen services and increase operational efficiency.
Learn more about what we’re doing for governments by visiting the Palo Alto Networks Government resources page.
[Palo Alto Networks Research Center]