CYBERSECURITY: Rising to the Challenge

Dialogues with Subject Matter Experts

Advanced persistent threats. Zero-day attacks. Insider threats. Cybersecurity experts say that if IT leaders are not concerned about the ongoing evolution of the cyber landscape, it just means they are not paying enough attention. The problem is that these and other emerging cyber tactics are designed to evade traditional cyber defenses and escape detection until it's too late. The good news is it's not a lost cause. In this special report, two subject matter experts discuss cybersecurity technologies and strategies that can help agencies defend their systems and data against the latest cyber threats, today and into the future.
Sponsored Content

The complexity of cybersecurity demands a systematic approach

Jim Myers
Sector Vice President and General Manager, Cyber Solutions Division, Northrop Grumman Information Systems

Understanding your complete risk posture is essential. It is the difference between being proactive and in a good defensive position, versus reactive.

Q: How can an agency balance the need for better security with the need to provide a good user experience?

A: Understanding risk is critical when securing any digital environment. Today, mobile computing is where we see the most prevalent tradeoffs between user experience and security. Customers want the convenience and efficiencies that come from access to mobile apps. However, the greatest security risks are migrating to mobile, and these issues are limiting its full adoption. Developing essential security standards for application development can begin to address the inconsistency in security profiles that many mobile computing environments experience. At Northrop Grumman, we address security and user experience by taking a systematic approach and looking at mobile security in a holistic, risk-based way. Those customers who take a risk-based approach to developing enterprise cybersecurity policy and related solutions can deploy their resources and implement controls in a way that's best for them, resulting in a better user experience and lower risk.

Q: Is mobile malware winning? What can agencies do to better protect themselves?

A: At the moment, mobile malware is winning. That's because existing networks have not been architected with malware in mind, and the mobile environment is particularly vulnerable. Adversaries are using persistent and innovative approaches to get access to networks, and the only way agencies can tackle this is to secure the entire enterprise, including the device itself.
You need a strong device security architecture, encryption for both data at rest and in motion, and identity management and authentication solutions to secure mobile users. Two-factor authentication is the classic approach, but there are also biometrics and other ways you can approach identity management. The same way you determine who gets access to certain types of data in a corporate environment, you want to have a similar process in place for a mobile environment. Mobile malware is best managed with non-signature based detection technology. Putting that technology at the network gateway allows you to isolate data and applications that are potentially suspect. We recommend that agencies develop end-to-end trusted mobility solutions that go beyond the gateway approach to include on-device malware detection and identity management. At Northrop Grumman, we're developing innovative security solutions in the mobile data environment, leveraging ideas from our university consortium and developing them through our own technology investments to help advance technology quickly.
Q: Risk management is an oft-used phrase in cybersecurity today. What does it mean to you, and how well do agencies understand it and practice it?

A: In our business, we manage mission critical systems for our customers. As we see it, risk management is the ability to balance key elements of risk tolerance: the cost to implement security with the ability to effectively execute the mission. This is a delicate balance that can only be achieved by partnering with the customer to develop a deep understanding of their mission. We've been doing this for more than 30 years, and it's this approach that helps enable a meaningful enterprise risk assessment. To help customers and our security practitioners develop this understanding, we created the Fan, a layered cyber defense approach that assesses risk at each level of the IT enterprise: the perimeter, network, applications, data and client. The Fan allows us to be agnostic to platform and architecture. Each agency has different IT architectures and missions, and they think about risk differently. This approach allows us to leverage a common view of the enterprise and to identify where risk exists in each customer's architecture. Understanding your complete risk posture is essential. It is the difference between being proactive and in a good defensive position, versus reactive.

Q: The relationship between government and industry is seen as crucial to progress in cybersecurity. Where does it stand now, and does it still need to improve? How?

A: The relationship is good, and it's a critical one. This partnership is constantly improving through programs like the Defense Industrial Base cyber pilot. The cyber threat is still a new phenomenon to most, and the ability for agencies to implement even basic cybersecurity practices differs a lot. As we work collectively to get in front of the threat, building cybersecurity early in the acquisition lifecycle is imperative.
Creating core cybersecurity criteria for evaluation will be important to establish within future acquisition documents. One area that still needs improvement is securing the supply chain. Government and industry need to work together to find better ways to leverage COTS in secure environments without compromising security. The NIST cyber framework is a great step forward and very useful for communicating how to manage risk by establishing a detection baseline and aggregating and correlating the event data.

Q: What's the state of the government cybersecurity workforce? How can it be improved?

A: The demand for cybersecurity experts far exceeds the availability of this critical talent. That's why we have focused so much effort and investment into enhancing today's workforce and in developing tomorrow's talent. We created our own training program called Cyber Academy, a cyber education continuum for both internal and external customers. We also know the importance of reaching down to the middle and high school levels to get students excited about a career in STEM and cybersecurity. To that end, we're entering our fourth year as presenting sponsor of the Air Force Association's CyberPatriot program, the national youth cyber defense competition. We also partner with universities across the country to develop the cyber workforce. This includes funding the nation's first cybersecurity honors program, the Advanced Cybersecurity Experience for Students at the University of Maryland, and the Cyber Scholars program and the Cync incubator at the University of Maryland, Baltimore County. We also created the Cybersecurity Research Consortium, which includes Carnegie Mellon, Massachusetts Institute of Technology, Purdue and the University of Southern California, and opened a cyber lab at Cal Poly San Luis Obispo. We see our customers extending their training programs in cyber, and the workforce is growing. We also see the military academies offering cyber degrees.
In total, there is much to do but I see the ranks of cyber-educated professionals increasing and ready to take on this critically important mission.
Q: What role do managed security services play in overall government cybersecurity?

A: Commercial managed security services are not always suitable for a government application. We see a wide range of adversaries attacking government IT enterprises, and a managed security service may not have the robustness to address the range of threats targeted at a government agency. If such a service is used, you've potentially introduced a gap or vulnerability. That said, as IT infrastructure becomes more centralized through cloud computing, managed security services play a natural role. Some areas of the Department of Defense are migrating to shared IT infrastructure models and will likely expand their internal managed service models, including managed security services. Again, risk management is key. We encourage them to think about the risk tradeoffs, and at the same time to expand their internal managed security models with a higher level of security.

Q: The Snowden revelations have renewed concern about internal security lapses. What can agencies do to protect themselves against insider threats?

A: This is one of the most challenging problems that we see today. There are a number of steps agencies can take to protect themselves, starting with basic practices such as evaluating hiring processes and compartmentalizing critical information. But that's not all. Going beyond the basics, there are data exfiltration prevention solutions in the marketplace; however, it's not clear that these current solutions can fully address the threat. This is a problem we've studied extensively at Northrop Grumman, and we're developing some innovative capabilities for our customers to overcome this challenge. For instance, we're advancing automated solutions that can not only identify malware and provide situational awareness for network operators, but can also identify behavior of insiders that are suspect.
Strong identity management, user authentication, and role-based access techniques are central to reducing the insider threat. User credentials, preferably enforced through biometric solutions, are mature enough to be deployed. Enhanced analytics can also be used to identify abnormal or suspicious behaviors.

Q: Password-only authentication seems to be rapidly falling out of favor. For government, what are the realistic alternatives over the next few years?

A: In the coming years, new authentication approaches will replace passwords. With touch screen phone technology, for example, you'll be able to use fingerprint, voice and facial recognition. We see authentication approaches that will combine biometrics, encrypted PINs, and secure device provisioning as attractive alternatives to passwords. Even today there are alternatives available for authentication. CAC cards, for example, can be an interim step and can be used in combination with biometrics such as fingerprint detection. This approach supports our belief that single-factor authentication is not sufficient. Again, it gets back to the discussion about risk tolerance and what the proper balance is for each agency. There are numerous statistics available now that identify the cost to an organization of a successful cyber intrusion. So once the attack has happened, the ROI for implementing even the most basic authentication and security improvements - as well as basic hygiene measures - is higher and clearly justified.

Q: How well does the government procurement process aid cybersecurity measures? What else would you like to see?

A: Our government customers are well aware of the role that procurement plays in cyber, and we stress the importance of designing security into that process. This is absolutely critical. If you can design it in upfront you can keep down costs and do a lot for affordability. We also talk about the need to consider supply chain security early in the process.
Deployed systems have to meet proper security standards and that needs to be balanced with the expected advancements in technology and pervasive trends, such as mobility. If they do that, they'll find themselves in a better posture as far as getting the acquisitions underway. Clearly, the awareness among government officials from the top down is growing and is being translated into policy. The government procurement process itself is very mature, but there is still work to do. In January, the GSA and DoD announced recommendations to improve cybersecurity resilience and address cyber risks in the federal acquisition process, a great step forward.

Q: How well is the FedRAMP program working, and are any changes needed? Will it alone make cloud-based services more secure for agencies?

A: FedRAMP has a very challenging role in supporting the procurement of cloud services. They've got a working process now for vetting cloud solutions, and it definitely brings efficiencies to government. The standardization FedRAMP has applied to this technologically diverse environment allows for further efficiencies for the federal government. If a federal CTO or CIO is presented with a cloud provider that has a provisional authority to operate, then they know that provider has a sound solution and their service is a lower security risk. Again, balancing risk tolerance. In that sense, FedRAMP is speeding up the whole process of selecting and acquiring cloud services and getting them much more mature solutions. In the last year, there were just over a dozen cloud providers granted FedRAMP provisional ATOs, so the process is clearly working.

About Northrop Grumman

Northrop Grumman is a leading integrator of cyber solutions for the Department of Defense, the intelligence community, civil/federal agencies, and for commercial and international customers - offering innovative solutions that are securing networks and products, worldwide. For more information, go to: www.northropgrumman.com