Written by Dr Al Hartmann and presented by Chuck Leaver, Ziften CEO
After a massive data breach at the Office of Management and Budget (OMB), Federal Chief Information Officer Tony Scott ordered agencies to take immediate, specific actions over the following four weeks to further strengthen the security of their data and systems. For an organization of this size that was a bold move, but experience from software development shows that acting fast, or sprinting, can make a lot of headway on a problem in a short amount of time. That is especially true for large organizations, and the OMB is certainly large.
The sprint focused on eight principles. We have broken them down and offered insight on how each could be made more effective within the timeframe, helping the government make significant inroads in only a month. As you would expect, we look at things from the endpoint, and reading the eight principles shows how endpoint visibility would have been key to an effective sprint.
1. Securing data: Better protect data at rest and in transit.
This is an excellent start, and rightly priority number one, but we would strongly recommend that OMB add the endpoint here. Many data protection systems forget the endpoint, yet it is where data can be most vulnerable, whether at rest or in transit. The team needs to check whether it can assess endpoint software and hardware configuration, including the presence of any data protection and system protection agents, not forgetting Microsoft BitLocker configuration. And that is just the start: compliance checking of mandated agents must not be forgotten, and it should be performed continuously, enabling audit reporting of percentage coverage for each agent.
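As an added illustration (not Ziften's code) of the continuous compliance check and per-agent coverage reporting described above, the following Python audits a constructed endpoint inventory against an assumed list of mandated agents and a BitLocker-enabled requirement. The agent names, the record layout and the policy are assumptions; the one deliberate design choice is that an endpoint whose BitLocker status is unknown is reported as non-compliant rather than silently passed.

```python
"""Agent-coverage and disk-encryption compliance audit over an endpoint inventory.

Added illustration, not Ziften code. The inventory records and the list of
mandated agents are constructed sample data.
"""
from collections import defaultdict

# Constructed sample inventory: one record per endpoint, as a collector might report it.
INVENTORY = [
    {"host": "ws-001", "agents": {"edr", "av", "dlp"}, "bitlocker": "on"},
    {"host": "ws-002", "agents": {"edr", "av"},        "bitlocker": "on"},
    {"host": "ws-003", "agents": {"av"},               "bitlocker": "off"},
    {"host": "ws-004", "agents": {"edr", "av", "dlp"}, "bitlocker": "unknown"},
    {"host": "srv-01", "agents": {"edr"},              "bitlocker": "on"},
]

MANDATED_AGENTS = ("edr", "av", "dlp")  # assumed policy: every endpoint must run all three


def agent_coverage(inventory, mandated):
    """Return {agent: percent of endpoints reporting it}, rounded to one decimal."""
    total = len(inventory)
    counts = defaultdict(int)
    for rec in inventory:
        for agent in mandated:
            if agent in rec["agents"]:
                counts[agent] += 1
    return {agent: round(100.0 * counts[agent] / total, 1) for agent in mandated}


def noncompliant(inventory, mandated):
    """Map each failing endpoint to its findings: missing agents, then BitLocker state.

    Any BitLocker value other than 'on' (including 'unknown', i.e. not reported)
    counts as a finding, so a silent endpoint cannot look compliant.
    """
    findings = {}
    for rec in inventory:
        problems = sorted(set(mandated) - rec["agents"])
        if rec["bitlocker"] != "on":
            problems.append(f"bitlocker={rec['bitlocker']}")
        if problems:
            findings[rec["host"]] = problems
    return findings


if __name__ == "__main__":
    for agent, pct in agent_coverage(INVENTORY, MANDATED_AGENTS).items():
        print(f"{agent}: {pct}% coverage")
    for host, problems in noncompliant(INVENTORY, MANDATED_AGENTS).items():
        print(f"{host}: {', '.join(problems)}")
```

Run continuously (for example on every inventory refresh), the two functions give the audit figure the section asks for (coverage percentage per agent) and the worklist behind it (which hosts are missing what).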
2. Improving situational awareness: Improve indication and warning.
Situational awareness amounts to visibility: can you see what is actually happening, where, and why? And naturally this has to be in real time. During the sprint it must be verified that identification and tracking of logged-in users, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, significant log events and a myriad of other activity indicators across many thousands of endpoints hosting vast numbers of processes is possible. THIS is situational awareness for both indication and warning.
3. Increasing cyber security efficiency: Ensure a robust capacity to recruit and keep cyber security workers.
This is a challenge for any security program. Finding great talent is hard, and keeping it harder still. To attract this kind of skill set, win people over by offering the latest tools for cyber warfare. Make sure they have a system that gives complete visibility of what is happening at the endpoint and across the whole environment. As part of the sprint, OMB should examine the tools in place and check whether each tool turns the security team from the hunted into the hunter. If not, replace that tool.
4. Increase awareness: Improve general risk awareness by all users.
Risk awareness begins with effective risk scoring, and fortunately this is something that can be done dynamically all the way to the endpoint, helping to educate every user. User education is a task that is never finished, as the high success rate of social engineering attacks shows. But when security teams have endpoint risk scoring, they have concrete items to show users to demonstrate where and how they are exposed. This real-world situational awareness (see #2) increases user understanding, in addition to giving the security team precise details on, say, known software vulnerabilities, cases of compromised credentials and insider attackers, while continually monitoring system, user and application activity and network points of contact, so that security analytics can highlight elevated risks for security staff to triage.
5. Standardizing and automating procedures: Decrease time required to handle configurations and patch vulnerabilities.
More coverage must be demanded from security solutions, and they must be immediately deployable without tedious preparation, infrastructure stand-up or extensive staff training. Did the solutions in place take longer than a couple of days to deploy and require another full-time employee (FTE), or even half an FTE? If so, reassess those solutions, because they are probably hard to use (see #3) and are not doing the job you need, so the existing tools will have to be improved. Likewise, look for endpoint solutions that not only report software and hardware configurations and active services and processes, but also apply the National Vulnerability Database to report the vulnerabilities actually exposed by running software, and then assign an overall vulnerability score to each endpoint so that overworked support staff can prioritize patching.
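The following Python is an added example, not Ziften's product code, of the "running exposed vulnerabilities, then a per-endpoint score" approach this principle describes. It matches a constructed software inventory against a constructed vulnerability feed shaped like NVD-derived data (product, first fixed version, CVSS base score); the `CVE-PLACEHOLDER-n` identifiers stand in for real CVE numbers, and the product names, versions and scores are assumptions. The point it adds to the prose is the split the text implies: software that is installed but not running is still reported, but only running software raises the endpoint's score.

```python
"""Match running software against vulnerability records and rank endpoints for patching.

Added illustration, not Ziften code. VULN_FEED mimics the shape of NVD-derived
data but is constructed; the CVE-PLACEHOLDER ids are not real CVE numbers.
"""

# Constructed vulnerability feed: a product is affected when its version is below 'fixed_in'.
VULN_FEED = [
    {"id": "CVE-PLACEHOLDER-1", "product": "acme-reader",  "fixed_in": "11.0.10", "cvss": 9.8},
    {"id": "CVE-PLACEHOLDER-2", "product": "acme-reader",  "fixed_in": "11.0.7",  "cvss": 5.3},
    {"id": "CVE-PLACEHOLDER-3", "product": "acme-java",    "fixed_in": "8.0.51",  "cvss": 7.5},
    {"id": "CVE-PLACEHOLDER-4", "product": "acme-browser", "fixed_in": "43.0.2",  "cvss": 8.8},
]

# Constructed per-endpoint software inventory: (product, version, currently running?).
ENDPOINTS = {
    "ws-001": [("acme-reader", "11.0.6", True), ("acme-java", "8.0.60", True)],
    "ws-002": [("acme-reader", "11.0.8", False), ("acme-browser", "43.0.1", True)],
    "ws-003": [("acme-java", "8.0.40", True), ("acme-browser", "43.0.2", True)],
}


def parse_version(v):
    """Dotted numeric version to a comparable tuple ('11.0.10' -> (11, 0, 10))."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(product, version, record):
    """True when the record covers this product and the version predates the fix."""
    return (product == record["product"]
            and parse_version(version) < parse_version(record["fixed_in"]))


def score_endpoints(endpoints, feed):
    """Per endpoint: ids exposed by running software, ids only installed, and a CVSS-sum score.

    Only running software contributes to the score; installed-but-idle software is
    listed separately so it is not lost from the patch backlog.
    """
    results = {}
    for host, software in endpoints.items():
        running, installed_only, score = [], [], 0.0
        for product, version, is_running in software:
            for rec in feed:
                if not is_vulnerable(product, version, rec):
                    continue
                if is_running:
                    running.append(rec["id"])
                    score += rec["cvss"]
                else:
                    installed_only.append(rec["id"])
        results[host] = {"score": round(score, 1), "running": running,
                         "installed_only": installed_only}
    return results


def patch_priority(endpoints, feed):
    """Hosts ordered by descending exposure score (ties broken by host name)."""
    scored = score_endpoints(endpoints, feed)
    return sorted(scored, key=lambda h: (-scored[h]["score"], h))


if __name__ == "__main__":
    for host in patch_priority(ENDPOINTS, VULN_FEED):
        print(host, score_endpoints(ENDPOINTS, VULN_FEED)[host])
```

A summed CVSS score is a deliberately simple ranking; a real deployment would also weigh exploit availability and asset criticality, but the sum is enough to turn a flat vulnerability list into a patch order.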
6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and resolve events and incidents.
Fast identification of and response to problems is the main goal in the new world of cyber security. During their 30-day sprint, OMB should examine their solutions and make sure to find technologies that not only monitor the endpoint but track every process that runs and all of its network contacts, including user login attempts, to support tracking of malware proliferation and lateral network movement. Data derived from endpoint command and control (C2) accesses associated with major data breaches suggests that about half of compromised endpoints do not host identifiable malware, which heightens the significance of login and contact activity. Proper endpoint security will retain OMB data for long-term analysis, since many indicators of compromise become available only after the event, or even long afterwards, while persistent attackers may silently lurk or stay dormant for long periods. Attack code that can be detonated in a sandbox and identified within minutes is not the mark of advanced attackers. The ability to retain clues and connect the dots across both spatial and temporal dimensions is necessary for full identification and complete, non-recidivist resolution.
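Principles 2 and 6 both rest on the same telemetry: network contacts attributed to the process that made them, plus logon events per user. The Python below is an added example (not Ziften's detection logic) of two checks a defender can run over such data even when no identifiable malware is present, which is the case the text says covers about half of compromised endpoints. The event lines are constructed in an assumed `timestamp key=value ...` format, and the thresholds, the admin-port list and the ten-minute window are assumptions to tune for a real population.

```python
"""Process-attributed network contacts and logon tracking over endpoint telemetry.

Added illustration, not Ziften code. The telemetry lines are constructed in an
assumed 'timestamp key=value ...' form; thresholds and window are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry: one event per line, a timestamp followed by key=value pairs.
RAW_EVENTS = """\
2015-06-12T10:01:05Z host=ws-001 user=alice proc=outlook.exe event=net_connect dst=10.0.0.5:443
2015-06-12T10:02:10Z host=ws-001 user=alice proc=svchost.exe event=net_connect dst=10.0.0.21:445
2015-06-12T10:02:11Z host=ws-001 user=alice proc=svchost.exe event=net_connect dst=10.0.0.22:445
2015-06-12T10:02:12Z host=ws-001 user=alice proc=svchost.exe event=net_connect dst=10.0.0.23:445
2015-06-12T10:02:13Z host=ws-001 user=alice proc=svchost.exe event=net_connect dst=10.0.0.24:445
2015-06-12T10:03:00Z host=fs-01 user=alice event=logon logon_type=3 src=10.0.0.11
2015-06-12T10:03:30Z host=ws-002 user=alice event=logon logon_type=3 src=10.0.0.11
2015-06-12T10:04:00Z host=ws-003 user=alice event=logon logon_type=3 src=10.0.0.11
2015-06-12T11:00:00Z host=ws-004 user=bob proc=chrome.exe event=net_connect dst=198.51.100.7:443
2015-06-12T11:05:00Z host=ws-004 user=bob event=logon logon_type=2 src=-
"""

ADMIN_PORTS = {445, 3389, 5985, 5986}  # SMB, RDP, WinRM: assumed watch list


def parse_events(raw):
    """Parse telemetry lines into dicts, with the timestamp as a datetime under 'ts'."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def lateral_logons(events, window=timedelta(minutes=10), threshold=3):
    """Users whose network logons (type 3) reach >= threshold distinct hosts inside one window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("event") == "logon" and ev.get("logon_type") == "3":
            by_user[ev["user"]].append((ev["ts"], ev["host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[user] = sorted(hosts)
                break
    return flagged


def admin_port_fanout(events, threshold=3):
    """(host, process) pairs contacting >= threshold distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("event") != "net_connect":
            continue
        ip, port = ev["dst"].rsplit(":", 1)
        if int(port) in ADMIN_PORTS and ipaddress.ip_address(ip).is_private:
            targets[(ev["host"], ev["proc"])].add(ip)
    return {key: len(ips) for key, ips in targets.items() if len(ips) >= threshold}


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print("users with multi-host network logons:", lateral_logons(evs))
    print("processes fanning out on admin ports:", admin_port_fanout(evs))
```

Both checks depend on retention: the logon burst only stands out when events from several hosts are kept together, and the fan-out is only attributable because each contact was recorded with the process that made it, which is the "spatial and temporal" correlation the section calls for.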
7. Strengthening systems lifecycle security: Increase the inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner.
This is a worthy goal, and a huge challenge at a large organization such as OMB. It is another place where proper endpoint visibility can immediately measure and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint incidents (such as application crashes or hangs, service failures, or system crashes), and other signs of endpoints outliving their useful or secure life span. The result is a complete inventory that can be prioritized for retirement and replacement.
8. Reducing attack surfaces: Reduce the complexity and number of things defenders have to protect.
If principles 1 through 7 are implemented with the endpoint properly considered, that will be a substantial step toward reducing attack risk. In addition, though, endpoint security can also give a real picture of the actual attack surface. Consider the ability to quantify attack surface based on the number of distinct binary images exposed across the whole endpoint population. For example, our ‘Ziften Pareto analysis’ of binary image prevalence statistics produces a typical “ski slope” distribution, with a long thin tail indicating large numbers of very uncommon binary images (present on fewer than 0.1% of all endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also complicates vulnerability lifecycle management). Data from numerous customer deployments reveals outright bloat factors of 5-10X compared with a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich attackers’ paradise.
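The prevalence analysis described above can be reproduced on any endpoint-to-binary inventory. The Python below is an added example, not Ziften's own analysis code: it builds a constructed population with a common core, an optional set on half the hosts and one-off binaries on a fifth of them (the long tail), then computes the per-image prevalence, counts the rare images under the 0.1% cutoff the text gives, and estimates a bloat factor. The baseline it compares against (images present on at least 1% of endpoints, standing in for what a disciplined population would carry) is an assumption, as is the population shape.

```python
"""Binary-image prevalence ('ski slope') analysis and attack-surface bloat estimate.

Added illustration, not Ziften's analysis code. The population is constructed;
the 0.1 % rarity cutoff follows the text, the 1 % baseline cutoff is an assumption.
"""
from collections import Counter


def build_population(n_endpoints=2000, core=30, optional=20, unique_share=0.2):
    """Constructed endpoint -> set-of-binaries map.

    Every host carries the core set, every second host the optional set, and a
    share of hosts carry one binary seen nowhere else (the long tail).
    """
    population = {}
    n_unique = int(n_endpoints * unique_share)
    for i in range(n_endpoints):
        images = {f"core-{j}.exe" for j in range(core)}
        if i % 2 == 0:
            images |= {f"opt-{j}.exe" for j in range(optional)}
        if i < n_unique:
            images.add(f"oneoff-{i}.exe")
        population[f"ep-{i:04d}"] = images
    return population


def prevalence(population):
    """Fraction of endpoints on which each distinct binary image is present."""
    n = len(population)
    counts = Counter(img for imgs in population.values() for img in imgs)
    return {img: c / n for img, c in counts.items()}


def attack_surface_summary(prev, rare_cutoff=0.001, baseline_cutoff=0.01):
    """Distinct images, rare-tail size, assumed disciplined baseline, and their ratio."""
    distinct = len(prev)
    rare = sum(1 for p in prev.values() if p < rare_cutoff)
    baseline = sum(1 for p in prev.values() if p >= baseline_cutoff)
    return {
        "distinct_images": distinct,
        "rare_images": rare,
        "baseline_images": baseline,
        "bloat_factor": round(distinct / baseline, 1) if baseline else float("inf"),
    }


def top_k_coverage(prev, k):
    """Share of all (endpoint, image) observations covered by the k most prevalent images.

    A steep 'ski slope' shows up as a value close to 1.0 for small k.
    """
    ranked = sorted(prev.values(), reverse=True)
    total = sum(ranked)
    return round(sum(ranked[:k]) / total, 3) if total else 0.0


if __name__ == "__main__":
    prev = prevalence(build_population())
    print(attack_surface_summary(prev))
    print("top 50 images cover", top_k_coverage(prev, 50), "of observations")
```

On the constructed population the 50 common images account for over 99% of observations, yet the inventory holds 450 distinct images, nine times the baseline; the 400 one-off binaries are the tail an attacker's implant would blend into and the first candidates for removal or review.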
The OMB sprint is a great reminder to all of us that great things can be accomplished quickly, but that it takes vision, not to mention visibility. Visibility, down to the endpoint, will be a vital piece for OMB to consider as part of their 30-day sprint.