How the right cyber intelligence can give agencies the upper hand

Tony Cole, vice president and global government chief technology officer for FireEye, said threat intelligence will help agencies mitigate risks by answering some basic questions about who the attackers are and what they are trying to do.

The two seminal moments of the last 15 years in federal government cybersecurity both came in 2006. The first was when the Defense Information Systems Agency required service members and civilian employees to use the Common Access Card to log into their computers; the second was when a Veterans Affairs Department employee lost a laptop holding the data of 26 million veterans.

Both of these events shaped the next 11 years of policies, laws, regulations and actions by chief information officers in trying to protect data, systems and networks.

Despite all the focus and tens of billions of dollars for new tools and services, the effort to harden federal computers and information remains a tremendous struggle.

We all know about the hack suffered by the Office of Personnel Management, which lost the data of 21 million current and former federal employees. And OPM is far from alone: the list of breaches suffered by agencies grows monthly.

And in May, the Information Technology and Innovation Foundation’s review of almost 300 of the most popular federal websites found that 66 percent of them used Secure Sockets Layer (SSL) certificates, which underpin Hypertext Transfer Protocol Secure (HTTPS). Ninety percent of the websites used Domain Name System Security Extensions (DNSSEC), but only 61 percent used both HTTPS and DNSSEC.

Beyond websites, the annual Federal Information Security Management Act (FISMA) report to Congress shows other long-standing challenges as well as gains.

While handling almost 31,000 incidents last year, agencies still fell well short of the governmentwide goals to implement hardware and software asset management and to use anti-malware and anti-phishing technologies, and on average agencies were rated at level 2 out of 5 on the maturity model.

So what can agencies do to further their protections and move from a reactive to a proactive cyber defense?

Tony Cole, vice president and global government chief technology officer for FireEye, said even though there is a lot of discussion about how the attacks continue to be more sophisticated, many times hackers are taking advantage of known and fixable holes in an organization’s network.

“We need to make sure we implement the basics across the board—cyber hygiene. I think that’s really important even though that gets me a little frustrated so we’ve been talking about that since about 1997. That’s still a challenge for us,” Cole said on the Innovation in Government show. “It should be institutionalized at this point where you have the right budget in place to ensure you always have the hardware that can support the latest operating systems and you have your patching institutionalized as well so it’s implemented as well as quickly as possible. Then you can start to focus on the more significant threats around your most critical assets across the board. There is a lot that can be done, but those are two areas that we need to focus on today.”

Cole said part of the way to address this long-standing challenge of cyber hygiene is to make it more than a chief information officer’s responsibility and make sure every executive and employee understands the risks and the steps to mitigate cyber attacks.

While the government has made some progress with initiatives such as the EINSTEIN intrusion detection and protection software and the Continuous Diagnostics and Mitigation program, Cole said collecting and sharing cyber threat intelligence is a real game changer.

“As we bring more and more assets into the IT enabled space, we are going to see this problem accelerate so we really need to get our arms around it,” Cole said. “We need CIOs and we need departments and agencies thinking about this as an evolving problem.”

He said threat intelligence will help agencies mitigate risks by answering some basic questions:

  • Who is after you?
  • Why are they after you?
  • What are they after?

“When you start to understand that, then you can actually start to hunt inside the environment, looking for additional indicators. Do they have other beachheads, compromised systems that they may have compromised long ago that you simply are not aware of because they are not beaconing out? Hunting in that environment is critically important and you can’t do that unless you understand the adversary,” Cole said. “That will help you build your cybersecurity strategy for risk mitigation instead of just focusing on compliance.”

Cole said that while attribution remains a huge challenge, agencies can instrument their networks to recognize threat actors through threat intelligence indicators such as the tools they use, the IP addresses they come from, the folders they focus on and how they change those folders.

“Part of the challenge today is how people define threat intelligence. We hear a lot of folks say, ‘It’s indicators of compromise. You can get it from anywhere and everyone shares that.’ But that’s not true,” he said. “What you want is contextual threat intelligence. You want to understand: What advanced persistent threat is attacking you? What nation state do they come from? What tools do they use? What folders do they go after? What assets are they trying to gather? There is a ton of information about those adversaries in context that can help you protect your environment. If you are just using hashes and IP addresses, then you are not doing it properly because you are not doing it with an adversary-focused perspective. That is the big difference you can actually have if you get the proper threat intelligence into your environment.”

Cole said that for agencies to take more advantage of cyber threat intelligence, they need to implement automation and orchestration tools, both to take care of the basics of security and to help CIOs and chief information security officers deal with the ever-increasing amount of data coming from network sensors.

“Pulling together a single pane of glass with all of the alerts in it and then actually building automation to respond to those alerts along with courses of action is really what will help security defenders across the board inside security operations centers,” he said. “Just to give you an example: here comes a phishing alert from a known bad domain. You can build a course of action that is just a push button, or you could even automate it so that that phishing email is actually quarantined, dumped off and that domain is added into your environment with very little work on the analyst’s part. It’s critically important that you actually start to do that so we can get rid of 80 percent of the alerts from those devices and focus on the 20 percent that is important.”
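As an added example (not code from the article or from FireEye), here is a small Python model of the push-button course of action Cole describes, using the kind of contextual intel entry the earlier passage argues for rather than a bare hash or IP; every domain, actor name and alert record below is constructed and hypothetical.

```python
# Added illustration, not the article's or FireEye's code. Models a SOC triage
# loop: phishing from a known-bad domain is quarantined and the domain is added
# to a blocklist automatically; everything else is escalated to an analyst.
from dataclasses import dataclass, field
from typing import Optional

# Constructed contextual threat-intel feed: each indicator carries the adversary
# context the article calls for (who, what tooling, what they go after).
THREAT_INTEL = {
    "invoice-update.example": {          # hypothetical known-bad sender domain
        "actor": "APT-X (hypothetical)",
        "tooling": "credential phishing kit",
        "targets": "finance shared folders",
    },
}

@dataclass
class Alert:
    kind: str                        # e.g. "phishing", "ids"
    sender_domain: Optional[str]
    message_id: Optional[str] = None

@dataclass
class Outcome:
    quarantined: list = field(default_factory=list)  # message ids auto-handled
    blocklist: set = field(default_factory=set)      # domains added for blocking
    escalated: list = field(default_factory=list)    # alerts needing a human

def course_of_action(alert: Alert, intel: dict, out: Outcome) -> str:
    """Apply the automated playbook to one alert and return what was done."""
    ctx = intel.get(alert.sender_domain) if alert.kind == "phishing" else None
    if ctx:                                   # known-bad, contextualised domain
        out.quarantined.append(alert.message_id)
        out.blocklist.add(alert.sender_domain)
        return "auto-quarantined: attributed to " + ctx["actor"]
    out.escalated.append(alert)               # unknown sender: analyst decides
    return "escalated"

def triage(alerts: list, intel: dict = THREAT_INTEL):
    """Run the playbook over a batch; return outcome and share auto-handled."""
    out = Outcome()
    for a in alerts:
        course_of_action(a, intel, out)
    ratio = len(out.quarantined) / len(alerts) if alerts else 0.0
    return out, ratio

# Constructed sample batch: four phishing mails from the known-bad domain and
# one from an unknown sender that still needs an analyst's judgement.
SAMPLE_ALERTS = [Alert("phishing", "invoice-update.example", f"m{i}") for i in range(1, 5)]
SAMPLE_ALERTS.append(Alert("phishing", "unknown-sender.example", "m5"))
```

Run over the constructed batch, the playbook handles four of five alerts without analyst work and leaves the one unknown sender for review, the 80/20 split Cole describes.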


About FireEye

FireEye is an intelligence-led security company. Working as a seamless and scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, military-grade threat intelligence and world-renowned Mandiant expertise.

FireEye’s focus on Government enables federal, state, local and public education entities to save time and money as they look to add holistic, cloud-based security to meet the challenges of delivering on advanced threat protection. With recent achievement of FedRAMP authorization for its cloud-based Email Threat Prevention (ETP) solution, FireEye continues its pursuit in supporting key Government missions around the world.

FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent and respond to cyber attacks. FireEye has over 5,800 customers across 67 countries, including more than 40 percent of the Forbes Global 2000.


Resource Center

Top 5 Ways to go Beyond Prevention

Endpoints are popular targets of advanced threats such as ransomware attacks. The best solutions detect, investigate and respond to alerts quickly.

This short video series covers 5 important capabilities to look for as you consider a more comprehensive endpoint solution:

  1. Intelligence-led endpoint security
  2. Multiple detection & prevention engines
  3. Integrated workflow
  4. Automated detection and prevention
  5. Single, consolidated agent


Host

Jason Miller

Jason Miller is a reporter whose work focuses mainly on technology and procurement issues, including cybersecurity, e-government and acquisition policies and programs.


Guest

Tony Cole, Vice President and Global Government CTO, FireEye

As FireEye Vice President and Global Government CTO, Tony Cole assists government agencies and companies worldwide in understanding today’s advanced threats and their potential impact. Prior to FireEye, Mr. Cole ran global government security consulting services for McAfee, headed a large government-focused consulting group, and served in a lead technical program business development role at Symantec. Mr. Cole is retired from the U.S. Army, where his last military assignment was technical operations manager for network security services at the Pentagon. He has over 30 years’ experience in communications, intelligence, cryptography and a variety of other IT and security environments.