CBP security chief: ‘It’s all about the data’

Customs and Border Protection is in the process of delivering its first comprehensive cybersecurity strategy, and Shaun Khalfan, the agency’s chief security officer, is the midwife.

“We have a handful of projects within the enterprise as we’re looking to increase our security posture,” Khalfan told the Federal Drive with Tom Temin. “Everything from solutions at the network level for data loss prevention all the way down to the endpoint encapsulation, virtualization technologies to prevent phishing attacks and other threats to the CBP network.”

The strategy consists of three key elements: technology, process and people.

The technology element consists of finding ways to protect CBP’s assets. Data loss prevention is one of the agency’s biggest focuses in this realm; Khalfan said CBP’s approach is to follow the data throughout the network.

“We can tag data, we can look at what’s leaving the network, what’s going between different points on the network, and that enables us to look for anomalous activity and also supports the risk mitigation for insider-type behavior,” he said.

Khalfan said that allows CBP to identify patterns in the data, such as credit card or Social Security numbers, and to point investigators toward potentially compromised machines or malicious users. Managing the data from endpoint to endpoint lets Khalfan ensure that nobody who shouldn’t have access to the data gets it, and that the integrity of the data is maintained.

“When we look at security, it’s all about the data,” Khalfan said. “Has that machine been compromised? Is there some other type of malicious software on there that might be trying to send that data off? Is a user inadvertently sending that data off? Or could it be a user with malicious intent that might be sending that data off the network?”
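The check Khalfan describes above, looking for credit card and Social Security number patterns in data leaving the network and flagging where it is going, as an added example that is not CBP’s tooling and does not appear in the article: a small Python DLP content scanner run over constructed outbound messages. The hostnames, the classification tags, the destination allow-list and the message bodies are assumptions made up for the example. Two details matter in practice and are included here: a Luhn checksum on candidate card numbers and the SSA structural rules on candidate SSNs, which remove most ticket and order numbers that merely look like sensitive identifiers, and masking of the matched values so the alert record does not itself become a second copy of the data.

```python
import re

# Constructed sample of outbound messages (made-up data for this example).
# "tag" models the classification label applied to data before it moves.
SAMPLE_MESSAGES = [
    {"src": "wks-0142", "dst": "files.example.org", "tag": "internal",
     "body": "Invoice 4111 1111 1111 1111 due Friday"},   # passes Luhn (test PAN)
    {"src": "wks-0142", "dst": "mail.example.net", "tag": "internal",
     "body": "ticket 4111-1111-1111-1112 reference"},      # fails Luhn: a ticket id
    {"src": "srv-hr-01", "dst": "hr.example.gov", "tag": "hr-restricted",
     "body": "applicant ssn 219-09-9999"},                # structurally valid SSN
    {"src": "wks-0077", "dst": "cdn.example.org", "tag": "public",
     "body": "order 000-12-3456 shipped"},                # area 000 is never issued
]

# 13-16 digits, optionally separated by spaces or dashes, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Assumed allow-list of destinations that may legitimately receive such data.
ALLOWED_DST = ("mail.example.net", "hr.example.gov")


def luhn_ok(digits):
    """Luhn checksum over a digit string; true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """SSA structural rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_pans(text):
    """Return digit-only card numbers in text that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text):
    """Return SSN-shaped strings in text that satisfy the structural rules."""
    return [m.group() for m in SSN_RE.finditer(text) if ssn_ok(*m.groups())]


def mask(value):
    """Keep only the last four characters so the finding itself leaks nothing useful."""
    return value[-4:].rjust(len(value), "*")


def scan(messages, allowed_dst=ALLOWED_DST):
    """One finding per message carrying a sensitive pattern; 'high' when the
    destination is off the allow-list, which is the anomalous-flow signal."""
    findings = []
    for msg in messages:
        pans = find_pans(msg["body"])
        ssns = find_ssns(msg["body"])
        if not pans and not ssns:
            continue
        findings.append({
            "src": msg["src"],
            "dst": msg["dst"],
            "tag": msg["tag"],
            "pans": [mask(p) for p in pans],
            "ssns": [mask(s) for s in ssns],
            "severity": "high" if msg["dst"] not in allowed_dst else "review",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        print(f)
```

Run on the constructed sample, the invoice to the off-list file host is a high-severity finding, the HR transfer to the allowed HR host is a review item, and the ticket id and the malformed SSN produce nothing. A production DLP engine adds many more pattern classes and keyword context, but the validation-then-route logic is the same.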

CBP uses algorithms and logic to search for what Khalfan refers to as “indicators of compromise.” Those indicators have become considerably more sophisticated over the years.

Khalfan said that a few years ago, antivirus programs worked from known baselines: signatures of those indicators. Now, however, much of the malware is polymorphic, meaning it can change as little as a single digit so that it no longer matches a known signature.

Khalfan also deals with “advanced persistent threats,” such as two-stage malware, which gains a foothold but waits to execute its payload.

“We’ve gone into this with polymorphic signatures and advanced threats and malware that’s out in this environment, we needed to step our game up a little bit,” Khalfan said. “Networks are no longer a ‘scan, patch, and that’s it.’ You need to have this continuous visibility of what data, what you have on the network, who’s accessing the network, and it starts with knowing who’s on the network, who’s authorized to be on it, what assets you have, and then you need to continuously monitor that baseline, and look for activity that might flag or might be anomalous or somebody who might have circumvented one of those key areas.”

The key element, Khalfan said, is the people. Some of the users he supports aren’t technically inclined, and some may not even use computers except at work. So educating is an important part of his job.

“We can’t expect non-technical users and your everyday person who’s just trying to do their job to be up to date and aware of every single threat that’s out there. It’s just not reasonable,” he said.

Part of that education involves social engineering, Khalfan said. He conducts tests, such as mock phishing attacks dressed up as health care or payroll notices, to see which users are on guard. Those who fail such tests receive supplementary training to help them become better able to recognize threats.

Most of the threats Khalfan said he deals with are aimed at endpoint users, such as phishing attacks and malware, because those users are the ones reading email and browsing the internet.

“Some of these threats are so sophisticated,” he said. “They’re not the Nigerian prince… these are very sophisticated scams now and attacks that are coming down, where even security professionals can be fooled if you’re not using the right solutions, looking at the data, looking at the code, even sandboxing some of these links.”

Khalfan said he divides the people involved in his networks into two categories. The first are the cyber defenders, responsible for maintaining and patching the systems. The other is the user population, whom he considers his customers.

“This technology shop is not for technology’s sake; it’s to enable the mission, to support our customers, and hopefully create efficiencies for them to accomplish their jobs, and so with that, we have a lot of training,” Khalfan said.