What it takes to achieve effective cyber defense
Addressing nontechnical challenges could help overcome slow-moving government policies and a compliance-focused culture, writes FireEye's Travis Rosiek.
The federal government is not designed to be nimble, but it can adapt quickly under extreme crises. The nature of the cybersecurity landscape, however, requires agencies to adapt to changing threats continuously, not just during an extreme crisis. And given the rapid adoption and advancement of mobile technologies, that cycle can be on the order of weeks.
Yet historically, cybersecurity budgets follow the standard federal budget process and are planned years in advance. The critical challenge is that adversaries can adapt much faster than defenders can adapt their defenses. And, as I observed during my tenure as a civil servant, other nontechnical challenges compound the problems cyber defenders face.
Culturally, compliance in the federal government is the standard benchmark for job performance. The challenge is that threats have evolved to the point where good hygiene and implementing current mandates are not enough to stop advanced adversaries.
The first step to changing this paradigm is to continue to stress the importance of compliance while realizing that a cyber breach is unavoidable. The key is to focus on what federal agencies can do to rapidly identify a breach, contain it and limit the damage an adversary can do. A synergistic approach of implementing good hygiene and investing in capabilities that promote effects-based defense capabilities is critical to successfully defending government networks.
There are efforts underway to help address many of those challenges, but agencies should also be allowed to more easily invest in game-changing cybersecurity capabilities that not only advance their technical defensive capabilities but also address nontechnical challenges and provide more operational effectiveness.
In many organizations, operationally effective cyber defense revolves around the ability to shrink the time to complete the loop of Attack Prevention > Detection > Diagnosis > Containment > Response. In agencies that don't have requirements that support effective cyber defense operations across the entire IT landscape, completing that loop takes weeks or even months.
For example, one nontechnical challenge that I have observed happens when separate companies have contracts for network administration and endpoint security. I have seen situations in which someone on the endpoint security team identified something suspicious and requested details from the networking team to help diagnose the event. The response from the networking contractor was that it could not provide support because it was not allowed to take direction from another contractor.
That type of nontechnical challenge and delay can dramatically increase the cost and impacts associated with cyber breaches. According to the latest Mandiant M-Trends report, in 2013 the median time from breach to detection was 229 days. For cyber defenders to be more effective, they need capabilities that enable them to be more proactive in defending against threats. Agencies must get out of the business of being reactive and solely relying on mandated signature-based capabilities simply because compliance is the benchmark.
However, because advanced capabilities are not mandated, it requires an incredible amount of effort and time to acquire them -- typically in small installments of end-of-year funds.
Rapidly adopting cutting-edge technologies could give cyber defenders an advantage over adversaries and help overcome some of the nontechnical challenges agencies face. That would save money in the long run and have a dramatic impact on the foothold adversaries can gain in the years it would take to address the problem with current government policies and compliance mandates.