An interview with Michael Epley, Chief Architect and Security Strategist, Red Hat
Cybersecurity threats have become more frequent, more varied and more sophisticated. While familiar attack vectors like phishing remain among the most common, new threats are gaining traction: One industry survey found that supply chain attacks on open-source software increased 650% in 2021. Because software supply chains are incredibly complex, firms such as Red Hat that partner with government agencies and help remove weak links from their supply chains are critically important.
Accept That It’s an Arms Race
“I think of it as an arms race,” said Michael Epley of Red Hat’s North America Public Sector. “Sometimes attackers will get the upper hand. But even when they have minor tactical successes, we can win with a broader strategy for defending our enterprises.”
Epley explained that modernizing IT systems, adopting cloud resources and integrating operational technology (OT) systems into a common enterprise fabric can create vulnerabilities. That new complexity has led attackers to see supply chains as an easy point of entry, from which they can then move laterally through the system.
Epley noted that Executive Order 14028, “Improving the Nation’s Cybersecurity”, provides a roadmap to meeting these challenges. It calls on federal agencies to move toward zero trust and accelerate their transition to secure cloud. Zero trust can help reduce the impact of attacks through the supply chain by requiring verification every time one resource attempts to access another, he said.
3 Ways to Make It Stick
Epley has three recommendations to help organizations build resilience against attacks:
- Use security champions to show the value of cybersecurity practices to the rest of the workforce, and to respond to their needs and requirements.
- Use zero trust as a holistic strategy for enabling and providing security controls across your organization, from the hardware up to the applications, up to the data, and up to the system level, and all the way to your enterprise perimeters.
- Outsource your risk. Vendors and managed service providers are often best positioned to understand both the risks and the available security controls for their systems and to respond quickly and effectively to threats.
How Red Hat Can Help
Red Hat is a good example of a vendor that can assume some of the security burden for its customers. The company provides systems that are “hardened by default,” Epley explained, “so that even if there is a vulnerability, the controls we ship with our products can help mitigate it.”
Red Hat creates secure supply chains for its customers, treating every system as if it were a production system, Epley said. “That means better cybersecurity data sharing across all those players — vendors, IT providers, our own internal cybersecurity team, as well as [customer] incident response [teams] and all the other partners that are affected.”
This article appears in our guide “Bright Ideas for Making Cyber Stick.” To see more about how agencies are implementing cybersecurity, download the guide.