Protecting a Moving Target: Why Network Visibility Is the Foundation to a Strong Cyber Defense

Over the years, federal networks have become more complex. Cloud technology has replaced in-house infrastructure. Employees conduct work on their personal computers. And, thanks to the Internet of Things, a proliferation of “smart” devices connect to agency systems.

Agencies largely know about the equipment they manage, but the unmanaged devices are much harder to see and secure, said Jean Schaffer, Federal Chief Technology Officer with Corelight, a network detection and response (NDR) platform that provides complete network visibility across hybrid and multi-cloud environments.

“Visibility really is about understanding anything and everything that’s touching your networks, including your workflows in the cloud, so you can get your arms around what needs to be protected,” Schaffer said. A comprehensive, dynamic view — not a snapshot in time — is necessary to identify your high-value assets, the “crown jewels you really want to protect,” she explained.

A Core Need

In August 2021, the Office of Management and Budget released Memorandum 21-31, establishing federal requirements designed to increase government’s network visibility before, during and after a cybersecurity event. “The memo requires agencies to understand what is happening down at their network and endpoint layers and to maintain a record of that information in a way that can contribute to their overall security defense,” Schaffer said.

Corelight helps organizations comply by passively monitoring all of their network traffic, creating logs that record that behavior, and detecting both known threats and behavioral anomalies (e.g., anomalous logins). “What Corelight does really well,” she said, “is stitch together [an agency’s] logs so it’s easy for defenders to understand the context of what’s happening and get that true picture quickly.”
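As an added illustration (not Corelight's code or the article's), the sketch below shows the kind of log stitching described above: two constructed Zeek-style JSON logs (conn.log and ssh.log) are joined on their shared `uid`, and the joined records are checked against a constructed inventory of managed hosts to flag SSH logins from unmanaged devices or with excessive authentication attempts. The sample log lines, the managed-host list and the attempt threshold are all assumptions made for this example.

```python
import json

# Constructed sample lines in Zeek's JSON log format (not real traffic).
CONN_LOG = """
{"ts":1700000000.1,"uid":"CAbc1","id.orig_h":"10.0.1.20","id.resp_h":"10.0.9.5","id.resp_p":22,"proto":"tcp","service":"ssh"}
{"ts":1700000001.2,"uid":"CAbc2","id.orig_h":"192.168.40.77","id.resp_h":"10.0.9.5","id.resp_p":22,"proto":"tcp","service":"ssh"}
{"ts":1700000002.3,"uid":"CAbc3","id.orig_h":"10.0.1.21","id.resp_h":"10.0.9.8","id.resp_p":443,"proto":"tcp","service":"ssl"}
"""
SSH_LOG = """
{"ts":1700000000.4,"uid":"CAbc1","auth_success":true,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_9.3"}
{"ts":1700000001.5,"uid":"CAbc2","auth_success":true,"auth_attempts":4,"client":"SSH-2.0-libssh_0.9"}
"""

# Constructed asset inventory: hosts the agency manages and expects to see.
MANAGED_HOSTS = {"10.0.1.20", "10.0.1.21"}


def parse_log(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def stitch_by_uid(conn_records, ssh_records):
    """Join ssh.log records onto their conn.log record via the shared uid."""
    conns = {r["uid"]: r for r in conn_records}
    joined = []
    for s in ssh_records:
        c = conns.get(s["uid"])
        if c is not None:
            # Keep the connection's ts/uid; add the SSH-specific fields.
            joined.append({**c, **{k: v for k, v in s.items() if k not in ("ts", "uid")}})
    return joined


def flag_anomalous_logins(joined, managed_hosts, max_attempts=3):
    """Flag successful logins from unmanaged hosts and noisy auth sequences."""
    findings = []
    for r in joined:
        reasons = []
        if r.get("auth_success") and r["id.orig_h"] not in managed_hosts:
            reasons.append("ssh login from unmanaged host")
        if r.get("auth_attempts", 0) > max_attempts:
            reasons.append("auth attempts exceed threshold")
        if reasons:
            findings.append({"uid": r["uid"], "orig": r["id.orig_h"],
                             "resp": r["id.resp_h"], "reasons": reasons})
    return findings


def run():
    joined = stitch_by_uid(parse_log(CONN_LOG), parse_log(SSH_LOG))
    return flag_anomalous_logins(joined, MANAGED_HOSTS)
```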

The platform is a foundational tool that helps agencies build effective cybersecurity programs, Schaffer added.

True Story

Corelight data makes a real-world difference. The 2020 SolarWinds SUNBURST attack, which affected more than 40 federal agencies and thousands of other entities worldwide, is a prime example. FireEye’s threat research team discovered the supply chain attack using Zeek, Corelight’s core technology, to detect the novel threat in SolarWinds’ environment.

“Without those detailed logs, they said they couldn’t have identified [the attack] as quickly … or how the attacker entered the supply chain,” she said.

Options

Corelight fills the network visibility gaps left by endpoint detection and response (EDR) and security information and event management (SIEM) solutions. Sensors can be deployed anywhere Linux runs: as a physical appliance, as software, or as virtual appliances available for several cloud and hypervisor platforms, such as Amazon Web Services, Azure, GCP, VMware, and Hyper-V. Corelight can also be installed on customer-managed Linux to take advantage of existing agency-owned hardware, regardless of vendor.

Government and its industry partners are “doing this dance with our adversaries every day,” in which malicious actors pose new threats that agencies and industry try to detect and remediate, Schaffer said. Knowing about everything traversing your network is the foundation of a strong cyber defense.

This article appeared in our guide, “The 2024 Cyber Agenda.” To learn more on the cyber outlook for the coming year, download it here:


Photo by Josh Sorenson at pexels.com
