The following post is an interview with Bob Lentz, Member of FireEye’s Board of Directors, President of Cybersecurity Strategies, and former Deputy Assistant Secretary of Defense for Cyber, Information, and Identity Assurance. It is an excerpt from GovLoop's recent guide, Securing Government: Lessons from the Cyber Frontlines.
Though government spending on cybersecurity continues to increase, many agencies are having difficulty producing real return on their significant investments. Bob Lentz a member of the Board of Directors at FireEye, a security solutions provider, explained why allocation of security resources must change in the public sector. He also offered these three steps to enhance cybersecurity strategies.
Upgrade Your Technology
“The first priority is that we need to move away from the legacy architectures and move to a much more advanced type of architecture to deal with the advanced cyber threats targeting agencies,” said Lentz. “We can no longer invest in legacy instrumentation that is proven to be ineffective.”
Simply put, legacy technology cannot meet the challenges of new menaces. “We are still focusing on what I would call ankle-biting attacks, and we’re spending a disproportionate share of our resources on instrumentation to deal with these low level threats. But it’s the more advanced attacks that are really having a significant impact on enterprises,” said Lentz.
He explained that one reason many agencies continue to invest in ineffective systems is because they are too focused on regulatory compliance. “You might check a box that says you have to have identity management or access control. You check that box and you walk away saying, ‘Well, I’ve met the spirit of the law.’ In fact, it could be a very weak form of access control that does not adequately address an organization’s threat environment. And unfortunately, this compliance mentality is creating a major gap where you’re not really putting your best instrumentation and capabilities in place.”
Instead of following regulations alone, agencies should invest in technologies that address their vulnerabilities. But before they do that, they have to assess their current state.
Tackle Your Vulnerabilities
“Priority number two is there needs to be very serious attention at the senior levels on regularly assessing your cyber readiness to deal with these attacks,” said Lentz. “And that will result in having senior level oversight and, therefore, a corresponding increase in budget to be able to deal with those threats.”
This oversight and budgeting should be dedicated to assessing current capabilities. “Agencies have to be much more rigorous in deploying red teams of their networks to assess their vulnerabilities,” said Lentz. “If you constantly test yourself, you’ll be able to know if you can contain these attacks and prevent them from getting to the crown jewels and causing significant damage.”
At the same time, “You have to understand where your most important assets are,” continued Lentz. “I think [agencies] will quickly come to the conclusion that even though they may be meeting these compliancy requirements, they’re leaving themselves significantly open to attacks. So I think you really need to look deeper inside your network and shift your resources around.”
Strengthen Your Security Teams
Finally, Lentz said that agencies must focus on filling the gap in cyber skills. He again related this need to inherited architecture problems. “What we have found is that we have a lot of these legacy capabilities that are pretty much taking over enterprises and, in fact, they’re actually increasing the complexity of managing threats,” he explained. “It’s actually making the manpower and human resource problem much more weighty than it really needs to be.”
Therefore, “The third priority is to focus on training the workforce and to leverage automated tools so that this workforce can focus on the increasing number of sophisticated, complex attacks,” said Lentz.
As agencies transition technologies, they must also ensure they provide the necessary training to network administrators. “If you look at the breaches that are occurring, in some cases they’ll have instrumentation that is pretty good, but they’re just not using it right,” said Lentz. Increased focus on personnel education can ensure technology investments aren’t diminished by inappropriate use.
In addition to training for manual tasks, security should also be automated whenever possible. “Increased automation will allow you to make up for a lot of the talent gap,” explained Lentz. “It will let you quickly sift through the noise, to look for those attacks that are going to be the most lethal. And then when there are attacks that are successful, you can more quickly stop them from having serious impact on your enterprise.”
Lentz concluded, “You need to look deeply inside your network, re-architect your priorities, and invest in the right things. If you can do that, you’ll implement the right techniques that will allow you to more effectively manage your enterprise and reduce the strain on human resources significantly.”