Written by Dr Al Hartmann and presented by Charles Leaver, Ziften CEO
After the massive data breach at the Office of Personnel Management (OPM), Tony Scott, the Federal Chief Information Officer at the Office of Management and Budget (OMB), directed federal agencies to take immediate and specific actions over the following 30 days to improve the security of their data and systems. For an enterprise the size of the federal government that was a bold move, but software development has long shown that a short, focused sprint can make real headway on a problem. That is especially true for large organizations, and the federal government is about as large as they come.
The sprint focused on eight principles. We have broken them down and offered insight on how each could be made more effective within the timeframe, to help the government make considerable inroads in only a month. As you would expect, we look at things from the endpoint, and walking through the eight principles shows how endpoint visibility would be crucial to a successful sprint.
1. Securing data: Better secure data at rest and in transit.
This is a good start, and rightly priority number one, but we would encourage OMB to add the endpoint here. Many data security solutions overlook the endpoint, yet that is where data is most vulnerable, whether at rest or in transit. The team should confirm that it can inspect endpoint software and hardware configuration, including the presence of data protection and system defense agents and the state of Microsoft BitLocker on each device. That is only the start: compliance checking of mandated agents must not be forgotten, and it must run continuously so that audit reports can state the percentage coverage for each agent.
2. Improving situational awareness: Enhance indication and warning.
Situational awareness is close to visibility: can you see what is actually happening, where, and why, and can you see it in real time? During the sprint it should be verified that the following can be tracked across many thousands of endpoints hosting a huge population of processes: the identity of logged-in users, user-focus activity, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, notable log events, and a myriad of other activity indicators. That is situational awareness for both indication and warning.
3. Increasing cyber security proficiency: Ensure a robust capability to hire and keep cyber security workers.
This is a challenge for any security program. Finding good talent is hard and keeping it is harder still. To attract this skill set, offer the latest tools for the job. Make sure the team has a system that gives complete visibility into what is happening at the endpoint and across the environment. As part of the sprint, OMB should review the tools in place and ask whether each one turns the security team from the hunted into the hunter. If not, replace it.
4. Boost awareness: Improve overall threat awareness by all users.
Threat awareness begins with effective threat scoring, and fortunately that can be done dynamically all the way down to the endpoint and used to educate every user. User education is never finished, as the continued success of social engineering attacks shows. But when security teams have endpoint threat scores they have concrete evidence to show users where and how they are exposed. This real-world situational awareness (see #2) improves user understanding, and it gives the security team precise detail on, say, known software vulnerabilities, compromised credentials and insider threats, while continuously monitoring system, user and application activity and network points of contact, so that security analytics can surface elevated risks for staff to triage.
5. Standardizing and automating processes: Reduce time required to handle configurations and patch vulnerabilities.
Demand more from security solutions: they should deploy immediately, without tedious preparation, infrastructure stand-up or extensive staff training. Did the solutions in place take more than a couple of days to deploy, or require another full-time employee (FTE), or even half an FTE, to run? If so, reassess them, because they are probably hard to use (see #3) and are not doing the job you need, and the existing tooling will have to be improved. Likewise, look for endpoint solutions that not only report software and hardware configurations and active services and processes, but also apply the National Vulnerability Database (NVD) to report the vulnerabilities that are actually running and exposed, and then assign an overall vulnerability score to each endpoint so that overworked support staff can prioritize patching.
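The "running and exposed" distinction above is the part most inventory tools miss: a vulnerable library that is installed but never loaded is a latent problem, not an exposure. The example below is added here to show one way to make that distinction and turn it into a per-endpoint score; it is not Ziften code. The vulnerability feed, the endpoint inventories and the scoring formula are all constructed for illustration, the VULN-* identifiers are placeholders rather than CVE numbers, and matching is done on (product, version) pairs where a real tool would load the NVD feeds and match on CPE names.

```python
"""Score endpoints by the vulnerabilities that are actually running and exposed.

Added example, not Ziften code. The vulnerability feed, endpoint inventories and
scoring formula are constructed for illustration; VULN-* identifiers are
placeholders, not CVE numbers. A real tool would load the NVD data feeds and
match on CPE names instead of (product, version) pairs.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    product: str
    fixed_in: str   # installed versions below this are affected
    cvss: float     # base score, 0-10


# Constructed feed (placeholder identifiers, not real CVEs).
FEED = [
    Vuln("VULN-0001", "openssl", "1.0.2", 7.5),
    Vuln("VULN-0002", "java", "8.0.60", 9.8),
    Vuln("VULN-0003", "java", "8.0.40", 6.5),
    Vuln("VULN-0004", "flash", "18.0.0.209", 9.3),
]

# Constructed endpoint inventory: what is installed and which of those
# products currently have a running process.
ENDPOINTS = {
    "ws-001": {"installed": {"openssl": "1.0.1", "java": "8.0.45"},
               "running": {"openssl", "java"}},
    "ws-002": {"installed": {"openssl": "1.0.1", "java": "8.0.45", "flash": "18.0.0.160"},
               "running": {"flash"}},
    "ws-003": {"installed": {"openssl": "1.0.2", "java": "8.0.66"},
               "running": {"java"}},
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '8.0.45' into (8, 0, 45); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def exposed_vulns(endpoint: dict) -> list[Vuln]:
    """Vulnerabilities in software that is both installed and running."""
    found = []
    for v in FEED:
        installed = endpoint["installed"].get(v.product)
        if installed is None or not is_affected(installed, v.fixed_in):
            continue
        if v.product not in endpoint["running"]:
            continue  # installed but idle: latent, not exposed
        found.append(v)
    return found


def endpoint_score(vulns: list[Vuln]) -> float:
    """Assumed formula: worst CVSS plus 0.5 per additional exposed finding,
    capped at 10, so one critical still outranks a pile of lows."""
    if not vulns:
        return 0.0
    worst = max(v.cvss for v in vulns)
    extra = min(2.0, 0.5 * (len(vulns) - 1))
    return round(min(10.0, worst + extra), 1)


def prioritize(endpoints: dict) -> list[tuple[str, float, list[str]]]:
    """Rank endpoints by score, highest first, with the findings behind each."""
    ranked = []
    for name, ep in endpoints.items():
        vulns = exposed_vulns(ep)
        ranked.append((name, endpoint_score(vulns), sorted(v.vuln_id for v in vulns)))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


if __name__ == "__main__":
    for name, score, ids in prioritize(ENDPOINTS):
        print(f"{name}: {score:>4}  {', '.join(ids) or 'no exposed vulnerabilities'}")
```

Note that ws-002 carries the same vulnerable OpenSSL and Java builds as ws-001 but scores lower, because only Flash is running there; the idle copies still need patching, but the running one is what an attacker can reach today.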
6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation and lateral movement. Quickly identify and resolve events and incidents.
Rapid identification of and response to problems is the central objective in the new world of cyber security. During the 30-day sprint, OMB should evaluate its solutions and make sure it has technology that not only monitors the endpoint but tracks every process that runs and all of its network contacts, including user login attempts, so that the spread of malicious software and lateral movement across the network can be followed. Data on endpoint command-and-control (C2) contacts from major data breaches shows that roughly half of compromised endpoints host no recognizable malware, which raises the importance of login and contact activity. Proper endpoint security will retain OMB's data for long-term analysis, since many indicators of compromise appear only after the event, sometimes long afterwards, while persistent attackers lurk quietly or lie dormant for extended periods. Attack code that can be sandbox-detonated and identified within minutes is not the mark of a sophisticated attacker. The ability to retain clues and connect the dots across both space (endpoints) and time is essential to full identification and to a resolution the intruder cannot simply undo by returning.
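The point about compromised endpoints with no recognizable malware is worth making concrete. The example below, added here and not Ziften's detection logic, works over constructed endpoint telemetry in which an account walks across four hosts using nothing but built-in administration tools, so no file-based indicator exists. It pairs each successful remote login with the process on the source host that opened the admin-port connection just before it (the "process-level attribution" the post calls for), then links hops where the same user leaves a host they just arrived on. Hostnames, users, timestamps, the admin-port list and the two time windows are all assumptions.

```python
"""Lateral-movement chains from process-attributed network contacts and logins.

Added example, not Ziften code. The telemetry below is constructed; hostnames,
users and timestamps are made up, and the port list and windows are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int            # seconds on a constructed clock
    host: str          # endpoint that recorded the event
    kind: str          # "net": outbound contact; "login": logon on this host
    user: str
    process: str = ""  # net: the process that opened the connection
    peer: str = ""     # net: destination host; login: source host
    port: int = 0      # net: destination port
    ok: bool = True    # login: success or failure


ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}  # remote-admin channels (assumed)
ATTRIB_WINDOW = 5    # seconds between an outbound contact and the login it caused
HOP_WINDOW = 900     # seconds a user may dwell on a host before moving on

# Constructed telemetry: one account walks ws-01 -> ws-07 -> srv-db -> srv-file
# using only built-in admin tools, plus benign noise and one failed attempt.
EVENTS = [
    Event(100, "ws-01", "net", "jdoe", "powershell.exe", "ws-07", 445),
    Event(101, "ws-07", "login", "jdoe", peer="ws-01"),
    Event(150, "ws-02", "net", "asmith", "chrome.exe", "intranet", 443),
    Event(160, "srv-file", "login", "backup_svc", peer="srv-bk"),
    Event(200, "jump-01", "net", "itadmin", "mstsc.exe", "ws-05", 3389),
    Event(202, "ws-05", "login", "itadmin", peer="jump-01"),
    Event(400, "ws-07", "net", "jdoe", "wmic.exe", "srv-db", 135),
    Event(402, "srv-db", "login", "jdoe", peer="ws-07"),
    Event(500, "ws-03", "login", "jdoe", peer="ws-07", ok=False),
    Event(700, "srv-db", "net", "jdoe", "wmic.exe", "srv-file", 445),
    Event(703, "srv-file", "login", "jdoe", peer="srv-db"),
]


def attribute_logins(events: list[Event]) -> list[dict]:
    """Pair each successful remote login with the process on the source host
    that opened the admin-port connection just before it."""
    contacts = [e for e in events if e.kind == "net" and e.port in ADMIN_PORTS]
    hops = []
    for login in events:
        if login.kind != "login" or not login.ok or not login.peer:
            continue
        for c in contacts:
            if (c.host == login.peer and c.peer == login.host
                    and c.user == login.user
                    and 0 <= login.ts - c.ts <= ATTRIB_WINDOW):
                hops.append({"ts": login.ts, "user": login.user,
                             "src": c.host, "dst": login.host, "process": c.process})
                break
    return hops


def movement_chains(hops: list[dict], min_hops: int = 2) -> list[list[dict]]:
    """Link hops where the same user leaves a host they just arrived on."""
    by_user = defaultdict(list)
    for h in sorted(hops, key=lambda h: h["ts"]):
        by_user[h["user"]].append(h)
    chains = []
    for user_hops in by_user.values():
        consumed = set()          # hops already absorbed into an earlier chain
        for i, start in enumerate(user_hops):
            if i in consumed:
                continue
            chain = [start]
            for j in range(i + 1, len(user_hops)):
                cand, last = user_hops[j], chain[-1]
                if cand["src"] == last["dst"] and 0 < cand["ts"] - last["ts"] <= HOP_WINDOW:
                    chain.append(cand)
                    consumed.add(j)
            if len(chain) >= min_hops:
                chains.append(chain)
    return chains


def describe(chain: list[dict]) -> str:
    path = [chain[0]["src"]] + [h["dst"] for h in chain]
    tools = sorted({h["process"] for h in chain})
    return f"{chain[0]['user']}: {' -> '.join(path)} via {', '.join(tools)}"


if __name__ == "__main__":
    for chain in movement_chains(attribute_logins(EVENTS)):
        print(describe(chain))
```

The single-hop jump-host login by itadmin is attributed but not reported, because one remote login is normal administration; the chain threshold, not the presence of PowerShell or WMIC, is what separates the two. Retention matters here as well: the three hops span ten minutes in this toy data, but with a longer HOP_WINDOW the same logic correlates hops days apart, which is only possible if the login and contact records are still there.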
7. Strengthening systems lifecycle security: Increase the intrinsic security of platforms by buying more secure systems and retiring legacy systems in a timely way.
This is a worthy objective, and a massive challenge in an enterprise as large as the federal government. It is another place where the right endpoint visibility can immediately determine and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint incidents (such as application crashes or hangs, service failures or system crashes), and other signs that an endpoint has outlived its useful or safe service life. The result is a complete inventory that can be prioritized for retirement and replacement.
8. Minimizing attack surfaces: Decrease the complexity and quantity of things defenders have to protect.
If items 1 through 7 are completed with the endpoint properly considered, that alone is a big step toward reducing attack risk. In addition, endpoint data can show what the real attack surface looks like. Consider quantifying attack surface by the number of distinct binary images exposed across the entire endpoint population. Our 'Ziften Pareto analysis' of binary image prevalence statistics typically produces a 'ski slope' distribution, with a long thin tail of very unusual binary images, each present on less than 0.1% of endpoints. Ziften identifies the factors that bloat the attack surface, including application sprawl and version proliferation (which also complicates vulnerability lifecycle management). Data from many customer deployments shows absolute bloat factors of 5-10X compared with a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich environment for attackers.
The OMB sprint is a good reminder that a lot can be achieved quickly, but it takes vision, not to mention visibility. Visibility down to the endpoint will be a critical piece for OMB and the agencies to consider as part of the 30-day sprint.
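To make the prevalence analysis above reproducible, here is an added example (not Ziften's analysis code) that computes the metrics the paragraph describes over a fleet generated to have a known shape: a small core of images every host runs, a middle tier present on 5% of hosts in several versions, and a long tail of one-off images. Image identifiers stand in for binary hashes. The "disciplined baseline" behind the bloat factor is an assumption of this example: every product seen on at least 1% of endpoints, counted once, as if it were deployed in a single sanctioned version and the one-offs did not exist.

```python
"""Binary-image prevalence, long-tail and bloat metrics across an endpoint fleet.

Added example, not Ziften's analysis code. The fleet is generated here with a
known shape, and the 'sanctioned baseline' used for the bloat factor is an
assumption: products seen on at least 1% of endpoints, counted once each.
"""
from collections import Counter, defaultdict


def build_fleet(n_hosts=2000, core=40, mid=200, rare=600):
    """Constructed fleet: host -> set of 'product:version' image identifiers
    (stand-ins for binary hashes)."""
    fleet = {}
    for h in range(n_hosts):
        images = {f"core-{i}:1.0" for i in range(core)}
        for i in range(mid):
            if (h + i) % 20 == 0:                        # 1 host in 20 -> 5% prevalence
                images.add(f"app-{i % 50}:{i // 50}.0")  # 50 products x 4 versions
        fleet[f"host-{h}"] = images
    for i in range(rare):                                # each rare image on one host only
        fleet[f"host-{i % n_hosts}"].add(f"rare-{i}:0.1")
    return fleet


def image_counts(fleet):
    """How many endpoints carry each distinct image."""
    counts = Counter()
    for images in fleet.values():
        counts.update(images)
    return counts


def rare_tail(counts, n_hosts, threshold=0.001):
    """Images present on fewer than `threshold` of endpoints (0.1% by default)."""
    return sorted(img for img, c in counts.items() if c < threshold * n_hosts)


def images_for_80pct(counts):
    """Pareto view: how many distinct images cover 80% of all image installs."""
    total = sum(counts.values())
    cum = 0
    for k, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        cum += c
        if cum * 10 >= 8 * total:        # integer arithmetic avoids float rounding
            return k
    return len(counts)


def version_sprawl(counts):
    """Products that exist in more than one version, with the version count."""
    versions = defaultdict(set)
    for img in counts:
        product, _, ver = img.partition(":")
        versions[product].add(ver)
    return {p: len(v) for p, v in versions.items() if len(v) > 1}


def bloat_factor(counts, n_hosts, sanctioned_min=0.01):
    """Distinct images observed versus a disciplined baseline of one image per
    sanctioned product (assumed: any product on >= 1% of endpoints)."""
    sanctioned = {img.partition(":")[0]
                  for img, c in counts.items() if c >= sanctioned_min * n_hosts}
    return round(len(counts) / len(sanctioned), 2)


if __name__ == "__main__":
    fleet = build_fleet()
    counts = image_counts(fleet)
    n = len(fleet)
    print(f"distinct images: {len(counts)} across {n} endpoints")
    print(f"images below 0.1% prevalence: {len(rare_tail(counts, n))}")
    print(f"images covering 80% of installs: {images_for_80pct(counts)}")
    print(f"products with version sprawl: {len(version_sprawl(counts))}")
    print(f"bloat factor vs. disciplined baseline: {bloat_factor(counts, n)}x")
```

On the generated fleet, 45 of 840 distinct images account for 80% of everything installed, while 600 images live on a single endpoint each; those one-offs, plus 50 products shipping in four versions, are what push the bloat factor above 9x. Swap the generated fleet for a real per-host image inventory and the same functions give the numbers to argue for retirement and consolidation.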