How Can Federal Agencies better Manage Cyber Risk in a fast changing environment?
By: Ralph Kahn, VP of Federal at Tanium
Almost every day there is a new data breach, cyberattack, or IT security concern. With the rise of readily available hacking tools, cybercriminals can conduct sophisticated attacks at scale and at a low cost. The FBI’s Internet Crime Complaint Center received a total of 467,361 complaints with reported losses exceeding $3.5 billion in 2019 alone. Just a couple of months ago, a parts manufacturer for Tesla and SpaceX confirmed a data breach. And earlier this year, malware was discovered on servers at the Department of Defense.
These threats are not new, and agencies and commercial enterprises alike are focused on detection and mitigation. So much so that the global information security market is expected to reach $170.4 billion in 2022. If agencies are already focused on strengthening security, what’s the problem?
The problem is the approach. What must be refreshed is how federal agencies approach security—how are they identifying, managing, prioritizing, and mitigating risks? Also, agencies must take a hard look at how they are measuring the effectiveness of the security tools they buy and deploy to ensure a strong return on their investment.
Asking resource-strapped agencies to change their approach is not simple. If you look at last year’s GAO report, key challenges for agencies included: managing competing priorities across IT operations and security, receiving quality risk data, and incorporating cyber risks into enterprise risk management.
Compounding these challenges, the number of connected devices continues to grow. IDC predicts there will be over 41 billion in the next five years and according to some, we can expect 500 billion in the next decade. While this growth occurs, agencies must not only secure growing networks, but continue supporting mission needs and keep pace with ever-evolving technology.
So, how have agencies responded? Many agencies have turned to security tools to resolve the complexity dilemma; however, the collection of point solutions running across federal networks has only further compounded the problem. Most of those point tools require an agent to be installed, resulting in agent bloat, and studies have shown that the more agents there are on an endpoint, the higher the probability that it will be breached.
Further, while each tool may provide useful data, the tools often fail to communicate with one another to create a uniform, standardized output, making it difficult to accurately and confidently assess enterprise risks. Cyber risk management needs easy-to-calculate values and clear, prescriptive guidance for risk mitigation.
What can agencies do? First and foremost, start with the fundamentals. With new risks popping up each day, it’s easy to focus on the newest or most difficult problem. Security basics, such as those offered by the Center for Internet Security, are foundational.
Many agencies have turned to the MITRE ATT&CK framework. While useful, it is not a security compliance standard. ATT&CK currently includes more than 40 threat actor groups, malware families, or utilities that may query an unknown number of registry keys. However, attempting to address every technique in the framework would quickly prove a resource intensive task. Instead, agencies are better served by taking a holistic risk management approach, using complete, accurate, and real-time data from a single source to reduce risk and improve security. In doing so, they can also reduce the number of point products, reallocate budget and scarce resources, and justify future budget requests for critical security activities—all while providing a more comprehensive view of the security landscape that enables more strategic business decisions.
The good news is that once agencies begin to reduce the thicket of tools they use, the benefits (more accurate and actionable data, reduced complexity and cost, and reduced workload for an overworked IT and cyber work force) accrue almost immediately.
To improve security, agencies need to start with risk management; to do that, they need complete visibility and control to reign in the volumes of data running across enterprise networks. When complete visibility and control is achieved, agencies risk from cyberattacks is significantly reduced and their ability to make good business decisions is improved.
About the Author
Ralph Kahn has more than 25 years’ experience in the technology industry. He has held positions in systems engineering, product management, professional services, sales, and business management. Mr. Kahn has spent the last 20 years working in the cybersecurity industry.
As the Vice President of Federal for Tanium, Mr. Kahn is responsible for delivering on the U.S. government’s need for real-time situational awareness at scale. Under Mr. Kahn’s leadership, Tanium is helping the U.S. government improve cybersecurity, reduce costs, and gain reliable visibility and control of its IT infrastructure. Mr. Kahn works with leaders across government and on Capitol Hill to drive innovation and thought leadership in Cybersecurity, IT Operations, and overall IT Management. Mr. Kahn has worked with key stakeholders, such as the Technology Business Management Council, in updating the Federal Information Technology Acquisition Reform Act, and he has provided key input to the Department of Defense’s evolving Cybersecurity Maturity Model Certification effort.
Prior to joining Tanium, Mr. Kahn was responsible for leading an advanced technology group chartered with forward-looking cyber research at McAfee. Under his direction, this group discovered several new threat vectors and developed an information sharing and cyber system interaction model.