Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/5/2018
02:30 PM
Gus Hunt
Gus Hunt
Commentary
Connect Directly
LinkedIn
RSS
50%
50%

A Shift from Cybersecurity to Cyber Resilience: 6 Steps

Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. Here's where to begin.

Since federal agencies have been connected to the Internet, government cyber activities have focused on protecting government information, operations, and assets against intrusions from cyber threats.

Although this security-driven focus has had beneficial effects, the cyber-threat landscape is moving at a far greater velocity, with a far larger threat landscape, and is growing more complex than federal agencies — or any other organization — can keep pace with. We must now admit that absolute cybersecurity is absolutely impossible. The issue is not whether our defenses will be breached but when they will be.

This is why we must shift from a reactive approach to a more proactive stance. We must place far more attention toward making federal systems and networks resilient — that is, being able to continuously deliver the intended outcome despite adverse cyber events.

There is some good news. Agencies have made progress in their cybersecurity preparedness, which they can continue to build upon. In Accenture's recent 2018 State of Cyber Resilience survey, federal cybersecurity professionals report that they can now stop 87% of cyberattacks aimed at our systems. In Accenture Federal's Nature of Effective Defense research, federal respondents also rated themselves as competent or highly competent in 21 out of 33 foundational cybersecurity capabilities that are defined as essential to cyber preparedness. The top five areas respondents feel most confident about are: risk analysis, cybersecurity architecture approach, cyber-incident escalation paths, peer monitoring, and cyber-incident recovery.

There has been legislative progress as well: Last year, President Trump issued an executive order to strengthen the cybersecurity of federal networks and critical infrastructure, and Congress passed into law the Modernizing Government Technology (MGT) Act, which will expand federal IT modernization efforts. In May, the Department of Homeland Security (DHS) released a new cybersecurity strategy that places greater emphasis on building resilience into federal networks. In July, DHS announced the new National Risk Management Center to better coordinate responses to attacks and remediate their impact. And this September, the White House unveiled a new National Cyber Strategy that aims to improve the resilience of federal and critical infrastructures.

While these are all welcome developments, far more progress must be made. In May, a report by the Office of Management and Budget and DHS found that 71 of 96 agencies (74%) have cybersecurity programs that are either at risk or high risk. A Government Accountability Office (GAO) report in September found that agencies have not implemented roughly a thousand recommendations it has made to improve federal cybersecurity. In addition, in the Accenture State of Cyber Resilience survey, federal respondents ranked themselves least competent in several key capabilities, such as: identifying high-value assets and business, designing for the protection of key assets to improve resilience readiness, and cybersecurity investments for key assets.

Getting to cyber resilience requires that agencies think differently about how they build and implement their systems, particularly as they modernize their IT infrastructures. The following six steps, when embedded in agencies' modernization efforts and done in conjunction with the business process improvements identified by the State of Cyber Resilience survey, will help federal agencies transition to a cyber-resilience posture:

  1. Be brilliant at the basics. That includes routine maintenance tasks, such as patches, updates, and access permissions.
  2. Embrace the cloud for security. With the cloud, agencies can take advantage of elastic workloads, multizone computing, and multicloud strategies that make it exponentially more difficult for adversaries to find and harm them
  3. Implement data-centric security. Techniques such as encryption, tokenization, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions help ensure data security is embedded in day-to-day operations.
  4. Demand application security by design. Adopt DevSecOps practices and use automated scanning and testing to continually identify potential vulnerabilities. Consider applying polymorphic coding techniques to constantly shape-shift the application attack surface to frustrate and raise the cost for the adversary.
  5. Leverage software-defined networking. Adversaries can't attack what they can't find. Software-defined networking enables agencies to constantly shape-shift their networks, sending adversaries on wild goose chases.
  6. Engage in proactive defense. Apply artificial intelligence and security automation and orchestration tools to detect and act at machine speed. Constantly probe and pressure test the IT environment to find vulnerabilities before attackers do. Fully leverage threat intelligence to better know the adversary and focus on the most important threats.

Knowing that federal agencies will continue to be under increasingly sophisticated attacks demands a shift in focus toward cyber resilience. It's also important to remember we got here one system, one application at a time, and that’s the same way we will get out of this problem. These six steps, adopted in any order, will help get us to a state of cyber resilience. 

Related Content:

 

Gus Hunt is Managing Director and Cyber Strategy Lead for Accenture Federal Services. He is responsible for developing differentiated approaches to dealing with the cyber threat environment and growing AFS's cyber practice. Before joining AFS, Hunt was chief architect and the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
12/22/2018 | 4:06:17 AM
Fine balance of objectives.
The problem with cyber security is that it's constantly evolving. True that we can't make sure that everything is in place but who's to say that we aren't sufficiently protected until the point that we are actually being attacked? WE can only do what is our best, based on company budget allocated to the security department. And even so, we still have to make sure the business is profitable. Not everything will depend on security when it comes to making sure a business stays afloat.
markgrogan
50%
50%
markgrogan,
User Rank: Strategist
12/12/2018 | 12:37:00 AM
Hit it first
These 2 terms really create a huge contrast between having to salvage our situation or being able to prevent that very difficult situation from even happening. In business, the latter is usually a huge cost-saver and at some instances, a complete life-saver for the security team. If we can foresee that big risks are about to come our way, why not hit it before we get hit?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.