Dark Reading is part of the Informa Tech Division of Informa PLC



12/5/2018
02:30 PM
Gus Hunt
Commentary

A Shift from Cybersecurity to Cyber Resilience: 6 Steps

Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. Here's where to begin.

Since federal agencies have been connected to the Internet, government cyber activities have focused on protecting government information, operations, and assets against intrusions from cyber threats.

Although this security-driven focus has had beneficial effects, the cyber-threat landscape is far larger, is moving at a far greater velocity, and is growing more complex than federal agencies — or any other organization — can keep pace with. We must now admit that absolute cybersecurity is absolutely impossible. The issue is not whether our defenses will be breached but when they will be.

This is why we must shift from a reactive approach to a more proactive stance. We must place far more attention toward making federal systems and networks resilient — that is, being able to continuously deliver the intended outcome despite adverse cyber events.

There is some good news. Agencies have made progress in their cybersecurity preparedness, which they can continue to build upon. In Accenture's recent 2018 State of Cyber Resilience survey, federal cybersecurity professionals report that they can now stop 87% of cyberattacks aimed at our systems. In Accenture Federal's Nature of Effective Defense research, federal respondents also rated themselves as competent or highly competent in 21 out of 33 foundational cybersecurity capabilities that are defined as essential to cyber preparedness. The top five areas respondents feel most confident about are: risk analysis, cybersecurity architecture approach, cyber-incident escalation paths, peer monitoring, and cyber-incident recovery.

There has been legislative progress as well: Last year, President Trump issued an executive order to strengthen the cybersecurity of federal networks and critical infrastructure, and Congress passed into law the Modernizing Government Technology (MGT) Act, which will expand federal IT modernization efforts. In May, the Department of Homeland Security (DHS) released a new cybersecurity strategy that places greater emphasis on building resilience into federal networks. In July, DHS announced the new National Risk Management Center to better coordinate responses to attacks and remediate their impact. And this September, the White House unveiled a new National Cyber Strategy that aims to improve the resilience of federal and critical infrastructures.

While these are all welcome developments, far more progress must be made. In May, a report by the Office of Management and Budget and DHS found that 71 of 96 agencies (74%) have cybersecurity programs that are either at risk or high risk. A Government Accountability Office (GAO) report in September found that agencies have not implemented roughly a thousand recommendations it has made to improve federal cybersecurity. In addition, in the Accenture State of Cyber Resilience survey, federal respondents ranked themselves least competent in several key capabilities, such as: identifying high-value assets and business, designing for the protection of key assets to improve resilience readiness, and cybersecurity investments for key assets.

Getting to cyber resilience requires that agencies think differently about how they build and implement their systems, particularly as they modernize their IT infrastructures. The following six steps, when embedded in agencies' modernization efforts and done in conjunction with the business process improvements identified by the State of Cyber Resilience survey, will help federal agencies transition to a cyber-resilience posture:

  1. Be brilliant at the basics. That includes routine maintenance tasks, such as patches, updates, and access permissions.
  2. Embrace the cloud for security. With the cloud, agencies can take advantage of elastic workloads, multizone computing, and multicloud strategies that make it exponentially more difficult for adversaries to find and harm them.
  3. Implement data-centric security. Techniques such as encryption, tokenization, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions help ensure data security is embedded in day-to-day operations.
  4. Demand application security by design. Adopt DevSecOps practices and use automated scanning and testing to continually identify potential vulnerabilities. Consider applying polymorphic coding techniques to constantly shape-shift the application attack surface to frustrate and raise the cost for the adversary.
  5. Leverage software-defined networking. Adversaries can't attack what they can't find. Software-defined networking enables agencies to constantly shape-shift their networks, sending adversaries on wild goose chases.
  6. Engage in proactive defense. Apply artificial intelligence and security automation and orchestration tools to detect and act at machine speed. Constantly probe and pressure test the IT environment to find vulnerabilities before attackers do. Fully leverage threat intelligence to better know the adversary and focus on the most important threats.

Knowing that federal agencies will continue to be under increasingly sophisticated attacks demands a shift in focus toward cyber resilience. It's also important to remember we got here one system, one application at a time, and that’s the same way we will get out of this problem. These six steps, adopted in any order, will help get us to a state of cyber resilience. 

Gus Hunt is Managing Director and Cyber Strategy Lead for Accenture Federal Services. He is responsible for developing differentiated approaches to dealing with the cyber threat environment and growing AFS's cyber practice. Before joining AFS, Hunt was chief architect and the ...
Comments
markgrogan,
User Rank: Strategist
12/12/2018 | 12:37:00 AM
Hit it first
These 2 terms really create a huge contrast between having to salvage our situation or being able to prevent that very difficult situation from even happening. In business, the latter is usually a huge cost-saver and in some instances, a complete life-saver for the security team. If we can foresee that big risks are about to come our way, why not hit it before we get hit?
Ritu_G,
User Rank: Moderator
12/22/2018 | 4:06:17 AM
Fine balance of objectives.
The problem with cyber security is that it's constantly evolving. True that we can't make sure that everything is in place but who's to say that we aren't sufficiently protected until the point that we are actually being attacked? We can only do what is our best, based on company budget allocated to the security department. And even so, we still have to make sure the business is profitable. Not everything will depend on security when it comes to making sure a business stays afloat.