Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/5/2018
02:30 PM
Gus Hunt
Gus Hunt
Commentary
Connect Directly
LinkedIn
RSS
50%
50%

A Shift from Cybersecurity to Cyber Resilience: 6 Steps

Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. Here's where to begin.

Since federal agencies have been connected to the Internet, government cyber activities have focused on protecting government information, operations, and assets against intrusions from cyber threats.

Although this security-driven focus has had beneficial effects, the cyber-threat landscape is moving at a far greater velocity, with a far larger threat landscape, and is growing more complex than federal agencies — or any other organization — can keep pace with. We must now admit that absolute cybersecurity is absolutely impossible. The issue is not whether our defenses will be breached but when they will be.

This is why we must shift from a reactive approach to a more proactive stance. We must place far more attention toward making federal systems and networks resilient — that is, being able to continuously deliver the intended outcome despite adverse cyber events.

There is some good news. Agencies have made progress in their cybersecurity preparedness, which they can continue to build upon. In Accenture's recent 2018 State of Cyber Resilience survey, federal cybersecurity professionals report that they can now stop 87% of cyberattacks aimed at our systems. In Accenture Federal's Nature of Effective Defense research, federal respondents also rated themselves as competent or highly competent in 21 out of 33 foundational cybersecurity capabilities that are defined as essential to cyber preparedness. The top five areas respondents feel most confident about are: risk analysis, cybersecurity architecture approach, cyber-incident escalation paths, peer monitoring, and cyber-incident recovery.

There has been legislative progress as well: Last year, President Trump issued an executive order to strengthen the cybersecurity of federal networks and critical infrastructure, and Congress passed into law the Modernizing Government Technology (MGT) Act, which will expand federal IT modernization efforts. In May, the Department of Homeland Security (DHS) released a new cybersecurity strategy that places greater emphasis on building resilience into federal networks. In July, DHS announced the new National Risk Management Center to better coordinate responses to attacks and remediate their impact. And this September, the White House unveiled a new National Cyber Strategy that aims to improve the resilience of federal and critical infrastructures.

While these are all welcome developments, far more progress must be made. In May, a report by the Office of Management and Budget and DHS found that 71 of 96 agencies (74%) have cybersecurity programs that are either at risk or high risk. A Government Accountability Office (GAO) report in September found that agencies have not implemented roughly a thousand recommendations it has made to improve federal cybersecurity. In addition, in the Accenture State of Cyber Resilience survey, federal respondents ranked themselves least competent in several key capabilities, such as: identifying high-value assets and business, designing for the protection of key assets to improve resilience readiness, and cybersecurity investments for key assets.

Getting to cyber resilience requires that agencies think differently about how they build and implement their systems, particularly as they modernize their IT infrastructures. The following six steps, when embedded in agencies' modernization efforts and done in conjunction with the business process improvements identified by the State of Cyber Resilience survey, will help federal agencies transition to a cyber-resilience posture:

  1. Be brilliant at the basics. That includes routine maintenance tasks, such as patches, updates, and access permissions.
  2. Embrace the cloud for security. With the cloud, agencies can take advantage of elastic workloads, multizone computing, and multicloud strategies that make it exponentially more difficult for adversaries to find and harm them
  3. Implement data-centric security. Techniques such as encryption, tokenization, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions help ensure data security is embedded in day-to-day operations.
  4. Demand application security by design. Adopt DevSecOps practices and use automated scanning and testing to continually identify potential vulnerabilities. Consider applying polymorphic coding techniques to constantly shape-shift the application attack surface to frustrate and raise the cost for the adversary.
  5. Leverage software-defined networking. Adversaries can't attack what they can't find. Software-defined networking enables agencies to constantly shape-shift their networks, sending adversaries on wild goose chases.
  6. Engage in proactive defense. Apply artificial intelligence and security automation and orchestration tools to detect and act at machine speed. Constantly probe and pressure test the IT environment to find vulnerabilities before attackers do. Fully leverage threat intelligence to better know the adversary and focus on the most important threats.

Knowing that federal agencies will continue to be under increasingly sophisticated attacks demands a shift in focus toward cyber resilience. It's also important to remember we got here one system, one application at a time, and that’s the same way we will get out of this problem. These six steps, adopted in any order, will help get us to a state of cyber resilience. 

Related Content:

 

Gus Hunt is Managing Director and Cyber Strategy Lead for Accenture Federal Services. He is responsible for developing differentiated approaches to dealing with the cyber threat environment and growing AFS's cyber practice. Before joining AFS, Hunt was chief architect and the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
markgrogan
50%
50%
markgrogan,
User Rank: Strategist
12/12/2018 | 12:37:00 AM
Hit it first
These 2 terms really create a huge contrast between having to salvage our situation or being able to prevent that very difficult situation from even happening. In business, the latter is usually a huge cost-saver and at some instances, a complete life-saver for the security team. If we can foresee that big risks are about to come our way, why not hit it before we get hit?
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
12/22/2018 | 4:06:17 AM
Fine balance of objectives.
The problem with cyber security is that it's constantly evolving. True that we can't make sure that everything is in place but who's to say that we aren't sufficiently protected until the point that we are actually being attacked? WE can only do what is our best, based on company budget allocated to the security department. And even so, we still have to make sure the business is profitable. Not everything will depend on security when it comes to making sure a business stays afloat.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36289
PUBLISHED: 2021-05-12
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and fro...
CVE-2021-32606
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVE-2021-3504
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
CVE-2021-20309
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
CVE-2021-20310
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...