Chuck Leaver – Eight Keys To The Eight Principles Of The OMB Data Breach 30 Day Cyber Security Sprint

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

After an enormous data breach at the Office of Management and Budget (OMB), agencies were directed by Tony Scott, Federal Chief Information Officer, to take immediate and specific actions over the next 4 weeks to further strengthen the security of their data and systems. For such a large organization this was a bold step, but the lesson from software development is that acting fast, or sprinting, can make a lot of headway on a problem in a short amount of time. For large organizations this is especially true, and the OMB is definitely large.

Eight principles were the focus. We have broken these down and offered insight on how each principle could be made more effective within the timeframe, to help the government make substantial inroads in just a month. As you would expect, we look at things from the endpoint, and by reading through the eight principles you will see how endpoint visibility would be key to an effective sprint.

1. Securing data: Better protect data at rest and in transit.

This is a good start, and rightly priority number one, but we would strongly recommend that OMB add the endpoint here. Many data protection programs forget the endpoint, yet it is where data is most exposed, whether at rest or in transit. The team needs to verify that it can assess endpoint software and hardware configuration, including the presence of any data protection and system security agents, not forgetting Microsoft BitLocker configuration checks. And that is just the start; compliance checking of mandated agents must not be forgotten, and it should be performed continually so that percentage coverage for each agent can be reported for audit.

2. Improving situational awareness: Improve indication and warning.

Situational awareness is akin to visibility: can you see exactly what is happening, where, and why? And obviously this has to be in real time. During the sprint it should be verified that identification and tracking of logged-in users, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, noteworthy log events and a myriad of other activity indicators is possible across many thousands of endpoints hosting vast numbers of processes. THIS is situational awareness for both indication and warning.

3. Increasing cyber security efficiency: Ensure a robust capacity to recruit and retain cyber security workers.

This is a challenge for any security program. Finding great talent is hard, and keeping it is even harder. To attract this kind of skillset, motivate people by providing current tools for the cyber battle. Make sure they have a system that offers total visibility of exactly what is happening at the endpoint and across the whole environment. As part of the sprint the OMB should analyze the tools in place and check whether each tool turns the security team from the hunted into the hunter. If not, replace that tool.

4. Increase awareness: Enhance overall threat awareness by all users.

Threat awareness starts with effective threat scoring, and fortunately this is something that can be done dynamically all the way down to the endpoint and can assist in educating every user. User education is never finished, as the continued success of social engineering attacks shows. But when security teams have endpoint threat scoring they have concrete evidence to show users where and how they are vulnerable. This real-world situational awareness (see #2) boosts user knowledge, while also supplying the security team with precise details on, say, known software vulnerabilities, cases of compromised credentials and insider attackers, alongside continuous monitoring of system, user and application activity and network points of contact, so that security analytics can highlight elevated threats for security personnel to triage.

5. Standardizing and automating processes: Reduce time needed to handle configurations and patch vulnerabilities.

More should be demanded of security services: that they are immediately deployable without tedious preparation, network standup or substantial staff training. Did the services in place take longer than a couple of days to deploy and require another full-time employee (FTE), or even half an FTE? If so, you have to rethink those services, because they are most likely hard to use (see #3) and are not getting the job done that you need, so the current tools will have to be improved. Also, look for endpoint services that not only report software and hardware configurations and active services and processes, but apply the National Vulnerability Database to report on vulnerabilities that are actually running and exposed, and then assign an overall vulnerability score to each endpoint to help overworked support staff prioritize patching.
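As an added illustration of the NVD-driven reporting described above (not Ziften's code, and not from the original post): installed and running software on each endpoint is matched against a constructed, NVD-style CVE list with placeholder CVE identifiers, a score weights running exposure above merely installed software, and the endpoints come out in patching order. The weighting and the exact-version matching are simplifying assumptions.

```python
# Constructed stand-in for NVD records with placeholder CVE ids (not real CVEs):
# product, the exact versions affected, and the CVSS base score.
CVE_FEED = [
    {"cve": "CVE-0000-0001", "product": "openssl", "versions": {"1.0.1f", "1.0.1g"}, "cvss": 7.5},
    {"cve": "CVE-0000-0002", "product": "java", "versions": {"7u45"}, "cvss": 9.3},
    {"cve": "CVE-0000-0003", "product": "flash", "versions": {"13.0.0.182"}, "cvss": 10.0},
    {"cve": "CVE-0000-0004", "product": "openssl", "versions": {"1.0.1f"}, "cvss": 5.0},
]

# Constructed endpoint inventory: installed software/version and which products are running.
ENDPOINTS = {
    "wks-01": {"installed": {"openssl": "1.0.1f", "java": "7u45"}, "running": {"java"}},
    "wks-02": {"installed": {"openssl": "1.0.2d", "flash": "13.0.0.182"}, "running": {"flash"}},
    "srv-01": {"installed": {"openssl": "1.0.1f"}, "running": {"openssl"}},
}

def match_cves(installed, feed=CVE_FEED):
    """Return feed records whose product/version matches something installed
    (exact version strings for brevity; real NVD matching uses CPE version ranges)."""
    return [rec for rec in feed if installed.get(rec["product"]) in rec["versions"]]

def endpoint_report(name, ep):
    """Split applicable CVEs into exposed (product running) and dormant (installed only).
    Score = CVSS sum of exposed CVEs + 0.5 * CVSS sum of dormant ones (assumed weighting)."""
    exposed, dormant = [], []
    for rec in match_cves(ep["installed"]):
        (exposed if rec["product"] in ep["running"] else dormant).append(rec)
    score = sum(r["cvss"] for r in exposed) + 0.5 * sum(r["cvss"] for r in dormant)
    return {"endpoint": name,
            "exposed": sorted(r["cve"] for r in exposed),
            "dormant": sorted(r["cve"] for r in dormant),
            "score": score}

def patch_priority(endpoints=ENDPOINTS):
    """Rank endpoints by vulnerability score, highest first: the patching order."""
    reports = [endpoint_report(n, ep) for n, ep in endpoints.items()]
    return sorted(reports, key=lambda r: (-r["score"], r["endpoint"]))

if __name__ == "__main__":
    for r in patch_priority():
        print(f'{r["endpoint"]}: score={r["score"]:.2f} exposed={r["exposed"]} dormant={r["dormant"]}')
```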

6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and handle events and incidents.

Fast identification of and response to problems is the primary goal in the new world of cyber security. During their 30-day sprint, OMB should examine their solutions and make sure to find technologies that can not only monitor the endpoint but track every process that runs and all of its network contacts, including user login attempts, to facilitate tracking of malware proliferation and lateral network movement. Data derived from endpoint command and control (C2) accesses associated with major data breaches suggests that about half of compromised endpoints host no recognizable malware, which raises the significance of login and contact activity. Proper endpoint security will retain OMB data for long-term analysis, since many indicators of compromise become available only after the event, or long afterwards, while persistent attackers may silently lurk or stay dormant for long periods. Attack code that can be sandbox-detonated and identified within minutes is not the mark of advanced attackers. The ability to keep clues and connect the dots across both spatial and temporal dimensions is essential to complete identification and complete, non-recidivist resolution.
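An added example, not part of the original post or Ziften's product, of the correlation the paragraph calls for: process-attributed network contacts and remote login events from a few endpoints (constructed telemetry) are linked into per-user hop chains across hosts, so that movement that leaves no malware behind still shows up in the login and contact record. Host, user and process names are assumptions.

```python
from collections import defaultdict
# Constructed telemetry: remote logins (with the host they came from) and outbound
# network contacts attributed to the process that made them, from a few endpoints.
EVENTS = [
    {"host": "wks-01", "kind": "login", "user": "alice", "src": "vpn-gw", "ok": True},
    {"host": "wks-01", "kind": "contact", "user": "alice", "proc": "powershell.exe", "dst": "srv-01", "port": 445},
    {"host": "srv-01", "kind": "login", "user": "alice", "src": "wks-01", "ok": True},
    {"host": "srv-01", "kind": "contact", "user": "alice", "proc": "wmic.exe", "dst": "srv-02", "port": 135},
    {"host": "srv-02", "kind": "login", "user": "alice", "src": "srv-01", "ok": False},
    {"host": "srv-02", "kind": "login", "user": "alice", "src": "srv-01", "ok": True},
    {"host": "wks-02", "kind": "contact", "user": "bob", "proc": "outlook.exe", "dst": "mail-01", "port": 443},
    {"host": "mail-01", "kind": "login", "user": "bob", "src": "wks-02", "ok": True},
]

def hop_edges(events):
    """Hops (user, src, dst, proc): a process on src contacted dst AND a successful remote
    login for the same user arrived on dst from src. Failed login attempts are tallied."""
    contacts = {(e["user"], e["host"], e["dst"]): e["proc"]
                for e in events if e["kind"] == "contact"}
    hops, failures = set(), defaultdict(int)
    for e in (x for x in events if x["kind"] == "login"):
        key = (e["user"], e["src"], e["host"])
        if not e["ok"]:
            failures[key] += 1
        elif key in contacts:
            hops.add(key + (contacts[key],))
    return hops, dict(failures)

def movement_chains(events, min_hops=2):
    """Link hops per user into host-to-host paths; paths of min_hops or more are reported
    as candidate lateral movement, together with the process behind each hop."""
    hops, _ = hop_edges(events)
    nxt = defaultdict(list)
    for user, src, dst, proc in hops:
        nxt[(user, src)].append((dst, proc))
    dests = {(u, d) for u, _, d, _ in hops}
    chains = []
    def walk(user, path, procs):
        ext = [(d, p) for d, p in nxt[(user, path[-1])] if d not in path]  # skip cycles
        if not ext:
            if len(path) - 1 >= min_hops:
                chains.append({"user": user, "path": path, "procs": procs})
            return
        for dst, proc in ext:
            walk(user, path + [dst], procs + [proc])
    for user, src in sorted({(u, s) for u, s, _, _ in hops if (u, s) not in dests}):
        walk(user, [src], [])  # start only from hosts nobody hopped into
    return chains
```

Bob's single hop to the mail server is below the threshold and is not reported; Alice's two-hop chain is, along with the one failed attempt recorded on the way.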

7. Strengthening systems lifecycle security: Increase the inherent security of platforms by purchasing more secure systems and retiring legacy systems in a timely manner.

This is a worthy goal, and a huge challenge at an organization as large as OMB. It is another place where proper endpoint visibility can immediately measure and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint failures (such as application crashes or hangs, service failures, or system crashes), and other indications of endpoints outliving their useful or secure service lives. That gives you a full inventory that you can prioritize for retirement and replacement.

8. Minimizing attack surfaces: Reduce the complexity and quantity of things defenders have to protect.

If numbers 1 through 7 are implemented, and the endpoint is properly considered, this will be a substantial step in reducing attack risk. In addition, endpoint security can also give a picture of the actual attack surface. Consider the ability to quantify attack surface by the number of distinct binary images exposed across the whole endpoint population. For example, our 'Ziften Pareto analysis' of binary image frequency statistics produces a typical "ski slope" distribution, with a long thin tail showing vast numbers of extremely rare binary images (present on less than 0.1% of total endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also complicates vulnerability lifecycle management). Data from many customer deployments reveals egregious bloat factors of 5-10X compared to a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces produce a target-rich attackers' paradise.
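To make the Pareto analysis concrete, here is an added example (not Ziften's analysis code) over a constructed population of 2,000 endpoints: it computes the binary image frequency "ski slope", the rare tail below 0.1% of endpoints, version proliferation per product, and a bloat factor against a disciplined baseline defined here as one version per product with no rare tail. The image ids, the population layout and that baseline definition are all assumptions.

```python
from collections import Counter

def build_population(n=2000):
    """Constructed inventory: endpoint -> set of binary image ids (stand-ins for image hashes).
    Every endpoint carries 40 core images; 30 apps are spread across 3 versions each
    (version proliferation); every tenth endpoint also carries a unique one-off binary."""
    inv = {}
    for e in range(n):
        imgs = {f"core-{i}" for i in range(40)}
        imgs |= {f"app-{i}-v{(e + i) % 3}" for i in range(30)}
        if e % 10 == 0:
            imgs.add(f"oneoff-{e}")
        inv[f"ep-{e}"] = imgs
    return inv

def product_of(img):
    """Collapse a versioned image id to its product name (app-3-v1 -> app-3)."""
    return img.rsplit("-v", 1)[0]

def attack_surface_report(inventory, rare_fraction=0.001):
    """Pareto view of the binary population: the frequency 'ski slope', the rare tail
    (images on fewer than rare_fraction of endpoints), products with several versions,
    and bloat factor = distinct images / distinct images a disciplined population would
    carry (one version per product, no rare tail)."""
    n = len(inventory)
    freq = Counter()
    for imgs in inventory.values():
        freq.update(imgs)
    slope = sorted(freq.values(), reverse=True)
    rare = {img for img, c in freq.items() if c / n < rare_fraction}
    versions = Counter(product_of(img) for img in freq)
    sprawl = {p: v for p, v in versions.items() if v > 1}
    baseline = len({product_of(img) for img in freq if img not in rare})
    return {
        "endpoints": n,
        "distinct_images": len(freq),
        "slope_head": slope[:3],
        "slope_tail": slope[-3:],
        "rare_images": len(rare),
        "multi_version_products": sprawl,
        "bloat_factor": len(freq) / baseline,
    }

if __name__ == "__main__":
    rep = attack_surface_report(build_population())
    print({k: v for k, v in rep.items() if k != "multi_version_products"})
    print("products with >1 version:", len(rep["multi_version_products"]))
```

With this layout the bloat factor comes out near 4.7X, in the range the post reports for lax populations.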

The OMB sprint is a good reminder to all of us that good things can be achieved quickly, but that it takes vision, not to mention visibility. Visibility, down to the endpoint, will be an important piece for OMB to consider as part of its 30-day sprint.

 
