
    What you'll read:

    • How cybersecurity asset management helps in building a strong security posture.
    • The importance of automation in delegating necessary but mundane tasks.
    • How to maintain an effective Zero Trust approach.

    While cybersecurity is a monumental challenge for all federal agencies, it becomes even more daunting when factoring in the many regulations and mandates organizations are required to adhere to. From Executive Order 14028 to CISA’s Binding Operational Directive 23-01 and beyond, it can be difficult for agencies to successfully manage all of the actions they must take to achieve true Zero Trust cybersecurity as defined by the federal government.

    Our recent webinar addressed this challenge head-on through the perspective of one of the federal government’s most visionary IT leaders. In Mayhem to Magic: How to Meet the Mandate, Modernize the Mission, Minimize the Risk, Robert “Rob” Roser, CISO and CDO at Idaho National Laboratory (INL), shared his thoughts on how to balance a risk-based approach to meeting compliance requirements, the role that automation and tools play in boosting an organization’s security posture, how to use government mandates as a launch pad for innovation, and more.

    Here are some highlights from that conversation.

    You need to be able to see it to protect it

    Shortly after Rob assumed his role in 2019, the INL’s cybersecurity “demilitarized zone” was hacked by Advanced Persistent Threat Group 41 (APT-41), a Chinese-backed criminal organization. Rob and his team successfully mitigated the infiltration within 24 hours, but the attack made it clear that changes needed to be made.

    “The security posture we were representing was not the security posture we were executing,” said Rob. “We had to change culture and tools (and) put a new architecture in place.”

    The APT-41 incident proved that “you can’t protect what you can’t see” and that having total asset visibility is key to both a strong security posture and meeting government mandates. In the webinar, Rob detailed the steps INL took to ensure they had the necessary visibility to prevent a similar attack from happening in the future and talked about the roles that cybersecurity asset management technologies and automation play in this effort.

    Automation is critical to enable skilled cyber staff to focus on threats

    Rob’s team at INL consists of 50 experienced and dedicated individuals, but despite their talents, they simply do not have the resources to keep up with a rapidly evolving threat landscape. In Rob’s words, “the adversaries have the advantage. We have to continue to figure out how to leverage emerging technologies in order to play defense.”

    Automation is one of those emerging technologies. It allows Rob’s team to delegate necessary but mundane tasks to software so they can focus on high-priority items.

    Automation enables more efficient and accurate responses to data calls

    Rob is also using automation to efficiently manage data calls and satisfy FISMA data reporting requirements. Every quarter, FISMA issues a data call requesting an inventory of all of Idaho National Laboratory’s assets. To make reporting more efficient, the lab uses Axonius to automatically catalog its asset inventory. The lab then shares this inventory with the Department of Energy, which mines a copy of the data and shares it with FISMA.

    As a result, “we don’t have to answer a number of the data calls (issued by FISMA),” according to Rob. The team saves significant time while remaining in compliance.

    The “castle and moat” model is no longer sufficient in Zero Trust mandated environments

    Organizations have traditionally protected themselves through a “castle and moat” approach, using firewalls as the first line of defense. Rob talked about why, in the world of Zero Trust, this approach is no longer sufficient. Per Rob, today, “identity is your firewall. You’re paying attention to your data, applications, and network. It’s much more expensive and complicated to execute a Zero Trust strategy than a traditional one.”

    To maintain an effective Zero Trust approach that meets requirements like those spelled out in the Office of Management and Budget’s Zero Trust memorandum, agencies need to embrace a change in cybersecurity philosophy. That includes proactively identifying gaps in risk postures, which goes back to the need for complete IT asset visibility. This is particularly important as agencies introduce new tools into their environment. Without a complete view of all of these assets, Zero Trust is unattainable.

    Cybersecurity incidents can be learning experiences and launchpads for advancement

    Cybersecurity incidents should always be used as learning experiences organizations can use to make improvements to their risk profiles. For Rob and his team, the APT-41 attack allowed them to identify and repair areas of weakness so that INL is better fortified against future threats.

    As an example, Rob spoke about the advancements INL has made with its endpoint detection and response (EDR) tool. The organization’s previous solution was configured in a way that allowed a single system administrator to change its configuration settings, which ultimately helped contribute to the APT-41 attack. Thanks to lessons learned during the attack, Rob and his team upgraded their EDR tool and security policies.

    Today, any policy changes require authorization from two administrators. Further, INL is using advanced managed defense and response EDR capabilities. “It gives us an additional sort of security, especially in today’s world,” said Rob. “(Especially given) what’s going on in Israel, Russia, and the Ukraine, time is of the essence, so we’ve added capabilities.”
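    As an added illustration of the two-administrator rule described above (example code, not INL’s or any vendor’s implementation; the administrator names, change identifiers and approval flow are constructed), here is a small Python gate that refuses to apply an EDR policy change until two distinct administrators, neither of them the requester, have approved it, and that logs every decision for later review:

```python
from dataclasses import dataclass, field

@dataclass
class PolicyChangeRequest:
    """A proposed EDR policy change awaiting dual authorization (constructed example)."""
    change_id: str
    requested_by: str
    description: str
    approvals: set = field(default_factory=set)
    applied: bool = False

class DualAuthorizationError(Exception):
    """Raised when an action would let one person act alone."""

class EdrPolicyGate:
    """Applies a policy change only after two distinct administrators approve it."""
    REQUIRED_APPROVALS = 2

    def __init__(self, admins):
        self.admins = set(admins)  # hypothetical administrator roster
        self.audit_log = []        # every decision is recorded for later review

    def request(self, change_id, requested_by, description):
        if requested_by not in self.admins:
            raise DualAuthorizationError(f"{requested_by} is not an administrator")
        req = PolicyChangeRequest(change_id, requested_by, description)
        self.audit_log.append(f"REQUEST {change_id} by {requested_by}: {description}")
        return req

    def approve(self, req, approver):
        """Record one approval; returns True once the two-person quorum is met."""
        if approver not in self.admins:
            raise DualAuthorizationError(f"{approver} is not an administrator")
        if approver == req.requested_by:
            raise DualAuthorizationError("requester cannot approve their own change")
        if approver in req.approvals:
            raise DualAuthorizationError(f"{approver} already approved {req.change_id}")
        req.approvals.add(approver)
        self.audit_log.append(f"APPROVE {req.change_id} by {approver}")
        return len(req.approvals) >= self.REQUIRED_APPROVALS

    def apply(self, req):
        """Apply the change only with quorum; a lone administrator is denied and logged."""
        if len(req.approvals) < self.REQUIRED_APPROVALS:
            self.audit_log.append(f"DENY {req.change_id}: {len(req.approvals)} approval(s)")
            return False
        req.applied = True
        self.audit_log.append(f"APPLY {req.change_id}")
        return True
```

    The same gate, with REQUIRED_APPROVALS raised, generalizes to any N-person control over security-tool configuration.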

    Protection needed from social engineering attacks

    Rob touched upon many other important topics throughout the webinar, including how he’s building his cybersecurity technology roadmap for federal fiscal year 2024, the need to protect human beings from increasingly sophisticated social engineering attacks, and the steps he’s taking to ensure his organization’s Zero Trust journey aligns with federal mandates.

    Watch Mayhem to Magic: How to Meet the Mandate, Modernize the Mission, Minimize the Risk, and learn how one of your peers is doing all of that and more.
