As noted in the survey from MeriTalk this week (read the full report here), Federal IT pros cite numerous challenges with their current security solutions, including integration challenges, long provisioning cycles, performance shortcomings, fragmented solutions, and lack of security for their virtual machines.
Security for the data center and cloud computing has to ensure not only the protection of north-south communications (those to and from the data center) but also east-west communications (those between virtual machines). It must be able to quickly learn which IP addresses are changing, then automatically apply those changes contextually to update security policies. Otherwise administrators are left constantly chasing their data center changes – a cumbersome process that can leave the network vulnerable. You’ve heard us say it before, and you’ll likely hear us say it again: IT must also have visibility to what applications are being used within the data center or their cloud instance(s) and be able to contextually control who has access. But the reality is that the MeriTalk report’s findings signify either a lack of awareness of, or ability to invest in, the right security options for today’s consolidating, virtualizing data centers and cloud implementations. You can read more about what we do today to address all of the main technology challenges identified in the survey here.
What isn’t mentioned in the survey but which we do see in our own data is that 10 business critical applications – those typically found running in data centers – generate 94 percent of our customers’ exploit logs. This means there is tremendous risk within today’s data centers. What’s more, the widespread encryption used in today’s applications can actually be hiding attacker communications. Often, organizations feel that as long as they are monitoring their (cleartext) web and email traffic, they are secure. But that’s far from the case. You’ve likely heard us refer to the attackers today as “hiding in plain sight,” using applications and exploit techniques in innovative ways to mask dangerous threat activity.
Ironically, the consolidation of Government data centers and the adoption of virtualization and the public cloud, including AWS GovCloud, should conceivably save money. The Federal Data Center Consolidation Initiative (FDCCI) aims to reduce the costs of data center operations as well as the necessary hardware and software to run all of the data centers. The hope is that the reduction of the real estate footprint will also reduce costs and energy consumption.
Yet by all accounts, the U.S. government still lags behind in adoption. You can review another report MeriTalk issued earlier last year which is one indicator of how far behind the U.S. government may be on a number of these initiatives. According to MeriTalk, only 14 percent of agencies had completed their virtualization projects last spring, meaning overall, the government is estimated to miss $2.7B in possible savings. Apparently only 9 percent of agencies had adopted cloud computing, which again is estimated to leave $3.2B in unrealized savings. These federal agencies point to network reliability and capacity issues as impediments. The good news is that when government agencies *do* choose to adopt consolidation, virtualization and cloud computing, they turn to Palo Alto Networks to provide good, sound options to secure data and applications every step of the way.
Encouraging sound security practices with employee education
Employee education is important but it’s not foolproof. The right security technology should always ensure the utmost protection regardless of human missteps. Processes such as red teaming to test user behavior and technology controls are also important. Regardless of how much you train, attackers will always evolve their techniques to fool even the most diligent employees.
Look at the evolution from blatantly obvious phishing emails to today’s watering hole attacks in which attackers target legitimate and well-used websites to plant malicious code. How would a government employee or partner know not to visit the same website he/she has always visited for a conference, for research, or to seek other information? The security controls we provide in our Enterprise Security Platform can block the URL or IP address – so you don’t have to rely on the employee’s knowledge or decisions. Threat Prevention can prevent malware and Traps Advanced Endpoint Protection can prevent exploit techniques against vulnerabilities on the host or client machine – regardless of whether the IT team has gotten around to updating the software with the given vulnerability or even before they know about an as-yet-undisclosed vulnerability.
But that doesn’t mean we can ignore the employee education component. Train and retrain. Governments and all organizations can create mandatory employee training, but to be meaningful, the materials must be refreshed so that the knowledge sharing is timely and keeps up with the latest attacker techniques. You can also institute red team exercises against the people part of the people/process/technology triad to test employee knowledge of good security practices or “hygiene”. These are informative for everyone and can demonstrate real-world use cases (without necessarily naming the employee involved) which are always more informative than describing theoretical situations. For an employee, security training is as engaging as you make it — especially if you walk them through real-world scenarios and ask what they would do. Their responses can inform where you need to emphasize future training.
The threats to federal systems will of course continue to grow. The payoff for a disclosure of sensitive government activities or disruption of critical systems is enormous for attackers as we all know. I don’t like to give the attackers any more attention than necessary to get across the point. The U.S. move to Continuous Diagnostics and Mitigation (CDM) is an important step to provide government agencies with ongoing visibility to what is happening on their networks all the time – not just a once-in-a-predetermined-period review of security controls.
I know that all of our government customers work hard to maintain the best security practices using the NIST Cyber Security Framework and the ISO 27000 series of standards. And don’t forget to include SCADA security in your overall security planning. The threats of today and the future will not be limited to the IT infrastructure alone.