Charles Leaver – 30 Days To The OMB Cyber Security Sprint With 8 Principles And 8 Keys

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


After suffering an enormous data breach at the Office of Management and Budget (OMB), agencies were commissioned by Tony Scott, Federal Chief Information Officer, to take immediate and specific actions over the next four weeks to further improve the security of their data and systems. For such a large organization it was a bold move, but lessons learned from software development have shown that acting quickly, or sprinting, can make a lot of headway on an issue in a short amount of time. This can be especially true for large organizations, and the OMB is certainly large.

The sprint focused on 8 principles. We have broken these down and provided insight on how each principle could be made more efficient within the timeframe, to help the government make significant inroads in just a month. As you would expect, we look at things from the endpoint, and by reading through the 8 principles you will see how endpoint visibility would have been crucial to a successful sprint.

1. Protecting data: Better safeguard data at rest and in transit.

This is a good start, and appropriately priority one, but we would certainly encourage OMB to include the endpoint here. Many data protection solutions forget the endpoint, yet it is where data can be most vulnerable, whether at rest or in transit. The team needs to check whether it can assess endpoint software and hardware configuration, including the presence of any data security and system security agents, not forgetting Microsoft BitLocker configuration checking. And that is just the start: compliance checking of mandated agents should not be forgotten, and it should be performed continually, enabling audit reporting of the percentage coverage for each agent.

2. Improving situational awareness: Enhance indication and warning.

Situational awareness resembles visibility: can you see what is really taking place, and where and why? And obviously this has to be in real time. During the sprint it needs to be validated that identification and tracking of logged-in users, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, notable log events and a myriad of other activity indicators is possible across many thousands of endpoints hosting huge oceans of processes. THIS is situational awareness for both warning and indication.

3. Increasing cyber security proficiency: Make sure a robust capacity to hire and retain cyber security workers.

This is a challenge for any security program. Finding excellent talent is tough, and retaining it even more so. If you want to attract this type of skillset, persuade them by offering the latest tools for cyber battle. Make certain that they have a system that provides total visibility of exactly what is taking place at the endpoint and across the whole environment. As part of the sprint, the OMB needs to analyse the tools that are in place and check whether each tool turns the security team from the hunted into the hunter. If not, change that tool.

4. Increase awareness: Enhance overall threat awareness by all users.

Risk awareness starts with effective threat scoring, and thankfully this is something that can be achieved dynamically all the way to the endpoint and can help with the education of every user. The education of users is a challenge that is never finished, as evidenced by the high success rate of social engineering attacks. But when security teams have endpoint risk scoring, they have concrete material to show users where and how they are susceptible. This real-life situational awareness (see #2) increases user knowledge, as well as providing the security team with accurate details on, say, known software vulnerabilities, cases of compromised credentials and insider attackers. It also supports continual monitoring of system, user, and application activity and network points of contact, so that security analytics can highlight heightened risks for triage by security staff.

5. Standardizing and automating procedures: Reduce time needed to handle configurations and patch vulnerabilities.

More protection ought to be required from security solutions, and they should be readily deployable without tedious preparation, infrastructure standup or extensive staff training. Did the solutions in place take longer than a couple of days to implement and demand another full-time employee (FTE), or even half an FTE? If so, you have to rethink those solutions, because they are probably hard to use (see #3) and aren't doing the job that you require, so you will have to improve the present tools. Likewise, look for endpoint solutions that not only report software and hardware configurations and active services and processes, but also apply the National Vulnerability Database to report on vulnerabilities that are actually running and exposed, and then assign an overall vulnerability score to each endpoint to help overworked support staff prioritize patching.

6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and resolve events and incidents.

The quick recognition of and response to issues is the primary goal in the new world of cyber security. During their 30-day sprint, OMB should assess their solutions and make sure to find technologies that can not only monitor the endpoint, but also track every process that runs and all of its network contacts, including user login attempts, to facilitate tracking of malicious software proliferation and lateral network movement. Data derived from endpoint command and control (C2) accesses associated with major data breaches shows that about half of compromised endpoints do not host recognizable malware, which heightens the relevance of login and contact activity. Appropriate endpoint security will monitor OMB data for long-term analysis, given that many indicators of compromise become available only after the event, or perhaps long afterwards, while persistent hackers might quietly lurk or remain dormant for extended periods of time. Attack code that can be sandbox detonated and recognized within minutes is not indicative of advanced hackers. This ability to keep clues and connect the dots across both spatial and temporal dimensions is vital to full identification and complete non-recidivist resolution.

7. Reinforcing systems lifecycle security: Boost the intrinsic security of platforms by buying more secure systems and retiring legacy systems in a prompt manner.

This is a worthy objective to have, and a massive challenge at a big organization such as OMB. This is another place where appropriate endpoint visibility can automatically determine and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint mishaps (such as application crashes or hangs, service failures, or system crashes), and other indicators of endpoints outliving their useful or secure service lives. Now you have a full inventory list that you can prioritize for retirement and replacement.

8. Decreasing attack surfaces: Decrease the complexity and quantity of things defenders need to secure.

If numbers 1 through 7 are implemented, and the endpoint is considered properly, this will be a substantial step in lowering the attack risk. In addition, however, endpoint security can also provide a view of the actual attack surface. Think about the ability to quantify attack surface area based on the number of distinct binary images exposed across the entire endpoint population. For example, our ‘Ziften Pareto analysis’ of binary image prevalence statistics produces a typical “ski slope” distribution, with a long skinny tail showing vast numbers of very rare binary images (present on fewer than 0.1% of total endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also exacerbates vulnerability lifecycle management). Data from numerous customer deployments reveals egregious bloat factors of 5-10X, compared to a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich attackers’ paradise.
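The prevalence analysis described above can be sketched as follows. This is an added example, not Ziften's code or method: the inventory is constructed, image IDs stand in for binary hashes, and the bloat-factor definition (distinct images observed divided by the distinct-image count of a managed baseline) and the baseline value are assumptions.

```python
from collections import Counter

RARE_THRESHOLD = 0.001  # "fewer than 0.1% of total endpoints", from the text


def build_sample_inventory(n=2000):
    """Constructed data: endpoint name -> list of binary image IDs found on it."""
    inventory = {}
    for i in range(n):
        images = ["img-os", "img-browser"]
        if i % 2 == 0:
            images.append("img-office")
        if i % 10 == 0:
            images.append(f"img-oneoff-{i}")  # sprawl: seen on one endpoint only
        inventory[f"host-{i:04d}"] = images
    return inventory


def binary_prevalence(inventory):
    """Fraction of endpoints on which each distinct binary image appears."""
    counts = Counter()
    for images in inventory.values():
        counts.update(set(images))  # count an image once per endpoint
    total = len(inventory)
    return {image: n / total for image, n in counts.items()}


def attack_surface_report(inventory, baseline_distinct):
    """Summarize the prevalence curve: head, rare tail, and bloat factor.

    baseline_distinct is an assumed figure: the number of distinct images
    expected in a tightly managed population of the same kind.
    """
    prevalence = binary_prevalence(inventory)
    ranked = sorted(prevalence.items(), key=lambda kv: kv[1], reverse=True)
    rare = [image for image, p in ranked if p < RARE_THRESHOLD]
    return {
        "endpoints": len(inventory),
        "distinct_images": len(ranked),
        "rare_images": len(rare),
        "rare_share": len(rare) / len(ranked) if ranked else 0.0,
        "bloat_factor": len(ranked) / baseline_distinct,
        "head": ranked[:3],  # most prevalent images, top of the "ski slope"
    }


if __name__ == "__main__":
    report = attack_surface_report(build_sample_inventory(), baseline_distinct=29)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed population the three common images form the head of the curve, while the one-off images make up almost the entire distinct-image count, which is the long tail the paragraph describes.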

The OMB sprint is a great reminder to us all that good things can be achieved quickly, but that it takes vision, not to mention visibility. Visibility, to the endpoint, will be a crucial piece for OMB to consider as part of their 30-day sprint.

