Ivanti Blog: Posts by

Making Sure the Future of Federal Work Is Secure and Enjoyable – Why We’re Partnering with NIST on Its Zero Trust Project

Thu, 04 Aug 2022 18:54:19 Z

Last year, we announced our partnership with the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) to work on the Implementing a Zero Trust Architecture project. 

After a year of collaboration with its industry partners, including Ivanti, NIST recently released its preliminary draft, NIST Cybersecurity Practice Guide SP 1800-35 Vol B, for public comment.

Together, we are collaborating with NIST and ZTA technology providers to build several example ZTA solutions, demonstrating their ability to provide secure access to corporate resources.

The solutions will enforce corporate security policy dynamically and in near-real-time with:

Restricting access to authenticated, authorized users and devices.
Supporting a flexible, complex set of diverse business use cases involving a remote workforce, cloud use and partner collaboration.
Supporting contractors.

Our proposed solutions build upon the work of NIST Special Publication (SP) 800-207. The publication digs into how to leverage commercially available technology, including Ivanti Neurons for MDM (MI Cloud FedRAMP) to build interoperable, open, standards-based ZTA implementations that align to the concepts and principles in NIST Special Publication.

Working to secure a zero trust federal government

At Ivanti, we were pleased to contribute to this draft, as the executive order on improving the nation’s cybersecurity calls for the federal government to move to a zero trust architecture.

We worked with NIST on three principal areas for successfully implementing zero trust across government:

Securing the managed mobile device.
Supporting remote workers with access to resources – regardless of the user’s location or device.
Establishing conditional access controls with validation of the device, network and apps, before allowing access.

These areas are important for security and potentially help with job retention in the federal government – which is desperately needed. According to the June job report, the government has lost 640,000 jobs since the pandemic began.

Allowing flexibility in federal workplaces

While security must be paramount for our federal agencies, which have faced an onslaught of attacks in recent years, we must make sure the federal government is an enjoyable place to work.

With recent news reports showing the public sector is falling behind in attracting and retaining top talent, making these adjustments can be a huge step in catching up to the private sector.

That means supporting telework, allowing employees to bring their own devices to work and more, all while maintaining the highest levels of security through a zero trust architecture and securing employees’ mobile devices.

All of this is possible through embracing the Everywhere Workplace.

While this is not the final publication, we’re excited by the work we’ve done and will continue to do throughout this process, ensuring the future of zero trust in government includes the flexibility for employees to securely and safely work from everywhere.

Employing DEX in the Public Sector to Attract and Retain Top Talent

Mon, 01 Aug 2022 19:24:57 Z

A recent news report shows the federal government is struggling significantly more than the private sector when recruiting new employees.

Axios reporter Emily Peck writes: “While the number of private-sector jobs surpassed its pre-pandemic level, there are 664,000 fewer people employed in the public sector, according to the government jobs report released [July 8].”

Peck speculates this disparity can be attributed to the inflexibility of government work. Pay is often lower than similar positions in the private sector, and there may be less fully remote and hybrid options.

With the nature of work forever changed, how employees interact with technology can define their success and the value they deliver in their organizations.

As long as there is a sharp focus on the potential for flexible and secure networks, the Everywhere Workplace is undeniably the future of work, and digital experience is its number-one enabler. 

DEX report highlights employee frustrations

Recently, Ivanti worked with global digital transformation experts and surveyed 10,000 office workers (including some in government), IT professionals, and the C-suite to evaluate how they prioritize and adopt digital employee experience (DEX) in organizations and how it shapes the daily working experience.

The responses to this extensive survey found inadequate and sometimes difficult technology was a key contributor to employee dissatisfaction.

The results of the DEX report show:

Nearly two-thirds of employees believe they would be more productive with better technology at their disposal.
49% find the tools and technology provided by their organization frustrating. 
Over two-thirds of knowledge workers have spent their own money on new hardware and software to get their work done.
80% of employees identified they are working across multiple applications and platforms to get work done.
50% responded they have considered quitting their job partly due to the technology applications and tools currently available to them.

Technology should not be a burden to success but elevate and streamline workflows.

Recently, the House Select Committee on Modernization of Congress considered how integrating updated technology in the legislative process can make Congress more efficient and transparent. These large-scale upgrades show the importance of digital modernization and should also be considered on a smaller scale within the everyday employee experience.

As the federal government fiercely competes with the private sector for talent, it is critical to ensure the technology tools government employees utilize daily meet their needs.

What this means for the public sector

In the war for talent, a pivotal differentiator for organizations is providing an exceptional and secure digital experience, especially within the public sector.

If the public sector were willing to emphasize modern and operational technology for employees, there would be broader potential to attract and retain the type of employees the sector needs. Our research found that 65% of current employees said they could be more productive if they had different tools.

With the availability of innovative new technologies that enable and support hybrid workforces, IT now has the opportunity to make a positive impact on broader organizational strategy.

By taking ownership of DEX and working closely agency leadership to accomplish common goals, IT can drive better business outcomes – from employee productivity to workforce retention.

With the new release of Ivanti Neurons for Digital Experience, IT teams can better understand, measure and improve their digital employee experience. Ivanti Neurons for Digital Experience effectively measures and proactively optimizes the experience employees get through the devices and applications they rely on in their Everywhere Workplace.

It provides IT teams with real-time actionable insights, including the ability to assess employee sentiment, track and optimize experience over time and make recommendations on actions to remediate and improve the digital employee experience.

Cybersecurity Awareness Month – It's Not Just for October: Reminders that Deserve Year-Round Attention!

Fri, 22 Oct 2021 20:18:17 Z

Since 2003, with the sponsorship of the U.S. Department of Homeland Security (DHS), October has been recognized as National Cyber Security Awareness Month. As with other important issues that have “designated months,” like Bullying Prevention Month and Domestic Violence Awareness Month (both also recognized in October), these are issues that deserve year-round attention, not limited to 31 days in October. As a result, this seems like a good time to revisit some critical aspects of cybersecurity about which Federal, State, and local agencies need to remain particularly vigilant.

After 18 months of this worldwide pandemic, I think we all realize that we will continue to support either a fully remote, or at best a hybrid workforce, for the foreseeable future. Our employees and contractors continue to work from everywhere. The almost overnight transition to nearly 100% telework in March of 2020 has presented challenges for connectivity, VPN capacity and routing, and expanded the agency’s threat surface significantly. Add to that, the timing of this move to remote work coincided, for many agencies, almost perfectly with their migration to Office 365 and cloud-based productivity apps. This further acerbated the strain on IT and network administrators charged with patching and protecting their network, applications, and data.

Two of the most critical threats facing agencies today are Phishing Attacks and Weaponized Vulnerability Attacks. DHS recently said, that as agencies are improving their cybersecurity protections and access controls, Nation-state threat actors and cyber attackers are focusing even more attention on “Spear Phishing” -- targeting specific individuals within an organization to gain an entry foothold. DHS went on to say that these “Spear Phishing” attacks, are not necessarily focused on high profile or senior executives, rather they are focused on individuals for which they have sufficient information to create an individualized and enticing phishing email. The bottom line, spear phishing is not necessarily targeting the biggest fish, just the easiest to catch!

At the same time, the speed of vulnerability weaponization continues to increase. As threat actors are maturing their tactics and weaponizing vulnerabilities, especially those with remote code execution, organizations are struggling to discover their attack surface, understand the risk and implement ways to accelerate patch and remediation actions. If we think back to 2017, which seems like an eon ago in cybersecurity years, we recall the “WannaCry” ransomware attacks. This exploit and resulting ransomware, encrypted hundreds of thousands of computers around the globe. The more important thing to recall from this attack, is that the vulnerability that was exploited and the patch to address the vulnerability, were known for months in advance of the attack. And even now, four years later, more than 60% of companies still have not implemented the necessary patch and remain vulnerable to this attack. In the first quarter of 2021, there was a 53% increase in the number of organizations newly infected with WannaCry ransomware.

So, what do agencies do to protect against ransomware?

1. Employee Training – Even while only marginally effective, a recent study showed that 97% of users could not recognize targeted phishing attacks. Frequent and recurring education can help keep this attack top of mind for our users.

2. Backup your Data – All of your data including system snapshots, configurations, applications, and data, and even log files; and store it off-line and off site.

3. Update and patch your systems – Patching your systems includes operating systems, applications, third-party software, and firmware. This is where a vulnerability-based patch management system can return a rapid time to value, in helping to prioritize and automate patching of those vulnerabilities that are actually, actively being attacked “in the wild”. Today, it is nearly impossible to remain fully current with all of the patching required for most heterogeneous environments.

Ivanti recently released the results of a survey that was conducted, in which more than 70% of IT and security related professionals indicated that patching is too complex, and time consuming. The survey indicates that most agencies do not have the bandwidth or resources to map active threats, such as those tied to ransomware, with the vulnerabilities they exploit, and struggle to keep up with deploying patches and validating that they were successfully implemented.

4. Segment your networks – implementing a zero-trust architecture with network segmentation, even micro segmentation, and doing continuous authentication and authorization of users, devices, and transactions to ensure that only authorized transactions are accessing data and resources. Separate your business networks from your operations/manufacturing/production networks, and of course separate your dev/test/and QA networks. And then further segment your network with access control checks to prevent lateral movement within the network for non-authorized users or bots.

5. Regularly test your incident response plans – test that you can recover from your backups and test your system recovery, and continuity of operations plans to make sure they work, are documented, and your teams know what to do and what not to do. Include in your plans crisis communications, and rehearse and practice every contingency.

The top risk that most agencies face today is ransomware, and the top attack vectors are phishing attacks and weaponized vulnerability attacks against unpatched systems and applications. In many cases, a successful phishing attack, has the payload of launching the weaponized vulnerability attack from inside the network’s perimeter defenses. As threat actors continue to refine their attacks, these vulnerabilities, especially those with remote code execution capabilities

¹ https://www.itpro.co.uk/security/wannacry/359516/over-two-thirds-of-companies-still-run-software-with-wannacry-flaw

²https://www.ivanti.com/company/press-releases/2021/71-of-it-security-pros-find-patching-to-be-overly-complex-and-time-consuming-ivanti-study-confirms

Ivanti Derived Credentials: A Zero Sign-On Solution for Smart Card-Enabled Organizations

Tue, 14 Sep 2021 22:44:48 Z

What is a smart card?

Government agencies and some regulated industries have adopted standards (such as NIST SP 800-157) for issuing smart cards, based on the user’s validated and confirmed identity. The smart cards have digital certificates such as an authentication certification, a signing certificate, and an encryption private key (certificate). Often the smart cards also act as human recognizable identity validation cards and contain the user’s picture (for a guard to validate at a door or gate). The cards also may have a proximity chip for entrance to a facility, and they may contain biometrics as well.

The smart cards are then used for access to secure buildings and to log in to traditional enterprise workstations like laptops, desktops, and enterprise web services. Typically, an employee inserts their smart card into a reader on a workstation and enters a pin to access the authentication certificate, allowing the user to log in to the device or enterprise applications including cloud-based and web applications. This authentication method replaces usernames and passwords and provides two-factor authentication. That’s because the smart card is a physical entity that the user has, and the pin is something only they know – so neither the card nor the pin are sufficient, individually. These rules are described in the FIPS 201-2 definition of multifactor authentication and NIST SP 800-63-3.

What is a derived credential?

The difficulty of requiring smart cards for two-factor authentication is that as workers move from traditional workstations to more modern and mobile devices, smartcard readers are not practical. Therefore, a process is defined to securely create and provision digital certificates on mobile devices directly, based on the smart card. These certificates are derived from the initially assigned certificates and therefore are referred to as derived certificates or credentials. Derived credentials allow organizations that are using smart cards for authentication to easily extend this technology to mobile devices, providing strong, passwordless authentication to the most sensitive of resources. The end user securely authenticates to a portal using their physical smart card on an enterprise workstation. Then, using the information on the smart card, a mobile-friendly soft token is created and stored in a secure enclave on the mobile device as a digital certificate. The derived digital certificate is tied to a certificate on the smart card for revocation and validity. These certificates can be used for secure authentication to enterprise and web applications and resources, to sign emails and documents, and to encrypt messages on mobile devices.

What kinds of smart cards are out there?

U.S. civilian government agencies have standardized on smart cards called Personal Identity Verification (PIV) (based on a Homeland Security Presidential Directive HSPD-12), while the U.S. Military and Defense agencies have standardized on the Common Access Card (CAC). These smart cards and underlying technologies differ slightly, but both can be used for derived credentials.

Ivanti’s solution

The Ivanti team recognized the challenge our customers faced when complying with smart card and derived credential regulations in a mobile environment and have a solution to make the deployment of derived credentials easy. Working with trusted certificate and smartcard solutions like Entrust, DISA Purebred, Xtec and Intercede, we leverage derived credentials to enable organizations to extend their existing security investments in smart cards to their mobile infrastructure.

The Ivanti PIV-D manager solution integrates with Public Key Infrastructure (PKI) systems to seamlessly deploy derived credentials and manage the lifecycle of the credentials in any mobile enterprise or government organization. Ivanti PIV-D Manager stores the derived credentials securely in our encrypted Ivanti AppConnect framework, which is FIPS 140-2 enabled. The credentials can then be seamlessly shared with other secure AppConnect apps such as Email+, Docs@Work, Web@Work and native mobile OS apps for secure single sign-on, and S/MIME use on iOS and Android devices.

Prior to its acquisition by Ivanti, MobileIron assisted government agencies such as the Federal Emergency Management Agency (FEMA) and the DoD’s Defense Information Systems Agency (DISA) to deploy derived credentials seamlessly. These agencies now have tens of thousands of devices leveraging derived credentials, enabling their end users to access enterprise resources securely from mobile devices using their device.

The next level: Zero Sign-On

While derived credentials provide a strong authentication mechanism backed by PKI, Zero Sign-On enables derived credentials in conjunction with a comprehensive set of attributes, to be validated before granting access to enterprise resources. Ivanti’s approach to end-to-end, zero trust security significantly reduces risk by giving organizations complete control over enterprise data as it flows across devices, apps, networks and cloud services. This is essential as the world adjusts to a permanent shift to the Everywhere Workplace.

If you want to learn more about Ivanti’s world-class derived credential solution, please contact us.

What happened to election security?

Fri, 20 Aug 2021 20:04:18 Z

Ah summertime, heat, humidity, Black Hat! In 2020, Black Hat, like so many conferences was held virtually, and I was fortunate to participate on a panel talking about election security. As a matter of fact, I did several panels and discussions around securing the election of 2020. We discussed and covered several different areas; voting using an app on the mobile device, on a website, electronic voting in various flavors, block-chain voting, and there was a lot of discussion about the security of the voting machines in use across the nation. Which machines have paper backups, and don’t, which ones could be hacked (as demonstrated at Black Hat) and lots more.

Then the election happened, and other than the false narratives that came out of it, the 2020 election really was the most secure election we have had. And through all of the discussions about the threat vectors, and exploits, much of what we said was that we needed more time to work through the technology and policy challenges, and that trying to do that with an election only months away was foolish.

Now, here we are in the summer of 2021. Are we working on those voting alternatives? Are we addressing the policy and technology challenges? Are we evaluating identity, validation and verification of cast votes, privacy, and secrecy? There are probably some folks who are, but it is not in the mainstream of discussion.

What is happening is that many states are passing legislation regarding voting, but not to improve the security of electronic voting or the voting machines. Instead, in the first 6 months of 2021, 18 states have enacted 30 laws to restrict access to casting a ballot, and there are a total of 400 pieces of legislation pending at the state level to restrict voting.

There is some positive news, our friends at DHS CISA have updated many of the information resources available around election security, including the newest library of Mis, Dis, and Malinformation, to assist state and local governments, and the private sector to understand and combat the threat from erroneous reports and information.

Years ago, James Moore wrote a book called “Noah Built his Ark in the Sunshine”. I always liked the image of that title. Noah did not wait until it started raining to begin building the boat. We should not wait until we are once again facing a monumental election, to revisit the discussion around using the mobile phone to cast a ballot, be it via an app or on a website. Many of the states will be using the same voting machines and technologies for the midterm elections in 2022 and likely for the 60^th quadrennial presidential election in 2024. The same equipment and technologies coupled with more restrictive voting access, will surely bring about even louder voices for a different approach to enabling people to cast their secret ballot and to participate in the electing of officials for this constitutional representative republic in which we live, and call a democracy.

Ah, summertime, heat, humidity, and thunderstorms – maybe enough rain to remind Noah why the boat needs to be built in the sunshine, and maybe enough threat to remind us why we need to be building a better voting system, now.

How Ivanti is Helping the Federal Government Make Zero Trust a Reality

Mon, 26 Jul 2021 16:55:09 Z

As you may have heard, Ivanti was selected by the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) to participate as a collaborator in its Implementing a Zero Trust Architecture project. Many of the high-level details can be found in our press release, so, rather than reiterate in this blog, I’ll be taking a closer look at what a zero trust framework entails, why this project came to fruition, and why NIST NCCoE chose Ivanti to participate.

What is zero trust?

Zero trust flips traditional “trust but verify” security strategies on its head. It’s not a technology or something you’d buy. Rather, it’s a framework that assumes bad actors are already and always on your network—hence no inherited trust. The intent is to ensure consistent validation of applications, users, and transactions, thereby moving organizations toward a comprehensive IT security model that spans the entire enterprise.

With zero trust, all users, devices (desktop, mobile, server, non-person entities ([NPEs] and IoT), applications, and networks are authenticated, authorized, and continuously validated according to granular, policy-based controls before being granted access to corporate resources. This micro-segmentation and continuous verification of posture and compliance reduces an organization’s attack surface and, ultimately, the likelihood of data breaches.

For an easy analogy, think of a museum. Some museums only station security at their front entrance, and once a visitor passes this checkpoint, they’re free to move about the premises. Most guests will comply with the rules, but there’s always the possibility a few bad actors will touch a sculpture or take a selfie despite flash photography being disallowed. This “front door only” approach is how most traditional network security operates—once you’re in, you’re in.

Conversely, a zero trust museum (if you will) places security guards at the front entrance and in every single room. There’s a checkpoint in all directions, and as visitors mill about and move from exhibit to exhibit (resource to resource), a guard is always present to verify admission and enforce compliance. Guests are never granted the benefit of the doubt, and one false or suspicious move means they’re out—no apologies or ability to move to a different area.

Makes sense, right?

What led to the “Implementing a Zero Trust Architecture” project?

While zero trust was considered an eventuality among security professionals for the past few years, the pandemic accelerated the need for widespread adoption. As workforces went remote, employees required access to corporate apps and data, often connecting via unsecured networks using a combination of organization-owned and personal devices. That, in turn, eroded the network perimeter, rendering traditional approaches to enterprise security inadequate.

Soon after, threat actors, capitalizing on these new weaknesses, ramped up sophisticated cyberattacks. The disappearing perimeter led to the exposure of exponentially more devices, and because a single exploitable vulnerability is all a bad actor needs to work their way into a network, attacks grew (and continue to grow) at an alarming rate. Put simply: The inadequacy of most enterprise security in the wake of remote and remote-first workplaces has made cyberattacks too easy—and too lucrative—for most hackers to ignore.

Recognizing the problem and seeking to leverage effective security for resources on-premises, in the cloud, and at the edge, President Biden signed an Executive Order, which states that “the Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.” As part of the recommendations for doing so, the Executive Order makes zero-trust architecture a top priority.

Ivanti was chosen as a collaborator

Ivanti’s stated mission is to make the perimeterless Everywhere Workplace possible, and we’re a leader in providing solutions that accelerate zero-trust adoption. As a chosen collaborator for the Implementing a Zero Trust Architecture project, Ivanti will lend its expertise to develop zero trust architectures that address real world cybersecurity and infrastructure challenges.

While Ivanti has a portfolio of solutions that enable zero trust, we are one of the only Unified Endpoint Management (UEM) vendors among the collaborators. UEM is a critical component of an effective zero-trust architecture because the technology enables IT administrators to gather detailed device data and automate software and OS deployments for every single device that touches their network. As remote and hybrid workplaces become the new status quo and the proliferation of user devices and operating systems grows, IT administrators can use UEM to apply security, privacy, lockdown, and sync policies to registered devices, ensuring only devices that comply with security requirements can connect to the network.

All told, we’re excited to be a part of the NIST’s NCCoE’s initiative, and we look forward to developing zero trust architectures that enable organizations to counter today’s most pressing cybersecurity threats.

The Increasing Popularity of Ransomware Amongst Cybercriminals

Tue, 22 Jun 2021 17:21:13 Z

Cybercriminals are becoming increasingly savvy and ransomware attacks have soared over the last decade. A recent PwC UK Cyber Threat Intelligence report revealed a spike in cybersecurity incidents which have significantly affected many organisations that are already dealing with challenges caused by the pandemic. It is likely the increase in the rate of attack has been fuelled by the influx of new ransomware actors, the expansion of existing affiliate schemes and pursuing improved revenues by established cyber-crime actors. And, unfortunately, no one is safe. Ransomware attacks can affect all business sectors and they are growing in intensity.

It all comes down to opportunity costs. During the pandemic, cybercriminals have been capitalising on ransomware as more people are working remotely. All it takes is a single vulnerable device. The disappearing perimeter means that many more devices are exposed, and many are simultaneously connected to a corporate or government network, and the user’s personal home network. A single successful attack can result in cybercriminals making hundreds of thousands or even millions of dollars.

Common avenues into public sector organisations

Despite ‘ransomware’ being the term that usually makes it into the headlines, social engineering, email phishing, and malicious email links are the major vectors that criminal organisations use to infiltrate environments and deploy their malware, and recent studies have shown that many successful attacks originate from a mobile device.

Getting rid of passwords in favour of multifactor, biometric or zero sign-on capabilities is the only way to stop cyber criminals harbouring credentials. Eliminating passwords should be tightly coupled with the ability to establish a contextual relationship between the user, the network, policy compliance, and the data that they are accessing.

Unpatched vulnerabilities and default configurations are another common point of entry into public sector organisations’ ecosystems. Underfunded public bodies typically struggle in prioritising the patch management process in IT, due in part to the resources needed to patch every vulnerability manually.

Unpatched vulnerabilities leave those organisations unprotected from malicious cyber threat actors exploiting known threat vectors to get a foothold into connected endpoints. They then move laterally up the cyber kill chain to evolve into an advanced persistent threat (ATP). These APTs are often undetected and living off the land within a victim company’s network.

Hyper-automation technologies that are powered by deep intelligence and use supervised and unsupervised machine learning algorithms can drastically improve IT defences. They provide organisations with visibility over all endpoints, applications, and data, and can effectively manage their security and self-healing capabilities with minimal human intervention.

Providing education to all levels of an enterprise

Ransomware attacks, like the one that hit Colonial Pipeline, are becoming increasingly common, but there are relatively simple steps businesses can take to avoid falling victim to a ransomware attack.

Educating all levels of an enterprise is possibly the most important mitigator when protecting your business from Ransomware. Cybercriminals monitor employees’ online behaviour to gain access to an organization’s network. Creating an enterprise-wide cybersecurity education and training strategy is key to mitigating ransomware attacks.

Organisations should start with the basics: educate employees to practice safe clicking, recognise phishing and social engineering attempts, and report suspicious emails and activity to the IT department. This should be treated like fire safety, schedule regular drills to test and monitor the efficacy of your employee training. Even offer rewards for spotting fake phishing emails.

Investing in a unified endpoint management platform with built in threat detection software is another must. This will allow public sector networks to detect policy violations and implement the correct response. IT should also enforce regular account access reviews to ensure that only the right people have access to sensitive company information. This not only protects sensitive data from internal threats but also stops malicious actors from using over-permissioned accounts to inflict damage on the business systems.

Paying ransom

Paying ransom doesn’t guarantee the recovery of your files or ensure the code is removed from your corporate systems. For that reason, government cybersecurity authorities, like the NCSC, don’t advocate emptying your wallet. Additionally, by paying ransom greedy cybercriminals will only be encouraged to continue their plight. But a ransomware strategy that priorities defence and thorough recovery should mean that you won’t need to pay.

If an organization doesn’t have a recovery plan in place, then the ability to not pay the ransom is highly jeopardised. Preparing for ransomware attacks with drills to make sure a thorough recovery plan is in place is crucial. Simply restoring data from a backup onto corrupted systems isn’t an option. You need to reimage hundreds or thousands of systems, prior to putting the data back on. A blue print will be needed for what can be a huge operation.

Ivanti Federal CTO's Take on the Cybersecurity Executive Order

Thu, 13 May 2021 19:03:52 Z

Ivanti Federal CTO, Bill Harrod, shares his take on the recent cybersecurity Executive Order issued by President Biden:

I applaud the Biden administration’s work on developing and releasing the Executive Order (EO) with mandates for improved threat and attack information sharing, focus on endpoint detection, acknowledging the risk of unchecked and unknown devices especially those sensors and actuators that are part of the Internet of Things. In addition, hopefully the Technology Modernization Fund (TMF) will aid agencies in making the improvements needed to upgrade technologies and software with a focus on the security of the network, enforcing strong, multi-factor authentication, implementing zero trust architectures, endpoint detection of new and untrusted devices, and taking the proactive approach to cybersecurity outlined in the EO.

In many ways, this is not terribly new, rather it is an acknowledgement that we have not been enforcing basic hygiene as we have built and expanded access to our applications and data. I can envision a time when a device connecting to an enterprise network will be automatically detected – even for an IoT or mobile device – queried for compliance with a baseline of cybersecurity standards, and quarantined if not compliant. In addition, to being “sandboxed,” the network can implement actions for automated remediation, and monitoring across the network will detect, remediate, and “self-heal” any device, solution, or technology that falls out of compliance.

The government started down this path years ago with the implementation of the Continuous Diagnostics and Mitigation (CDM) program. A program where the basics are focused on who is on my network, what devices are on my network, what activity is on my network, and how is data protected.

There will be significant challenges in implementing the EO. Timely information sharing has always carried an additional risk and stigma for companies that have been attacked and sharing the attack intelligence highlights the company’s vulnerabilities. Sharing vulnerability scans has long been a part of the regular cadence for companies that operate a FedRAMP cloud, but how many agency CIOs actually receive any information about those monthly reports? And today, the government’s enterprise network is everywhere, from the mobile device carried by top level officials, to the employees working from home, to the IoT devices being used for automation and process improvements.

Again, I applaud the Biden administration’s EO and look forward to being able to help define the details that will make for a strong and effective implementation.

Cybersecurity is Fundamental for Modernizing Government

Thu, 06 May 2021 17:24:30 Z

Digital transformation is a strategic initiative of the federal government and has been for years, but adequate funding has never been appropriated. Digital transformation is essential within all areas of government, to deliver services faster, more reliably, and securely. In order to keep up with the global expansion of digitalization, government agencies must modernize their IT and security infrastructure. This realization has led to an increase in funding opportunities with the formation of grants like the Technology Modernization Fund (TMF).

The TMF was authorized in 2017 to provide funding and technical expertise for approved projects. TMF received $1 billion in the American Rescue Plan in January 2021 to fund modernization projects. To access TMF grants, government agencies must submit their project proposals to the Technology Modernization Board for review and go through a two-phase approval process.

The increasing need for secure digital transformation

Security threats from nation-state and non-state bad actors are escalating and targeting the government’s critical infrastructure. Last year’s attacks are examples of why we need to harden our government’s security posture. The SolarWinds attack targeted large enterprises and top government agencies and exposed sensitive data. The critical infrastructure failure in Texas’ electric grid left millions without power and water for days. Florida suffered an electronic breach into the water supply infrastructure where someone illicitly gained remote access to the system and added high levels of lye into the water.

The Biden administration has called upon Congress to launch an ambitious effort to modernize and secure federal IT infrastructure. The administration’s new TMF budget request has targeted $9 billion, of which CISA would receive an additional $690 million to increase cybersecurity across federal civilian networks.

TMF funding is important, but it’s no guarantee

Digital transformation funding is important, but there’s no guarantee the TMF funding will pass, and agencies need to implement solutions today. Even well-funded cybersecurity efforts, if poorly executed, can make government agencies complacent. High risk areas can easily be overlooked, when agencies incorrectly assume protection exists. Effective cybersecurity requires knowledge of every asset, processes that are tested and proven, and multi-layered security that is unified within a single view for deep visibility and intelligence correlation.

It’s all about mitigating risk

While modern technology to secure government assets is available today, the truth is, many agencies still have outdated technology incapable of supporting modern advances. Agencies with antiquated operating systems and hardware have difficultly moving forward with today’s new and innovative technologies. This, along with the increasing cybersecurity risks, is why the Biden administration is calling on Congress to launch the most ambitious effort ever to modernize and secure government IT infrastructure.

Traditional cybersecurity concepts are still important and are needed for good hygiene. However, we need to understand at a more fine-grained level all of the IT and network infrastructure components, including elements within agency supply chains. This is evidenced by the SolarWinds attack, that revealed the limitations in our understanding of assets connected to our networks, and how patches are tested, sandboxed and applied. To mitigate risk and ensure reliable protection of government assets, we need to know exactly where, and what, the components are across the enterprise, down to the firmware and chipsets.

It sounds daunting, but we have solutions that do this. It’s a technology problem that requires technology solutions. It is about discovering, managing and controlling assets enterprise-wide, and applying risk management principals around them. This is where information technology asset management, or ITAM, solutions become important. They discover and identify all assets and reach back to the manufacturers to enrich the data based on device models and serial numbers. ITAM enables government agencies to discover, identify, manage, authenticate, and validate every device across their enterprise.

Cybersecurity policies and processes that are ambiguous and insufficiently defined, along with siloed and disjointed technologies, pose great risks. Detecting new users and devices connecting to the enterprise, interrogating them, and determining the risk before granting access to data and resources is crucial. Understanding, at a more granular level, the components, chipsets, memory, firmware, and software that comprise every part of the enterprise is how threats are mitigated. New software and applications should be quarantined within a sandbox, with conditional access granted only to data and resources based on a risk score or assessment.

Know your assets and apply policies to enforce protections

To control and limit access, effective asset management and policy enforcement requires risk mitigation and scoring of authentication and authorization processes. Management of the everywhere enterprise is complicated, with expanding security perimeters, diverse hosting environments, and users and devices accessing from anywhere. Binding together the users, devices and credentials is what encompasses an identity, and what defines, limits, and controls access to government assets.

The United States’ transportation infrastructure of roads and bridges are inventoried and graded based upon the level of need for repair or replacement. The lower the grade, the higher the risk. By inventorying and grading this critical infrastructure, we know what needs to be done, and how to prioritize the work. The U.S. government’s technology modernization needs to focus on the same things, by understanding and inventorying diverse and distributed assets. We can determine what the assets are, and their risk factors, and apply policies to prioritize against risks.