Imagine for a moment that you’re a security analyst at your agency. As you’re drinking your morning coffee — or tea — you see an alert about a new security vulnerability that could pose a major risk to your agency.
But figuring out if any of your agency’s systems are susceptible to that vulnerability is going to be a daunting task. For starters, your agency is drowning in data and analysts don’t have real-time visibility of the information security environment. In other words, they don’t know what systems and software are up to date, what devices are running on the network and what are the most critical vulnerabilities at any given time.
“For many organizations, the notion of monitoring a sub-organization or sub-agency or a component is extremely challenging in a lot of cases,” said Anthony Perez, Director of Field Technology at Splunk.
Perez led a discussion during GovLoop’s recent virtual summit, “Gov Tech Trends to Pay Attention to in 2019,” about the challenges agencies face when it comes to having real-time visibility into their security operations and how they can begin to address those issues. Under the Homeland Security Department’s Continuous Diagnostics and Mitigation (CDM) program, Splunk provides capabilities to help agencies monitor their networks and diagnose and prioritize which security issues to address first.
Perez kicked the conversation off by giving a brief primer on existing guidance that agencies must follow to determine how well or how poorly they are doing in terms of information security. There are the special publications that the National Institute of Standards and Technology (NIST) puts out, the Federal Information Security Modernization Act requirements, NIST Cybersecurity Framework, and others.
The Cybersecurity Framework, for example, is broken down into five distinct functions that agencies should address: Identify, Protect, Detect, Respond and Recover. Each of these categories represents various data points and capabilities that agencies should have to properly address cyberthreats.
For example, under the Identify function, agencies should know what servers and devices are on their network. With Protect, they should know what operating systems are running on those devices and who the privileged and non-privileged users are.
Having this type of security information is critical for agencies, but it’s virtually useless if they don’t have the right tools to properly collect, analyze and display that data. Perez highlighted four common categories that describe the reporting and visibility challenges government agencies face.
- Scope and scale. Agencies are complex organizations. In many cases, there are sub-agencies in various locations that have diverse missions, and it can be difficult to understand what is happening across the entire organization. Even smaller agencies struggle with scope and scale.
- Diversity of environment. There are often different systems, vendors, and business processes that vary across sub-agencies.
- Constant change. User activity drives constant changes across agencies and their security posture. There are administrator changes, changes to system configurations and more.
- Data collection reporting. Data collected often offers only a snapshot in time versus real-world status. Responding to data calls takes considerable time away from mission activities.
With all of these challenges come more data and insights that agencies must track and make sense of. “It is a constant den of white noise that is constantly injecting change,” Perez said.
This is a common concern that Perez hears from the various government entities that have tapped Splunk to help them address their woes. Splunk serves as a platform for security posture visibility across civilian security operations centers (SOCs), law enforcement agencies, state and local governments, and major research institutions.
“The same factors that led to that centrality of Splunk as a central nervous system for SOCs led to the selection of Splunk as a common data fabric for CDM phases 1, 2 and 3,” he said. Dot-gov assets are fed into Splunk’s data fabric to help agencies normalize, visualize and operationalize their data.
Think back to the earlier example of being a security analyst and hearing about a new vulnerability. With tools like Splunk, you would be able to quickly see which systems may be exposed and to what degree. You wouldn’t have to jump from system to system to figure it out.
Perez also did a demo showing how easy it is for an analyst to use Splunk and determine what employees are accessing and how to use that type of information for compliance purposes. Let’s say you need to ensure employees have read a particular document. You can use Splunk’s capabilities to see if they read the document and the read time. Agencies can also track things like employee visits to gambling and pornography websites.
Having these capabilities demonstrates control over an environment and an understanding of what users are accessing, Perez said. But before you race off and just acquire any tool, he suggested agencies keep these things in mind.
Make sure that the solution you’re buying can perform at scale, and don’t implement a tool that employees will never use or open, he said. If you are thinking about continuous monitoring and you want to develop capabilities for the future, it absolutely has to have inherent machine learning functionality built into that platform. “With the way data is growing and the complexity of systems, that is the future.”
Want to attend more GovLoop virtual summits in 2019? Make sure to sign up at this link to be notified when they are happening!