The options available to agencies to protect and secure their crucial data are greater in number than ever before. Responding to cyber threats and vulnerabilities in real time is no longer just an aspiration, thanks to artificial intelligence and machine learning. But how do agencies use these advances to their advantage, how can they make their cyber initiatives as effective as possible, and what should they know before they begin? For many, Autonomous Cyber is the answer.
GDIT’s Cyber Director, Dr. Matt McFadden, recently spoke with MeriTalk about Autonomous Cyber: why it’s more important than ever, and how the COVID-19 pandemic (and the massive shift to remote working) is affecting agencies’ need to secure their information assets across multiple platforms and devices. His Q&A follows below.
MeriTalk: With so many people teleworking now, organizations have a broader attack surface due to increased use of mobility and cloud solutions. What are some of the top challenges agencies face in this environment?
Dr. McFadden: The main challenge with the increase in telework is that most agencies’ infrastructure wasn’t designed to meet the demand of an almost 100 percent remote user workforce. For some of our customers, we’ve had to work hard to scale their architecture, which could be anything from leveraging the cloud to supplementing the network devices that they have. For example, we had an agency customer that couldn’t provide remote access to their workers and gave us five days to implement a virtual private network (VPN) portal to support thousands of mobile users who couldn’t work from home without it – which we successfully completed.
MeriTalk: Now that we are a few months into the COVID-19 pandemic, are you still seeing agencies having issues with supporting telework or is it mostly resolved?
Dr. McFadden: I definitely think things have smoothed out a bit since COVID-19 first began affecting the workforce. Agencies are now working on more long-term strategies around the mobile workforce, and how they can scale and provide capabilities to support it over time, even when we all go back to the office.
MeriTalk: Are there any other challenges that you are seeing, aside from scalability?
Dr. McFadden: There is always the threat aspect you need to look out for in remote environments. Most agency cyber defenders are focused on those big existing perimeters that they’re used to supporting. As they go deeper into this mobile realm, they’re starting to see the increased use of endpoint devices or different remote work scenarios impacting their environments. They will have to adapt their operations to support that and increase emphasis on using a zero-trust approach because of it.
MeriTalk: How do you define autonomous cybersecurity, and how can this model better protect agencies’ crucial data?
Dr. McFadden: Autonomous cybersecurity is the automation of your cyber defense capabilities and the ability to adapt and respond in real time. Cyber threats are constantly changing, increasing, and growing more sophisticated. And, as more agencies move to the cloud, there is more data to analyze than ever before, especially at the edge. Despite the growing cyber workforce, there are still finite resources to meet demand. We need our cyber defenders to maximize their time to focus on the high priority impacts, rather than on the trivial ones they’re bogged down with. Autonomous cyber defense can help solve those challenges – resulting in enhanced perimeter protection, improved endpoint and continuous monitoring, automated patch management, and enriched cyber situational awareness.
MeriTalk: Responding to threats in real-time can make all the difference in an agency’s exposure to a cyber-adversary. How can agencies integrate automation tools like AI/ML to detect zero-day and other unknown threats, and reduce response time?
Dr. McFadden: The main point here is that artificial intelligence and machine learning are not the end-all, be-all for cyber practices – it’s more about how you apply them. AI/ML can help detect unknown threats, as well as provide a way to respond by blocking uncharacteristic traffic. They can help agencies orchestrate a response that allows for vulnerability prioritization and reconfiguration of systems in real time. For example, where you more traditionally relied on signatures, using a signature-less detection capability can help detect those unknown threats. The more traditional methods don’t necessarily go away, but AI/ML are used to supplement the ability to detect those zero-day type threats.
This aligns with autonomous cyber defense, where sometimes agencies will reference AI/ML, but are actually more focused on the automation component. GDIT is essentially trying to drive detection to respond in near real time, so if we find a cyber threat, we can automatically remediate it. This could include reconfiguring a misconfiguration issue or patching a known vulnerability. There are many different application areas, and GDIT is looking to work with agencies to define concrete use cases that will help improve their cyber outcomes.
MeriTalk: Can you provide any examples?
Dr. McFadden: One of the large enterprise agencies we work with leverages GDIT’s Cyber Stack to reduce the workload of analytical response by 85 percent. We looked at the top use cases and cyber events that bogged their security operations center (SOC) response capabilities down to identify areas where we could use autonomous cyber defense.
Leveraging GDIT’s Security Orchestration, Automation, and Response (SOAR) tool in the Cyber Stack, we orchestrated and automated the response actions to alleviate the tier one and tier two responders from having to manually respond to incidents. This 85 percent reduction in manual response time allowed the team to focus more of their resources on more impactful cyber events.
MeriTalk: Can you describe an example of a cyber event that could bog down an agency’s security operations center (SOC)?
Dr. McFadden: Phishing emails are a great example and are a common threat in the workforce. Every time an employee receives a phishing email, it is detected and reported, requiring SOC analysts to investigate if the attack was a targeted threat. Rather than manually going through and finding the cyber event and analyzing the intent and origin, we can automate that piece of the response to look at certain indicators to see where it came from, including the IP address, if it was a targeted spear phishing email to a top executive, etc. By automating the response, we can more efficiently receive and assess the data to prevent a future attack and reduce the manual processes needed.
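As an added illustration of the automated phishing triage described in the answer above (example code written for this page, not GDIT’s Cyber Stack or any SOAR playbook of theirs), the script below takes a reported email, pulls the originating IP from the Received header chain, checks whether the recipient is an executive mailbox, notes any links, and assigns a queue priority. The sample message, executive mailbox list and blocklist are all constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample of a user-reported phishing email (not from the original page).
SAMPLE_EMAIL = """\
Received: from mail.example.test (mail.example.test [203.0.113.45])
    by mx.agency.example (Postfix) with ESMTP id ABC123
From: "IT Helpdesk" <helpdesk@example.test>
To: cfo@agency.example
Subject: Urgent: password reset required
Content-Type: text/plain

Please reset your password at http://login-example.test/reset
"""

# Constructed executive mailbox list; a real playbook would pull this from a directory.
EXECUTIVE_MAILBOXES = {"cio@agency.example", "cfo@agency.example"}
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def originating_ip(msg):
    """Return the IP from the earliest Received hop (the last header listed), or None."""
    for hdr in reversed(msg.get_all("Received") or []):
        match = RECEIVED_IP_RE.search(str(hdr))
        if match:
            return match.group(1)
    return None


def triage(raw_email, known_bad_ips=frozenset(), executives=EXECUTIVE_MAILBOXES):
    """Score a reported email on its origin and its target, then assign a queue priority."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    ip = originating_ip(msg)
    recipients = {a.addr_spec.lower() for a in msg["To"].addresses} if msg["To"] else set()
    body = msg.get_body(preferencelist=("plain",))
    urls = URL_RE.findall(body.get_content()) if body else []
    checks = [  # (indicator fired, points, analyst-readable reason)
        (ip in known_bad_ips, 50, f"source IP {ip} is on the blocklist"),
        (bool(recipients & executives), 30, "executive recipient: possible spear phishing"),
        (bool(urls), 10, "message carries a link"),
    ]
    score = sum(points for hit, points, _ in checks if hit)
    priority = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"source_ip": ip, "targeted_executive": bool(recipients & executives),
            "urls": urls, "score": score, "priority": priority,
            "reasons": [reason for hit, _, reason in checks if hit]}
```

The point values and thresholds are illustrative; the pattern is that each indicator the analyst would otherwise check by hand becomes a scored, explainable check, so only high-scoring reports reach a human.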
MeriTalk: What is GDIT doing to drive automation in its cyber capabilities so organizations can increase efficiencies in their operations?
Dr. McFadden: We created the GDIT Cyber Stack to build a multi-cloud cyber defense capability that focuses on the integration and automation of cyber capabilities, using more cloud-native cybersecurity products from all of the major cloud service providers (CSPs). We wanted to increase efficiency by building a cloud platform where multiple agencies and mission partners can work together, rather than building a cyber capability set for each implementation. By leveraging more cloud-native tools, we can increase integration and perform better cueing and orchestration of defenses and remediation, improve vulnerability identification and autonomous patching, and use adaptive defense and self-securing systems.
MeriTalk: How do you see autonomous cyber defense re-shaping Federal cybersecurity strategies in the future?
Dr. McFadden: I see a lot of great outcomes from the shift to autonomous cybersecurity, as a lot of cyber defenses are leveraged in parallel with the zero-trust strategy. One example is the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), which demonstrates that the more you leverage automation, the more mature your cybersecurity is.
MeriTalk: SOAR plays a vital role in implementing an autonomous cyber defense strategy. Talk us through the steps of SOAR and the importance of using this model in government systems.
Dr. McFadden: As part of our Cyber Stack capabilities, we defined a functional set of cyber requirements that aligns to the DoD’s Secure Cloud Computing Architecture (SCCA) and TIC 3.0 requirements. Using those requirements, we develop playbooks and use cases to automate components. We typically work with agencies to determine the top incidents and most resource-intensive incidents where we can use automation to drive efficiencies. We look at how we can detect unknown threats and how we can respond and orchestrate in near real time. A lot of the cases we run into require solutions to automate patching and configuration management. We want to be as proactive as possible to reduce our attack surface, and SOAR is a big part of that.
MeriTalk: What advice can you give to agencies looking to adopt autonomous cybersecurity practices? What are the biggest obstacles they run into?
Dr. McFadden: Stakeholder buy-in is very important. At any large Federal agency, there are multiple stakeholders with different roles and responsibilities for different areas of the organization. For example, you may have a network team, or the CISO team might not be organized under the CIO, or the SOC may operate independently. In order to adopt autonomous cyber defense effectively, you have to be able to automate across the entire stack. To do that, the stakeholders need to agree on the prioritization of use cases and the orchestration actions that we’re providing. But most importantly, stakeholders need to understand they won’t move to full autonomous cyber defense on day one; it’s a phased approach of understanding outcomes and measuring metrics over time.
In addition to figuring out the people aspect, agencies also need to determine if they have the right technology capabilities to do autonomous cyber defense. Having a clear capability rationalization is very helpful as they’re getting started, as well as knowing how well their existing vendor tools integrate with other cybersecurity vendors’ ecosystems. It’s all about providing a comprehensive integrated approach.
MeriTalk: One of the biggest challenges the Federal government faces in implementing new technologies is associated cost. How can agencies best work with the private sector and gain buy-in from decision makers?
Dr. McFadden: At GDIT, we have a very large cyber alliance partnership that helps drive down costs across multiple vendors and partners. We have a great deal of insight into the implementation process and can help advise agencies on how to reduce spending on unnecessary products and services, as well as realize capability rationalization. Through the modular capability approach the Cyber Stack offers, we can swap out certain products based on mission or agency’s needs to ensure we meet the capability requirements.
MeriTalk: Anything else you’d like to cover today?
Dr. McFadden: We built our Cyber Stack solution to help address the emerging threats changing the threat landscape. By leveraging artificial intelligence, machine learning, and automation, we can adapt to those threats and work together with other vendors to improve cybersecurity outcomes. Pairing the top cyber defense platforms with a zero-trust strategy is the perfect formula for a comprehensive cybersecurity strategy.
This interview first appeared on MeriTalk.com in June 2020.