I am very glad to turn the page on 2021, however, I am not optimistic that 2022 will be remarkably better.
I am hopeful that President Biden’s Executive Order 14028 and the Department of Homeland Security’s (DHS’s) Binding Operational Directive 22-01 (BOD 22-01) will help improve our cybersecurity practices and bolster our resilience, especially for mission critical and infrastructure protection. These mandates outline:
- Enhanced practices for prioritization and remediation of risk-based vulnerabilities, focusing on those that have known exploits
- Implementing a comprehensive asset inventory including mobile devices and remote work endpoints, and
- Leveraging solutions like security orchestration, automation and response (SOAR) and endpoint detection and remediation (EDR).
In addition, EO 14028 instructs agencies to adopt a zero-trust model including comprehensive identity management, continuous authorization, least privilege, separation of duties, network segmentation, and privilege access management controls.
A challenge to the adoption of the mandates, for many agencies, is that they are uninformed about how their existing solutions may already provide significant progress towards meeting the objectives of the mandates. Agencies are searching for information on how to perform a gap analysis for their existing solutions and the mandates, and direction on how to adequately address those gaps.
Many agencies are looking to the Technology Modernization Fund (TMF) to help them fund the solutions required, since the mandates were released after the current budget requests were submitted. However, even with the funding in the TMF, it cannot cover all the additional funding required, especially for wholesale rip and replacement of existing technologies that
may partially address the requirements.
Let’s be specific: if agencies have an effective unified endpoint management solution, including mobile device management, that provides asset discovery and inventory management, and it already feeds an IT service management platform and configuration management database, then a large part of what EDR provides is already in place and working. Why rip that out to implement a new EDR solution that may take months to install, configure, and tune?
In this case, perhaps what an agency is lacking is risk-based vulnerability management, effective patch management, and instrumentation to detect anomalous behavior and feed the information into an automation engine that also gets feeds from intrusion detection and monitoring systems, as well as the automation engine to interpret the results and provide alerts to the business owner, the application owner, the security operations center (SOC) and the network operations center (NOC).
One thing the pandemic has demonstrated is an unprecedented shift in endpoints, workloads, and where data and applications reside. Today, the Federal workforce remains mostly remote and telework is being conducted over modern endpoints such as mobile devices and tablets, and the applications and productivity tools are now cloud-hosted solutions. To be effective, those additional endpoints and mobile devices need to be included in the Agency’s asset inventory, the devices need to be managed and validated for conformance with the Agency’s security policies, and the identities of the user and their device must be known and validated.
Additionally, the applications that are cloud-hosted must be included in the zero-trust framework including being protected by strong, conditional access controls, effective vulnerability management and automated patch management processes.
I am optimistic that we can make great strides towards improving cybersecurity in 2022, if we are smart and pragmatic about prioritization, risk management, and leveraging automation to help us work smarter not harder. Included in working smarter is having an automated, comprehensive, and accurate asset inventory.
The inventory should include everything on the enterprise network, including cloud-hosted applications, resources, and data, as well as all the Agency’s IP addressable devices, including printers and IoT devices, and devices that are running on networks “not connected” to the Internet. The next step is to ensure that there is a way to maintain that asset inventory by detecting and discovering all new devices or assets that may be added to the network.
Then integrating the asset inventory with risk-based and vulnerability management, automated patch management, change management, and service management provides a pragmatic and prioritized cybersecurity strategy. This is the type of strategy that can help agencies address the risks of 2022 and proactively protect against the exploitable and weaponized vulnerabilities released throughout the year.