Public sector security professionals have had an extremely busy six months juggling pandemic-driven security needs alongside the perennial objective of improving Federal agency security for the longer haul.
The range of challenges has been broad – led by aggressive adversaries targeting operations disrupted by the pandemic, Federal agency telework programs, updates to the Cybersecurity and Infrastructure Security Agency (CISA) TIC 3.0 guidelines, and efforts to migrate to Zero Trust security architectures. The eventual end of the pandemic remains over the horizon, but the changes to government operations and the security they require may be the longest-lasting effect of the public health crisis.
We caught up with Ned Miller, Chief Technology Strategist for McAfee’s U.S. Public Sector’s Business Unit, to ask about the progress he is seeing across the government customer landscape with these initiatives, and to explore the next set of challenges and priorities government security professionals will need to address amid the continuing environment of uncertainty.
MeriTalk: Ned, first let’s discuss how government departments and agencies have managed the surge in telework or work-from-home initiatives. Are we over the hurdle? Any interesting lessons learned?
Miller: For the most part, the government has managed its way through the telework surge very well, considering the circumstances. Based upon several hundred discussions with our customers since March of this year, many struggled initially with the necessity of quickly expanding VPN access technologies and coming up with ways to manage access to collaboration capabilities such as Microsoft 365, Microsoft Teams, Zoom, Slack, etc. In addition, there was also a challenge with the new cost structure scaling their infrastructure to the work-from-home model. The actual cost implications are still working their way through the system, and it will be interesting to see FY20 planned budget expenditures vs. the actuals. Today I would say the ecosystem across government has reached a steady state and is operating as well as can be expected under the new normal.
MeriTalk: Second part to the work-from-home question – has there been an increase in cyber risk to the enterprise as a result of the change in workforce location and behavior?
Miller: This is a great question. We were thinking the same thing. So in May of this year – to bring more insight into the impact of working from home and specifically the use of cloud services and the threat landscape – we produced our Cloud Adoption and Risk Report, Work From Home Edition. McAfee aggregated and anonymized cloud usage data from more than 30 million cloud users worldwide between January and April 2020. The data set represented all major industry segments across the globe, including government, financial services, healthcare, education, retail, technology, manufacturing, energy, and transportation.
There are several notable results with the key findings – overall that enterprise use of cloud services spiked by 50 percent; collaboration services saw an increase of up to 600 percent; and external attacks on cloud accounts increased 630 percent, with government being in the top three industry verticals called out.
The one metric that really caught my attention was the fact that enterprises were allowing cloud usage from unmanaged devices. The data suggested that cloud traffic from devices outside department/agency managed networks – meaning not under the control of IT or cybersecurity – more than doubled. The implication is there is no way to recover sensitive data from an unmanaged device, so the increased access could result in data loss events. That clearly raises questions around BYOD models and making access too easy in the spirit of “we need to keep government open for business.”
MeriTalk: You mentioned the McAfee Cloud Access Security Report which aggregated cloud usage data from more than 30 million cloud users worldwide, and a key statistic caught our attention – the correlation between the increased usage of collaboration tools like MS Office 365 and MS Teams, and the increase in cloud security threats. Can you elaborate on why this is occurring and what the threats look like?
Miller: With the significant increase in use of collaboration tools, threat actors began targeting these cloud services. For our report, we focused on two specific categories – excessive usage from an Anomalous Location and Suspicious Superhuman. Both of these typically involve the use of stolen credentials.
Excessive usage from an Anomalous Location begins with a login attempt from a location that has not been previously detected and is anomalous to the user’s organization. The threat actor then initiates high volume data access and/or privileged access activity.
A Suspicious Superhuman attack also starts as a login attempt, however from more than one geographically distant location, where it would be impossible to travel to within a given period of time. We tracked this behavior across multiple cloud services. For example, if a user attempts to log into Microsoft 365 in Singapore, then logs into Slack in California five minutes later, you have an obvious problem.
Internal or insider threat categories largely remained level or the same as previous reporting periods. This indicates that employees don’t go rogue and attempt to steal more data just because they are working from a different location other than the office. The majority of the attacks we observed were external, cloud native threats targeting cloud accounts directly.
MeriTalk: Clearly, the telework model has accelerated the use of cloud, and cloud security is a front-and-center area of concern more so now than ever before. What recommendations are you sharing with customers to better protect their enterprise?
Miller: The dramatic shifts with agencies and departments using cloud services are breaking the efficacy of legacy security and networking solutions deployed by many organizations. VPN infrastructures – although working OK – are struggling and experiencing performance issues attempting to handle the surge with remote employees. In addition, the cost implications are just beginning to have an impact.
Modern cloud applications, like Microsoft 365, are delivered directly through the cloud, yet many organizations still use a hub-and-spoke network architecture to route cloud traffic through security appliances in their data centers. In reality, employees will do whatever is easiest and fastest to accomplish their tasks. They will even turn off their VPN and access applications in the cloud directly.
The work-from-home guidelines and collaboration initiatives across government are challenging dated models of connecting into an agency network through a VPN before going to a Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) resource. We are recommending to our customers as they explore the new direct access models to require conditional access controls for agency-issued and personal devices, comprehensive data protection, strengthened user-behavior analytics, and cloud-native threat prevention with automated policy response capabilities to remediate risks. At the end of the day, we are focusing more on data protection – wherever the data may be at any given point in time.
MeriTalk: Speaking of work-from-home guidelines, let’s switch gears and move on to the TIC 3.0 program. How has the latest TIC 3.0 program updates and interim guidance influenced how agencies are accessing internal network resources and adopting the use of cloud-native applications?
Miller: CISA has done a great job of reacting to the mandatory work-from-home policies by updating the TIC 3.0 guidance with an interim update specifically addressing several of the challenges we previously discussed regarding the new telework model.
McAfee is very focused on assisting customers with navigating the best architectural approach for providing secure access and data protection to agencies’ and departments’ most sensitive information. There are several uses cases involved, but there are seven “must haves” that every organization needs to ask and answer:
- Enforce data loss prevention policies on data in the cloud, in sync with your enterprise data loss prevention (DLP) strategy;
- Prevent unauthorized sharing of sensitive data to the wrong people;
- Block/sync download of agency data to personal devices;
- Detect compromised accounts, insider threats, and malware;
- Encrypt cloud data with keys only the agency can access;
- Gain visibility into unsanctioned applications and control their functionality; and
- Audit for misconfigurations against industry benchmarks and automatically change settings.
MeriTalk: Let’s explore the topic of cloud security a bit further, and specifically how organizations are beginning to qualify and quantify cloud security risks. MITRE recently released the MITRE ATT&CK Cloud Matrix. How are you helping customers leverage the matrix to stay ahead of the threats?
Miller: Customers have needed a precise way to sort through the vast expanse of cloud security incidents they experience to uncover real threats. This is where the MITRE ATT&CK Cloud Matrix comes into play. The ability to map anomalies, threats, DLP incidents, configuration audit, and container vulnerability results to the tactics and techniques to the Cloud Matrix allows security analysts to first have a common vocabulary to explain and understand the threat and second a way to quickly visualize potential threats.
We offer this capability in our MVISION Cloud Security Platform today. Several security analyst teams will benefit and enable the following use case scenarios:
- SecOps Teams Advance from Reactive to Proactive:MVISION Cloud now allows analysts to visualize not only executed threats in the ATT&CK framework, but also potential attacks they can stop across multiple SaaS, PaaS, and IaaS environments;
- SecOps Teams Break Silos: SecOps teams can now bring pre-filtered cloud security incidents into their Security Information Event Management (SIEM)/Security Orchestration, Automation and Response (SOAR) platforms via API, mapped to the same ATT&CK framework they use for endpoint and network threat investigation; and
- Security Managers Defend with Precision:McAfee MVISION Cloud now takes Cloud Security Posture Management (CSPM) to a new level, providing security managers with cloud service configuration recommendations for SaaS, PaaS and IaaS environments, which address specific ATT&CK adversary techniques.
MeriTalk: Zero Trust is the hot topic across the industry now, and has been for several months. Why is Zero Trust so relevant now?
Miller: Even though Zero Trust (ZT) concepts have been around for over a decade, it’s now the hot topic on everyone’s mind. Zero Trust is interesting because it’s not a product, although many vendors are presenting themselves as the solution for ZT. I look at ZT as a reference architecture with many components. NIST recently released its SP800-207 and has defined ZT as a term, explaining it as an evolving set of cybersecurity paradigms.
The new NIST definition helps explain why Zero Trust is a very popular topic as the workforce has transitioned to a remote work environment. Many customers have been focused on the access control element, while we have been focused on data protection of cloud-based assets not located within an enterprise owned network boundary. There is not a one-size-fits-all Zero Trust solution. Architecture, process, maturity models, technology, and evolution play a role in the full adoption of a Zero Trust model, of which there are many interpretations.
MeriTalk: McAfee has recently released messaging around a Unified Cloud Edge capability. What is this exactly, how is it relevant to the topics we discussed today, and perhaps more importantly how does it help your government customers?
Miller: Unified Cloud Edge protects data from the device to cloud and prevents web-based and cloud-native threats that are invisible to agency and department networks. It is a framework for implementing a Secure Access Service Edge (SASE) architecture – a Gartner definition – which also aligns to a Zero Trust model and provides a safe way to accelerate digital transformation with cloud services, enabling cloud and internet access from any device anywhere to optimize workforce productivity.
Unified Cloud Edge enables consistent data and threat protection controls from device to cloud. It begins with three core technologies converged into a single solution:
- Cloud access security broker (CASB): Direct API and reverse proxy-based visibility and control for cloud services;
- Secure web gateway (SWG): Proxy-based visibility and control over web traffic and unsanctioned cloud services; and
- Data loss prevention (DLP): Agent- and network-based visibility and control over sensitive data. These technologies work together to protect data from device to cloud and to prevent cloud-native attacks.
Unified Cloud Edge creates a secure environment for the adoption of cloud services and enablement of access to the cloud from any device. Agencies and departments can accelerate their mission tasks through faster adoption of transformative cloud services by protecting their data and assets.
MeriTalk: What is on the near-term horizon for cloud security, and where might agencies and departments begin to focus more energy around their cybersecurity programs and initiatives?
Miller: I see at least four cloud security categories that will be discussed more frequently and require additional attention by cyber defenders and analysts over the next 6-12 months.
The will be managing the complexity of securing multiple hybrid cloud infrastructures, especially as container technologies become more pervasive.
The second area that will rise to the top of the list of concerns, if it hasn’t already, will be delivering a comprehensive data protection strategy across the enterprise from the device or endpoint to all things cloud. This will include cloud-to-cloud data exchanges and/or collaboration tools such as Microsoft 365, MS Teams, Slack, WebEx, etc. All the cloud services that we have been rapidly adopting over the last 6-8 months require a data protection strategy. Legacy security tools do not provide complete protection for cloud-based information exchanges and collaboration tools.
The third category will be attempts at providing security governance models for legacy applications that are moving to the cloud either through complete modernization efforts or leveraging container technologies. Comprehensive data protection and user behavior monitoring of these custom cloud applications will have to be addressed. Simply operating in a government-authorized cloud is not enough. It is the customer’s responsibility to secure the data monitor the user behaviors.
The final category will be the evolution of Zero Trust Architectures to Adaptive Trust Architectures. Zero Trust discussions today tend to focus on trust-no-device or entity at the point of entry or data flows in a South-North concept. Conditional and contextual access at scale will challenge a pure Zero Trust model in practice, and so will mission oriented organizations in connected and disconnected environments. In addition, data flows East-West or Cloud-to-Cloud information exchanges require additional security considerations.
Look for more on this topic in the near future…