Cyber leaders at the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) believe automation can make dramatic improvements to threat detection and vulnerability management processes at federal agencies, but the cybersecurity workforce shortage still challenges federal agencies’ overall cyber health.
According to CISA Tech and Cyber Strategy Lead Daniel Bardenstein, detection is one of several areas where agencies should be placing more emphasis as they try to strengthen their security posture.
“Detection of threats, detection of assets and detection of vulnerabilities. Automation is very flexible. It provides many different ways to get better visibility around what assets and vulnerabilities are so the agency has a sense of what it is that needs to be fixed,” Bardenstein said during a recent FCW event.
Once a particular threat has been detected, the next steps are finding out what assets were impacted, who owns the assets, and then identifying the vulnerabilities.
Bardenstein said vulnerability management is often overlooked in cyber strategies but can be heavily automated to reduce the burden on cyber professionals.
“Process automation across IT systems can make a huge impact and save a lot of people’s time to make phone calls or look up other resources,” Bardenstein said. “If people in their normal jobs can identify things that they can do all the time and repeat all the time, that is a good place to start automating. Just focus on the processes that people do over and over again.”
CISA is also trying to integrate existing technologies to have a common analytical environment, especially within the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program.
“We’re also launching EDR — the endpoint detection response effort — and a couple of other host-based initiatives that will provide additional degrees of both detection and automation to departments and agencies to help them better stay protected from threats,” Bardenstein said.
The SolarWinds supply-chain compromise, the Colonial Pipeline ransomware attack and the Log4j (Log4Shell) vulnerability highlight that no organization or sector is immune to cybersecurity vulnerabilities.
According to Energy's Puesh Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response, the agency is focused on increasing the visibility of threats targeting critical infrastructure through risk analysis, detection, discovery and mitigation efforts. One thing it's looking at is how to quantify cyber risks.
“We feel it’s a foundational thing in terms of how you actually invest in cybersecurity,” Kumar said. “We’re partnering with NIST to think through cyber risk modification efforts and how to connect cyber risks to financial risks so we can better invest in this area as a company across the board.”
Another project DOE is working on is determining cybersecurity baselines for critical infrastructure sectors.
“In some cases, they will be different for each sector and there may also be some commonalities where there’s an expectation of baseline cybersecurity that we should think about and how do we educate companies of all sizes on that,” Kumar said.
Securing the software supply chain remains a top priority for DOE. Kumar wants to set common software supply chain security standards across the energy sector to improve cyber postures.
“We’re developing a framework for what that can look like for energy systems so that we don’t have multiple variations of [software bills of material] and [hardware bills of material]. If we can develop a template, it will make it easier for energy companies, manufacturers and suppliers,” Kumar said.
In addition to workforce constraints, Bardenstein said retention problems and the high volume of data have caused many federal agencies to hit a tipping point as they move IT systems and data to the cloud. He said computers should do what computers are good at, and human workers should focus on more challenging work.
“We’re at a tipping point where people are starting to realize that there’s no way we can actually handle all of this,” he said. “A softer skills side of cybersecurity, where automation can often be most valuable to an enterprise, is in the area of a 'Tier 1' security analyst where humans take more steps. Tier 1 life is very difficult, there are mental health issues and a lot of burnout, which is not good for the employees or the enterprise that continuously loses talented personnel who try to promote elsewhere to make more money.”
Instead of trying to automate processes all at once, Bardenstein encouraged federal agencies to adopt a “spectrum” approach to automating data and security processes.
“There is a maturity model that you can think about across that spectrum. Enterprises should be thinking about how they can continuously find the right way they need to operate and move to a more mature approach to automation in their environment,” Bardenstein said.
CISA is in the process of operationalizing automation to address staffing needs and changes. In a security context, automating identification and detection workflows is a good starting point.
“Most people are concerned about automation when it comes to mitigating actions. Figuring out if something has changed, gathering additional information and presenting it to a user is a much safer place to start connecting those APIs and testing things out,” Bardenstein said. “You can have an identification, detection and enrichment playbook and then have a human in the loop to decide what to do. It’s important to understand where that risk and concern is around deciding what to do and automate everything in front of that and then if applicable everything after that.”
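The gated playbook Bardenstein describes, written out as an added example (hypothetical code for this article, not CISA's or any product's). Detection (diffing two inventory snapshots) and enrichment (looking up the asset's owner, criticality and known vulnerabilities, the steps described earlier in the article) run with no side effects; the only thing that can change the environment sits behind an `approve` callback standing in for the human decision, and anything that cannot be attributed to a known asset is parked rather than acted on. The asset inventory, vulnerability table, port snapshots and vulnerability identifiers are all constructed placeholders.

```python
"""Added example: detect -> enrich -> human approval -> act playbook.

Hypothetical code, not CISA's or any vendor's. All inventories, snapshots
and vulnerability identifiers below are constructed so the script runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed asset inventory (stands in for a CMDB or CDM export).
ASSETS = {
    "10.0.1.5": {"hostname": "web-01", "owner": "app-team", "criticality": "high"},
    "10.0.2.9": {"hostname": "lab-07", "owner": "research", "criticality": "low"},
}

# Constructed scanner output: hostname -> [(vulnerability id, CVSS base score)].
# The identifiers are placeholders, not real CVEs.
KNOWN_VULNS = {
    "web-01": [("VULN-EXAMPLE-1", 9.8)],
    "lab-07": [],
}

# Constructed listening-port snapshots; PREVIOUS is the baseline.
PREVIOUS = {"10.0.1.5": [443], "10.0.2.9": [22]}
CURRENT = {"10.0.1.5": [443, 4444], "10.0.2.9": [22, 8080], "10.0.3.3": [3389]}


@dataclass
class Finding:
    ip: str
    signal: str
    detail: str


@dataclass
class Enriched:
    finding: Finding
    hostname: Optional[str]
    owner: Optional[str]
    criticality: str
    vulns: list = field(default_factory=list)
    proposed_action: str = "open-ticket"


def detect(previous: dict, current: dict) -> list[Finding]:
    """Identification/detection step: diff two snapshots. No side effects."""
    findings = []
    for ip, ports in current.items():
        for port in sorted(set(ports) - set(previous.get(ip, []))):
            findings.append(Finding(ip, "new-listening-port", f"tcp/{port}"))
    return findings


def enrich(finding: Finding) -> Enriched:
    """Enrichment step: attach owner, criticality and known vulns, propose an action."""
    asset = ASSETS.get(finding.ip)
    if asset is None:
        # Unknown asset: the only sensible proposal is to identify it, never to act on it.
        return Enriched(finding, None, None, "unknown", [], "identify-asset")
    vulns = KNOWN_VULNS.get(asset["hostname"], [])
    severe = any(score >= 9.0 for _, score in vulns)
    action = "isolate-host" if asset["criticality"] == "high" and severe else "open-ticket"
    return Enriched(finding, asset["hostname"], asset["owner"], asset["criticality"], vulns, action)


def run_playbook(previous: dict, current: dict,
                 approve: Callable[[Enriched], bool],
                 act: Callable[[Enriched], None]):
    """Everything before `approve` is automated; `approve` is the human gate;
    `act` is the post-decision automation. Returns (executed, pending)."""
    executed, pending = [], []
    for finding in detect(previous, current):
        item = enrich(finding)
        if item.proposed_action == "identify-asset" or not approve(item):
            pending.append(item)  # waits for a person; nothing touches the environment
            continue
        act(item)
        executed.append(item)
    return executed, pending


def demo(approved_hosts: frozenset = frozenset()):
    """Run the playbook with a scripted 'analyst' who approves only the named hosts.
    Returns (executed, pending, audit_log); the audit log records what `act` was asked to do."""
    audit_log = []
    executed, pending = run_playbook(
        PREVIOUS, CURRENT,
        approve=lambda e: e.hostname in approved_hosts,
        act=lambda e: audit_log.append((e.proposed_action, e.hostname, e.finding.detail)),
    )
    return executed, pending, audit_log


if __name__ == "__main__":
    executed, pending, log = demo(frozenset({"web-01"}))
    for item in pending:
        print("PENDING", item.finding.ip, item.hostname, item.owner, item.proposed_action)
    print("ACTIONS", log)
```

With no approvals the playbook still produces the enriched queue (owner, criticality, proposed action) for an analyst to review, which is the "automate everything in front of the decision" half; approving a host is the only thing that triggers `act`, and a host with no inventory entry never reaches the gate at all. Swapping the lambdas for a ticketing call and an EDR isolation API is the "everything after that" half, and keeps the same shape.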
Two years ago, DOE established a fellowship for middle- and senior-level cybersecurity and operations managers from U.S. electricity, oil and natural gas companies to help fill talent gaps in the cyber workforce.
“Let’s bring together power systems engineers and electrical engineers and maybe teach them cyber and then bring cyber individuals to the table as well and have a cross pollination of information so they can all work on this together,” Kumar said.
DOE is also investing in academia to mature cyber workforce development programs.
“Students participate in a competition called 'Cyber Force.' They come from all across the country and go to DOE laboratories where their goal is to protect a mock energy company while a red team tries to attack them,” Kumar said. “They learn about cybersecurity and about energy systems and what makes them unique.”
DOE hopes to expand the program to high schools in the future, he added.