Data-mapping is the next step when it comes to building cyber situational awareness, security leaders said at GovCIO Media & Research’s zero trust conference Thursday.
In order to detect suspicious activity on your network, you first need to understand what regular behavior looks like, said Gerald Caron, CIO for the Office of Inspector General at the Department of Health and Human Services (HHS).
“We are doing data mapping — not network mapping, but data mapping,” he said. “Understanding where our data is, where our data is going. Because if that's what we're trying to protect, we’ve got to understand what normal looks like. That will allow us to later do micro-segmentation.”
Drew Malloy, technical director for the Cyber Development Directorate at the Defense Information Systems Agency (DISA), said that understanding data will be critical to maturing the Department of Defense’s (DOD) zero trust model.
“If we want to get to the true zero trust Shangri-La of fine-grained access control to specific data — based on how it's tagged, based on need to know, things of that nature — we have to get our hands around data. DOD is a behemoth when it comes to that, right, but we need to start small.”
In order to secure that data, not only do cybersecurity teams need to gather information on what normal activity looks like — they also need to understand their users' operational needs. Operational data is critical to getting controlled access and segmentation right, otherwise security measures can become a barrier to people doing their jobs.
“We're not asking, ‘How do you work?’ But, ‘How do you want to work?’ So we can build those things in,” Caron said. “What kind of devices do they like? What do they really need? When do they need it? And then when we go on this journey, there’s less friction.”
User experience is a critical issue across the Defense Department, which is shifting its cybersecurity priorities to focus on mission performance.
“We had a really bad habit of going after the best, newest thing out there that somebody got sold on, and then throwing it on the endpoint,” Malloy said. “And the next thing you know, we've got three or four agents running on the endpoint and it's pegging your CPUs and you can't get anything done. So, taking a look at, how do we have a unified endpoint management product that we can optimize for actual performance while bringing security? No longer looking at the two in isolation, but bringing the two together to say, ‘Security can't just come at the cost of performance.’”
Don Watson, CISO at the Patent and Trademark Office, said that cybersecurity measures have to work with mission, not against it. When he joined USPTO, he began building relationships with operational leaders to make that happen.
“When I came on board at USPTO, about three and a half years ago, I found our approach toward cybersecurity overall to be that we were more of a roadblock than an enabler,” Watson said. “It's very important that you are an enabler for either mission or business operations. I met with all the businesses, and I told them, ‘I am not here, and my team is not here, to stop you from doing anything. We're here to help you either design a product or deploy a solution that is secure.’”
For Caron, it all comes back to understanding data — where it is, who is using it, and what normal traffic looks like — so that users can securely complete their mission.
“At the end of the day, we're protecting data,” Caron said. “Data to the right people at the right time.”