The SolarWinds and Log4j incidents have forced many federal agencies to search for new ways to safeguard their networks from a catastrophic cyberattack. The Department of Homeland Security is now eyeing next generation security and automation as means of better protecting its IT enterprises.
Shane Barney, CISO at USCIS, said he likes the next-generation security concept because it fosters a forward-looking rather than purely reactive approach to cybersecurity.
“NextGen is aimed at constantly pushing your security program to adapt and overcome whatever is coming at it. That constant state of change and flux really has to be driven. The modern cloud-based world we live in is unbelievably flexible and security programs have to adapt to that and move at that speed and scale,” Barney said during a Federal Insights Exchange panel.
Eric Sanders, CISO at DHS, said next-generation security also means finding ways to share information with those you don’t traditionally share with.
“It’s one thing to talk about sharing among our traditional partners, it’s another thing to share with those we don’t normally share with that puts us out of our comfort zone but helps us respond to events in a timelier fashion,” Sanders said. “Being able to work through an attack because we know they’re going to happen; we know they’re going to find software vulnerabilities faster than we can create patches for them, so we need to be able to respond in an automated fashion.”
DHS representatives have stated that automation is necessary for securing an enterprise with full cloud integration. The massive amount of data being created, and the scale and speed of it, is not something that protected manually.
“Automation is the critical crux of your entire operation — building proper feedback loops, making sure your automation is correct and doing what you want it to do, making sure that you’re always watching both sides of the fence,” Barney said.
“My priority is to automate our governance risk and compliance solutions and create a real time understanding of risks across the enterprise so we can start to automate the easier decisions as it relates to authorizations. If we can automate those and focus our person power on harder problems and gray areas, to me that would be a big win for us,” Sanders said.
During the event, Barney and Sanders also outlined ways agencies can improve their overall security posture.
Sanders believes that compliance can lead to better security posture, but that technical security is ultimately paramount.
“Assessing that security posture through aggressive adversarial simulations like pin testing and bug bounty programs to try and find those vulnerabilities,” Sanders said. “Inviting others in to assess your security posture especially from the outside will go a long way to ensuring that you’ve made the right decisions and that you’re secure enough.”
“Automate as much as possible about the known things in your environment and then focus as much as possible on the unknown threats,” Barney said. “Never be satisfied where your tool set sits. Stay a step ahead and stay up with the current threat environment as it shifts. Always altering the program, making updates and changing the way you do things is critical.”