The U.S. federal government is making strides in several advanced approaches to cybersecurity. Various agencies have implemented new technologies and new processes to address evolving security threats. The emerging technologies and approaches covered in this article, which have been discussed and implemented in the federal market, include the zero-trust model, predictive analytics, machine learning, behavioral analytics and real-time assessment tool integration.
Zero-Trust Model
The primary driver in the zero-trust model is that both external and internal networks are to be secured and operated under the assumption that the networks cannot be trusted (i.e., don’t trust your network; assume it is compromised). We had used such a model in corporate IT in the early 2000s, especially segmenting users from the servers inside the corporate network.
The Forrester-developed outline of the model includes identifying the organization’s sensitive data; mapping the flows of that data; architecting the network around those transactions, with logical and physical segmentation; enforcing control and policy through automation; and continuously monitoring the network and systems. The multiple data breaches at the Office of Personnel Management (OPM) drove the U.S. House of Representatives Committee on Oversight and Government Reform to recommend adoption of this model.
Predictive Analytics
Predictive analytics focuses on the proactive identification of trends through analysis of the various data sets available in cybersecurity, such as server logs, applications, storage devices and network devices. This approach greatly aids cybersecurity protections at the network level because of the volumes of data required for analysis.
Predictive analytics can focus on three main areas: the potential and likely future targets of a cyberattack, analysis of large and expansive security data sets, and automation of the analysis workload. The outcomes of the analysis serve as a strategy map for additional cyber protections and/or hardening. Predictive analytics service offerings are more readily available now than in the past, and firms such as Red Hat offer a solution delivered as software as a service (SaaS). With finite or reduced IT budgets, focusing additional cybersecurity resources and related spending on the most likely attacks helps to direct the right funds to the right areas. Last year, Federal News Radio held a panel that focused primarily on how predictive analytics can help secure Department of Defense systems.
Machine Learning
Machine learning uses algorithms that allow a computer system to build models of cybersecurity behavior and provide analysis and/or predictions based on the data evaluated, such as logs, real-time communications and transactions. To accelerate machine learning, the Department of Defense created the Algorithmic Warfare Cross Functional Team to increase the integration of machine learning for data analysis, with potential applications related to cybersecurity. An example of machine learning in use is the Amazon GuardDuty service, which applies machine learning within the company’s continuous security monitoring and threat detection service to scan public and Amazon Web Services (AWS)-generated data streams for malicious or unauthorized activity in AWS environments.
Behavioral Analytics
Behavioral analytics is used to detect patterns in network and system activity in order to identify potential or actual cybersecurity threats. Behavioral analytics is often applied to the network, but it is now applied to user devices and systems as well. For instance, abnormally high data transmissions from a particular user device could signal a cybersecurity issue. Both the National Security Agency and the Office of Personnel Management are using behavioral analytics to fight insider threats by mining log files related to user activity.
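The per-device check described above (abnormally high outbound transmissions compared with that device's own history), as an added example that is not from the article or any agency tool; the log format, user names, device names and byte counts are constructed for illustration:

```python
import statistics
from collections import defaultdict

# Constructed sample data (not from the article): daily outbound byte counts
# per user device, such as a summary job over proxy or NetFlow logs would emit.
# Format: user,device,day,bytes_out
SAMPLE_LOG = """\
alice,laptop-01,2024-03-01,52000000
alice,laptop-01,2024-03-02,48000000
alice,laptop-01,2024-03-03,55000000
alice,laptop-01,2024-03-04,50000000
alice,laptop-01,2024-03-05,4900000000
bob,laptop-02,2024-03-01,120000000
bob,laptop-02,2024-03-02,130000000
bob,laptop-02,2024-03-03,125000000
bob,laptop-02,2024-03-04,118000000
bob,laptop-02,2024-03-05,128000000
"""

def parse_log(text):
    """Parse the comma-separated records into (user, device, day, bytes_out)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            user, device, day, size = line.split(",")
            rows.append((user, device, day, int(size)))
    return rows

def flag_egress_anomalies(rows, baseline_days=4, factor=3.0):
    """Flag days on which a device's outbound volume exceeds `factor` times the
    median of its own first `baseline_days` days. Comparing each device with its
    own history, rather than a single global threshold, is what makes the check
    behavioral: bob's normal 120 MB/day is not an alert, alice's jump is."""
    history = defaultdict(list)
    for user, device, day, size in rows:
        history[(user, device)].append((day, size))
    alerts = []
    for (user, device), series in history.items():
        series.sort()                      # chronological; ISO dates sort lexically
        baseline = [size for _, size in series[:baseline_days]]
        if len(baseline) < baseline_days:
            continue                       # too little history to judge this device
        median = statistics.median(baseline)
        for day, size in series[baseline_days:]:
            if size > factor * median:
                alerts.append({"user": user, "device": device, "day": day,
                               "bytes_out": size, "ratio": round(size / median, 1)})
    return alerts
```

Calling `flag_egress_anomalies(parse_log(SAMPLE_LOG))` returns one alert for alice's device on 2024-03-05 at roughly 96 times its baseline; a real deployment would feed the alert into the SIEM rather than act on it automatically.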
Real-Time Assessment Tool Integration
This capability exists to assess interdependent cyber activities, services and systems, along with data sets such as analytics, in order to present a cohesive depiction of events such as a cyberattack. To perform this task, the Johns Hopkins University Applied Physics Laboratory developed Dagger, a framework that can model and visualize cyber situational awareness data to reveal mission impacts.
The model does require initial data entry from subject matter experts to craft the mission model that is used to pull information from multiple real-time data feeds. A visualization is then presented showing the status of networks, systems, software tools, connections, servers and so forth. This aids understanding of cyber network mission dependencies (CNMD) and improves decision making in the event of a cyberattack.
As an example, through sponsorship from the Army Network Enterprise Technology Command (NETCOM), Dagger was used to map key cyber terrain and combine results from cyber defensive analytics, which gave network defense service providers and cyber protection teams “the situational awareness needed to actively defend the network and provide the commander with decision support to fight through an attack.”
Further adoption and implementation of these approaches and technologies, individually and in combination, will help increase the cybersecurity protection of critical U.S. federal government networks and systems.