The Office of Personnel Management in the United States is responsible for vast volumes of personal information. They’re responsible for the data relating to potential, current and past employees of the government. IT Security Operations Director Jeff Wagner is responsible for protecting this data against a constantly changing threat landscape. He’s taken a non-traditional approach to not only respond to threats in seconds with fewer resources, but also uncover previously hidden threats that were lurking on the network.
“A lot of people are realising that the current security architecture we’ve grown up with is pretty well dead. We need to take an entirely new approach towards defeating adversaries,” he says. Wagner sees attackers taking a far more targeted approach to breaching organisations. Rather than hammering at boundaries, they are using stolen credentials to simply walk in through the front door. This is disconnected from how many organisations approach security. Typically, they invest heavily in perimeter security that is largely ineffective once someone has access to a user’s account. Many people see two-factor authentication as a potential solution, but Wagner sees issues with this approach.
“From a corporate perspective, or a federal government perspective, it’s very difficult issuing out all these two-factor credentials and then trying to manage them. At the same time if a card or token breaks I have to swap it out. Do these people stop doing business while I swap them out? There’s the management overhead of deploying this. It’s very difficult; doing two-factor authentication is very difficult for an enterprise”.
That means there needs to be a move from securing the perimeter to watching what happens inside the perimeter.
“I consider every user an insider threat. I look through everything we do and use behaviour analytics for everyone. I want to know when that good user turns into a bad user,” Wagner says.
“When I log in, I verify my log-in,” he quipped.
The good news is the security industry is starting to evolve with the pace picking up. Peter Clay, the Chief Information Security Officer at Invotas, says over 1200 new security companies received venture capital funding last year with the investment continuing to increase.
Wagner sees some significant changes occurring on the defensive side of the cybersecurity war. “We’ve reached the point at which, unless we develop full-on AI capability, there’s really not a whole lot new in the IT world. What we need to realise is once we’ve set up all these tools running and something goes wrong – no one stops what they’re doing”.
However, the news is far more positive. He sees the ability to use better analytics to detect malicious behaviour, whether it’s intentional or accidental, as a major game-changer along with orchestration – the ability to take the data relating to a detected incident and automatically initiate the response.
When looking at most of the recent mega breaches, the forensic investigation after the incident has revealed log entries that were either missed or noticed but not reacted to either quickly enough or at all. Once the initial log entry was seen, it was lost in the noise of subsequent entries until the attacker launched their attack, often months after the initial breach.
These tools allow Wagner to operate a very efficient team. With a small budget of just $211M USD, he says OPM is the “biggest little agency” of the US government. With just eight engineers to run his network, he needs to maintain a laser focus on what’s important.
“Many people say we only have 8500 users – which is totally true. However I have 13000 federal investigators out around the world with laptops all remotely connecting back to the network. I get over a trillion terabytes of data passing through the sensors. I don’t have enough engineers to react to them. Orchestration is a game-changer”.
Part of his approach has been to do away with written procedures and replace them with flowcharts so that they can be used more readily – much like the pictographs airlines use for emergency procedures. This makes it easier for users to follow and results in fewer errors. It also means repeatable processes are highlighted clearly which simplifies the process of finding which processes can be automated.
The result of the automation is staff can be relieved from performing simple tasks and allowed to focus on higher value and more complex issue resolution. This results in better skilled workers who are better equipped to deal with serious breaches. The automation also reduces the time it takes to react to an issue and initiate a response.
While moving to this kind of automation seems difficult, Wagner says it’s really about finding which problems can be most easily automated and deliver value. Rather than trying to do everything all at the same time, the secret is to target your efforts and approach it as a long-term program rather than a finite project.