Lessons learned on building a common operating picture across networks

Federal agencies have more options than they might think in achieving integrated network visibility and control, a former fed says.

For years, government agencies have poured a great deal of money and resources into finding an efficient way to view activity across their networks.

I saw that first-hand during my tenure in government and my work over the years helping to shape national cybersecurity policy. Despite efforts to readily identify cyber risks, achieving an effective common operating picture continued to prove difficult at many agencies, and having a consolidated view of vulnerabilities and threat activity moving within and between networks was a major operational challenge. When I retired from government at the end of 2018, our Security Operations Centers still tended to coordinate cyber incident response and tracking of malicious activity through conference calls rather than synchronizing awareness and action in an automated fashion. This is a serious impediment when you are trying to counter criminal and nation-state actors moving at machine speed!

Jim Richberg, Chief Information Security Officer, Fortinet Federal

I recognized that part of the problem was due to the complexity and age of agency systems as well as the challenges of the federal budget cycle, but I also felt that the cybersecurity technology to enable integrated situational awareness and automated response must not yet exist. My view on that has changed, however, since leaving government and discovering that, in fact, the private sector had already come up with a solution — and is deploying it commercially.

From an agency’s point of view, I understand that IT leaders have to balance the risks of security threats with the day-to-day demands of keeping networks operating despite limited financial resources and staff. That balance has gotten shakier, however, as agencies expand into the cloud, begin to embrace wireless/Internet of Things technology and adopt software defined networks that lack perimeters. In short, the attack surface of government networks will continue to grow exponentially.

There are several factors that have made it harder to attain a centralized view of an agency’s network environment. First is the growing volume of devices and applications accessing government networks every day. Another is the sheer number of cybersecurity solutions and tools agencies have acquired over the years that don’t communicate well with each other. We typically have followed the approach in cybersecurity of seeing a problem, building (or in the case of government, buying) a solution and deploying it.

The result is that after a number of years, the typical large organization may have 50 or more security products or services, each addressing a separate problem. Data sharing between these tools is rudimentary, and “connecting the dots” of threat activity and creating the “big picture” of cybersecurity health too often falls on the overworked security analyst or network administrator. Finally, restrictions on sharing sensitive and departmental IT information – as well as cultural silos – continue to hinder information sharing, even on basic issues such as the existence of unpatched vulnerabilities.

In light of this situation, it’s easy to see why agency leaders might conclude that establishing a common operating picture and an integrated defense of federal networks will always remain an elusive goal.

Industry’s unified platform approach and its benefits

On the contrary, the private sector has largely solved how to achieve a common operating picture — and how to counter threats in real time at the point of attack and pre-emptively inoculate other potential victims.

This approach relies on a platform of devices — both physical and virtual — that can instrument the perimeter and the core of a network, along with the access points for wireless and IoT devices and hybrid cloud operating environments. Each of the major security technology providers has a different name for its platform. Fortinet’s is called a fabric approach. They vary in maturity and ability to integrate with products from other vendors, but collectively they signal an impending revolution in cybersecurity capabilities.

We often say one of the reasons cybersecurity remains hard is because the attack or vulnerability surface is growing exponentially, along with the variety and sophistication of threats. However, if we instrument this growing surface and collect key data, we have the ability to further discern potentially harmful or clearly malicious activity from abnormal and benign network traffic.

The key to doing this is big data analytics, in particular artificial intelligence and machine learning (AI/ML), which enables both discovery of and response to malicious activity in real-time and in an automated fashion. But what’s also needed is the ability to implement security improvements incrementally as IT departments upgrade and refresh their technology rather than initiating a wholesale rip-and-replace overhaul before they can achieve any significant improvement in security.

The effectiveness of the fabric approach was demonstrated in August 2019, when NSS Labs — the cybersecurity industry’s leading independent testing organization — conducted a breach prevention system test to assess the effectiveness of the unified platform technology approach. Using both real-world threat data and advanced threat models, NSS’s tests showed that, while the fabric solutions varied in effectiveness and total cost of ownership, as a class, they were both markedly more effective and more affordable than non-integrated point solutions.

AI/ML as potential game changers for cybersecurity

Artificial intelligence and machine learning technology are the key to making a unified platform work. Absent mature big data analytic capabilities, if you instrument the breadth of your IT operating surface, you will drown in data. But if you can instrument your network and if the devices you use are capable of taking action — as well as generating reports — you can potentially turn the tables on a would-be intruder.

The reality is that malicious cyber-activity is seldom invisible; when we audit the firewall logs during a breach investigation, we can usually see when and how the intruder penetrated the network — and the failed attempts that preceded their eventual success. Network defenders get countless alerts every day, many of which are false alarms. Even when the security operations team recognizes there is a real threat, they may not know how to respond or at least how to respond as quickly as the attacker is moving to capitalize on their success. If automation of threat detection and response can be driven by AI and ML, we can take these advantages of relative secrecy and speed away from an attacker.
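The pattern described above, a run of failed attempts followed by a success from the same source, is one that a SOC analyst can pull out of firewall logs mechanically. The following is an added example written for this article, not Fortinet's code or any product's API; it assumes a simple syslog-style `action=… src=… dst=… dport=…` line format, and the log lines are constructed for illustration. It correlates denied connections with a later allowed one per source/destination/port within a time window, and separately lists sources that were only ever denied, so that the noisy, lower-priority alerts are kept apart from the ones that indicate an intruder actually got through.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (invented for this example; not from a real device).
# The key=value layout is an assumption about the log format; adapt LINE_RE to your own.
SAMPLE_LOG = """\
2023-03-01T08:00:01 action=deny  src=203.0.113.7  dst=192.0.2.10 dport=22
2023-03-01T08:00:04 action=deny  src=203.0.113.7  dst=192.0.2.10 dport=22
2023-03-01T08:00:09 action=deny  src=203.0.113.7  dst=192.0.2.10 dport=22
2023-03-01T08:00:15 action=deny  src=203.0.113.7  dst=192.0.2.10 dport=22
2023-03-01T08:00:21 action=allow src=203.0.113.7  dst=192.0.2.10 dport=22
2023-03-01T08:01:00 action=allow src=198.51.100.4 dst=192.0.2.10 dport=443
2023-03-01T08:02:10 action=deny  src=198.51.100.9 dst=192.0.2.20 dport=3389
2023-03-01T08:02:11 action=deny  src=198.51.100.9 dst=192.0.2.20 dport=3389
2023-03-01T08:02:12 action=deny  src=198.51.100.9 dst=192.0.2.20 dport=3389
2023-03-01T08:02:13 action=deny  src=198.51.100.9 dst=192.0.2.20 dport=3389
2023-03-01T08:02:14 action=deny  src=198.51.100.9 dst=192.0.2.20 dport=3389
2023-03-01T09:30:00 action=deny  src=198.51.100.4 dst=192.0.2.10 dport=22
2023-03-01T10:00:00 action=allow src=198.51.100.4 dst=192.0.2.10 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Turn raw log text into a time-ordered list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def failed_then_succeeded(events, min_failures=3, window=timedelta(minutes=10)):
    """High-priority findings: a (src, dst, dport) tuple denied at least min_failures
    times within `window` and then allowed, i.e. the failures that preceded a success."""
    findings = []
    recent_denies = defaultdict(list)  # key -> timestamps of denies still inside the window
    for e in events:
        key = (e["src"], e["dst"], e["dport"])
        cutoff = e["ts"] - window
        if e["action"] == "deny":
            recent_denies[key].append(e["ts"])
            recent_denies[key] = [t for t in recent_denies[key] if t >= cutoff]
        elif e["action"] == "allow":
            denies = [t for t in recent_denies.get(key, []) if t >= cutoff]
            if len(denies) >= min_failures:
                findings.append({
                    "src": e["src"], "dst": e["dst"], "dport": e["dport"],
                    "failed_attempts": len(denies),
                    "first_failure": denies[0],
                    "success": e["ts"],
                })
            recent_denies.pop(key, None)  # start fresh after a successful connection
    return findings


def persistent_deny_only(events, min_failures=3):
    """Lower-priority noise: tuples denied at least min_failures times and never allowed
    (typical of scanning or brute forcing that the firewall is already blocking)."""
    denies = defaultdict(int)
    allowed = set()
    for e in events:
        key = (e["src"], e["dst"], e["dport"])
        if e["action"] == "deny":
            denies[key] += 1
        else:
            allowed.add(key)
    return {k: n for k, n in denies.items() if n >= min_failures and k not in allowed}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in failed_then_succeeded(evts):
        print(f"HIGH: {f['src']} -> {f['dst']}:{f['dport']} allowed at {f['success']} "
              f"after {f['failed_attempts']} denies since {f['first_failure']}")
    for (src, dst, dport), n in persistent_deny_only(evts).items():
        print(f"LOW:  {src} -> {dst}:{dport} denied {n} times, never allowed")
```

On the constructed data the first source is reported as high priority (four denies on port 22 followed by an allow within the window), the second is listed as blocked noise, and the single stale deny thirty minutes before a legitimate connection is ignored because it falls outside the window and below the threshold. The window and threshold are the knobs that trade missed detections against alert volume; tune them against your own baseline before wiring the output into an automated response.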

AI and ML take time to implement successfully: time spent building and training the models and curating the data. I’ve learned that if you try to rush into implementation of an AI/ML solution too quickly, odds are that your project will fail. Fortinet, for instance, has been using AI/ML technology in threat analytics for nearly 10 years and is on its sixth generation of AI/ML used in its global Security Operations Center and Threat Intelligence Unit (FortiGuard Labs).

Recently Fortinet made the functionality of this cloud-based capability available in software that can be deployed by customers in air-gapped or stand-alone networks. This gives government users who do not want to share threat data externally the ability to deploy a neural network-based threat-discovery and mitigation tool that is both effective out of the box and gets smarter as it learns in the local operating environment.

Commercial AI and ML solutions can also provide organizations another benefit — as a force multiplier to support workforce needs. Globally, various reports point to a 3 million-person shortage in cybersecurity personnel. Using automation to tackle the basics of cyberthreat analysis (tier 1 problems) lets IT staff focus on those tasks which require human judgment.

Take compliance reporting, for example. I don’t know anybody who finds generating compliance satisfying — it’s just necessary tedium. Automating this work increases efficiency and has a positive effect on employee morale, by freeing people to use their skills and training to deal with hard problems rather than rote reporting.

Cyber risk and the need to act

But automating tasks only goes so far. It’s more important than ever before to establish a reliable, common operating picture of threats and agency vulnerabilities in order to keep government resources secure.

Government agencies — and the public sector at large — were subjected to more security incidents and more breaches than any other sector last year, according to the Verizon Data Breach Investigations Report. A common operating picture helps IT departments attain wider and more granular network visibility. That in turn makes it easier to eliminate easily exploitable vulnerabilities that criminal actors routinely look for.

State of the art platforms such as Fortinet’s Fabric provide visibility both onsite and across multi-cloud environments. Fortinet’s technology, for instance, can monitor encrypted traffic moving through firewalls without compromising performance. This matters since the bulk of traffic on a network is now encrypted, and being able to read it without adding significant latency is important. This technology can also quickly distinguish between an external threat and an internal user mistake (such as misconfiguration of a web application), and can respond to both.

And because Fortinet’s platform is built on open, rather than proprietary technologies, agencies can remain more flexible. Part of Fortinet’s success with enterprises worldwide is based on working in an ecosystem of established partnerships with other technology providers so they can build a security approach that couples their existing infrastructure investment with the latest capabilities now available in the private sector in those areas of cybersecurity that they are upgrading. And, because new technology solutions often encompass functions performed by multiple older devices, total cost of ownership drops while performance accelerates.

Cybercriminals certainly aren’t slowing down their attacks. But the sooner that federal agencies begin establishing an accurate common operating picture of their networks coupled with an automated capability to respond to threat activity in real time, the sooner they can start to tilt the security odds back in their favor. The products and services to do so are being deployed in the private sector and the government networks and services that support the American people should leverage these same cybersecurity capabilities.


Jim Richberg is chief information security officer at Fortinet Federal. Richberg formerly served as the National Intelligence Manager for Cyber in the Office of the Director of National Intelligence, where he set national cyber intelligence priorities. Before that, he monitored and coordinated implementation of the whole-of-government Comprehensive National Cybersecurity Initiative for Presidents George W. Bush and Barack Obama.
