Joel Dolisy is the CTO/CIO of SolarWinds. He provided written responses to questions from C4ISR & Networks.
C4ISRN: The DoD plans to place greater emphasis on automated responses to cyberattacks. How will automating responses and actions improve network security? What is involved in creating more automated networks?
JOEL DOLISY: Automating network security provides an abundance of benefits for IT security professionals and their agencies. With automation, information is gathered and can be leveraged instantaneously for security management of both devices and users to ensure that the organization is in a proper security posture. Also, in a world where security breaches continue to get more sophisticated and more damaging, every second counts, so automating network security can help to quickly pinpoint a breach, identify the root cause and often lead to a resolution quicker than manually checking every endpoint and connection.
There are some key features that go a long way to automating network security, specifically a single-pane-of-glass view into every component of the network with easy-to-understand metrics, alerts and reports. By continuously monitoring connections and devices on the network, and by maintaining logs and data of user activity, you can assess where on the network certain activity took place, when it occurred, what assets were on the network and who was logged into those assets. All of this information can help in reactive situations, but also ultimately turn your security automation into a proactive tool. Also, prioritization processes, configuration and change management, and defenses against malicious or accidental insider breaches can all benefit from being automated and ultimately provide another layer of checks on the security posture.
Traditionally many security tools have been cryptic and hard to use, with very few people on the IT team possessing a true understanding of how they work. To be beneficial, network security automation tools have to be easy to use at all levels of IT—a CIO must be able to get a high-level report and the IT security professional working with the tool every day must be able to get the detailed information they need—or it will fail.
C4ISRN: Share your thoughts on the Joint Information Environment and Joint Regional Security Stacks, and how the concept and the JRSS implementations will improve cybersecurity.
DOLISY: Never has the need been greater for JIE and JRSS. To ensure the safety of our country, and of our world, we require collaborative communications and modernized networks that allow forces to securely and efficiently deliver on their missions. Although obstacles exist, there are massive benefits to be gained from JIE and JRSS—one of them being the military's ability to take on a holistic view of security.
When JIE is complete, the DoD will have a single network that will be more efficient, secure and easier to maintain. IT administrators will have a holistic view of everything that's happening on the network, allowing them to pinpoint how one issue in a specific area can not only be detrimental to that portion of the network but also how it impacts other areas—this alone will bring about cybersecurity improvements. Plus, it will do away with everyone having their own monitoring or security tools, so a set of best practices can be established and shared across all the participants in JIE.
With a standard security architecture, it will be easier for IT managers to monitor and corner potential security threats and respond to them rapidly. Network managers can also explore the development of a continuous monitoring strategy, which can directly address the DoD's goals regarding efficiency and security. As its name suggests, continuous network monitoring involves 24/7 automated reporting on overall network performance, availability and reliability. It also helps identify potential security breaches, unauthorized users and areas of vulnerability. With the security and network teams working together, using standardized tools, JIE is bound to be an overwhelming success.
C4ISRN: Besides cyber hygiene, what are the key technical challenges associated with improved cybersecurity?
DOLISY: Even with proper cyber hygiene, the increased sophistication of attacks creates a number of technical challenges, including data management, insufficient tools and tuning and the ever crucial human element.
Data comes in and out of agencies all the time, sensitive, mission-critical data at that, and as data leaves an agency it is difficult to ensure that everything that leaves is actually OK to leave. What should go out? What should come in? What is the risk to the agency? The challenge is to know if the data is leaving because of a break-in from an attacker who got in and exfiltrated sensitive information, or if employees are copying confidential information to Dropbox or USB drives. Employing tools that track activity, including user device tracking software, IP address management, SIEM and log and event management software, can help to identify who and what are responsible for certain activity on your network and accelerate the identification and termination of suspicious activity.
The age-old issue of insufficient IT security budgets and long procurement processes presents a significant challenge to improving cybersecurity because federal IT pros are unable to purchase the necessary tools. And once the tools are implemented, they often require frequent fine-tuning to ensure the most value from the signal-to-noise ratio. As the sophistication of attacks increases, federal IT and security pros need to arm themselves with the right tools and need backing from an agency that is willing to provide the budget to secure their networks.
Finally, if the human element isn't secure, it can be quite easy for attackers to bypass even the best cyber hygiene programs. Social engineering often successfully targets both IT pros with privileged accounts and non-privileged users to gain information to launch an attack. Consistent, regular end user training is required to address the constantly changing threat landscape that agencies find themselves in today. The training has to be realistic and provide information about exactly how much damage a breach can cause to the mission of the agency to be impactful for end users.
C4ISRN: What are the challenges associated with endpoint security?
DOLISY: Even if the agency or military branch has its endpoints locked down, there are still several challenges, including use of public networks, physical loss, and again the human element.
Many agencies have heavily secured endpoints that prohibit data being accessed from a home network or a public network at a coffee shop or airport, for example, but even though rules are in place, a good IT pro always plans for the rules to be broken. Just one employee sitting on the wireless network in a public location can open themselves up to session hijacking and man-in-the-middle attacks. While the majority of users will connect to a VPN to provide a secure connection, it is not foolproof. The challenge is to make sure that all applications that are running on the endpoint are running securely whether they are inside or outside of the network.
Even with the most secure endpoint security, a lost or stolen laptop can present a significant security risk unless the hard drive is encrypted, which is not very common. To add to this, once again, we have the issue of end users. The user is one of the biggest risks to endpoint security as they may have privileges to override security precautions that have been put in place or simply click on the wrong link. Users need certain access to do their jobs, but they often then have enough permissions to inadvertently do a significant amount of damage. Once again, the best way to combat this is frequent training that illustrates how easy it is to be the target of an attack and how the user can be a key defense in any endpoint security strategy.