By Egon Rinderer, Global Vice President of Technology and Federal CTO, Tanium
Most agencies have successfully met initial telework surge requirements – putting the basics in place to continue essential operations. Recent research found approximately 90 percent of federal employees now telework and 76 percent feel they will be able to telework at least part-time in the future. With the basics now in place, the next priority for every IT team is a careful assessment of cyber risks, current protections, and what is needed to keep systems and data safe in an environment with exponentially more endpoints in more places.
Data residing on endpoint devices operating beyond the agency network perimeter isn’t all that’s at risk – if compromised, those devices can also be used by malicious actors to tamper with or steal sensitive data on the agency’s enterprise network. As the number of devices outside of the protected network grows, the attack surface expands and risk increases.
The reality is that many organizations were already struggling with basic cyber hygiene before the telework surge – and most of the security tools implemented were designed for local enterprises. With a distributed workforce, this means increased cyber risk, as the security tools in place become even less effective.
In this new environment, federal IT teams should focus on risk prioritization and remediation – identifying and addressing the vulnerabilities that pose the highest risk and could have the biggest negative impact on the agency and its mission.
Performing Risk Prioritization and Remediation
Almost half of federal agencies say the new distributed workforce has affected the execution of projects and over one-quarter feel planning for the next fiscal year has been delayed. April and May were months of change, and June is predicted to be a catch up month. Demand and expectations for real-time information and IT support from customers are up, so agencies must be prepared.
Risk prioritization helps IT teams evaluate the infrastructure beyond individual data vulnerabilities: it informs which vulnerabilities to patch first and factors in each endpoint’s security posture, which can dramatically change the risk level. By prioritizing risks, security teams can more effectively allocate their already limited resources to focus on mission critical tasks.
However, IT teams now have to consider the degrees of separation between each endpoint in context. In addition to the connectivity to the enterprise network, there’s often connectivity to other endpoints, the applications and users authenticated to each, and the rights and privileges conveyed through such mechanisms as AD group membership. Even if one endpoint is completely secure, a user profile on another more vulnerable endpoint could provide an access point for lateral movement into the entire network. Given that these factors and variables can change by the second in a large enterprise, a quarterly, monthly or even weekly risk assessment is insufficient.
Often, the security problems that agencies are facing are oversimplified, and vendors can only provide partial solutions to help. Agencies run a vulnerability assessment and receive a risk score from a system such as the industry standard Common Vulnerability Scoring System (CVSS), which helps them assess and rank vulnerabilities in their vulnerability management process. However, while risk scoring systems such as these combine several types of data in order to produce the vulnerability risk score, they aren’t always based on real-time data, and the results are only as good as the data that’s input.
Vendors have completed a piece of the puzzle by diagnosing vulnerabilities and identifying threats, but have to now take into consideration the millions of risk scores across millions of endpoints – some of which are unknown – trying to access the network and the context of the relationship between these endpoints over time.
The lack of complete visibility into the network leaves many vulnerabilities unknown and makes risk assessments little more than guesswork for IT teams – increasing the likelihood of a breach. Risk scores are living, breathing things, and, especially in the new teleworking environment, must be based on real-time data to protect the agency’s environment and overall mission.
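One way to put the contextual risk idea from the preceding paragraphs into code is to propagate each endpoint’s vulnerability score along the lateral-movement paths that connect it to others, weighted by the privileges of the user profiles present on the vulnerable machine. The example below is added here and is not Tanium’s or the author’s code; the inventory, the AD group weights and the per-hop decay are constructed assumptions, not a published scoring method.

```python
"""Contextual endpoint risk over a constructed endpoint graph (added example)."""
from collections import deque

# Constructed inventory: CVSS of the worst unpatched finding per endpoint, and
# which user profiles (cached credentials) are present on it.
ENDPOINTS = {
    "laptop-a": {"cvss": 9.0, "users": ["alice"]},
    "laptop-b": {"cvss": 0.0, "users": ["bob"]},
    "fileserver": {"cvss": 0.0, "users": ["svc-backup"]},
    "dc01": {"cvss": 0.0, "users": []},
    "kiosk": {"cvss": 4.0, "users": ["sysadmin"]},
}
LINKS = [("laptop-a", "laptop-b"), ("laptop-b", "fileserver"),
         ("fileserver", "dc01"), ("kiosk", "dc01")]
AD_GROUPS = {"alice": ["Domain Users", "Server Operators"], "bob": ["Domain Users"],
             "svc-backup": ["Backup Operators"], "sysadmin": ["Domain Admins"]}
# Assumed weights: how much reach a credential from this group gives an intruder.
GROUP_WEIGHT = {"Domain Users": 1.0, "Server Operators": 1.5,
                "Backup Operators": 1.5, "Domain Admins": 2.0}

def privilege(endpoint):
    """Highest group weight among user profiles present on the endpoint."""
    groups = (g for u in ENDPOINTS[endpoint]["users"] for g in AD_GROUPS[u])
    return max((GROUP_WEIGHT[g] for g in groups), default=1.0)

def hop_distances(start):
    """BFS over LINKS (treated as undirected): hops from start to each endpoint."""
    adj = {e: set() for e in ENDPOINTS}
    for a, b in LINKS:
        adj[a].add(b)
        adj[b].add(a)
    dist, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def contextual_risk(target):
    """(score, driver): own CVSS or, if worse, the exposure inherited from a
    vulnerable endpoint that can reach it: CVSS x privilege there / hops, capped at 10."""
    best, driver = ENDPOINTS[target]["cvss"], target
    for source, info in ENDPOINTS.items():
        hops = hop_distances(source).get(target)
        if source == target or info["cvss"] == 0.0 or not hops:
            continue  # no finding to exploit, or no lateral path to the target
        score = min(10.0, info["cvss"] * privilege(source) / hops)
        if score > best:
            best, driver = score, source
    return best, driver

def prioritize():
    """Endpoints ordered by contextual risk, worst first, with the driving endpoint."""
    return sorted(((e, *contextual_risk(e)) for e in ENDPOINTS), key=lambda r: -r[1])
```

Note that dc01 carries no finding of its own, yet ranks above the fileserver because a Domain Admin profile sits on a vulnerable kiosk one hop away; a change in who is logged on where reorders the list, which is why the inputs need to be current.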
Now that agencies have established basic connectivity, the focus has shifted to optimizing connections and improving security. There are a variety of approaches – some agencies have deemed split-tunnel virtual private networks (VPNs) too risky, opting for full tunnel VPNs where both user and management traffic flow through the same channel. While this approach can achieve the short-term goal of establishing and maintaining secure connectivity, it also has unintended consequences.
Using full tunnel VPNs can lead to slow response times, causing employees to disconnect from the VPN altogether. When this happens, IT teams are blind to those devices and they don’t get routine patches, making them increasingly vulnerable to cyberattacks. While these endpoints used to enjoy the added protection of sitting behind the enterprise network perimeter, they are now isolated in an uncontrolled environment with only their point tools protecting them, and active management and visibility are only afforded while they are connected to the VPN.
BYOD has added another layer of risk and complexity, with many employees turning to personal devices to continue working. However, there’s often a discrepancy between not just the out of the box tools that reside on an individual’s personal device and their work computer, but also the security tools loaded and managed on each. And, when these BYOD devices only have periodic connectivity to the agency network, cybercriminals no longer have to penetrate a multi-layered protected perimeter to get into the main server. They can use the unprotected device as an entry point into the network.
A holistic approach helps enable improved visibility and control over the network, regardless of where an asset is located. The challenge is that decisions about connectivity, endpoint security, and perimeter security are often made in a vacuum by the separate teams responsible for each, rather than as a combined solution. With a holistic approach in mind, teams can understand what is impacting the agency’s risk, mitigate each risk for the time being, and remediate it for the long term.
The Next Phase
As agencies look to the future, operations will not resume as in times past and budgets will be impacted. Agencies must consider the sustainability of solutions long-term, specifically in terms of mitigation of the inherent risk a distributed workforce carries. They should be pragmatic in their future plans, having ideological discussions around assessing and measuring risk, dealing with steps to mitigate risks, and finding cost-effective ways to address risk and secure the network. IT teams need to be data driven and look at the validity of the data agencies are working with.
Agencies must build a foundation for assessing and addressing risk based on real time data to maintain business and mission continuity amid a risk landscape that’s changed dramatically and irrevocably.
It may seem impossible to get a hold of the amount of data needed quickly enough to make good risk decisions. But, it’s not impossible – it’s being done today. With the new levels and types of risk that arise from this remote environment, it is critical to set aside traditional risk assessments and protections and start looking at risk pragmatically. Agencies must take a hard look at existing tools and how they are hamstrung when dealing with remote endpoints – and consider replacing those legacy tools/platforms that fall short.
About the Author
Egon Rinderer is the Global Vice President of Technology and Federal CTO at Tanium. With 30 years of Federal and private sector industry experience, Egon currently leads the global Enterprise Services Organization as well as leading Tanium Federal as Chief Technology Officer. Joining Tanium at a time when the company was made up of less than 20 employees, he has held roles ranging from Technical Account Manager to Federal Pod Lead to global Vice President of the TAM organization. Prior to joining Tanium, Egon was with Intel Corporation and served throughout the US military and intelligence community in the United States and abroad in an operational capacity. Egon can be reached at firstname.lastname@example.org, online at https://www.linkedin.com/in/egon-rinderer/, or at our company website at https://www.tanium.com/solutions/federal-government/