Steps to Solving the Cyber Security Dilemma

by T. Kent Elliott, CEO, ForeScout Technologies

Tomorrow, President Barack Obama will unveil his much-anticipated cyber security report, a move that is likely to have a significant impact on the security industry. President Obama has identified cyber attacks, such as those on the NYPD, the Dalai Lama, the Pentagon’s Joint Strike Fighter and the U.S. electrical grid, as one of the most significant threats facing our national security. Obama has pointed out that the increased use of Web 2.0 applications and peer-to-peer architecture is making it easy for hackers to maintain armies of hijacked computers. And he has called upon federal, state and local government agencies to take steps to increase security, protect against malware and reduce insider threat.

But what can be done?

According to Steven Cooper, former CIO of both the American Red Cross and US Department of Homeland Security, and founding partner of Strativest: “It is becoming more critical for federal government agencies — and their suppliers — to consider adopting key enterprise security technologies like NAC, which successfully protect global enterprises against hackers and malware today.”

With a growing number of federal, state and local government customers, ForeScout is in a unique position to address the threats to the US infrastructure and the challenges the government faces in managing these threats to protect its citizens and their personal and national economies.

At times like these, hype and anxiety often reach their peak. It is important to remember the basics and avoid sensational theories and ambitions that simply act to multiply the risks.

There are manageable and measurable steps that government administrations and companies alike can take to improve infrastructure security. These steps will not force the nation to reinvent the wheel; instead, they deploy current, proven best practices such as:

  • Identify the real vulnerabilities.
    We have to understand the scope of the issue. Many government agencies and companies have network infrastructure and users spread across multiple buildings and locations … all with varying levels of security. In real time, you have to know who and what has access to your network, where it is and how compliant it is with your well thought-out policies … before you can protect it. As we found in working with enterprises and local government agencies such as the FAA, the US Army and Albany County, network discovery and asset management are fundamental baselines, critical to identifying and then eliminating real network vulnerabilities.
  • Prepare to address evolving threats.
    Over the last year we have seen cyber threats take a variety of forms, from malware to peer-to-peer network breaches, to man-on-the-inside attacks and cyber espionage launched via USB thumb storage drives. ForeScout has worked with government agencies to help ban the use of external computer flash drives at mission-critical locations and to remove threatening peer-to-peer applications from endpoints, and has seen zero-day morphing of existing worms into new, unknown attacks. Whatever solution the government puts in place must have the ability to respond to these evolutionary threats. ForeScout, knowing all the security policies of the organization, immediately detects existing, evolving and emerging threats and violations, enabling the agency to take immediate, appropriate action, from terminating connectivity to disabling a device or uninstalling a risky, banned application. Once the policy is established and put into enforcement mode, this happens automatically, without human intervention.
  • Avoid rip and replace tactics.
    The US government is already spending excessive amounts of money trying to reboot the economy, but too much money can permit easy knee-jerk reactions that complicate an already existing challenge. From a security expert’s point of view, ripping out and replacing network infrastructure should be the last thing we try in these cyber security efforts. Vast overhauls of the network infrastructure across local, state and federal levels seriously delay protection and add risk, actually increasing vulnerabilities. While new deployments are being stabilized over a very lengthy process, inherent vulnerabilities within the new infrastructure surface, adding to the dangers, counter to the objectives. As has been successfully experienced in all ForeScout installations, the security technology within the company’s CounterACT product meshes with already existing, stabilized, heterogeneous IT infrastructures. CounterACT therefore brings heightened, field-proven security against cyber threats without requiring major IT changes, bringing security capacity to vulnerable networks quickly.
  • Choose scalable solutions that automate baseline security operations.
    The network is always dynamic, with never-ending comings and goings of equipment, applications, people and internet connectivity, each bringing its own threats and exposure. Automation with proven Network Access Control appliances such as CounterACT, which are accurate, provide real-time baselining of security posture, and conduct immediate and timely assessment followed by enforcement and remediation, is the only way to protect the enormity of the infrastructure from the magnitude of problems that are in a constant state of flux, from case to case and moment to moment.

As the nation moves forward, we must remain wise about the solutions we put in place, using prudence to build upon current network strengths, adding to and bolstering them and making them dynamic in response to evolving threats, rather than panicking, not knowing what to do, and throwing an untested, non-stabilized, lengthy-to-deploy infrastructure at the problem.

CounterACT makes today’s static but stabilized network infrastructure dynamic, equal to the dynamics of the ever-changing threats. CounterACT provides an automated, scalable, infrastructure-agnostic solution for network access control that has been proven in real-life deployment across global networks to be well-equipped to address the needs of Executive, Federal and State government agencies. CounterACT has been certified after rigorous testing and is field-deployed in numerous US government agencies today: it is, in fact, the only approved NAC solution currently on the US Army purchase list (AIAAPL).

Solutions like CounterACT are required to close the security gaps in the Department of Homeland Security and other US networks while mitigating the rising cost of security. It is our earnest hope that those in a position to make technology recommendations and decisions – the spokespeople of BENS.org, the contract leads at Booz Allen Hamilton, the Obama appointees such as Melissa Hathaway or even Admiral Dennis Blair – will make wise, prudent and fiscally sensible choices.
