See something – say something. In the physical security world, this mantra is most commonly associated with efforts to motivate regular citizens to help law enforcement prevent terrorist acts.
In cybersecurity, whether due to siloed technologies, competing companies/agencies, or even in the name of privacy and classified data regulations, this concept hasn’t yet been put into practice in a widespread way.
At a lunch ForeScout hosted this week at RSA, in a discussion with some of the leading public sector cybersecurity professionals, Dr. Phyllis Schneck, former Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate, highlighted the need for stronger programs and systems that will help ensure that “see something – say something” is a core component of our efforts to secure .gov networks, the nation’s critical infrastructure and even private networks.
During Phyllis’ tenure, the Continuous Diagnostics and Mitigation (CDM) program began to be implemented throughout the civilian government. The intent of CDM is to determine the devices connecting to government networks, understand the security profile of those devices, continuously monitor the networks and initiate an automated response to security incidents. CDM is a major way that “see something – say something” will be rolled out within the federal government.
Phyllis described the vision of collecting this data across agencies into a global security operations center. One of the greatest challenges facing agencies is determining what is actually on their networks. Most organizations know the managed devices: laptops, mobile devices, etc. But even the most savvy organizations may not be aware of the security cameras, smart TVs and other devices that have been installed without their knowledge. Without visibility of these devices, it is impossible to truly secure the network.
This device data, once collected, is correlated, filtered against privacy and national security regulations, and then shared back across agencies and the private sector. This threat intelligence is vital in helping the private sector protect itself from adversaries who might attack for profit or who might be or represent nation-states. Phyllis stated that better, timelier intelligence is forthcoming.
These systems are not possible without partnership between the public and private sectors. As Phyllis mentioned, the government cannot build out these systems alone; she mused that they likely would be delivered over budget and ten years too late. Instead, the private sector needs to be the innovation engine to build solutions that detect devices on the network, prioritize threat intelligence and make that intelligence consumable and actionable.
In a world of ever-increasing Internet of Things (IoT) devices, the challenge of addressing what’s on networks, and collecting and reporting security data, is made more difficult. And helping to ensure those types of technologies can get into the hands of even the smallest, least cyber-aware companies is a challenge when most of these organizations do not have the budget for these solutions or even an approximate understanding of the real risk. (Look at the example of restaurants bleeding credit cards due to ingenious hackers accessing their point-of-sale systems.) To improve security across the nation, Phyllis laid out a vision of a cloud-offered managed service that would basically deliver CDM as a service to all sizes of businesses. Delivering “see something – say something” at that scale would be a mission that would be achieved through public-private collaboration.