Charles Leaver – The 30 Day OMB Cyber Security Sprint Had 8 Principles And We Have Supplied 8 Keys

Written by Dr Al Hartmann and presented by Charles Leaver, Ziften CEO


After the massive data breach at the Office of Personnel Management (OPM), Tony Scott, the Federal Chief Information Officer at the Office of Management and Budget (OMB), ordered agencies to take immediate and specific actions over the following 30 days to further improve the security of their data and systems. For an organization of that size this was a bold step, but software development has taught us that a short, focused sprint can make a great deal of headway on a problem. That is especially true for large organizations, and the federal government is certainly large.

The sprint focused on eight principles. We have broken them down and offered insight on how each could be made more effective within the timeframe, to help the government make significant inroads in only a month. As you would expect, we look at things from the endpoint, and as you read the eight principles you will see how endpoint visibility would have been essential to a successful sprint.

1. Protecting data: Better protect data at rest and in transit.

This is an excellent start, and rightly priority one, but we would strongly encourage OMB to add the endpoint here. Many data security solutions forget the endpoint, yet it is where data is most exposed, whether at rest or in motion. The team should check whether they can assess endpoint hardware and software configuration, including the presence of any data protection and system protection agents, and not forgetting Microsoft BitLocker configuration. And that is just the start: compliance checking of mandated agents should be carried out continuously, so that percentage coverage for each agent can be reported in audits.

2. Improving situational awareness: Enhance indication and warning.

Situational awareness is closely related to visibility: can you see what is actually happening, where, and why? And naturally this needs to be in real time. During the sprint it should be confirmed that the following can be tracked across many thousands of endpoints hosting vast numbers of processes: identity and tracking of logged-in users, user focus activity, user presence indicators, active processes, network connections with process-level attribution, system stress levels, significant log events, and a range of other activity indicators. THIS is situational awareness for both indication and warning.

3. Increasing cyber security efficiency: Ensure a robust capability to recruit and retain cyber security personnel.

This is a challenge for any security program. Finding great talent is hard, and keeping it is harder still. To attract this kind of skillset, equip people with current tools for the job. Make sure they have a system that gives complete visibility into what is happening at the endpoint and across the whole environment. As part of the sprint, OMB should review the tools in place and ask whether each one turns the security team from the hunted into the hunter. If not, replace that tool.

4. Boosting awareness: Improve overall risk awareness among all users.

Risk awareness begins with effective risk scoring, and fortunately this is something that can be done dynamically all the way down to the endpoint, which in turn helps educate every user. User education is never finished, as the continued success of social engineering attacks shows. But when security teams have endpoint risk scoring, they have concrete evidence to show users where and how they are exposed. This real-world situational awareness (see #2) improves user understanding, and it also gives the security team accurate information on, say, known software vulnerabilities, compromised credentials and insider attackers, while continuously monitoring system, user and application activity and network points of contact, so that security analytics can highlight elevated threats for triage by security staff.

5. Standardizing and automating processes: Decrease the time needed to manage configurations and patch vulnerabilities.

More should be demanded of security solutions: they should be immediately deployable without tedious preparation, network stand-up or extensive staff training. Did the solutions in place take longer than a few days to implement, or require another full-time employee (FTE), or even half an FTE, to operate? If so, reconsider them: they are probably hard to use (see #3) and are not doing the job you need, so the current tools will have to be improved. Likewise, look for endpoint solutions that not only report hardware and software configurations and active services and processes, but also apply the National Vulnerability Database (NVD) to report on actually running, exposed vulnerabilities, and then assign an overall vulnerability score to each endpoint to help overworked support staff prioritize patching.
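As an added illustration (not Ziften's product code, and not the NVD itself), the following Python sketches how such a per-endpoint score could be assembled: match an inventory against a vulnerability table, note whether the vulnerable software is actually running, and roll the matches into one number for a worst-first patch list. The inventory, the vulnerability table (placeholder identifiers, not real CVE numbers) and the aggregation rule are all assumptions constructed for this example.

```python
"""
Per-endpoint vulnerability scoring for patch prioritization.

Added example, not Ziften's product code and not the NVD API. The software
inventory, the vulnerability table and the scoring rule are all constructed
for this example; the identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                  # placeholder identifier (not a real CVE)
    product: str
    affected_versions: frozenset  # versions known to be affected
    cvss: float                   # CVSS base score, 0.0 to 10.0


# Constructed table standing in for an NVD feed (placeholder IDs).
VULN_TABLE = [
    Vuln("EXAMPLE-0001", "acme-reader", frozenset({"11.0", "11.1"}), 9.8),
    Vuln("EXAMPLE-0002", "acme-reader", frozenset({"11.0"}), 5.3),
    Vuln("EXAMPLE-0003", "widget-agent", frozenset({"2.4"}), 7.5),
    Vuln("EXAMPLE-0004", "legacy-java", frozenset({"1.6"}), 10.0),
]

# Constructed fleet inventory: installed {product: version} and the set of
# products observed with a running process on that endpoint.
FLEET = {
    "ws-01": ({"acme-reader": "11.0", "widget-agent": "2.4"}, {"acme-reader"}),
    "ws-02": ({"legacy-java": "1.6"}, set()),
    "ws-03": ({"acme-reader": "12.0"}, {"acme-reader"}),
}


def exposed_vulns(installed, running):
    """Match installed versions against the table.
    Returns (vuln, is_running) pairs; the flag is what turns a static
    inventory match into a 'really running, exposed' finding."""
    hits = []
    for v in VULN_TABLE:
        version = installed.get(v.product)
        if version is not None and version in v.affected_versions:
            hits.append((v, v.product in running))
    return hits


def endpoint_score(installed, running, idle_weight=0.25):
    """One illustrative aggregate (an assumption, not a standard):
    the worst weighted CVSS plus a tenth of the remainder, so that one
    critical issue dominates but many lesser ones still add up.
    Vulnerable software that is installed but not running is down-weighted
    rather than ignored: it has fewer attack paths, not none."""
    weights = [v.cvss * (1.0 if is_running else idle_weight)
               for v, is_running in exposed_vulns(installed, running)]
    if not weights:
        return 0.0
    worst = max(weights)
    return worst + 0.1 * (sum(weights) - worst)


def patch_priority(fleet):
    """Endpoints ordered worst-first: the list support staff work down."""
    scored = [(name, endpoint_score(inv, run)) for name, (inv, run) in fleet.items()]
    return sorted(scored, key=lambda item: -item[1])


if __name__ == "__main__":
    for name, score in patch_priority(FLEET):
        print(f"{name}: {score:.2f}")
```

The running/not-running flag is the part that matters for the "really running, exposed" distinction above: ws-02 carries the single highest CVSS in the table, but with the software idle it drops below a workstation whose vulnerable reader is live.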

6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation and lateral movement. Rapidly identify and resolve events and incidents.

Rapid identification of and response to problems is the primary objective in the new world of cyber security. During the 30-day sprint, OMB should evaluate its solutions and make sure to find technologies that not only monitor the endpoint, but also track every process that runs and all of its network contacts, including user login attempts, so that malware proliferation and lateral movement across the network can be followed. Data derived from endpoint command and control (C2) connections associated with major data breaches suggests that about half of compromised endpoints host no identifiable malware, which makes login and contact activity all the more important. The right endpoint security will retain OMB's data for long-term analysis, because many indicators of compromise appear only after the event, sometimes long afterwards, while persistent attackers may quietly lurk or lie dormant for extended periods. Attack code that can be detonated in a sandbox and identified within minutes is not the signature of advanced attackers. The ability to keep clues and connect the dots across both space (endpoints) and time is essential to full identification and to a resolution that does not recur.
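To make the point about login and contact activity concrete, here is an added Python example (not Ziften's code) of a simple lateral-movement heuristic run over constructed logon telemetry: one account successfully authenticating to many distinct hosts within a short window, with the initiating processes kept so the alert carries process-level attribution. The log lines, the window and the threshold are all constructed assumptions for this example, and no malware needs to be present for it to fire.

```python
"""
Lateral-movement heuristic over endpoint logon telemetry.

Added example, not Ziften's code. The log lines are constructed for this
example; the 10-minute window and the threshold of 4 hosts are assumptions
a team would tune against its own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one logon per line:
# "timestamp user source_host -> destination_host result initiating_process"
SAMPLE_LOGONS = """\
2015-06-15T09:00:02 alice ws-101 -> fs-01 success explorer.exe
2015-06-15T09:03:10 alice ws-101 -> mail-01 success outlook.exe
2015-06-15T13:12:00 svc_backup bk-01 -> fs-01 success backupd.exe
2015-06-15T22:01:05 bob ws-204 -> ws-101 success wmic.exe
2015-06-15T22:01:09 bob ws-204 -> ws-102 success wmic.exe
2015-06-15T22:01:14 bob ws-204 -> ws-103 failure wmic.exe
2015-06-15T22:01:20 bob ws-204 -> ws-104 success wmic.exe
2015-06-15T22:01:31 bob ws-204 -> fs-01 success wmic.exe
2015-06-15T22:02:02 bob ws-204 -> dc-01 success wmic.exe
2015-06-16T08:55:40 bob ws-204 -> mail-01 success outlook.exe
"""


def parse_logons(text):
    """Parse the constructed line format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, src, _arrow, dst, result, proc = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result, "proc": proc})
    return events


def fanout_alerts(events, window=timedelta(minutes=10), threshold=4):
    """Return one alert per account whose successful logons reach `threshold`
    distinct destination hosts inside any `window`-long span (sliding window
    over the account's events in time order). The alert keeps destinations,
    source hosts and initiating processes so an analyst can pivot from a
    user name to the process that made the contacts."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            dests = {e["dst"] for e in span}
            if len(dests) >= threshold and (
                    best is None or len(dests) > len(best["destinations"])):
                best = {
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                    "destinations": sorted(dests),
                    "source_hosts": sorted({e["src"] for e in span}),
                    "processes": sorted({e["proc"] for e in span}),
                }
        if best is not None:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, alert in fanout_alerts(parse_logons(SAMPLE_LOGONS)).items():
        print(user, alert["first"], "->", alert["last"],
              alert["destinations"], alert["processes"])
```

Only successful logons feed the fan-out count; the failed attempt is left in the data because a failure burst is a separate signal worth its own rule. Because the detection runs over retained history rather than a live stream, the same function can be re-run weeks later when a new indicator arrives, which is the retention point made above.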

7. Strengthening systems lifecycle security: Increase the inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner.

This is a respectable goal, and an enormous challenge at an organization as large as OMB. This is another place where the right endpoint visibility can immediately measure and report endpoint hardware and software configurations, operating system SKUs and patch levels, system stress levels, endpoint incidents (such as application crashes or hangs, service failures or system crashes), and other signs of endpoints outliving their useful or secure service lives. The result is a full inventory that can be prioritized for retirement and replacement.

8. Decreasing attack surfaces: Reduce the complexity and number of things defenders have to protect.

If principles 1 through 7 are followed, with the endpoint properly considered, that alone is a big step toward reducing attack risk. In addition, endpoint security can also provide a picture of the actual attack surface. Consider the ability to quantify attack surface by the number of distinct binary images exposed across the whole endpoint population. For example, our 'Ziften Pareto analysis' of binary image prevalence statistics produces a characteristic 'ski slope' distribution, with a long thin tail indicating huge numbers of very rare binary images (present on less than 0.1% of endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also complicates vulnerability lifecycle management). Data from many customer deployments reveals egregious bloat factors of 5-10X compared with a tightly managed, disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich hackers' paradise.
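As an added example (not Ziften's analysis code), the following Python shows one way to compute the three quantities described above on a synthetically constructed fleet: the prevalence distribution that plots as the 'ski slope', the rare-image tail below the 0.1% line, and a bloat factor relative to a disciplined baseline, along with a version-proliferation count per application. The fleet construction, the baseline and the thresholds are assumptions for this example.

```python
"""
Attack-surface quantification from binary-image prevalence (Pareto view).

Added example, not Ziften's analysis code. The fleet is constructed
deterministically so the example runs offline; each endpoint is the set of
binary images it hosts, keyed "name:version" as a stand-in for a content hash.
"""
from collections import Counter

RARE_FRACTION = 0.001  # "present on less than 0.1% of endpoints"


def build_fleet(n_endpoints=2000):
    """Construct a fleet: a managed core present everywhere, one sanctioned
    application left at five different versions (version proliferation), and
    a unique unsanctioned binary on every 20th endpoint (application sprawl)."""
    core = {f"core-{i}:1.0" for i in range(10)}
    fleet = {}
    for i in range(n_endpoints):
        images = set(core)
        images.add(f"reader:{11 + i % 5}.0")
        if i % 20 == 0:
            images.add(f"oneoff-{i}:0.1")
        fleet[f"ep-{i:04d}"] = images
    return fleet


def prevalence(fleet):
    """Fraction of endpoints hosting each image, most common first.
    Plotted in this order, the list is the 'ski slope' with its long tail."""
    counts = Counter()
    for images in fleet.values():
        counts.update(images)
    n = len(fleet)
    return sorted(((img, c / n) for img, c in counts.items()),
                  key=lambda item: -item[1])


def rare_images(prev, threshold=RARE_FRACTION):
    """The tail: images below the prevalence threshold."""
    return [img for img, frac in prev if frac < threshold]


def version_proliferation(fleet):
    """Applications present in more than one version, with the version count."""
    versions = {}
    for images in fleet.values():
        for img in images:
            name, ver = img.split(":")
            versions.setdefault(name, set()).add(ver)
    return {name: len(v) for name, v in versions.items() if len(v) > 1}


def bloat_factor(fleet, baseline_distinct):
    """Distinct images in this fleet divided by the distinct images a
    disciplined fleet would carry (assumed: the same core plus one sanctioned
    version of each application)."""
    distinct = len({img for images in fleet.values() for img in images})
    return distinct / baseline_distinct


if __name__ == "__main__":
    fleet = build_fleet()
    prev = prevalence(fleet)
    print("distinct images:", len(prev))
    print("rare images (<0.1%):", len(rare_images(prev)))
    print("version proliferation:", version_proliferation(fleet))
    print("bloat factor vs 11-image baseline: %.1fX" % bloat_factor(fleet, 11))
```

On this constructed fleet the 100 one-off binaries each sit on a single endpoint (0.05% prevalence), so they form the whole tail, and a fleet whose disciplined baseline would be 11 images carries 115, a bloat factor a little over 10X, in the range quoted above.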

The OMB sprint is a great reminder to all of us that good things can be accomplished quickly, but that it takes vision, not to mention visibility. Visibility, down to the endpoint, will be a critical piece for OMB to consider as part of its 30-day sprint.