By Julian Waits, GM, cyber business unit & public sector for Devo
The recent executive order calling for immediate improvements in the federal government’s cybersecurity is impressive. I give the Biden Administration a lot of credit for publicly admitting there are significant problems and weaknesses in the federal government’s IT and cybersecurity infrastructure and practices. The order also includes some key points that are significant for Devo and our customers.
Let the Work Begin
Issuing the order was easy. The challenge will be executing it. I have two major concerns. First, where’s the money going to come from to pay for it? Second, what happens if agencies don’t get it done within the deadlines that will be established? Will department heads lose their jobs for failing to implement these urgently needed upgrades? Where are the teeth in this EO? I hope it doesn’t get buried in bureaucracy. The country desperately needs this work done right — and right now.
Not surprisingly, one of the things I love about the EO is its emphasis on moving government data into the cloud and away from on-premises systems wherever possible. The order calls for centralizing data logs in the cloud. For Devo — and our customers and partners — the EO focuses on what we’ve been doing for years.
Is Centralized Logging Really Important?
There are a few key reasons for the EO’s emphasis on cloud shift and centralized logging. First, cyber protection technologies are broken. The Sunburst supply-chain compromise of SolarWinds Orion happened. The Colonial Pipeline ransomware attack happened. These incidents happened because organizations were relying on technologies that failed to see, identify and stop new attack vectors. The same outdated practices are rampant in the federal government, including the Department of Defense, and in hundreds of thousands of corporations and other organizations. They all fail to catch new threat vectors. One of the best ways to identify malicious activity is by analyzing logs, because a record of what actually happened survives even when the preventive control in front of it missed the attack. Centralized logging in the cloud, a Devo hallmark, is the fabric that ties this heightened emphasis on cybersecurity together.
Everything the EO mentions, including encryption technologies, cloud-native infrastructures for releasing applications and the entire IT and security stack, must be instrumented with logging. Endpoint detection and response (EDR) is not enough. Organizations, including the federal government, must be able to log what their EDR solutions are seeing. Storing data in the cloud is great, but what are your cloud audit trails (AWS CloudTrail, for example) telling you? What are other logging and instrumentation technologies telling you? That information is vital for timely, effective cybersecurity, and it is only useful if the records from all of these sources end up in one place where they can be searched and correlated together.
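As an added illustration of why those sources need to land in one place (this is example code written for this page, not Devo’s product and not anything from the EO), the following Python normalizes a handful of constructed CloudTrail-style and EDR-style records into a single timeline and runs a toy correlation rule across them: a sensitive IAM action performed by an identity whose endpoint raised an EDR alert shortly before. The record shapes, the list of “sensitive” actions and the one-hour window are all assumptions made for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records for illustration only; these are not real logs.
# The shapes loosely follow an AWS CloudTrail record and a generic EDR alert.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2021-05-20T09:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2021-05-20T14:02:11Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2021-05-20T14:05:40Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7"},
]
EDR_RECORDS = [
    {"ts": "2021-05-19T10:00:00Z", "host": "bob-laptop", "user": "bob",
     "alert": "suspicious_script", "process": "powershell.exe"},
    {"ts": "2021-05-20T13:58:02Z", "host": "alice-laptop", "user": "alice",
     "alert": "credential_access", "process": "mimikatz.exe"},
]

# Hypothetical set of IAM actions worth a second look right after an endpoint alert.
SENSITIVE_CLOUD_ACTIONS = {"CreateAccessKey", "PutUserPolicy",
                           "AttachUserPolicy", "CreateUser"}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps both sources use into aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(cloudtrail, edr):
    """Map both record shapes onto one schema (ts, source, actor, action, origin)
    and return a single time-ordered list. Without this step each source can
    only be searched on its own."""
    events = []
    for r in cloudtrail:
        arn = r["userIdentity"]["arn"]
        events.append({"ts": parse_ts(r["eventTime"]), "source": "cloudtrail",
                       "actor": arn.rsplit("/", 1)[-1],  # user name from the ARN
                       "action": r["eventName"], "origin": r["sourceIPAddress"]})
    for r in edr:
        events.append({"ts": parse_ts(r["ts"]), "source": "edr",
                       "actor": r["user"], "action": r["alert"], "origin": r["host"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window_seconds=3600):
    """Flag a sensitive cloud API call made by an identity that had an EDR alert
    on its endpoint within window_seconds beforehand. The rule is a toy; the
    point is that it needs both sources in one timeline to fire at all."""
    window = timedelta(seconds=window_seconds)
    edr_alerts = [e for e in events if e["source"] == "edr"]
    findings = []
    for e in events:
        if e["source"] != "cloudtrail" or e["action"] not in SENSITIVE_CLOUD_ACTIONS:
            continue
        for a in edr_alerts:
            gap = e["ts"] - a["ts"]  # positive when the alert came first
            if a["actor"] == e["actor"] and timedelta(0) <= gap <= window:
                findings.append({"actor": e["actor"], "cloud_action": e["action"],
                                 "cloud_origin": e["origin"], "edr_alert": a["action"],
                                 "edr_host": a["origin"],
                                 "gap_seconds": int(gap.total_seconds())})
    return findings


def run_example():
    """Run the normalize-then-correlate pipeline over the constructed records."""
    return correlate(normalize(CLOUDTRAIL_RECORDS, EDR_RECORDS))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the constructed data the rule fires once: alice’s CreateAccessKey call lands less than eight minutes after a credential-access alert on her laptop, while bob’s ListBuckets is neither sensitive nor near his day-old alert. Neither the EDR console nor the CloudTrail bucket alone could have produced that finding.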
Beyond that, organizations must instrument the applications they run so they can understand what is really going on. They need instrumentation up and down the full stack, including the supply chain and financial management systems. Traditional firewalls don’t cut it. Comprehensive security covers everything used to manage these applications, as well as the applications themselves. That’s why Devo delivers both security and IT operations for our customers.
It’s Time for Better Tools
The team that prepared this order appears to realize that, fundamentally, cyber protection technologies simply aren’t good enough. If intrusion prevention systems (IPS) and extended detection and response (XDR) solutions were foolproof, there would be no need for logging solutions. But they aren’t, and that’s the problem this executive order is attempting to address by emphasizing logging and cloud-based security. There’s a fundamental acceptance among businesses, the government and other organizations that cyberthreats and cybercriminals are going to succeed in their efforts to cause mayhem. Once you accept that, the only way to see what happened is with logs.
By the Book
Another area the EO addresses is the need to develop common cybersecurity playbooks so government agencies and departments can respond to security incidents faster and more effectively. As with the emphasis on logging and cloud shift, this is an achievable goal. It’s important to realize that playbooks will be more useful for incident response than for detecting threats and the people behind them. That’s because attack vectors keep changing, which makes them much harder to predict and plan for. The best playbook can only do so much, even with highly skilled professionals executing it. Ultimately, when cybercriminals encrypt data and demand ransom to unlock it, or steal information to sell on the black market, they have taken control of it. That’s why logging is such a fundamental principle of cybersecurity. The only way to perform effective incident response is to have a history of exactly what happened.
Get Your Heads in the Cloud
The EO hits the nail on the head with its call for government entities to move their data to the cloud. The government must have a centralized location for all the information it needs to monitor and manage. In fact, every government, business or other organization should operate under the assumption that its data will be compromised, someday, somehow. When that day comes, do they want to chase down the culprits and what they did across 20 different systems and wildly inconsistent on-premises environments? Or do they want to go to one centralized, highly secure location, whether it’s AWS, Azure or another cloud services provider? That’s why it makes so much sense for the government to put an end to decentralized data. It’s time to modernize it with consistent configurations in the cloud.
Old technologies still used widely by governments, utilities and other critical infrastructure are highly vulnerable to attack, as we saw with Colonial Pipeline. Far less publicized are smaller security breaches that happen all the time and can cripple communities and the people who live and work there. For instance, in the Tampa, Fla., area, where I live, a local water utility recently was breached because somebody used remote-control software to log into systems that hadn’t been modernized. The application programming interfaces (APIs) were completely accessible once the attacker breached the network. There was no meaningful protection for the old infrastructure, which is still relied on by utilities around the nation and the world.
I’m optimistic this executive order will have a swift and positive effect on hardening the federal government’s cybersecurity defenses. State and local governments should watch closely and adopt the approaches that prove most effective. The same goes for business organizations, which also need to adopt modern logging and security analytics.