Editor’s Note: This article was first published by the Federal News Network.
Cybersecurity has reached a boiling point over the last year or so. Between the acceleration in cloud technology adoption from the pandemic, the resultant push to adopt zero trust to help secure endpoints that were suddenly outside the traditional perimeter, and major cyber incidents like the SolarWinds breach, the need for new guidance was clear. Federal agencies got that with the new cyber executive order.
Its main significance is a reinforcement of the idea that cybersecurity can’t be an afterthought for federal agencies. In the past, security and IT modernization weren’t part of the core mission, so they got short shrift. And while it’s still not the primary mission, federal agencies are coming to understand that it has to be part of the backbone of their operations.
But federal agencies don’t have to go it alone. It may not be part of their core mission, but there are plenty of vendors for whom this is their only mission.
“When you’re moving your data to the cloud, the biggest issue is just not having somebody to guide you through that process—that’s what we’re here for. When you’re not the expert at something, you bring somebody in who is,” said Amanda Fennell, chief security officer and chief information officer at Relativity, a global legal and compliance technology company that helps government agencies, law firms, financial institutions, and other major corporations manage large volumes of data.
For example, cloud providers have been making huge investments over the past ten years. That often includes getting FedRAMP certified, so that federal agencies can be certain that these offerings meet the baseline for security. It can be difficult even under the best of circumstances to keep ahead of updating architecture, so these providers are working to maintain best-in-class technologies so that federal agencies don’t have to. Relativity, for example, built the cloud-based RelativityOne Government platform specifically for usage by state and federal agencies.
That includes an emphasis on zero trust architecture, which Fennell said isn’t really optional anymore—it’s required. Continuous, real-time verification of the operational picture is necessary. And giving users only the bare minimum access they need to accomplish their mission makes it easy to contain a compromised device, which is increasingly a concern as the remote workforce adds more endpoints outside the traditional perimeter.
“If you have cloud services, and you’ve got zero trust, you’ve reduced the risk of what your threat profile looks like,” Fennell said. “For zero trust, really make sure that there are a limited number of people who would access it from the cloud. Two-factor authentication is still super important, you still have to make sure that not only do you have the right people accessing it, but they’re authenticating to more than one method.”
Agencies also need to avail themselves of any threat intelligence they have access to.
“Threat intelligence is the core of any great security program. ‘You don’t know what you don’t know’ is not a great excuse anymore. You should know what you don’t know. And threat intelligence is how you get that answer,” Fennell said. “It’s really about aggregating a ton of visibility out there. And then you apply this in a platform that will help you to pull up those anomalies, pull out analysis of secondary or tertiary indicators with the help of machine learning. All this effort will tell you what you should care about.”
SolarWinds is a great example of this, she said. The threat intelligence community is tight-knit, and you’ll often hear about many of these vulnerabilities in that community months before they go mainstream. Members of this community, including the various industry-specific Information Sharing and Analysis Centers, share new threats they’re seeing, including tactics, tools, and procedures being used. That’s valuable information to have at your fingertips. So much so, in fact, that Relativity’s Calder7 security team created a free threat intelligence feed that people can sign up for in order to stay on top of it.
“We put that intelligence feed out there, because we’re hoping to really inspire people to grab on to threat intelligence,” Fennell said. “This is really the core of everything that we do. We want to know what’s out there. We want to know the unknown unknowns, and we want to make sure that we understand what we should be focusing on and protecting, and make that actionable for the community.”
And that starts with building relationships, Fennell said. There’s a lot of information sharing and preparation going on behind the scenes, but it’s not always transparent. The community is built around connections, like a call tree.
And that’s one of the big strengths of the cyber EO, according to Fennell. Its focus on intel-sharing across organizations and agencies will help shed some light on this situation, which she believes will result in an increase in membership in these threat intelligence sharing organizations.
But federal agencies will always encounter unique challenges in these pushes to increase security and modernization that the private sector doesn’t have to deal with, which is again why Fennell said they shouldn’t try to go it alone.
“Everyone has a role in securing data and we hope to empower each person in this journey,” Fennell said. “At Relativity, we have an amazing team that can partner with the government and make them more efficient and innovative. RelativityOne Government is here to organize the data so agencies can act on what they find, securely.”
Artwork for this article was created by Natalie Andrews.