In today’s cyber world, the unfortunate reality is that breaches happen. The government and other organizations need to accept that fact and adjust accordingly. But things aren’t always that simple, and denial is often the first sign of a problem. A perfect example is the continued promotion of the EINSTEIN Program for cybersecurity. This technology is more than 10 years old, the equivalent of using 20th century technology to combat a 21st century problem.
While EINSTEIN has its merits, it was developed by US-CERT for intrusion prevention, and essentially monitors the network perimeter for unauthorized access. But attacks have become so sophisticated that it is impossible to completely shield the perimeter from malware and zero-day attacks; the high-profile breaches reported almost every week are the evidence. As a result, EINSTEIN is not widely adopted, as agencies realize the ineffectiveness of its approach. In fact, only a handful of the more than 600 government agencies actually deploy it. Perimeter security on its own is clearly no longer a valid strategy, because cyber attacks have repeatedly shown they can slip past perimeter defenses unnoticed.
Adversaries breaking into government agencies like the Office of Personnel Management (OPM) and the IRS, for example, are not using attack vectors that let you stumble upon a signature, nor do they stay static long enough to be easily detected. They use fresh exploits that render a signature-driven system like EINSTEIN blind to their intentions; EINSTEIN is only as good as the information it is fed. So the question is not only why the government would continue using an outdated solution, but rather why it concentrates on protecting the perimeter when the endpoint is where data leakage can actually be thwarted.
Look at it from this perspective. If you can be honest with yourself and admit that breaches are going to happen, you can stop spending all your effort on keeping adversaries out (which has proved futile) and focus on identifying abnormal behavior on the endpoint and isolating those devices before critical data can be compromised. Critical data is ultimately accessed from the endpoint, so securing the endpoint rather than just the network edge enables agencies to identify and remediate cyber attacks as they happen. The sad reality is that once the perimeter is breached, adversaries often have free rein to move through the network and conduct nefarious activities undetected. That is far harder to pull off when your monitoring effort is concentrated on the endpoint, where the attacker eventually has to act.
So, if EINSTEIN isn’t the answer for protecting against cyber attacks, what can the government do? The prudent course of action would be to scrap EINSTEIN completely and focus on a solution that uses analytics and anomaly detection at the endpoint. What makes today’s cyber attacks so difficult to defend against is their ability to constantly change their mode of attack. Signature solutions are only effective if the attack has already been seen and analysed; that does you no good against zero-day attacks and new forms of malware. But by analysing endpoint activity and monitoring for abnormal behavior, you can quickly identify a potential attack and take the necessary action in real time, before critical data is lost.
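To make the signature-versus-behavior distinction concrete, here is a small added example (not code from the original column, nor from Triumfant or any EINSTEIN component). It runs two detectors over constructed endpoint process-launch telemetry: a hash-based signature lookup, and a behavioral check that learns which parent-to-child process launches are normal for a host and flags any launch it has never seen. The hashes, process names and event counts are all made up for illustration.

```python
from collections import Counter

# Constructed signature list: hashes of malware that has already been analysed.
# Values are fabricated for this example.
KNOWN_BAD_HASHES = {
    "9c3e1b7a" * 8: "Dropper.OldFamily",
}

# Constructed week of normal activity on one workstation:
# (parent process, child process, hash of the child image).
WORD_HASH = "1111aaaa" * 8
OUTLOOK_HASH = "2222bbbb" * 8
ACROBAT_HASH = "3333cccc" * 8
BASELINE_EVENTS = (
    [("explorer.exe", "outlook.exe", OUTLOOK_HASH)] * 40
    + [("outlook.exe", "winword.exe", WORD_HASH)] * 25
    + [("outlook.exe", "acrord32.exe", ACROBAT_HASH)] * 12
)

# Constructed events from today. The third event is a macro-style launch of
# PowerShell from Word using a never-before-seen binary: no signature exists
# for it, but the parent->child relationship is new for this host. The fourth
# event reuses an old, already-catalogued dropper.
TODAY_EVENTS = [
    ("explorer.exe", "outlook.exe", OUTLOOK_HASH),
    ("outlook.exe", "winword.exe", WORD_HASH),
    ("winword.exe", "powershell.exe", "deadbeef" * 8),
    ("explorer.exe", "update.exe", "9c3e1b7a" * 8),
]


def signature_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Classic signature matching: an event is bad only if its hash is already known."""
    return [(parent, child, bad_hashes[h])
            for parent, child, h in events if h in bad_hashes]


def build_baseline(events):
    """Learn how often each parent->child launch occurred during normal operation."""
    return Counter((parent, child) for parent, child, _ in events)


def behavioral_hits(events, baseline, min_seen=1):
    """Flag launches whose parent->child pair was seen fewer than min_seen times
    in the baseline. Raising min_seen trades false negatives for false positives."""
    return [(parent, child, h)
            for parent, child, h in events if baseline[(parent, child)] < min_seen]


def triage(events, baseline_events=BASELINE_EVENTS):
    """Run both detectors over the same events so their coverage can be compared."""
    baseline = build_baseline(baseline_events)
    return {
        "signature": signature_hits(events),
        "behavioral": behavioral_hits(events, baseline),
    }


if __name__ == "__main__":
    for method, hits in triage(TODAY_EVENTS).items():
        print(f"{method:11s} -> {hits}")
```

Run as-is, the signature detector reports only the old dropper; the Word-to-PowerShell launch with the unknown hash is invisible to it. The behavioral detector flags that launch because the host has never exhibited it, and it also flags the dropper (a new parent/child pair) without needing a signature. The caveat a practitioner would add: a baseline this simple will also flag legitimately new software, so in practice the threshold, the baseline window and an allowlist for sanctioned deployments all need tuning before alerts can drive automatic isolation of a device.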
I am not saying abandon perimeter security completely, but supplement that approach with analytics aimed at the endpoint. By doing so, when an adversary penetrates the network perimeter, they will be quickly identified when they try to manipulate the endpoint in order to steal sensitive information. This approach may not always keep the enemy out, but it makes it far harder for the enemy to leave with your valuable data.
Focusing on the endpoint and using real-time analytics also addresses another major challenge for government organizations: meeting compliance requirements. By constantly checking the status of all the computers on the network and using analytics to spot unexpected changes and conditions that indicate non-compliance, even when there is no specific policy for that given attribute, organizations will not only remain in a state of continuous compliance, they will also be able to address cyber threats in real time. This will become even more important as the government starts to actually face the consequences of non-compliance with regulations and of letting breaches occur.
Until the recent OPM breach, the government had never been seriously penalized for a poor security assessment or for allowing a major breach to happen. If the actions following the OPM breach are any indication, the need to prove compliance will be more important than ever.
Until the government finds a way to act more like small companies that can move quickly to implement the latest and greatest technology solutions, it will always be several steps behind its adversaries and making headlines for being breached. You can only give so many years of LifeLock to employees.
John Prisco is president and CEO of Triumfant, a provider of continuous protection from advanced malware threats on the endpoint.