The House Committee on Oversight and Government Reform chastised the Office of Personnel Management (OPM) in a report released September 7. According to committee chair Jason Chaffetz, the 2014 cybersecurity breach was easily preventable, given “some basic hygiene, some good tools, awareness and some talent.”
While OPM Director Beth Cobert quickly criticized the report, saying it “does not fully reflect where this agency stands today,” the fact remains that more than 21 million records related to current and past federal employees were stolen.
Lack of visibility
One of the core issues, according to the committee’s report, came down to a lack of environmental visibility and context (operational intelligence). The report states that two hackers worked in tandem to break through the network; one of whom was known to security officials while the other went unnoticed. The first intruder, who OPM security experts were able to monitor, stole network manuals that likely aided the second, unknown hacker in navigating OPM’s environment.
This is a typical trick hackers use, distracting officials in one area of the network as a cover for others to break in. This problem, however, is one that an agency with a robust security analytics program could easily deter.
“If OPM had … sufficient visibility to fully monitor their network in the summer of 2014, they might have detected and stopped [the second hacker] before they had a chance to exfiltrate the security clearance background investigation files,” the report said.
The OPM breach was the result of many factors at play including an out-of-date security system which left the agency’s information systems exposed, a lack of understanding among senior agency officials regarding the severity of the attack, and failing to follow a handful of other standard IT security best practices.
With a more robust security analytics toolset, OPM’s IT staff would likely have spotted the second hacker, who used the credential of an OPM contractor to gain access. While the hacker had a legitimate credential, a security analytics tool could have identified that person’s unusual behavior on the network and reported it to the proper channels for review.
Additionally, leveraging a robust security analytics platform would have offered the following capabilities:
- An alerts dashboard that can present a history of alert activity along with flagging new alerts for attention based on the alert’s threat score.
- Anomaly detection that performs statistical analysis on captured data to alert the user to anomalous behavior. The analytics would also tell the user when the anomaly occurred, how often, and on what endpoints.
- Dynamic filtering that allows the user to skip capturing uninteresting packets based on pre-determined rules. Eliminating elements such as streaming video or music will increase an agency’s capture window to focus on more critical threats.
- Session-level application classification that looks inside network protocol exchanges for telltale signs of malicious intent. Top-of-the-line classification tools can recognize and index more than 2,500 applications and thousands of attributes for quick search and recovery.
- Finally, active reports can provide a detailed and vivid picture of network traffic while granting users the power needed to respond to incidents as they unfold.
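As an added illustration of the behavioral anomaly detection described above (a legitimately credentialed account acting outside its normal pattern, reported with when, how often and on which endpoints), here is a small baseline-versus-deviation detector in Python. It is not code from the committee report or from any vendor; the user name, host names and log records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real OPM data): (timestamp, user, endpoint, bytes_out).
BASELINE = [
    ("2014-06-02T09:15:00", "contractor01", "hr-app-01", 120_000),
    ("2014-06-03T10:02:00", "contractor01", "hr-app-01", 98_000),
    ("2014-06-04T14:40:00", "contractor01", "hr-app-02", 150_000),
    ("2014-06-05T11:05:00", "contractor01", "hr-app-01", 110_000),
]
NEW_EVENTS = [  # one normal session, then two that should stand out
    ("2014-07-01T10:30:00", "contractor01", "hr-app-01", 105_000),
    ("2014-07-02T02:10:00", "contractor01", "bgi-db-07", 4_800_000_000),
    ("2014-07-02T02:55:00", "contractor01", "bgi-db-07", 5_100_000_000),
]

def build_profile(events):
    """Per-user baseline: endpoints and hours-of-day seen, plus the largest transfer."""
    prof = defaultdict(lambda: {"endpoints": set(), "hours": set(), "max_bytes": 0})
    for ts, user, endpoint, nbytes in events:
        p = prof[user]
        p["endpoints"].add(endpoint)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return prof

def score_event(profile, event, volume_factor=10):
    """Return the reasons an event deviates from its user's baseline (empty = normal)."""
    ts, user, endpoint, nbytes = event
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if endpoint not in p["endpoints"]:
        reasons.append(f"never-before-seen endpoint {endpoint}")
    if hour not in p["hours"]:
        reasons.append(f"activity outside usual hours ({hour:02d}:00)")
    if nbytes > volume_factor * p["max_bytes"]:
        reasons.append(f"outbound volume {nbytes} exceeds {volume_factor}x baseline max")
    return reasons

def detect_anomalies(baseline, events):
    """Flag deviating events, recording when, on which endpoint, and why."""
    profile = build_profile(baseline)
    return [
        {"when": ev[0], "user": ev[1], "endpoint": ev[2], "reasons": r}
        for ev in events if (r := score_event(profile, ev))
    ]
```

Running `detect_anomalies(BASELINE, NEW_EVENTS)` leaves the routine daytime session alone and flags both night-time sessions against the unfamiliar host, each with three reasons, which is the kind of finding an alerts dashboard would surface for review.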
The OPM breach serves as an example of what can happen when cybersecurity risk is not properly addressed. Elected officials like to say “a crisis is too good a thing to waste.” For them, it means a chance to bring change. Federal IT leaders should view the OPM breach the same way. While it is a terrible thing that happened, it could prove to be a wakeup call for other agencies that have let their security systems age beyond relevance.
While a robust security system is made up of many aspects, a deep use of security analytics remains an integral part of any well-protected environment.
Aubrey Merchant-Dest has 27 years of experience in Network & Systems/Sales Engineering in both Carrier (fixed and mobile) and Enterprise environments. He focuses on security, traffic engineering/management and network analytics, and has an in-depth and hands-on understanding of networking from layer 2 through 7. Aubrey is currently the Federal CTO at Blue Coat Systems.