Breach discovery/open vulnerability information should be shared through closed, but accessible, data sharing systems open to both private industry and government. While it may be inadvisable to share open vulnerability information in a public forum, it is critical to share this information among industry and government cyber security professionals through closed but easily accessible forums.
3) How can agencies effectively address current time lags with the detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response times? Please include ideas on how government agencies can expand capabilities beyond reacting to known threats through programs like Einstein to identify new threats and zero-day exploits in near real time?
Enhance content-aware, rapid, and automated anomaly detection, both in network traffic/usage as well as user behavior. In-memory analytics are powerful for this work. Be able to detect and respond in minutes, not hours, weeks, and months.
Monitor data going out for anomalies, including tagging for sensitive data. This would have been a signal to spot exfiltration like in the OPM case.
Clarify a “hotline” reporting channel for people who suspect an issue, in agency or government-wide – if a user sees a potential problem, they can check with a team for tech assistance on whether it’s real and what the next steps are. Sort of a help desk for cyber reporting.
Data anomalies don’t necessarily catch the extrusion of compressed data, and it must be consistently and constantly applied across government. However, the technology is there for content encryption; policies are needed that govern content distribution/risk, allowing focus on critical risks.