i. This is a big data for cyber security issue. It’s difficult to find a managed system that is not able to report on network and OS-level activity (e.g. Syslog, SNMP, etc.). We’re not talking about a log-manager or SIEM but rather the resulting data (structured and unstructured) being transferred securely into a data repository for link analysis, correlated with various sources of threat intelligence and end-point... more »
3. Breach-to-Response Acceleration
How can agencies effectively address current time lags with detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response times? Please include ideas on how government agencies can expand capabilities beyond reacting to known threats through programs like Einstein, to identify new threats and zero-day exploits in near real-time.
Endorse existing ideas by voting for them. YOU MUST BE LOGGED ON TO VOTE.
The answer may not be “innovation” but going back to basics. It starts with comprehensive asset management. An agency has to identify ALL hardware and software assets on its network. You can’t scan hardware for configuration errors or software for missing patches if you don’t know those devices exist. Every unknown asset is a potential threat vector. This will also help compress breach-to-detection-to-response times.... more »
The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting,... more »
Data anomalies don’t necessarily catch the extrusion of compressed data and it must be consistently and constantly applied across government. However, the technology is there for content encryption; polices are needed that govern content distribution/risk, allowing focus on critical risks.
The old adage "it takes 10,000 hours of practice to become an expert" is very true in cyber defense. We can't teach people to prevent zero day exploits but we can provide an inexpensive way to show what happens when an exploit is used. Technology today is finally available to provide ubiquitous Cyber Battlerooms, like Netflix, where you log into the cloud and "play" on a Virtual Clone Network of a government agency,... more »
Clarify a “hotline” reporting channel for people who suspect an issue, in agency or government-wide – if a user sees a potential problem, can check with team to for tech assistance on whether it’s real and what are next steps. Sort of a help desk for cyber reporting.
Monitor data going out for anomalies, including tagging for sensitive data. This would have been a signal to spot exfiltration like in the OPM case
Enhance content aware, rapid, and automated anomaly detection, both in network traffic/usage as well as user behavior. In-memory analytics powerful for this work. Be able to detect and respond in minutes not hours weeks and months.
3) How can agencies effectively address current time lags with the detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response times? Please include ideas on how government agencies can expand capabilities beyond reacting to known threats through programs like Einstein to identify new threats and zero-day exploits in near real time?
: With these key recommendations, we believe that the government can better leverage commercial technologies to deploy a platform that blocks all known threats within minutes of discovery by injecting new controls into key locations down the Kill Chain. Second, this platform should also have the ability to discover new attacks automatically by statically and dynamically analyzing files passing through the networks.... more »
Agencies must plan for success. Increasing response time is a combination of technology, threat knowledge, and skill sets of cybersecurity practitioners. Lag time exists because organizations unable to effectively integrate practitioner skills, threat knowledge, and technology. Although agencies are in possession of effective tools (e.g., Einstein and CDM) that collect indicators and signatures of malicious traffic crisscrossing... more »
Consistent with the concept that security is the responsibility of all employees, all agency employees should be educated and trained on general incident response planning concepts and any related responsibilities, including how to notify response organizations, the information to report, and other relevant activities. All incidents, exercises, and general activities offer opportunities to learn and improve planning.... more »
(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) How can agencies effectively address current time lags with detection of and response to vulnerabilities and threats that will significantly compress breach-to-detection-to-response... more »
Breach discovery/open vulnerability information should be shared through closed, but accessible data sharing systems open to both private industry and government. While it may be inadvisable to share open vulnerability information in a public forum, it is critical to share this information among industry and government cyber security professionals through a closed but easily accessibly forums.