Automation has played a key role in helping improve cybersecurity processes, but workforce constraints continue to hinder efforts.
Cybersecurity and Infrastructure Security Agency (CISA) and Department of Energy (DOE) IT leaders believe that automation can make significant improvements to threat detection and vulnerability management processes at federal agencies, but the workforce shortage in cybersecurity still puts a strain on the general cyber health of federal agencies.
According to Daniel Bardenstein, head of cyber strategy and technology at CISA, detection is one of several areas where agencies should place more emphasis as they seek to strengthen their security posture.
“Threat detection, asset detection and vulnerability detection. Automation is very flexible. It provides many different ways to gain better visibility into what assets and vulnerabilities are so that the agency has an idea of what needs to be fixed,” Bardenstein said at a recent FCW event.
Once a particular threat is detected, the next steps are to find out which assets were affected, who owns the assets, and then identify the vulnerabilities.
Bardenstein said vulnerability management is often overlooked in cyber strategies, but can be heavily automated to reduce the burden on IT professionals.
“Automation of processes in IT systems can have a huge impact and save people a lot of time making phone calls or looking for other resources,” said Bardenstein. “If people doing their normal work are able to identify the things they can do all the time and repeat over and over again, this is a good starting point for automation. Just focus on the processes that people go through over and over again.”
CISA is also looking to integrate existing technologies to have a common analytical environment, particularly within the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program.
“We are also rolling out the EDR, the Endpoint Detection Response effort, and a couple of other host-based initiatives that will provide additional layers of detection and automation to departments and agencies to help them better protect themselves from threats,” said Bardenstein.
SolarWinds, Colonial Pipeline, and Log4j software breaches highlight that no organization or industry is immune to cybersecurity vulnerabilities.
According to Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security and Emergency Response, the agency focuses on increasing the visibility of threats targeting critical infrastructure through risk analysis, detection, discovery and mitigation efforts. One thing he is looking into is how to quantify cyber risks.
“We believe this is critical in terms of how we actually invest in cybersecurity,” said Kumar. “We are partnering with NIST to reflect on cyber risk modification efforts and how to link cyber risks to financial risks so we can better invest in this area as a company across the board.”
Another project DOE is working on is determining the cyber baselines for the critical infrastructure sectors.
“In some cases, they will be different for each industry and there may also be some commonalities where there is a basic cybersecurity expectation that we should think about and how we educate companies of all sizes about this,” Kumar said.
Software supply chain security remains a top priority for DOE. Kumar wants to establish common software supply chain security standards across all energy sectors to improve IT positions.
“We are developing a framework for what may appear for energy systems so that we no longer have variations of [software bills of material] and [hardware bills of material]. If we can develop a model, it will be easier for energy companies, producers and suppliers,” Kumar said.
In addition to workforce constraints, Bardenstein said that data retention and high data volumes have led many federal agencies to hit a tipping point as they move IT systems and data to the cloud. He said that computers should do what computers are good at and that human workers should focus on more demanding jobs.
“We are at a tipping point where people are starting to realize there is no way we can actually handle this,” he said. “One aspect of the more transversal skills of cybersecurity, where automation can often be more valuable to an enterprise, is in the area of a ‘Tier 1’ security analyst where humans take the most steps. Level 1 life is very difficult, there are mental health issues and a lot of burnout, which is not good for the employees or the company that continually loses talented staff that they try to promote elsewhere to make more money.”
Instead of trying to automate processes all at once, Bardenstein encouraged federal agencies to take a “spectrum” approach to automating data and security processes.
“There is a maturity model you can think of across that spectrum. Companies should be thinking about how to continually find the right way they need to operate, move to a more mature approach to automation in their environment,” said Bardenstein.
CISA is in the process of making automation operational to meet staffing needs and changes. In a security context, automating identification and discovery workflows is a good place to start.
“Most people are concerned about automation when it comes to mitigating actions. Understanding if something has changed, gathering additional information and presenting it to a user is a much safer place to start connecting those APIs and testing things,” said Bardenstein. “You can have an identification, detection and enrichment playbook and then have a human being in the business of deciding what to do. It is important to understand where the risk and concern lie in deciding what to do and automate everything first and then, if applicable, everything later.”
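The playbook shape described above (automation identifies the affected asset, its owner and its known vulnerabilities, as in the detection steps earlier in the article, then hands the decision to a person) can be sketched in a few dozen lines. The following is an added example and is not code from the article, CISA or DOE; the asset inventory, vulnerability identifiers, alert records and the `enrich`/`notify` verb split are all constructed placeholders, and a real deployment would wire `run_unattended` to an inventory and ticketing system rather than in-memory dictionaries.

```python
"""Added example, not from the article: a detection-and-enrichment
playbook that automates identification and context gathering but
leaves every mitigating action (patch, isolate) for a human to approve.
All inventories, alerts and identifiers below are constructed."""
from dataclasses import dataclass

# Constructed asset inventory: IP -> hostname, owner, installed software.
ASSETS = {
    "10.0.5.23": {"hostname": "web-01", "owner": "app-team@example.gov",
                  "software": ["examplelib 1.0"]},
    "10.0.5.40": {"hostname": "db-02", "owner": "data-team@example.gov",
                  "software": ["examplelib 2.3"]},
}

# Constructed vulnerability lookup: software version -> placeholder finding ids.
KNOWN_VULNS = {"examplelib 1.0": ["VULN-PLACEHOLDER-001"]}

# Only these verbs may run without a human; mitigations are deliberately absent.
AUTOMATED_VERBS = {"enrich", "notify"}


@dataclass
class Ticket:
    """What the playbook hands to the analyst: context plus proposed actions."""
    alert_id: str
    asset: dict
    vulnerabilities: list
    proposed_actions: list
    requires_human_decision: bool = True


def enrich_alert(alert, assets=ASSETS, vulns=KNOWN_VULNS):
    """Identify the asset behind an alert, its owner and its known vulnerabilities."""
    ip = alert["src_ip"]
    asset = assets.get(ip)
    if asset is None:
        # An unknown asset is itself a finding: an asset-discovery gap to close.
        return Ticket(alert["id"], {"ip": ip, "hostname": None, "owner": None}, [],
                      ["notify: unknown asset %s, add to inventory" % ip])
    found = [v for sw in asset["software"] for v in vulns.get(sw, [])]
    actions = ["notify: %s" % asset["owner"]]
    for sw in asset["software"]:
        if vulns.get(sw):
            actions.append("patch: %s on %s" % (sw, asset["hostname"]))
    if alert.get("severity") == "high":
        actions.append("isolate: %s" % asset["hostname"])
    return Ticket(alert["id"], dict(asset, ip=ip), found, actions)


def run_unattended(ticket):
    """Execute only enrich/notify actions; return (done, deferred_for_human)."""
    done, deferred = [], []
    for action in ticket.proposed_actions:
        verb = action.split(":", 1)[0]
        if verb in AUTOMATED_VERBS:
            done.append(action)  # a real SOAR would send the notification here
        else:
            deferred.append(action)  # patch/isolate wait for an analyst's decision
    return done, deferred


if __name__ == "__main__":
    # Constructed alert, as an EDR or SIEM might emit it.
    ticket = enrich_alert({"id": "A-1", "src_ip": "10.0.5.23", "severity": "high"})
    done, deferred = run_unattended(ticket)
    print("owner:", ticket.asset["owner"], "vulns:", ticket.vulnerabilities)
    print("automated:", done)
    print("awaiting human decision:", deferred)
```

The gate in `run_unattended` is the point Bardenstein makes: the allow-list names what automation may do on its own, so adding a mitigating verb later is an explicit, reviewable change rather than a default.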
Two years ago, the DOE established a scholarship for cyber security and mid- to high-level operations managers from US electricity, oil and natural gas companies to help fill talent gaps in the cyber workforce.
“We bring power systems engineers and electrical engineers together and maybe we teach them about cyber and then we bring the cyber individuals to the table as well and we cross-pollinate information so they can all work on that together,” Kumar said.
DOE is also investing in academia to mature IT workforce development programs.
“Students enter a competition called ‘Cyber Force.’ They come from all over the country and go to the DOE labs, where their goal is to protect a fake energy company while a red team tries to attack them,” Kumar said. “They learn about cybersecurity and energy systems and what makes them unique.”
The DOE hopes to expand the program to high schools in the future, he added.