Last year, the number of targeted attacks — which often seek the crown jewels of sensitive, critical data — reported by the average federal agency soared from 211 to 320, a 53% increase. This is according to Accenture’s recent report, “State of Cyber Resilience – Federal Edition,” which surveys the threat landscape faced by federal agencies and the responses effective in quashing those threats.
The good news is federal agencies are getting more adept about protecting their IT infrastructures and successfully thwarting traditional data breach methods, slashing the number of data breaches by 43% last year, according to the report.
Even still, a new threat is looming: increasingly, hackers, cyber criminals and other threat actors are finding new ways to infiltrate government systems through indirect attacks on suppliers, contractors and other third parties. Adversaries are shifting their target from an agency’s direct perimeter to the diffuse network of suppliers and third-party providers that makes up its extended operation — often the weakest link in the security chain in an ever-more connected world. Indirect attacks are up 40% from last year.
In fact, this move to third-party vectors now accounts for nearly half the attacks federal agencies confront: 45%. And amid other progress fighting traditional threats, the surge in indirect threats is a troubling development that “blurs the true scale of cyberthreats,” according to the report’s authors. Federal leaders agree, with 85% stating that their agencies need to think beyond securing their enterprises and take steps to secure their ecosystems to be effective.
To stay ahead of these shifts and to keep up with the speed of detection, experts say it’s time for federal agencies to evolve their cyber approaches in two important ways. First, they should shift their focus from recovery to a proactive approach to remain resilient and accelerate their ability to detect and remediate breaches. And second, they should look beyond securing their four walls to protect their supply chains, enterprises and operations, ultimately safeguarding their entire ecosystem.
Cyber Resilience Is Key
The move to consider the supply chain and indirect threats is spurring a rethinking of the concept of cyber resilience. Extending the security ecosystem enlarges the attack surface. Agencies must assume they have been or will be compromised, and as a result, they must invest in and modernize efforts to focus on delivering cyber resilience.
But what does cyber resilience mean in today’s digital environment?
Aaron Faulkner, managing director and cybersecurity practice lead at Accenture Federal Services, says, “It’s about continuity of operations,” meaning the ability to carry on with an agency’s mission no matter what.
Given the pervasiveness and sophistication of threats, enterprises must assume that their systems will be breached. A cyber resilient agency employs adaptive security strategies to more quickly respond to threats, minimizing potential damage while continuing to operate while under attack.
That’s why some organizations are investing in a zero trust security approach, a more proactive method of cybersecurity. It’s a concept based on the principle that organizations shouldn’t automatically trust anything inside or outside their perimeters. Zero trust requires every user of an organization to be continually authenticated and authorized before being granted access to applications, in hopes of stopping a threat or a breach in its tracks.
“Connectedness has consequences,” as noted in Accenture’s separate “Cyber Threatscape Report,” a new report which highlights five trends currently influencing the specific types of cyberattacks agencies face.
This trend raises awareness of the new ways attackers exploit critical systems as these systems become more exposed and even more connected. As untrusted devices connect to organization networks and enterprises, and cloud connectivity increases, targets become more accessible and widespread. And according to the report’s authors, this year saw a rise in the number of operational technology vulnerabilities reported by researchers.
In this digital age, security leaders have to navigate how to thwart operational technology threats before they happen, or be able to maintain business functionality when they do. Patches on common operating systems and bug bounties help, and the report suggests it’s a matter of spreading this awareness and implementing standardized systems that are simple, easy to integrate and thoroughly scrutinized.
That’s why pivoting from recovery to continuity of operations is critical. Attacks can and will happen, especially as the threat landscape evolves.
Retired U.S. Army Maj. Gen. George Franz has helped retool the definition of modern cyber resilience. As the cybersecurity lead for Accenture Federal Services’ National Security business and former director of operations for U.S. Cyber Command, Franz notes that for the intelligence and defense community, specifically, it’s all about mission assurance. Rather than just ensuring the networks are up and running, resilience is about building the capability to conduct an assigned mission knowing there’s the possibility of a cyberattack.
“Ultimately, you need the ability to operate even under attack, even when you have capabilities that are being affected,” he says. “It’s the ability to continue your core mission … knowing that you’re going to have to do that in a cyber-degraded environment.”
This means building in flexibility: being able to operate when or if disconnected from the network while recovering and connecting to the cloud when necessary. The approach must be holistic, branching from networks to applications and compute capabilities, and having those positions in different places so organizations can continue to operate under attack.
A proactive cyber resilience model is a must for the future, he says.
Getting there requires agencies to continue to adapt, find ways to be faster and more accurate, while building on lessons learned from other agencies.
Streamline Cybersecurity: A Path to Resilience
Some organizations have propelled themselves to the front of the pack when it comes to building cyber resilience, according to the Accenture State of Cyber Resilience report. They set the standard for cybersecurity excellence by blocking more attacks, finding and fixing breaches faster and containing damage impact.
Replicating the behavior of these global cybersecurity leaders can save federal agencies a significant chunk of money — an estimated $273,000 per security breach. So far, only about a quarter of federal agencies (28%) fit this category. But more can be done by prioritizing operational speed, scaling and maximizing technologies, providing more user training and boosting collaboration with other organizations, government bodies and the broader security community.
There are solutions that help agencies put speed of recovery at the forefront and marry their cyber and IT investments to achieve the speed they need to keep up with the pace of adversaries.
“Embracing extended detection and response, or XDR, can help agencies get a handle on convening the orchestration of these solutions and practices across the entire enterprise to build cyber resilience,” says David Dalling, director of cybersecurity and XDR capability lead at Accenture Federal Services.
The “X” in XDR falls on the backdrop of a series of technological advancements that at their core provided detection and response capabilities for different technologies.
Agencies began by using network and endpoint detection and response tools to stop malicious activity in the environment. Eventually, that evolved into managed detection and response, meaning a cyber analyst could track incidents on the network and on endpoints through a single tool.
“Where the next generation comes into play is not only providing a single tool, but also stitching the incidents from security and network operation center into one place,” Dalling says.
XDR covers monitoring of the entire network, endpoint and multi-cloud environments, providing high-fidelity incidents while reducing the number of tools and alerts an analyst has to use.
What does this mean for end customers — and for cyber resilience?
XDR is delivered as a managed security service, improving the work output of a security workforce while slashing the number of tools to monitor, minimizing alert fatigue and reducing false positives. Once customers send their logs to XDR, the artificial intelligence takes over: it consumes the logs, provides actionable insights and offers automated remediation, which is then validated by senior analysts. This brings machines and humans together as the ultimate cyber weapon.
Visibility is critical considering the growth in sophistication and number of attacks organizations face today. The nature of XDR insights makes it difficult for an attacker to hide. Plus, each third-party supplier can also send its information to the customer’s XDR platform, so the supply chain is fully monitored.
XDR is highly advanced and fast; from the time it detects to the time it responds is under 15 minutes when its full capability is used, some even down to seconds, according to Dalling. With the industry’s average dwell time over 50 days, according to a FireEye report and the Ponemon report, there is a tremendous reduction in operational impact with response times this fast. It’s extremely important to shrink the time between when an attacker penetrates an organization and when the attacker leaves to prevent damage to the organization, Dalling says. A fast mean time to detect (MTTD) is pointless if you don’t have a fast mean time to respond (MTTR).
XDR also enables threat correlation and trending, bringing together all cyber intelligence, versus having siloed tools and areas of focus. Security professionals can catalog techniques, tactics and procedures to build threat models and maps for how adversarial actions would impact the organization.
That correlation platform brings in more than 50 different threat intelligence feeds and adds new ones constantly. The resulting IOCs are pushed out to all security tools and data models to update rulesets for detecting and blocking incoming incidents before they happen.
This proactive level of threat response and damage control allows organizations to continue to operate even under attack. As a managed service, all clients benefit from inherent joint network defense, where an indicator of attack at one agency and the XDR countermeasure put in place to mitigate it are automatically extended to every other XDR user.
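The correlation the last three paragraphs describe (indicators from several feeds pushed into one index, telemetry from network and endpoint sources matched against it, and related hits on one host rolled into a single high-fidelity incident) can be shown in a few dozen lines. The following is an added illustration, not code from the article or from Accenture’s XDR platform; the feeds, indicator values, hosts and log lines are all constructed placeholders, and the pipe-separated log format, the 15-minute correlation window and the severity rule are assumptions made for the example.

```python
"""Toy cross-source IOC correlation: several intel feeds -> one index -> hits from
network and endpoint logs -> one incident per host. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed threat-intel feeds (placeholder indicators, not real IOCs).
FEEDS = {
    "feed-a": {"domain": {"bad.example"}, "sha256": set()},
    "feed-b": {"domain": set(), "sha256": {"deadbeef" * 8}},
}

# Constructed log lines from two telemetry sources, in an assumed pipe-separated format.
NETWORK_LOGS = [
    "2024-05-01T10:00:05Z|dns|host=ws-17|query=bad.example",
    "2024-05-01T10:00:09Z|dns|host=ws-22|query=intranet.example",
    "2024-05-01T10:05:00Z|dns|host=ws-31|query=bad.example",
]
ENDPOINT_LOGS = [
    "2024-05-01T10:02:30Z|process|host=ws-17|sha256=" + "deadbeef" * 8,
    "2024-05-01T10:03:00Z|process|host=ws-22|sha256=" + "00" * 32,
]

# Which log field carries which indicator type.
FIELD_TO_IOC = {"query": "domain", "sha256": "sha256", "dst": "ip"}


@dataclass
class Hit:
    ts: datetime
    source: str      # telemetry source: "dns" (network) or "process" (endpoint)
    host: str
    ioc_type: str
    value: str
    feed: str        # which feed supplied the matching indicator


@dataclass
class Incident:
    host: str
    hits: list
    first_seen: datetime   # earliest matching event (when the attacker was first visible)
    detected_at: datetime  # when the correlation fired, i.e. the last hit in the cluster
    sources: set
    severity: str


def build_ioc_index(feeds):
    """Flatten every feed into one (type, value) -> feed-name lookup; this is the
    'push IOCs to every tool' step, done once instead of per tool."""
    index = {}
    for feed_name, types in feeds.items():
        for ioc_type, values in types.items():
            for value in values:
                index.setdefault((ioc_type, value.lower()), feed_name)
    return index


def parse_line(line):
    ts, source, *fields = line.split("|")
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, kv


def find_hits(lines, index):
    """Match each log line's indicator-bearing fields against the merged index."""
    hits = []
    for line in lines:
        ts, source, kv = parse_line(line)
        for field_name, ioc_type in FIELD_TO_IOC.items():
            value = kv.get(field_name)
            if value is None:
                continue
            feed = index.get((ioc_type, value.lower()))
            if feed:
                hits.append(Hit(ts, source, kv["host"], ioc_type, value, feed))
    return hits


def make_incident(host, cluster):
    sources = {h.source for h in cluster}
    # Assumed rule: evidence from two or more telemetry sources is higher fidelity.
    severity = "high" if len(sources) > 1 else "medium"
    return Incident(host, cluster, cluster[0].ts, cluster[-1].ts, sources, severity)


def correlate(hits, window=timedelta(minutes=15)):
    """Group hits per host; hits within the window become one incident, not N alerts."""
    by_host = {}
    for h in sorted(hits, key=lambda h: h.ts):
        by_host.setdefault(h.host, []).append(h)
    incidents = []
    for host, host_hits in by_host.items():
        cluster = [host_hits[0]]
        for h in host_hits[1:]:
            if h.ts - cluster[0].ts <= window:
                cluster.append(h)
            else:
                incidents.append(make_incident(host, cluster))
                cluster = [h]
        incidents.append(make_incident(host, cluster))
    return incidents


def detection_lag_seconds(incident):
    """Time from first visible malicious event to the incident firing (a per-incident
    detection lag; averaged over incidents this is the MTTD the article refers to)."""
    return (incident.detected_at - incident.first_seen).total_seconds()


def run():
    return correlate(find_hits(NETWORK_LOGS + ENDPOINT_LOGS, build_ioc_index(FEEDS)))


if __name__ == "__main__":
    for inc in run():
        print(inc.host, inc.severity, sorted(inc.sources), detection_lag_seconds(inc))
```

Running it yields one high-severity incident for `ws-17` (a feed-a domain hit from the network source and a feed-b hash hit from the endpoint source, 145 seconds apart), one medium-severity single-source incident for `ws-31`, and nothing for `ws-22`, whose traffic matched no indicator. The point the example makes concrete is the one Dalling describes: the analyst sees one correlated incident per host instead of separate network and endpoint alerts, and the same merged index serves every tool that consumes it.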
Considering the speed of innovation, fragmented market, lack of security professionals and lengthy procurement processes, XDR can help cover the bases. It reduces repeatable processes and procurement of multiple technologies and brings advanced technologies to the table. Additionally, it combines industry best practices and expertise, so customers don’t have to piecemeal a solution and find someone to manage it.
Get Safe and Stay Safe
As agencies successfully safeguard their infrastructure, it’s important to stay safe by embracing security practices for newly implemented systems.
A similar approach has been key to agile development success — business, mission and IT come together and agree on the best use of time and investment dollars, Faulkner says.
“The future of cyber resilience is that mission, IT and security must be at the table together, making integrated joint decisions about what is the most valuable thing to spend your next set of cycles and dollars on that will accomplish the most good and the objectives of the mission itself,” he says.