Protecting the exploding attack surface: A blueprint for government agencies
No industry possesses more confidential, sensitive and proprietary information than government agencies. From citizen data and employee files to military plans and details about national laws and regulations, federal, state and local government agencies are a gold mine for nation-states and other criminal groups.
This is nothing new, of course. Over the past few years, we’ve seen no shortage of government-targeted attacks. What is fairly new, however, is the rapidly expanding attack surface, which is giving attackers more ways than ever to infiltrate government networks and get their hands on the nation’s most sensitive data.
IPv6 explodes the attack surface
In 2012, the U.S. government mandated that all government agencies transition to IPv6, which was designed to overcome the problem of IPv4 address exhaustion. With IPv6, there are more than enough IP addresses to accommodate every connected device, which, in the age of IoT, cloud computing and digital transformation, is a necessity.
From a government perspective, this transition to IPv6 — which some agencies are just beginning — along with the accelerating rate of cloud adoption means that almost everything — from military weaponry to building management control systems to voting machines and census-collection tablets — is IP-enabled and part of the network ecosystem. And while this is driving greater effectiveness and efficiencies from an operations standpoint, it’s also introducing tremendous security risk.
First, more network devices mean more endpoints susceptible to attack. Second, thanks to cloud computing and digital transformation, applications and systems are deployed, changed and removed at a faster rate than ever before, leaving security teams constantly trying to understand the state of their network infrastructure. And last but certainly not least, security teams are struggling to bring all network assets under the correct security policy to control access and ensure a strong security and compliance posture.
In today’s “hybrid agency,” where IT infrastructures are massively distributed and constantly changing, is it possible to really know what’s on the network, maintain proper policy hygiene and attain continuous security that moves at the speed of innovation? The answer is yes, thanks in large part to cyber-situational awareness and intent-based network security.
Achieving cyber-situational awareness
Agencies must find a way to monitor network assets and activity across physical, virtual and cloud environments. This means achieving real-time visibility into all endpoints and resources across all computing infrastructures; understanding how those endpoints are connected to the agency, the internet and each other; and identifying suspicious traffic, potential leak paths to the internet, anomalous activity, unknown rogue devices and shadow IT infrastructure.
In other words, IT security teams must be able to identify threats and vulnerabilities to the infrastructure as they emerge and change, so they can develop effective incident response and risk mitigation strategies. Agencies that use cyber-situational awareness in this way have the real-time and accurate network visibility needed to properly protect their networks, critical data and our nation’s infrastructure. Following are five tips to achieve this ideal state:
- Validate the network IP address space. Understand the scope of IP address space in use and visualize the network topology. Instead of working from a set of known addresses that you think encompass the entire organization, verify that there are no unknowns.
- Determine the network edge. Understand the boundary of the network under management.
- Conduct endpoint census. Understand the presence of all devices on the network infrastructure, including traditional IP-connected devices, such as routers, gateways, firewalls, printers, PCs, Macs, iPhones, etc., and non-traditional IP-connected devices, including medical equipment, security cameras, industrial control systems, etc.
- Conduct endpoint identification. Assess the nature of devices on the network, including type, operating system and model.
- Identify network vulnerabilities. Evaluate and comprehend network anomalies, such as unknown devices, unmanaged address space, leak paths, etc., for remediation.
Integrating intent-based network security
Once you have a real-time, holistic understanding of what’s on your network, you can then implement proper policies and rules. Until recently, IT security teams manually wrote rules for every enforcement point. In today’s complex, dynamic hybrid environments, manual policy management processes just aren’t sustainable — not to mention, they’re costly, burdensome and prone to error.
Intent-based network security provides a desperately needed shift in global security policy management — one that automates policy orchestration and allows agencies to take advantage of innovation without slowing down development processes or introducing enterprise risk.
At a high-level, intent-based network security unites business, DevOps, security and compliance teams by enabling them to collaborate on a global security policy. Non-security personnel determine the business intent of applications and security personnel define the accompanying security and compliance intent, and then all three are aligned so policy changes can be fully automated and meet the needs of all parties. Manual rules-writing becomes a thing of the past, and all assets across the hybrid agency are brought under the proper security policies.
The powerful combination of cyber-situational awareness and intent-based network security enables agencies to use next-gen technologies and processes, such as IoT and cloud computing, without introducing security and compliance risk. IT security teams can successfully protect their network assets regardless of how many there are, where they reside or how they change. And the size of the attack surface no longer matters because security is finally able to adapt at the speed of change — and in today’s world, that’s a blueprint for success.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.