A New Cyber Game Plan Takes Shape

The document discusses the worsening cyber threat landscape, highlighting the persistence of ransomware and the increasing risk to critical infrastructure. It emphasizes the need for agencies to adopt a more adaptive cybersecurity approach through automation, training, and collaboration, in line with the National Cybersecurity Strategy. The document also outlines the importance of addressing human factors in cybersecurity and the need for proactive measures to enhance defenses against evolving threats.

Introduction

It's not your imagination: The cyber threat landscape takes a turn for the worse every year. Ransomware, once seen as slowing, has become a persistent threat. Data breaches continue to occur with alarming frequency. And now cyber experts are warning about the growing risk of potentially devastating attacks against non-traditional technology, such as that used by utilities and other critical infrastructure.

The problem is that malicious actors are endlessly inventive, finding new ways to get around existing defenses and engineering attacks for which no defenses exist yet. Agencies can't hope to find a foolproof approach to cybersecurity.

What they can do, however, is become more adaptive. This guide will look at how agencies can improve their ability both to anticipate threats and to change tactics as new threats emerge. Specifically, we highlight activity in three key areas: automation (including the use of artificial intelligence), training, and intergovernmental collaboration.

At the heart of this guide is a breakdown of the recently released National Cybersecurity Strategy, which will shape federal efforts in the years to come and provide a model for state and local governments to follow.

No doubt that strategy will evolve as the cyber landscape continues to evolve. But maybe, just maybe, the ongoing work highlighted in this guide will help bring some change for the better.
Table of Contents

4 Mapping the Cyber Threat Landscape
8 A Proactive Cyber Strategy
10 What You Need to Know About the 2023 National Cybersecurity Strategy
16 Zero Trust: What It Is, and Why It Matters
17 5 Ways to Tackle Cybersecurity
20 How to Address the Risks of Cloud-Native Apps
22 Agencies Bank on Cyber Innovations
24 The Best Defense Against Cyber Threats Is a Strong Offense
26 Governments Find Strength in Numbers
28 How to Isolate the Weakest Link
30 3 Ways to Bridge the Cyber Workforce Gap
32 How to Get Ahead on Vulnerability Management
34 How to Adapt to the Cyber Landscape: 6 Takeaways
Mapping the Cyber Threat Landscape
Cyber experts often emphasize that there’s no silver bullet for improving the security of government systems.
The problem is not that technology always falls short. Instead, it’s that the cyber threats are so varied and
always evolving. Here is a look at the current threat landscape, based on recent cyber-related news and events.

A High-Level View

According to the 2022 (ISC)2 Cybersecurity Workforce Study, the global cyber workforce has reached 4.7 million workers, but that still leaves 3.4 million positions unfilled. In the United States, the number of unfilled jobs stands at about 410,000, a 9% increase over 2021. As Fortune points out, these shortages are good news for cyber wages — and bad news for government agencies competing for talent.

Shadow IT — that is, technology that the IT department does not approve or manage — continues to be a bugaboo. In February 2023, for example, the Defense Department’s inspector general found that “DoD personnel are downloading mobile applications to their DoD mobile devices that could pose operational and cybersecurity risks to DoD information and information systems.”

Another persistent problem: Agencies aren’t applying patches to known vulnerabilities. A recent study by Tenable Research found that many organizations were falling victim to attacks that exploited well-known vulnerabilities, including some dating to 2017. In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) debuted a catalog of nearly 300 known, exploited vulnerabilities; that list now stands at around 900.

The federal government has increased efforts to improve the security of the software supply chain. Beginning in September 2023, software vendors must attest that they are using secure development practices identified by the National Institute of Standards and Technology. But recent media reports suggest the deadline might be elusive.

Just the sheer volume of remaining work can be daunting. In a January 2023 report, the U.S. Government Accountability Office notes that its auditors have made 712 recommendations to federal agencies since 2010, 21% of which have not been implemented. “Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” the report states.
Specters of a Cyber War

On Feb. 20, 2022, with the Russian invasion of Ukraine seen as imminent, New York Gov. Kathy Hochul said the state was strengthening its cyber defenses against possible Russian state-sponsored attacks against public institutions and critical infrastructure.

On Feb. 25, the day after Russia invaded Ukraine, Texas Gov. Greg Abbott directed the state’s departments of Information Resources and Public Safety “to use every available resource to safeguard the state’s critical infrastructure and to assist local governments and school districts with their needs.”

Around the same time, CISA issued an advisory warning about an Iranian state-sponsored threat group known as MuddyWater, which was conducting cyber espionage and other malicious cyber operations targeting government and private-sector organizations worldwide. MuddyWater was a subordinate element within the Iranian Ministry of Intelligence and Security, according to CISA.

Meanwhile, in March 2022, cybersecurity firm Mandiant reported that a state-sponsored threat group in China had successfully hacked the defenses of six state governments in the United States during a 13-month stretch. The group exploited a well-known vulnerability called Log4j.

In April 2022, two months after the invasion began, the United States and four other countries issued a joint cybersecurity advisory warning that Russian state-sponsored cyber actors could target critical infrastructure both within and beyond the region. The joint advisory provided links to more information about known threat groups.

Non-Traditional Tech Gets Targeted

In April 2022, GAO said the Department of Homeland Security urgently needed to improve the security of the nation’s critical infrastructure, with a focus on the vulnerability of operational technology (OT) – that is, hardware and software used to control industrial equipment. “Water treatment facilities, power plants, and other critical infrastructure assets are increasingly connected to computer networks and the internet,” the report states. “Recent cyber incidents targeting pipelines and other facilities underscore the need for effective cybersecurity to protect this infrastructure.”

Also in April 2022, CISA warned that “certain advanced persistent threat actors” have developed the ability to gain access to multiple industrial control systems and related OT that could be used to disrupt critical infrastructure, especially in the energy sector.

A July 2022 report raised similar concerns about public transportation. A study conducted by the Mineta Transportation Institute and San Jose State University noted that public transit relies on external vendors to deliver services and provide critical technologies. Although advanced technologies have brought many improvements, they also have introduced new risks for agencies to mitigate, including ransomware.

In March 2023, the U.S. Environmental Protection Agency issued a memo urging states to include cybersecurity assessments as part of their regular audits of water systems. In a press release, EPA noted that a recent survey found that many public water systems “have not adopted basic cybersecurity best practices and are at risk of cyber-attacks.”
Ransomware’s Persistent Threat

State-sponsored malicious actors in North Korea are targeting health care, public-sector agencies and critical infrastructure organizations, according to a February 2023 advisory that CISA and other agencies issued. The revenue generated goes toward supporting North Korea’s various national objectives, including cyber operations against the United States and South Korea, CISA reports.

CISA also has noted that ransomware has become more of a commercial enterprise, with criminal groups turning to independent “cybercriminal services-for-hire” to do their work. Additionally, some ransomware groups now offer ransomware-as-a-service, making it easy for smaller groups to carry out attacks.

Experts warn that malicious actors are using more sophisticated tools that are increasingly difficult for their targets to defend against. For example, some are using a tactic known as intermittent encryption. Rather than encrypting everything, they might encrypt every other 16 bytes, explains BleepingComputer, a security-focused media site. The encryption process takes half the time but effectively renders the file useless.
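The intermittent pattern described above also defeats a common defender heuristic: flagging a file as encrypted only when its whole-file entropy is near the 8 bits-per-byte of ciphertext, because the untouched half of the file drags the average down. The following Python is an added illustration, not code from the guide or from BleepingComputer; it builds constructed sample data (seeded random bytes stand in for ciphertext, no cipher is run) and shows that splitting a file by the 16-byte stride exposes one near-random stream beside one ordinary stream, which the whole-file check misses.

```python
import math
import random
from collections import Counter

CHUNK = 16          # the 16-byte stride cited in the BleepingComputer report
HIGH = 7.5          # bits/byte: consistent with ciphertext or compressed data
LOW = 6.0           # bits/byte: consistent with ordinary text or structured data
MIN_BYTES = 1024    # below this, entropy estimates are too noisy to call


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def stride_streams(data: bytes, chunk: int = CHUNK) -> tuple[bytes, bytes]:
    """Split data into the bytes of even-numbered chunks and of odd-numbered chunks."""
    even, odd = bytearray(), bytearray()
    for index, start in enumerate(range(0, len(data), chunk)):
        (even if index % 2 == 0 else odd).extend(data[start:start + chunk])
    return bytes(even), bytes(odd)


def classify(data: bytes, chunk: int = CHUNK) -> dict:
    """Compare the whole-file entropy heuristic with a per-stride view.

    A whole-file threshold alone misses intermittent encryption; checking the
    two stride streams separately catches one high stream next to one low one,
    whichever phase the attacker started on.
    """
    whole = shannon_entropy(data)
    even, odd = stride_streams(data, chunk)
    e_even, e_odd = shannon_entropy(even), shannon_entropy(odd)
    if len(data) < MIN_BYTES:
        verdict = "inconclusive"
    elif max(e_even, e_odd) >= HIGH and min(e_even, e_odd) <= LOW:
        verdict = "intermittently_encrypted"
    elif whole >= HIGH:
        verdict = "encrypted"
    else:
        verdict = "plaintext"
    return {"whole_entropy": whole, "even_entropy": e_even,
            "odd_entropy": e_odd, "verdict": verdict}


# --- Constructed samples (not real files and not real ransomware output) ---
_rng = random.Random(2023)  # seeded so the demonstration is repeatable
PLAINTEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
# Random bytes stand in for ciphertext; no encryption is performed here.
FULLY_ENCRYPTED = _rng.randbytes(len(PLAINTEXT))


def simulate_intermittent(data: bytes, chunk: int = CHUNK) -> bytes:
    """Replace every other chunk with random bytes to mimic the pattern above
    (even-numbered chunks are replaced, odd-numbered chunks are left as-is)."""
    out = bytearray()
    for index, start in enumerate(range(0, len(data), chunk)):
        block = data[start:start + chunk]
        out.extend(_rng.randbytes(len(block)) if index % 2 == 0 else block)
    return bytes(out)


INTERMITTENT = simulate_intermittent(PLAINTEXT)

if __name__ == "__main__":
    for name, sample in [("plaintext", PLAINTEXT),
                         ("fully encrypted", FULLY_ENCRYPTED),
                         ("intermittent", INTERMITTENT)]:
        r = classify(sample)
        print(f"{name:16s} whole={r['whole_entropy']:.2f} "
              f"even={r['even_entropy']:.2f} odd={r['odd_entropy']:.2f} "
              f"-> {r['verdict']}")
```

The whole-file entropy of the intermittent sample lands well below the HIGH threshold, so a detector relying on that number alone would report it as ordinary data.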

In some cases, attackers threaten to or actually publish stolen data as a way to coerce organizations to pay up. That was the case in a recent attack against the city of Oakland, California. In early March 2023, weeks after the attack, the hackers started posting online employees’ personal information, such as names, addresses, and driver’s license and Social Security numbers.

But the news is not all bad. Early this year, the U.S. Justice Department announced that the FBI has hacked the systems of the Hive ransomware group, which had been responsible for more than 1,500 attacks worldwide. In the process, the FBI captured more than 300 decryption keys for Hive victims who had been under attack, and another 1,000 keys for previous Hive victims.
The Cost of Human Folly

Each year, a study confirms what cyber experts always say: The weakest link in most cyber defenses is humans. Purposefully or accidentally, human action is a contributing factor in 82% of data breaches, according to Verizon’s 2022 Data Breach Investigations Report. “As long as organizations continue to perceive and treat cybersecurity as a technical challenge, we will continue to lose this battle,” wrote a cyber expert at the SANS Institute in a blog post about the report.

What motivates people to be more attentive to security? According to a 2022 study published in the journal Computer and Security, the answer is fear. Specifically, the study found that employees who have a better understanding of the risks and ramifications of security problems are more likely to adopt good cyber practices. That said, the researchers also noted that employees who experience a strong sense of belonging are more likely to become good “stewards of the organization’s resources.”

In March 2022, NASA’s inspector general (IG) recommended that the agency expand its program for detecting insider threats from only classified systems to all systems. But the IG highlighted an important caveat: “On-going concerns including staffing challenges, technology resource limitations, and lack of funding to support such an expansion would need to be addressed prior to enhancing the existing program,” the report states.

Bad actors continue to develop new ways to fool even the most well-intentioned employees. For example, according to a recent advisory from the Multi-State Information Sharing and Analysis Center, employees at two federal agencies downloaded remote monitoring and management software after receiving emails that appeared to come from their agencies’ help desks. The software enabled cybercriminals to access the users’ systems and steal personal data.
A Proactive Cyber Strategy
An interview with Kevin E. Greene, Public-Sector Chief Technology Officer, OpenText Cybersecurity

Government often plays catchup to threat actors rather than tracking their activity early in the attack life cycle. But according to Kevin E. Greene with OpenText Cybersecurity, it is time for government agencies to become more forward-leaning, especially considering the new National Cybersecurity Strategy (NCS), which underscores the need to disrupt threat actors.

“Part of what the NCS emphasizes is taking a more proactive approach with cyber defense, actively hunting for early warning signals associated with threat actor behaviors to adapt and evolve cyber defenses to disrupt their campaigns,” he said.

Early Warning Signals

Unlike indicators of compromise, which are forensic clues discovered after a cyberattack happens, early warning signals detect an adversary’s preparations before the initial access phase of the attack life cycle.

For instance, an agency could use what we call global adversary signals and analytics to detect reconnaissance activities to gather information threat actors use to plan and execute their initial access for a cyberattack, Greene said.

Early warning is “basically creating an inspection shield looking for signals coming in and out of what we call a covered space [routable IP addresses] to detect compromised behaviors and suspicious communications to known infrastructure controlled by threat actors or infrastructure supporting compromised assets and resources, and using that … to hunt for these signals in [security information and event management], XDR/EDR telemetry and drive better planning [and] repurposing of cyber defenses to be more resilient against cyberattacks,” he said.

Greene said a new OpenText Cybersecurity technology, called cyDNA (available in May 2023), runs machine-aided analytics on internet backbone traffic and develops adversary genealogy relationships that identify threat actors and their capabilities. Unlike traditional threat intelligence, cyDNA tells users what is happening to provide situational awareness around mission threats.

“We have seen some data from early warning signals at least four hours before an imminent attack,” Greene said. “That’s enough time to run adversary emulation and unleash red/purple teams to assess cyber defense capabilities against imminent cyberattacks.”

Zero Trust

If you work from the zero-trust premises of “never trust, always verify and assume compromise,” it is essential to incorporate good identity management hygiene and visibility into daily operations, Greene said. It forces users to pay greater attention to little things because “you can never take subtle notification alerts for granted,” he explained.

By leveraging mission-specific threat intelligence, government agencies can take what is considered a threat-informed defense approach to formalize their zero-trust strategies and make the right investments to mature their zero-trust architecture. But “at the center of everything is protecting the sensitive data, whether it’s in use, in motion or at rest,” he said.

For organizations that must do a lot, but with limited resources, adopting a proactive cyber stance can be difficult.

“Government is a little risk-averse, but I think we have to try new things, because some of the things we’re so used to are just not keeping pace with threat actors,” Greene said.
What You Need to Know
About the 2023 National
Cybersecurity Strategy
When the Biden administration released its eagerly awaited National Cybersecurity Strategy (NCS) in
March 2023, the big news was its requirements for potentially increased regulatory oversight and for the private
sector to step up.

One major goal of the strategy is to shift responsibility for security away from individuals and small
organizations — including state, local, tribal and territorial governments — to those “most capable and best-
positioned…to make our digital ecosystem secure and resilient.” That’s primarily the federal government and
cloud and infrastructure vendors.

But government has plenty to do under the new guidelines. For starters, NCS calls for accelerating
modernization, specifically transitioning from legacy systems to the cloud and speeding up adoption of
zero trust.

Specifics of implementation won’t be available until later this year, but here are some ways each pillar may affect
you. The key takeaway is that you’ll be collaborating, coordinating and sharing information with other agencies,
the private sector and even international allies as never before.

Big Picture
“Next-generation interconnectivity is collapsing the boundary between the digital and physical worlds, and exposing some of our most essential systems to disruptions.”

The strategy is designed to drive what it calls two fundamental shifts:

• Rebalance the responsibility to defend cyberspace. In short, individual users have been left to their own devices, making them weak links that malicious actors can exploit to access larger organizations.

• Realign incentives to favor long-term investments. The idea is to find “points of leverage,” or areas where small investments or “minimally invasive actions” could get everyone working toward building for “future resilience.”

Soundbite
“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
Pillar 1: Defend Critical Infrastructure

This pillar raises the minimum cybersecurity requirements in critical sectors, such as energy, nuclear, water, aviation and some high-priority manufacturing, whether public or privately owned. Agencies, especially Sector Risk Management Agencies (SRMAs), will need to coordinate more tightly with CISA and operators of critical infrastructure systems and assets.

Big Picture
“We aim to operationalize an enduring and effective model of collaborative defense that equitably distributes risk and responsibility, and delivers a foundational level of security and resilience for our digital ecosystem.”

Key Tactics

• Regulate, but carefully. The administration plans to work with Congress to establish “minimum cybersecurity requirements” and to “mitigate related market failures.”

• Broaden public/private collaboration. The goal is to create a “trust-based ‘network of networks’” of cyber defenders, enabling “collective and synchronized action.”

• Coordinate cyber centers. Various agencies have cyber centers intended to support organizations managing critical infrastructure. But everyone could benefit from coordinated intelligence collection, analysis and partnerships.

• Update the National Cyber Incident Response Plan. ’Nuff said.

• Strengthen federal defenses. In planning for better defenses in the long term — including the adoption of zero-trust principles — feds can serve as “a model for private sector emulation.”

Soundbite
“The American people must have confidence in the availability and resilience of this infrastructure and the essential services it provides.”
Pillar 2: Disrupt and Dismantle Threat Actors

This pillar is about undertaking large-scale efforts to attack the attackers. This means using all the tools of federal government — from law enforcement to diplomacy — to go after malicious cyber actors.

Big Picture
“Our efforts will require greater collaboration by public and private sector partners to improve intelligence sharing, execute disruption campaigns at scale, deny adversaries use of U.S.-based infrastructure, and thwart global ransomware campaigns.”

Key Tactics

• Coordinate disruption campaigns. Numerous agencies are involved in such campaigns, including the Justice Department and other law enforcement agencies and DoD. The plan calls for both technological and organizational platforms to support coordinated efforts.

• Public/private collaboration. In the same way, agencies should increase their work with private-sector organizations in areas such as threat hunting.

• Share more and share quickly. Information sharing with the private sector is a common practice, but it needs to happen at a greater scale and in a timelier fashion.

• Defend against foreign actors. Key IT services often go through foreign-based providers, which makes it difficult to identify malicious actors. Better visibility is needed.

• Prioritize ransomware. Ransomware can’t be beat on a case-by-case basis. The plan envisions a multipronged effort focused on international cooperation, greater investigative efforts and crackdowns on digital money laundering.

Soundbite
“The United States will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests.”
Pillar 3: Shape Market Forces to Drive Security and Resilience

The focus here is carrot and stick — using federal buying power and regulations to push vendors toward best practices. This pillar is the core of NCS’s commitment to shifting responsibility for breaches and their consequences away from individuals and small organizations and onto the private sector.

Big Picture
“To build the secure and resilient future we want, we must shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk.”

Key Tactics

• Create accountability around data. The plan calls for legislation that provides clear limits on how data can be used and how it should be protected.

• Create accountability around software. The plan also calls for legislation to establish liability for vendors developing products or services that are not secure.

• Focus on IoT security. The Internet of Things encompasses sensors, baby monitors, industrial control systems and other devices connected to the Internet — many of which have few or no security features.

• Use the power of the purse (1). Through infrastructure-related grants programs, the federal government can stipulate the adoption of sound cybersecurity design, development and practices.

• Use the power of the purse (2). In the same way, good cybersecurity can be enforced through the procurement process.

• Stabilize the cyber insurance industry. Catastrophic cyberattacks can overwhelm programs designed to help organizations recover from attacks. The administration would like to explore options for providing a backstop.

Soundbite
“In too many cases, organizations that choose not to invest in cybersecurity negatively and unfairly impact those that do, often disproportionately impacting small businesses and our most vulnerable communities.”
Pillar 4: Invest in a Resilient Future

A resilient future demands an upgrade from the no-longer-reliable past. The structure of the internet is getting old, and everything built on top of it is subject to its underlying vulnerabilities.

Big Picture
“The Federal Government must leverage strategic public investments in innovation, R&D, and education to drive outcomes that are economically sustainable and serve the national interest.”

Key Tactics

• Secure the foundation. The internet is built on an aging, vulnerability-riddled infrastructure. It’s time for a major clean-up.

• Spur more research. Federal agencies and labs should prioritize cybersecurity research, with a focus on such areas as AI, industrial control systems, cloud infrastructure and encryption.

• Prepare for quantum threats. Quantum’s massive power is expected to render many current encryption techniques useless. Research on new techniques needs to begin now.

• Secure clean energy. Many emerging clean energy solutions rely on automated, interconnected systems that are vulnerable to attack unless security solutions are developed.

• Secure digital identities. Many data breaches and fraud cases are possible because there is no foundation for creating strong, verifiable digital identities for use in online transactions. The federal government should support efforts to fill that gap.

• Build the cyber workforce. There are hundreds of thousands of unfilled cyber positions across the public and private sectors — and that’s just in the United States. NCS calls for the development of a National Cyber Workforce and Education Strategy that draws on lessons learned and best practices from other countries.

Soundbite
“As we build a new generation of digital infrastructure...and prepare for revolutionary changes in our technology landscape brought by artificial intelligence and quantum computing, the need to address this investment gap has grown more urgent.”
Pillar 5: Forge International Partnerships to Pursue Shared Goals

In addition to Pillar 2’s emphasis on using international ties to thwart cyberattacks, NCS is intended to forge a cyberspace community that expects and rewards responsible behavior and makes it both isolating and expensive for states to engage in hostile cyberactivity.

Big Picture
“To counter common threats, preserve and reinforce global Internet freedom, protect against transnational digital repression, and build toward a shared digital ecosystem that is more inherently resilient and defensible, the United States will work to scale the emerging model of collaboration by national cybersecurity stakeholders to cooperate with the international community.”

Key Tactics

• Build coalitions. Global internet freedom requires global solutions. The United States plans to build on and extend existing mechanisms (e.g., the Quadrilateral Security Dialogue) for collaborating across borders to respond to malicious activity.

• Exchange subject-matter expertise. The State Department is expected to coordinate a whole-of-government effort to share expertise and insights with cyber officials in other countries.

• Give a helping hand. U.S. cyber officials can help other countries respond to and recover from significant cyberattacks. The administration will establish policies for determining when such assistance is in the national interest.

• Reinforce global norms. When state-sponsored attacks occur, the global community, with leadership from the United States, should respond, both in terms of statements of condemnation and “meaningful consequences.”

• Secure global tech supply chains. Today’s technology infrastructure is built on hardware and software produced by an international supply chain, and that business model comes with risks that must be addressed. Ultimately, the goal is to build supply chains that “flow through partner countries and trusted vendors.”

Soundbite
The United States will pursue these goals “while recognizing the need to work with partners to thwart the dark vision for the future of the Internet that the [People’s Republic of China] and other autocratic governments promote.”

Conclusion

Not all changes will happen quickly; NCS has a decade-long timeline. Plus, several of its provisions — notably, increased regulation of private players and funding — call for legislative action. The divided Congress almost guarantees compromise and possible blocking of some key points. Nonetheless, this strategy provides the blueprint for a stronger, more resilient and more secure digital future.
Zero Trust: What It Is, and Why It Matters

Traditionally, organizations took a moat-and-castle approach to network security: Anything within a network’s perimeter was deemed safe, while external infrastructure and activity raised cybersecurity concerns.

But that approach has proven costly and insufficient as cyber criminals devise new schemes to invade our networks and traditional on-premises systems become more scattered and diffuse.

So, the federal government, some local governments and much of the private sector now are transitioning to a zero-trust architecture. It essentially turns traditional cybersecurity on its head.

Rather than worry about perimeters, zero trust by default denies people access to enterprise information. Users are granted limited access based on their roles and responsibilities, and no one or device is implicitly trusted.

The framework relies on multi-factor authentication, encryption, and continuous monitoring and verification, among other features. Transitioning to a zero-trust architecture can be costly, though, and it takes time.

But it’s critical. “Incremental improvements will not give us the security we need,” said the Administration in a May 2021 executive order. “Instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

“A transition to a ‘zero trust’ approach to security,” the EO continued, “provides a defensible architecture for this new environment.”

Zero trust vs. perimeter-based security

Zero-trust security covers: mobile devices, cloud applications, remote employees, hybrid cloud, personal devices, vendors and contractors.
Perimeter-based security covers: the traditional network of endpoints, on-site users, servers and apps.
Source: TechTarget

Steps to build a zero-trust network

Network teams are largely responsible for deploying and configuring the elements that make up a zero-trust network. But security teams should also be involved in developing the overall zero-trust architecture.

STEP 1: Identify users and devices that attempt to connect to the network. Tool used: identity and access management.
STEP 2: Set up access controls for application, file and service access. Tool used: next-generation firewall to create microsegmentation.
STEP 3: Deploy tools to continuously monitor the network and device behavior. Tool used: network detection and response, AI for IT operations.
STEP 4: Evaluate remote access to ensure proper security and authentication. Tool used: remote access VPNs.
Source: TechTarget
5 Ways to Tackle Cybersecurity
Cybersecurity is a perpetual battle. As soon as
agencies shore up their defenses, a new type of
attack arises. But the 2021 Executive Order on
Improving the Nation’s Cybersecurity has done much
to give the good guys an edge. In addition to making
“prevention, detection, assessment, and remediation
of cyber incidents…a top priority and essential to
national and economic security,” the order calls for
specific actions, including implementing zero-trust
architectures, removing barriers to threat information
sharing and improving threat detection.

“It’s pretty amazing because for the


first time in a lot of years, we’re really
transforming what cybersecurity is across
the federal government and how we’re handling 1. Zero Trust
things,” said Amy Hamilton, Senior Cybersecurity The concept of zero trust “assumes no implicit
Adviser, Policy and Programs, at the U.S. Department trust granted to assets or user accounts,” providing
of Energy. a strategic opportunity to fundamentally change
agencies’ approach to cybersecurity, Berlas said.
Bo Berlas, Chief Information Security
That change involves moving away from traditional
Officer (CISO) at the U.S. General Services
perimeter-based security to “applying security with
Administration, is optimistic about public-
a focus on the data, with a focus on the device, with
sector cybersecurity, too. “I can tell you from an
a focus around the user, and making sure that we
agency perspective, we have a clear vision and a
not only validate that access initially, but do so on a
detailed plan that is really focused around executing
continuous basis,” he said.
against a set of challenges that we have,” Berlas said.
“That’s a really great place to be.” One way GSA is doing that is through
microsegmentation — dividing networks into segments
So, just how are agencies tackling this persistent
and applying security controls to each. As a result,
problem? Here are five ways.
about 98% of users no longer connect over virtual-
private networks, but over secure access and
secure edge technology. “We’ve facilitated direct
migration of roughly 30 to 40 buildings towards this
microsegmentation model for more readily securing
[operational technology/the Internet of Things]. We’re
focused around getting to roughly 500 buildings over
the next three years.”

Berlas cautions that some employees mistake zero


trust as agencies not trusting them. “That really
couldn’t be any farther from the truth,” he said. “It’s
about providing the right access at the right time.”
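The “validate initially, but do so on a continuous basis” point above is easiest to see in code. The following is an added illustration written for this guide, not GSA’s or any vendor’s implementation: every request is evaluated against the user, the device and the data’s sensitivity, and a session that was fine at login loses access the moment the device’s posture drifts. The posture threshold, group names and device fields are assumptions.

```python
"""Per-request (continuous) zero-trust access evaluation.

Added illustration, not an agency's or vendor's code. A session caches
identity only; authorization is recomputed on every request so that a
device drifting out of compliance mid-session is denied without waiting
for the next login.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2


@dataclass
class User:
    name: str
    groups: set
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in the agency's device management (assumed field)
    disk_encrypted: bool
    patch_age_days: int      # days since last patch; this is what drifts over time


@dataclass
class Resource:
    name: str
    segment: str             # the microsegment the resource lives in
    sensitivity: Sensitivity
    allowed_groups: set


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # empty means allowed


MAX_PATCH_AGE_DAYS = 30   # assumed posture threshold for restricted data


def evaluate(user: User, device: Device, resource: Resource) -> Decision:
    """Decide one request. Default deny: every check must pass explicitly."""
    reasons = []
    # Identity: who is asking, and did they prove it strongly?
    if not user.mfa_verified:
        reasons.append("user has not completed MFA")
    if not (user.groups & resource.allowed_groups):
        reasons.append(f"user not entitled to {resource.name}")
    # Device: is the endpoint in a state we are willing to trust right now?
    if not device.managed:
        reasons.append("device is not managed")
    if resource.sensitivity >= Sensitivity.INTERNAL and not device.disk_encrypted:
        reasons.append("disk encryption required for internal data")
    if (resource.sensitivity >= Sensitivity.RESTRICTED
            and device.patch_age_days > MAX_PATCH_AGE_DAYS):
        reasons.append(f"patch age {device.patch_age_days}d exceeds {MAX_PATCH_AGE_DAYS}d")
    return Decision(allowed=not reasons, reasons=reasons)


class Session:
    """Holds identity and device; never caches an authorization result."""

    def __init__(self, user: User, device: Device):
        self.user = user
        self.device = device
        self.log = []  # (resource, allowed, reasons) audit trail

    def request(self, resource: Resource) -> Decision:
        d = evaluate(self.user, self.device, resource)
        self.log.append((resource.name, d.allowed, tuple(d.reasons)))
        return d


def demo():
    """Constructed scenario: access granted, then revoked as posture drifts."""
    hr_db = Resource("hr-database", "segment-hr", Sensitivity.RESTRICTED, {"hr-analysts"})
    intranet = Resource("intranet", "segment-corp", Sensitivity.INTERNAL, {"staff"})
    alice = User("alice", {"staff", "hr-analysts"}, mfa_verified=True)
    laptop = Device("lt-0042", managed=True, disk_encrypted=True, patch_age_days=5)
    s = Session(alice, laptop)
    first = s.request(hr_db).allowed              # True: compliant device, entitled user
    laptop.patch_age_days = 45                     # posture drifts mid-session
    second = s.request(hr_db).allowed             # False: re-checked on this request
    still_intranet = s.request(intranet).allowed  # True: lower bar for internal data
    return first, second, still_intranet


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```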

2. Artificial Intelligence
Since OpenAI’s launch of ChatGPT in November 2022, talk about AI has been at an all-time high, but AI in general has a role to play in cybersecurity because of its ability to pick out patterns — and anomalies — faster than humans can.

Consider how it could thwart phishing attacks by detecting when someone has clicked on a phishing link in an email, for example — something that at least one person at 86% of organizations has tried to do.

AI algorithms “help identify abnormal behavior, whether it’s an account or some other service running on the network,” said Russell Marsh, Cyber Operations Director in the National Nuclear Security Administration’s Office of the Chief Information Officer (CIO).

“I would like to see us get to the point where AI and machine learning help us get more proactive,” he added, such as being able to identify IP-based protocols before they’ve gone all the way through to attack or before bad actors can broaden their account privileges across the network.

3. Information Sharing
Cyber threats don’t affect one organization alone, but rather government agencies at all levels. That’s why it’s helpful for officials to share information on what suspicious activity they’re seeing and lessons learned from past attacks.

For example, when threats of cyberattacks by Russia intensified in 2022, Jeremy Wilson, Deputy CISO for Texas, used partnerships with CISA, the U.S. Homeland Security Department, and others to request dedicated sessions to understand the threat.

“We collaborate with other states as well,” Wilson said. “When you have those opportunities to kind of collaborate and share threat intelligence and talk about concepts, to me, that’s where the relationship really happens.”

He also pointed to the Texas Information Sharing and Analysis Organization, which had more than 1,500 members as of January 2022 and allows them access to intelligence and educational opportunities, plus information sharing.

4. Backups
In today’s hyper-digital world, backups almost seem archaic, but they still play an important role, particularly in recovery from cyberattacks, said Gerald Caron, CIO and Assistant Inspector General for IT at the U.S. Department of Health and Human Services’ Office of the Inspector General.

“If you want to be able to keep operations going, you’ve got to be able to restore,” Caron said, adding that IT managers must regularly check backups for effectiveness and security. “Cloud technologies help a lot with that now because now you can set those to sync with those folders and basically your backup will be in the cloud. You’re still able to work offline because you saved it to your local computer. When you get hooked back up, any changes you made will sync.”

Fast recovery is crucial for many government agencies. For some, “it can mean life or limb if the right data isn’t available to the right people at the right time,” Caron added. “You want to recover as best as possible, but you don’t want the same thing just reoccurring, so have a good plan, have good roles and responsibilities, [and] make sure that you recover in a proper fashion. Don’t just…reboot and put things back online.”

5. Tech Literacy
The biggest threat to cybersecurity is human error. And as technology advances and becomes more complex, the risks rise. To combat it, agencies must train employees, regardless of their job titles, to be more tech literate.

“When you don’t understand or you don’t know, you tend to have the most resistance” to change, said Cindy Good, a Program Manager at the Office of Financial Innovation and Transformation at the Bureau of the Fiscal Service at the U.S. Treasury Department. “Couple that also with the culture, or the mindset, of not wanting to change. Those are pretty big barriers, where even in instances where we’ve gotten the technology to deploy, we’re finding it very difficult to scale at large.”

One example is blockchain, which Good said could revolutionize the agency’s financial services operations. “But the full benefits of that have not been realized just because there’s limited stakeholder acceptance,” she said. “So, there’s the education piece, and also the adoption of it.”

One way that the agency encourages change is by measuring how many pilot programs and proofs of concept it has completed. “We’re also measuring how we are embedding these into our processes,” she said.
How to Address the Risks of Cloud-Native Apps
An interview with Benjy Portnoy, Vice President, Global Solution Architects, Aqua Security

Software developers and malicious actors both love cloud-native applications, but for very different reasons.

Developers understand the many benefits of using cloud-native applications, including architecture, agility, flexibility and scalability.

Nefarious actors are increasingly exploiting the fact that traditional security solutions aren’t equipped to manage the growing threat landscape in cloud-native environments, especially with technologies such as containers, Kubernetes, functions and pipelines.

Attack surfaces are increasing, said Benjy Portnoy of Aqua Security, which specializes in cloud-native security. "We see not just a significant increase in the volume of attacks that are specifically targeting cloud-native technologies like Kubernetes, Docker, etc., but also in the sophistication of these attacks, such as the evasion techniques being used,” he said.

To provide robust security of cloud-native applications, Portnoy said, federal government agencies must address three key areas: people, processes and technology.

Fill the Knowledge Gap
Agencies need their security teams to have both the knowledge and the tools to secure cloud-native applications, said Portnoy. For example, what are serverless functions, and what are the ramifications for application security? What are common causes of Kubernetes misconfigurations, and how can they be exploited by malicious actors?

But agencies also need their developers to understand the risks involved and how to mitigate them during the development process.

"How do we foster that collaboration between security teams and the developers to ensure that the entire application lifecycle has the relevant processes and security controls in place?" he said.

Revisit Traditional Processes
Many core cyber defense processes built with traditional technologies in mind don’t address the risks associated with cloud-native applications. One challenge is that cloud-native applications typically are built using containers, each providing a specific function that can scale as needed. This can pose a problem when it comes to a process such as incident response, said Portnoy.

"Typically, containers are ephemeral by definition, sometimes around for just minutes or hours," he said. "By the time a breach has been discovered, it’s likely that the particular container that was used in this breach will no longer exist, making incident response and containing the attack a challenge.”

Use Cloud-Native Tools
Automation is essential. One of the main reasons organizations adopt cloud-native methodologies is the speed with which they can develop, deploy and scale applications. Without automation, security risks will not be addressed, or mitigation efforts will gum up the works.

To address the complexity of this environment, Aqua created a Cloud Native Application and Protection Platform (CNAPP). Aqua's platform stops cloud-native attacks from code to cloud and back, identifying risks early in the application lifecycle while protecting production workloads from attack.

"Our platform was built to help organizations address the risks and gain visibility into the threats they face throughout the entire application lifecycle, ensuring that security teams understand the context of an attack so they can prioritize and remediate the highest risks to the business," Portnoy said.
Agencies Bank on Cyber Innovations

Malicious actors are coming up with new tools and tactics faster than agencies can adapt. You might call it the cyber innovation gap.

This challenge has been a long time in the making. As the National Cybersecurity Strategy puts it, “public and private investments in cybersecurity have long trailed the threats and challenges we face.”

That said, both government and industry have been developing new solutions for addressing the cyber threat landscape, building on emerging solutions for automation, AI and machine learning (ML).

Cyber Accelerators
The goal is to help organizations get out of reactive mode, in which they play catch-up with malicious actors. Automation makes it possible for security teams to identify and adapt to potential threats and vulnerabilities, and to respond more effectively when attacks occur.

Increasingly, organizations are adopting security orchestration, automation and response (SOAR) platforms, which simplify the process of coordinating, automating and executing key security functions, such as vulnerability management, incident response and threat intelligence. SOAR platforms typically come with playbooks, providing users with basic approaches to common tasks.

In a recent survey by the Enterprise Strategy Group, 49% of respondents said automation improved their mean time to respond, while 44% said it improved incident prioritization. Other benefits include more quickly isolating assets in the event of an attack (44%) and faster escalation of critical issues (43%).

AI and ML are expected to accelerate automation solutions, according to a 2021 paper published in Tech Science Press.

“AI/ML-powered cyber defense systems will be instrumental in responding to the continuing growth in the number and complexity of threats, the evolving nature of threats, and the need for rapid and substantially automated responses to threats,” the authors wrote.
Advancing the State of the Art
CISA is spearheading the development of numerous cyber automation solutions. Here are some of its flagship projects:

• The Cyber Analytics and Data System (CADS), highlighted in the Biden administration’s fiscal 2024 budget request, is intended to help security teams make more effective use of advanced analytics to identify, detect and prevent or mitigate emerging threats, according to a budget document. CADS will provide tools for ingesting and integrating cyber-related data, as well as for coordinating and automating the analysis of that data.

• The CISA Advanced Analytics Platform for Machine Learning (CAP-M) (formerly known as CyLab) is a virtual collaborative research environment in which CISA’s cyber experts can test ideas for using data to tackle cybersecurity problems. CAP-M can run on-premises and on a multi-cloud platform. CISA will share lessons learned from its research with partners across government, industry and academia.

• The Advanced Data Analytics and Machine Learning Technologies Program is focused on using data to assess risks across cyber, physical and blended cyber-physical environments — a major concern when it comes to critical infrastructure. As part of its mission, the program is intended to build the foundation for using AI. Activities include developing representative datasets for AI training, providing computational testing capabilities and assessing emerging analytic tools.

Worrying About Quantum
NCS identifies quantum computing as a high-priority concern.

Quantum computing uses subatomic particles to run a massive number of calculations in parallel. “This means quantum computing may revolutionize our ability to solve problems that are hard to address with even the largest supercomputers,” according to the U.S. Department of Energy’s primer on the topic.

All that compute power has cyber experts worried. Traditional encryption techniques essentially are just difficult math problems. But future quantum computers might not find them so difficult, QuantumXchange explains.

NCS calls for the federal government to plan a transition to quantum-resistant cryptography environments and to determine how to ensure cryptography’s continued evolution.

A Double-Edged Sword
Cyber experts have similar worries about AI and ML. Although this technology will play a critical role in strengthening cybersecurity, it doubtless will also fuel efforts to crack those defenses.

For example, cyber criminals are expected to use emerging AI-based chatbot solutions to devise much more convincing phishing emails, leading more unsuspecting users to click on malicious links, according to a report from the Center for Security and Emerging Technology.

“Cybersecurity is a constant battle between attackers and defenders who try to leverage advances in technology to gain an advantage,” the researchers wrote. “Progress in those technologies can tip the scales in favor of either offense or defense, and it is not always clear beforehand which side will benefit more.”
The Best Defense Against Cyber Threats Is a Strong Offense
An interview with Marty DeConcilis, Vice President, Federal Sales and Engineering, Fidelis Cybersecurity

In today’s highly contested cyber environments, agencies must be faster and smarter than even the most sophisticated adversary. Retroactive analysis and periodic scans aren’t enough. And even with the best tools, you must assume that attackers will — or already did — find their way in. Only a proactive cyber defense will help you stop attackers early enough in the kill chain so that threats don’t become costly incidents. In other words, you need to put your cyber defenders back on the offensive.

“A proactive cyber defense is essential to winning the war against cyber threats,” said Marty DeConcilis of Fidelis Cybersecurity. "The first step is to fully understand your environment, so that you can be prepared to detect, distract and defeat whatever comes next."

Here are three strategies for proactive cyber defense.

Understand Your Cyber Terrain
You must understand your environment better than your attacker. That means having visibility into all traffic, and ongoing risk prioritization. Only then can you identify potential attack vectors, isolate issues and resolve problems before they escalate.

“Once you have automated systems that continuously discover, analyze and map your cyber terrain, you can put that intelligence to use and stay ahead of adversaries,” DeConcilis said.

Follow the Data
Addressing cyber threats requires strong data loss prevention (DLP). But in today’s hyper-connected environments, traditional DLP can’t keep up. True data protection requires a continuous understanding of data access and movement throughout your network — which is called network DLP.

“Real-time insight is essential to quickly detect and investigate threats and prevent sessions that violate policies,” said DeConcilis. “You need deep, contextual analysis of data movement in real time to spot and stop risks.”

Outmaneuver the Attackers
Post-breach technologies that put you back in control of your environment, including deception and active threat detection, are imperative to cyber resilience. Deception technology changes the attack surface and lures attackers into a contained area of your network. Active threat detection works in conjunction with DLP and deception to correlate alerts and provide strong, actionable conclusions about active threats. This means fewer false positives and faster response times.

“With deception in place, defenders can hunt, detect and defend with great speed and confidence. And active threat detection provides high-confidence conclusions about attacks, including attack stages and the tactics, techniques and protocols in use,” DeConcilis said. “Together, these solutions help stop active threats and prevent re-engagement.”

Fidelis Elevate is an eXtended Detection and Response (XDR) platform designed for proactive cyber defense. It automates security operations across traditional network architectures and extends seamless security controls into the cloud, across all network ports and protocols, and out to endpoints.

With patented Deep Session Inspection and in-line decryption, Fidelis Elevate catches DLP risks other tools miss, providing content with rich context. Fidelis Elevate includes built-in deception and game-changing active threat detection. This platform delivers cyber resilience that gives defenders strategic advantages over evolving threats.
Governments Find Strength in Numbers

Increasingly, government leaders recognize the need to approach cybersecurity in the same way they approach public health: There must be a holistic network in which the well-being of individuals, or individual systems, depends on and benefits the well-being of others.

Like viruses, cyber threats succeed by finding a vulnerability before moving on to overwhelm the larger population. The more they succeed, the longer they stay in circulation, putting everyone at risk.

It is in our best interests not only to share resources and expertise, but also cyber intelligence, to create a more complete picture of the threats in the digital ecosystem. Forewarned is forearmed.

Collaboration is inherent in the National Cybersecurity Strategy. “By working in partnership with industry; civil society; and State, local, Tribal and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and more equitable,” the strategy states.

Here are examples of collaborative efforts already underway.

CISA Coordinates a National Effort
The federal government has collaborated with state governments on cybersecurity over the years. But the National Defense Authorization Act (NDAA) of 2021 institutionalized those efforts by creating a network of state coordinators under CISA’s purview.

The goal is for each state to have a federal, on-the-ground cyber expert. These coordinators will work with public- and private-sector organizations, providing advice, supporting preparation, incident response and mediation efforts, and connecting those organizations with federal resources.

“Cybersecurity for state and local governments is just as important as efforts at the federal level, and frequently, they lack the resources, technical know-how, and situational awareness to secure their systems, or respond in the event of an attack,” said former Sen. Rob Portman (R-Ohio), one of the original sponsors of the bill incorporated into the NDAA.
DHS Extends Funding to Local Agencies
Federal efforts also can help spur collaboration within states. That’s the hope for the State and Local Cybersecurity Grant Program and Tribal Cybersecurity Grant Program, as part of the Bipartisan Infrastructure Law.

With a historic $1 billion, the program funds agencies for four years to address risks and strengthen security, particularly for critical infrastructure. CISA and the Federal Emergency Management Agency will approve state plans, with committees comprised of cybersecurity representatives from counties, cities, towns, public education and public health. States are required to distribute at least 80% of the funding to local and rural communities and 3% to tribal governments, for new and existing programs.

At a 2022 conference of the National Association of State Chief Information Officers, state participants were asked what a successful State and Local Cyber Grant Program would look like. One of the hallmarks of a good program, they said, was that it would “[break] down barriers between state and local government and foster 'an inertia of collaboration'."

States Create Cyber Fleets
Federal support and direction are essential, but states also need to run their own cyber defense vessels.

In February 2022, New York Gov. Kathy Hochul established the Joint Security Operations Center (JSOC) to unite local, state and federal response efforts and data collection. It includes businesses that operate critical infrastructure, plus DHS, Emergency Services, the New York State Police, the Metropolitan Transportation Authority, the Port Authority of New York and New Jersey, and other entities.

Qualified personnel from across New York staff JSOC, which is headquartered in Brooklyn, both in person and virtually. Officials expect the center’s central view of threat data to make it easier to detect and respond to emerging threats and to accelerate remediation efforts.

Other states, such as Illinois, North Carolina and Utah, have established similar task forces that include their state’s emergency management agencies, police, the National Guard and infrastructure partners.

Cyber Care on the Global Landscape
But a holistic approach needs to go beyond the public sector.

With that in mind, Congress created the Joint Cyber Defense Collaborative (JCDC) in 2021 for public- and private-sector partners worldwide. The collaboration involves service providers, infrastructure providers, cybersecurity experts and researchers who can share information, decrease threats and build defense plans to serve the global community.

Every government agency, business and nonprofit is part of our cyber landscape. That means that each entity’s level of security is tied to the next, in more ways than we can imagine. As the JCDC website says, “No one entity can secure cyberspace alone.”
How to Isolate the Weakest Link
An interview with Mike Rider, Senior Solutions Engineer, Menlo Security

If you think about it, there’s a fundamental disconnect between the concept of zero trust and the approach traditional security technology takes.

As employees browse the internet or open email, legacy solutions scan the content for potential threats before allowing access. That’s not zero trust. That’s “innocent until proven guilty.”

If you take zero trust seriously, you will treat all content as if it’s malicious, whether you detect a threat or not.

That’s the mindset behind isolation technology, said Mike Rider of Menlo Security, which provides browser- and email-based isolation solutions.

“With isolation, our default approach is that all content is malicious, and we treat it as such (i.e., never trust it),” Rider said. “Never let the end user have access to it, but instead, always deliver to them a safe, sanitized version.”

How It Works
Think about going through airport security. Imaging technology and metal detectors scan every person and their bags. If a system detects something suspicious, security officials pull that person and their bags aside for greater inspection. That’s how traditional security tools work.

Now, imagine if every person and every bag were automatically subject to the highest level of scrutiny. That’s how isolation technology works.

Browser isolation routes web traffic through a cloud-based remote browser where all content can be activated in a safe environment. If nothing malicious is present, the content is passed on to the end user.

Agencies can take a nuanced approach to restrict browsing. Some websites might be blocked fully, and others might be accessible, but in view-only mode. Menlo Security’s solution enables agencies to create granular policies that define who can access what type of file in what mode.

Security at Speed
Of course, if airport security worked the same way, no one would make their flight. But that’s not a problem with isolation technology, said Rider.

For example, when the Defense Department (DoD) adopted browser isolation, users saw a 50% reduction in load times of web content, according to the Defense Information Systems Agency.

That’s because under its old approach, security scans happened at the department’s internet access points, which led to bandwidth congestion. Moving security to the cloud eliminated those chokepoints.

Although DoD is a unique environment, most agencies should expect the performance of browser isolation to be on par with their standard internet connection, Rider said.

Isolating the Human Factor
A 2021 global study by IBM found that 95% of successful attacks or breaches involved human error. It’s just human nature, Rider said: No matter how much training people receive, they are bound to click on links or visit sites that they shouldn’t.

With isolation technology, “users can freely navigate the web and make mistakes, which they will do, without bringing risky content into an organization,” Rider said.
Data Sheet
Cloud Security Platform Powered by an Isolation Core™

Empowering organizations with the essential Internet security platform they need to eliminate threats and protect productivity.

What’s stopping malware?
The work-from-anywhere policies necessitated by the global pandemic have created more flexibility for the world’s workers, but an unwanted result was an increase in security vulnerabilities. With the broader range of ways that people are connecting to enterprise networks every day, the concept of a secure perimeter is officially obsolete.

Three things to know:
While recent work-from-anywhere policies have created more flexibility for the world’s workers, they have also led to increased security vulnerabilities, as the browser is still the most common attack vector.

Menlo Security adopts a Zero Trust approach to this security challenge through its Isolation Core™ technology, which prevents attacks from reaching users in the first place by moving the browsing process off the desktop and into the cloud.

Menlo Security consolidates all Secure Web Gateway (SWG) capabilities—including CASB, DLP, RBI, proxy, sandbox, FWaaS, and private access—into an end-to-end single cloud-native platform. The platform also integrates with SD-WAN to provide an integrated Secure Access Service Edge (SASE) solution. It is also extensible via an API framework and features a single interface for policy management, reporting, and threat analytics across all the consolidated services.
3 Ways to Bridge the Cyber Workforce Gap

Implementing the new NCS will take many technical professionals at a time when an estimated 40,000 to 45,000 public sector cyber positions are going unfilled and 69% of state and local human resources officers are reporting an IT-hiring crunch.

Despite a Federal Cybersecurity Workforce Strategy that’s been in place since 2016 and a Federal Cyber Workforce Management and Coordinating Working Group dating from 2019, governments continue to struggle to find enough qualified cyber personnel. That’s partly because they’re competing with a private sector that’s short an estimated 710,000 professionals — and can pay more.

Tech workers earn more in the private sector than in local government
Average salaries for tech workers in U.S. dollars (private sector vs. local government, excluding hospitals and schools):
Computer and Information Systems Managers: $167K private sector; $123K local government
Computer and Mathematical Occupations: $102K private sector; $82K local government
Engineers: $104K private sector; $98K local government
Source: Michael Brady/Smart Cities Dive

Better Balance and Benefits
Government may be able to capitalize on recent layoffs at major tech firms — but salary remains a stumbling block.

Although agencies may not be able to compete with industry on pay, other benefits also matter — especially to younger workers.

Public-sector jobs can attract new talent by offering:
• Student loan repayment
• Hybrid and remote work
• Health care, financial and other benefits
• An important mission

At the National Science Foundation (NSF), an agency that’s competing for scientists, doctors and others who can make more money in the private sector, flexibility can be a deciding factor, explained Wonzie Gardner Jr., Office Head and Chief Human Capital Officer for NSF’s Office of Information and Resource Management.

“Work-life balance is so important to millennials,” Gardner said, speaking at a recent GovLoop virtual event. “Remote work, hybrid work, supporting new parents — these are key for both recruiting and retention.”

And don’t forget the agency’s mission. It’s what distinguishes a government career from one in the private sector. Many people seek meaning in their work — and those are the people you’re looking to hire. Emphasize how their role contributes to the agency’s overall goals.
Seek Talent Early and Often
Accelerate your hiring pipeline and tap into it early. That means internship, fellowship and other programs that catch workers early in their careers, or even while they’re still in training.

One such program is the Office of Personnel Management (OPM)’s CyberCorps “Scholarship for Service,” which recruits young professionals in IT, industrial controls, and security for federal, state, local, tribal and territorial governments. The scholarships, for up to three years of undergraduate or graduate study, require recipients to work in government for the same number of years that they received the aid.

Cities and states reach out to local institutions in various ways. For instance, Kansas City, Missouri works with local universities by hiring graduate students to help with city projects, and the students can stay on after graduation if they choose. Washington, D.C., has a pilot program that trains inmates for Amazon Web Services Certified Cloud Practitioner certification, giving them a chance at better jobs when they’re released. The key is to be creative and take advantage of local resources.

You can also reduce barriers in the hiring process — for instance, by adopting OPM’s 45-day hiring model and replacing academic requirements with skills-based ones. For federal agencies seeking cyber talent, OPM has the Cybersecurity Hiring Resource Hub, which brings together information on incentives and expedited application processes.

Grow Your Own
Finally, there’s the option of developing your own internal tech pipeline. Employers — both public and private — have drastically reduced what they spend on training since 2000. That needs to change.

Developing good training programs can open your options. You can bring in new hires who have the potential to learn needed skills once on board, rather than hold out for people already trained. And use vendors’ professional services to train employees on specific technologies and applications.

Taking advantage of the Federal Rotational Cyber Workforce Program, under which cyber employees work at other agencies for six months to a year, can help tech staff learn new skills.

You can also think of “rotations” to the private sector as a way to upgrade skills. According to NSF’s Gardner, younger tech workers are unlikely to stay with the same employer for their whole career, so they might not stay in a government job for life. But you can entice them to return to government after time in the private sector by promoting a workplace that meets their needs for flexibility and work-life balance.

“Talent that we want is going to learn skills in different places,” Gardner said. “We say the best employee is one that can go from one agency to another, and the best employee [now] is one that can go out of government into industry and later come back in.”
How to Get Ahead on
Vulnerability Management
An interview with Bill Harrod, Chief Technology Officer, Public Sector, Ivanti

At some point, security becomes all about the math. Every device you connect to the network becomes another potential security vulnerability. And the more vulnerabilities you have, the harder it is to sort out what to tackle and when.

That's always been the case. What's new is how the devices have proliferated over the last several years, in large part because of remote and now hybrid work.

“Think about it: There are, maybe, several hundred thousand potential vulnerabilities on a network,” said Bill Harrod at Ivanti, which provides risk-based vulnerability management solutions. “Where do you go first? How do you do the patching to keep up with zero-day attacks and critical security vulnerabilities?”

Map Your Threat Landscape
The first step toward answering that question is to identify those vulnerabilities.

It's not enough to know what devices are on the network. You also need insight into the status of every device: Is it compliant with your security policies? What software does it run, and exactly what components are part of that software? Is that software up to date on its patches? Have security controls been altered? And so on.

The next step is to understand the risk involved. Every misconfigured system, outdated software or missing patch represents a vulnerability. But to what extent is that vulnerability likely to be exploited, and what damage might be done?

That discovery process must be continuous as new devices are connected, the status of existing devices changes (e.g., new patches must be applied or software must be updated) and new threats emerge.

Change the Equation
Back in the days when networks had a relatively stable number of devices, the security team tended to keep tabs on vulnerabilities using a spreadsheet. But with the proliferation of connected devices, “trying to manage it with a spreadsheet is just a losing proposition,” Harrod said.

Here are three areas in which automation can change the equation:

• Identifying and assessing devices and other IT assets in real time, including all hardware and software on premises, in the cloud and at the edge
• Correlating that inventory with threat intelligence and other security data to prioritize remediation efforts
• Testing, deploying and validating patches, and ensuring that patch deployments have minimal impact on your employees and system workloads

Keep the Employee in Mind
If security had one objective — to protect systems and data — you could just lock users out of the network and call it a day. But the real goal, said Harrod, is to “make it as easy as possible for people to do their jobs and be secure at the same time.”

In fact, he said, a 2022 survey by Ivanti found that 40% of respondents would consider changing jobs if they couldn’t access the tools they need, such as a mobile device.

Ivanti provides risk-based vulnerability management and related tools that enable organizations to provide that user experience without compromising security, Harrod said.
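The second automation area above, correlating an asset inventory with threat intelligence to rank remediation work, is shown here as an added example that is not part of the report or of any Ivanti product. All hosts, vulnerability IDs, severity values and scoring weights are constructed placeholders; the point is that the highest CVSS score is not always the first thing to patch.

```python
"""Risk-based prioritization of vulnerability findings (added example).
Hosts, vulnerability IDs and weights are constructed placeholders, not
real CVEs or vendor data; the weighting scheme is an illustrative assumption."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    internet_facing: bool   # taken from the real-time inventory
    criticality: int        # 1 (lab box) .. 5 (mission-critical system)

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder identifier such as "VULN-0001"
    cvss: float             # base severity, 0.0 .. 10.0

# Constructed threat intelligence: IDs seen exploited in the wild, and IDs
# with a public exploit but no observed attacks.
KNOWN_EXPLOITED = {"VULN-0002"}
PUBLIC_EXPLOIT = {"VULN-0003"}

def exploit_weight(vuln_id: str) -> float:
    """Multiplier for how likely the vulnerability is to be exploited."""
    if vuln_id in KNOWN_EXPLOITED:
        return 3.0
    if vuln_id in PUBLIC_EXPLOIT:
        return 2.0
    return 1.0

def risk_score(finding: Finding, asset: Asset) -> float:
    """Severity x exploit likelihood x network exposure x business impact."""
    exposure = 2.0 if asset.internet_facing else 1.0
    return round(finding.cvss * exploit_weight(finding.vuln_id)
                 * exposure * asset.criticality, 1)

def prioritize(findings, assets):
    """Return (score, finding) pairs ordered from highest risk to lowest."""
    by_host = {a.host: a for a in assets}
    scored = [(risk_score(f, by_host[f.host]), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)

# Constructed sample inventory and scan results.
ASSETS = [Asset("vpn-gw-01", True, 5), Asset("lab-pc-07", False, 1),
          Asset("hr-db-02", False, 4)]
FINDINGS = [Finding("lab-pc-07", "VULN-0001", 9.8),   # critical CVSS, lab box
            Finding("vpn-gw-01", "VULN-0002", 7.5),   # exploited, exposed
            Finding("hr-db-02", "VULN-0003", 6.5)]    # public exploit, internal

if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, ASSETS):
        print(f"{score:6.1f}  {f.host:12} {f.vuln_id}")
```

Rerunning `prioritize` each time the inventory or threat feed changes is what turns this from a spreadsheet snapshot into the continuous process the interview describes.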

32
Ensure peace of mind, everywhere your business works.
Our security solutions provide the highest barrier you can get against threats, giving you the power to protect your business—everywhere.

Ivanti Discovery
Make your IT, and your user experiences, more efficient and secure with real-time visibility of your assets.

Ivanti Unified Endpoint Management
Automate deployments, personalize user workspaces and fix issues quickly, everywhere.

Ivanti Zero Trust Access
Deliver secure, streamlined user experiences with zero trust access for any application or device.

Ivanti Risk-Based Vulnerability Management
Move from detection of vulnerabilities and weaknesses to remediation in minutes – not months.

Ivanti Patch Management
Efficiently prioritize and remediate the vulnerabilities that pose the most danger to your organization.

www.ivanti.com

33
How to Adapt to the Cyber Landscape: 6 Takeaways


Here's the bottom line: There's no such thing as an immutable defense. Good security is adaptive security. Here
are some key takeaways on how to improve your cyber agility.

Automate. Given both the volume and velocity of tasks, there's no way that cyber experts can keep pace with
threats without automation.

Build the cyber workforce. Build it every which way: Recruit young talent, upskill existing staff and hire seasoned
professionals. Whatever it takes.

Keep tabs on CISA. The cyber agency is spearheading the development of advanced cyber strategies and
solutions. Follow its lead wherever possible.

Don't go it alone. Collaborate with other agencies or organizations to build cyber intelligence and develop cyber
best practices.

Get serious about zero trust. Zero trust has become a bit of a buzzword, but it remains one of the best
approaches to securing applications and data.

Secure non-traditional tech. Any device that's hooked up to the internet is at risk. The problem is that many
IoT-type devices do not come with security features, leaving your network vulnerable.

34
About GovLoop
GovLoop’s mission is to inspire public sector
professionals by serving as the knowledge
network for government. GovLoop connects
more than 300,000 members, fostering cross-
government collaboration, solving common
problems and advancing government careers.
GovLoop is headquartered in Washington, D.C.,
with a team of dedicated professionals who
share a commitment to the public sector.

For more information about this report, please reach out to info@govloop.com.

Thank You
Thank you to Aqua Security, Fidelis
Cybersecurity, Ivanti, Menlo Security, and
OpenText Cybersecurity for their support
of this valuable resource for public
sector professionals.

Authors
John Monroe, Director of Content

Lauren Walker, Senior Staff Writer

Susan Kirby-Smith, Senior Staff Writer

Candace Thorson, Managing Editor

Stephanie Kanowitz, Contributing Writer

Designer
Marc Tom, Junior Graphic Designer
