People often complain about how the government spends money inefficiently—and in many cases these criticisms are justified. And when it comes to spending on cyber security solutions, there’s plenty of room for improvement, according to a recent study.
U.S. federal agencies can save more than $5 billion per year—and act faster to protect systems and data—by enhancing threat monitoring, correlation and automation of protections, according to the report by MeriTalk, a public-private partnership focused on improving the outcomes of government IT.
The study, “Pedal to the Metal: Mitigating New Threats Faster with Rapid Intel and Automation,” underwritten by Palo Alto Networks, highlights what the researchers call a “need for actionable cyber awareness” in the government. It’s based on an online survey of 150 federal employees who work with their security operations team, conducted in September 2016.
The report indicates the federal entities can save as much as 27%, or $5 billion annually, of their cyber security budgets and address threats more quickly by making the necessary improvements in threat monitoring and other areas.
Networks used by the government are radically changing, with the move to the cloud, the growth of mobile technology, and the rising use of software-as-s-service (SaaS) applications. And the approach to security needs to adapt to address these trends.
The report notes that agencies might be missing key indicators of attacks, such as how they are finding a pathway into their networks, and are unable to correlate threat data points. While the majority of agencies monitor traditional entry points such as mail servers, the Internet and Web gateways), fewer than half fully protect their data centers, SaaS enforcement points and mobile endpoints such as laptops and smartphones.
This shortcoming might impede their ability to spot specific behaviors that indicate malicious activities. Even with the enforcement points that are being monitored, only 61% of agencies are capable of automatically distributing information against malicious behaviors across different enforcement points.
What’s particularly alarming, given how quickly threats can spread within networks, is the fact that only 15% of those surveyed say their agency can create protections against a new threat within a few minutes. And only 17% can distribute these protections for enforcement within that same brief time frame.
Certainly agencies are not lacking in the threat information they take in from various sources. On average, agencies subscribe to 25 external threat feeds daily, according to the report. Nearly half are received via email, which the study says drastically increases the time it takes to distribute new protections based on those insights.
A little less than three quarters of the agencies say it takes a few hours to a few days to assess if a unique threat is present and determine if action is required. Even more (81%) say it takes just as long to create actionable changes in their organization’s security posture.
As they continue to grapple with these time-intensive processes, federal security operations teams continue to allocate manpower and financial resources to tasks that are capable of being automated.
Twenty percent of security operations professionals say 12 or more members of their agency’s security operations center team are primarily responsible for the creation of custom signatures for security technologies on the network; correlation of isolated network events that may be related to part of a campaign; taking threat intelligence from various feeds and making it actionable; and correlating different behaviors to associate them with one or more threat campaigns.
The report found that many security operations professionals are not using critical advanced threat capabilities. About 70% of agencies use some form of automated analysis and reports to reduce the volume of data and focus efforts on hunting targeted attacks. But fewer than half use advanced techniques including dynamic analysis (48%), static analysis (32%), and machine learning (19%). Working together, those capabilities can improve threat analysis and the ability to anticipate future threats.
Despite the need for the automation of prevention processes, only 30% of federal security operations professionals are willing to invest in the automation of signature creation and distribution.
Agencies are falling into a culture that’s too focused on the legacy, manual way of doing security, noted Steve O’Keeffe, founder of MeriTalk. Agencies need to make technology investments in addition to having the right expertise in order to detect new attacks and determine what’s a full-blown, global, coordinated campaign as opposed to an unrelated or one-time event, he said. And they need to be able to act accordingly to quickly and effectively minimize damage.
The report provided recommendations for agencies to assess threats as quickly and efficiently as possible: Ensure detection and enforcement across all potential attack vectors into the network to detect any anomalies that could be new threats; correlate isolated tactical behaviors as a sign of a bigger attack pattern, and isolate network segments to reduce the effectiveness of attacks; prevent new attacks by first analyzing and accurately predicting the next step in the attack before it occurs; and leverage new techniques such as machine learning and dynamic and static analysis.