Leadership Voices

Sponsored Content:

For today’s CISOs, the stakes have never been higher. Not only are they tasked with the ever-present mission of keeping constant cyberattacks at bay, but with millions of public sector employees working remotely, attack surfaces are growing. To enable crucial remote work, agencies are easing restrictions while doubling and tripling up on new defenses, desperately trying to keep up with increasingly sophisticated attackers without compromising services to constituents. 

John Evans knows exactly what agencies are going through. As Maryland’s first governor-appointed chief information security officer, he has guided both statewide agencies and city, town and county governments toward more secure policies and practices. Now chief technology advisor at World Wide Technology, Evans is no longer fending off daily cyberattacks and instead is an on-call advisor, fielding calls for assistance from federal, state, and local agencies looking for an edge in the never-ending battle for true cybersecurity.

Security Transformation

WWT’s holistic approach to security protects our customers’ reputations, business assets and intellectual property. By connecting business goals and objectives to technical solutions, our customers are able to mature their security postures, prepare for new and existing threats, achieve more effective outcomes, and align security transformation to an enterprise architecture. Through our partnership with Cisco Security, we are able to simplify customers’ experiences, accelerate their success and protect their future.

At WWT, a technology solution provider, Evans tackles calls from intelligence and defense agencies, federal civilian IT shops, and state and local governments. He provides a valuable strategic and technical resource and brings not only the technical chops from two decades in government technology, but also the life experience of service as a state CISO, one who has wrestled the same demons, walked in the same shoes, and speaks the same language as those who count on his counsel.

“This is an opportunity to really be able to help lots of different customers tackle their cybersecurity, cloud and technology issues,” Evans says.

The topics are intertwined. Evans helped drive Maryland’s push into the cloud as the state’s chief technology officer, then took over the security challenges as CISO. The once-clear boundaries that delineated where government systems ended and the wild, untamed internet began are no more. Now, with agencies running thousands of virtual machines in the cloud, and with users leveraging cloud-based software-as-a-service solutions, there is no clear perimeter.

Managing this requires a strategic and mental shift, Evans says. Cloud adoption makes it essential to employ new concepts like defense-in-depth, zero-trust and multi-layered security. Firewalls still defend the network but by themselves cannot defend the enterprise. Data Loss Prevention (DLP) technology, intended to stop a massive exfiltration before it occurs, and Cloud Access Security Brokers (CASB), designed to block unapproved cloud services, are now indispensable elements of a defense-in-depth strategy. Automated tools like these have become critical since the volume of data now moving in, out and across the enterprise is beyond human comprehension.

Activity must be monitored, questionable activity flagged, and inappropriate activity stopped. Thoughtful protocols must be in place to address scenarios like a user who appears to be operating from an unusual worksite, or an employee operating an atypical device. Additional tools may be added to verify the individual, either by behavior, such as monitoring mouse usage, or by requiring additional authentication. At the same time, security must be vigilant, but also sensitive; the aim is not to disrupt legitimate activity, lest users seek their own workarounds, creating unsafe, shadow IT environments.

“Look,” Evans says. “If a hacker wants to get into your environment badly enough, if they have the right resources and abilities, it’s almost impossible to stop them. That’s where cyber resiliency comes in: Security now is less about trying to just keep people out and more about building layers of security to stop problems and then to still be able to operate through an attack and/or recover from an attack, if one happens.”

And they happen. The latest report from the FBI’s Internet Crime Complaint Center (IC3) says hackers cost U.S. businesses and individuals at least $3.5 billion in 2019. Other estimates peg ransomware attacks as having cost U.S. government agencies, educational institutions, and health care operations at least $7.5 billion in 2019. According to Verizon, 86 percent of hacks are financially motivated; some 30 percent are perpetrated by organizations’ insiders.

A decade ago, moving to the cloud was seen as a security risk, but time has shown that commercial cloud service providers are more adept at patching and other basic security services than most on-premises IT shops. Today, the question isn’t whether the cloud is safe or not, but whether agencies and businesses are managing risk appropriately at every level and for every system.

“We’ve gone from just keeping people out of the perimeter to limiting the damage that they can do if or when they do get into your systems,” Evans says. “So, in addition to a firewall, you’ve got advanced intrusion detection and intrusion prevention systems. You’ve got data-loss prevention software. You’ve got encryption on all your sensitive information. And you’re designing your architecture to make sure critical resources are harder for the bad guys to get to.”

JOHN EVANS | Chief Technology Advisor, Public Sector, World Wide Technology

Cultivating Insights

But it’s important to note that the more cloud services are used, the more they are likely to be targeted. Verizon reports that attacks on web applications doubled in the past year and now make up 43 percent of data breaches.

Not all data is created equal, he continues. An outward-facing website providing basic information on agency programs does not need to have the same level of protection as a database of taxpayers or Medicare beneficiaries.

“So, you’re locking down remote access protocols, making sure that your basic cyber hygiene is in place, making sure that your patching is up to date,” he says. “And, most importantly, you’re taking a risk-based approach.”

Ultimately, CISOs act as internal risk assessors: They score the odds of attacks against the risks of a breach in each system and determine the level of effort and investment necessary to minimize those risks.

One challenge, however, is that the proliferation of devices — smartphones, laptops, cameras, and all manner of operational technologies, from air conditioning systems to digitally controlled lights, motion sensors, and more — means there are more ways in and out of the network than ever before, and many of those are outside the purview of CISOs.

“One recent report said only about 60 percent of most organizations are covered by the cybersecurity program,” Evans said. “So, we can be focused on all the right things, doing all the right things, and there can still be other parts of the enterprise that aren’t defended at all. If your HVAC controls are riding on the same network as your critical business systems, it’s not going to be hard for attackers to move laterally once they’ve gained access.”

The convergence of physical and digital security is one step. But, ultimately, CISOs have to have an eye into every part of the enterprise, from the supply chain to the end points connected to the system. “You have to have a very holistic strategy,” Evans says. “You have to look at the organization as a whole: What are all my ingress points? What things aren’t covered by my cybersecurity program?”

These days, with the COVID-19 pandemic driving more workers to operate from home, weak points may be expanding. Who authorized that new wireless printer operating on a home WiFi network that’s being used to print out draft reports? Is the maintenance team aware that those new energy-saving lightbulbs are connecting to a WiFi network that also handles secure business processes?

“Only a few years ago, the majority of the systems pitched to me were based on a primitive defense approach: you’d put some sort of network tap at the perimeter with your IoT devices, SCADA systems, and that was considered security,” Evans says. Not anymore. Well-publicized hacks that leveraged those systems for access, or to launch denial-of-service attacks, cast a spotlight on risks, driving increased attention to the security risks inherent in dumb devices attached to networks.

“Now we’re seeing solutions developed specifically for SCADA and other IoT-type systems, defense-in-depth solutions that can track the actions of those devices and identify if something is making them behave in an undesirable manner,” Evans says. “Just because those network-controlled lights or other connected devices don’t have direct access to get into anything sensitive in your network, doesn’t mean you don’t have to be concerned. They still need to be protected, because if they’re not, your lack of security could cause harm to someone else.”

To manage all of this effectively, CISOs must focus on resilience — that is, the ability to sustain operations in the face of attacks.

“Resilience is making sure one has the right processes and systems in place to ensure we can recover in an acceptable timeframe and manner,” Evans says. “It means making sure backups are in order and tested, and systems recover rapidly.”

This requires a detailed, methodical approach, employing multiple layers of security to minimize damage and downtime at every level. Persistent hackers will eventually find a way to get inside; the layers are intended to minimize what they can do once they hurdle a wall and enter your systems.

Managing the Defense

As attacks proliferate, so do defenses. The explosion of new cybersecurity requirements, tools and toolsets over the years has added to the complexity of the security enterprise. The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program is a case in point. It defines requirements for agencies and identifies the products and services to meet those requirements, but agencies are on their own to implement those solutions. The result for many is a plethora of systems that are increasingly likely to overlap.

“It’s not unusual for agencies to have the tools but lack a strategy,” says Evans. Nor is it unusual for agencies to have the tools but fail to implement them to maximum advantage — or to streamline them to avoid duplication and waste.

A first step in many interactions is to conduct a Security Tools Rationalization Assessment, often at no charge. 

“We come into an organization and evaluate the tools that they have in place, their technical controls, their procedural controls, and the configurations and implementations of the tools,” Evans says. “Then we start asking questions: Are there things that the organization is paying for but hasn’t been using? Is there overlap between the tools? Are there gaps, things none of their tools seem to be addressing? Are there configurations that need to be changed in order to cover some of those gaps? And then we come back and make recommendations on either decommissioning tools because of overlap or purchasing new tools in order to fill gaps.”

The surprise in all this: “I don’t know of any tools rationalization assessment done to date where we weren’t able to actually save money.” It’s not that WWT hasn’t advocated for adding tools, Evans added. “No — it’s that the price of those tools is generally more than offset by the savings gained from decommissioning overlapping tools no longer needed in their environment. Every security assessment that I’ve been involved in or privy to, has actually lowered the cost to the customer.”

Modeling Success

Bigger still, Evans argues, is the overall strategic approach that WWT applies to the problems customers bring forward. 

“I’ve worked with many organizations, but I’ve not seen anywhere the customer really gets the top level strategy and perspective and then the implementation guidance and product guidance to be able to pick the things that are right for their environment and the deep technical expertise to make it all work,” Evans says. “It’s very, very cool.”

The point is, he explains, the basics of cybersecurity are well known, if not always well understood. 

“If you can do three things, you’re 99% covered,” Evans says, making exceptions for certain high-end customers in the Defense and Intelligence communities. “If you can lock down your remote access protocols and lock your ports down; if you can make sure that your patching is up to date and that you’re able to account for your systems and their patch-compliance levels; and if you can stop your users from doing things that they shouldn’t be doing. With those basic protections, unless you’re getting attacked by a nation-state you’re probably going to be fine.”

While getting those basics right eliminates most of the threats, CISOs must keep their senses trained on the 1% that could get through. This is where it helps to have friends with the right connections. Having comprehensive knowledge of the solutions on the market and also how well they work together is beyond any individual CISO, and also beyond most security teams. There’s just too much to do day-to-day to stay up on the latest of everything.

Having a partner, then, that can help you reason through your options is a necessity. Having one, like Evans, who’s trod your very footsteps, understands your perspective from the inside out? That’s priceless.

Intel Builds Security Into the Silicon

With WWT’s platform expertise, Intel and WWT help agencies overcome modern security threats and challenges. Intel’s products are architected to deliver advanced security, with built-in, silicon-enabled security technologies that help protect potential attack surfaces. Rooted in silicon, our security technologies are meant to operate beyond the reach of potentially corrupted software, which helps create a trusted foundation for computing that customers can depend on.

Connect with our cybersecurity experts, access our research and explore our labs, join our platform at WWT.com.