In the discussion below Jean-Paul discusses the evolution of public sector cybersecurity, the rise of Continuous Diagnostics and Monitoring (CDM) and how he sees cybersecurity policies strengthening over the next 12-18 months.
Please tell us about yourself and Swish Data
SwishData is a women-owned small business that has been providing total IT solutions exclusively to the federal government for eight years. We enhance and secure the data performance of our federal customers.
With SwishData’s Professional Services Organization, my team and I are true cyber IT experts that become part of our federal customers team, with specialized skills and powerful expertise to ensure that our customers are protected from the growing cyber threats.
I am the CTO at SwishData and have been supporting the federal government in IT for over 17 years. My main responsibility is to define and implement our company’s technical vision and lead all aspects of technology development and implementation, I’ve worked on everything from super-computing, storage, disaster recovery and COOP, virtualization to cybersecurity.
What has been the evolution of cybersecurity in the federal space?
Cybersecurity really started by meaning simply a Firewall and end-user Anti-Virus. As criminals got smarter new products started showing up, mostly still defending the perimeter. Now we’re seeing a growing focus on monitoring user activity and traffic inside of the network.
This focus is based on the idea that malicious activity will look different than typical user activity. And we have seen that is true with instances like Bradley Manning and Edward Snowden. You can also see that with compromised user accounts that have been taken over by outside actors.
In this area, SwishData has been developing new and innovative cyber solutions and services, but in order to deploy them, we feel that some consolidation and simplification of legacy products will allow for improved OPEX and CAPEX, opening up funds for federal agencies to implement the latest cybersecurity solutions.
What resources can agencies leverage for advanced cybersecurity solutions?
Right now agencies are dealing with major information overload for two reasons. First there is a difference between low-tech automated attacks and advanced persistent threats (APTs) that are specifically targeted. The low tech “spray and pray” attacks can’t be ignored, but often are designed to produce noise cover for the real threats by specific bad actors.
The second reason is what I call Tool Sprawl. Many agencies have purchased products that fixed very specific issues but not the larger problem – sort of like someone chasing the water coming through the holes in a dam. You run around plugging the holes that sprout up, but that creates a lot of tools that don’t integrate and make for a complex, non-holistic environment. On top of it all, as those products mature, they add features that overlap and you are paying more and more for the same products that now have overlapping features.
What agencies need is someone who can bring a long view, not just push another great tool. That’s where SwishData is focused. Unfortunately, most other VARs tend to only have a few security products and look more like OEMs who are bound to promoting their own product.
We fill in the gap between OEMs pushing products and System Integrators offering complete solutions. The challenge with SIs is you dump everything you already have, and just depend on them. SwishData is focused on building on the current security environment and looking for ways to automate, consolidate and simplify the current security infrastructure. In addition to superior security, this approach frees up funding by moving from CAPEX to OPEX, freeing up dollars for future improvements.
Continuous Diagnostics and Monitoring (CDM) is becoming a hot issue in cybersecurity – what does CDM allow agencies to do?
CDM is where things need to move, whether it’s a solution provided by someone else (such as DHS) or a CDM solution in-house that is tailored to a particular agency’s needs. Analytics and monitoring of user activity and network traffic is the only way to find the bad actors once they are inside your network. And that’s not just for insiders who are “breaking bad,” but also for compromised accounts and external bad actors who have somehow gotten inside already.
That’s actually much more common than an insider threat in the true sense of the word. As a matter of fact, SwishData partnered with leading technology vendors, including NetApp, to create the video series “Hacked” which focuses on that exact scenario. In episode one, a government employee has his account taken over and doesn’t know it for months, and then has to defend himself when it looks like he was the insider conducting illegal activity. Users who are uncomfortable with certain aspects of CDM should understand that it’s going to help them because CDM can protect the innocent while finding the guilty by looking at anomalous activity, not individuals.
The bottom line is that we know bad actors are breaking into government networks, and that’s why you’re seeing the conversation move towards CDM.
The one catch is that building a robust CDM will also contribute to the information overload we talked about. The average cyber warrior in the trenches already has way too much information coming at them that they have to manually stitch together. Many agencies are already having a hard time hiring enough cyber warriors with enough skills to deal with the alerts and data.
That’s why we’re focused on helping through automation, consolidation and simplification of the security infrastructures. Not only will this reduce the need to try to find more cyber warriors that don’t exist yet in the labor market, but it will free up OPEX and CAPEX to purchase cutting edge products that continue to improve the integration and automation, such as behavioral analytics, situational awareness dashboards and automated threat mapping tools.
What does it mean to do a “post-mortem” after a security breach?
Post-Mortem can mean a lot of different things to different people. You’ll often hear “forensics” used here, but that doesn’t help much either. Does it mean that you’re simply going to find the vulnerability and close it? Does it mean that you are going to find every single possible infected device and clean it? Does it mean that you’re going to go much further and possibly even install a honey pot and analyze what the bad actors are after?
The hard part is that we are the defender and not on the offense. It’s like a cornerback covering a wide receiver in the NFL – the offensive player always has the advantage, because he knows the route he’s going to take. However, if the cornerback covers well, it takes a perfect pass from the quarterback to succeed.
The attacker has the advantage, even in post-mortem situations. We are reacting to them, and they can purposefully misdirect if we’re not careful. But we can greatly narrow the vulnerability window with the right security steps.
In your view, what will be the biggest changes we’ll see in federal cybersecurity over the next 12-18 months?
I think we’re already starting to see more solution design and less reactive purchasing. In the past, security teams weren’t well funded and had to point to specific threats to get funding of anything. That caused many to be forced into purchasing siloed tools that didn’t work together well.
This is actually very analogous to the maturity process of the data center. In the early stages, people were buying all kinds of neat and cool products that didn’t necessarily fit together. Over time total solutions that are planned and designed well in advance have become the norm.
This isn’t the cybersecurity teams fault, but they will start getting more architectural help both in consulting and funding. Security infrastructures will be planned for “the long war” and OEMs, SIs and VARs are going to have to move towards that model instead of continuing in the current mode most work in today.
The end result is that we’ll see more big data analytics, behavioral monitoring, and cutting edge technology that truly innovates. We will evolve – but so will the bad guys.