This post is a summary from a session at Adapt 2024: Reimagining Our Federal Cyber Future — our second annual one-day conference dedicated to unpacking the complex challenges facing Federal IT, cybersecurity, and operations teams.
Cyber professionals can't protect what they don't know is there.
Today's IT teams face evolving threats, including understanding their own ever-shifting networks. With the proliferation of cloud computing, mobile and Internet of Things devices, software, and other technologies, cyber professionals must deal with an attack surface continually expanding and contracting as assets drop on and off. Conventional siloed security tools can't manage this complexity.
"Visibility is step one," Stephen McElwee, ID Technologies' vice president of enterprise architecture, told the 2024 Adapt conference in Washington, D.C. "If you can't identify what you have across your network, what that looks like at any given point in time, then you're going to run into a serious issue down the line."
As a systems integrator, McElwee helps large, decentralized agencies such as the Air Force manage assets like ruggedized servers and other connected devices that frequently change locations.
"We're constantly seeing assets that are jumping on the network, jumping off the network. They're connected at one point, and they're all off-network, and they're connected in a different way," McElwee said. "We can't solve problems that we don't know are there."
The shifting assets require a holistic view of how they move inside network architecture, their security posture, and the ability to push policy and fixes as needed. This means consolidating asset data from disparate security tools into a centralized platform, like the Axonius Cyber Asset Attack Surface Management (CAASM) platform.
Here Today, Gone Tomorrow
The National Cancer Institute is part of the National Institutes of Health, an agency comprising 27 institutes and centers with many different missions and federated networks. Craig Hayn, NCI's chief information security officer, must secure roughly 10,000 users and endpoints—and that doesn't include mobile devices.
"The explosion is a challenge period which greatly and rapidly expands our attack surface," he said. "As security professionals, we're challenged and charged with ensuring we have visibility of all those assets—understanding their posture at any given time."
Hayn and his team used a variety of tools to track their inventories, but they encountered blindspots and had difficulty running queries. Like many government organizations, NCI's tech stack includes legacy and other end-of-life systems. They could wring data from these old systems using adaptor prompts and Sneakernet methods.
"To deal with that, we've had to pull up to a higher level, and Axonius came along at the perfect time for us about four years ago. Now it was very apparent immediately, our value we get along by moving away from those separate tools and pulling all that data into a single pane of glass," he said.
The holistic view enables faster, more accurate detection and response while avoiding the wasted effort of chasing false positives. NCI's SecOps team can triage more accurately while meeting the government's binding operational directives and closing vulnerabilities within two weeks. "If we can get to the truth faster, we can act much faster," Hayn said.
The AI Threat
Generative artificial intelligence and AI-generated content and assets are emerging challenges with no easy solution. Organizations face pressure from their workforces to adopt AI tools while still drafting foundational policies and risks.
At NCI, for example, researchers and developers are eager to use AI in their projects to see what results. However, tech leadership is still figuring out how to evaluate AI technologies and monitor and manage their use of data like patient information.
As a systems integrator, McElwee is exploring ways to build matrices to help determine whether an asset is real or generated and how a zero trust architecture can be applied. While there are no easy answers, a single unified platform for cyber attack asset management provides a foundation.
"As we go forward, more requirements are being based on business outcomes. … There used to be anecdotal requirements that are now hard requirements," McElwee said. "A single pane of glass used to be a nice to have analysis, and now it's priority number one."