Technology has come a long way from the days of antivirus software installed on endpoints. Recently, the Agriculture Department migrated from a host-based security system to endpoint detection and response. The big difference, USDA Deputy Chief Information Security Officer Ignatius Liberto said, is that final word: response.
“In the old days, we had this mindset of allow all, deny by exception, and then if we had a threat signature, we’d load it in there and certainly go hunting for that specific threat signature. Now, with technology and the way we’ve generated our defense in depth for our enterprise network, we’re looking for anomalies,” Liberto said on Improving Cybersecurity through Autonomous Endpoint Management. “But at the end of the day it’s these automated responses, the ability to isolate, contain and quarantine very rapidly, whether it be a threat signature coming in via email or from one of our many forward facing websites. It’s the ability to understand as soon as possible that something is not normal so we can kick off an investigation.”
Liberto said his team uses log aggregators to collect, tag and categorize information in order to more quickly get a better picture of what normal network traffic looks like, and spot the anomalies. In addition, he said that logging capability is being used to generate dashboards to increase situational awareness and critical thinking around adversaries and their aims.
Those dashboards help separate the digital signal from the noise, giving Liberto and his team a better idea of what’s worth following up on, and what isn’t.
“You can’t chase every false positive and you don’t know it’s a false positive until you chase it,” he told the Federal Drive with Tom Temin. “So we’re getting better and better at tuning our sensors. We’re getting better at better understanding what normal bad behavior on our network looks like. So then, when we feel confident, when we get an alert, we can chase it.”
Adversaries may try to violate the confidentiality of data by exfiltrating it, manipulate the integrity by altering it, or shut down access points to deny its availability. Those three items — confidentiality, integrity and availability — are what Liberto refers to as the “CIA triad.” He said USDA is working on incident response plans to protect those aspects of the data.
Information sharing
But when it comes to cybersecurity, the more data you have, the easier it is to identify anomalies and stop adversaries. That’s why USDA is engaging in multiple partnerships, including with the Department of Homeland Security and private sector stakeholders.
“The National Security Council has identified the food and agriculture critical infrastructure,” Liberto said. “So what we’re doing now is figuring out ways to collaborate, cooperate and share information with the vendors and with these large industries that support the food and agriculture, and going to discussions on how we’re going to work together to defend this critical infrastructure. So this is a nascent capability, but we’re moving very rapidly in that direction.”
The idea, Liberto said, is that if an adversary can penetrate the systems of one of USDA’s peers, then it can probably cause problems for USDA as well. That’s why USDA pays attention to major cyber incidents in both the public and private sectors, and avails itself of both commercial threat intelligence and information sharing from the intelligence community.
“The most important thing is, no matter how strong your policy is, how strong your compliance is, no matter how well you follow, whether it be a law or a binding operational directive from [the Cybersecurity and Infrastructure Security Agency], never underestimate the malicious cyber actor out there,” Liberto said.
The post Dashboards, sharing threat intelligence helping USDA improve cybersecurity responses first appeared on Federal News Network.