As agencies accelerate efforts to move to secure cloud services and zero trust architecture in line with the requirements of the Biden administration’s executive order on cybersecurity (EO), many are challenged to close visibility gaps and blind spots in their technology environments. In a MeriTV interview, Sean Connelly, program manager for Trusted Internet Connections at the Cybersecurity and Infrastructure Security Agency (CISA), and Michael Dickman, chief product officer at cloud visibility and analytics firm Gigamon, assessed those visibility gaps and what it will take to close them – ensuring that data is secure across physical, virtual, and cloud networks.
Gaps persist across the breadth and depth of agency networks, Dickman noted. Breadth gaps happen when portions of the network are not well monitored or it’s difficult to centrally aggregate telemetry gathered across the enterprise. Depth gaps happen when agencies don’t have visibility into application metadata to understand what devices are actually doing, or when threat actors use encryption to cover their tracks.
The most significant blind spots today are in the core network and in east-west traffic – within agency data centers, Dickman said.
The Department of Defense, in particular, “found that east-west traffic pain point was very real, and it required a visibility fabric” connecting all devices and resources and centralizing all network telemetry to ensure that no security events went unseen, Dickman said.
Over the last 10 years, CISA has launched a series of programs designed to help agencies gain persistent visibility across the enterprise, Connelly noted. These include EINSTEIN, under which CISA placed sensors at agency Trusted Internet Connections access points to monitor traffic going from agency data centers to the internet; Continuous Diagnostics and Mitigation (CDM), through which CISA supports installation of cybersecurity tools on agency premises; and the Cloud Log Aggregation Warehouse, through which agencies send cloud logs to CISA. More recently, CDM, in line with the administration’s EO, is preparing to roll out endpoint detection and response solutions for agencies.
Office of Management and Budget Memorandum M-21-31 to Federal agencies addresses requirements in the EO for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center of each agency.
Agencies are putting a lot of momentum behind the M-21-31 logging memo, Connelly said. In addition, CISA’s Zero Trust Maturity Model guides agencies toward visibility across the model’s five pillars: identity, device, network, application, and data.
“The visibility question is one we are just starting on with the agencies,” he said. “And as we promote zero trust, we need to ensure that we aren’t blinding ourselves, because zero trust promotes both encryption and microsegmentation.”
Dickman agreed. “The real irony is as you get more microsegmentation and encryption, which sound like good things, it actually creates fragmentation and new blind spots. As always, there is the push and pull.”
Check out the full interview for more insight from Connelly and Dickman on how agencies can close old – and new – blind spots to achieve consistent, end-to-end visibility.