Paul Beckman, chief information security officer at the Department of Homeland Security, said Thursday at MeriTalk’s Cyber Security Brainstorm that software-defined networking, adopting a zero-trust model, and optimizing DHS’ security operations centers (SOC) are his biggest emerging priorities to promote better security across the department.
Beckman said DHS CIO John Zangardi is “very ambitious” in his desire to promote DHS’ modernization efforts, which has led to the Department bringing in additional integrators to aid in that investment. Beckman says within those new priorities, he’s looking most ambitiously toward promoting better authentication principles and recruiting better security talent – including those working outside of the National Capitol Region (NCR).
“This is something that I’m extremely excited about, because when you start talking about becoming much more effective and efficient, software-defined networking is just where it’s at,” Beckman said.
SDN allows network administrators to use a centralized control console to shape the flow of traffic and delivery of services throughout the network. Beckman said he’s able to “break out planes” – for management, data, security – and access, for example, those security controls to be deployed wherever they are needed in the network. This process “alleviates the requirement to have IDS’s [Intrusion Detection Systems] and firewalls spread throughout the entire region of the entire network,” he said.
“It becomes a much more efficient way to provide security services to the data on the network,” the CISO added.
“One of the things that I think we are, as an IT organization, going to be evolving to, is that zero-trust model,” Beckman said. “Traditionally where the perimeter was going to be your primary means of defense, but once you got into your squishy center, you were generally a trusted entity. That needs to go away.”
The zero-trust model is, exactly as Beckman described, a principle that suggests all connections and endpoints, even those already inside the network, need to be verified. No trust is applied to things traditionally seen as inside the network, and established privileges and micro-segmentation prevent users from moving laterally. This works to wall off systems from accessing data for which they aren’t authorized in the event that those systems are compromised.
“Inside the perimeter you need to authenticate to everything you try to access,” Beckman said.
Beckman said when the President’s May 2017 Cyber Executive Order prioritized, among other things, the use of shared services across agencies, DHS quickly discovered that SOC monitoring presented an attractive opportunity to leverage cybersecurity talent as a shared resource across DHS component agencies.
“I’m getting into a little bit of trouble when I say it, but a SOC is a SOC is a SOC. They generally aren’t different with respect to how you execute that SOC mission across the different components despite what your mission is,” he said.
Beckman noted how DHS is looking to consolidate the operation of some 16 independent SOCs. DHS would look to establish “maturity standards” for security performance, and those SOCs deemed to be excelling would be certified as SOC “centers of excellence,” a practice he said is based on a Defense Department model. Those not meeting maturity standards would be transitioned into the certified centers. He said it could perhaps look like four or five consolidated centers operating in a “SOC-as-a-service” format.
That format could help alleviate persistent cybersecurity workforce shortages compounded by a “fiercely competitive market” in the NCR, Beckman said.
“That’s unique here to the NCR, but not necessarily the same case in other parts of the country, where there are perfectly qualified cybersecurity professionals, where that competition isn’t so fierce,” he said, adding that DHS could soon see a geographic shift in its cyber monitoring operations.
“I can do SOC monitoring anywhere in the country, with extraordinarily acceptable talent and pay significantly less amount of money to do it,” he said. “I’m seriously considering placing some critical security services outside of the NCR, where I can get out of this rat race, get out of this very competitive nature, and save some money doing it.”