Private sector on OPM hack: Ditch signature-based security
Cybersecurity experts across the country renewed calls for the U.S. government to modernize its IT security systems in the wake of one of the biggest data breaches of federal computer networks ever.
As the Office of Personnel Management deals with the fallout of having information on more than 4 million current and former government employees taken from its systems, there have been multiple calls to move away from the reactive, signature-based system that discovered the breach four months after it first occurred.
“Legacy IT architectures simply can’t keep data secure from the new threats facing organizations today,” Box Inc. CEO Aaron Levie said. “The only solution is to adopt new, modern technology that delivers security from the ground up, not bolted on as an afterthought.”
Information about the breach’s depth was discovered by the Department of Homeland Security’s Einstein system after OPM moved to enhance its security practices in the wake of prior breaches. According to multiple reports, the attack used a zero-day exploit, tapping into a previously unknown vulnerability, to gain access to a system.
The use of a zero-day exploit shows that the government needs to quickly move away from signature-based security systems, which only recognize known malicious actors. Anup Ghosh, CEO of security firm Invincea, said the federal government should invest in endpoint security, meaning monitoring the activities of devices connected to its networks.
“The investments that have been made in security [are] a breach happens, bad things happen, and what do you do? You call in consultants,” Ghosh said. “What they do is end up selling you a solution. They end up selling you a retrospective analysis. They give you the ability to see what happened long after it happened, but it still requires someone to tell you you have been breached.”
Ghosh said a focus on endpoint security would close windows on “dwell time,” allowing agencies to eliminate malicious actors in hours and eliminating the need to rely on other departments to sound the alarms.
“If you think about where the detections are today, it’s not coming from your network,” Ghosh said. “It’s coming from the FBI, the NSA, customers, partners or the Internet. You find out you’re breached only because the data that you should have been protecting ended up someplace else, rather than a true detection center that would alert us, saying, ‘Hey, there’s something running on this machine that’s out of place.’”
Ryan Kazanciyan, chief security analyst at endpoint security company Tanium, said a better focus on endpoint security would give agencies better visibility into their networks so they don’t end up becoming victims of multiple attacks.
“A lot of times organizations detect and alert that they’ve been compromised, and they fail to successfully scope the incident,” Kazanciyan said. “As a result of that, there may be 20 systems and 10 different user accounts that are compromised, but they only identify 80 percent of them. So [analysts] think they’ve cleaned up the incident, but due to a lack of visibility and a lack of context, they actually haven’t taken the attacker out at all. What appears to be a re-compromise later is really just a continuation of the same attack.”
Tyler Reguly, manager of security research for Tripwire, said that while reactive security technologies are never going to go away, what matters more is having a holistic view of the network.
“Why attackers are successful is because we create these security silos,” Reguly said. “We have to look at everything: databases, networks, hosts, Web servers. We need to start looking at everything like one giant, living organism.”
It’s not as if OPM isn’t trying to move toward this stance. According to a fiscal year 2016 budget justification released in February, the agency called for $32 million above its previous year’s appropriation to increase its IT security.
“This updated network must be maintained over time to ensure that OPM’s system does not revert to antiquity and insecurity,” the justification read. “It must also continue to employ the best security tools to protect OPM’s IT infrastructure from ever-increasing and exponentially sophisticated network attacks. As a result, additional funding is needed to support operations and maintenance of the additional hardware, software and staff.”
Even as OPM fights for the additional funding, Reguly said the best tools in the world only go so far.
“Unfortunately, it’s a game of who’s smarter,” he said. “That ball bounces back and forth over the years, months and even day to day. We’re going to have to sink a lot of man hours and a lot of brain power into determining how we stay ahead of the attackers.”