What SolarWinds revealed about the gaps in enterprise IT security
Federal agencies have taken significant steps to fortify their IT environments over the past couple of years. But as the latest cycle of security breaches and ransomware attacks has made abundantly clear, cybercriminals are only growing more sophisticated and persistent.
One global cybersecurity leader that successfully sidestepped the malicious impact of the SolarWinds software supply chain attack and is helping government agencies adopt zero trust strategies is Palo Alto Networks.
In this exclusive interview, FedScoop talks with Dana Barnes, senior vice president of U.S. public sector sales at Palo Alto Networks, about the security giant’s perspective on zero trust, what it learned during the SolarWinds incident, and which security steps government agencies still need to focus on most.
FedScoop: The White House executive order on cybersecurity put a bright spotlight on the need for agencies to adopt zero trust security practices and modernize their security operations. What impact do you think the EO will have in actually moving agencies from a security compliance mindset to truly embracing zero trust?
Dana Barnes: First, there’s a lot more in that executive order than just zero trust. The EO reinforces a wide range of cybersecurity measures that are already out there. If you think about the FY ’21 appropriations as an example, there were dollars set aside for cybersecurity. The National Defense Authorization Act also had funding for cybersecurity and tech modernization. And then there was the American Rescue Plan Act. All of these things were driving funding to address the problem long before the EO was released.
Most EOs often don’t have teeth, because there’s no funding tied to them. Here’s a case where the EO is picking up on themes where the federal government has already moved on the funding. So I believe that you’re going to see a significant move by these agencies over the next six months to start to address these issues.
And all you have to do is look at the Colonial Pipeline incident to know how bad things can get quickly if you haven’t secured your environment. And, as you know, it took them some time to get up and running once they fixed everything, so I think you will see federal agencies move more quickly. In fact, we have been receiving hundreds of calls from government in the federal, state and local space to discuss our approaches on zero trust, on threat hunting and on securing the network as an offshoot of the President’s executive order.
FedScoop: What did you see from Palo Alto Networks’ perspective during the SolarWinds incident that could offer useful lessons as agencies begin to implement some of the steps outlined in the executive order?
Barnes: SolarWinds showed that the traditional [cybersecurity] approaches that have been in place are not necessarily going to meet some of the highly sophisticated attacks that we’re seeing now. The thing we’re seeing with our customers is that they’re confused — they just don’t know where to start. They are fatigued. They’re understaffed. And they’re not necessarily funded to do some of the things that they need to do.
From a Palo Alto Networks perspective, what we now understand and are advising customers is that you have to know what your attack surface actually is. How do the folks who are trying to break into your environment — how do they view you? What we’ve learned is that these bad actors actually analyze the customer; they analyze the network from the internet side of it, and if they can get in, they assess and look at everything.
I’ll give you a prime example. We procured a company called Expanse. They give us the ability to see how our environment touches the outside world. What are those open ports? What are those devices and their vulnerabilities outside in? A lot of federal agencies don’t do as great a job of understanding that. That’s step one.
Once you’ve done that assessment, and you know what your attack surface is, then you have to assess your entire environment. You need to know what problem you’re trying to actually solve. That’s the confusion piece — where do I start? And then identify where the gaps are, and then you can prioritize and figure out where to go.
That’s a large part of what we do at Palo Alto Networks. It’s not just about the firewall. It’s not just about having a data lake and machine learning and analytics, which are very important. What we want our customers to do is understand what you look like; understand where your risks are; and then we can get into, how do we address the threats?
We can look at your network security, your firewalls, your endpoint protection, at your cloud protection — and see, how do you secure all these different connections to the cloud? What’s my attack surface? How does the enemy view me? And where will they attack?
FedScoop: You mentioned the American Rescue Plan that allocated almost $2 billion towards cybersecurity. That’s on top of nearly $10 billion requested in the President’s upcoming FY 2022 fiscal budget. Given those funding opportunities, what are the biggest issues agencies still face in actually modernizing their security operations?
Barnes: I think it’s a combination of size, complexity and manpower. If you look at some of our largest agencies, they have multiple contracts for cybersecurity going across multiple integrators. We have funding that has been locked and set that dictates what technology can be used. So what you’re going to deploy today isn’t sufficient, because the requirements were done four years ago, and it just took that long to get the contract. So that’s a challenge.
Another challenge is you can’t just throw away what you already have. It’s not like Homeland Security can start completely from scratch and build an entirely new cybersecurity structure. You have tools and processes in place, and you have to build upon them and leverage them. So you need approaches that allow you to take advantage of what you have — and weave in new capability — while you’re slowly upgrading those older capabilities. All of those older tools are still generating data. So how do you leverage the older tools? I think that’s where a platform approach is so crucial.
I think one of our strengths is we can come in and leverage what you already have today. We can slowly begin to replace those older things with new things that are fully integrated into what we have. So you can go on this journey, based upon where you are. Some customers have the ability to just start from scratch and go all the way. Other customers have to keep doing what they’re doing and take it step by step.
I would say the last challenge is that senior leaders in government need to become even more engaged in cybersecurity — and better understand the importance of cybersecurity to the overall mission — by asking questions. If you’re a director of an agency, you need to know what’s needed. It’s not just the sole responsibility of the network people and the CIO and CISO. It’s the job of every person in that organization. If leaders at the top don’t understand the urgency at the same level that the CIO and CISO do, agencies will still struggle.
FedScoop: Given the vast range of security solutions available to agencies, what would be your recommendations for what agencies should focus on most?
Barnes: The first thing is to know what you have and what your current security posture really is. Then you can start deploying things like next generation firewalls, focusing on things like role filtering and enterprise data loss prevention. We would argue that we have some of the best technology in that space.
But then you have to take another step. And this gets into taking anti-ransomware measures. Ransomware is huge right now and the government in particular is a heavy target. So having the ability to leverage behavioral threat analysis is key.
One thing we learned from SolarWinds, using our Cortex XDR capabilities, was that artificial intelligence and machine learning capability was what saved us, because we were able to identify and see abnormalities and behavioral changes that weren’t normally there — and that an analyst who’s inundated with data may have missed. And that’s critical. So that automation piece is key.
From there, you can start to leverage things like data lakes, and the ability to collect all that data and do the analysis.
But we also recommend four critical components to securing your enterprise, starting with having integrated endpoint detection and response (EDR). We also recommend investing in modern security orchestration, automation and response (SOAR) platforms — especially at the federal level. Another important security component, or pillar, is having internet operations management in place. And finally, agencies need to commit to zero trust architecture and the strategies to achieve it.
I would argue that no one has fully implemented zero trust. People have different flavors and pieces. There are so many parts to your cybersecurity. But understanding where you are right now, what you look like, and what your posture is — that’s the most important thing to focus on first. If you can do that, then you know where to put your resources, you can prioritize, you can do your risk assessments to secure your environment.
We are urging our customers to leverage our experience and capability to give them that visibility into what they didn’t see. Every customer where we’ve leveraged Expanse — it’s really opened their eyes to what bad actors are seeing, and saying things like, “I didn’t realize that I was so at risk here, here and here.”
Learn more about how Palo Alto Networks is helping government organizations to “solar proof” their cybersecurity foundation.