All systems, including federal systems, are full of vulnerabilities. The question is, given a limited number of hours in the day and a limited staff, how can you optimize your resources to remedy this issue?

Well, the Cybersecurity & Cyberinfrastructure Security Agency has released a Binding Operative Directive that targets that concern. It was released on November 10, 2023, and is titled, “Transforming the Vulnerability Landscape.”

During today’s interview, Willie Hicks from Dynatrace will look at the whole issue of discoverability and what impact this new BOD will have on the federal community.

If you examine the BOD from 40,000 feet, it transfers the focus from the federal technology leaders to the vendors. Instead of having a security announcement buried on a vendor’s website, CISA suggests it be posted in a machine-readable format. This way, updates can be automatically sent out so they can be ingested.

The Vulnerability Exploitability eXchange helps users know if a given product is impacted. The military knows that if you defend everything you defend nothing. It allows links to the Software Bill of Materials so users can know about which vulnerabilities they should worry.

Finally, they look at something called the Stakeholder Specific Vulnerability Exchange. This reinforces the fact that not all vulnerabilities impact all federal agencies. CISA suggests that agencies consider vulnerability frameworks that can assist in reducing risk.

Will Hicks applies his years of experience in federal technology to unpack many of these concepts during the interview. He reinforces the concept of visibility. One cannont set appropriate priorities if one doesn’t know what is on the network.  Once that essential step is accomplished, then an administrator can use guidelines to set priorities.

It is all about alignment.

When you hit a pothole, you need to get your car aligned; if you do not your tires will wear out and can cause an expensive repair to the bushings and ball joints of your car.

Anybody who has worked on a federal technology project knows the world of digital potholes. Only in this case, the project halts because your agency’s data is not aligned with the agency’s goals.

During this interview, Tom Scurlock from Talend explains how to make sure your data is clean and dependable. If you decide to jump into machine learning, you will discover the importance of data scientists give to having reliable data.

The Talend website takes a quote from ancient Rome and applies it to today’s digital transformation. The phrase is “Fortune Favors the Prepared.”  You can take this to mean that if you are seriously looking at machine learning and artificial intelligence, it would benefit you to have a complete assessment of the quality of your data.

The federal government is taking this ancient maxim to mind as well. The Evidence-Based Policymaking Act of 2018 established the Chief Data Officer’s Council. Currently, there are ninety members. This is a strong vote for the federal government to realize the importance of data.

One of the results of being careful with data is it will allow agencies, and researchers analysts to produce reliable repeatable decisions and results. That sidesteps the inevitable arguments about the starting point of the analysis and gives most of the time to federal leasers for actual analysis and getting value for the data.

Once upon a time scientists would dream of the day when they could have enough information to make decisions based on data.  Young readers may have to go to history books to see computer science majors take stacks of punch cards to a computer room so they can get an answer in the morning.

Fast forward to 2022, we have so much data we don’t know how to handle it.  The overview is simple – gather up a reasonable number of data sets and pour it through an algorithm and then out pops the answer. 

For example, back in 2017, it was reported that the DoD collected 22 terabytes of data a day. You would have to add many zeros to that number to see what they are collecting today.

As a result, people with a doctorate in mathematics, like Dr. Elsa Schaefer from LinQuest, must wrestle with questions about what data to gather to make valid decisions.

During the interview, she used terms like Data Wrangling, Machine Language Operations (MLOps), and data brittleness.  It appears that there is as much an art as it is a science to competently gather data for decisions to be made.  The term “brittle” is intriguing. 

Let’s say you have an application with a large data set that is working well.  It is quite possible that a systems architect can pour that data into a data set, and it may cause problems.  Because it may cause a system to break, it is called “brittle.”

LinQuest is developing a platform to help federal leaders gain a better understanding of using machine data.

Data scientists try different scenarios and algorithms to see how they hold up.  If you would like to pursue this topic further, you may want to download a fact sheet that details their Harness for Adaptive Learning. 

When it comes to a federal agency making the transition to Zero Trust, sometimes, ya gotta bring in the big dog.

Greg Garret has written 24 business books and has decades of experience helping federal agencies solve complex problems.  Seems to me he might be able to give a good perspective on understanding the federal government’s transition to zero trust better than most.

During the interview, Greg covered a wide range of topics on making this transition. He was asked to put on his CISSP hat, then his Vice President hat, then his CISO hat.  The overall conclusion is no one company has the magic sauce.  Each agency will have to review what options are available and put together a “stack” that fits their unique requirements. 

The problem is, of course, it is not a trivial matter to understand all the permutations of offerings available to the federal government.  In a timely manner, a survey must be done to know your current situation and then be able to know what combination will optimize the spending to accomplish your goals.

Greg Garrett offers a couple of solutions. First, Peraton has put together a “Test Kitchen” for federal technology called the “Ecosystems Lab Environment.”  They have spent millions of dollars assembling proposed products and considering options that may have an impact on an agency.

Second, Peraton has put together a case study called, ”Guiding Federal Agencies on their Zero Trust Journeys” that includes case studies that put various combinations of technology into play.

If you were to do a “thought cloud” of technology, you would see the usual suspects, companies like Microsoft, AWS, and Google.

Nobody would include Elastic Search in this discussion, yet it is seen all over the place, perhaps the best kept secret in federal technology. Because it is capable of being modified in so many ways, it is difficult to categorize it. Elastic is a flexible tool that allows a federal agency to gain visibility on a wide range of fronts.  

As a result, we see many federal projects where Elastic is in the background acting as the “glue” to get information from disparate sources. 

Elastic is based on open-source code. During the interview, Christopher Towsend from Elastic defines the difference between Open Source and Open Security, referencing Elastic Search Technology.

Let’s toss around some cybersecurity concepts that may produce data for a federal agency.  You may have systems that handle Security Information Event Management (SIEM), Security Orchestration Automation Response (SOAR), Extended Security Response (XDR), and even the lowly Endpoint Security (still seeking a snappy acronym).

Because this is such a complex topic, Elastic has put together a free report titled, “Elastic 2022 Global Threat Report: A Roadmap for Navigating Today’s Growing Threatscape”

There was a time in American culture when “living on the edge” was a social construct. Perhaps a person was a test pilot or motorcycle racer.  In terms of federal information technology, we all live on the edge.

The edge referred to is, of course, the digital edge.  The wall protecting federal data has long been breached and technologies like Zero Trust are being implemented to protect vital assets.

The term Secure Access Service Edge was coined by Gartner in 2019. It was a stodgy concept at the time and then COVID hit. The millions of remote sessions were causing technology leaders to evaluate the way they handled security.  Suddenly, the acronym SASE was born, along with its unique pronunciation: “Sassy.”

During the interview, Dr. Tim Robinson from WWT gives a detailed description of SASE.  He is uniquely qualified to speak to the federal audience because he was a Marine and has worked his way up to a Ph.D. in Computer Science. 

A rough description may be cloud technology is being leveraged to optimize network connectivity to allow for consistent policy enforcement, centralized visibility, and scalability.

It is always good to look at an emergency and, later, do a course correction. An argument can be made that COVID forced technology leaders to use Virtual Private Networks (VPNs). After all, they were available and easy to deploy.

In hindsight, most can conclude that the VPN has strategic weaknesses.  It is simply not optimized for the cloud.

Listen to the interview to get an expert’s view on ways to increase security and reduce costs to protect federal data. 

It is not just lemmings that follow a herd off the cliff; technology professionals are garden-variety humans and subject to herd thinking as well.

If you try to keep up with trade publications you are subject to the editorial selection process of the folks who run the periodicals, newspapers, blog sites, newsletters, and podcasts.  Catchy phrases pop up and it puts some joy into the drudgery of a daily tech column. You can take that from experience, I wrote over 500 weekly technology columns for The Washington Post.

Occasionally, you need to get your head out of the sand to get a wider perspective.  For each of the past fifteen years, Verizon has provided the community with the Data Breach Investigative Report, or the DBIR.

During the interview, Melissa Gilbert tells listeners of the 23,816 incidents and 5,212 confirmed breaches included in the report. They gather information from over eighty organizations all over the world.  She elucidates upon the difference between an event, an incident, and a breach. She details the data schema used for the report and explains the 4 A’s:  Actor, Action, Asset, and Attribute.

You can get your own copy of the free report here: The Verizon Data Breach Investigative Report

One of the key findings was the 13% increase in ransomware reported in the 2021 survey.  If your agency has an initiative to prevent ransomware, you can be assured that you are not diving into an arcane topic.

The conclusion is to focus on securing credentials. Most of these attacks start with credential theft and then move deeper into the system.

In today’s interview, Darin Curtis from Menlo Security gives an overview of how to protect against these kinds of threats. To describe this new category, he uses a curious acronym HEAT, Highly Evasive Adaptive Threats.

Malicious actors leave no stone unturned in creative ways to attack federal technology. We all know that the perimeter has been breached and we must rely on Zero Trust Architecture.

The next level of attack is to attack the word “trust” itself.

Traditionally, file formats like PDFs have been viewed as unbreakable. When most people get an email from a colleague with a PDF file, they would normally trust it. This is also true with Excel or Word documents that are transferred on a normal business day.

Today, these files can have malicious code injected into them.

Another approach is to take advantage of that “trust” in HTML code. Some malicious actors will disguise malware into HTML code, called HTML Smuggling. This time, instead of a PDF in an email, it may be an innocent link. This is made possible by HTML5’s ability for download capability.

During the interview, Darrin reinforces the concept that compliance does not ensure an agency is secure. Some studies show ransomware is one of the biggest single threats to government networks; the delivery mechanism can include these HEAT files.

If this interview piques your interest in Menlo Security, then you can download the free report titled “Modernizing Secure Access Through Zero Trust”

Ten years ago, it was a major accomplishment to move an application from a federal on-premises server to the cloud. Fast forward to 2022.

There is so much data flooding into a wide variety of clouds used by the federal government that the term “terabyte” is tossed around like a stickie note. Updated terms are being generated to make sense of the large data stores: phrases like “data lakes” and “data warehouses” are being coined to give some structure to the fire hose of zeros and ones.

During this increase, large secure systems are being tasked with a transition to the cloud – while preventing attacks and absorbing data twenty-four hours a day.

Federal leaders have seen the problem and have attempted to generate ways to understand data being presented from networks, storage arrays, servers, and much more. At this level, automation is the only way to be able to present information in a manner where someone can make a decision.

At one level, there is a challenge to get observability of federal systems. Taken to the next level, can we harness data to be able to make predictive decisions?

Today’s interview with Andrew Churchill gives a view of how technology companies can combine to help understand how the complex federal cloud can be managed. Rather than one ring to rule them all, he suggests assembling a team of disparate skills to be able to take advantage of unique skill sets.

Andrew gives an overview of this approach in the interview. He touches on automation and real-time operational intelligence. If you want a deeper dive, he suggests you attend an event called “Cloud Modernization with AWS and Qlik.” It will take place near the Metro in Rosslyn, Virginia on November 14, 2022. It will have subject matter experts with serious federal experience teamed with data scientists and analysts.

Attacks on the software supply chain have grown by an average of 742% a year since 2019. It makes complete sense if you look at several factors.

Years ago, a software developer would write code as part of a large project. It is quite possible they had the opportunity to examine all aspects of their code for vulnerabilities. That transitioned to developers grabbing blocks of code from libraries. Even then, they had at least a chance to review code grabbed from software repositories.

Federal mandates regarding cybersecurity are forcing systems administrators to speed along work by using code from software libraries. Unfortunately, remote work and cloud transition has made projects so complex that, if they tried to examine each line of code in the project, it would never get done.

One solution is to look at options for examining open-source code before being incorporated into a project. Today’s interview is with Dr. Stephen Magill from Sonatype. He gives a detailed description of how software developers can be assured code they develop is safe. He reminds the audience that, even with bespoke code, newer versions must be added along with improved code over the long haul.

Dr. Magill brings up an interesting aspect of software risk – artifacts. In this sense of the word, an “artifact” is a bit of code that can make binaries work in a system. As a result, they must be managed as carefully as traditional binaries.

If you would like to have more details about security and open-source software, consider downloading the annal report from Sonatype called the “2021 Start of the Software Supply Chain” from Sonatype.