In the commercial world companies estimate annual sales and make a budget. Hard to apply basic management 101 to the Continuous Resolution situation that many federal agencies have found themselves in the past few years.

Today’s interview brings together several experienced federal professionals who give guidance on the new world of budgeting. Issues brought up include critical timing concerns, technical definitions, and the impact of shortened periods to accomplish annual goals.

Timing. An agency can set a budget, then not know when, or how much, they will get funded. Somehow, agencies manage to get by, but most of the lessons learned are part of institutional knowledge of each respective agency and are not shared.

For example, what if an agency plans an expenditure, then only gets 75% of what was planned? If a chunk of a budget is eliminated, how does an administrator prioritize what projects to continue and which ones to cut?

Definition. Under a CR, an agency cannot begin any projects. This leads to the legal parsing of the meaning of “new.” If a system replaces an existing system, is it new? When a system is maintained, is this a new project? If a vulnerability is found, can it be remedied with a new patch?

Compressed year. How long will the CR last? 30, 60, 90 days? Does this mean that each agency must produce an administrative plan for each shortened year?

The interview ends on a bright note. Elizabeth Field shows the GAO understands the challenges this presents. They have issued a report called Selected Agencies and Programs Used Strategies to Manage Constrains of Continuing Resolutions.

An argument can be made that the Solar Winds breach precipitated the interest in Zero Trust in the federal government.  Thousands of words have been written, justly, about the incident.  However, much less attention has been given to how SolarWinds has handled the situation. 

SolarWinds has provided us with a classic case study on how to handle a crisis.  They have been transparent, changed leadership, and have made strategic acquisitions that help them serve customers better. 

An example of that strategy is today’s interview with Gregory Fetterhoff, the CEO of Monalytic. It was acquired by SolarWinds and operates as a separate company. An argument can be made that new leadership at SolarWinds has objectively looked at how to improve service to federal customers and made the acquisition of Monalytic to remedy the situation.

During this interview, Gregory Fetterolf gives three reasons why this partnership is effective: the skill set Monalytic brings, accommodations made for corporate culture, and the synergy gives Solar winds the ability to serve the federal government in other areas.

Monalytic is comprised primarily of people who have served in the military or federal government.  SolarWinds had extensive experience in commercial environments.  The credentials that Monalytic brings to the table allow them to have a deep understanding of federal needs.

Consultants like to say culture eats strategy for breakfast.  What happens when two completely different cultures get thrown into the same room?  Leadership at SolarWinds has the confidence to allow the successful culture at Monalytic to continue, garnering respect from all employees.

The strength of this new partnership is revealed in the interest of both federal as well as commercial organizations.  From the government side, they appreciate the ability of Monalytic to understand their needs.  Commercial entities know that federal compliance is difficult; if they start with federal compliance, the commercial concerns go away.

Sometimes, it takes an event to show the true strength of a company.

The three subject matter experts in this discussion give the listener a wonderful perspective on challenges and solutions to moving to Zero Trust.

The interview revolves around tools needed to audit a network, risks inherent in a hybrid cloud, a why a Zero trust platform gives an agency the flexibility it needs to deploy zero trust effectively.

Every discussion about zero trust for government agencies starts with trying to determine what is on your network. Smurti Shah from Michigan notes that tools that commercial organizations can use to accomplish that task may not work in a government environment. Therefore, State and local organizations must select Governance, Risk, and Compliance (GRC) solutions that are permitted.

Ian Farquhar from Gigamon brings up a fascinating issue with the “discovery” aspect of network analysis: cognitive bias. For example, a systems administrator may swear on a stack of bibles that they have documented every single item on the network. Ian mentions simple questions like: What about that copier? Does it ever have sensitive documents on it? What about the printer? If your organization allows employees to bring in devices, what kind of security implications does that bring?

During the discussion, the concept of “trust” was unpacked. We know that trust applies to “who” and “what,” but what about the system itself? Ian Farquhar applies trust to logging and Cloud Service Providers (CSPs).

The Solar Winds event looks like it started with the modification of the logs themselves. If you trust the logs, then you can be vulnerable to attack, one should apply zero trust to log controls.

One approach to minimizing vendor lock-in is to use a hybrid cloud. This adds complexity to an already complicated situation. The CSPs certainly do a wonderful job at telling people about the security of their cloud. Be careful to apply controls to that cloud environment, offloading trust to them can put you at risk.

All participants agreed that zero trust gives the flexibility to handle attacks today and in the future.

When the World Wide Web was developed in the late 1980s the idea was you could get information from the platform easily. Well, that certainly worked. In the past thirty years, this “interconnectedness” has brought benefits and unexpected risks.

One of the dangers is the ease of one system connecting to another. Great if you want to validate a person’s identity; also beneficial for a malicious actor to place code in a system that automatically updates.

The most egregious example of the danger of automatic interconnectedness is the Solar Winds event. Systems were set where network “A” trusted code from network “B.”  The cyber attackers took advantage of this trust and inserted code into the target system.

The application for systems managers is obvious – if your architecture is designed to connect to trusted third-party solutions providers, how can know the code is clean? If you combine that with the lack of staff that most state and local governments have, then you have a serious problem. Just to amplify the situation, remote connections blossomed in COVID and the number of logs to manage is out of control.

This is a discussion where subject matter experts from software companies, federal leaders, and county practitioners sit down to provide some suggestions to solve the vexing problem. One possibility is to treat code in a “suspected” manner. Take each system update and consider it as malicious and run it in a sandbox before deploying. Unfortunately, this is a labor-intensive process, and we are assuming a situation with a lack of professionals.

Bill Harrod from Ivanti suggests that systems administrators can take advantage of artificial intelligence and automation to vet patches and updates quickly. If there is an issue, remediation can take place rapidly.

Another remedy discussed was including text in future contracts where software vendors must assure end users that the code they provide has been thoroughly evaluated. This does nothing for a system in place today, but it is a good long-term preventative measure.

This interview is a terrific primer for preparing your agency to prevent ransomware.  We have four experienced thought leaders who discuss issues like knowing what is on your system, where to find free prevention resources for a limited staff, and best practices for maintaining a safe network. 

Knowing what is on your system is the basic starting point for security, however, this simple concept can be difficult to accomplish.  Auditing your system can be compromised through users avoiding consolidation through shadow IT.

The term “shadow IT” has had Its peaks and valleys of interest in the past decades – some refer to it as “unauthorized modifications.” The origins are obvious.  If a system administrator makes it onerous to comply with security directives, users will come up with a workaround and use a credit card for an application, unknown to management.

The federal government understands the staffing challenges of state and local governments. As a result, the Cybersecurity & Infrastructure Security Agency (CISA) provides guides and training for these groups. During the interview, we learn that CISA is developing guidelines for an attestation letter.  This would act as a trust mechanism for smaller agencies concerned about malicious code coming from vendors.

Even if your system is thoroughly reviewed and current with updates and patches, you can still be vulnerable.  One simple instance of best practices is offered by Bill Harrod from Ivanti.  He suggests that each update must be tested and validated before being installed.  This is because of the complicated nature of hybrid systems today.  One update can have an impact on another system that is dependent on it.

Much to unpack in the group discussion – they talk about automation, machine learning, and the software lifecycle as it is applied to the software supply chain.

Today’s interview looks at ways state and local government entities can prevent ransomware. Traditionally, these organizations are understaffed and underfunded when it comes to cybersecurity professionals.

The unintended consequence of this budget constraint is making them vulnerable to ransomware attacks, with its thousand-fold cost. The interview will give you a plethora of free resources to help your organization prevent a ransomware attack if you have a limited budget.

A part of the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) has assembled a Joint Ransomware Task Force. It had its first meeting in September of 2022. One of the ambitious goals was to provide free information to help organizations, like State and Local Governments, with ransomware prevention.

Well, they delivered. StopRansomware.gov https://www.cisa.gov/stopransomware is authentic. It provides information on DNS blocking and even offers a free phishing assessment. Additionally, they offer best practices for backups, multi-factor authentication, and user training.

During the interview, you will learn there are over 90,000 State, Local, Tribal, and Territorial (SLTT) groups who lack the resources to establish a reasonable defense against attack. Many do not realize that just because you pay the ransom does not mean they will not attack again. Even worse, you may pay the ransom and then the data can be released anyway. There is no honor among thieves.

Doug Levin, K12 Security Information Exchange, gave an intriguing four-part summary of risks SLTT organizations face:

1 Primary attack vector will be email phishing – CISA can help in training

2 Legacy systems may not be patched, making them exposed

3 Due to a lack of budget, organizations may have vulnerable legacy applications

4 Passwords can be  compromised (The result of a phishing attack)

SLTT groups are not alone in ransomware prevention. Federal organizations are stepping into the gap by helping in many ways.

When one reads the current literature on federal systems and zero-trust architecture, one gets overwhelmed by diagrams, charts, and prescriptive messages.

Lots of “should” and not many “we did.”

Well, this podcast will fill in the gaps. This is a discussion between a subject matter expert from Palo Alto Networks and a federal zero-trust practitioner. They dissect the best approaches to Zero Trust and give practical guidelines for migrating to a zero-trust architecture for a federal environment.

The discussion starts with how to select priorities. Everyone knows that Zero Trust is not a minor change that is merely adopted overnight. If zero trust is a journey, where does one start, and what priorities should be set?

Drew Epperson Palo Alto Networks provides the most practical advice on this concern. He suggests that you should identify the public attack surface and gain an understanding of where your valuable assets are located. The fantastic point he makes is that if you have a zero-trust system that does not allow the protection of assets dynamically, then you should start from scratch.

Beau Houser, US Census Bureau, makes a valid point when he suggests that a move “left” in the software development process will make Zero Trust much easier to deploy. In the parlance of software developers, a security move “left” means, on a timeline for a project, security considerations are given during the actual process of putting together the code.

One risk that is pointed out is that a systems administrator may be relieved that the code is being developed with security considerations, some may say “baked in.”  The concern is that that person may get lulled into not worrying about continuous monitoring of the code. There very well could be a zero-day attack built into the code that will only be released later.

The interview concludes on a positive note. Beau House relates how his agency is having remarkable success in training technical staff. The dual benefit is it aids in staff retention and makes the transition to zero trust much smoother.

Ransomware is targeting vulnerable populations at hospitals. A hospital presents a “perfect storm” for attackers: thousands of apps, a multiplicity of medical equipment connected to the Internet, and sensitive information being stored.

In today’s podcast, Scott Pross applies his healthcare background and technical savvy to offer suggestions to prevent these attacks.

From his background in healthcare, Scott Pross knows that healthcare professionals have a wide variety of applications that they can use. He suggests that a good approach is to interview users to see exactly what applications they constantly use and what ones are relegated to the back shelf. Armed with this knowledge, a systems administrator can prioritize which applications to lock down.

Also, there are several areas to monitor and the approach he suggests is to develop a dashboard system that has areas for topics like the network, Email server, Accounting, and Marketing. This way, managers can get an idea of which systems can be used and which ones should be avoided.

Scott Pross suggests a dashboard system provides three main benefits, especially in a healthcare environment. First, the simplicity of a dashboard could translate IT issues into business issues. Rather than being informed of a specific event in a log, a graphical description could be given to show how that incident would impact the functions of, for example, the Email server. That way, managers could inform staff about issues and resolutions.

Second, because leaders have a visual element in front of them, it stops them from physically going down to the server area to interrupt network administrators doing their work.

Third, information from the dashboard could empower managers to make business decisions. For example, if there were storage issues, a business decision could be made to add storage arrays to eliminate concerns in the future.

When you read the current literature on cloud systems management, one key factor is what is called “observability.”  With so many moving parts, one tends to focus on a specific group of indicators and miss the overall activity.

When Vivek Kundra started to talk about “Cloud First” back in 2009. He had no idea the size and complexity of clouds that would evolve in his desire to reduce cost and increase flexibility for federal projects.

SolarWinds has been a leader in system observability for decades. Today, we have a person who has successfully used Solar Winds on a variety of systems and relates some of the best practices for gaining this elusive observability.

Scott Pross has seen systems managers look at specific aspects of federal systems in silos. For example, a manager may have data coming in on servers, or even the network itself. Another set of metrics may give information on applications. Managing virtual environments has evolved into a category in and of itself.

When a problem arises, a troubleshooter may microfocus on an area, but not realize how it impacts the entire ecosystem. Scott suggests that using solutions from SolarWinds can give a systems analyst a view from 40,000 feet instead of ten feet off the ground.

Another consideration is how to monitor activity in a cloud when its architecture is changing. The change may be for compliance reasons, expanding applications, or something as basic as running out of room and having to adapt to an influx of data.

Leaders of federal agencies are not interested in extremely detailed observations about logs.  They want to know when their application will be available for citizens or employees. Addressing this issue, Scott details how, using SolarWinds, he can assemble dashboards to give leaders a better understanding of what has gone wrong to enable them to make data-based decisions.

We all read the Executive Order on Improving the Nation’s Cybersecurity when it came out. It was great at telling federal technology leaders “what.” Unfortunately, it was not too detailed on “how.” Today’s discussion gives the listener a fantastic dose of practical applications.

We have tech visionaries from the DoD, CISA, GSA, and CrowdStrike. They offer suggestions based on years of federal experience. The discussion ranges from gap analysis to prioritize needs to the evolution of the Trusted Internet Connection (TIC) from 1.0 to 3.0.  Further, an analysis is given of the progress of agencies on incorporating point of a reference architecture to specific recommendations for the DoD to comply with zero trust.

Kevin Gallo gives an overview of TIC. Initially, its goal was to limit the number of connections a federal agency had to outside sources. Since its inception in 2007, the federal government has seen an explosion in endpoints and cloud services. As a result, some view TIC 3.0 has a distributed cybersecurity policy enforcement tool.

Speaking of the multiplicity of clouds, there are so many moving parts that any solution must include the ability to interconnect with many systems. Ned Miller from CrowdStrike talks about the millions of endpoints CrowdStrike has already secured in an incredibly complex system.

For civilian agencies, the GSA is offering a Buyer’s Guide that can assist leaders in assessing offerings that can lead to a stable zero-trust architecture. Additionally, they offer free workshops on implementing Zero Trust where hundreds of federal technical people have participated.

From the DoD Randy Resnik gives the listener a detailed description of the 45 capabilities and the 151 activities that must be accomplished before an effective deployment of Zero Trust can be accomplished.

If that is not a full plate, the interview ends with a serious overview of threat hunting. Perhaps this august group and meet again and provide more details on this important topic.