Government CIO Outlook, May 2019

using MFA. With the support of our senior leadership, we continue to take significant steps to further enhance the security of our remote access solution. We have also made new "always on" VPN profiles mandatory for all remote connections. From the outside, when an agency employee connects to the Internet using an agency-issued workstation, such as a laptop or mobile device, the VPN connection is established, thereby greatly enhancing the security of both the workstation and the agency network. As an added layer of security, this standard VPN profile also requires the employee's government-issued PIV card to connect to the VPN.

Network Protection - As part of the ISCM strategy, we perform routine activities such as scanning our internal network for published Indicators of Compromise (IOCs); patching all known critical vulnerabilities; reducing the number of privileged system accounts; accelerating enforcement of multi-factor authentication using the PIV card; and performing an inventory of high-value assets. Our defense-in-depth configuration is based on the Intrusion Prevention System (IPS), Network Admission Control (NAC), and Security Information and Event Management (SIEM). We have deployed an essential Data Loss Prevention (DLP) solution to encrypt all external email messages that contain PII. Last year we expanded our DLP solution to also scan the subject line of all emails for PII. This enhancement has reduced the number of false-positive incidents to fewer than 7 per month. Without proper encryption controls, these emails would have resulted in significant privacy risks.

Security Operations Center (SOC) - Our SOC is equipped with robust infrastructure to support real-time monitoring and Network Admission Control (NAC).
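The DLP rule described under Network Protection (encrypt mail that leaves the agency carrying PII, and inspect the subject line as well as the body) as an added illustration; this is not the agency's product, and the internal domain, the SSN-only PII pattern and the sample messages are constructed assumptions:

```python
import re
from dataclasses import dataclass

# Added example, not the agency's DLP product. Domain and sample mail are constructed.
INTERNAL_DOMAIN = "agency.example.gov"  # assumed internal mail domain

# US SSN in the written form 123-45-6789. The SSA never issues area 000, 666 or
# 900-999, group 00, or serial 0000; rejecting those cuts false positives on
# look-alike strings such as ticket or part numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_pii(text: str) -> list:
    """Return the SSN-shaped tokens in text that pass the structural check."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def dlp_decision(msg: Message, scan_subject: bool = True) -> str:
    """'encrypt' when mail leaves the agency carrying PII, otherwise 'deliver'.

    scan_subject=False models the earlier rule that inspected only the body.
    """
    if not any(is_external(r) for r in msg.recipients):
        return "deliver"  # purely internal mail is outside this rule's scope
    fields = [msg.body] + ([msg.subject] if scan_subject else [])
    return "encrypt" if any(find_pii(f) for f in fields) else "deliver"
```

Running the same message with scan_subject=False shows the gap the subject-line expansion closed: a SSN in the subject alone slips through the body-only rule.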
Our authentication and authorization process is threefold: first, the device must have a trusted certificate; second, the user must have a trusted identity in the network; and third, Active Directory and NAC check for a trusted pairing of that user-device combination. Leveraging the Certificate Authority (CA) server, we generate agency-tailored certificates for all of our devices. In general, all agency staff have federal PIV cards. In the limited scenarios where PIV cards are not available, such as a privileged login or a new employee, the agency issues smart cards with certificates from the CA server. Our goal is to improve cybersecurity performance by focusing on the data and information entering and exiting our network, knowing what components are on the network and when their status changes, and knowing who is logged on to our systems. We continue to manage the risk to critical infrastructure and improve our response times to critical status alerts. Our SOC has large-screen dashboards with multiple feeds related to InfoSec monitoring, along with real-time notifications sent to the mobile devices of the Incident Handler staff.

Senior Leadership Support - With the establishment of the Senior Agency Official (SAO) for Risk Management, the agency's leadership is actively involved in risk-based decisions. CISOs today are implementing risk scoring systems that assist decision-making and encourage involvement from system owners through data transparency and information sharing. Our risk management aim is to prevent high-risk material impact and to establish a potent threat prevention, detection, and eradication program. Building partnerships with DHS/CDM, we embrace cybersecurity intelligence collection and ubiquitous sharing. Cybersecurity and privacy have been in the news on several fronts this past year, and our objective is to proactively identify cyber-attacks or intrusions.
My mantra for staying ahead of cyber-attacks is to act as if we are breached. Continuous monitoring is the new firewall. Through the DHS partnership, our SOC has been elevated to use threat intelligence, advanced analytics, and automation. Our systems engineers are trained to purposely segment the network, using separate domain controller accounts for routine network maintenance, thereby limiting an intruder's ability to traverse the network with compromised credentials. Users are often the weakest link, and besides raising awareness through continuous education, we are implementing Advanced Threat Analytics (ATA) as an on-premises Windows Defender solution to protect links in email messages and on the Internet. With limited SOC resources we cannot fix everything, and the best risk management approach is to automate with current technology such as enhanced DLP with user and entity behavior analytics. Last, but not least, my cybersecurity team is our greatest asset; we influence, develop, retain, and expand the cybersecurity skill set by investing in staff training and certifications in rapidly evolving technologies.

Ram Murthy