Government at the Edge: 5 Ways Cybersecurity Tools Can Pave a Path to the Future of Government Work - Ep. 89
Our favorite highlights from Government at the Edge Virtual summit with Senior Vice President G2CI Sean Berg. Sean shares his top 5 takeaways:
- Create a Sustainable Remote Work Strategy
- Remote Work Strategy must include IT Modernization
- People Are the New Perimeter
- Prepare to Address Cyberthreats — New and Old
- Facilitate Industry and Inter-agency Partnerships
Episode Table of Contents
- [01:00] Key Takeaways From the Annual Summit
- [07:25] The Future of Government Work Under a New Normal
- [13:56] The Future of Government Work Under User Activity Monitoring
- [19:27] Going Back to the End Point
- [25:05] Who’s the Belly Button Now
- About Our Guest
Key Takeaways From the Annual Summit
Carolyn: Today, Eric and I are joined by Forcepoint Senior Vice President of Global Governments and Critical Infrastructure, Sean Berg. We talk about our favorite highlights from Forcepoint's recent Government at the Edge Virtual Summit. Sean shares his top five takeaways.
Carolyn: Sean, thanks for coming back to To The Point Cybersecurity. We recently had our annual summit. This year we tried something new that everybody else was trying which was a virtual summit. We had a lot of great government speakers. You shared with me that you had some key takeaways from the conference. I'd like to start with those key takeaways.
Carolyn: I'm just going to go through the five, and then let's talk about each one of them. So number one is create a sustainable remote work strategy. Two, remote work strategy must include IT modernization. Number three, people are the new perimeter. Four, prepare to address cyber threats, new and old. And number five, facilitate industry and interagency partnerships. So let's start with the first one.
Sean: There's a lot of key takeaways from that session last week. It was a lot to pull from. If you start with creating a sustainable remote work strategy, the key thing is sustainable. The current remote working is not going to change anytime soon before we have a vaccination out there for COVID-19.
Sean: Probably every single topic that we had that day, this topic came up talking about the remote work strategy. Both the pivot and transition to the remote work strategy. Chris Krebs talked a lot about their strategy for that pivot. Appointing a telework coordinator that focuses on making sure that all of the bigger challenges were taken care of.
The Future of Government Work Requires a Whole Rethinking
Sean: He talked a lot about just the specific challenges around the VPNs and making sure the VPNs were updated. We had enough of them to support the large influx of transition to remote work. How all the new threats that come about because you have individuals from your workforce that are accessing network resources within the agency. That is a big challenge.
Sean: We had leadership from the Air Force, Frank Konieczny, talking about how the Air Force made that transition. The reality of it is that things aren't changing soon. Things may forever change in terms of the amount of the workforce necessary to work remotely. It's going to require a whole rethinking. Not only around the IT infrastructure and how you support all these people remoting in, but how you secure them as well.
Eric: We're talking about a workforce here that traditionally, VA and a couple of exceptions really didn't work from home. Many pieces of the workforce, DOD and the intelligence community, can't do their most critical work from home. It’s because of clearances and security issues around the networks they work on.
Eric: I thought Chris Krebs talked to it a good bit and I know George did. What are you hearing in the industry, what happens when we have COVID and we can't work from home?
Sean: You're saying this on the department of defense side more than anywhere where you have the air force and the army having initiatives. A number of committed fans too, by the way. Having initiatives to increase the amount of remote workers that can access the classified domain. Leveraging commercial solutions for classified solutions, leveraging cross domain technology to be able to access this.
All the Security Controls That You’re Looking For
Sean: This is not something that's new. As George has talked about the FBI they've been using this type of technology for some time. A greater percentage of the workforce can access those classified networks from a work from home or work remote manner.
Sean: That will enable at least a larger percentage of the workforce to be able to connect into and do meaningful work. Across the DOD as well that workforce is a heavy user of desktops as well as laptops. So not having systems that can be used remotely was always a challenge.
Sean: To the second point, this work remote strategy has to include IT modernization. You see this in a lot of agencies now. They're creating heavy use of virtual desktop infrastructure to create ways for remote workers to remote and spin up a desktop in the network. It gives you all the security controls that you're looking for and be able to access a lot of the resources that they potentially could access only if they were onsite.
Sean: I don't think you'll ever be able to work through the challenges of having to work from a SCIF during COVID. The current strategy around blue gold teams and different groups working at different times. So you reduce the risk of the whole workforce contracting COVID-19 is an acceptable strategy.
Sean: Ultimately, people need to access the resources so they can do their job, whether that's remote. Whether that's connecting into a classified network securely, remotely using commercial solutions for classified, or other means. That's the only way we can go forward here.
The Future of Government Work Under a New Normal
Sean: What we are learning is a lot right now. The various organizations are learning how to manage this. We as a country, as a defense department, intelligence community, are going to create a new normal as to how we manage through these situations. Certainly, this won't be the last. COVID-19 won't be the last.
Carolyn: Do you think we're going to see a lot of these agencies continuing the remote work?
Sean: Absolutely. Chris Krebs talked about it. Just accessing talent, not being restricted to a geographic region to access talent is an opportunity for all agencies.
Sean: That's the new norm. Certainly within the commercial sector, and you'll see this within the government as well, as having a flexibility. We've all proven that we can work remotely and we'll be productive, and do this securely.
Sean: Working remotely will now be expected for new entrants to the labor market. If you want to be competitive in recruiting and talent acquisition, you're going to have a strategy that incorporates work flexibility, and work from remote.
Eric: It opens up a whole new pool of candidates. If you didn't have a hub, an IT hub, a cyber hub, a base, whatever it may be in your state or your region. The odds of you working for an organization that wasn't located near you was slim to none.
Carolyn: How are we going to make sure though that the cyber hygiene at home is on par? Because we've had this problem for years. In David Sanger's book, The Perfect Weapon, he talks about WannaCry. It was so successful because people didn't update.
Preparing to Address the Cyber Threats
Carolyn: That happened years ago. So this has been a problem for a really long time. What are we going to do, what are the agencies going to do to ensure that the cyber hygiene is good?
Sean: This speaks to people are the new perimeter, and how we're preparing to address the cyber threats, new and old. Certainly, as you move your workforce remotely, when people are working from home, it brings a whole new set of risks. Whether it's a government-issue computer or not connecting to resources on the government side.
Sean: Some really good points were brought out about from Matt Moynihan and Frank Konieczny talking about the imperative to deploy security tools that protect their users wherever they may be. This is everything from endpoint security to zero trust network access and things like that. These constructs to ensure that what's going on the end point is secure and managed, and audited. Then how those resources access to the network has to be done in a very controlled way.
Sean: End points play a really big role here in terms of giving visibility, and management, and control, and protection. I don't think that's certainly not going to change. The whole zero trust paradigm is going to be critical to ensure the security of those connections going into the corporate or the government network.
Sean: Now, where I'd also say is leveraging, back to the infrastructure discussion, leveraging capabilities like virtual desktop infrastructure so you can have an individual that can remote and create a secure zone on that computer to connect with a virtual desktop that's on that particular network that they're trying to access.
The Biggest Area Where You See the Variance
Sean: That gives still a lot of control to the organization that's managing those VDI sessions, and take some of the risk away. As people are working remotely, and they're off the corporate or government network, you lose visibility.
Sean: So those organizations, we're certainly seeing this right now on the commercial side of the business. Corporations are rethinking insider threat tools, user activity monitoring, and things like that to understand what's going on those devices where they don't have a whole lot of visibility around.
Carolyn: I was going to just bring up your panel, Eric. You had a couple of great guests. The CTO from the Air Force, Frank Konieczny, and Jamie Noble. You talked about zero trust, and that term's been kicked around for years, like as long as I've been in the industry. I don't know if we want to talk about what's changed here. How are they approaching zero trust?
Eric: It was interesting hearing everybody's perspective. When I talk to customers in general, not just Frank and Jamie, the perspectives on zero trust are varied. But micro-segmentation, multifactor authentication, they're looking at different levels. The cloud is probably the biggest area where you see the variance. What does that look like? It's interesting, hearing the panelists talk about zero trust. They know they need to go there.
Eric: The macro level piece I'd talk about, or I think is really important is people realize security has to change. What we've been doing isn't working. We're now working at home. You can't just home run everything back to the data center. VPNs are being attacked, VPNs don't scale.
The Future of Government Work Under User Activity Monitoring
Eric: Everything you were saying, Sean, really came up. Jamie was very proud. They just rolled out VDI to the entire organization in February. Great story. They had control.
Carolyn: So with VDI, then you know what Nico Popp said, here's a quote from him. If you've not looked into user activity monitoring, you have to. Because when people work from home, you have no idea what they're doing. So does that narrative change when Jamie's team rolling out VDI? Now, do they know what they're doing?
Eric: I don't think VDI gives them that. But VDI, in my opinion, gives a certain level of isolation to the corporate infrastructure. If I have a computer, and one of the problems they may have is we've had many people talk about this. They didn't have enough laptops for employees, they had to go out and do mass buys.
Eric: So we have employees even to this day in the government using home laptops. Imagine if they could just spin up the VDI session, do their work at home, and then their kid can go and play Fortnite. Do their schoolwork, or whatever on that same system, it provides a certain level of isolation.
Carolyn: George explained it to me that I could understand that it's just an image. There's nothing really on my computer when I'm on the VDI. It's not on my computer and I was like, "Okay, I get it."
Eric: You really get into presentation logic from the client. They can be cheaper, you can have different clients, you can have lots of clients. You can work from anywhere, which helps with the COOP plans. But it's primarily presentation logic.
Understanding What’s Normal and Not Normal From a Behavior Perspective
Eric: You can restrict things, corporation controls it. They can patch it, the image. If there's malware, they can wipe the image at night and the next morning and get a new image and the malware is gone. You're shortening that window of attack.
Sean: The one thing that I don't think we spent enough time talking about is, especially around ZTNA, Zero Trust Network Access. You don't trust anybody and then they access it and then you'd give them access to resources that they're authorized to. What's critical in all of these discussions around humans as the new perimeter is understanding what's normal and what's not normal from a behavior perspective.
Sean: We probably didn't spend enough time talking about that. Because what that does, when you can understand behavior, and understand what's normal behavior and not normal behavior, you can assess risk on individuals, risk based on their certain behavior. Once you've done that, and you created a risk score, or level, or whatever, that can be leveraged by all parts of the ZTNA.
Sean: It can be leveraged by the authentication. If somebody bops to a higher risk level based on their behavior, you then can re-authenticate them. You can give them an MFA. You can do a whole lot more things with which it weaponizes all of these things. It weaponizes data loss prevention, it weaponizes insider threat tools, it weaponizes a lot of things.
Sean: Because you're not applying the same logic based on everybody with respect to what resources you're going to give them. You still have that, but then it's being enriched with the risk scores of that individual based on their behavior.
Securing the Future of Government Work Under a Whole New Security
Sean: Because of what they're not talking about is that, you can have all the great ZTNA stuff out there and authentication tools and stuff. But if somebody takes your credentials and they're doing it remotely. Now that becomes a whole new security.
Eric: They're authorized to do anything that you could do, which could be malicious.
Carolyn: But if you have a good baseline, that baseline knows, Eric, exactly how you type, for example, and it's going to pick up that.
Sean: That baseline is derived from how you interact with that system in a lot of things. How you interact with resources within your environment. So that's what I think Nico was getting to when he was talking about user activity monitoring, insider threat. This becomes really, really important in terms of identifying what's normal, what's aberrant.
Sean: Those individuals that could have compromised credentials and ensuring that that risk associated with those individuals is leveraged by all aspects of your environment. Whether it's on prem or in the cloud, or whatever.
Sean: That becomes critically important when you're talking about people accessing resources remotely. They're not badging in and going into a site. You can validate a lot of things in those steps. When you're doing it remotely, you're just talking about credentials that need to be continuously validated. Through monitoring individuals' behavior and understanding what's normal, what's not.
Eric: We have an opportunity here, Carolyn. We've spent so much on the physical data center, the corporate network and control. What COVID showed us was we weren't ready for full-scale work from home.
Going Back to the End Point
Eric: But as we talk about modernization, as we talk about change, we have a driver. We have an imperative. It's time. We have the ability, it does change. It was in the session with Nico where he talked about a lot of the control now goes back to the end point.
Eric: We were moving away from the end point, we need to almost go back to the end point. Even when the end point is going to be a presentation logic, a dumb end point potentially in VDI. Now you've got to look at what people are doing. People are the new perimeter. You're going to focus there more than maybe the corporate data center.
Eric: That's not where your spend will be, or the badge log-ins you mentioned, Sean. We have different sets of controls we need to look at, understand, and implement. Fortunately, or unfortunately, COVID has really accelerated the schedule, which is probably a good thing.
Carolyn: That's just what I was going to say that this is critical. This is really a matter of life and death at this point, as Krebs pointed out, just around COVID. All the attacks they've been seeing on the vaccination centers, and how we're going to protect those centers.
Sean: He mentioned specifically that nation states going after vaccination studies and formulas and things like that, how people are looking at addressing this through vaccination. That's a new area of intellectual property that nation states are going after.
Sean: Therefore, how we're, and this probably goes to the fourth point around how facilitating industry and inter-agency partnerships, how agencies are working together, working with the community, to the industry to protect those becomes more important than ever.
Protecting the Critical National Resources
Sean: You only need to look at how aggressive these nation states are getting to get access to some of this intellectual property. Whether it's COVID-19 vaccination, or whether it's plans for weapons systems and things like that. This becomes an imperative. And it takes a collaborative effort between agencies, and industry that we're sharing information.
Sean: We're sharing the cyber threat information, and security research, and best practices. All of these types of things become more critically important to ensure that we're protecting what is our critical national resources.
Carolyn: That partnership between private and government. That was a mantra throughout the conference and Peter Singer, his session was my favorite. He's always so fascinating. He pointed out all the crazy ways that these breaches can happen. Just the importance of this partnership between private and government.
Eric: Singer was great also in saying it's not always a cyber attack. You have an employee working from home. Maybe they've been working from home for several months, as most of us have been. They aren't getting out, they're on Facebook. Somebody is trolling them. Now we've got social media influencing them, getting back, Sean, to your point of the people being the new perimeter.
Eric: What if I coerce an employee, what if I do that? Now we've got to look at the behaviors again of what that employee is doing versus what they used to do. Because it may not be a piece of malware, maybe we're running a shop operation on them. We're getting them to pull data to support their cause even though they're supporting a foreign nation state like Russia or China.
Partnerships Taking Place to Secure the Future of Government Work
Eric: They just don't know about it. We've seen that before. Singer's talked about it. It really gets back to changing the way modernizing security and the way we look at it in the world we live in today. It's very different than this time last year, very different.
Eric: COOP was, "Your site's going down. You move your people to an alternate site." Nobody planned as Dave McDonald told us, chief resiliency officer, Carolyn, a few months ago. Nobody planned for no sites to be available. Everybody works from wherever.
Carolyn: I love how Krebs pointed out all of the partnerships that are in play right now. What system his organization is doing to protect the upcoming elections, what they've been doing around COVID and the vaccination centers. That partnership is taking place, but there needs to be a lot more of it.
Eric: I've seen this over my career a few times. That type of IP is incredibly valuable to foreign nations. You're talking their entire economy in some cases can be altered by getting a vaccine first, or stealing it and iterating. It's huge. We've seen it time after time. COVID brings it to the forefront.
Eric: What I also saw was the lack of coordination. The lack of control, like who handles an attack on a pharmaceutical company? Is it DHS? The pharmaceutical company? Is it NSA? Or is it local law enforcement? Is it FBI? Or all the above? Pre-COVID, it was everybody and nobody, and it was a disaster. I love those partnerships.
Who’s the Belly Button Now?
Carolyn: Even now, who's the belly button now? As my dear friend, Dan Velez likes to say. Who's the belly button?
Eric: But the good news is that Krebs and the team are working hard on the partnerships so that we are more coordinated. So that we are more capable because you're right, who is the belly button? We need to figure that out.
Sean: I put one other plug in there from the week. Nico Popp's top 10. Old David Letterman style was phenomenal and Desara was great. But Nico has a way with articulating the changes that are happening in the cybersecurity industry in a very informative way.
Eric: Sean, do you have one or two you want to share?
Sean: I like this fact that what's old is new and what's new is old around the end point. Coming back into style. He has a great way with how he articulates the critical components that are changing within the cybersecurity industry. I don't want to ruin it for anybody. I'm sure Carolyn can provide the links to the replay of that one.
Carolyn: Nico is always entertaining. The link to the on demand conference will be in our show notes. So you can go watch all of these sessions.
Eric: You can watch them piecemeal too.
Sean: Yes, phenomenal sessions between Matt Moynihan, and Chris Krebs. Eric, your fireside chat was phenomenal as well. It was good use of time.
Eric: Matt and Chris talking was riveting, I sat before my session and watched that and that was great. I love Nico's quote, though, as we wrap up here. When people work from home, you have no idea what they're doing.
An Open Source Intelligence Project
Eric: Think about that for a second. You have no idea what they're doing. That's scary.
Sean: All of his comments come from having many, many discussions with CSOs all across government and commercial. So it's a well-informed view.
Carolyn: My favorite moment, of course, is at the end of Peter Singer's. It was actually during his Q&A. He gave an example of how social media is a scary example. But there was a Japanese pop star and she posted a picture of herself on social media. The creepy stalker was able to knock on her apartment door 24 hours later.
Sean: Looking at her eyes, and seeing a reflection in her eye based on a really high res picture that she took.
Carolyn: Tracked her down through street sign reflections in her eye.
Eric: How cool is that? Or scary. We did an open-source intelligence project, just an example, couple of years ago prior employment and we tracked it. We just picked a random guy and we could figure out he was a priest.
Eric: We could figure out where he lived, where he worked, who his parishioners were. It took all of 20 minutes. It's crazy the amount of information that is available that you can pull out of just the most subtle of indicators. It's crazy. So where do we find it, Carolyn?
Carolyn: I'm going to put it in the show notes.
Eric: How many? Three and a half hours of content?
Carolyn: Like you said, you can watch it piecemeal. So you can watch each one of these sessions at your leisure.
Eric: Or listen while you're running, or exercising, whatever. It was a great use of time. Looking forward to the replay. Thanks, Sean.
About Our Guest
Sean Berg is the Senior Vice President and General Manager, Global Governments and Critical Infrastructure at Forcepoint. He’s a technology industry leader with over 25 years of experience in both the government and private sector. He is expanding Forcepoint’s cybersecurity footprint in the cross-domain government security markets and delivering capabilities through their integrated Human Point System portfolio.
Sean and his government-focused team bring an innovative approach to security that uses risk-adaptive scoring to recognize the context and intent of user behavior for early and accurate threat detection.