To understand how cybersecurity experts help protect the government’s most valuable intelligence and defense secrets, just look at the way shipbuilders design Navy vessels.
They use a technique called “containerizing” to help the ship survive an attack that pierces the hull. A series of hatches and compartments prevents water from flooding the entire ship—a few compartments may fill with water, but the vessel will stay afloat.
Cybersecurity experts use that same technique to protect the U.S. military and civilian computer networks. If hackers find a way to infiltrate a network, the multiple layers of defense will still protect the data that’s most important.
“Even in a hermetically sealed system, people have to come in and out,” said Mark Orlando, Chief Technology Officer of cyber services for Raytheon, a defense and cybersecurity company. “So, it’s a matter of understanding risk and risk tolerance, understanding not only the machines but the human point.”
With nation-state hackers aggressively attacking private companies as if they were military targets, the same people who defend the government’s networks are taking the “containerizing” approach to commercial security.
Increasingly, those same contractors who protect government agencies believe that cybersecurity in the corporate world has national security implications as well. Critical infrastructure like utility companies and hospitals provide services of national importance. The financial industry keeps our economic engines running. Corporations employ millions of people and must be kept operating.
As the war against cybercrime escalates, corporations are turning to firms with deep experience in protecting our nation’s most sensitive data to battle increasingly sophisticated attacks. What follows is an examination of how seasoned defense contractors assess corporate cybersecurity vulnerabilities—and employ cutting-edge solutions specific to each touchpoint to defend against threats, no matter where they arise.
Today, data is the core value of enterprises. Access to data enables the business to grow. “A 20-year-old in Silicon Valley wants to put everything on the cloud and make it available to everybody,” said George Kamis, chief technology officer of Global Governments at Forcepoint, a cybersecurity company majority-owned by Raytheon. But working with the Department of Defense has taught Kamis the value of segregating data and protecting it at multiple security levels.
The government keeps troves of data that are unclassified. Other, more sensitive data resides on a secret network. Even more sensitive data is protected by a top secret network, with limited access. Enterprises can do the same, employing high-assurance gateways that inspect data transferred between different domains. High-assurance gateways strip out or transform suspect data before allowing it to pass either in or out of secure domains.
“The government uses a combination of firewalls and guards within their networks. If we apply the same idea to the commercial industry, say a power plant, the main business processes can be achieved using a standard firewall. But you still need to interact with the plant’s control systems, which are much more sensitive. For that, you should use a gateway, where we can do more fine-grain inspection of the data coming in and out,”
Unlike Defense Department networks, where the premium is on confidentiality, commercial networks must prioritize speed and availability. But speed is a challenge when the network has tens of thousands of users and an overwhelming number of vulnerabilities. Fortunately, that scale also creates enough data to yield valuable insights if analyzed properly. For example, usage patterns reveal consistent characteristics, which means uncharacteristic usage can serve as red flag markers.
“If you sat down at my laptop and I gave you my username and password, analytics would be able to tell, based on the things that you access, that it wasn’t me accessing my system. Someone who is unfamiliar with my machine will access files and go into that data in a very different way than me–this computer lives in my backpack and travels everywhere with me. For you, it would be a new place that you had to learn your way around, and analytics would see that,”
That familiarity is within the realm of analytics to detect. Behavioral analytics developed by Defense Department contractors allow cybersecurity analysts to understand which actions are consistent with correct usage patterns and which could signal malicious threats.
In the national security world, apps exist in environments that can be spun up and sealed off. Access to apps is allowed only to the people who need it, and those people have access only to the apps—nothing deeper in the network. When access to more sensitive data is necessary, Virtual Private Networks (VPNs) secure data transactions over the internet. VPNs also provide visibility into which data is going where, and checkpoints for stopping or limiting the flow of data.
Smaller enterprises could benefit from the sorts of managed services that defense contractors have developed for DoD clients.
“Our automated threat intelligence platforms ingest over 100 intelligence feeds. We then use statistical analysis, machine learning and AI to sort the most critical indicators to the top,”
In other words, the platform sees threats long before businesses do.
The U.S. Government established a requirement that by December 31, 2017, all main- and sub-contractors must meet a stringent checklist of 166 cybersecurity requirements for IT systems. Enterprises, though, can’t always dictate what level of security their suppliers may use.
Supply chain security then becomes a matter of applying segmentation to data. “Do you allow vendors unfettered access to your network? I hope the answer to that is no,” said Mark Orlando.
But segmentation is more than just creating zones. The Defense Department spends years studying how a device communicates into the network and how the network communicates back. “It’s about monitoring and really understanding your network first,” Orlando said. Then anomalies can be detected by watching network traffic and analyzing logs.
Sensors and other devices in the Internet of Things are like small computers. Keeping them updated—and patched—is a challenge most enterprises fail. The U.S. military can’t fail that challenge. Instead of focusing on each individual vulnerability in the IoT, defense contractors focus on how devices are accessing a network—or other devices. Is the system providing the service expected to the user, or has the system shifted to provide service that’s beyond what makes sense for that sensor?
The same should work in private enterprise.
“If I’m monitoring an insulin pump, there’s only a couple of entities that pump should communicate with, and there should be certain patterns of behavior. Maybe it’s programmed to send a message out every fifteen minutes about sugar levels. If it starts beaconing out once every minute, that’s a behavior pattern that doesn’t make sense and we can take action. I can’t get ahead of every possible attack factor but I can watch behaviors and know what I can expect out of the system,”
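The behavior check described in the quote above, written out as an added example that is not part of the original article or any vendor's product: a device is compared against a baseline of allowed peers and an expected reporting interval. The device name, addresses, tolerance and window size are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed baseline (hypothetical device id, peer addresses and tolerance).
BASELINE = {
    "pump-01": {"peers": {"10.0.5.10", "10.0.5.11"}, "interval_s": 900, "tolerance": 0.5},
}

# Constructed flow records: (epoch seconds, device id, destination address).
FLOWS = (
    [(t, "pump-01", "10.0.5.10") for t in range(0, 3601, 900)]        # every 15 minutes
    + [(3600 + 60 * i, "pump-01", "10.0.5.10") for i in range(1, 7)]  # shifts to every minute
    + [(4000, "pump-01", "203.0.113.7")]                              # peer outside the baseline
)


def check_device_behavior(flows, baseline, window=5):
    """Return (timestamp, device, reason) alerts for off-baseline behavior."""
    alerts = []
    history = defaultdict(list)  # (device, peer) -> last `window` timestamps
    off_baseline = set()         # pairs already alerted on, to report each shift once
    for ts, dev, dst in sorted(flows):
        profile = baseline.get(dev)
        if profile is None:
            alerts.append((ts, dev, "unknown-device"))
            continue
        if dst not in profile["peers"]:
            alerts.append((ts, dev, f"unexpected-peer:{dst}"))
            continue
        times = history[(dev, dst)]
        times.append(ts)
        del times[:-window]
        if len(times) < window:
            continue  # not enough samples to judge the cadence yet
        # Median gap tolerates one late or retransmitted report.
        typical = median(b - a for a, b in zip(times, times[1:]))
        expected, tol = profile["interval_s"], profile["tolerance"]
        if typical < expected * (1 - tol):
            reason = f"interval-too-short:{typical:.0f}s"
        elif typical > expected * (1 + tol):
            reason = f"interval-too-long:{typical:.0f}s"
        else:
            off_baseline.discard((dev, dst))
            continue
        if (dev, dst) not in off_baseline:
            off_baseline.add((dev, dst))
            alerts.append((ts, dev, reason))
    return alerts


if __name__ == "__main__":
    for alert in check_device_behavior(FLOWS, BASELINE):
        print(alert)
```

The interval alert fires only once the median of the last four gaps drops, so a single early or duplicated report does not trigger it.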
There are many technological insights the private sector can gain from the military, but there are other important influences, too. Many people who work for or in the military are inspired by the mission—they’re on the front lines, physically and virtually, of our country’s efforts to protect and defend what’s most important.
For defense contractors, that sense of mission can transform cybersecurity from another business role to a task infused with a higher meaning. And when the stakes are as high as they are today, and as the cyber battlefield expands even further, that distinction can make all the difference.