Future-proofing technology stimulus spend

During the COVID-19 outbreak, agencies have shifted much of their workforce to telework. The strain on existing infrastructures has made headlines, whether it be the DoD asking employees to avoid non-essential services while on the VPN or other agencies staggering work schedules and limiting overall Citrix users. Further complicating these issues is the increase in cloud-based resources. 

I recently heard from an agency user attempting to participate in a required training session. Even though the training was hosted in the cloud, the user needed to use the overburdened VPN to access it, and the result was poor video quality. The problem is clear: current remote access systems were not scoped for this flood of users. 

As it always seems to be, while IT operations and security teams deal with new complexities and challenges, malicious actors see newfound opportunities. CISA recently released a new alert (AA20-073A) that includes the following considerations regarding teleworking:

  • As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
  • As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
  • Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
  • Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
  • Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks. 

The COVID-19 stimulus bill passed in March provided agencies the resources necessary to address telework infrastructure and security needs. Rather timely to this funding, there is new guidance from OMB regarding updates to TIC 2.0, providing the ability to use cloud-based solutions to assist with these issues. More specifically, the OMB memorandum regarding TIC 3.0 provides for the following new use case:

Remote Users: This use case is an evolution of the original FedRAMP TIC Overlay (FTO) activities. This use case demonstrates how a remote user connects to the agency’s traditional network, cloud, and the Internet using government-furnished equipment (GFE).

So how can agencies leverage these new TIC 3.0 guidelines to alleviate current strain and security concerns, while future-proofing their investments? TIC 3.0 allows agencies to modernize and move towards embracing a zero trust architecture (ZTA) by removing the outdated “trusted vs. untrusted” model and instead focusing the perimeter around the endpoint. To do this, the focus should be on the following key principles:

  1. Remove traffic destined for the cloud from current remote access infrastructure, thus lessening the load on the overburdened systems.
  2. Leverage the scalability and elastic nature of the cloud to deal with any further unexpected surges of remote access.
  3. Institute the principle of least privilege for remote access to overcome some of the shortcomings of VPN technologies.
  4. Where possible, move to an “identity as the perimeter” approach, targeting security at the remote user.
  5. Secure both new and legacy applications as the move to ZTA occurs, thus ensuring critical legacy systems are not left unsecured.
  6. Provide the least amount of friction to the end-users!

By embracing TIC 3.0 and ZTA, agencies can augment current remote access capabilities (VPN, Remote Desktop, Citrix, etc.) by providing access to cloud applications without the need to use old remote access systems. Further, this can be done alongside the current infrastructure, avoiding the dreaded “rip and replace,” and increasing security along the way.

At Merlin, we scout innovative, emerging technologies and establish technology partnerships that allow us to effectively implement unique remote access strategies that incorporate zero trust principles. As the model below illustrates, we provide end-to-end secure access, leveraging highly scalable and elastic solutions. Using cloud-based and cloud-native technologies like Okta and Netskope Private Access can increase security while lessening the load on remote access infrastructures. Adding Silverfort unique SSO capabilities can bring those legacy systems into the security of today. 

While there is no quick fix for legacy remote access systems, agencies can take the first steps in their zero trust journey while augmenting the capacity of current systems and increasing overall security. 

Cyber hygiene starts with good tools configuration

Last month, the Government Accountability Office released a new report titled DOD Needs to Take Decisive Actions to Improve Cyber Hygiene. The GAO report found that the Defense Department is behind on three major cyber hygiene initiatives and lacks cybersecurity accountability among its leadership. If a critical government agency like the DOD struggles with cyber hygiene, what about a regular company?

An average-sized company usually has 25-plus security vendors. Organizations have implemented tool after tool in efforts to secure their data, systems, and users. This has left them with misconfigured, repetitive, or siloed tools and an uphill climb toward proper cyber hygiene.

RELATED: 5 of the biggest cyber hygiene myths

While proper cyber hygiene involves tools, training, and policies, having a fragmented toolset makes the concept a non-starter. Tool fragmentation and overlapping tool capabilities put additional burden on IT staff, making it difficult to respond to threats, quantify risks, or effectively manage an organization’s most critical security controls. As a result, the organization’s cyber hygiene suffers.

Poor cyber hygiene creates security vulnerabilities that require decisive action. It’s vitally important to correctly configure, maintain, and ensure that your security tools are effective. In other words, cybersecurity leaders should consider maximizing the ROI on already-purchased tools before adding new ones to their crowded ecosystem.

Tool-proof your cyber hygiene

Practicing proper cyber hygiene goes beyond just purchasing and implementing security tools. Using the tools correctly is what helps solidify overall cybersecurity posture. And it all starts with proper configuration of the tools you have.

Establishing configuration baselines is a fundamental but often overlooked cyber hygiene task. Why else is tool misconfiguration a frequent cause of breaches? While we rely on security tools to maintain proper hygiene, their effectiveness is entirely in our hands.

Here’s how to weigh the performance and usage of existing security tools:

  1. Analyze if the tools you’re using are engineered properly and behaving correctly. For example, if it’s a vulnerability scanner, is it updated and scanning your entire IT landscape? If it’s a next-generation firewall, are you using all the features appropriately?
  2. Review and score every tool with a critical eye. Try to rationalize each tool against your organization’s current and future needs. Move past qualitative descriptions and into quantitative analysis by ranking and scoring them with questions like:
    • Does this tool have a niche or special purpose?
    • Is it more or less secure than other options?
  3. Examine each tool’s actual configuration. Is it configured securely? Does it have default passwords or other weak controls? How easy is it to harden?

The complexity of today’s IT infrastructures coupled with security tool fragmentation and misconfiguration makes cyber hygiene challenging for companies of all sizes. Security tools are only as strong as an organization’s internal process for maintaining them. Luckily, there are solutions that automate much of the work and provide organizations with a comprehensive way to implement and maintain proper cyber hygiene.

Stepping up security with speed during the Covid-19 crisis

We are witnessing unprecedented times. Times that test our aptitude, abilities, and resilience. It’s during these critical times that organizations need to lean on cybersecurity innovation to help them confidently navigate uncharted waters. And they need a partner they can rely on to help them do that quickly and efficiently.

At Merlin, we bring best-in-class cybersecurity brands together with emerging technologies to deliver groundbreaking solutions purpose-built to help you tackle your most vexing cybersecurity challenges. Whether you need to secure remote workers or gain greater visibility and control across your enterprise, we are here to help you get it done. We are fortunate to work with amazing partners who are pitching in during this time of crisis to support your security needs with speed and flexibility. Here is an overview of just a few of our partners and how we can help you quickly meet cybersecurity needs:

 

Time is essential. If you need to ensure the security of remote collaboration in light of mandatory work-from-home requirements, Wickr’s end-to-end encrypted enterprise collaboration platform helps you create and manage secure networks in hours.

Wickr is designed from the ground up to act as the foundational secure collaboration platform for security operations. Wickr has taken battle-tested secure communications and collaboration and built deep integrations with productivity and security tooling. The result is a communications and collaboration platform which allows network defenders and mission owners to ensure that they are able to securely carry through with their communication and response processes during incidents.


Protecting credentials is essential to maintaining a solid security posture. CyberArk’s Privileged Access Management (PAM) solution does just that.

CyberArk is the global leader in privileged access management, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. CyberArk delivers the industry’s most complete solution to reduce the risk created by privileged credentials and secrets.

 

As employees work remotely, now is the time to implement and modernize your identity and access management with Zero Trust — an essential security control during this COVID-19 crisis.

The Okta Identity Cloud is a secure, reliable and scalable platform that provides comprehensive identity management, enabling customers to secure their users and connect them to technology and applications, anywhere, anytime and from any device.

 

Remote workers need a VPN or a smart, secure alternative. Netskope Private Access can be implemented very quickly to help ensure users are securely accessing essential apps and other resources.

Netskope Security Cloud enables enterprises to extend their data security and threat protection policies to users and data, wherever they may be. Including approved and unapproved cloud apps, public cloud infrastructures, websites, and private apps in data centers or in the cloud.

Reflections on HIMSS Discussions

Meeting HCO security needs on a budget

In the month since this year’s HIMSS conference no less than three data breaches involving the exposure of patient information have made the news. Though the methods by which the hackers gained access to this critical data varied – in one instance a malware attack, while data storage error and employee email were allegedly implicated in the others – the fact remains that healthcare organizations (HCO) are facing an increasingly uphill battle in securing the right technology and talent to avoid becoming tomorrow’s next headline.

While each HCO has a unique set of considerations and priorities, when it comes to data security nearly all are facing some version of the same challenge: finding the talent and technologies to meet both needs and budgets. Smaller organizations whose resources are often more limited seem to be struggling in particular. At HIMSS, a security analyst from a more modestly sized hospital shared with me that though he would like help there wasn’t the money to make hires, and even if the budget did exist he’d face the further difficulty of finding the right talent to fill positions.

The biggest challenge: staffing

In multiple conversations with HIMSS attendees, insufficient staffing was consistently noted as the biggest challenge to improving cybersecurity posture. This mirrors results detailed in our study ‘The State of Cybersecurity in Healthcare Organizations in 2018’, conducted in partnership with the Ponemon Institute and released immediately following the conference. According to 74 percent of respondents, the lack of in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks. As a result, organizations are looking to help augment the staff they do have with technological solutions. 

Among solutions gaining prominence with HCOs looking to improve security without breaking the bank are identity and access management tools. Affordable and unobtrusive, multi-factor authentication is proving popular for preventing password fraud, specifically among remote and privileged access users. Organizations have also seen luck implementing security information and event management (SIEM) solutions that aggregate data produced across networks, servers, databases, applications and devices.  But monitoring and managing SIEM data can be complex and time consuming, often requiring one or more dedicated staff depending on an HCO’s size. And finding the necessary expertise to quickly identify weakness and threats to IT infrastructure could prove problematic, with nearly 80 percent of Merlin study participants finding it difficult to recruit IT security personnel.

The affordable technological solution

According to the HIMSS participants with whom I spoke, the perfect technological solution would provide a 360-degree view of their cybersecurity with analytics and AI layered on top,  something we at Merlin are working to deliver.  In the meantime, our research shows there are plenty of lessons to be learned from high-performing healthcare organizations in significantly reducing cyber attacks. High performing organizations are more likely to have an incident response plan and a strategy for the security of medical devices (a looming and largely unaddressed threat, according to HIMSS presenters).  These organizations are also proactively investing in employee awareness about cybersecurity risks – conducting audits and assessments, providing regular training and incentives, and conducting phishing tests, for example –   and ensuring third-parties safeguard patient information.  Implementing any one of these practices would improve cybersecurity posture critical to patient safety.

You don’t need to be a healthcare information and technology professional to recognize that HCOs are facing constant, increasingly destructive and costly cyber attacks.  Doctors will tell you that even small changes can deliver positive results to overall health. That advice could just as easily apply to cybersecurity. Only through the incremental implementation of both new technology and best practices can we protect patient data and access to essential care, and improve our overall IT health.