By Stephen Kovac, Global Chief Compliance Officer, Zscaler

The U.S. government’s Zero Trust progress is paying off as organizations across the public and private sectors address Ivanti security breach risks.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring agencies to disconnect all instances of the affected products, continue monitoring for signs of compromise, and bring the products back online only after patching. Bad actors exploiting the vulnerabilities can move laterally, exfiltrate data, and establish persistent system access, resulting in full compromise of target information systems.

The silver lining is that the Federal government’s Zero Trust progress has reduced the potential impact of the Ivanti threats for many agencies. Recognizing this progress will keep us on the right path.

Staying Safe and Vigilant

Armed with guidance from the Office of Management and Budget (OMB) and CISA, Federal leaders are modernizing cyber infrastructure and cloud connection strategies using a series of guiding principles.

#1 Assume Breach; Contain Threats

The Federal Zero Trust Strategy emphasizes Zero Trust architectures that include enhanced identity governance, micro-segmentation, and network-based segmentation. Together these controls block adversaries' lateral movement if they do gain entry to the network, reducing the potential for the broader, undetected compromise that can follow from scenarios such as a VPN vulnerability.

#2 Reduce the Attack Surface; Connect Trusted Users to Trusted Applications

While there is more work to do, Federal leaders have made significant progress reducing reliance on vulnerable legacy VPN technology, adopting modern cloud access approaches enabled by the Trusted Internet Connections (TIC) 3.0 policy. TIC 3.0 is critical – giving agencies the flexibility to secure modern cloud environments and move beyond a “one-TIC-fits-all” approach. Supported by TIC 3.0 guidance, agencies are implementing TIC solutions that are more effective than traditional perimeter-based Trusted Internet Connection Access Provider (TICAP) and Managed Trusted Internet Protocol Service (MTIPS), including a “trust to trust” approach, meaning a specific trusted user is connected to a specific trusted environment.

This approach reduces risk because it gives users access to specific applications instead of access to everything. Traditional VPNs place the user directly on a network, magnifying the attack surface and increasing data exposure risks. Had a vulnerability like the Ivanti one occurred in the past, adversaries would have had the keys to the castle, able to move laterally undetected. The organizations most impacted by this recent threat are those still running legacy remote access technology.

#3 Improve Visibility and Analytics

CISA’s Zero Trust Maturity Model calls on agencies to move toward a state where they continuously inventory all applicable agency data and employ robust data loss prevention (DLP) strategies that dynamically block suspected data exfiltration. Data exfiltration is one potential impact of the Ivanti vulnerabilities, and organizations with mature DLP monitoring are better prepared to detect and interrupt it.

Understanding the software supply chain is another critical aspect of improving visibility, and Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, calls on agencies to create Software Bills of Materials (SBOMs), inventories of the components that make up their software. CISA is actively supporting these efforts through education, resources, and events. In the case of the Ivanti vulnerabilities, leaders with current SBOMs can quickly identify which systems contain the impacted software and at what version.
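The passage above describes using SBOMs as an inventory to answer "which of our systems run the affected component?" The script below is an added example, not code from the article, Zscaler, or CISA; it reads per-system SBOM documents in the two common formats (CycloneDX JSON and SPDX JSON), looks up a named component, and reports every system whose installed version is below the first fixed version. The product name "example-secure-connect", the version numbers, the system names, and the SBOM documents are all constructed for the example and do not refer to any real product or advisory.

```python
"""Find systems whose SBOM lists a vulnerable version of a component.

Added example. The SBOM documents and the product/version values below are
constructed sample data, not taken from any real advisory.
"""
from typing import Dict, Iterable, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '22.5.1-r3' into (22, 5, 1).

    Only the leading numeric part of each dot-separated field is used, so
    build suffixes such as '-r3' or 'b2' do not break the comparison.
    """
    parts = []
    for field in version.split("."):
        digits = ""
        for ch in field:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def components(sbom: dict) -> Iterable[Tuple[str, str]]:
    """Yield (name, version) pairs from a CycloneDX or SPDX JSON document."""
    if sbom.get("bomFormat") == "CycloneDX":
        for comp in sbom.get("components", []):
            yield comp.get("name", ""), comp.get("version", "")
    elif "spdxVersion" in sbom:
        for pkg in sbom.get("packages", []):
            yield pkg.get("name", ""), pkg.get("versionInfo", "")
    else:
        raise ValueError("unrecognised SBOM format")


def find_affected(sboms: Dict[str, dict], product: str,
                  fixed_version: str) -> Dict[str, str]:
    """Return {system_name: installed_version} for every system that carries
    `product` at a version older than `fixed_version`.

    The name match is case-insensitive; a component with no version string is
    reported as affected because it cannot be shown to be patched.
    """
    fixed = parse_version(fixed_version)
    hits: Dict[str, str] = {}
    for system, sbom in sboms.items():
        for name, version in components(sbom):
            if name.lower() != product.lower():
                continue
            if not version or parse_version(version) < fixed:
                hits[system] = version or "unknown"
    return hits


# Constructed sample SBOMs, one per system (CycloneDX and SPDX flavours).
SAMPLE_SBOMS = {
    "vpn-gw-01": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "application", "name": "example-secure-connect",
             "version": "22.5.1-r3"},
            {"type": "library", "name": "openssl", "version": "3.0.13"},
        ],
    },
    "vpn-gw-02": {
        "spdxVersion": "SPDX-2.3", "name": "vpn-gw-02-image",
        "packages": [
            {"name": "Example-Secure-Connect", "versionInfo": "22.7.0"},
        ],
    },
    "web-01": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "nginx", "version": "1.25.4"},
        ],
    },
}


if __name__ == "__main__":
    # Hypothetical fixed version 22.6.0: only vpn-gw-01 is still exposed.
    for system, version in find_affected(
            SAMPLE_SBOMS, "example-secure-connect", "22.6.0").items():
        print(f"{system}: {version} (below fixed 22.6.0)")
```

In practice the SBOMs would be loaded from a repository keyed by hostname or asset ID rather than embedded in the script, and the fixed-version threshold would come from the vendor advisory; the query logic itself does not change.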

A third aspect of improved visibility is the ability to continuously monitor system logs. OMB’s Memorandum for Federal leaders (M-21-31), built on SolarWinds lessons, addresses the importance of log visibility before, during, and after a cybersecurity incident. M-21-31 established a maturity model for event log management (per EO 14028). The guidance includes recommendations for logging, log retention, and log management, with actions designed to ensure the enterprise security operations center (SOC) for each agency has centralized access and visibility to view log files from on-prem systems and cloud service providers.

Threats Can’t Hide

M-21-31 established requirements for agencies to increase threat information sharing to accelerate incident response efforts – so those impacted will know more quickly than was possible, for example, when SolarWinds hit.

In addition to faster incident reporting across Federal agencies, new incident reporting requirements from EO 14028 have sped up the time for information dissemination to the public. The timeline from the identification of the Ivanti vulnerability to public notification was very fast, alerting impacted organizations in other industries and potentially speeding the development of new remediation options.

Taken together, improved visibility means leaders can detect threats faster, alert those impacted, and remediate vulnerabilities as quickly as possible.

Recommendations – What’s Next?

U.S. Federal agencies are more prepared to address threats than ever before – but cyber modernization and digital transformation progress is not uniform across government, and continued progress will yield a stronger collective defense.

Threats from the Ivanti vulnerabilities underscore that we are collectively on the right path. Agencies should continue to follow CISA and OMB’s guidance and, importantly, continue to accelerate progress against the Zero Trust Maturity Model and begin SBOM adoption.

We also must continue to support (and evolve) the FedRAMP program – that means funding and staffing – to put the latest and most secure cloud solutions into the hands of Federal leaders.

And finally, as we continue to see, agencies need cloud-based services for a more secure, more modern future. A true Zero Trust platform sharply reduces the exposure created by zero-day vulnerabilities in legacy VPN solutions by eliminating inbound remote access entry points. True Zero Trust means no exposed devices or IP addresses to attack, because authorization happens before an inside-out connection is ever made. Traditional VPNs must go.

The Federal government’s industry partners likewise have continued work to do. While we can’t anticipate the next threat, we can – clearly – see the value of OMB and CISA’s strategies and the progress we are making together.

MeriTalk Staff