Gigamon Comments to the CISA FCEB Operational Cybersecurity ALignment (FOCAL) Plan

Federal Civilian Executive Branch (FCEB) agencies are diverse with unique missions. Each agency has tailored environments to support their missions in service of the American people. The continued onslaught of cyber espionage and cyber-attacks is propelling CISA to better secure the FCEB and other critical infrastructure that we rely on daily. The recently released FCEB Operational Cybersecurity ALignment (FOCAL) Plan is intended to align the FCEB to address and mitigate cyber risk from an operational perspective.

The FOCAL Plan delineates five priority areas:

• Asset Management
• Vulnerability Management
• Defensible Architecture
• Cyber Supply Chain Risk Management (C-SCRM)
• Incident Detection and Response

Next, we'll look at each priority in more detail.

1. Asset Management

Asset Management continues to be a multi-year priority for CISA. In October 2022, CISA released Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks, which requires agencies to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.

Continuous visibility into assets is imperative for mitigating risks and security monitoring. As FCEB environments become more complex and expand into multi-cloud and on-premises environments, to include containers, having operational visibility into assets, including their vulnerabilities, is a key first step in identifying and reducing cyber risk.

2. Vulnerability and Attack Surface Management

Vulnerability and Attack Surface Management remains an ongoing challenge. Vulnerability scanning has historically only provided a snapshot-in-time' view. Given the rapidly increasing attack surface across the FCEB, the FOCAL Plan is looking to be more preemptive in anticipating and mitigating risk over time.

Gigamon can help FCEB organizations gain insights into the avenues of attack and provide a continuous view of the attack surface across intra- and inter-networks and systems (e.g. containers) to help complement vulnerability awareness efforts.

Active vulnerability scanning is inherently disruptive and runs the risk of causing outages, which makes it difficult to do in environments where availability is critical. To supplement active scanning, organizations can use passive vulnerability scanning, which uses analysis of network traffic to detect potential issues and generate alerts without negatively impacting ongoing operations.

For this to work properly, visibility into network traffic moving within an environment (also known as East-West traffic or traffic moving laterally) is available from on-prem environments, private cloud, public cloud, and even containerized workloads. Gigamon can deliver this visibility, providing vulnerability scanners total access to the environment without disruption. Passive vulnerability scanning is also useful for asset management, where a feed from the passive vulnerability scanner into the asset management system can identify both unexpected systems and applications.

3. Defensible Architecture

The goal of the Defensible Architecturepriority is to make the FCEB's environment more resilient. There is a common saying in security that you cannot protect what you do not know you have. Gigamon helps provide network-derived insights into how traffic from devices, applications, and containers is moving through an environment. Having adequate visibility into FCEB organizations' information environments is an essential building block for building a defensible architecture that aligns with the principles of Zero Trust Architecture (ZTA).

The Gigamon approach is simple: any packet, in any environment (on-prem, container, private cloud, public multi-cloud) into any tool that needs to see it. Universal visibility means attackers have nowhere to hide.

4. Cyber Supply Chain Risk Management

Cyber Supply Chain Risk Management is an ever-increasing threat against FCEB agencies. Having robust operational monitoring of applications and their activities on the network can be valuable in detecting nefarious activity or software (COTS and GOTS) on premises or in the cloud.

Analyzing application metadata and higher assurance telemetry from observed network traffic allows organizations to identify when cyber adversaries are trying to leverage trusted software within an environment because such nefarious activity will result in visible network traffic, even if the adversary evades or manipulates traditional logs.

For an example of such an attack where the adversary successfully executed a supply chain attack and manipulated logs to cover its tracks, see Solarwind's advisory on the Sunburst and Supernova exploits and Mandiant's report on Suspected Russian Activity Targeting Government and Business Entities Around the Globe.

Since hardware implants and software backdoors on endpoint-based tools are unlikely to announce their presence via traditional logging, logs from endpoint-based tools cannot be relied upon exclusively to detect threat activity.

Organizations can, however, detect such activity by monitoring network traffic and observing the command-and-control channels from such implants. Even if logging is disabled or manipulated, adversary communications and lateral movement will generate network traffic that Gigamon will be able observe, record, and send to one or more threat detection tools. This will shine a light on the adversary and enable the agency to mitigate the threat.

5. Incident Detection and Response

Incident Detection and Response maturity across the FCEB varies between organizations. As cyber threats leverage novel and sophisticated attack techniques that evade detection by current tools and reduce or eliminate an attacker's need for malicious code, many Security Operations Centers (SOCs) will struggle to detect attacks, adequately respond, and eradicate the threat across the entire scope of the attack.

This struggle is exacerbated by two adversary techniques:

• First, sophisticated threat actors tamper and clean up logs in order to hide their tracks
• Second, adversaries discover areas where inadequate or incomplete logging exists such that they can evade detection as they obfuscate their command-and-control activity.

Gigamon Can Help

To achieve security outcomes, the ability to see traffic in complex hybrid multicloud environments and send it to the sophisticated tooling found in government agencies is essential. The Gigamon Deep Observability Pipeline gives you that capability: reliability, efficiently, and economically. You cannot protect what you cannot see, and Gigamon gives you the visibility to see the threats, irrespective of the sophistication level of your adversary.

Public link

Please use the above public link if you want to share this noodl on another website.