How to Transition Federal Cybersecurity from Reactive to Proactive

When it comes to cybersecurity, it’s far better to know your risk early and well so you can manage it proactively and on your terms, as opposed to constantly playing catch-up and responding to vulnerabilities only after they’ve been exploited.

Unfortunately, too many federal agencies operate in a reactive mode most of the time. A big reason is that they lack two things: 1) accurate visibility into their IT infrastructure and the cyber vulnerabilities present there; and 2) actionable intelligence to help prioritize and manage those vulnerabilities from a risk-management perspective.

For example, federal agencies too often don’t know what the End-of-Support/End-of-Life (EOS/EOL) dates are for their software and hardware assets, today and in the future. Many also don’t know the Common Vulnerability Scoring System (CVSS) values of the vulnerabilities present in their hardware and software assets.

Consider that there are 31 million naming conventions in use for 1.8 million hardware and software products — including 16,000 ways that inventory tools refer to SQL Server. This lack of uniformity across the industry in how specific products are referred to results in a confusing hodgepodge of data that undermines any effort at obtaining a comprehensive view of a network’s IT asset inventory and risk profile. The result is that federal IT managers often don’t know which network-attached assets are on their approved and unapproved lists, or which are “rogue” assets that are on neither list.

Without this kind of intelligence and visibility into the enterprise’s IT infrastructure, it is impossible to adopt proactive practices and policies for addressing cyber risk. Imagine, for example, what could be done with a comprehensive view of which network-attached assets are EOL today and which will be EOL six months or a year from today. This information enables an agency to prioritize those vulnerabilities proactively. One approach is to take the list of assets that are EOL or nearly EOL, see which of those assets are also unapproved, and then see which of those carry high CVSS values.

BDNA offers agencies a truly unique capability, demonstrated by more than 55 federal sole-source awards, of delivering this degree of visibility and intelligence. The IT intelligence behind this capability is BDNA Technopedia®, the world’s largest and most comprehensive repository of market intelligence on enterprise software and hardware. Constantly updated and curated, BDNA Technopedia includes timely, relevant, and not-otherwise-discoverable product intelligence on more than 1.8 million products from more than 34,000 suppliers.

BDNA marries IT data informed by Technopedia with the NIST-managed National Vulnerability Database (NVD) catalog of vulnerabilities and then applies that to the normalized inventory of IT assets throughout the enterprise. That produces a detailed database of vulnerabilities and EOL assets installed throughout the enterprise. BDNA further filters that information to highlight vulnerabilities and EOL assets that do not comply with the agency’s approved list or that are rogue assets.

BDNA feeds that data to downstream applications and systems, such as an agency’s Security Information and Event Management (SIEM), IT Service Management (ITSM), and cybersecurity scanning tools. BDNA interfaces with all major vendors, including Microsoft SCCM, BMC, Tanium, ForeScout, ServiceNow®, Symantec, McAfee, RSA Archer, Tenable Nessus, Splunk and more.

Not only does this kind of visibility and actionable intelligence inform IT security staff about which assets they need to focus on and when, but it also helps inform agency planners in advance of the budgeting, contracting and logistical needs associated with replacing EOL hardware and software. One large federal civilian agency even uses BDNA Technopedia to screen IT purchase requests: If the specific IT assets being considered for purchase have an EOL date of 12 months or less, the purchase is denied.
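As an added illustration, and not BDNA’s or Flexera’s own code, the following Python sketches the workflow the preceding paragraphs describe: normalize the many tool-specific spellings of a product to one canonical name, attach lifecycle (EOL) dates and NVD-style CVSS scores to the normalized inventory, filter for assets at or near EOL, then for those that are unapproved or uncategorized, then rank by CVSS; it also implements the 12-month purchase screen. Every product name, lifecycle date, CVSS score, approval list, hostname and inventory row is a constructed placeholder; in practice these would come from vendor lifecycle pages, the NVD and the agency’s discovery tools.

```python
"""Prioritise an IT inventory by EOL proximity, approval status and CVSS.
Added, constructed example; not BDNA or Flexera code. All patterns, dates,
lists, scores, hostnames and inventory rows are illustrative placeholders."""
import re
from collections import namedtuple
from datetime import date

# Constructed normalisation table: the many spellings discovery tools emit
# for one product (the "16,000 ways to say SQL Server"), reduced to one name.
CANONICAL_PATTERNS = {
    r"^(ms|microsoft)? ?sql ?server ?2008.*": "Microsoft SQL Server 2008 R2",
    r"^(microsoft )?windows ?server ?2012 ?r2.*": "Microsoft Windows Server 2012 R2",
    r"^openssh ?7\.4.*": "OpenSSH 7.4",
    r"^apache ?(httpd|http server) ?2\.4.*": "Apache HTTP Server 2.4",
}
# Constructed lifecycle catalogue; a product absent here has no EOL on record.
EOL_DATES = {
    "Microsoft SQL Server 2008 R2": date(2019, 7, 9),
    "Microsoft Windows Server 2012 R2": date(2023, 10, 10),
}
# Constructed stand-in for an NVD join: highest CVSS base score per product.
MAX_CVSS = {
    "Microsoft SQL Server 2008 R2": 9.8,
    "Microsoft Windows Server 2012 R2": 8.8,
    "OpenSSH 7.4": 7.5,
    "Apache HTTP Server 2.4": 5.3,
}
# Constructed agency lists; a product in neither is "uncategorized" (rogue).
APPROVED = {"Microsoft Windows Server 2012 R2", "Apache HTTP Server 2.4"}
UNAPPROVED = {"Microsoft SQL Server 2008 R2"}
LIFECYCLE_ORDER = {"eol": 0, "near-eol": 1, "ok": 2}
RiskRow = namedtuple("RiskRow", "host product status lifecycle months_to_eol cvss")
TODAY = date(2024, 3, 1)   # constructed reference date for the examples

def normalize(raw_name):
    """Map a tool-specific product string to its canonical name, or None."""
    cleaned = re.sub(r"[\s_\-]+", " ", raw_name.strip().lower())
    for pattern, canonical in CANONICAL_PATTERNS.items():
        if re.match(pattern, cleaned):
            return canonical
    return None

def months_until(eol, today):
    """Whole months from today to eol; negative once the date has passed."""
    months = (eol.year - today.year) * 12 + (eol.month - today.month)
    return months - 1 if eol.day < today.day else months

def lifecycle(eol, today, horizon_months):
    """'eol' = already unsupported, 'near-eol' = unsupported within the
    horizon, 'ok' = supported beyond it or no date on record."""
    if eol is None:
        return "ok"
    if eol <= today:
        return "eol"
    return "near-eol" if months_until(eol, today) <= horizon_months else "ok"

def approval_status(product):
    if product in APPROVED:
        return "approved"
    return "unapproved" if product in UNAPPROVED else "uncategorized"

def prioritize(inventory, today, horizon_months=12):
    """Filter order from the text: EOL or near-EOL first, then unapproved or
    uncategorized before approved, then highest CVSS. Unrecognised names are
    returned separately for triage rather than silently dropped."""
    rows, unknown = [], []
    for host, raw in inventory:
        product = normalize(raw)
        if product is None:
            unknown.append((host, raw))
            continue
        eol = EOL_DATES.get(product)
        rows.append(RiskRow(host, product, approval_status(product),
                            lifecycle(eol, today, horizon_months),
                            None if eol is None else months_until(eol, today),
                            MAX_CVSS.get(product, 0.0)))
    rows.sort(key=lambda r: (LIFECYCLE_ORDER[r.lifecycle],
                             r.status == "approved", -r.cvss))
    return rows, unknown

def screen_purchase(raw_name, today, max_months=12, eol_dates=EOL_DATES):
    """Purchase rule from the text: 'deny' when EOL is max_months or less away
    (or already past), 'allow' otherwise, 'no-eol-data' when it cannot be judged."""
    product = normalize(raw_name)
    eol = eol_dates.get(product) if product else None
    if eol is None:
        return "no-eol-data"
    return "deny" if months_until(eol, today) <= max_months else "allow"

# Constructed inventory, as several discovery tools might report it.
INVENTORY = [
    ("db01", "SQLServer2008R2 SP3"),
    ("app02", "Microsoft Windows Server 2012 R2 Standard"),
    ("bastion", "OpenSSH_7.4p1"),
    ("web01", "Apache httpd 2.4.6"),
    ("lab-box", "Vendor Widget Pro 3.1"),   # nothing in the toy catalogue
]
```

Calling `prioritize(INVENTORY, TODAY)` puts the out-of-support, unapproved database host first and the out-of-support but approved server second, ahead of anything still supported, and returns the unrecognizable name separately so the normalization gap is visible rather than hidden. The purchase screen deliberately distinguishes “deny” from “no EOL data on record”, since a product the catalogue cannot place is a visibility problem, not an approval.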

Having comprehensive, actionable data about vulnerabilities residing across the IT infrastructure enables federal IT managers to better understand their existing environments and to proactively transition to their desired end-state environments. But this cannot be done when there are significant blind spots crippling an agency’s view of its infrastructure and vulnerabilities. Consider that, among the many federal agencies we have worked with, BDNA typically finds between 35 percent and 55 percent of hardware and software assets are EOL — much to the surprise and chagrin of those agencies’ CISOs and CIOs.

To illustrate the scale of the problem, former Federal CIO Tony Scott said that between 2016 and 2019, more than $3 billion of federal IT assets will become end-of-life. That means no patch management, no upgrades, no more vendor service or support. These EOL assets carry known vulnerabilities that serve as entry points for hackers and malware.

Many of the most frequently exploited cybersecurity vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), date back 10 or 15 years or more. And although these vulnerabilities are well-known, they continue to be successfully exploited by hackers and malware. That is because EOL software and hardware possessing these CVEs continue to live on federal networks without the knowledge of IT staff.

That’s unnerving news if you’re a Federal Chief Information Officer or a Chief Information Security Officer. It’s even worse if you don’t have good, actionable data to tell you exactly where your blind spots are and how to prioritize the mitigation of those vulnerabilities.

BDNA delivers a proactive cybersecurity posture through comprehensive risk visibility and actionable data.

Specifically, BDNA provides these six critical benefits to federal enterprises of all sizes:

  • EOL Visibility. Knowing End-of-Support/End-of-Life (EOS/EOL) data for all of an enterprise’s network-connected hardware and software provides more comprehensive cybersecurity risk awareness — something no other tool does. And knowing which IT assets are EOL today, and which will be EOL in the future, empowers security teams to get ahead of their risk so they can proactively mitigate it.
  • Approved/Unapproved IT Asset Visibility. It is one thing to have an approved/unapproved list of IT assets — it’s another thing to enforce it. BDNA enables security teams to know all hardware and software on their networks — including rogue assets that are unmanaged — and then break out which assets are approved and unapproved. Just as important, it tells them which IT assets on their networks are neither approved nor unapproved and need to be categorized. Actively managing hardware and software so that only approved assets are connected to or installed on the network is the aim of the first two controls of the SANS/Center for Internet Security Critical Security Controls.
  • Common Vulnerability Scoring System (CVSS) Values. Knowing the risk severity scores of vulnerabilities, as defined by the National Institute of Standards and Technology (NIST), contributes to better and more proactive decisions for how to direct limited risk-mitigation resources.
  • The Marriage of EOL and CVSS Data. Plotting the enterprise’s most severely at-risk assets (as measured by CVSS values) with those at or near EOL offers a quick way to prioritize mitigation efforts and proactively neutralize ticking time bombs on your network.
  • A Single Source of Truth. BDNA aggregates data from all available discovery tools and data sources, then filters, dedupes and normalizes it. That cleansed data set is then enriched and aligned to the most trusted and comprehensive hardware and software asset information source, BDNA Technopedia. This means that all corners of the enterprise can work from a single, manageable, and authoritative source of knowledge. That’s critical when developing and executing a cybersecurity strategy across the enterprise.
  • Greater Value for Existing Security Tools. Federal agencies have invested heavily in numerous tools to manage IT assets, configurations, and security on their networks. Those tools deliver value, but they also have limitations in their reach and visibility. BDNA’s value is to aggregate the data from those tools and make it actionable by deduping, normalizing, and enriching it with unrivaled Technopedia market intelligence to provide a clear, comprehensive, single picture of the most critical vulnerabilities needing attention.