#InfosecNA18: NSA Weighs In on SOC Defense
In his opening keynote presentation kicking off the second day of this year’s Infosecurity North America conference in New York, Dave Hogue, technical director of the NSA’s Cybersecurity Threat Operations Center, talked about how innovations in policy, technology, and people can lead to breakthrough results in one of the largest 24-7-365 operational environments across the US government.
Hogue said the threat operations center is the equivalent of a security operations center in industry, and his teams are on the front line of defending against cyber threats every day. The fully operational teams are divided into threat analysts and countermeasure engineers.
Noting that the NSA director often describes cyber as the ultimate team sport, Hogue said this philosophy is embodied in the operations center, which has representatives from other government agencies, including the FBI, on its team. “If something happens that affects one agency network, they are there and given the information needed to do their jobs.”
On the unclassified Department of Defense information networks it defends, 36 million emails come in every day. While defending against that volume is a challenge, Hogue said that 85% of inbound user emails are rejected daily. In addition, once a vulnerability is disclosed, the network is scanned for it within 24 hours.
“It is incredibly easy for adversaries to take advantage of released vulnerabilities, so you need to understand your attack surface and understand how fast you can push patches out, because vulnerabilities are turned around extremely quickly,” Hogue said.
Attacks from nation-state actors have increased and grown more sophisticated, with the majority of geopolitically driven activity coming from Russia, Iran, North Korea and China. Commenting on activity coming from Russia, Hogue said, “We see their cyber activity very much guided by what they are doing in real time. Every time we severed their malware or took down their IP addresses, they established a new one.”
China, on the other hand, has transformed how it conducts its activity, but it continues to use cyber-espionage as a prime enabler to acquire transformative technologies as part of its long-term plan to be a global superpower.
The NSA is diligent in deploying its cyber defenses, and because of those efforts, Hogue said it has not responded to an intrusion that used a zero-day exploit in the last 24 months. As in the private sector, 90% of its cyber incidents are due to human error. In fact, 93% of the 2017 incidents were preventable with basic best practices: application whitelisting, role-based access controls and two-factor authentication.
Hogue listed five key strategies that lead to successful defense: instituting well-managed and defendable perimeters and gateways; ensuring visibility and continuous monitoring of the network, including traffic and endpoints; hardening networks, endpoints and services to best practices; creating and fostering a culture of curiosity and embracing innovative approaches; and using comprehensive and automated threat intelligence sources.
Source: Information Security Magazine