Stay Smart and Secure: Taking Control of Cyber Intelligence [Commentary] Photo Credit: Symantec Today’s threat landscape continues to evolve, making it more unpredictable and dangerous than ever. In 2015, a record breaking number of cyber threats were reported – 429 million identities were exposed, mega-breaches increased by 125 percent and 431 million new pieces of malwares were created, according to Symantec’s 2016 Threat Report. In just the first three months of 2016, 54 zero-day threats were identified and attacks across the public sector continued to grow. Against this backdrop, public sector organizations are collecting more and more security data, but in many cases, it is more than they can successfully manage, let alone glean true intelligence from. To make real progress, agencies must put the proper tools and policies in place to analyze the data they collect – across mobile devices, on premise and in the cloud. As they evaluate these tools and policies, government agencies should closely examine data loss prevention (DLP) protocols. Looking at the recent breaches of the Democratic National Convention, Office of Personnel Management, Yahoo! and many more, the biggest loss for the affected organizations was access to critical information. Ensuring agencies have a strong DLP framework in place is crucial to protecting valuable government information. It’s not just external players that threaten organizations; they must also look internally for threats – both malicious and unintentional – and find out how to detect and remediate them to ensure a strong cybersecurity framework. Turning Data into Actionable Intelligence Intelligence helps organizations understand the enemies that may threaten their networks. But with agencies collecting more security data than ever before, it is often difficult to prioritize information and determine which attacks pose the greatest threat in a given moment. Tools such as DLP, multi-factor authentication (MFA) and endpoint protection can give organizations insight into an infected environment. These tools leverage information to inspect the data – the more data collected, the better chance agencies have of identifying patterns, detecting threats and stopping them in their tracks. Agencies can collect information in two ways: Collecting their own data and collecting information from industry partners. Internal data management requires a holistic approach with log management capabilities, a strong network and email infrastructure and technology in the data center to ensure loss prevention. To leverage industry intelligence, agencies must examine the capabilities of each threat collection tool, as well as the visibility it provides, including the number of sensors and devices the tool touches. By doing so, agencies can determine how much of a system was compromised and where an attack originated. Using information from both their own data pool and the industry data pool can help agencies best detect patterns and other threat indicators. In addition, agencies must determine how advanced an attack is, which can present its own challenges. The National Institute of Standards and Technology (NIST) Cybersecurity Framework identifies five stages of an attack. Comparing where an agency’s attack is in its lifecycle to the framework can enable the agency to determine next steps. The framework identifies what the response team should do at each stage of an attack to help stabilize the environment and protect information. Deploying the right tools during this critical timeframe can make the difference between an inconvenience and a catastrophic event. Protecting Against Future Threats Strong DLP and MFA tools are the most important components of a strong security posture, as agencies work to protect against attacks and retain information on the network. To protect against internal threats, organizations can restrict access to information to certain employees. Additionally, locking down applications when an internal threat is flagged gives IT departments better control to assess the application’s behavior. Whether the threat is internal or external, implementing robust policies will help prevent a breach. Talking about cyber threats with peers and other agencies can help create a resilient cyber defense. Sharing lessons learned from mitigated attacks and the associated successes or failures enables agencies to learn from one another and recognize and mitigate future attacks. However, it’s not enough to just count on intelligence from other agencies; organizations must also focus on their most important resource – their employees. In today’s landscape, battling against cyberattacks requires all hands on deck. Building and managing an efficient cyber team and articulating how an organization’s security assessments contribute to its general security strategy will make awareness and training programs more effective. Staying Smart and Secure If there’s one thing agencies need for a strong cyber defense, it’s to understand that the amount of security data is not going to shrink – if anything, it will continue to grow. Quickly identifying a threat allows an organization to leverage the information to prevent any data loss or a further breach into the system. Whether a breach occurs from an internal or external source, a cyberattack often originates from in-depth reconnaissance. Once an attacker is inside the network, he can compromise identities and do serious damage to the data and applications. Following the NIST framework, collaborating with relevant agencies and creating a strong response plan will help agencies protect and fight against the next cyberattack. Robert Potter, vice president, public sector, Symantec, is responsible for developing and delivering the strategy, services and solutions that support Symantec’s customer needs across the geography. With nearly 25 years of industry experience, he has a solid track record of partnering with private and public enterprise organizations to improve their security and information management requirements.