How Honey Pots and Maturity Models Keep Government IT Systems Secure

The day-to-day work in running an IT department can be all consuming at times, often leaving information security a lower priority than keeping the lights on and delivering business value. Even in organizations that have set up security programs, many times administrators are not aware of a security flaw until the system has been breached.

It is important for organizations to get proactive on IT security, not just reactive when there is a breach, according to Bill Wyatt, CIO and CISO at State of Georgia, The Office of the State Treasurer. His organization uses maturity modeling to accomplish this — assessing their preparedness and making preventative improvements.

Wyatt’s team has embraced the National Institute of Standards and Technology (NIST) 800 Series in order to cost-effectively meet the requirements of the Federal Information Security Management Act (FISMA).

“The NIST 800 series is our platform for identifying security controls,” Wyatt said. “It starts with having a framework and knowing what that roadmap for success looks like.”

According to Wyatt, NIST has outlined nine steps towards meeting FISMA compliance.

• Categorize the data and information you need to protect

• Develop a baseline for the minimum controls required to protect that information

• Conduct risk assessments to refine your baseline controls

• Document your baseline controls in a written security plan

• Roll out security controls to your information systems

• Once implemented, monitor performance to measure the efficacy of security controls

• Determine agency-level risk based on your assessment of security controls

• Authorize the information system for processing

• Continuously monitor your security controls

In addition to adhering to the standard 800 series steps to establish and optimize your security framework, Wyatt embraces the NIST Special Publication 800-53, which was created to heighten the security of government information systems, covering mobile and cloud computing, insider threats, application security and supply chain security.

“As you flow through the 800-53 model of low, moderate or high, your goal is to continue to strengthen controls within the enterprise,” he said.

“Once adequate controls are in place, then it’s all about the monitoring for change and making sure there’s change management mechanisms in place.”

Being Proactive Means Monitoring Effectively

For Wyatt, being proactive is all about monitoring network and end device activity so admins can be aware of potential threats before there is a security event such as a breach.

“Being able to effectively monitor your technology ecosystem, and especially mitigate all the false positives, is an important part of ensuring that what you are seeing is what really needs your attention.  I want to have a higher sense of confidence that most events that are popping up are things that really need a response,” he said.

The efficacy of any IT security maturity program improves over time as the model within the environment is exercised. This leads to addressing common low-hanging fruit activities such as performing proactive security scans and the ability to fingerprint what normal behaviors look like, according to Wyatt.

“Unfortunately, it seems to take years for programs to mature, not that your staff is incapable, but mostly due to a lack of resources, priorities and overall leadership commitment.”

In the meantime, the IT team has to manage audits, upgrades, employee changeover and users requests.

“It’s about being proactive at that maturity level and working to educate and adequately inform one’s leadership to enable them to make, what should be, straight forward decisions. An environment lacking in leadership involvement and support will likely struggle to find sufficient success in building a more mature technology program.”

Catching Bees with Honey Pots

In addition to being in lock-step with NIST 800 standards to ensure compliance with FISMA, to be even more proactive in his security stance, Wyatt detects unwanted activity in his network by employing honey pots to help ID and track suspicious activity.

“I like the Attivo solution as well, it’s kind of a honey pot network,” he said. “We put a bunch of fake systems around and they are all configured to be vulnerable. From the network perspective you cannot tell what is real or what is fake. Then we wait for someone to attack it and take control of the system.”

This forensically captures what’s going on and tells Wyatt’s team if someone is trying to get into the system. He said this is just one of many layers for being proactive in IT security.

“Placing various honeypots throughout the environment opens a view into malicious activity that you likely may not know about and many times is undetectable from other threat detection solutions when the threat activity attempts to model common behaviors,” he said. “In the past, you might not see evidence of anything lurking in the environment. The only symptoms you know about are the ones users are providing. And if the users are saying something, you are probably too late and the damage is done.”

He said, “even worse, some users may have symptoms for months and never say anything. That can end up being a bad day as well.”

“I like having an environment using the Attivo approach, to give you a chance to have that awareness. All those components help in maturity at that top layer.”

Brian Carlson is a contributing writer. He is Founder of RoC Consulting and was Editor-in-Chief of CIO.com and EE Times. Follow him on Twitter @bcarlsonDM.

© 2020 Nutanix, Inc. All rights reserved. For additional legal information, please go here.