CarahCast: Podcasts on Technology in the Public Sector

GovForward FedRAMP Headliner Summit: FedRAMP'ing - The Key to Accelerating Cyber Defense Improvements

Episode Summary

Improving this nation's cyber defense has been a consistent theme and called out in federal guidance issued by the White House with Executive Order 14028, the National Cybersecurity Strategy, as well as CISA's Strategic Plan 2023–2025. To accelerate improvements in cyber defense for federal agencies, Cloud Service Providers (CSPs) must continue to adopt FedRAMP practices to usher in needed innovation to elevate this nation's cyber defense capabilities. OpenText Cybersecurity is poised to help this nation in Defending and Protecting Forward by offering a range of cloud services and capabilities to anticipate, adapt and evolve cyber defenses to counter threat actors' behaviors and activities.

Episode Transcription

Anthony Jimenez  00:00

Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team. On behalf of GovExec and Carahsoft, we would like to welcome you to today's podcast focused on FedRAMP. Listen in as OpenText Cybersecurity CTO Kevin Greene discusses the key to accelerating cyber defense improvements during the 2023 GovForward FedRAMP Headliner Summit.

Kevin Greene  00:26

Good morning, everyone. How's everybody doing? Oh, that was kind of weak. I'm gonna say it again. Good morning. How's everyone doing? Good, good, good. It's good to be here. I want to thank everyone for this awesome opportunity to present. Once again, my name is Kevin Greene, Public Sector CTO at OpenText. Some folks may know me; I see quite a few folks in our audience that I know. Talking about FedRAMP'ing, the key to accelerate cyber defense improvements. A lot of this is kind of, you know, read the summary for the session today, and I wanted to kind of make it somewhat relevant, but also leveraged. So my background experience over the last decade or so: I spent six years at DHS S&T, the Science and Technology Directorate, and from there I was at MITRE for some time. So some of the influences are here in my talk. So I'm gonna talk a little bit about our journey, some of the things we discovered on this FedRAMP journey. Obviously, FedRAMP'ing to accelerate cyber defense is important. I think a lot of people in the previous talk, before me, kind of pulled on the threads of things that are important from a cyber defense perspective. And I wanted to kind of, you know, share some insights here as well. So we've been on the FedRAMP journey for, you know, about three years or so, I think, before we were acquired by OpenText. We were Micro Focus, and I'm sure people may be somewhat familiar with Micro Focus; we were on this journey. And the thing that we found was you have to find the right balance between stringent expectations for security controls without breaking functionality and usability. As part of our journey we really understand that, because obviously, you know, as you're trying to get technologies into the pipeline to be FedRAMP'd, you're being forced to onboard more security requirements.
So understanding and finding that right balance is very important. Enhanced security requirements fall on the development teams, which require them in terms of getting your tools operational. Developers use tools, right? And these tools become part of the operational context that needs to be part of building out a FedRAMP strategy and getting capabilities into the fold. More security: we know that with FedRAMP, you know, really kind of the undergirding of that is 800-53, the catalog, the Bible, right? More security means that it takes longer to get products readily available to get into the marketplace. Security and compliance are not synonymous. I think we're learning that, or it has been something that I've already known, but I think our product teams are starting to realize that. FedRAMP isn't just shooting from the hip; it requires our executive leadership team to be fully committed, and endorse it and invest in that. And I think we're starting to learn that with a new management, executive leadership team at OpenText. And the other is build security in, right? We hear it all the time, build security in. It's more than just a catchy phrase. It's a mindset that I think everyone needs to have. So in terms of the marketplace, we have existing capabilities in FedRAMP today. We have Fortify, as well as WebInspect, which is for application security. So today in FedRAMP we have Fortify: we have static application security testing, dynamic application security testing, as well as software composition analysis. In process, we have our OpenText Government Cloud, which provides enterprise content management and a low code platform. Also we have the OpenText IT management platform as well, so service and asset management stuff that's expected to get through the process; right now it's in PMO review. It's been there since April.
So hopefully we can expedite that a little along the way, so we can offer capabilities and innovation to our customers in a broader federal audience. Next up for us is really trying to take a look at the landscape in terms of what we're seeing in the marketplace. And one of the things that keeps coming up is data security, right? So our Voltage Fusion platform will be next in terms of things that are in the queue, as well as our ability to do insider threat with ArcSight Intelligence, to do user entity behavior analytics stuff, and also the ability to have identity access governance in the fold, doing IGA. The ability to understand segregation of duty, the ability to assign read and write access, is very important. So I'll just talk a little bit about my experience at DHS and MITRE, which led to some of these things. So I was a program manager in the S&T Cyber Security Directorate for about six years. I ran the Software Assurance program, so anything called the SWAMP, the Software Assurance Marketplace, and things of that nature were coming out of my program. I was very upfront and really trying to, you know, talk about the importance of improving software security. So things that you see with SBOM, and all these other things, were part of some of the things that I tried to transition to practice, right, to go beyond just research, but get it across the valley of death, so that the larger public sector and private sector can benefit from that. From there, I went to MITRE. I worked on CDM programs, some of the CDM stuff. I worked on some of the ATT&CK stuff as well, which I'll talk a little bit about here as well. So this kind of shows, as I was saying, next up for us is the Fusion platform. Thank you very much for getting this moving.
As well as ArcSight Intelligence, we want to be able to not only see what threat actors are doing, and how they move across the network, but also understand visibility across the entire attack lifecycle. And as I mentioned, our NetIQ IGA is really assigning the right access. I think that's very important, assigning the right access, providing micro certifications, and things of that nature to make sure that we are giving the right entitlements to people. So if there is a breach or compromise or account takeover, we can do micro certification, we can automate that process and make sure we can kind of limit the scope and damage. So OpenText, our story. Our story is really an information management company, right? But in the beginning of this year, Micro Focus was acquired. So we added a security portfolio into the OpenText fold. It's an OpenText world, so not only do you have the ability to archive and store sensitive data, but also the ability to decentralize that in a way where you can get real value, and also provide insights to also help predict how business value is to be had within various organizations, to support business as well as mission capability. So we're able to build, automate, and connect, but also secure that information as well. So it gives you an idea of our portfolio breadth and depth of not just cyber but also other areas around information management, content management, but today I'm talking about cyber. So OpenText today, just to give you an overview of what we do: threat intelligence, EDR and MDR, application security testing. We pretty much cover a really broad range of cyber capabilities for public sector, as well as state and local. So in terms of where, the house of brands I should say. So prior to the acquisition of Micro Focus, OpenText had already acquired Carbonite, Zix, Webroot, things of that nature. Coming into the fold, we add ArcSight Intelligence, we add Fortify and WebInspect.
We've added NetIQ and Voltage, to just give you an overview of the depth and breadth from a cyber perspective. So now we've got to figure out how do we prioritize all these capabilities getting into FedRAMP. So that's been one of our challenges, really trying to, you know, test the waters, keep our ears close to the ground in terms of what are the major priorities in federal government, so we can really prioritize and kind of be, you know, somewhat providing lean capabilities that the government needs in improving, elevating cyber defense. So in terms of OpenText, in terms of Zero Trust, right, this kind of shows the alignment around Zero Trust, right? We kind of can furnish the whole house. That's just the analogy I use internally about being able to provide capabilities across a broad spectrum of Zero Trust. And really, this becomes the building blocks for building that cyber defense as part of an environment. And so understanding our destination is FedRAMP, and understanding how we move these technologies into FedRAMP is something that we're strategically and kind of, you know, doing a lot of magic internally trying to make sure we can innovate and help the government solve some really new challenges around cyber. So shifting to cyber defense. So we know that recently there was a National Cybersecurity Strategy that was released by the Office of the White House. We also know that CISA released their 2023 to 2025 strategic plan, which I think both are paramount. I think it clears the roadway for us to understand how to elevate cyber defense, but also something that I've kind of used: the ability to defect,
I mean, excuse me, the ability to defend and protect forward. I think that's the key. These days we need to understand that we have to understand how to defend forward and protect forward, because obviously we're seeing every day ransomware attacks affecting state and local government. We're seeing not only just state and local government, but just other areas of private sector as well, that bleeds into national critical infrastructure and things of that nature. So the ability to do that is very important. One of the things I want to commend CISA on is doubling down on cyber defense. I saw a post from one of my colleagues who was at Black Hat, and he was at the CISA booth, and they had the banner; it says National Cyber Defense Agency. I love to see that, right, because it shows that the mission is aligned to what we need to do to not only protect critical infrastructure, but high value assets that are very important to the mission of various entities within government. And CISA is doubling down on this. So they have four objectives, right? These are the four objectives here, and they kind of sprinkled in the outcomes that they wanted to see. I'm not gonna go over all the outcomes, but, you know, I suggest everyone reads this document. It provides a really good plan of how CISA wants to elevate cyber defense in public sector. So this becomes, to me, the foundational piece in terms of how we want to kind of improve cyber defense. So defending and protecting forward is something I mentioned earlier. So the ability to, you know, define what cyber defense is, right? It's really a coordinated effort of resistance that guards information. I think a lot of us are used to the CIA model, right? Confidentiality, integrity and availability. I think that is still relevant, but the problem with that is the recovery piece, and the ability to adapt to threats are kind of, you know, 0 or 1, binary, right?
So moving outside of that framework, and really trying to understand how to create this coordinated effort, right, to leverage threat intelligence, and threat intelligence is very important to leverage in terms of how we harmonize security controls. I always think security controls are dumb, right? It's either there or it's not there, right? And I'm not saying the process is dumb. I'm just saying the controls, and we need to be even more intelligent in terms of how we build the controls, how we select controls, how we plan for controls. And I think FedRAMP is onto something that we'll touch upon a little bit later. But obviously, we're leveraging this to use threat intelligence, to enhance our cyber resiliency, right, to be more robust against cyber attacks, right? We're anticipating disruption, right? Part of anticipate is having early warning signals about threats, about imminent threats, right, so that we can do things that are very useful, like doing adversary emulation, understanding how threat actors are attacking us, making sure we can use that as a way to elevate our cyber defense capabilities, right? So we can evolve our capabilities so we can keep pace with what threat actors are doing. And obviously, we've got to be able to adapt. We have to be able to adapt to what threat actors are doing, and codifying threat intelligence in your operational environment is one of the ways to do that. So here is Enhancing CDM Capabilities. This is an article I wrote when I was at MITRE in support of the CDM program. And I'm going somewhere with this, so just stay with me. So that paper influenced a project that was under CTID, the Center for Threat-Informed Defense, which is under MITRE Engenuity, the nonprofit arm of MITRE. It's called Engenuity. So part of that project that I learned was JPMorgan Chase; it was an industry research project.
JPMorgan Chase, CIS, as well as AttackIQ, helped provide a knowledge base of security controls. I say security controls are dumb, right? They don't understand threat actor behavior. So I wanted to have a way to understand, look, here are all the controls, and what are the touch points of controls that can be attributed to preventing and mitigating threat actor behaviors, right? So this project, in terms of mapping ATT&CK to the RMF framework, was a launching pad for some other works that we will see later on in this talk. So I, you know, kind of want to set the tone and kind of understand some of the things that I think FedRAMP is leaning towards, without having got full indication that this is the way they're going, but I do like some of the things that I'm seeing. Here is a quote from the Chief Commercial Officer at AttackIQ. I talked about the need to kind of elevate what we do from an RMF perspective and infuse more threat intelligence to make more informed decisions about how we protect critical assets in government. So this here, to me, is an attempt for me coloring inside the box, right? I'm coloring inside the box. And one of the things that I'm starting to learn is threat actors are coloring outside the box. So in terms of us trying to elevate and understand what threat actors do, sometimes we have to color outside the box, right? There's so many things we've learned. Use that intuition. How many of us actually deployed systems, whether it's public sector or private sector? By raising hands, how many? How many wrote code before? How many have done security engineering stuff? So there's so many things that we've learned from our intellectual experiences that we need to build into how we understand how threat actors are attacking us, right? There's so many things we learned about building, breaking, fixing software that goes into really trying to understand threat actor behavior.
So instead of coloring inside the box, we have to start learning how to color outside the box. That's not to say we're doing anything illegal, but we're really trying to understand threat actor behavior. I think sometimes they don't go inside the box, they go outside the box. So we started thinking about SIM swapping. SIM swapping was something that we've seen heavily in, how many have read the report that was submitted two weeks ago by the Cybersecurity Safety Review Board? I suggest everyone read that. It talks about SIM swapping, and how threat actors are going to Verizon and all these other places to pay off people who work there to get access to your SIM information, and then doing SIM swapping. So when you go do MFA, you're thinking your code is going to you, but no, it's going to the threat actor. So these are the things I'm talking about, thinking outside the box. We see now living off the land attacks. They are using things like PowerShell, right? They're doing what we call fileless malware, right? They're doing things like using our tools, native tools that we're used to, right, and using that to exploit and attack us. Obviously APTs are very important. So these are things I'm talking about, thinking outside the box, that have become very important. And how do we harmonize that in terms of the FedRAMP process, and just RMF in general, is very important that we should really consider. So starting on to something new. So I was doing some research for this talk, and I came up with this paper that was produced by the CISA FedRAMP PMO, and it talks about taking a threat-based approach. And come to find out, some of this work was leveraged from the work that I did at MITRE with the project. So I was very pleased to see that. But really, it's really getting the government to think about, hey, we knew we need these capabilities. How do these capabilities align to mitigate the threat actor's capability?
So if we are going to invest in a technology, we need to have some assurance, some awareness, or at least some understanding of how this technology, whether it's SaaS, PaaS, IaaS or whatever as a service, right, but it's really trying to get the government to really think about how capabilities can defend against threat actor behavior. So I think this is a very important paper. If people have not seen it, read it, I suggest you read it. But one of the things I'm not sure of is if this has been integrated into the overall FedRAMP process. I talked to some folks who did not seem to have seen this till I shared that with them. So I'm not sure if this has been transitioned into the overall FedRAMP process. But it should be, it should, because it guides how we can accelerate moving innovative capabilities into the FedRAMP marketplace. So in this, it talks about how .govCAR is used as a way to provide a scoring methodology. It leverages ATT&CK and the Cybersecurity Threat Framework, which was developed by NSA. I think these are all good starting points, right, to do the security control assessment so that we can understand which controls are most relevant in preventing cyber breaches. And one of the things that I think is important is having a prioritized list of security controls that are known to mitigate threat actor capabilities, and really trying to do those things religiously, so that we can really shrink the space in terms of which defense threat actors can really attack us. I think one of the things we've known is that, you know, MITRE ATT&CK is a curated knowledge base of things that already happened in the wild, right? And it's important to figure out how do we harmonize that against our threat profile.
So when we start looking for technologies, we're picking the right technologies that can help, you know, uplift and defend our threat profile against threat actors. And here, I'm talking a little bit about D3FEND. MITRE has something called D3FEND. I think D3FEND has been sponsored by NSA, which is an ontology of countermeasures for ATT&CK. ATT&CK is considered the offensive stuff that we know is attributed to threat actors; D3FEND is the defending side, right, defending things that defenders need to have, these countermeasures. So although FedRAMP has this threat-based methodology, figuring out how do we harmonize these different efforts becomes important, right? Because I do think we're onto something here, because this is allowing us to envision cyber defense from a different perspective, and also being able to codify that into our operational environments, which I think is very important. So how did this countermeasure mitigate this particular attack? Right? Starting to think about that, right, from a fundamental perspective. I think it's very important as we select controls, as we design controls, as we implement controls, that we understand these things are very important. So why is it important? Because it leverages threat intelligence to emulate threat actor behaviors, right? We can elevate cyber defense, which I call proactive hunting, right? Understanding and being able to use the threat intelligence to do proactive hunting. I think detection is something that we should kind of throw away, right? Because it's like 0 or 1, right? We detected this, but I think in order to find adversary behavior, you have to hunt for it. Right? Detection says, hey, here's a smoke signal, right? But where's the fire? Does a smoke signal always lead to the fire? Not in all cases, right? Because we do know, with a lot of detection capabilities, there's a great amount of false positives, right?
So understanding threat intelligence, and understanding how threat actors are trying to attack you, allows your team to be proactive in hunting out those types of behaviors and signals in the environment. So this gives us the opportunity. So here, what has happened, that's traditional threat intelligence, right? And we can learn from a lot of different things, what has happened, right? What might happen, right, being able to codify what has happened, and really trying to anticipate what might happen, right? And what is happening, right, those early warning signals about threat actor behaviors that we see, to kind of tell us what is happening. Having this paradigm is a shift, right. And I think it's important for us to kind of figure out a way to codify that now in the RMF process, but also in FedRAMP, because we need to get more capabilities; we've increased the portfolio of capabilities that government has to select from, to elevate its cyber defense. This is a white paper. I mean, this is an ebook that I did. I gave a talk at a talk by my good friend Tom Suiters here, and that talk evolved into this ebook, and the ebook is very important, I think, because it allows us to kind of understand and envision how do we make the right investments around Zero Trust, right? We want to implement the technologies that are known to mitigate threat actor behaviors, right? Why invest in technologies that are not going to mitigate threat actor behavior? So if anyone's interested, I suggest you download this ebook. It really shares some thoughts about how do we take threat intelligence and kind of infuse that in terms of making informed decisions about Zero Trust and making the right investments. So some important questions to ask in terms of cyber defense: are my security capabilities working as expected and intended?
I think that's very important, to measure and gauge the effectiveness of security controls, as we go through this FedRAMP process, as we go through our RMF process. Understanding: are my security controls working as intended or expected? The assessment: how can I assess and reduce risk? Understanding there's always residual risk, no matter what technology or what controls you have, there's always residual risk, because threat actor capabilities are always evolving, right? So there's always going to be residual risk. And the sooner you understand what that residual risk is, the sooner you can elevate and improve your cyber defense. Are we making the right investments in capabilities and technologies and tools, right, doing ROI? And we need to make the right investments on the right technology that can help elevate our cyber defense. Four is residual risk, as I mentioned: where are the gaps in my cyber defense, and understand what that is, and have an actionable plan in terms of reducing that risk, right, and mitigating that risk, and creating a more robust cyber resiliency so we can evolve, you know, so we can anticipate, evolve and adapt our capabilities. So here is something I wanted to share about harmonizing threat intel to recognize emerging threats. How many people are familiar with Storm-0558? Right, that's the attack that has happened on OWA, that is considered espionage, that affected a lot of, I'm not going to name the agencies, but a lot of agencies where email system information was extracted from the Microsoft Azure cloud. There was a breach around Azure AD. I think, what has happened? That's something that we know that's in the past, what has happened, right? How are we taking that and harmonizing and codifying it into the threat model that FedRAMP has sponsored? Right? How are we learning from the past?
How are we taking that and building that into our understanding of how threat actors are trying to attack us, right? The Cyber Safety Review Board, from what I understand, from what I've read, is going to review this in more detail and is going to produce another report, right? And I'm saying from that there should be some indicators of attack, indicators of compromise, that's going to be put out in a report, right? We need to assess our threat models and cyber defense, make sure our threat models, right, that we're using are calibrated to include these TTPs that have been associated with this review. And I'm almost certain, I talked to a former friend of mine, Jerry Davis, who was part of the Cybersecurity Safety Review Board. And I think, you know, understanding that process and really using that information to understand how we can defend better, right, leverage things that we know that happened in the past. And that's essentially what threat intelligence is. It's learning from the past, trying to predict what is going to happen, right? I think we need to do that more, right. So diving deeper beyond intelligence is essential for building that global situational awareness around what might happen, what is happening. I think that's important. So now, how do we use that to improve and upgrade, with .govCAR and a lot of these other initiatives that are part of informing how we are building more cyber resiliency into our environments, right, through the FedRAMP process or the RMF process? So as some final thoughts, these are nine points. I couldn't think of 10. I can think of a 10th. I was gonna say 10 points and Ahmadiyah, right, but here's some final thoughts. Right, authorizations are points in time, right? So when we get through a FedRAMP process, it's a point in time, right? There's a lot more work through continuous monitoring. We have to do that, shift focus on cyber defense to ensure cyber resiliency is met, right?
The most important controls are identity. Every attack: identity access control, to me, is probably one of the most important sets of controls that we should deploy. If you think initial access, you think of the MITRE ATT&CK lifecycle, right? Initial access is the first tactic, that I always say they go after, either trying to do account takeover through phishing, or account compromise. So identity and access control are very important. How do we make that more resistant? And I think part of that is hardening identities, building more visibility into that, so we can understand anomalies associated with user behaviors, and pinpoint those things where threat actors are trying to do, right, whether they're trying to get credential access, whether they're trying to get elevated privileges, how they move throughout the network laterally. All those things become very important. Red teaming, adversary threat emulation, help eliminate risks. I think that should be part of every continuous monitoring strategy. You have an idea of every threat actor that is essential to your organization, and should be able to model that on an ongoing basis as part of continuous monitoring to identify gaps, right? So then you can shift to figuring out how do we mitigate these gaps that may be important. One of the things we've learned through the FedRAMP process is containerization can ease the burden in FedRAMP'ing to create operational efficiencies and scale. And even those are the things we're learning. A threat-informed, defense-centric approach should streamline RMF and FedRAMP. There are way too many controls somebody can choose. I'm not saying they're not relevant, but I just think they're not relevant to threat actor behaviors and activities. And we should harmonize those sets of activities,
I mean, those sets of controls that are known to be associated with threat actor behaviors, right. Mappings are nice; these mappings are nice, but I do think that, you know, threat actor tradecraft evolves over time, so the mappings become stale at some point. They become outdated, because threat actors are constantly evolving. So, you know, while the mappings provide a starting point, I don't think we should be overly or heavily relying on the mappings. I do think it provides some insight in terms of what we should do. You must leverage the .govCAR methodology and threat intelligence to inform Zero Trust. As federal agencies are starting to implement Zero Trust, we need to use this threat intelligence to inform how we build out Zero Trust. How do we account for the next Storm-0558? So we need to move beyond indicators of compromise and leverage things that we know that have been associated with threat actor behavior, harmonize that in operational environments to elevate our cyber defense. FedRAMP must be a portal for innovative capabilities to elevate cyber defense across federal agencies. So as we kind of, you know, move more with FedRAMP, and FedRAMP becomes more important and people are starting to try to onboard more capabilities, I think we need to figure out where the bottlenecks may exist in that process and eliminate the bottlenecks. They said I got five more minutes. I'm just joking with you. But really understand how we do that. And I think if we could do that, and I'm here to assist in any way, I mean, I'm just an email away. I do think that, you know, we have to harmonize the things that we do. And I'm at a point now that things that don't work, we need to fail faster, throw those things away. And the things that are working, we need to do those things more religiously, because I do think we're behind. And I think one of the key things I think is very important:
I'm very proud that CISA has taken a stance on doubling down on cyber defense. I think that's very important. I'm Kevin Greene, thank you. You can reach me at K drain@overtax.com


Anthony Jimenez  30:04

Thanks for listening, and thank you to our speaker, Kevin Greene. Don't forget to like, comment and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Carahsoft can assist your organization, please visit www.carahsoft.com or email us at fedramp@carahsoft.com. Thanks again for listening and have a great