Beau Houser Archives | FedScoop
https://fedscoop.com/tag/beau-houser/
Fri, 03 May 2024 19:09:17 +0000

FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.

How the U.S. Census Bureau leveraged cloud services to modernize security
https://fedscoop.com/how-the-us-census-bureau-leveraged-cloud-services-to-modernize-security/
Thu, 12 Oct 2023 19:30:00 +0000

By transitioning to cloud-native software-as-a-service solutions, the U.S. Census Bureau redefined its approach to log management and laid new foundations for zero trust.

The post How the U.S. Census Bureau leveraged cloud services to modernize security appeared first on FedScoop.

The U.S. Census Bureau is perhaps best known for conducting the nation’s decennial census. Its primary mission, though, is to serve the American people by collecting and analyzing vital statistical data about the population and the economy to guide decision-makers and policymakers at all levels of government, including 90,000 state and local governments and virtually every industry.

It’s a lot of data — and by law, all of it must be kept confidential and protected. That keeps Beau Houser, the bureau’s chief information security officer, and his team of roughly 100 security specialists and developers focused not only on daily security threats but also on many projects to modernize the security of the bureau’s complex IT infrastructure.

When Houser joined the Census Bureau in the fall of 2019, following security stints at the Department of Homeland Security, the Centers for Medicare & Medicaid Services, and the U.S. Small Business Administration, he recognized several challenges faced by many federal agencies that needed immediate attention.

Among other concerns, the bureau needed better visibility into its IT environment to strengthen its ability to detect and respond to cybersecurity threats. The bureau also faces the burden of managing a large number of servers supporting enterprise log management, which requires extensive maintenance and resources. Additionally, the bureau’s security practices were centered primarily around compliance, which had become increasingly ineffective at protecting against new and rapidly evolving cyber threats.

Focusing on the challenge

While the Census Bureau had been actively migrating many IT operations to the cloud, Houser determined that one critical area to address was the need to “implement a different approach to enterprise audit and log management.”

[Photo: U.S. Census Bureau Chief Information Security Officer Beau Houser.]

Part of that was driven by new agency mandates issued in an August 2021 White House memo (M-21-31) outlining steps to establish a more mature log management system to detect, investigate and remediate cyber threats on-premises and across increasingly distributed third-party services. Prompted partly by the SolarWinds malware incident, the memo also required agencies to prepare to share incident information with other federal agencies to help the government respond to incidents more quickly.

Another factor was what Houser described in a recent interview as “a big data problem” involving multiple terabytes of data per day. Storing and analyzing that data required maintaining and patching roughly 50 aging servers dedicated to the enterprise logging service. “You’ve got logs coming from tens of thousands of devices — simultaneously feeding logs into a centralized repository. And we saw how critical it is for us to get that right to quickly recognize and respond when something bad happens.”  

Transformative solution

Houser knew the bureau needed a cloud-native enterprise logging solution aligned with its ongoing cloud migration strategy. Specifically, he sought a solution that met several critical criteria: It had to be flexible and scalable to manage and aggregate the massive amounts of log data generated by the Census Bureau’s operations during peak periods. It had to provide comprehensive visibility across the bureau’s entire IT environment. It needed to lower operating costs and complexity. Lastly, Houser wanted a software-as-a-service solution that reduced his team’s maintenance activities to allow more time to hunt potential threats proactively.

After a careful evaluation, the Census Bureau transitioned from an on-prem logging service to a cloud-native enterprise logging analytics solution, delivered and maintained as a service by one of the leading federal cloud and enterprise providers.

Improved outcomes

The transition, once complete, started paying dividends almost immediately, according to Houser, by providing:

  • Full integration – “From a log source standpoint, we’ve been able to aggregate all logs from the entire enterprise,” said Houser. That includes logs from on-prem devices, the bureau’s data center, and other cloud services. “So you’re talking about a cloud-to-cloud communication from that standpoint.”
  • Wider visibility – The transition provided a broader window on security data not just for security operations staff but also for operations and maintenance personnel who need this information for troubleshooting errors and communication bottlenecks. The security problems captured in the log files “are expansive,” he said, so it’s important that “there’s a lot of experts dealing with those problems and reviewing the logs to figure out exactly what’s going on. We’ve been able to improve our collaboration pretty significantly.”
  • Greater granularity – Adopting advanced cloud-native solutions increases zero-trust capabilities that “allow you to be very granular with [user] access. It’s helping tremendously,” said Houser.  “Before, if you could read something, you could copy it. Now what we’re seeing is broken down even further, where you can give someone read access and deny them access to copy it.”

Zero-trust implementation

That added granularity also helps the Census Bureau apply conditional or attribute-based access policies versus role-based ones. “More and more cloud service providers are beginning to build those capabilities into their cloud natively,” Houser explained.

“Once you’ve got your authentication and policy engine in the cloud, you can configure those policies to say, ‘You’ve got to have this login with multi-factor. You have to be on this specific device. And you have to be coming from this geographic location.’ So, you open up a whole new set of attributes that you can use for that login process. We’ve seen so many attacks where someone takes over an account, and then they run through a system. If you have the conditional access set up, the account alone won’t let you in.”

Another advantage of a cloud-based software-as-a-service that Houser’s team is now working to capitalize on is the ability to configure endpoint products centrally. “So if malware hits a laptop, we can configure the automation to say, ‘Automatically download the forensics package, automatically quarantine the box, automatically do this step, and that step.’  So, you can create logic related to the workflow that the analyst would typically do.”

Lessons learned

In addition to strengthening security practices and lowering operating costs, Houser believes working with cloud-native solutions to support zero trust will yield additional benefits.

“As we continue moving down this path, we’re going to be able to really improve the user experience,” on par with the experience consumers routinely encounter engaging with their bank. “There’s a lot of flexibility with zero trust. It sounds rigid when you say zero trust, but it’s very flexible.”

Additionally, Houser sees a longer-term benefit in picking up the tempo of technology deployment.

“The vendors in this space are all very, very capable. But at the end of the day, our IT folks have to maintain whatever we set up.” The challenge organizations increasingly face is “there’s not enough IT expertise — and certainly not enough cyber expertise” to keep up with the pace of change.

Leveraging cloud-native software-as-a-service solutions helps address that and allows new capabilities to be implemented quickly. “We’re always seeing new functions and capabilities creep into the portals we use to access the data. Queries get more optimized, intelligence gets more streamlined and integrated, and you’re able to do more AI and machine learning type activities that allow your analysts to focus on higher-level analysis.”

This report was produced by Scoop News Group for FedScoop as part of a series on technology innovation in government, underwritten by Microsoft Federal.

The Census Bureau’s move to zero trust begins with the cloud
https://fedscoop.com/census-bureau-zero-trust-cloud/
Tue, 22 Sep 2020 20:07:52 +0000

Until the agency goes from being just another cloud consumer to a primary user, perimeter security will prevail.

The post The Census Bureau’s move to zero trust begins with the cloud appeared first on FedScoop.

The Census Bureau needs time to move to a zero-trust security architecture because it’s still in the early stages of cloud migration, said Chief Information Security Officer Beau Houser.

While the bureau uses cloud services, it can’t abandon its wide network perimeter in favor of smaller ones around particular IT assets until more of those assets are in the cloud, Houser said during the Federal Zero Trust Virtual Summit on Tuesday.

A hybrid model mixing on-premises and private and third-party cloud services is required, and Houser hopes to get to a point where the bureau can share its data with researchers more easily.

“We feel like zero trust will also give us a lot of flexibility with customers who want to do different types of research projects,” Houser said. “So we can be very flexible with what the customer is doing and still maintain a strong security posture around the data.”

The bureau still uses a virtual private network as its primary remote access method. A VPN serves as the point at which the agency enforces security, but that’s not always helpful if an attacker has acquired an employee’s username and password through a phishing attack. Once the attacker is on the network, it becomes very difficult to distinguish their movements from legitimate traffic, Houser said.

“I do believe that zero trust is going to offer a new paradigm for cybersecurity that I hope begins to level the playing field with the attackers because I feel the attackers still have the advantage on us,” Houser said. “And I’m optimistic that zero trust will help us balance that out.”

Once the bureau adopts zero-trust security, a breach will be assumed and all data requests will be treated with the same level of scrutiny. That will happen when migration shifts in favor of the cloud, at which point users will want to connect directly to it — instead of using a VPN, Houser said.

But agencies can’t make the transition overnight.

“It’s going to take a lot of research and education, so go look at what other people have done before you,” said Sean Frazier, advisory CISO of federal at Duo Security. “Look at Google, look at Intel, look at Microsoft, look at Cisco, but also talk to your peers.”

Without a VPN, the bureau will need to choose new policy enforcement points for securing applications and data. That will require a level of visibility across devices and users and use of metadata the agency currently lacks, Houser said.

Further cloud migration will also require a culture shift on the part of bureau users, one that will eventually help them embrace zero trust.

“I still see in many federal agencies the tendency to go with the traditional model when it comes to technology management and technology delivery, and so it’s really hard to help people imagine things differently,” Houser said. “And that’s why I’m a big supporter of cloud because I really feel like it helps us to work through that mental exercise of imagining a different approach across the board.”

Census Bureau hires new CISO Beau Houser
https://fedscoop.com/census-bureau-ciso-beau-houser/
Fri, 23 Aug 2019 16:41:51 +0000

Beau Houser will leave SBA for Census in mid-September.

The post Census Bureau hires new CISO Beau Houser appeared first on FedScoop.

The Census Bureau has hired its next chief information security officer, an agency spokesperson confirmed to FedScoop on Friday.

Beau Houser, who has been the Small Business Administration’s CISO since October 2017, will start in his new role Sept. 15. Houser starts the job at a critical time, just as the bureau is gearing up for a decennial census in 2020.

Census’ previous CISO, Tim Ruland, retired almost one year ago in September 2018. He had been with the bureau since 1991.

SBA CIO Maria Roat congratulated Houser on the new role on Twitter. “We will miss your expertise, energy and innovative spirit!!,” she tweeted.

Federal News Network first reported Houser’s move.

Should developing cybersecurity talent be the next public-private partnership?
https://fedscoop.com/cybersecurity-workforce-rick-driggers-beau-houser/
Fri, 01 Jun 2018 13:51:32 +0000

As DHS extends its outreach to the private sector to foster more threat intelligence sharing, it’s also conscious of the high demand for cyber talent.

The post Should developing cybersecurity talent be the next public-private partnership? appeared first on FedScoop.

As the Department of Homeland Security continues to reach out to the private sector to foster better sharing of cyberthreat intelligence, it’s also looking for help in meeting the high demand for cybersecurity talent.

One of the agency’s key objectives is to build a workforce that can meet the security challenges of the future, Rick Driggers, deputy assistant secretary for cybersecurity and communications at DHS’s National Protection and Programs Directorate, said Thursday. He called on the private sector for help.

“How do we build a cyber workforce not for us to recruit against, but how do we build a cyber workforce as a national asset,” he said at the Cyber Threat Intelligence Forum presented by FireEye and produced by FedScoop and CyberScoop.

DHS has long advocated to share more threat-based information with a variety of industries as a way to strengthen current cyberdefenses. In addressing the global shortfall of cybersecurity talent in the public and private sectors, Driggers said the two should extend their partnerships to collaborate on better ways to stock a pipeline of skilled workers.

“Right now, we’ve got about 300,000 unfilled cybersecurity positions as a nation,” he said. “So what are we doing to engage K-12, what are we doing to engage academic universities? What are we doing, at least in the federal government, to change our hiring practices so we can bring on cybersecurity talent, we can keep them engaged? But we can’t do this alone. This is something we are going to have to work with industry [on.]”

Exacerbating that challenge is the widening scope of skill sets needed for new threat intelligence-based cyberdefenses. The threat-based cybersecurity model works best with a multidisciplinary cybersecurity team that contains not only IT experts but also other specialized analysts who can mimic a likely adversary and use their methods to test an entity’s system, said Beau Houser, CISO at the Small Business Administration.

“At the SBA, we have a program that centers around 24/7 security operations, a small cyberthreat intel team made up of intel analysts. Not IT people or forensics people, intel people,” Houser said on a panel on using threat intel to improve cyber risk management. “I have a small team of penetration testers, a small team of cyberthreat hunters and forensics. So now I am able to say, ‘Pen testers, imitate cybercriminal X against that high-value system.’ That not only proves the resilience of that specific system, it also — working with the 24/7 monitoring — can show you if the [Security Operations Center] has the right visibility and the right triggers in place.”

There has been no shortage of proposals on how the federal government can plug significant gaps in its cyber and IT workforces, ranging from reskilling current federal workers to deploying private-sector tech talent to the federal government on a limited, but rolling, basis.

But given that the talent in the market is in such demand, Driggers said collaboration between the public and private sector could best serve the country.

“You guys are facing the same challenges that we are,” he said. “It’s obvious that you guys have some different incentives that you can put on the table that the federal government can’t, but at the end of the day, from a nation perspective, how do we build out a cybersecurity pipeline so that we can have this type of skill and talent at the ready to help us with this particular mission?”
