100 episodes

The federal government is changing the way it handles data. It is transitioning from an on-premises data center approach to the cloud. Further, it is getting data from a wide-ranging number of sensors. Feds at the Edge is a podcast that addresses those concerns.

Feds at the Edge FedInsider

    • Technology


    Ep. 152 How to Fight Threats to the Software Supply Chain


    The federal government is playing a game of cyber whack-a-mole. When networks are hardened, malicious actors go after endpoints; then Endpoint Detection & Response systems evolve. When endpoints are secure, the apps get attacked.
    Today, we have a group of experts looking at sophisticated attacks on federal apps and APIs. The first line of attack is to make sure the database of code libraries is authenticated to be safe. Around 2018 the concept of a Software Bill of Materials became popular. This would ensure safe code at one point in time.
    However, as Jerry Cochran points out, the SBOM concept is weak because of the constant change of code that is taking place. The static concept of “safe code” is altering with updates and new compliance changes. Peter Chestna from Checkmarx points out that even if an issue is detected, the remediation process can be cumbersome and time-consuming.
    Artificial Intelligence has been shown to detect vulnerabilities in this dynamic code. Unfortunately, the attackers also have access to AI and have used it to search for weaknesses.
    When a cyber professional examines code, they frequently use a signature-based approach. During the interview, Nate Fountain suggests that a better approach is to use behavior analytics. That way, a federal leader can have compromised code, but it cannot exfiltrate data because it does not have permission.
    The battle is still continuing; recent reports indicate that 41% of attacks are on the next level: the API itself. 

    • 1 hr
    Ep. 151 Using Data to Fortify Network Defense


    Years ago, anti-virus software updates were sent on floppy disks in the U.S. Mail. Today, the attack surface is so large, we need continuous diagnosis and mitigation (CDM).
    Legacy solutions like Security Information and Event Management (SIEM) would isolate data to point solutions. Andrew Manos suggests that, given today’s volume, the only way to handle it is by centralizing data.
    Today, we have experts sit down and discuss how to take this CDM concept and deploy a solution for federal agencies. The discussion opens with best practices for a transition to CDM and follows with some guidance for the transition.
    After gaining an understanding of what is on a network, it is recommended to start experimenting in order to rapidly evaluate innovative technologies. This process will need a workforce that is more flexible than in the past.
    Data surges have caused agencies to seek solutions to this vexing problem. One way to break this bottleneck is with the cloud. James Scobey observes the cloud allows data to be managed through an API that can go across environments.
    Once a mature approach to CDM is viable, then advanced considerations like sharing data with other agencies can be considered.
     

    • 54 min
    Ep. 150 Hard Truths of Data Security in the Public Sector


    Every reader has heard the phrase, “Lulled into complacency.”  One may have completed a checklist and can sit back and feel secure. It can be a false security.
    Today’s explosion of data and reliance on compliance has led to a situation where federal agencies can be subject to attack from a vector that was not anticipated.
    The Zero Labs report from Rubrik shows how much data has grown:
    ·       Data: 25% growth in data year-over-year for most organizations
    ·       Cloud: 61% growth in cloud
    ·       SaaS: 200% increase
    This growth is detailed in statistics from data.gov. They state that 250,000,000 data sets are being used by the public sector. The bad news: generative AI will create more data.
    Best practices to steel yourself against attack include identifying where the data is stored, prioritizing what to protect, and collaborating with humans to determine who has access and when.
    Travis Rosiek from Rubrik explains how he was working with an agency in a backup capacity. When they tried to determine what to back up, they discovered sensitive data where it should not be.
    All agencies have a limited budget for data protection. Travis Rosiek recommends finding the most sensitive data and prioritizing protection there.
    Malicious actors know the vulnerable moments in a large organization: when someone leaves, weekends, and holidays. Managers should consider covering aspects of security when these events present themselves.
    One entertaining “human” problem Travis Rosiek reveals is hoarding data. Simply keeping data for eternity can open a federal agency to malicious actors who have hidden attack codes in the data.
    The lesson: move beyond compliance and think strategically about how your agency will get attacked.

    • 56 min
    Ep. 149 How Agencies can Adopt AI Swiftly and Securely


    By now, we have seen demonstrations of Artificial Intelligence summarizing content and even producing images. These are all great YouTube videos for a rainy Saturday afternoon, but what about the work of the government?
    With AI, one must begin with the data. When it comes to explaining how to leverage the petabytes of information, Karen Hall has a memorable quote.
    “Generative AI can unlock the knowledge trapped in data.”
    Her four guidelines for releasing this information are:
    ·       Make sure the data is authoritative
    ·       Enable connectivity to other systems
    ·       Be aware of data standards
    ·       Use AI in a responsible manner
    AI requires mountains of data to see patterns and help humans make conclusions. Government agencies may have sensitive information in their data stores, making it difficult to assemble meaningful data stores.
    Dr. Travis Hall from NTIA suggests that you can use AI to protect personal information. AI can be used as a privacy enhancing technology by being able to obfuscate data so trends can be seen to save money and speed up operations.
    Our expert from California, Hong Sae, provides many ways AI can assist government functions. He lists predicting traffic patterns, locating potholes, voice analytics customer service, gunshot detection, and predicting crime patterns.
    It is the early days of applying AI in a fast and secure manner. This discussion gives listeners the basic building blocks for success.

    • 59 min
    Ep. 148 AI can set a new standard for customer service.


    Everyone wants to pick up the phone and quickly get a human who has an immediate, correct response. On the other hand, government institutions are characteristically understaffed and underfunded. The challenge is to apply modern technology to improve customer service within the allotted budgetary constraints.
    Amanda Nabours suggests that an answer that is one hundred percent correct must begin with the data used to provide answers. Data stores must prevent bias and privacy must be protected.
    Right now, her agency is in an exploratory phase, but she notes that one key aspect of a successful deployment must be training employees, before a rollout, on what to expect when AI is relied upon to provide answers to citizen questions.
    Google’s Tony Orlando expands on the robust nature of adding AI to citizen experience. He details how AI can improve the speed of response, automate reporting tasks, provide a more personalized experience, and even reduce fraud.
    During the interview Tony Orlando expands on six models to improve citizen experience, everything from improved reporting to optimizing traffic.
    This may be a great practical application of AI for government.

    • 55 min
    Ep. 147 Challenges of Continuous Compliance with a Remote Workforce


    Compliance is difficult enough in an air-conditioned data center; taking this essential concept to an austere geography that has spotty communications with the potential of bullets flying makes it almost impossible.
    This disruption of communication has a new term, Denied Disconnected Latent, or DLL. When communications are restored, they still must maintain compliance standards.
    Today we get some perspectives on how to manage this arduous task.
    From a design perspective, an agency may have a process where the developers who deploy the application may not be the ones who make end points secure. As a result, a process must be worked out where the apps are updated and the security process for the end points is systematized as well.
    Jay Bonci from the U.S. Air Force describes how compliance can be checked during a regular maintenance process where central compliance information can be transferred to the field.
    Nigel Hughes from SteelCloud shares that today, many systems administrators are executing this update through a set of tools. This manual process may have been tolerated with a few end points, but today there is such a profusion that automation is needed.
    In a perfect world, one can scan assets, determine policy posture, and examine and baseline apps, browsers, and databases. If there is drift, they can be snapped back into compliance.
    For more details, listen to the discussion because it delves into federated vs. centralized compliance and the theoretical debate over defining an end point in a world of platform-as-a-service.
     

    • 1 hr
