Lessons in Cybersecurity from a 19th Century Undertaker

Establishing trust is the new phase of securing IT systems, networks, and enterprises

09-16-2020
Russ Smith
CYBER

Cybersecurity advice from a 19th-century undertaker: address vulnerabilities and create trust

Almon Brown Strowger was an undertaker in 1878 in Kansas City, Missouri. In Strowger’s day, telephone calls required speaking to a switchboard operator who connected the calls to the desired persons or businesses.

Strowger discovered he was losing business to a competitor in town when a friend of his died and he was not contacted. It turned out his competitor’s wife was a switchboard operator and diverted all undertaker requests to her husband’s business.

Instead of dealing with the switchboard company, Strowger put switchboard operators out of work. After years of development, Strowger received a patent for a direct-dial automatic switching system.

He saw switchboard operators as a vulnerability to his business and removed a barrier to his customers, creating a trust relationship. Switchboard operators were not inherently bad, but Strowger’s story is an analogy for the proliferation of IT ecosystem vulnerabilities. Industry advancements in firewalls, intrusion detection and prevention, proxy servers, and more served as critical capabilities until they became vulnerabilities.


Cybersecurity evolves from patching vulnerabilities, to countering threats, to establishing trust

As malicious actors began exploiting software vulnerabilities, organizations responded with rapidly deployed software patches. The vulnerability-based approach to cybersecurity emerged, which in addition to patching software, created a strong network boundary to prevent adversaries from accessing vulnerable software. In this approach, the security appliances at the network boundary create a “trust zone.” When a user gains access into the trust zone and is inside the network, all resources are available.

While patching vulnerable operating systems, applications, and network devices is important, it is not sufficient. The adversary still frequently penetrates the trust zone.

In response, organizations have added such capabilities as security operations centers, cyber threat- and intelligence-based warnings, and rapid incident response, focusing cybersecurity efforts on identifying and responding to malicious actors. Of course, these capabilities are in addition to patching vulnerable software. We call this new phase of cybersecurity, where cyber defenders actively respond to threats, the threat-based approach.


Today’s information ecosystem extends far beyond an organization’s network boundary through tools like virtual private networks (VPNs). But they are insufficient to address today’s challenges like the proliferation of Internet of Things (IoT) devices, cloud computing, mobile phones, and an exponentially larger workforce remotely accessing network resources.

Much like Strowger’s situation, cybersecurity is ultimately about establishing a trusted data exchange connection. We are now in the “trust-based” phase. Establishing trust between two resources anywhere within the enterprise is the desired end state. We design and implement Zero Trust Architectures (ZTAs) to meet today’s challenges.


Almon Brown Strowger used innovation to bypass a rogue switchboard operator and establish a direct trust relationship with his customers. Likewise, a Zero Trust Architecture establishes a direct trust connection between a user and an IT resource.


What is trust-based cybersecurity? Breaking down NIST’s Zero Trust Architecture framework.

A trust-based approach requires shrinking the trust zone as close to the resource as possible. For today’s cyber defender, limiting an adversary’s freedom to laterally move throughout the enterprise greatly enhances the protection of an organization’s critical cyber resources.

To help organizations and businesses understand how to implement a ZTA, the National Institute of Standards and Technology (NIST) released a draft publication outlining seven tenets. The tenets help organizations establish a roadmap to achieve Zero Trust. They are:

  1. Identify all data sources and computing services as resources.
  2. Implement secure communication between all resources regardless of location.
  3. Only grant resource access on a per-session basis.
  4. Ensure all resources are checked dynamically for specific characteristics to determine policy compliance.
  5. Ensure all devices are monitored to ensure they are in the most secure state possible.
  6. Establish dynamic resource authentication and authorization through Identity, Credential, and Access Management (ICAM) before granting access.
  7. Design the enterprise security architecture to collect as much information as possible about network infrastructure and communications to improve security posture.

According to NIST, all data sources, including the identities of users logging into the network, and computing services are resources. This can be challenging if the organization does not have situational awareness and an understanding of all its resources. To have a successful transition to ZTA, organizations must have an effective approach to gaining cyber awareness of their enterprise resources and implement effective tools to protect those assets.
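To make tenets 3 through 6 concrete, here is a small policy decision function, added as an illustration and not code from NIST, SAIC or Stealth. It assumes a constructed per-resource policy table and a constructed device posture record; every request is evaluated afresh, a grant covers one time-limited session, and unknown resources default to deny.

```python
"""Per-session, posture-checked access decision (added example, not NIST/SAIC code)."""
from dataclasses import dataclass
import secrets
import time

@dataclass
class Device:            # constructed posture record for tenets 4 and 5
    device_id: str
    os_patched: bool
    disk_encrypted: bool
    edr_running: bool

@dataclass
class Subject:           # constructed identity record for tenet 6 (ICAM)
    user: str
    mfa_verified: bool
    groups: set

# Constructed policy table: each resource carries its own requirements (tenet 1).
POLICIES = {
    "hr-db": {"groups": {"hr"}, "mfa": True,
              "posture": {"os_patched", "disk_encrypted", "edr_running"}},
    "wiki":  {"groups": {"staff", "hr"}, "mfa": False, "posture": {"edr_running"}},
}
SESSION_TTL = 900  # seconds; a grant is valid for one session only (tenet 3)

def posture_ok(device, required):
    """Dynamic device check: every required attribute must currently hold."""
    return all(getattr(device, attr) for attr in required)

def decide(subject, device, resource):
    """Return (allowed, reason); re-run on every session request, never cached."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "unknown resource"            # default deny
    if not subject.groups & policy["groups"]:
        return False, "identity not authorized"
    if policy["mfa"] and not subject.mfa_verified:
        return False, "mfa required"
    if not posture_ok(device, policy["posture"]):
        return False, "device posture non-compliant"
    return True, "granted"

def grant_session(subject, device, resource, now=None):
    """Issue a short-lived session token only after a fresh policy decision."""
    now = time.time() if now is None else now
    allowed, reason = decide(subject, device, resource)
    if not allowed:
        return None, reason
    return {"token": secrets.token_hex(16), "resource": resource,
            "expires": now + SESSION_TTL}, reason

def session_valid(session, now):
    """A session is only usable until its expiry; a new grant requires a new decision."""
    return session is not None and now < session["expires"]
```

The point is that a compliant user on a non-compliant device, or a compliant device without the right identity, is refused for that specific resource, and that nothing about being "inside the network" enters the decision.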

Mapping capabilities to tenets: how SAIC delivers on ZTA

Cybersecurity professionals cannot transition to a trust-based approach and implement a ZTA with a single product.

SAIC offers all the components necessary to migrate our customers toward a ZTA. We are the exclusive reseller of Stealth™ to the federal government, which can implement the first four tenets provided by NIST for ZTA without requiring a hardware investment. Stealth enables our customers, through software-based microsegmentation, to move all resources into a secure Community of Interest (CoI).

This ensures customers only access resources on a per-session basis, and that access adheres to the policies assigned to each resource. Stealth also encrypts all communication between resources based on the FIPS 140-2 encryption standard and approved through the National Information Assurance Partnership (NIAP), the federal government program which validates that a COTS product can protect data at the highest standard.

To achieve the next two tenets, SAIC has integrated additional tools into Stealth to ensure all network devices are at their highest security state. These additional tools integrate with Stealth under SAIC’s TrustResilience™ portfolio of ZTA capabilities. Some of these integrated tools include end-user device comply-to-connect, identity management, and identity governance.


The final tenet requires continuous improvement of the security environment, an area in which SAIC has a distinctive track record across many security operations contracts as well as at our own security operations center in Oak Ridge, Tennessee.

Tying everything together for our customers is the Cybersecurity Edge™ (CSE) framework. CSE has three distinct phases: discover, mitigate, and manage. The framework is an iterative process that includes the people, processes, and tools to continuously monitor and rapidly respond to malicious activity in the enterprise.

The CSE process begins by looking for gaps and shortfalls in security coverage (discover) to include adherence to regulatory policies. Next, we propose solutions to address those gaps (mitigate), and finally, our specially trained cybersecurity experts manage the security baselines through security operations and incident management (manage) while always looking for ways to improve our customers’ security posture.

The full-coverage combination of Stealth, TrustResilience, and Cybersecurity Edge ensures SAIC is the premier partner to enable our customers to implement their own ZTA strategies. No single tool can deliver today’s equivalent of Strowger’s direct-dial invention, but through the application of a holistic approach, SAIC leads customers in their Zero Trust journeys.

FURTHER READING: Always-On Security with Unisys Stealth®

Posted by: Russ Smith

Vice President of Cyber

Russ Smith is vice president of the cyber practice for SAIC’s Solutions and Technology group, with responsibility for leading cyber strategy and solution development for the customer groups while driving continuous improvement across the enterprise cyber workforce. Smith joined SAIC after a 30-year Air Force career culminating as the Deputy Chief Information Officer at the United States Special Operations Command. During his tenure, he commanded tactical cyber units at the group and squadron level and deployed to Iraq during Operation Iraqi Freedom. He also supported the Defense Department’s initiative to enhance the Defense Industrial Base’s cybersecurity posture as a research analyst with the Institute for Defense Analyses. Smith holds master’s degrees in Systems Technology (Joint Command, Control, Communications and Computers) from the Naval Postgraduate School and Military Operational Art and Science from Air University, and a B.S. in Computer Information Science from Bloomsburg University of Pennsylvania. He is also certified as an Information Systems Security Professional (CISSP), Chief Information Security Officer (C-CISO), and Project Management Professional (PMP).
