CSPAN TV Public Affairs Events, October 24, 2016, 8:01am-9:26am EDT
6:00 am
They are just driving away without breaking into it. There are technologies out there that allow you to prevent that. The previous panel identified one of the major issues of where they were, even with the weakness of technology. If you can remove user ID passwords and move to something-you-have and something-you-know technology, it is hard to penetrate. I might be able to steal what you have, but to have what you know, that's difficult. If you limit people's access, it controls what the damage can be.
6:01 am
>> Compromised credentials show up on the internet for sale all the time. One of the capabilities for our technology, we will scrape that information, pull it in. There is a tendency: I have two factors of identification, I'm good, it doesn't matter. If they won't be able to extract the password, we discover, hey, I found these 30,000 credentials. Here are 800 passwords. Go target these users with social engineering tactics. You miss an opportunity. Users do their annual security training. They don't think about it after that. They think and print the security certificate and hand it
6:02 am
off to management. What if you could reach out and say, you should expect to be targeted with social engineering tactics. Here is a link to some training. Now you are creating additional touch points to help them get engaged in the security process. To add on to that, fairly simple processes. If you have a critical user that can make changes to your administrative system, two people have to be able to okay that companywide, you are lowering your risk quite considerably. >> Terrific. >> Greg, you and I spoke the other day about this. I wanted to give you a chance to talk about it. There are federal agencies integrating as part of this larger conversation. Several mentioned leveraging technologies.
6:03 am
You want to share what's going on with that perspective? >> Everybody has kind of read about it. Their initial focus is on privileges. Unfortunately, as this gentleman said, everybody is a privileged user. With that, they want everybody to use a digital representation of themselves. That can't show up on a password. Getting rid of user ID passwords is the key to this problem. The issue the government has is the heterogeneity of the
6:04 am
network. It can homogenize everything from the network. You get to a point where you are giving rights and privilege as opposed to access to a bunch of applications. The other thing is to give people these. Give them granular roles. Nobody calls the help desk and says, can you take away this access I have? I have too much privilege. Please take some away from me. You have to right-size the roles to make sure they only have what they have. It keeps them out of trouble. Having the authority but also having the responsibility.
6:05 am
You give them boundaries. It is something they have or know. You throw a third authentication on top, it is hard to end up on a dark website. >> Talking about voting, I remember working on a project, who won the election. There was immediate funding before 2002 around a project called SERVE. It was letting the military do it electronically using the PIV card. It was a great application. The PIV card has been around for 16 years. It would have given great authentication. There are no issues with privacy, which is a major concern in voting. If I have got the password, I know who he voted for. All these solutions are there in technology. Just 2000, didn't do it. Still not being used today. A lot of reasons for that.
6:06 am
Give me a U.S. postal address. Give me one e-mail address, one certificate. We need to implement these technologies. >> When you are talking about two factors, the other thing that does, how often does someone have a password for a really secure system? They reach out and pull out the password that's written in the drawer, or they lift up the keyboard and it is written down. That's the nice thing about two-factor: it reduces the risk that your user will write it down where anyone can find it. >> We talked about the two flavors, malicious and unintentional. Regardless of the type, they could have catastrophic outcomes on an organization. The federal government, despite
6:07 am
mandates and requirements to have these programs, it is still not being done across the board. I was curious as to some of your thoughts as to why this is the case and what can be done to change it? >> I think it is a three-pronged approach. It is people, process and technology. You have to train the people. I think it was ISC squared. They did a study where they interviewed various departments across different agencies. Outside the IT department, less than 12% of the people thought cybersecurity was important. The IT folks, the highest they got in cybersecurity care factor
6:08 am
was 48%. There has to be better emphasis on training people on what they should do. The second thing is the process. Providing that least privilege and the least access. What are the issues we have, even with the federal government, and the insider threat? People get a chance to go other places. This person is rarely the person that needs wide-open access. It is the person that doesn't have wide-open access, but they are able to hack themselves across the network to get to the place where the goods are. If you can provide them least access, as much as they hit the button, they can't go there. You are going to keep them processed. Use technology that basically enforces it. >> We had government mandates that came out and said, we need to be doing protections against
6:09 am
insider threats and programs. The trouble is, all these mandates and requirements haven't come with funding. How do you do that? You have to buy systems and technologies, to have funding to put behind people to run that program. One of the biggest challenges we all face is we need funding behind this to actually implement these processes to protect all of our critical data. >> If I can add, too, you mentioned insider threat. Everybody has heard the term. It is familiar. It is almost like a bad word. One of the challenges agencies have, there is a privacy concern. I don't want to be an insider threat organization looking in on my family. I don't want to find a bad guy. Account lockouts, everybody has
6:10 am
locked out their account. To the cybersecurity side, that's a headache. What happened in the lockout? Do I have to reset it quickly? Is Michael an insider? Is he being compromised, coming in from the wrong place? If you can give a user contextual information, hey, Michael fat-fingered on a Monday morning from the same IP address, that's easy to reset. Rather than Michael was locked out on Saturday trying to get access to a system he has never touched before. If you can make it easier, identify insider without saying insider threat. Insider threats bring a lot of visibility. We hear about it all the time. A recent case a few weeks ago. Another guy. It is never going to end. How do we make our users use better technology to be faster in how they make those decisions? >> Insider threat is not a new
6:11 am
problem. It took us 22 years to find Robert Hanssen. We have had corporate espionage. That's not new. We have an unprecedented amount of data that is ultimately going to make us more effective. It makes a much more solvable problem. You have HR data, knowing if someone is on a performance improvement plan or they are at risk of being fired. You also need audit log data. I think organizations get really scared of the edge cases, where how would you stop a scenario where I have an employee, his manager is torturing him. Finally, he hits the point, that's it, I'm done, I'm going after this guy. He goes and opens up some files and takes pictures on his cell phone. Our users are pretty smart. They see CNN and realize you are watching. They tell you, we are watching you. Our users know. Now, I can go and, let's say, he takes his phone out and uploads
6:12 am
it to WikiLeaks, how would you detect that? That would be really hard to detect and any ramifications could be big. We can't get hung up in the edge cases. Let's solve the 90% problems and then start to look at the edge cases. Like computer network defense, with insider threat, it is not "if." It is "when." You need to have a recovery and response plan in place. Learn from it. Were there additional technologies that I could have had that would have prevented it? All of that needs to be thought of. What do we do when it actually happens? >> You also mentioned areas to track, HR data, travel data. A lot of disparate and technology data don't touch each other. Having solutions in place that
6:13 am
help us track all of that, solutions that work together to actually be able to have a holistic picture of what our users are doing, to protect them and the company as well. That's great. >> We are working on phases one, two, and three. We have recently started talking about phase four, some areas that you have mentioned, that is protecting data. What technology and best practices do you recommend to DHS to include in phase four of CDM as we start to put this together? >> The natural thing for phase four or protecting data is data loss prevention products and redaction products that can redact sensitive information based on use. Easily filing things so that the wrong eyes don't get access to them. This technology is out there to do that. They are just difficult to
6:14 am
implement. They are extremely policy-based, and to get them fully working, it will take a lot of time and money. >> CDM phase 4 is going to focus on that. It is going to become very, very important. It sounds clunky on the back end, but if you have cross-domain technology that can help you access and transfer across those multiple networks from one single location, it becomes easier for your users. The keys to the kingdom, if you will, all that data is in a very secure place. The access controls are there. Only certain people can get to that. It is very, very protected. >> There are technologies out there where you can by policy separate things, layer three, four, and five. >> It's funny. When you mentioned this to me, I started laughing.
6:15 am
I remember working on phase one years ago. The agency was rushing to deploy it. I am glad the DHS is doing it. It is a great program. One of the comments I would make, the biggest challenge for small vendors, CDM contracts. A great vehicle to get things going. It doesn't always mean that the best technologies are leveraged. I was talking to a CISO. They said, I am buying "x" because it is on CDM, not because it is the best product. That's a bad thing. We need better initiatives to get faster, better technology through these programs. They have made a great vehicle to do that. I'm working on my company getting in on phase three and four. I hope people think about how we get the innovative technologies in faster and don't just make a decision because it is on the contract. >> The problem with that is the price is right. >> I understand. It is not just price. It is awareness. >> Price and cost are two
6:16 am
different things. >> The new federal system recently discussed the importance of cybersecurity personnel training. This was mentioned a little bit earlier on some of these panels. What specific programs and methods have been proven most effective to change behaviors? Is there a way to leverage technology to influence behaviors and actions of people? >> Training is something you have to do. First, it needs to be engaging, and people need to feel like they are learning something and getting something out of it. If you are at the point where your users are going through annual security training. I remember when I worked in the Department of Defense, you had these rooms. You go through the room. Someone calls you up on the phone. Now what would you do? I would try to get through as quickly as possible and answer the questions. It needs to be engaging. They need to feel like they are getting something out of it. >> It needs to be something that is thought about throughout the year. One of the speakers earlier took
6:17 am
my cat video joke. When I was working with the Marine Corps, everybody wanted to see the Steve Irwin video. One organization I work with has the most important part of training with actually improving the performance of your users. There is a punitive action if you violate what happens. It doesn't necessarily have to be punitive. It can also be incentivizing someone. You are going to send five e-mails to test whether they click on it. Maybe they get two hours where they are successful for extra vacation. It will cost a little bit of money. When we look at how expensive it is when we have a breach, I am sure it would be a cost-effective solution. >> Frisch, I agree. Customers looking for positive behavior. Making people aware when you touch something you shouldn't. This is the first time you touched the server. Did you mean to? They are more aware and less likely to step out of bounds.
6:18 am
Going back to behavior, give them incentive. I get spammed all the time. I get phishing attacks. The curiosity in me, I want to press the button. I'm not supposed to. When you get the spam, send it to the SOC center and share with the team. Share that knowledge with people. The other target is text messages. I am getting text spams. If they are aware, share with me the recent attack and exploit. Let them see what the result was. It answers the curiosity problem. >> It is definitely a culture issue. We all have to be a part of it, from senior executives on down to the line-level employee. Everyone has to be aware of it. Why did you do that? >> Laugh about the e-mail that comes in. Someone will say, make sure you don't click on that. Don't open that LinkedIn e-mail
6:19 am
from the person you don't know. >> What Tony Scott said earlier is important. We have to get them when they are young. A lot of us older folks didn't grow up with technology. >> I'm pretty sure that everybody on this panel, if I asked what do you think the biggest risk to your network is, most would say the user. They said, the problem is between keyboard and chair. We are afraid of our users. There are a lot more of them than there are of us. The quicker we can turn them from the biggest risk we are worried about to a force multiplier where they are engaged in helping us do our jobs, the better. >> That is growing with the coming on of the millennials. They are retiring. We are only going to see more of that. They, from the millennial generation, are used to technology doing security for them, if there is any security
6:20 am
at all. They don't think about it. They are used to the technology. We take a different, more cynical view of technology. We don't expect it to do what it is supposed to do. They think about it. They move on. That is only going to get worse. >> Our final question for the panel is really talking about some of the success stories that are out there. We know there are several agencies and federal CIOs, private sector CIOs that are implementing wide-reaching cybersecurity and hygiene programs. Can you share some of the good programs and initiatives that are out there that some of the audience, folks watching at home, can look to for guidance? What are other ideas that could help an organization put together a good program and change some behaviors you are talking about? >> I think there are success stories in pockets.
6:21 am
Everything is pretty much stovepiped. I think it is difficult to get everybody on the same sheet of music. Until the executives in the organization, he or she or the group of them, get together and say, here is what we are going to do, mandate that. I think that's the attempt on the federal side, to put together a standard of technologies that are mapped to the OSI model that you can deploy. All together, it will orchestrate this one single cybersecurity of the agencies. >> Anyone else? >> I was in a meeting a year and a half ago. It was talking about these really advanced things we could do to improve cybersecurity, the cybersecurity posture of the
6:22 am
organization. Probably about 100 people in the meeting. Somebody said, you are talking about this, we don't patch our systems regularly, right? Cyber hygiene is incredibly important. If you are at zero, you are not going from zero to hunting APTs in a night. You have to think about this in layers. There are organizations out there. I am very fortunate. Some of my customers, I tend to work with customers that are forward-looking and much more interested in the intent than the letter of the requirement. There are great examples where your CDM might say, do these things. It frees me up to add additional capabilities. My response is take advantage of the programs that exist, anything that people are going to give you. That will give you the opportunity to look ahead and get to things with more advanced capabilities. >> Things like the IT
6:23 am
modernization rules that are coming online, we need to get our systems up to date. We still have a lot of systems out there, especially in the government, that are running very old versions. You can only do so much with that. It is not anyone's fault. >> We have to be aware and get the policies in place to get these systems tested in a way that is fast enough, so we as vendors can then bring the technology to you. Everybody wants to be there. We have to take that phased approach and chip away at it. >> You asked about agencies and programs that are good or bad. I don't want to call anybody out. There are some that are doing great jobs. Tomorrow, they could be hacked. There is a constant world of change. I remember in 2009 I was working with OPM and they won some awards for being the most innovative as far as cybersecurity. They were taking advantage of technology at a time that others were not.
6:24 am
We laugh because they got hacked. Let's realize today that agency is doing great. Only a few months away from being bad. The one that is bad can be good. Cybersecurity is always changing. Don't penalize people as much when they fail. They learn a lot from these failures. There is only one agency that is a silver bullet. It is dynamic. >> You hear the metaphor, cybersecurity is not a marathon. Unfortunately, there is no finish line. It is not like I do these five things and I am magically secure. You have to learn from things and incorporate those and make sure it doesn't happen in the future. >> I agree. It will never initially end. Anything you can do to reduce your risk surface, to minimize the points of attack. And I agree you can't go to college and say you go to high school. >> Great. Please help me in thanking our
6:25 am
panelists with that. I want to thank all of you for joining us for today's briefing. The papers are available on our website for download. Our next meeting is actually our annual gala and benefit at the St. Regis on November 10th. We'll be honouring federal CIO Tony Scott and Keith Alexander. Thank you to our speakers. We will see you next time. On the campaign trail, Hillary Clinton will be joined by Senator Elizabeth Warren. They appear in Manchester, New Hampshire, with live coverage starting at 12:30 Eastern. Later, a look at opioid addiction in the U.S. They will look at ways to prevent overdoses and provide tr