Metrics and Automation Can Improve Federal Cybersecurity Measures

July 9, 2020 — Metrics are a new frontier for automating certain cybersecurity measurements, according to Mariam Baksh, a staff correspondent at Nextgov. In a Thursday Nextgov webinar, moderated by Baksh, panelists discussed the benefits of utilizing automation to gather data for more informed metri

Metrics and Automation Can Improve Federal Cybersecurity Measures
Screenshot of Nextgov Staff Correspondent Mariam Baksh from the webinar

July 9, 2020 — Metrics are a new frontier for automating certain cybersecurity measurements, according to Mariam Baksh, a staff correspondent at Nextgov.

In a Thursday Nextgov webinar, moderated by Baksh, panelists discussed the benefits of utilizing automation to gather data for more informed metrics, in order to ultimately solve pressing cybersecurity issues in both the federal and private sector.

“It’s important to remember when we say ‘metrics,’ we just mean measurements,” said Brandon Valeriano, senior advisor of the Cyberspace Solarium Commission.

Automation and metrics are currently being utilized by the Continuous Diagnostics and Mitigation Program, a leading effort to reduce cyber risk and provide asset visibility to the federal government.

By distributing automated tools to federal agencies, their ability to monitor and manage the threat of cyber vulnerabilities is strengthened.

The goal of CDM is to improve the federal governments respective security posture, said program manager Kevin Cox.

“Agencies are not aware of their attack surface,” Cox said, referring to all of the places an advisory is able to exploit a network.

When the CDM program was utilized, researchers “found that agencies have 75 percent more assets than they were manually reported,” Cox said.

The objectives of the program are to reduce agencies’ threat surface, increase visibility into the federal cybersecurity posture and improve federal cybersecurity response capabilities.

Valeriano, who Baksh mentioned had more experience in the private sector than his fellow panelists, spoke of utilizing metrics and automation to solve an alternative problem.

“We’re generally collecting data on security risks for no real purpose of analysis,” Valeriano said. “We only know about what we’re already looking for.”

Valeriano called for utilizing metrics to develop a better situational hyper-awareness, so eventually attacks could be predicted and mitigated.

Other panelists reported that they are not doing the type of work that Valeriano described, revealing a division in development between segments of the private and public sector.

“Automation is the way to go,” said Vijay D’Souza, director of the information technology and cybersecurity team at the Government Accountability Office. “The more tools you have to handle the vast amounts of data we’re dealing with the better.”

However, automation may not catch major threats, such as attackers going for harder to exploit targets, D’Souza said.

To solve this, a “marriage of artificial intelligence and human intelligence is ideal,” he said.