Lessons from the NSA: Know Your Assets

Over the past decade, Chris Kubic has worked to secure the US intelligence community's information systems and environment, architected the National Security Agency's cloud infrastructure, and, for his past three years, led the agency's network-security efforts as the chief information security officer. 

His lessons for public companies? Focus on your assets. Not enough companies know what is in their environments — the first step to knowing what to protect, he says.

"Securing the NSA is not that much different to securing a large, complex environment in the commercial sector," he says. "It comes down to this: You just need to be good with the basic blocking and tackling of cybersecurity. What I mean by that is you really need to start out by gaining a very firm understanding of the environment that you are trying to secure."

Kubic, who joined Fidelis Cybersecurity in October, spent 32 years at the NSA, working his way up from a security project engineer to CISO. During that time, the National Security Agency has had many successes but quite a few high-profile information-security failures, from the massive leak of operational data and tools by contractor Edward Snowden to the overreach of a surveillance program that Congress is now calling to end. In July, NSA director General Paul Nakasone argued for the agency to refocus on cybersecurity, following years of reportedly failing to prioritize the discipline. 

While Kubic would not discuss the details of his time at the NSA, he did discuss his thoughts on cybersecurity strategy that could be applied to the private sector. A key component of that is situational awareness, he says.

"You need to understand all your assets that are part of the enterprise that you are securing," Kubic says. "You need to understand how those assets are configured, where they are deployed, how they are connected, how they are patched and updated — all those kinds of details are important when you are trying to secure your domain."

With nation-states continuing to develop their capabilities, assistance from the government will become increasingly important, he says. The government has a lot to offer companies, he adds.

"Coming from the government, not surprisingly, I think it is a good idea to have more government involvement to defend nations' networks," Kubic says. "It gets a little dicey when you are talking about private industry, and it's really hard to mandate government involvement in that, but I think the government has a lot to offer, and certainly can offer, to be that independent broker that helps by connecting the dots across industries."

Looking toward 2020, Kubic sees the application of machine learning and artificial intelligence to security as inexorable. With a shortage of knowledgeable workers, using analytics to sift through the massive data produced by companies and detect threats is critical, he says.

"On the cybersecurity side, the continued use of analytics, machine learning, and artificial intelligence will be important in securing our environments, but on the negative side, I think we will see a lot more adversary use of such technology to disguise their attacks, making it even harder for folks to defend their network," he says.

The majority of cybersecurity workers see machine learning and artificial intelligence as a positive benefit. A July 2018 report by the Ponemon Institute found 60% of respondents believed AI would help them enrich security information and simplify the detection and response to security threats. Only a third of respondents, however, thought the technology would reduce workload for security teams.

For companies overwhelmed with data, Kubic recommends the security team identify the truly critical data and systems and focus on making sure those are secure. 

"Not all assets are created equal," he says, "so you really need to sit down and understand what are those high-value assets that need to be protected better than the rest of the enterprise. That is either where you have your critical data stored or assets that are supporting your business' critical functions. It is not easy to map out those workflows, but without that it is hard to prioritize where you need to make investments in cybersecurity."

Most of all, companies need to do the basics right, he says. 

"In 2020, people need to stay focused on the basics of cyber hygiene," Kubic says. "It is the unpatched systems and unmitigated vulnerabilities that are the easy button for the cyber adversary. You cannot take your eye off the prize there."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Next Security Silicon Valley: Coming to a City Near You?"