Episode 9 - Federal Cyber Defense: Legacy Debt, Cloud Shifts, and Network Truth
Welcome to Corelight Defenders. I'm Richard Bejtlich, strategist and author in residence at Corelight. In each episode, we explore insights from the front lines of NDR, network detection and response. Today, I'm speaking with Jean Schaefer, Federal CTO at Corelight. Welcome, Jean.
Jean: Hi, how are you?
Richard: I'm fine, thanks. I'm so glad you're joining us today. This is an interview I've been looking forward to for some time. How would you characterize the challenges that our, our friends in the federal sector have to face?
Jean: Um, the first of all is the legacy IT infrastructure that many agencies and departments are still, um, running, right? That is their operational network. As they have been modernizing over the last, I'll even say, decade, um, because of the expanse of their networks within the government, um, they still have quite a bit of infrastructure that's legacy. So on top of the legacy-ness that they have, the threat has continued to rise, and we see the adversaries continuing to go after not only the upper grade, uh, government agencies, like the intelligence agencies or the DoD, but they're actually going after all of the industry supporting that. So we often talk about the DIB, the Defense Industrial Base, um, and that those industrial bases, whether it's the defense industrial base or the critical infrastructure bases, um, have even more vulnerabilities, and because of the legacy infrastructure that they're running. Commercial industry, I believe, generally can upgrade and modernize their infrastructure at a much quicker pace than many of the legacy government agencies are.
Richard: I think that's a really interesting point, because you could be in a situation where private sector entities go out of business, or they get bought and their IT is replaced. Or you can imagine all these scenarios where what they were running previously does not exist anymore. Whereas in the government, generally, agencies continue to exist. The, the function needs to be fulfilled. And even when I said government, I painted over a huge... I treated it like it was a homogenous thing. Whereas you, you pointed out, well, we've got different, you know, aspects. You've got the DIB, you've got, uh, civilian sector. So even just talking about a government in terms of one thing doesn't really make any sense, right?
Jean: Right.
Jean: And, and, and each agency and department is actually very different, um, from the way they function, the way their networks were put together over the years. Um, so, so they're really not homogenous at all. This is why over the last, oh, I don't know, six, seven years, you've been hearing, um, policy guidance coming down that says, "Hey, federal agencies, we need you to move toward the cloud infrastructures."
Because they know, one, there's not enough cash that is flowing into the government to actually replace most of their legacy infrastructures, and so therefore, they can get rid of and decommission their infrastructure by moving much of that into the cloud infrastructures.
Amazon, Googles, all of them are picking up some of that cybersecurity for their own cloud infrastructure, and they share that information with the government, but they themselves, um, are kind of sharing some of that technical depth, if you want to say that, because they're being able to protect their own infrastructure, um, at a much different, faster pace.
Richard: Yeah, and it sounds like, or at least my perception would be, that where necessary, government entities, uh, coming from either the law enforcement or the intel side, they can add their special insights into what threat actors might be doing or targeting, and guide the defensive aspects of their private infrastructure providers, as opposed to the defense solely being against whatever you think might be happening.
Jean: Correct. And the government's actually getting much better about trying to push that information out to, um, providers and to critical infrastructure, um, and just share more of that information. Because, again, when you think about the government, um, it really is the whole of the US that we're looking at, and everybody kind of needs to step up and rise, um, their defensive posture, purely because the adversaries continue to just get, um, smarter, more stealthy. They're using much more AI for some of their attacks. Um, they, they're just getting much better. So that, in turn, means we, as the US, um, need to rise up to that challenge and make sure we're staying ahead of the game on that.
Richard: Yeah, it seems like the pool of adversaries who can draw upon the highest-end techniques just continues to expand. Are there any, uh, pieces of advice you might give or recommendations?
Jean: Um, I actually came out from the government. I retired after about thirty-four years from the intelligence community. Um, we were very much of a mindset of, of we were partners with industry, but at the end of the day, um, the government folks really sort of ran the show, and we thought we had a bunch more information and could do things a lot better. And now, being out in the commercial world, what I will tell you is, um, I wish we could have an even better private-... public partnership between the organizations, the cyber defending organizations, all of industry, um, and the government. Because what I'm finding is, yes, commercial cares about the bottom dollar, um, but so many people in the industry really are just trying to assist, and help, and making sure the innovations that they're doing in the private world actually are transferring into the government, so that the government can also take advantage of many of those innovations and steps forward. Um, so that's probably one of the biggest eye-opening things I, I have seen now that I'm out in the private world.
Richard: Elements of the government are uniquely qualified to perform some missions that just by statute, the private sector is not allowed, or at least as of the recording of this video. That is inherently sort of a governmental function.
Jean: Um, but that doesn't mean we can't rely on our industry partners to help in some of those innovations. Not actually performing the actions, but, but making sure that we're, we're keeping pace and getting ahead of our adversaries who are doing the same thing. Because the one other thing that I can remind you of is, in the US, there's, um, rules, there's laws, there's, um, these conditions that we put upon ourselves that many of the adversaries don't worry about, right? So, so it's kind of like you're doing your job handcuffed, but yet we want to do that because that's our law and order. But yet sometimes that, um, keeps us, uh, uh, from, from actually excelling in some of those areas. Um, but interestingly enough, this administration, I, I think you are gonna hear more and more about how we are using offensive cyber in many areas, um, before we go into, um, any, any kind of conflict situations.
Richard: When I said that there isn't threat elimination on the private sector side, strictly speaking, there isn't. You know, Microsoft doesn't put anyone in jail. But Microsoft, as an example, and I'm trying to give them some praise here, has been very aggressive with their legal pursuit of taking down infrastructure. And so I think that's had a huge effect i- a- against, uh, j- just making it more difficult for adversaries to carry out, you know, their mission.
Jean: Absolutely, one hundred percent.
Jean: And, and we need th- those companies like Microsoft to continue to do that.
Richard: Corelight is an open core company. We, we sponsor the Zeek Open Source project. Can you talk a little bit about, um, what you've seen maybe with open source in the, in government entities?
Jean: Open source is wonderful because there are so many eyes, so many experts that get to actually understand, look at the code, um, help move that open source technology forward. Um, that's the best of open source, and it is all based around, um, collaboration that actually moves it forward. Um, the, the flip side of that is, um, y- you really need to know and understand who are those members of the open source, so that you don't inadvertently get, um, an adversary who's going to, um, put backdoors, or, um, really, for some reason, hijack a portion of that code that, that would be hidden, and then it would be deployed widely throughout, say, like, the, the US infrastructure. Um, and so, so open source is wonderful, as long as you understand the provenance of everything that's coming into open source and using the goodness of that collaboration to move forward.
Richard: People can laugh at certain o- operating system vendors as much as they want, but the fact that they've gotten better at application security has simply pushed the attack pressure to other areas, like you said, where it makes more sense now for an intruder to poison GitHub repos and have those smaller projects... Or not smaller projects, but, you know, when I say smaller, I mean one or two devs, but are used by thousands of organizations, have that code just propagate all over the Internet, and suddenly you've got this huge problem, um, as opposed to, you know, a- attacking millions of, of computers via an application exploit. So yeah, I, I completely agree with that. Could you talk to me a little bit about the role of network data or network evidence in, in defensive security for the federal sector, or perhaps maybe how it's not being used as well as you might like to see it?
Jean: I, I would like many of our cybersecurity policies, whether I'm talking about the AI policy or the zero trust, um, architectures, to explicitly recognize the value of network data completeness. And what I really mean by that is, if we're missing the data that's going on at the network layer, that's really where, where the truth comes in.
Richard: All network data is not equal, and saying that you have network covered because you have, for example, a signature-based IDS, that is a piece of, of network data that you could have. You know, my, my own NSM approach, there's four different types of network data, and even within the, the area of trying to acquire situational awareness, network is only one of the four of those. So, uh, you have to be very careful and not deceive yourself that by simply saying: "Well, I have this, so that must cover the network piece. I'm okay." Uh, it turns out if you're not gathering the right kinds of network data, and as you said-... Are you retaining the right type of data? Is it, is it in the right format? Is it actionable? Can I enrich it? Does it make sense to my analysts? All of that is, is nuanced, but very important.
Jean: Yep, absolutely. Um, a- and, and I've actually had this discussion with a lot of the folks who put together so- some of the zero trust, um, strategy documents that have been published. Um, a- and the pushback from them is, "Hey, but we're saying don't trust your network. Um, you know, protect the data, protect the identity, and then you don't have to worry as much about the network."
Um, and that's a way to look at it, but when I have these conversations, what I really try to tell them is, sure, if everything is working one hundred percent perfectly in your environment, and it- and you know you have a hundred percent coverage, perhaps you'll never have to come back and look at the network data.
But having run global WANs and local area networks for much of my career, um, what I could tell you is that's just not reality, right? Um, you think you have something implemented, everything's going well, and then, lo and behold, you find out the configuration you believed you were protecting yourself with isn't actually the configuration that's in operations. You need to include your network data and telemetry as a foundational element, um, to anything you're doing within your cyber defense.
Richard: Yeah. As you might expect, I completely agree, and you reminded me, uh, almost twenty years ago now, I joined General Electric, and when I joined the company, the CISO asked me, when he saw my proposal for network sensors, he said: "Do you really think we need these? Do you think we will have a network anymore, you know, very soon?" Because the cloud was just taking off.
Jean: Mm-hmm.
Richard: And we ended up implementing a huge NSM deployment, and the funny thing is, that network has survived the demise of General Electric as a company. So GE doesn't exist anymore, but the network does.
Jean: Yep. I have had many of those conversations myself.
Richard: Jean, this was a very interesting conversation. You know, I've been involved with this, uh, f- for several years as well, and I always learn something new talking with people who, who make this their, their daily job, so I appreciate you, uh, being on the podcast.
Jean: Oh, thank you so much for having me. It's always a pleasure.
Richard: Thank you for joining us on the Network Defenders Podcast, sponsored by Corelight. We will see you on the network.
You've been listening to Corelight Defenders. To stay informed with expert intelligence on today's cybersecurity challenges, please subscribe to ensure you never miss an episode. We'll see you on the network.