Advice for young startups eyeing federal: What kind of tech does the U.S. Government need?

High-profile cyberattacks against federal systems and critical infrastructure underscore the importance and urgency of strengthening U.S. cybersecurity capabilities. The landmark bipartisan Infrastructure Investment and Jobs Act of 2021 (IIJA) (H.R.3684), signed into law this week, includes about $2 billion in cybersecurity funding for new cybersecurity initiatives across Federal, State, Local, Tribal and Territorial governments. While the investment is welcome, sadly even $2 billion will not make our government systems immune to attack. The scope of the attack surface and dynamic nature of the threat environment make holistically strengthening cybersecurity a complex endeavor. Equally important, high levels of technical debt resulting from a reliance on legacy systems further hinder modernization efforts.

Given the scope and scale of the federal government, building momentum for modernization efforts can be daunting. The Executive Order (EO) on Improving the Nation’s Cybersecurity, issued in May of this year, responds to this challenge by laying a foundation for progress. With its focus on pushing organizations, both in government and industry, to follow best practices for maturing cloud adoption and zero trust, as well as enhancing software supply chain security, the EO has the potential to drive significant advancements in security and resiliency across the federal enterprise.

Adopt security best practices

Recognizing that modernization done right drives security advancements, the EO prompts agencies to:

  • Adopt a cloud-service governance framework
  • Implement a zero-trust network architecture (ZTNA)
  • Enhance software supply chain security

Adopt a cloud-service governance framework

Fundamentally, the EO encourages agencies to continue their cloud adoption journey by transitioning to Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The migration of legacy IT systems to secure cloud services can have cascading positive impacts on agency operations as systems are updated to take advantage of native capabilities around resiliency and reliability; protection of sensitive data; and proactive threat detection, prevention, and response. As agencies move forward in adopting a cloud-governance framework, they will need to reevaluate their approach to security, and in many cases adopt new types of technologies that were not needed in legacy architectures. This presents an opportunity for startups, as often there is no incumbent in place yet in the Federal market, and agencies may be more willing to take a risk on an earlier stage company. For example, agencies may never have had a significant need for Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP) or Infrastructure as Code (IaC) solutions to date, but as the balance of on-prem to cloud shifts, these become vital parts of a security architecture. Similarly, with the cloud making old concepts of network boundaries obsolete, identity is being described as the new perimeter, opening opportunities for novel approaches to identity and access management. And those identity solutions play a big part in our next section, zero-trust.

Implement a zero-trust network architecture

Zero trust is now an integral part of the federal government’s strategy to strengthen cybersecurity in the face of increasingly aggressive and resourceful attackers. In addition to being a multi-year journey, the move away from perimeter-based network defenses toward zero trust security principles of ‘never trust, always verify,’ will require a major paradigm shift in how federal agencies approach cybersecurity. Throughout all aspects of the infrastructure, zero trust embeds security monitoring, security automation, microsegmentation, and granular access controls based on risk to limit access to only what is needed. DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has put together a zero trust architecture that defines five pillars agencies must consider in a mature zero trust architecture:

  • Identity
  • Device
  • Network/Environment
  • Application Workload
  • Data

Each of these pillars plays a vital role, and there is room for innovation in all of them. Identity in particular is a key foundation to a successful zero trust implementation, so better approaches to existing identity solutions like Identity and access management (IAM), Privileged access management (PAM) and Single sign-on (SSO) are needed. CISA’s maturity model for zero trust pushes for a future that is more reliant on continuous monitoring and validation across all pillars, real-time risk analysis, and improved machine learning capabilities to allow these systems to make better, faster decisions.

Enhance software supply chain security

Modernizing federal cybersecurity is just one element of the EO. It also results in a monumental shift in supply chain security requirements by establishing baseline security standards for any software—especially critical software—sold to the federal government. Per the EO’s directive, during the initial phase of the EO’s implementation, products identified as critical software will have to meet the technical requirements issued under Section 4(e) of the Executive Order.

Further, aiming to protect government agencies from the risk of supply chain software attacks, the EO calls for the National Institute of Standards and Technology (NIST) to create new supply chain security protocols and establish best practices, guidelines, and criteria for the future standards that software suppliers will need to comply with to be able to sell software to the federal government. This in and of itself may be the most impactful element of the entire EO, with a potential to improve both government and private sector systems. The EO does not mandate commercial industry change how they handle software supply chain security, but by instead using the carrot of federal government acquisitions, the EO has the potential to finally push much of the commercial software market to change their thinking on the importance of securing their development process.

While many of the software supply chain security requirements are high level, with more detail to be developed by NIST over time, the EO does give some insight into what the expectations for future software products will be. These include, among other things:

  • Employing encryption for data
  • Employing automated tools to maintain trusted source code supply chains, ensuring the integrity of code
  • Automated vulnerability discovery and remediation
  • Maintaining provenance of all software code or components, and implementing controls on internal and third-party components and tools used in the development process

As you can see above, one notable element of the new requirements is for more visibility into the software development process. Any organization that provides software meeting NIST’s definition of critical software will need to provide a Software Bill of Materials (SBOM) that attests to product and supply chain security. An SBOM is a machine-readable document that lists all components in a product. The SBOM ingredient list includes every library—both open-source software (OSS) and commercial off-the-shelf (COTS)—that is included in an application’s code as well as services, dependencies, compositions, and extensions.

We realize the EO can be complex topic, but understanding it will help you understand where to focus your efforts when bringing your capabilities into the Federal market. For help on navigating the Executive Order’s key requirements, deadlines, and solutions, we encourage you to visit Merlin Cyber’s Cyber EO Resource Center.

As agencies mature their cloud adoption; transition from protecting well-defined networks to securing blurry, fluid perimeters; and pivot from trusted systems to zero trust, the need to embrace new, innovative technologies capable of protecting identities representing people, services, and devices on-prem and in the cloud has never been more urgent. The government undoubtedly has a large task ahead of it as it works to modernize its approach to cybersecurity and adopt strategies to ensure ongoing mission success. Its best hope in doing so is to leverage the capabilities being developed by today’s and tomorrow’s startups.

Advice for young startups eyeing federal: Do certifications matter?

One of the things we pride ourselves on at Merlin Ventures is preparing our portfolio companies for the federal market. What that means varies by company, but one area we like to focus on up front is helping you to understand the various federal certifications that exist (there are a bunch!) and which ones you actually need to be concerned about. Perhaps even more important than understanding which certifications matter is developing a timeline that makes sense for your company. Getting it right means you are prepared to take orders when customers are ready to place them. Getting it wrong means potentially wasting hundreds of thousands of dollars on a certification that may expire before it ever helps you.

My goal in this blog post is to spotlight four key certifications. That’s not to say you should drop everything in your roadmap and refocus your engineering team on these immediately. Rather, these are some of the more common ones we see and companies interested in federal should have a plan to address them at the right time.

Before diving into certifications, I should probably clarify that “certifications” isn’t even necessarily the right word. There are a few terms to be aware of, and sometimes they are used interchangeably when they should not be.

  • Compliant – A pretty low bar, compliance means you are following the rules, but no one has verified what you are doing. You’ll see this quite often with companies claiming to be FIPS (Federal Information Processing Standards) compliant, which should not be confused with being FIPS validated.
  • Validated or Certified – This is where a third-party has inspected what you are doing, validated that it does in fact meet the requirements, and certified the results. While validation is technically part of a certification process, these two terms are often used interchangeably. Most notably, you will typically see products referred to as being FIPS validated, meaning they have gone through the FIPS testing process and been shown to meet the requirements.
  • Authorized – This typically refers to a government agency validating that your solution meets their agency requirements and authorizing it for use. You will often see this referred to as an ATO, or Authority to Operate. While getting one ATO can often help you get others, ATOs refer to specific implementations and are not a stand-alone product certification.

Section 508 Compliance and VPAT

Section 508 of the Rehabilitation Act provides accessibility guidelines and requires that information and communications technology (ICT) used by the federal government or organizations funded by the federal government be in compliance with the law. Compliance, while mandated, is self-regulated as there is neither a certification process nor a certification authority that evaluates and attests to compliance.

To assist organizations in demonstrating compliance, the Information Technology Industry Council (ITI) has established a template called the Voluntary Product Accessibility Template (VPAT). A VPAT is a document that explains how ICT products such as software, hardware, electronic content, and support documentation meet laws and standards for IT accessibility. If your organization wants to conduct business with the federal government, you will need a VPAT. While self-assessment is possible, it can be complicated to complete the form internally without substantial accessibility experience. Firms therefore often rely on accessibility consultants to conduct a full audit and check for all applicable portions of Section 508, which includes the technical requirements; the functional performance criteria; and the information, documentation, and support requirements. While this is a requirement for selling into many agencies, the good news is that getting a VPAT is relatively easy and inexpensive.

Federal Information Processing Standard (FIPS) 140-2/140-3 Cryptographic Certification

FIPS 140 is a set of security requirements defined by the National Institute of Standards and Technology (NIST) for cryptographic modules deployed in the federal government. FIPS 140 accreditation validates that hardware and software cryptographic modules produced by private-sector firms meet requirements designed to protect a module from being altered, cracked, or otherwise tampered with. FIPS 140 validation is mandatory for federal agencies that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information and extends to their contractors and service providers.

While FIPS 140-2 has been the standard for the last 20 years, FIPS 140-3 was approved on March 22, 2019 as the successor to FIPS 140-2 and became effective on September 22, 2019. Both FIPS 140-2 and FIPS 140-3 are accepted as current and active, but there are some gotchas to be aware of. While FIPS 140-2-certified modules will be valid until September 21, 2026, unless you are already in the queue, you can no longer apply for FIPS 140-2 validation in the traditional ways. (I say “the traditional way,” because there are some loopholes that still allow you to get a FIPS 140-2 certificate.)

Both FIPS 140-2 and FIPS 140-3 define four security levels, depending on the level of security that is needed. For most commercial software products, we find that level 1 is appropriate. However, FIPS is one place where the difference between “compliant” and “validated” comes into play. While there is some debate about it, many federal agencies will accept software so long as the encryption libraries it uses are FIPS 140 validated, which means the overall solution is compliant. However, some agencies will require that the entire product receives its own validation. We typically recommend our partners set themselves up to be able to go through the validation process, if necessary, but stick with compliance until they get to that point. While the standard FIPS validation process is extremely lengthy, there are some alternative approaches that we can recommend that can get companies through the process in a couple of months if it becomes necessary.

National Information Assurance Partnership (NIAP) Common Criteria Certification

Operated by the National Security Agency, NIAP is responsible for U.S. implementation of the Common Criteria, including management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. NIAP’s mandate is to provide neutral third-party testing of Commercial Off The Shelf (COTS) Information Assurance (IA) and IA-enabled IT products used in National Security Systems (NSS). NIAP certification is mandated by federal procurement requirements (CNSSP 11) for layered COTS product solutions to protect information on NSS and is most applicable to the Intelligence Community (IC), Department of Defense (DoD), and DoD contractors or affiliates.

NIAP evaluations are conducted by Common Criteria Test Labs (CCTLs) that are accredited by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). All products evaluated under NIAP must demonstrate exact compliance to the applicable Protection Profile (PP), which is an implementation-independent set of security requirements and test activities for a particular technology that enables achievable, repeatable, and testable evaluations. Evaluations can be completed in less than 90 days, but must not exceed 180 days.

Common Criteria evaluation includes both cryptographic and non-cryptographic security functions of an IA or IA-enabled COTS IT product. In many cases, the cryptographic portion of a product will be evaluated under FIPS 140-2/FIPS 140-3. To eliminate duplicate test activities, NIAP accepts Cryptographic Algorithm Validation Program (CAVP) and CMVP certificates to demonstrate compliance to certain test requirements. To be posted on the NIAP Product Compliant List (PCL), the product’s cryptography must have a CAVP certificate, and optimally, a CMVP certificate. A NIAP certificate indicates that the product has successfully completed an evaluation and complies with the requirements of the NIAP program and, where applicable, the requirements of the FIPS validation program.

If and when to pursue Common Criteria certification is dependent on where you expect to sell your product within the U.S. Government. As mentioned above, while much of DOD will require it, most civilian agencies do not.

Federal Risk and Authorization Management Program (FedRAMP)

Established in 2011, FedRAMP is one of the government’s most rigorous security compliance frameworks. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for commercial cloud products and services used by the U.S. government. While difficult to achieve, the beauty of a FedRAMP ATO is that it qualifies a cloud service offering (CSO) to be used at multiple agencies.

Before a CSO can be used by a federal agency, it must demonstrate compliance with all FedRAMP requirements, which are outlined in NIST 800-53. Additionally, a cloud service provider (CSP) must implement continuous monitoring and regular evaluation against this standard to maintain its status.

Because of the various gates that are part of the process, FedRAMP typically takes at least six months to get through, although it’s not unheard of for companies to take two years to complete it.  For SaaS-only products, FedRAMP can be a significant barrier to entry to the federal market, and it’s one that’s important to plan for. Even before a company is necessarily ready to invest in going through the formal process, there is pre-work that can be done to set yourself up for success, and understanding that timeline is key to entering the federal market at the right time.

Merlin has built out its own FedRAMP managed service called Constellation GovCloud to help companies get through the process more easily. If you’re looking for more info on FedRAMP, the Constellation site and blog are great sources of information.

Section 508, VPAT, FIPS, NIAP, FedRAMP… In this world of regulations that read like alphabet soup, we understand the challenges of complying. A big part of taking on the federal market is knowing when is the right time to pursue critical certifications. If you’re uncertain which standards you need to comply with – and when – we’re here to help.

Advice for young startups eyeing federal: Does the U.S. Government buy Israeli tech?

With many Israeli startup founders coming out of Unit 8200 and other cybersecurity-related groups within the Israeli military, the solutions they develop are often a natural fit for the types of threats government agencies face. As a result, it’s not surprising that Israeli CEOs are deeply interested in knowing whether they can sell their products to U.S. government agencies. When they ask, we try to give as definitive an answer as we can: Yes, no and maybe.

To answer the question more conclusively, we need to consider that there are multiple groups within the U.S. government, and the security profile and needs of agencies within those groups can vary widely. So, let’s start by understanding those groups:

  • Civilian agencies typically deal with the issues of running the country and primarily focus on providing citizen services: Education, Labor, State, Health and Human Services. These agencies have an IT budget of nearly $60 billion.
  • Department of Defense (DoD) agencies are related to the military, like the Army, Navy and Air Force. In 2021, DoD reported a budget of about $36 billion for IT programs, although actual numbers are higher considering some of this budget is classified.
  • Intelligence Community (IC) agencies gather intelligence for the U.S. government. These are sometimes referred to as the “three-letter agencies,” and include CIA, NSA, NGA and others. Depending on the agency and how it is chartered, it may fall under a DoD reporting structure. Much of the IC budget is classified and not directly reported.

As you may imagine, different agency missions call for different levels of concern about using foreign software. Because of their intelligence backgrounds, we find many Israeli founders gravitate toward wanting to sell to the IC right away. While such technology may serve an obvious need for intelligence agencies, these agencies are also the most sensitive as to where their software comes from and tend to strongly prefer U.S. suppliers. Given that, the IC is not a place we advise Israeli startups to spend their energy.

However, that does not mean the entire U.S. government is off-limits. While there are always exceptions, civilian agencies tend to be far less sensitive to the use of software from allied nations, and some (like DHS) even have programs to encourage Israeli companies to bring their innovations to the U.S. Civilian agencies have massive enterprises, are constantly being targeted by adversaries and are very much in need of the best cybersecurity capabilities available. And these are not small accounts by any measure – the Department of Veterans Affairs alone has more than 300,000 employees, and the U.S. Postal Service has more than 500,000. Meanwhile, as the frequency of attacks against these agencies increases, there is an increased awareness (and budget) around the need for better cybersecurity solutions.

Civilian agencies are generally where we steer Israeli companies to spend most of their initial efforts, but DoD should not be entirely avoided either. While there are certain parts of DoD that will lean heavily toward only using domestic software, a good portion of the DoD is open to using the best solution available that meets their needs. The good news is that this mindset has led to programs like the Air Force’s AFWERX, which is designed to bring innovation into DoD. The challenge for foreign startups, however, is that many of the funds from these programs (Small Business Innovation Research—SBIR—grants, in particular) are limited to U.S.-based companies.

This means that while much of DoD is open to using Israeli startup technology, the sales process can be more difficult than it is for U.S.-based companies. Again, this is not a showstopper, but something to be aware of because many Israeli entrepreneurs get excited when they hear about all the DoD programs that fund innovative startups. That is until they go down the path and eventually realize they need to follow more traditional sales methods.

The U.S. Federal Government is a massive enterprise with some of the most challenging cybersecurity needs in the world. We encourage Israeli companies to take their capabilities to the agencies that need and want them. Ultimately, the startups with a clear strategy for the federal market and an understanding of where to focus precious sales resources are the ones that succeed.

What Merlin Ventures looks for in startups

There’s no doubt that 2021 has seen record-setting attacks, including last week’s announcement about an Atlassian Confluence vulnerability being exploited in the wild. Driven in part by the geopolitical climate, cyberattacks against U.S. federal, state, and local governments are growing in frequency, sophistication, and boldness. Between high-profile attacks such as the SolarWinds and Kaseya breaches and a shift to cloud computing that has rendered traditional perimeter security obsolete, government agencies are facing an increasingly urgent need to prioritize security.

With a $200 billion annual spend for public-sector IT solutions, of which about $120 billion is federal, the U.S. government is the largest market in the world. It’s also a critical path for cybersecurity startups looking to transition into the next phase of growth. While startups serve as a fertile ground for much-needed innovation in cybersecurity, navigating the federal market is incredibly complex for any emerging company, and doubly so for those based outside the U.S. Even knowing when the right time to actively engage these markets can be difficult, and getting it wrong can cost startups, both in terms of direct spend for unnecessary outlays and the potential for missed opportunities.

For starters, a company must invest in certain compliance regimes in order to even sell into federal. For SaaS companies, one particular challenge is FedRAMP authorization, which, depending on your approach, can cost as much as $2 million and take as long as two years to complete. The good news is there are faster, more efficient approaches, but understanding them and having a trusted voice to turn to throughout the process is key. But even beyond compliance, federal sales are expensive and time-consuming; it can easily take 18 months to see revenue coming out of the federal market. That’s why having someone there to advise and help you on that journey is so important.

Given that opportunity, most companies eventually reach a point where they realize the need for a strategy for tackling the government market. But that point often comes a bit later than it should, when their competitors are already in the market and they have a lot of ground to make up. That was one of the drivers behind creating Merlin Ventures – to find companies that were strong fits for government and help guide and prepare them to enter the market at the best time for them.

So which companies are we looking to invest in? Merlin Ventures looks for visionary companies on the cybersecurity frontier that address the nation’s most critical cybersecurity challenges. Technologies especially essential for the security and resiliency of the country – and most sought after – include those addressing supply chain security, cloud security, Zero Trust, identity and multi-factor authentication – as well as those that align with the recent Executive Order.

Given the size of federal agencies, our ideal candidates have the ability to scale to large enterprises, but we also recognize that not every Series A startup is ready to conquer organizations with hundreds of thousands of employees on Day 1. What we’re looking for is the desire to get there, along with the expertise to make it happen so that they can tackle the problems of the largest, most complex enterprises in the world

Every investment in our portfolio benefits from our expertise within the public sector markets and enjoys critical engineering, go-to-market, sales, and support services from Merlin’s team. By investing in companies at the Seed to Series B stage before they are ready to take on the federal market, we can provide guidance that will help them achieve commercial traction and ultimately propel them into the U.S. public-sector market faster.

A success story for us is to strategically invest in promising startups at the Seed or Series A level before they are necessarily ready to focus on federal. We want our companies to be as successful as possible, and a big part of that is knowing when is the right time to pursue government markets. Go too early and you risk distracting from the faster sales cycle of commercial. Wait too long and you risk letting competitors become entrenched in this very lucrative market.

While Merlin Ventures’ greatest strength lies in our government knowledge, we work with our companies to help them succeed wherever we can. Sometimes that means introductions to commercial advisors and partners. Sometimes that means working with them on their commercial marketing strategies. And when they are ready, we work with them on their federal strategy to help them accelerate into that market as quickly as possible. Initially, that means working with you on your government go-to-market strategies, staffing, and certification timelines. But as those take hold and you start to build up a sales pipeline, that also includes working with our Merlin Cyber sales team to come up with pricing and procurement strategies, get you onto the right federal contracts, and help you close your sales.

Like any investor, Merlin Ventures’ ultimate goal is to see our companies be wildly successful with strong outcomes for all involved. But where we differ is our ability to leverage a toolbox we’ve built over 25 years of bringing some of the world’s most successful cybersecurity companies into government. Will yours be next?

Why we created Merlin Ventures

There are 607 venture capital firms operating in Israel. (Trust us. We had our poor analyst count them.) Of those, 146 do cyber investments. So clearly what Israel, and the world at large, needs now is pretty much anything other than one more cyber-focused VC.

Given what some might perceive as a glut in the VC market, one may ask, “What drove us to create yet another cyber-focused VC? Why not just take the money being invested in this effort and put it into something useful, like Dogecoin?”

To answer that, let’s start by taking a step back and looking at where Merlin Ventures came from. Our story begins 25 years ago, when our fearless leader David, drawing on experience gained from his time in the Navy as well as with various defense contractors, decided to start a new company. Over those 25 years, Merlin International did many things, including software development, government services, and software sales.

As the company grew, the Merlin team realized that they excelled in bringing the best cybersecurity players in the commercial market into the U.S. federal market. By helping them navigate the federal market, Merlin International (by now renamed Merlin Cyber) brought the federal government best-of-breed solutions from companies that otherwise might never have been ready to operate within the public sector.

That brings us to today. Merlin Cyber continues to work with some of the most successful software companies in the world, helping them to solve the critical cybersecurity challenges of one of the most important customers in the world. But larger, established players are only part of the cybersecurity ecosystem. Many of the most forward-looking solutions come from startups unencumbered by existing business models and the need to support legacy products. Such companies bring together the best and brightest minds from industry, academia, and the military and create truly amazing solutions that federal customers desperately need.

I saw this first-hand during my five years at In-Q-Tel, a VC firm stood up by the U.S. government to help bring the most innovative startup technologies into the Intelligence Community (IC). But IQT focuses on just bringing capabilities to the IC. As a result, most of its efforts focus on U.S.-based startups. IQT is also a non-profit. While they do their best to help startups meet the needs of their customers, there are legal limits as to what they can provide in terms of helping such startups to sell products.

Thus, when Merlin approached me about building up a new VC that could leverage the capabilities of Merlin Cyber to help bring novel technologies into federal agencies, something clicked. Here was a chance to work with companies from Israel and other allied nations that had amazing capabilities and actively help them to succeed in a market that desperately needs their innovations.

To be clear, Merlin Ventures is not looking to bring early-stage startups into the federal government on Day One. A company that has just raised its Series A funding typically needs to focus on building commercial traction before it can invest the resources needed to successfully tackle the federal market. But having the right guidance at that stage to know where and when to invest to prepare for the massive federal and broader public sector market is key.

That’s where the Merlin Ventures’ model comes in. We are looking for emerging startups that are going to turn the cybersecurity world on its head. We want to find them before they are ready to tackle the public sector market, serve as an advisor to help them succeed in the commercial market, and, when they are ready, equip them with resources that will help them accelerate into federal far faster than they’d be able to do on their own.

So that’s why there are now 607 VCs in Israel. Because with 606, there was still a gap that needed to be filled.

For more about Merlin Ventures, watch my recent interview with Gartner Israel:

Amazon Web Services acquires Merlin Ventures portfolio partner Wickr

Amazon Web Services announced today that they have acquired Wickr, the IT industry’s most secure, end-to-end encrypted, communication platform. The 10-year-old company has grown rapidly and has been a Merlin Ventures portfolio partner since 2019. Merlin congratulates Wickr on this exciting next step in its evolution!

You can read more about the acquisition in the AWS Security Blog.

Why fly when you can SOAR? 5 things you’re getting wrong about security orchestration, automation and response

Security orchestration, automation, and response (SOAR) solutions are often billed as a panacea that will solve all of a security operations center’s (SOC) problems, reduce mean time to repair (MTTR), improve efficiency, act as a single pane of glass, and even make a really good cup of coffee. You name it and someone somewhere has claimed that a SOAR platform can do it. The truth, however, is a little more complicated.

Yes, a SOAR solution can automate a great number of tasks—if properly implemented. If a task can be broken down into steps that are repeatable, reusable, and consistent, then it has the potential to be automated. But if an organization tries to take on too much at once or is unfocused in its approach, the implementation can rapidly get out of hand and lead to failure and ultimately shelfware. Here are a few examples of common mistakes and misconceptions about SOARs.

Boiling the ocean

A SOAR solution can be incredibly powerful; the initial desire to automate everything in sight is akin to the first time you get a label maker. You want to apply it to everything, all at once. Some of the worst experiences I’ve seen have come from an environment where they tried to build a complex interweave of use cases and became bogged down in the details and frustrations. The key to a successful implementation is to start small. Find one or two simple use cases that allow the SOC team to get a handle on what can be done and the thought process to build the use case. Initial simple automations and response actions such as threat enrichment of an IOC (indicator of compromise), hash, or URL are particularly effective as they can be easily reused as part of more complex actions later.

Training? I don’t need any stinkin’ training!

Yes, you do. While this is often the first thing on the cutting room floor when budgeting for a new solution, training usually makes the difference between a successful implementation and a package becoming shelfware. This is the opportunity for your team to ask questions of the people who implement and use the technology daily. Take advantage of it. A SOAR platform, like most integration-focused solutions, has many hidden features and nuances to how complex actions like a workflow are created. These are going to be automated actions that are hopefully going to run your business and you’ll need to understand how they are constructed.

I have scripts, isn’t that the same thing?

Most engineers, analysts, or administrators who have worked in IT for more than a few years have ended up running into tasks that they find themselves doing repeatedly. Inevitably, someone on the team will write a script, whether it is Visual Basic, a batch file, or a snippet of Java for each of those routine tasks. Those scripts are running continually in SOC near you right now. So, the question becomes: If I’ve already got scripts running, why do I need a SOAR? Remember, SOAR stands for security orchestration, automation, and response. Automation refers to performing singular tasks repeatedly, orchestration is putting multiple singular tasks together, and response is really the key because it’s the ability to evaluate, make a choice, and then perform additional actions. The ability to build-in complex response actions, either in an automated fashion or via human interaction, is one of the primary differentiators of a good SOAR platform. This doesn’t mean throwing the scripts out, it means taking them and converting them into SOAR workflows that can provide response choices, in-depth auditing and error tracking, and consistent integration across multiple platforms. This is where SOAR sets itself apart.

It will be done tomorrow right?

Not likely. While an initial set of use cases or workflows can usually be imported from the SOAR vendor, they still need to be customized to your environment. For instance, it may have been written for a different firewall or threat feed vendor. Each of these steps will need to be verified and tested with the current version of the existing platforms deployed in the environment. A simple version difference in the target platform can make a huge difference. Which brings us to…

Integrations are simple

Umm, no. To be successful, a SOAR platform will need to communicate with many different platforms that already exist in your environment. Let’s face it, the IT space is full of companies that are often competing with one another in multiple verticals and one vendor is rarely sole-sourced throughout the organization. It’s not uncommon to see vendors significantly change APIs, database structure, architecture, and platforms in between versions with either missing or incorrect documentation to go with it. These changes are not made to purposefully break outside integrations but are instead made with their own interests in mind. Simply put, IT infrastructures are complex environments with lots of moving parts that need to be carefully integrated to get the best value from the solutions. Often the response from vendors’ support teams will boil down to “not my problem.” Ultimately, a good SOAR vendor will try and keep up with the integrations as new versions are released, but some of this will also come back to a good relationship between you and your vendor. Simply letting them know that a new version released and that you intend to upgrade soon can change the integration team’s process to better support you.

Things to keep in mind

So, what are the main takeaways? SOAR solutions can be incredibly powerful enablers of the cyber and operations teams if some simple rules are followed:

  • Stay focused. Choose a singular task to learn what works in your organization. Use this as your inhouse training scenario to learn the process.
  • Take your time. Diagram the workflow on a whiteboard and take your time finding the lowest common denominator to help pick one or two use cases to leverage as your showcase.
  • Identify simple integrations. Choose the deployed solutions that can be easily integrated to start with. Typically, they will be API driven and allow you to combine with threat enrichment to see immediate benefits.
  • Re-use. Ideally, your SOAR platform allows you to reuse the work you’ve already done. You’ve created the first piece of the puzzle for the future and you can leverage that same structure and concept again to reduce the amount of effort on your next workflow.

Merlin Cyber has partnered with Swimlane to help our public-sector customers avoid these and many other challenges that they encounter. Swimlane provides a comprehensive SOAR platform leveraging a drag-and-drop workflow builder that enables organizations to rapidly build and deploy workflows to the field. With built-in case management, auditing, reporting, and a robust integration library, Swimlane provides environments with the tools they need to be successful.


If your organization wants to rapidly improve staff efficiency and drastically decrease MTTR by leveraging a powerful SOAR platform, we can demo Swimlane and help customize a solution that meets your objectives. 

Cyber hygiene starts with good tools configuration

Last month, the Government Accountability Office released a new report titled DOD Needs to Take Decisive Actions to Improve Cyber Hygiene. The GAO report found that the Defense Department is behind on three major cyber hygiene initiatives and lacks cybersecurity accountability among its leadership. If a critical government agency like the DOD struggles with cyber hygiene, what about a regular company?

An average-sized company usually has 25-plus security vendors. Organizations have implemented tool after tool in efforts to secure their data, systems, and users. This has left them with misconfigured, repetitive, or siloed tools and an uphill climb toward proper cyber hygiene.

RELATED: 5 of the biggest cyber hygiene myths

While proper cyber hygiene involves tools, training, and policies, having a fragmented toolset makes the concept a non-starter. Tool fragmentation and overlapping tool capabilities put additional burden on IT staff, making it difficult to respond to threats, quantify risks, or effectively manage an organization’s most critical security controls. As a result, the organization’s cyber hygiene suffers.

Poor cyber hygiene creates security vulnerabilities that require decisive action. It’s vitally important to correctly configure, maintain, and ensure that your security tools are effective. In other words, cybersecurity leaders should consider maximizing the ROI on already-purchased tools before adding new ones to their crowded ecosystem.

Tool-proof your cyber hygiene

Practicing proper cyber hygiene goes beyond just purchasing and implementing security tools. Using the tools correctly is what helps solidify overall cybersecurity posture. And it all starts with proper configuration of the tools you have.

Establishing configuration baselines is a fundamental but often overlooked cyber hygiene task. Why else is tool misconfiguration a frequent cause of breaches? While we rely on security tools to maintain proper hygiene, their effectiveness is entirely in our hands.

Here’s how to weigh the performance and usage of existing security tools:

  1. Analyze if the tools you’re using are engineered properly and behaving correctly. For example, if it’s a vulnerability scanner, is it updated and scanning your entire IT landscape? If it’s a next-generation firewall, are you using all the features appropriately?
  2. Review and score every tool with a critical eye. Try to rationalize each tool against your organization’s current and future needs. Move past qualitative descriptions and into quantitative analysis by ranking and scoring them with questions like:
    • Does this tool have a niche or special purpose?
    • Is it more or less secure than other options?
  3. Examine each tool’s actual configuration. Is it configured securely? Does it have default passwords or other weak controls? How easy is it to harden?

The complexity of today’s IT infrastructures coupled with security tool fragmentation and misconfiguration makes cyber hygiene challenging for companies of all sizes. Security tools are only as strong as an organization’s internal process for maintaining them. Luckily, there are solutions that automate much of the work and provide organizations with a comprehensive way to implement and maintain proper cyber hygiene.

5 of the biggest cyber hygiene myths

Tackling common misconceptions about enterprise security

Proper cyber hygiene is a desirable but sometimes elusive practice for many organizations. And it can be hard to separate fact vs. fiction. Read on as Miguel Sian, Merlin’s Director of Solutions Architecture and Engineering, busts a handful of security posture myths.

Cyber muyths busted graphic

 

Most organizations would agree that proper cyber hygiene is essential for maintaining their cybersecurity posture. Each will also likely affirm that they practice good cyber hygiene; yet, we find that many have considerable blind spots. We’ll shine a light on these blind spots by exposing five of the biggest myths about cyber hygiene.

First, a primer. What is cyber hygiene? The CERT Resilience Management Model (CERT-RMM) defines cyber hygiene as a set of practices for effectively managing the most common and pervasive risks to the organization. The Center for Internet Security (CIS) defines cyber hygiene as a set of baseline cybersecurity protections that help to secure an organization. Fundamentally, cyber hygiene involves the strategies and activities that ensure your enterprise IT security is in tip-top shape (health) and protecting your organization from threats (prevention).

RELATED: Cyber hygiene starts with good tools configuration

Proper cyber hygiene spans people, process, and technology. It starts with having complete visibility of all your assets, followed by effective security tools and processes to identify, detect, and protect your assets against threats. Last but not least, you must implement effective access management. With this as the backdrop, let’s quash five common myths about cyber hygiene.

MYTH #1


“We have several management tools (i.e., NAC, SCCM) and a CMDB that ensure we know precisely what’s on our network.”

How many CISOs honestly believe that they have a truly accurate count of their hardware and software assets? Just one glance at two systems management tools (vulnerability management and Active Directory) would likely reveal a discrepancy of the total number of computer accounts in your enterprise. Furthermore, increasing cloud adoption and remote work can undermine what you believe might be on your network.

 


MYTH #2

 

“My users and endpoints are adequately protected with endpoint security tools such as anti-virus and EDR, along with policies we’ve implemented to protect our devices.”


Anti-virus and endpoint detection and response (EDR) solutions have long been good practices for endpoint hygiene, but they are no longer enough. New, emerging threats in the hardware layer – on mice, keyboards, webcams, switches – can go undetected by these endpoint security solutions. Furthermore, attacks on the supply chain compound the risks from these emerging threats.

 


MYTH #3

“We have security tools and processes established for configuration management, patch management, and vulnerability management that ensure our basic security hygiene.”

Organizations often overlook and fail to adequately monitor the tools themselves and processes that ensure these basic security hygiene tasks. This is likely a result of lacking a central place to monitor the configuration and effectiveness of all their enterprise tools. Furthermore, organizations typically can’t relate these security challenges to overall business impact. For a complete picture of cyber hygiene, it’s important to know the tools’ security posture and effectiveness in meeting the organization’s security controls, and how they protect the applications that deliver on the business outcomes.


MYTH #4

“Our annual compliance audits against industry security frameworks provide adequate security and communications for our stakeholders.”

Regular audits are essential and frameworks such as NIST CSF provide a comprehensive set of security guidance. Yet, we’ve found that organizations are unable to continuously monitor their most critical security controls. As a result, organizations are unable to prioritize what’s truly important nor effectively communicate the risks across the enterprise.

 


MYTH #5

“We have controls that ensure proper access management.”

If this is true, we should not be seeing an increase in data breaches since a majority start with privilege credential abuse. Organizations must take a comprehensive approach to access management. There are silos of identity sources and disparate identity management tools in the enterprise. This makes securing access across the enterprise challenging. It’s critical to establish visibility, then monitor the security controls for access to critical systems.

It’s time to take a strategic approach to cyber hygiene. With today’s rapidly shifting situation in IT and business, risks and uncertainties abound. A renewed focus on the basic fundamentals of cyber hygiene provides us with the key principles and foundation needed to establish a comprehensive cybersecurity posture for our enterprise.

Eliminate the strain

Fundamental health hygiene is more important now than ever before. The same holds true for cyber hygiene – this is your foundation for proactive cyber defense. We’re already seeing cyber criminals, as well as nation state sponsors, taking advantage of the COVID-19 situation by attacking hospitals, corporate enterprises, supply chains, as well as senior executives with a variety of phishing scams, malware deployments, and attacks designed to penetrate vulnerabilities in the network.

The strain being put on your remote employees to access your network is immense. In order to ensure the security of your enterprise infrastructure and to step up to ensure business continuity, you need to understand and maintain pristine cyber hygiene on your existing network VPN, firewalls, endpoints as well as remote access.

Implementing a cyber hygiene monitoring tool like Cyber Observer enables you to track and score cybersecurity in near real time. By continuously measuring the status of your security environment with Critical Security Controls from relevant security tools, Cyber Observer empowers you to make insightful decisions to help you ensure the security you have in place is doing what it is intended to do while equipping you with the data and knowledge you need to make the right risk-based decisions. The platform provides a comprehensive view of enterprise Cyber Readiness to improve your ability to prevent and detect cyber-attacks.

As important as it is to assess personal health, now is the time to also assess your cybersecurity health. Doing so with Cyber Observer gives your security team confidence and control, and enables them to concentrate their time on mission- and business-critical priorities.

Contact us to learn more about our special offer.