Federal Chief Information Security Officer (CISO) Chris DeRusha gave broad credit today to Federal agencies for making marked improvements in cybersecurity over the past few years, and cited the ability of one larger agency – which he did not name – with being able to take particularly quick action in the face of the Ivanti vulnerabilities that the government began warning about in January.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Jan. 19 requiring Federal agencies to mitigate “widespread and active exploitation” of vulnerabilities in Ivanti Connect Secure VPN and Policy Secure network access control appliances.
That warning followed Ivanti’s statement earlier in the month about vulnerabilities that allow an attacker to move laterally across a target network, perform data exfiltration, and establish persistent system access.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in January that that the “potential exposure” for Federal agencies was limited, but that there were around 15 agencies that were using Ivanti’s products. Just days later, CISA ordered Federal agencies to temporarily shut down all instances of Ivanti Connect Secure and Ivanti Policy Secure VPN products on their networks no later than Feb. 2.
Speaking today at the Zscaler Public Sector Summit in Washington, DeRusha was asked to describe any recent success stories on the Federal government cybersecurity front. He declined to name any particular agencies in his reply but singled out one agency’s quick move to Secure Access Service Edge (SASE) tech in response to the Ivanti vulnerability warnings.
In a discussion with Kavitha Mariappan, Zscaler’s EVP of customer experience and transformation, DeRusha said, “I can talk about some of the anecdotes.”
“You’re a major SASE provider,” he continued, adding, “We’ve definitely seen some real benefits and speed … throughput and latency, I mean big, big, big swings as agencies have switched over to the solutions.”
“And we’ve even seen moments where, for example, in the Ivanti VPN vulnerability event that we all went through recently, we had a huge agency flip, you know, 100,000 people in five days over to a SASE solution and away from something that was looking pretty scary,” he said.
“And what’s interesting about that is it’s not just like a technology play,” he continued.
“That was the CISO and the CIO kind of going to agency leadership and saying, ‘Hey, we’ve got a cybersecurity risk that’s exigent and we need to take an action that is faster than we were planning and could cause disruption to services … but we need to do it.’ And they said yes,” DeRusha recounted.
“I think that is this intangible piece of progress we’re making because this is not just a technology problem,” he said. “I mean, come on, it’s like that’s the smallest part. This is getting people to allow us to sort of do our jobs and see it as a beneficial thing to the organization and to them to do so.”
“I think it’s all the efforts that we’ve had across the board, at the leadership and governance levels as well, that enable these agencies to kind of make big changes which they’ve wanted to make for quite some time,” the Federal CISO said. “But I do feel like we’ve pushed so hard [that] we’ve enabled a lot of the changes that people knew they needed or wanted anyway.”