Oak Ridge Considers Supplementing In-House Cybersecurity Operations, CISO Says

Oak Ridge National Laboratory wants to move to managed threat detection and response services, according to the lab’s top cybersecurity official. 

Kevin Kerr, Chief Information Security Officer for Oak Ridge National Laboratory, told Nextgov in an interview he hopes to supplement some of the agency’s cybersecurity operations with a managed service in order to adopt a proactive approach to shutting down vulnerabilities. 

Oak Ridge still has its own in-house security team and security operations center, but Kerr said the volume of threats is simply too large for his team to handle alone. 

“You have a changing environment, you have the ever-changing threat,” Kerr said. “So we started looking at an MTDR-type environment to help us and act as a force multiplier.” 

The idea is that hiring a vendor to help manage and automate security will give Oak Ridge a holistic view of the threat landscape. Working with a vendor that handles security not only for one government agency, but entities in completely different sectors, means Oak Ridge would be able to track potentially dangerous trends before that potential is realized.  

Last year, Oak Ridge partnered with third-party companies to do penetration testing because they didn’t have the time or the expertise to do it all themselves. Kerr said he’s seen serious improvements as a result of the outside testing because it showed not only where the vulnerabilities are but how adversaries exploit those vulnerabilities. 

This process has helped Oak Ridge over the past year begin moving to a DevSecOps framework. Kerr believes moving to a managed threat detection and response service can give the same kind of boost to his security team as the third party penetration testing. 

Kerr was CISO at the lab in 2011 when Oak Ridge experienced a nation-state attack. At the time, Kerr said they didn’t have a team prepared to stop the attack from happening.

“Within 24 hours we had a team of 30 people on site,” Kerr said, describing how they quickly spun up a response group. “But that wasn’t there and it was reactive. With an MTDR, it’s there, it’s proactive.” 

Managed services, Kerr said, also helps agencies navigate budgetary constraints with continuous updates and upgrades. That way, Kerr doesn’t have to buy a tool that becomes obsolete before he can get the authority to replace it. 

September 30 marks an Office of Management and Budget deadline for Federal Information Security Management Act, or FISMA, compliance. By the end of the month, federal agencies are supposed to complete security operations center consolidation or migrate to security operations centers-as-a-service, which means subscription or software-based security services. 

“I don’t know if anybody within the gov environment is 100% here yet,” Kerr said. “So I’m looking at [MTDR] to get me there quicker, faster, cheaper.” 

Editor’s Note: This headline was updated to clarify that service would be in addition to Oak Ridge’s internal operations.