This blog is an excerpt from GovLoop’s recent industry perspective, Getting the Most from Continuous Diagnostic and Mitigation.
The Continuous Diagnostics and Mitigation (CDM) program supports the shift in government cybersecurity to continuous monitoring of information systems and networks. Implementing CDM requires an integrated threat defense strategy that supports automation and simplicity in your security architecture.
Federal networks become increasingly complex as they evolve to support critical internal missions and the delivery of citizen services. At the same time, they face a continuous barrage of probes and attacks from increasingly sophisticated adversaries. To protect complex networks in the face of these threats, federal cybersecurity is evolving beyond periodic assessment of static security controls to continuous monitoring.
To support this shift, the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program provides a suite of commercial off-the-shelf products to help agencies know what is on their networks, who is on their networks and what is happening on their networks, and to respond to suspicious activity—in as close to real time as possible. The value of continuous monitoring was demonstrated as early as 2009 at the State Department, where then-CISO John Streufert showed that a monitoring program that included accountability and risk-based prioritization reduced vulnerabilities by 90 percent in one year and cut the costs of accrediting IT systems by 62 percent.
The key to implementing a successful continuous monitoring program is an integrated threat defense strategy supporting a holistic security architecture rather than a collection of point solutions. Integration enables automation, which allows faster detection and remediation of problems, and simplicity, which produces actionable information that can be used to make decisions.
The program was initially implemented with the following three phases, with the possibility that a fourth will be added soon.
Phase 1: Endpoint Integrity
Endpoint integrity is about knowing what’s on the network, and managing endpoint configurations and vulnerabilities. This phase leverages sensors to enable discovery and management of all network hardware and software.
The configuration of all hardware and software is evaluated, and settings are managed so that they comply with security and mission requirements. Vulnerability management identifies known security vulnerabilities and scores them for prioritization, allowing the most serious issues to be addressed first. Not all vulnerabilities can be eliminated; some are mitigated to present the least risk possible, and some can be accepted if they are minor and the systems they affect are low-impact.
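The risk-based prioritization described above, as an added example that is not part of the GovLoop text or any CDM product: each scanner finding is weighted by the impact level of the system it affects, ordered so the most serious issues come first, and given a disposition of remediate, mitigate or accept. The severity scale, impact categories, thresholds, hosts and vulnerability ids are all assumed or constructed.

```python
# Added example (not from the GovLoop/CDM text): a risk-based vulnerability
# triage rule of the kind Phase 1 describes. Severity scores and FIPS 199-style
# system impact levels are assumed inputs; the thresholds below are constructed.
from dataclasses import dataclass

IMPACT_WEIGHT = {"low": 1.0, "moderate": 1.5, "high": 2.0}

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str       # scanner or CVE identifier (placeholder values below)
    severity: float    # 0.0-10.0, CVSS-style base score reported by the scanner
    impact: str        # FIPS 199 categorization of the affected system

def risk_score(f: Finding) -> float:
    """Weight scanner severity by the impact level of the affected system."""
    return round(f.severity * IMPACT_WEIGHT[f.impact], 1)

def disposition(f: Finding) -> str:
    """Map a finding to remediate / mitigate / accept.
    Assumed rule: only minor findings on low-impact systems may be accepted;
    critical findings, and any finding on a high-impact system, are remediated;
    everything else gets a compensating mitigation until it can be fixed."""
    if f.severity < 4.0 and f.impact == "low":
        return "accept"
    if f.severity >= 9.0 or f.impact == "high":
        return "remediate"
    return "mitigate"

def prioritize(findings):
    """Return findings ordered so the most serious issues are addressed first."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings (hosts and ids are placeholders, not real data).
SAMPLE = [
    Finding("web-01", "VULN-0001", 9.8, "moderate"),
    Finding("kiosk-07", "VULN-0002", 3.1, "low"),
    Finding("db-02", "VULN-0003", 6.5, "high"),
    Finding("file-03", "VULN-0004", 7.5, "moderate"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {disposition(f):9s}  {f.host}  {f.vuln_id}")
```

Note that the same 6.5 finding outranks a 7.5 finding here because it sits on a high-impact system; that is the point of weighting by impact rather than sorting on raw scanner severity.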
Phase 2: Least Privilege and Infrastructure Integrity
Many agencies are now moving into this phase, which has two purposes: to know who is on the network, and to manage their access privileges and activities.
The goal is to ensure that only trusted users are on the network. Once the credentials used to access network resources (including passwords and hardware or software tokens) are effectively managed, individual privileges can be managed as well. Users are provided access only to those assets and activities needed for their jobs.
“While this might seem a simple task, it is no small undertaking in large federated cabinet agencies where employees and contractors change roles frequently; moreover, the ongoing dependence upon legacy systems often presents both a technical and financial challenge,” said Frank Baitman, Cisco Systems Fellow and former CIO for the U.S. Department of Health and Human Services.
Knowing who is on the network and managing what they are allowed to do not only reduces the opportunities for outsiders to breach defenses, but also reduces insider threats.
Phase 3: Boundary Protection and Event Management
This phase focuses on managing the complete security lifecycle. The goal is to ensure that all network equipment and tools have security built in so that agencies can plan for and respond to events, effectively manage risk, mitigate the impact of incidents, and document security policies and activities. Agencies should be able not only to understand and maintain their current security status, but also to track it and learn from it over time. Ultimately, this lifecycle view allows administrators to make better-informed decisions and to evolve network security.
No one product performs all of these functions, and the best choice of tools for achieving these results will vary for each agency, depending on mission, the existing environment, and other conditions. This puts a premium on the ability to integrate products in an end-to-end solution.
To learn more about how you can adopt CDM, download GovLoop’s recent industry perspective, “Getting the Most from Continuous Diagnostic and Mitigation.”