This article is an excerpt from GovLoop’s recent report titled “Your Guide to Key Advancements in Government Cybersecurity.” Download the full report here.
Government agencies see that the best offense is a strong defense amid escalating cybersecurity threats.
The Continuous Diagnostics and Mitigation (CDM) program demonstrates this by helping federal agencies fortify their networks and systems’ cybersecurity. This risk-based approach uses agency-installed sensors to perform automated, ongoing searches for known cyber flaws and evidence of real-time and historical attacks. Sensor results alert network managers about their most critical cyber risks, prioritizing them to help allocate resources based on severity.
The Department of Homeland Security (DHS) and the General Services Administration (GSA) launched CDM in 2013, with Phase 1 focusing on what was on an agency’s network and Phase 2 centering on who was on those networks. CDM’s Phase 3 is known as DEFEND and focuses on what is happening on an agency’s network and how it is protected. It also fixes and upgrades gaps from earlier phases as well as incorporating new and emerging technologies.
To better understand how agencies can successfully leverage DEFEND, GovLoop spoke with Ralph Kahn, Vice President of Federal at Tanium. Tanium is an endpoint security and systems management company and an approved DEFEND vendor.
“DEFEND is happening five years after Phase 1,” Kahn said. “The solutions, the requirements, the state of the art technologies, and the attackers have all changed dramatically.” DHS acknowledges this and has refocused the program to encourage agencies to continually upgrade and procure new cybersecurity technologies across the board rather than via sequential phases. DEFEND will now field capabilities previously slated for Phase 4 – protecting valuable data.
Kahn said that many adversaries commit more sophisticated cyberattacks today than when CDM began. “Attackers are moving faster, and there are new classes of cyber defense technologies, best practices and metrics that agencies must adopt to counter today’s threat environment.”
Phase 1 required the management and control of devices, software, security and configuration settings and software vulnerabilities. Phase 2 added controlling and managing account access and trust for people granted access, credentials and authentication and security-related behavioral training.
DEFEND moves beyond asset management to more extensive and dynamic security control monitoring. Security incidents can be mitigated and contained to prevent threats from spreading through the infrastructure. Its capabilities include incident response, event management, myriad forensics tools and mitigating security threats to prevent spreading.
Kahn said DEFEND gives agencies greater input on what tools are installed. Using the Request for Service (RFS) process, agencies can cite specific requirements rather than taking what integrators prescribed in Phases 1 and 2.
“We know that bad things are going to happen, so how do we implement a system that enables us to detect them, minimize their impact and recover from them quickly?” he asked. “That’s where most agencies should aim in the DEFEND era.” Kahn said that agencies are changing their defensive postures for an evolving cybersecurity landscape.
“It’s about continuous monitoring and continuous visibility to enable finding bad guys rapidly,” he said. “We all know adversaries will breach our perimeters. The goal is to build resilience into our defenses, find them faster, remediate intrusions quicker and resume normal operations with minimal disruption.”
Tanium provides agencies the ability to scan their endpoints in real time, enabling cyber defenders to more quickly and easily spot anomalies and start remediating them. “Today many attackers operate at faster speeds than defenders can defend,” Kahn said. “Tanium levels the playing field, allowing cyber defenders to defend at the same speed as the attackers.”
“When CDM first came out, 72-hour compliance was state of the art,” he said. “Today continuous compliance is the gold standard. Agency leadership should demand compliance every hour of every day to reduce their organization’s attack surface.”
CDM Phases 1 and 2 also revealed that the acute labor shortage of skilled cybersecurity professionals is growing. Agencies leveraging DEFEND should investigate automating routine cyber tasks at which machines excel. More automated cyber work leaves agency workforces freed for other things.
Many agencies use Tanium as a force multiplier, utilizing its built-in automation and orchestration for hunting, mitigation, compliance and forensic analysis. A platform with built-in capabilities orchestrated in workflows designed for promoting best practices is a huge advantage for cyber defenders over today’s complex stovepiped environments.
Agencies implementing DEFEND can pursue updated metrics, automate and orchestrate their core security processes and increase operational resilience. Successfully performing these measures should dramatically improve agencies’ security postures at significantly reduced costs.