CDM and automation

The next frontier for Continuous Diagnostics and Mitigation.


Attacks aimed at government networks are increasing in frequency and sophistication, so much so that earlier this year Sens. John McCain (R-Ariz.) and Jack Reed (D-R.I.), the leaders of the Senate Committee on Armed Services, organized a hearing with top U.S. government officials and cybersecurity experts to address the growing concern of domestic vulnerability to cyberattacks. The hearing revealed a key takeaway: cybersecurity risks will only continue to grow without a proper strategy that informs more effective policy.

These cybersecurity concerns are further confirmed by industry threat analysis showing that, compared to the healthcare, retail and financial sectors, the U.S. federal government has experienced the highest number of acknowledged data breaches. The situation is exacerbated by the avalanche of internet of things and operational technology devices hitting agencies' networks.

You name the device -- soil acidity sensors, census handhelds, etc. -- they can support an agency in achieving its overall mission, but can also create serious security challenges. Simply detecting and identifying the types of devices connected to government networks can be a challenge. If agencies don't know a device is there, then it hasn't been patched or had its software upgraded. And it's probably not running any of the security tools that allow agencies to scan things. An undetected device is what we call "unmanaged." Herein lies the problem that some have dubbed "Shadow IT," or "Shadow IoT," i.e. technology systems and solutions built and used within an organization without explicit approval.

Several years ago, both the Department of Homeland Security and the U.S. Congress recognized the need to create a comprehensive, government-wide effort to ensure all agencies practice robust (not just minimal) cyber hygiene in accordance with National Institute of Standards and Technology best practices. The result was the initiation of the Continuous Diagnostics and Mitigation Program. The objective of this program is for federal departments and agencies to deploy best-in-class cybersecurity tools to identify, prioritize and mitigate risks on a real-time and continuous basis.

The multi-phased CDM program represents a fundamental shift in how the U.S. government approaches cybersecurity risk assessment and mitigation. One of the program's core goals is to move agencies away from point-in-time security scans to real-time, continuous monitoring and assessment of network posture and endpoint hygiene. CDM is not only ambitious in the scope of capabilities it will deliver, but also in the size and diversity of agency architectures it covers. CDM offers two important carrots for agencies to participate: It creates tangible efficiencies for agencies through shared services, common platforms and aggregate buying power, and it provides funding for agencies to procure pre-vetted, best-in-class cybersecurity tools according to NIST's recommended controls.

Phase I of CDM is focused on delivering complete, continuous network visibility into agencies. Visibility, what the Defense Department calls domain awareness, is at the heart of the well-known adage: "You can't protect what you can't see." The sheer scope and ambition of CDM, however, have meant slow and uneven progress across government agencies. Some are closer to full Phase I implementation, whereas others are not as far along. In order for later phases to be successful, it is imperative for Phase I to be completed in its entirety. Building on the complete visibility delivered in Phase I, the second phase monitors user privileges and behaviors for controlled access management. The third phase will focus on boundary protection, event management and incident response to provide agencies the capabilities to mitigate threats found in the earlier phases of the program in an automated manner (and thus far more efficiently).

The ability to automate cybersecurity functions that enable response to threats without human intervention will play a critical role in reducing cyber risk for federal agencies. Automation helps reduce the burden on existing technology and personnel resources. Without automation, an engineer must go out and manually configure or patch newly discovered or newly compromised devices. This requires time and resources that no federal agency has, especially if a breach compromises thousands of devices to execute an attack – as was the case in 2016 with the Mirai botnet attack on Dyn, which leveraged thousands of compromised IP cameras and digital video recorders. Given the broadly acknowledged shortage of qualified cybersecurity personnel, there is simply no way an agency can keep pace with today's changing cyber landscape and escalating threats, particularly those posed by connected devices, without automation.

As we continue to transition to a world where cybersecurity tools are expected to perform with less and less human involvement, the concept of orchestration plays a pivotal role in security as it enables enterprise cybersecurity tools to work together, to talk bi-directionally and share contextual data. Orchestration breaks down silos and allows tools to collaborate -- even tools from disparate vendors. This provides a greater amount of rich data for analytical tools, and in turn facilitates smarter, instantaneous and automated mitigation. Sophisticated tools like artificial intelligence will eventually be layered on to support security intelligence and decision making, and to further automate processes.

When it comes to cyber "best practices," there is no doubt that visibility – the ability to detect all the assets on your network – remains number one. But in a world where tens of thousands of lightbulbs in a single building can now be networked, security automation is running a close second in its level of importance to managing overall cyber risk. As CDM Phase I continues to roll out, more and more agencies are gaining true visibility. But the sheer volume of endpoints being discovered during CDM Phase I (about 44 percent more than anticipated) significantly raises the stakes for Phase III (remediation) and demands a greater focus on automation. 

DHS and CDM leaders realize that the key to improving the cybersecurity posture of U.S. civilian agencies is to make the unknown as known as possible and to be able to operate securely even when 100 percent of what you have on your networks cannot be "fixed." The CDM approach shifts more government attention and resources to the ruthless implementation of well-tested cyber basics, as opposed to merely triaging incidents. CDM is the most ambitious cybersecurity project in the world ever. It is nearing the completion of its first and most important milestone. We will soon dive head-first into questions about remediation, control and automation. But, for now, let's simply appreciate that government agencies are cooperating on cyber risk mitigation to an unprecedented degree and will be well positioned to achieve CDM's ultimate ends.
