CDM and automation

The next frontier for Continuous Diagnostics and Mitigation.


Attacks aimed at government networks are increasing in frequency and sophistication, so much so that earlier this year Sens. John McCain (R-Ariz.) and Jack Reed (D-R.I.), the leaders of the Senate Committee on Armed Services, organized a hearing with top U.S. government officials and cybersecurity experts to address the growing concern of domestic vulnerability to cyberattacks. The hearing revealed a key takeaway: cybersecurity risks will only continue to grow without a proper strategy that informs more effective policy.

These cybersecurity concerns are further confirmed by industry threat analysis showing that, compared with the healthcare, retail and financial sectors, the U.S. federal government has experienced the highest number of acknowledged data breaches. The situation is exacerbated by the avalanche of internet of things and operational technology devices hitting agencies' networks.

You name the device -- soil acidity sensors, census handhelds, etc. -- they can support an agency in achieving its overall mission, but can also create serious security challenges. Simply detecting and identifying the types of devices connected to government networks can be a challenge. If agencies don't know a device is there, then it hasn't been patched or had its software upgraded. And it's probably not running any of the security tools that allow agencies to scan things. An undetected device is what we call "unmanaged." Herein lies the problem that some have dubbed "Shadow IT," or "Shadow IoT," i.e. technology systems and solutions built and used within an organization without explicit approval.

Several years ago, both the Department of Homeland Security and the U.S. Congress recognized the need to create a comprehensive, government-wide effort to ensure all agencies practice robust (not just minimal) cyber hygiene in accordance with National Institute of Standards and Technology best practices. The result was the initiation of the Continuous Diagnostics and Mitigation Program. The objective of this program is for federal departments and agencies to deploy best-in-class cybersecurity tools to identify, prioritize and mitigate risks on a real-time and continuous basis.

The multi-phased CDM program represents a fundamental shift in how the U.S. government approaches cybersecurity risk assessment and mitigation. One of the program's core goals is to move agencies away from point-in-time security scans to real-time, continuous monitoring and assessment of network posture and endpoint hygiene. CDM is not only ambitious in the scope of capabilities it will deliver, but also in the size and diversity of agency architectures it covers. CDM offers two important carrots for agencies to participate: It creates tangible efficiencies for agencies through shared services, common platforms, and aggregate buying power, and it provides funding for agencies to procure pre-vetted, best-in-class cybersecurity tools according to NIST's recommended controls.

Phase I of CDM is focused on delivering complete, continuous network visibility into agencies. Visibility, what the Defense Department calls domain awareness, is at the heart of the well-known adage: "You can't protect what you can't see." The sheer scope and ambition of CDM, however, has meant slow and uneven progress across government agencies. Some are closer to full Phase I implementation, whereas others are less far along. In order for later phases to be successful, it is imperative for Phase I to be completed in its entirety. Building on the complete visibility delivered in Phase I, the second phase monitors user privileges and behaviors for controlled access management. The third phase will focus on boundary protection, event management and incident response to provide agencies the capabilities to mitigate threats found in the earlier phases of the program in an automated manner (and thus far more efficiently).

The ability to automate cybersecurity functions that enable response to threats without human intervention will play a critical role in reducing cyber risk for federal agencies. Automation helps reduce the burden on existing technology and personnel resources. Without automation, an engineer must go out and manually configure or patch newly discovered or newly compromised devices. This requires time and resources that no federal agency has, especially if a breach compromises thousands of devices to execute an attack – as was the case in 2016 with the Mirai botnet attack on Dyn, which leveraged thousands of compromised IP cameras and digital video recorders. Given the broadly acknowledged shortage of qualified cybersecurity personnel, there is simply no way an agency can keep pace, without automation, with today's changing cyber landscape and escalating threats, particularly those posed by connected devices.

As we continue to transition to a world where cybersecurity tools are expected to perform with less and less human involvement, the concept of orchestration plays a pivotal role in security as it enables enterprise cybersecurity tools to work together, to talk bi-directionally and share contextual data. Orchestration breaks down silos and allows tools to collaborate -- even tools from disparate vendors. This provides a greater amount of rich data for analytical tools, and in turn facilitates smarter, instantaneous and automated mitigation. Sophisticated tools like artificial intelligence will eventually be layered on to support security intelligence and decision making, and to further automate processes.

When it comes to cyber "best practices," there is no doubt that visibility – the ability to detect all the assets on your network – remains number one. But in a world where tens of thousands of lightbulbs in a single building can now be networked, security automation is running a close second in its level of importance to managing overall cyber risk. As CDM Phase I continues to roll out, more and more agencies are gaining true visibility. But the sheer volume of endpoints being discovered during CDM Phase I (about 44 percent more than anticipated) significantly raises the stakes for Phase III (remediation) and demands a greater focus on automation. 

DHS and CDM leaders realize that the key to improving the cybersecurity posture of U.S. civilian agencies is to make the unknown as known as possible and to be able to operate securely even when 100 percent of what you have on your networks cannot be "fixed." The CDM approach shifts more government attention and resources to the ruthless implementation of well-tested cyber basics, as opposed to merely triaging incidents. CDM is the most ambitious cybersecurity project in the world ever. It is nearing the completion of its first and most important milestone. We will soon dive head-first into questions about remediation, control and automation. But, for now, let's simply appreciate that government agencies are cooperating on cyber risk mitigation to an unprecedented degree and will be well positioned to achieve CDM's ultimate ends.
