Continuous diagnostics and mitigation: Improving security through visibility
By Wallace Sann, public sector Chief Technology Officer, ForeScout Technologies, Inc.
The number of cyber incidents reported by federal agencies to the United States Computer Emergency Readiness Team (US-CERT) has risen sharply over the last decade, from 5,500 in fiscal 2006 to more than 67,000 in fiscal 2014. But the significance of these incidents goes far beyond their numbers. The data put at risk in government breaches includes, but is not limited to, classified national security intelligence, key US infrastructure information and sensitive personal information. Recent breaches at the Internal Revenue Service (IRS) and the Office of Personnel Management exposed data on millions of taxpayers as well as tens of millions of current and former federal employees and their families. These incidents not only create national security risks and enable wholesale identity theft, but they can also end the careers of those responsible for security.
The potential exists for a perfect storm. Government staff members struggle to maintain increasingly complex IT systems while cyberattacks become cheaper and easier to perform, and our cyber adversaries remain highly motivated, sophisticated and well-funded. Federal Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and IT administrators are now working to get ahead of these threats to ensure our national security and to protect the privacy of citizens.
Continuous monitoring and mitigation (CMM) has emerged as the primary vehicle for meeting these goals of security and privacy protection. The ability to make IT networks, endpoints and applications visible; to identify malicious activity; and to respond immediately is critical to defending federal information systems and networks.
The Evolving Response
The government’s response to cyber threats has been laid out in legislation via the Federal Information Security Modernization Act, or FISMA. In the Department of Defense (DoD), the Defense Information Systems Agency and the U.S. Cyber Command have initiated the Command Cyber Readiness Inspection, or CCRI, program. This program is a comprehensive review of DoD cybersecurity posture for both classified and unclassified information systems, and agencies are using the Comply to Connect initiative, remotely scanning and remediating devices connecting to .mil networks to ensure they are in compliance with security requirements.
The CCRI assessments evaluate all aspects of network security and information assurance programs, including all endpoints connecting either directly or through wireless access. Failure to meet CCRI requirements can result in a network being disconnected from the DoD’s Global Information Grid.
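The Comply to Connect loop described above (scan a device as it connects, check it against security requirements, remediate or deny) can be shown concretely. The following is an added illustration, not code from ForeScout, DISA or any agency program: the policy values, the posture fields and the three sample endpoints are constructed assumptions, and the "remediation" only updates the posture record so it can be re-evaluated. The point it demonstrates is the closed loop that distinguishes continuous monitoring from a periodic audit: evaluate, act, evaluate again.

```python
"""Comply-to-connect style posture evaluation (constructed example)."""
from dataclasses import dataclass, replace
from datetime import date

# Hypothetical connection policy: an assumption for this example, not a
# DoD, DISA or agency baseline.
POLICY = {
    "max_patch_age_days": 30,
    "required_agents": frozenset({"antivirus", "host_firewall"}),
    "approved_os": frozenset({"Windows 10", "RHEL 7"}),
    # Failures that deny access outright instead of triggering remediation.
    "block_on": frozenset({"unmanaged", "unapproved_os"}),
}


@dataclass(frozen=True)
class Endpoint:
    """Posture facts a discovery/assessment scan would report (constructed)."""
    host: str
    managed: bool          # enrolled in the agency's management tooling
    os: str
    last_patch: date       # date of the last successful patch cycle
    agents: frozenset      # security agents observed running


def evaluate(ep: Endpoint, policy=POLICY, today=date(2017, 3, 1)):
    """Return (decision, failures); decision is allow, remediate or quarantine."""
    failures = []
    if not ep.managed:
        failures.append("unmanaged")
    if ep.os not in policy["approved_os"]:
        failures.append("unapproved_os")
    if (today - ep.last_patch).days > policy["max_patch_age_days"]:
        failures.append("stale_patches")
    for agent in sorted(policy["required_agents"] - ep.agents):
        failures.append(f"missing_agent:{agent}")

    if not failures:
        decision = "allow"
    elif set(failures) & policy["block_on"]:
        decision = "quarantine"       # cannot be fixed by pushing software
    else:
        decision = "remediate"        # fixable: push agents / patches
    return decision, failures


def remediate(ep: Endpoint, failures, today=date(2017, 3, 1)) -> Endpoint:
    """Simulate the actions an automated remediation step would push and
    return the updated posture so it can be re-evaluated."""
    agents = set(ep.agents)
    last_patch = ep.last_patch
    for f in failures:
        if f.startswith("missing_agent:"):
            agents.add(f.split(":", 1)[1])
        elif f == "stale_patches":
            last_patch = today
    return replace(ep, agents=frozenset(agents), last_patch=last_patch)


def connect_cycle(endpoints, policy=POLICY, today=date(2017, 3, 1)):
    """One monitoring pass: evaluate, remediate what is fixable, re-evaluate.
    Returns {host: (final_decision, remaining_failures)}."""
    report = {}
    for ep in endpoints:
        decision, failures = evaluate(ep, policy, today)
        if decision == "remediate":
            fixed = remediate(ep, failures, today)
            decision, failures = evaluate(fixed, policy, today)
        report[ep.host] = (decision, failures)
    return report


# Constructed sample inventory: a compliant workstation, a fixable one,
# and an unmanaged vendor device.
SAMPLE = [
    Endpoint("ws-101", True, "Windows 10", date(2017, 2, 20),
             frozenset({"antivirus", "host_firewall"})),
    Endpoint("ws-102", True, "Windows 10", date(2017, 1, 10),
             frozenset({"antivirus"})),
    Endpoint("cam-07", False, "vendor-linux", date(2016, 6, 1), frozenset()),
]

if __name__ == "__main__":
    for host, (decision, failures) in connect_cycle(SAMPLE).items():
        print(f"{host:8} {decision:10} {', '.join(failures) or '-'}")
```

Running the cycle leaves ws-101 allowed, brings ws-102 to allowed after its firewall agent and patches are pushed, and keeps cam-07 quarantined because an unmanaged, unapproved device cannot be made compliant by remote remediation. In a real deployment the evaluation would be triggered again on every posture change reported by the sensors, not only at connect time.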
Civilian legislators and regulators have recognized that laws and mandates cannot keep pace with fast-changing technology. Legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and FISMA sets out broad, technology-neutral goals for agencies, and requirements for compliance are based on agency needs and the threats they face. This means technical specifications continue to evolve.
As the limitations of reactive, perimeter-based security have become apparent, civilian requirements have followed the lead of DoD, shifting their focus from checklist compliance to effectively measuring cybersecurity. FISMA guidance from the Office of Management and Budget has moved from periodic assessment of static security controls to continuous monitoring of IT resources and activities. This can ensure not only that required controls are in place, but also that the IT environment is being effectively defended. The culmination of this shift is the Department of Homeland Security’s Continuous Diagnostics and Mitigation, or CDM, program.
CDM enables better real-time visibility of all IT networks and systems. It provides off-the-shelf technology to help agencies in the .gov domain perform continuous assessments of status, threats and activity. The program specifies 15 monitoring capabilities, which can be either performed by agency sensors or provided as a service.
Phase 1 of the CDM program went into effect in 2013 and focused on endpoint security; phase 2, called Least Privilege and Infrastructure Integrity, began in 2014 and focuses on identity and access management and puts a premium on an agency’s ability to see and respond to network activity.
No one product provides complete CDM capability by itself. The key to achieving the goals of the program is the ability to take full advantage of the various security products already deployed in the network.
Leveraging Existing Security Infrastructure
Agencies have already invested in security products to provide defense in depth for their networks. Unfortunately, these products often fall short of their promised value because they operate independently, cannot adequately discover the assets they are supposed to protect and do not collaborate. They can provide periodic assessments, logging and alerts, but working on their own they do not provide the context, real-time monitoring, information sharing and automated response needed to meet modern security requirements.