Continuous Diagnostics and Mitigation capability requirements need re-prioritization
There is a lot to like in the $6 billion Continuous Diagnostics and Mitigation (CDM) program being administered by the DHS across more than 100 federal civilian agencies. The DHS has done an excellent job creating 15 different capabilities broken up into four implementation phases that agencies need to have to strengthen their cybersecurity postures.
These measures will also be used to build cybersecurity dashboards that will be reviewed by the Office of Management and Budget (OMB) for determining funding levels and will get congressional review.
The implementation phases are laid out in the following order to be implemented between 2013 and 2017.
1. Manage assets
2. Manage accounts for people and services
3. Manage events
4. Manage the security lifecycle.
The DHS set up a purchasing vehicle for all agencies and tasked them with defining their requirements for phase one, which included asset (hardware and software) management, vulnerability assessment, configuration management and managing boundaries. This was supposed to build a foundation for the other phases. However, according to a 2014 SANS Institute survey, just 21 percent of federal IT respondents indicated they had conducted a formal foundational assessment prior to starting the program.
Considering you can only improve security by knowing your baseline and where the holes are, this indicates that many groups may need to go back and conduct additional preparation work before starting phase two. Phase two of the program is more interesting, as it includes managing access, monitoring privileged accounts and managing trust in people and security-related behaviors.
While all the phases and capabilities are fairly well defined, there is no prioritization for implementing the capabilities across the different phases. This was likely left to the agency to sort out based on its current capabilities. Given the types of data breaches we are seeing today and in growing numbers, the implementation and capabilities schedule won’t yield results in the fastest possible way. The attackers are using stolen credentials to gain access to systems and steal data.
Given all the government data breaches we’ve seen in the last year from the White House, United States Postal Service, the U.S. Department of Veterans Affairs and other agencies, to not be aligned with attacker methods and methodologies would be ignoring, as they say, “conditions on the ground.” Credentials are the most coveted asset an attacker can get and they are using them to great effect.
There are those who would argue that you have to walk before you run and without getting the foundation 100 percent right, the other phases fall apart. Many civilian agencies are ready for phase two today, and some may be ready for phase three. Some may still have work to do on phase one, but should also be implementing parts of phases two and three simultaneously.
The agencies need to be given free reign in partnership with the DHS to put together a customized implementation plan that stands the best chance of protecting data today by detecting attackers that use stolen credentials. The CDM implementation plan needs to be focused around access.
Agencies need to know what systems they have and what their vulnerabilities are, and possess good change management tools and processes. But how does having that information stop an attacker with valid credentials? Nothing is vulnerable if it can’t be accessed, and only through access is something vulnerable. You can have good change management monitoring and processes, but humans are still fallible and can leave a door unlocked for an attacker. Rouge devices may allow an attacker to see part of the network, but data has to be accessed either directly or through remote controlled malware to be stolen.
The fifteen capabilities are terrific; the goal of the program is very good and should be an implementation model outside of government agencies for corporations. However, we urge the DHS to offer the flexibility that would offer more of an a la carte option to civilian agencies that have the most sensitive data. This would include agencies such as the Social Security Administration, Department of Energy, the Veterans Administration and those organizations that oversee very sensitive citizen data or manage critical infrastructure. This is also a way to apply more focused pressure on today’s problem—detecting attackers using stolen credentials to access and steal data, and potentially destroy systems.
On February 5, 2014, John Podesta, counselor to President Obama, said to reporters in a conference call promoting the White House data protection proposals, “Hardly a week goes by when the problem is not on the front pages of the newspapers. With each breach there is more need for the legislation.” This sense of urgency needs to be transformed into alignment for better security inside government agency security initiatives as well.