Industry Perspective Improving Your Security Posture with the Continuous Diagnostics and Mitigation Program (CDM)

Post on 28-May-2020


Improving Your Security Posture with the Continuous Diagnostics and Mitigation Program 1


Symantec Industry Perspective1

“The CDM program provides capabilities and tools that enable network administrators to know the state of their respective networks at any given time, understand the relative risks and threats, and help system personnel to identify and mitigate flaws at near-network speed.”

Continuous Diagnostic and Mitigation (CDM) website.


Improving Your Security Posture with the Continuous Diagnostics and Mitigation Program (CDM)

As your agency continues to adopt new and innovative technologies, you must take the proper steps to secure information. Since information networks are becoming increasingly complex and connected, there are more opportunities for information to become compromised.

Now, more than ever before, you rely on safe, secure and efficient technology to meet mission needs. That’s why the Department of Homeland Security (DHS) has created the Continuous Diagnostic and Mitigation (CDM) program, which is an important step for governments to improve their security posture.

CDM supports civilian Federal agencies in becoming more secure and in deploying a cost-effective cybersecurity program. The CDM website states, “The CDM program provides capabilities and tools that enable network administrators to know the state of their respective networks at any given time, understand the relative risks and threats, and help system personnel to identify and mitigate flaws at near-network speed.”

Undeniably, government leaders are challenged to combat and mitigate new cyber attacks and threats, and these attacks on government agencies are growing not only in volume but also in sophistication. To help improve an agency’s security posture, CDM will provide the tools needed to protect the network, giving agencies the ability to monitor and quickly mitigate day-to-day cyber attacks, protect critical information, and improve risk management.

Throughout this report, we will explore what CDM is and how it can help your agency. This report also covers how to identify best practices and what to consider when adopting CDM, through interviews with two Symantec experts: Ken Durbin, the Cyber and Continuous Monitoring Practice Manager, and Jennifer Nowell, the Director of Strategic Programs for Public Sector.


EXPLORING THE CONTINUOUS DIAGNOSTIC MITIGATION (CDM) PROGRAM

The CDM program provides agencies the ability to automate and enhance their monitoring capabilities by providing diagnostic and mitigation tools along with dashboards. DHS is currently working with the Federal executive branch agencies to conduct the following activities:

• Deploy and manage sensors for hardware asset management

• Deploy and manage sensors for software assets and whitelisting

• Mitigate vulnerabilities

• Set compliance standards

• Capture data about an agency’s cybersecurity flaws

• Present those risks in an automated and continuously updated dashboard

The scope of the CDM initiative includes the 15 Functional Areas listed below:

1. Hardware asset management

2. Software asset management

3. Configuration management

4. Vulnerability management

5. Manage network access controls

6. Manage trust in people granted access

7. Manage security related behavior

8. Manage credentials and authentication

9. Manage account access

10. Prepare for contingencies and incidents

11. Respond to contingencies and incidents

12. Design and build in requirements, policy and planning

13. Design and build in quality

14. Manage audit information

15. Manage operation security

According to the CDM site, “Capabilities are established at every level of the network, not just the periphery, which gives agencies the ability to see how effective their systems are. The first phase of CDM focuses on four of the capabilities, management of hardware and software assets, configuration, and vulnerabilities.” The first phase will allow your agency to create a baseline to measure the effectiveness of your cyber defense program.


HOW DOES CDM WORK?

CDM is a powerful program that allows agencies to expand their continuous monitoring capabilities through increasing sensor capacity and automation, and increasing risk awareness. The goal of the CDM program is to scan networks once every 72 hours to detect potential vulnerabilities or attacks. The CDM website provides additional insights on how the program works:

• First, agencies install and/or update their diagnostic sensors and the agency-installed sensors begin performing automated searches for known cyber flaws.

• In a future phase of CDM, scanned results will be fed into an enterprise-level dashboard that produces customized reports, alerting IT managers to the most critical cyber risks. These reports will enable them to readily identify which network security issues to address first, thus enhancing the overall security posture of agency networks.

• Progress reports that track results can be shared within and among agencies. Summary information can feed into an enterprise-level dashboard to inform and prioritize ongoing cyber risk assessments.

GSA’S BLANKET PURCHASE AGREEMENT FOR CDM

In order to participate in the program, the General Services Administration (GSA) and DHS have used the GSA IT Schedule 70 as a contract vehicle. The Continuous Monitoring as a Service (CMaaS) contract provides CDM tools and integration services to all federal agencies, state, local, regional, and tribal governments under a blanket purchase agreement.

One important element of CDM is that if a civilian government agency participates, the Department of Homeland Security will pay for the cost of the tools and integration. For fiscal year 2014 alone, DHS has allocated $185 million to spend on CDM tools and services. The Department of Defense, intelligence community, and state, local, and tribal government can also purchase from the CMaaS contract to procure CDM solutions, but they must use their own funding.



CDM RESOURCES FROM AROUND THE WEB

This report provides a quick overview of the CDM program, but there are many good resources around the web describing the program as well. From our research, we have pulled out the core documents for you to review, giving you quick access to the need-to-know information.

DHS Press Release: https://www.dhs.gov/blog/2013/08/13/major-step-forward-better-protecting-federal-state-and-local-cyber-networks

GSA Contract Announcement: http://www.gsa.gov/portal/content/176671?utm_source=FAS&utm_medium=print-radio&utm_term=cdm&utm_campaign=shortcuts

CDM Implementation: http://www.dhs.gov/cdm-implementation

5 BEST PRACTICES WHEN IMPLEMENTING CDM

Symantec’s CDM tools not only ensure compliance with government cyber mandates, but also provide the technology to leverage CDM to excel in mission goals. In our expert interview with Ken Durbin he explained that adopting CDM solutions is more than checking a box for compliance. Durbin explained, “If an agency implements CDM tools correctly, they are going to improve their cybersecurity posture. There’s just no doubt about it.” The following are five best practices for fully leveraging the benefits of CDM.

1. OPERATE WITH A BROAD VIEW OF CONTINUOUS MONITORING

When imagined comprehensively, CDM can allow an organization to determine whether it is effective, efficient, secure and compliant. The first step to getting the most out of CDM is to visualize the program’s complete potential. This means having a full view of what assets are on your network, and being able to monitor them to spot abnormalities.

2. SECURE EXECUTIVE BUY-IN

Implementing CDM requires employees at all levels to understand the importance of cyber security measures. However, the decision to implement CDM must be made at the top. Ultimately, it will be the decision of the Chief Information Security Officer (CISO) to invest in a CDM solution.

The NIST Risk Management Framework recommends securing support from management, including the CISO, the CIO, and the department heads. In order to fulfill the mandates of CDM, Durbin said, “Upper level management has to decide that CDM is going to be a priority, and are going to devote the time and resources to get it done and get it done correctly.” Durbin warned, “If it’s just a CIO that hands it off or passes it to an individual who doesn’t have the authority to put any teeth behind it, it’s either not going to be very successful or it’s going to be window dressing to show compliance. It’s doubtful they will see any improvement in their overall cyber security.”


3. COLLABORATE IN IMPLEMENTATION AND COMPLIANCE

Once the CISO makes the decision to pursue CDM, they will depend on their entire organization to implement the program in order to meet compliance. Durbin said, “In a typical IT organization, jobs are divided into areas of responsibility. One area may focus on deploying and managing sensors, another on compliance and another on reporting. The CISO is going to rely on those people to find out what he or she needs and understand his/her environment and requirements.”

As you consider a solution that will best meet your needs, it’s important to consider all the employees and stakeholders engaged throughout the process. Every stakeholder plays an essential role in bringing value and security to your CDM solution. The various actors can be broken down into the following categories:

• Sensor Deployment and Management: These are employees within your agency who are responsible for the implementation of the sensors that track usage and produce data; the data collected by the sensors will then be used for network analysis.

• Data Aggregation: Data collection occurs at many different points, but the key is to bring that data together into a single repository for your agency to monitor compliance and effectiveness. This provides valuable insights to your agency, and can provide alerts of abnormal activity to system administrators.

• Reporting and Presentation: Once data has been housed and framed into a single repository, information must be presented in a way that is valuable and flexible to satisfy the complex needs of the agency. The reporting and presentation methods used will also need to take into account additional compliance reporting, executive-level reporting and non-security use cases to provide a full view of your agency’s cyber program.

• Risk Based Decisions: Everyone from Chief Information Officers to auditors requires data to make decisions regarding the effectiveness, efficiency, security and compliance of a program. Decisions that affect an agency’s cybersecurity posture are made every day. If CDM is implemented correctly, decisions can be made in terms of risk priority, resulting in a more secure IT environment and a better use of time and resources.

4. KNOW YOUR MATURITY LEVEL

For agencies, the maturity level of their IT organization will differ and require a different kind of cyber security solution. In some cases, agencies will just be getting started and in other scenarios, agencies will already be using certain aspects of CDM. In order to adopt the right CDM solution, agencies must assess their preparedness level.


Jennifer Nowell provided insights as to how agencies can know what solution is best for their needs. “Agencies and organizations can understand their maturity level if they use the NIST Risk Management Framework to assess where they are in the life cycle,” said Nowell. Furthermore, she agrees with DHS’s recommendation to start with the following first four Functional Areas:

1. Devices: An agency should know if a new device has come into the environment, what that device is, and where it is located. Nowell said, “You can’t secure what you can’t see.”

2. Inventory: Agencies should maintain an inventory of the software operating in their environment. This ensures that software can be patched appropriately or defended when no patches are available.

3. Configuration: Defining baseline configurations shows what the system should look like and makes it easier to determine if anything in the baseline configuration has been changed.

4. Vulnerability: Agencies must focus on vulnerability management by keeping up with emerging threats.

Nowell advised that prior to implementing a CDM solution, it’s essential to know your organizational needs. “Depending on what your agency’s needs are, this could mean purchasing a tool that removes current vulnerabilities, analyzing gaps in protection or creating a dashboard to make better security decisions,” said Nowell.
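The four first-phase Functional Areas above (devices, software inventory, configuration baselines, vulnerabilities) and the scan-then-prioritize cycle described under “How does CDM work?” both come down to the same operation: compare what the sensors observe against what the agency expects, and rank the differences. The Python script below is an added illustration written for this page; it is not code from the report, from Symantec, or from the CDM program. The hardware inventory, approved-software list, baseline settings, the three sensor records, the scoring weights and the PLACEHOLDER-VULN identifiers are all constructed assumptions; a real deployment would feed the same logic from agency sensors and an authoritative vulnerability feed, and would run it on the program’s 72-hour cycle, which is not modelled here.

```python
"""Added example (not part of the Symantec/GovLoop report): one
"continuous diagnostics" pass over constructed sensor data, covering the
four first-phase CDM functional areas (devices, software inventory,
configuration baselines, vulnerabilities) and the ranked-findings step
a CDM dashboard would present.  All hosts, packages, settings and
vulnerability IDs below are constructed placeholders, not real data."""

from dataclasses import dataclass, field

# --- Constructed baseline: what the agency expects to exist --------------
KNOWN_DEVICES = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}

# Approved packages and the minimum version considered patched.
APPROVED_SOFTWARE = {"openssh": "9.6", "nginx": "1.26", "python3": "3.11"}

# Baseline configuration every host is expected to match.
BASELINE_CONFIG = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "firewall.default_policy": "drop",
}

# Constructed vulnerability feed: package affected below `fixed_in`.
# The IDs are placeholders, not real CVE numbers.
VULN_FEED = [
    {"id": "PLACEHOLDER-VULN-0001", "package": "openssh", "fixed_in": "9.6", "severity": 9.0},
    {"id": "PLACEHOLDER-VULN-0002", "package": "nginx", "fixed_in": "1.26", "severity": 6.5},
]

# --- Constructed sensor snapshot: what the sensors actually observed -----
SENSOR_SNAPSHOT = [
    {"host": "10.0.1.10",
     "software": {"openssh": "9.6", "nginx": "1.24"},
     "config": {"sshd.PasswordAuthentication": "no", "sshd.PermitRootLogin": "no",
                "firewall.default_policy": "drop"}},
    {"host": "10.0.1.11",
     "software": {"openssh": "9.3", "python3": "3.11"},
     "config": {"sshd.PasswordAuthentication": "yes", "sshd.PermitRootLogin": "no",
                "firewall.default_policy": "drop"}},
    {"host": "10.0.1.99",  # constructed: a host missing from the hardware inventory
     "software": {"openssh": "9.6", "unknown-agent": "0.1"},
     "config": {"sshd.PasswordAuthentication": "no", "sshd.PermitRootLogin": "yes",
                "firewall.default_policy": "accept"}},
]


@dataclass(order=True)
class Finding:
    """One diagnostic result; ordering compares the score only."""
    score: float
    host: str = field(compare=False)
    area: str = field(compare=False)
    detail: str = field(compare=False)


def version_tuple(version):
    """Turn '1.26' into (1, 26) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def unknown_devices(snapshot, known=KNOWN_DEVICES):
    """Area 1 (devices): hosts the sensors saw that are absent from the inventory."""
    return sorted(record["host"] for record in snapshot if record["host"] not in known)


def software_findings(record, approved=APPROVED_SOFTWARE):
    """Area 2 (inventory): unapproved packages, and approved ones below the patched version."""
    out = []
    for pkg, ver in record["software"].items():
        if pkg not in approved:
            out.append(Finding(5.0, record["host"], "software", f"unapproved package {pkg} {ver}"))
        elif version_tuple(ver) < version_tuple(approved[pkg]):
            out.append(Finding(4.0, record["host"], "software",
                               f"{pkg} {ver} below approved {approved[pkg]}"))
    return out


def config_drift(record, baseline=BASELINE_CONFIG):
    """Area 3 (configuration): settings that have drifted from the baseline."""
    return [Finding(7.0, record["host"], "config",
                    f"{key} is {record['config'].get(key)!r}, baseline {want!r}")
            for key, want in baseline.items() if record["config"].get(key) != want]


def vulnerability_findings(record, feed=VULN_FEED):
    """Area 4 (vulnerabilities): installed packages still below a known fixed version."""
    out = []
    for vuln in feed:
        ver = record["software"].get(vuln["package"])
        if ver is not None and version_tuple(ver) < version_tuple(vuln["fixed_in"]):
            out.append(Finding(vuln["severity"], record["host"], "vuln",
                               f"{vuln['id']} in {vuln['package']} {ver}"))
    return out


def diagnose(snapshot):
    """One scan cycle: collect findings from all four areas, highest score first."""
    findings = [Finding(8.0, host, "device", "device not in hardware inventory")
                for host in unknown_devices(snapshot)]
    for record in snapshot:
        findings += software_findings(record) + config_drift(record) + vulnerability_findings(record)
    return sorted(findings, reverse=True)  # stable, so equal scores keep scan order


if __name__ == "__main__":
    for finding in diagnose(SENSOR_SNAPSHOT):
        print(f"{finding.score:4.1f}  {finding.host:10}  {finding.area:8}  {finding.detail}")
```

Run as a script, the ranked list is what a dashboard would surface first: the out-of-date SSH build on a known host outranks the unknown device, which in turn outranks the three configuration drifts and the lesser findings. The scoring weights are deliberately simple constants; the point is that each functional area produces findings in one common shape so that they can be compared and prioritized together, which is the aggregation step the report attributes to the enterprise-level dashboard.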

5. DEFINE METRICS

The government has defined IT Security metrics that help agencies prioritize their cyber security efforts. These metrics are tracked and reported annually to the public by the Office of Management and Budget (OMB). “Every year DHS produces a document that defines a set of Cyber Security metrics. An agency can use the metrics as a guide to plan that year’s cyber security efforts. Each agency submits a monthly, quarterly and annual report to DHS that documents their progress against the defined metrics,” said Durbin.

The OMB uses this data to produce a “scorecard” that ranks each agency according to how well they have met each metric. This is commonly known as the “FISMA Scorecard.” “The Scorecard details where an agency has succeeded as well as where they have missed the mark. It’s actually a good tool for planning next year’s security efforts,” said Durbin. For more insights on the federal government’s goals, be sure to visit the following links:

Cross Agency Priority Goal: Q3 Status Goal: http://technology.performance.gov/initiative/ensure-cybersecurity/home

Improving Cyber Security: http://technology.performance.gov/initiative/ensure-cybersecurity/home

These five best practices are just the start of your journey to adopt a CDM solution. CDM provides you the opportunity to drastically improve your awareness of network vulnerabilities and threats, affording you the ability to mitigate cyber threats.

You now have a choice. Your agency can simply implement the minimum requirements to fulfill compliance, or you can implement a CDM solution that will transform your operations. CDM will increase your security, productivity, and efficiency when paired with the right tools and best practices.


ABOUT SYMANTEC

Symantec protects the world’s information, and is the global leader in security, backup and availability solutions. Their innovative products and services protect people and information in any environment – from the smallest mobile device, to the enterprise data center, to cloud-based systems. Their industry-leading expertise in protecting data, identities and interactions gives their government customers confidence in a connected world. More information is available on Symantec’s GovLoop Page.

For more information about this report, please reach out to Pat Fiorenza, Senior Research Analyst, GovLoop, at [email protected], or follow him on twitter: @pjfiorenza.