Improving Your Security Posture with the Continuous Diagnostics and Mitigation Program (CDM)
Symantec Industry Perspective

As your agency continues to adopt new and innovative technologies, you must take the proper steps to secure its information. Information networks are becoming more complex and more interconnected, which creates more opportunities for information to be compromised. Now more than ever, you rely on safe, secure and efficient technology to meet mission needs. That is why the Department of Homeland Security (DHS) created the Continuous Diagnostics and Mitigation (CDM) program, an important step toward improving the security posture of government. CDM supports civilian Federal agencies in becoming more secure and in deploying a cost-effective cybersecurity program. The CDM website states, “The CDM program provides capabilities and tools that enable network administrators to know the state of their respective networks at any given time, understand the relative risks and threats, and help system personnel to identify and mitigate flaws at near-network speed.” Government leaders are undeniably challenged to combat and mitigate new cyber attacks and threats, and attacks on government agencies are growing not only in volume but also in sophistication.
To assist in improving an agency’s security posture, CDM provides the tools needed to protect the network, giving agencies the ability to monitor and quickly mitigate day-to-day cyber attacks, protect critical information, and improve risk management. Throughout this report, we explore what CDM is and how it can help your agency. The report also identifies best practices and what to consider when adopting CDM, drawing on interviews with two Symantec experts, Ken Durbin, the Cyber and Continuous Monitoring Practice Manager, and Jennifer Nowell, the Director of Strategic Programs for Public Sector.

EXPLORING THE CONTINUOUS DIAGNOSTICS AND MITIGATION (CDM) PROGRAM

The CDM program gives agencies the ability to automate and enhance their monitoring capabilities by providing diagnostic and mitigation tools along with dashboards. DHS is currently working with Federal executive branch agencies to conduct the following activities:

• Deploy and manage sensors for hardware asset management
• Deploy and manage sensors for software assets and whitelisting
• Mitigate vulnerabilities
• Set compliance standards
• Capture data about an agency’s cybersecurity flaws
• Present those risks in an automated and continuously updated dashboard

The scope of the CDM initiative includes the 15 Functional Areas listed below:

1. Hardware asset management
2. Software asset management
3. Configuration management
4. Vulnerability management
5. Manage network access controls
6. Manage trust in people granted access
7. Manage security related behavior
8. Manage credentials and authentication
9. Manage account access
10. Prepare for contingencies and incidents
11. Respond to contingencies and incidents
12. Design and build in requirements, policy and planning
13. Design and build in quality
14. Manage audit information
15. Manage operation security

According to the CDM site, “Capabilities are established at every level of the network, not just the periphery, which gives agencies the ability to see how effective their systems are. The first phase of CDM focuses on four of the capabilities, management of hardware and software assets, configuration, and vulnerabilities.” The first phase allows your agency to create a baseline against which to measure the effectiveness of its cyber defense program.

HOW DOES CDM WORK?

CDM allows agencies to expand their continuous monitoring capabilities by increasing sensor coverage and automation, and by increasing risk awareness. The goal of the CDM program is to scan networks once every 72 hours to detect potential vulnerabilities or attacks. The CDM website describes how the program works:

• First, agencies install and/or update their diagnostic sensors, and the agency-installed sensors begin performing automated searches for known cyber flaws.
• In a future phase of CDM, scan results will be fed into an enterprise-level dashboard that produces customized reports, alerting IT managers to the most critical cyber risks. These reports will enable them to readily identify which network security issues to address first, thus enhancing the overall security posture of agency networks.
• Progress reports that track results can be shared within and among agencies. Summary information can feed into an enterprise-level dashboard to inform and prioritize ongoing cyber risk assessments.

GSA’S BLANKET PURCHASE AGREEMENT FOR CDM

To make participation in the program possible, the General Services Administration (GSA) and DHS use GSA IT Schedule 70 as the contract vehicle. The Continuous Monitoring as a Service (CMaaS) blanket purchase agreement provides CDM tools and integration services to all Federal agencies and to state, local, regional and tribal governments. One important element of CDM is that when a civilian Federal agency participates, DHS pays for the cost of the tools and integration. For fiscal year 2014 alone, DHS allocated $185 million for CDM tools and services. The Department of Defense, the intelligence community, and state, local and tribal governments can also procure CDM solutions from the CMaaS contract, but they must use their own funding.

CDM RESOURCES FROM AROUND THE WEB

This report provides a quick overview of the CDM program, but there are many good resources around the web describing the program as well. From our research, we have pulled out the core documents for you to review, giving you need-to-know access to the information.

DHS Press Release: https://www.dhs.gov/blog/2013/08/13/major-step-forward-betterprotecting-federal-state-and-local-cyber-networks
GSA Contract Announcement: http://www.gsa.gov/portal/content/176671?utm_source=FAS&utm_medium=print-radio&utm_term=cdm&utm_campaign=shortcuts
CDM Implementation: http://www.dhs.gov/cdm-implementation

BEST PRACTICES WHEN IMPLEMENTING CDM

Symantec’s CDM tools not only help agencies meet government cyber mandates, but also provide the technology to leverage CDM to excel in mission goals.
In our expert interview, Ken Durbin explained that adopting CDM solutions is more than checking a box for compliance. “If an agency implements CDM tools correctly, they are going to improve their cybersecurity posture. There’s just no doubt about it,” Durbin said. The following five best practices will help you fully leverage the benefits of CDM.

1. OPERATE WITH A BROAD VIEW OF CONTINUOUS MONITORING

When imagined comprehensively, CDM allows an organization to determine whether it is effective, efficient, secure and compliant. The first step to getting the most out of CDM is to visualize the program’s complete potential. This means having a full view of what assets are on your network and being able to monitor them to spot abnormalities.

2. SECURE EXECUTIVE BUY-IN

Implementing CDM requires employees at all levels to understand the importance of cybersecurity measures. However, the decision to implement CDM must be made at the top. Ultimately, it will be the decision of the Chief Information Security Officer (CISO) to invest in a CDM solution. The NIST Risk Management Framework recommends securing support from management, including the CISO, the CIO and department heads. To fulfill the mandates of CDM, Durbin said, “Upper level management has to decide that CDM is going to be a priority, and are going to devote the time and resources to get it done and get it done correctly.” Durbin warned, “If it’s just a CIO that hands it off or passes it to an individual who doesn’t have the authority to put any teeth behind it, it’s either not going to be very successful or it’s going to be window dressing to show compliance. It’s doubtful they will see any improvement in their overall cyber security.”

3. COLLABORATE IN IMPLEMENTATION AND COMPLIANCE

Once the CISO decides to pursue CDM, he or she will depend on the entire organization to implement the program and meet compliance. Durbin said, “In a typical IT organization, jobs are divided into areas of responsibility. One area may focus on deploying and managing sensors, another on compliance and another on reporting. The CISO is going to rely on those people to find out what he or she needs and understand his/her environment and requirements.” As you consider the solution that best meets your needs, it is important to consider all the employees and stakeholders engaged throughout the process. Every stakeholder plays an essential role in bringing value and security to your CDM solution. The various actors can be broken down into the following categories:

• Sensor Deployment and Management: These are the employees within your agency who are responsible for implementing the sensors that track usage and produce data; the data collected by the sensors is then used for network analysis.
• Data Aggregation: Data collection occurs at many different points, but the key is to bring that data together into a single repository so your agency can monitor compliance and effectiveness. This provides valuable insights to your agency and can alert system administrators to abnormal activity.
• Reporting and Presentation: Once data has been housed and framed in a single repository, information must be presented in a way that is valuable and flexible enough to satisfy the complex needs of the agency. The reporting and presentation methods used will also need to take into account additional compliance reporting, executive-level reporting and non-security use cases to provide a full view of your agency’s cyber program.
• Risk Based Decisions: Everyone from Chief Information Officers to auditors requires data to make decisions regarding the effectiveness, efficiency, security and compliance of a program. Decisions that affect an agency’s cybersecurity posture are made every day. If CDM is implemented correctly, decisions can be made in terms of risk priority, resulting in a more secure IT environment and a better use of time and resources.

4. KNOW YOUR MATURITY LEVEL

The maturity level of each agency’s IT organization differs and calls for a different kind of cybersecurity solution. In some cases, agencies will just be getting started; in others, agencies will already be using certain aspects of CDM. To adopt the right CDM solution, agencies must assess their preparedness level. Jennifer Nowell provided insights into how agencies can know which solution is best for their needs. “Agencies and organizations can understand their maturity level if they use the NIST Risk Management Framework to assess where they are in the life cycle,” said Nowell. She also agrees with DHS’s recommendation to start with the first four Functional Areas:

1. Devices: An agency should know when a new device has come into the environment, what that device is, and where it is located. Nowell said, “You can’t secure what you can’t see.”
2. Inventory: Agencies should maintain an inventory of the software operating in their environment. This ensures that software can be patched appropriately, or defended when no patches are available.
3. Configuration: Defining baseline configurations shows what the system should look like and makes it easier to determine whether anything in the baseline configuration has been changed.
4. Vulnerability: Agencies must focus on vulnerability management by keeping up with emerging threats.

Nowell advised that prior to implementing a CDM solution, it is essential to know your organizational needs. “Depending on what your agency’s needs are, this could mean purchasing a tool that removes current vulnerabilities, analyzing gaps in protection or creating a dashboard to make better security decisions,” said Nowell.

5. DEFINE METRICS

The government has defined IT security metrics that help agencies prioritize their cybersecurity efforts. These metrics are tracked and reported annually to the public by the Office of Management and Budget (OMB). “Every year DHS produces a document that defines a set of Cyber Security metrics. An agency can use the metrics as a guide to plan that year’s cyber security efforts. Each agency submits a monthly, quarterly and annual report to DHS that documents their progress against the defined metrics,” said Durbin. OMB uses this data to produce a “scorecard” that ranks each agency according to how well it has met each metric, commonly known as the “FISMA Scorecard.” “The Scorecard details where an agency has succeeded as well as where they have missed the mark. It’s actually a good tool for planning next year’s security efforts,” said Durbin. For more insight into the federal government’s goals, visit the following links:

Cross Agency Priority Goal, Improving Cyber Security: http://technology.performance.gov/initiative/ensure-cybersecurity/home
Q3 Status Goal: http://technology.performance.gov/initiative/ensure-cybersecurity/home

These five best practices are just the start of your journey to adopt a CDM solution. CDM gives you the opportunity to drastically improve your awareness of network vulnerabilities and threats, and with it the ability to mitigate cyber threats. You now have a choice: your agency can simply implement the minimum requirements to fulfill compliance, or it can implement a CDM solution that will transform its operations. Paired with the right tools and best practices, CDM will increase your security, productivity and efficiency.

ABOUT SYMANTEC

Symantec protects the world’s information, and is the global leader in security, backup and availability solutions.
Their innovative products and services protect people and information in any environment, from the smallest mobile device to the enterprise data center to cloud-based systems. Their industry-leading expertise in protecting data, identities and interactions gives their government customers confidence in a connected world. More information is available on Symantec’s GovLoop page.

For more information about this report, please reach out to Pat Fiorenza, Senior Research Analyst, GovLoop, at pat@govloop.com, or follow him on Twitter: @pjfiorenza.
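The four Phase 1 Functional Areas discussed under best practice 4 (devices, software inventory, configuration baseline, vulnerability) all reduce to the same operation: compare what the sensors observed in one scan cycle against what the agency has approved, and rank the differences so the dashboard shows what to fix first. The Python script below is an added example written for this page; it is not Symantec’s, DHS’s or any CDM tool’s code. Every device, MAC address, package name, minimum patched version and configuration setting in it is constructed for illustration, and the severity weights are an assumption about how an agency might prioritize, not a CDM requirement.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Baseline data is constructed for this example; it stands in for what an
# agency's asset, whitelisting and configuration-management records would hold.
APPROVED_DEVICES = {
    "00:1a:2b:3c:4d:01": {"host": "ws-001", "location": "HQ, floor 2"},
    "00:1a:2b:3c:4d:02": {"host": "srv-db-01", "location": "HQ data center"},
}
APPROVED_SOFTWARE = {"openssl", "nginx", "python3", "sshd"}
# Hypothetical minimum patched versions; a real program would take these
# from vendor advisories or a vulnerability feed.
MIN_VERSIONS = {"openssl": (1, 0, 2), "nginx": (1, 4, 7), "sshd": (6, 6)}
CONFIG_BASELINE = {
    "srv-db-01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "firewall.default_inbound": "deny",
    },
    "ws-001": {"ssh.PermitRootLogin": "no", "autoupdate": "on"},
}

# Constructed sensor output: one scan cycle over three hosts.
SCAN = [
    {"mac": "00:1a:2b:3c:4d:01", "host": "ws-001",
     "software": {"openssl": "1.0.2k", "python3": "3.4.3"},
     "config": {"ssh.PermitRootLogin": "no", "autoupdate": "off"}},
    {"mac": "00:1a:2b:3c:4d:02", "host": "srv-db-01",
     "software": {"openssl": "1.0.1e", "nginx": "1.6.2", "sshd": "6.6"},
     "config": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
                "firewall.default_inbound": "deny"}},
    {"mac": "00:1a:2b:3c:4d:99", "host": "unknown-host",
     "software": {"netcat": "1.10"},
     "config": {}},
]

# Assumed weights used to rank findings; 3 = act first.
SEVERITY = {"unknown_device": 3, "vulnerable_software": 3,
            "config_drift": 2, "unapproved_software": 2}


@dataclass(frozen=True)
class Finding:
    severity: int
    kind: str
    host: str
    detail: str


def parse_version(text):
    """Turn '1.0.1e' into (1, 0, 1) so versions compare as tuples."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def check_device(record):
    """Hardware asset management: is this MAC address a known, approved device?"""
    if record["mac"] in APPROVED_DEVICES:
        return []
    return [Finding(SEVERITY["unknown_device"], "unknown_device", record["host"],
                    f"MAC {record['mac']} is not in the approved device list")]


def check_software(record):
    """Software asset management plus vulnerability management: whitelist
    check, then a version floor for packages with a known fixed version."""
    findings = []
    for name, version in record["software"].items():
        if name not in APPROVED_SOFTWARE:
            findings.append(Finding(SEVERITY["unapproved_software"], "unapproved_software",
                                    record["host"], f"{name} {version} is not whitelisted"))
        elif name in MIN_VERSIONS and parse_version(version) < MIN_VERSIONS[name]:
            floor = ".".join(map(str, MIN_VERSIONS[name]))
            findings.append(Finding(SEVERITY["vulnerable_software"], "vulnerable_software",
                                    record["host"], f"{name} {version} is below patched floor {floor}"))
    return findings


def check_config(record):
    """Configuration management: compare observed settings with the baseline.
    A missing setting counts as drift; hosts with no baseline are skipped here
    because check_device already reports them as unknown."""
    baseline = CONFIG_BASELINE.get(record["host"])
    if baseline is None:
        return []
    findings = []
    for key, expected in baseline.items():
        observed = record["config"].get(key, "<missing>")
        if observed != expected:
            findings.append(Finding(SEVERITY["config_drift"], "config_drift", record["host"],
                                    f"{key} is {observed!r}, baseline requires {expected!r}"))
    return findings


def evaluate(scan):
    """Run all checks over one scan cycle and return findings, highest severity first."""
    findings = []
    for record in scan:
        findings += check_device(record) + check_software(record) + check_config(record)
    return sorted(findings, key=lambda f: (-f.severity, f.host, f.kind))


def summarize(findings):
    """Dashboard-style roll-up: number of findings per kind."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = evaluate(SCAN)
    for f in results:
        print(f"[sev {f.severity}] {f.kind:20} {f.host:13} {f.detail}")
    print(summarize(results))
```

On the constructed scan, the unknown MAC address, the out-of-date OpenSSL on the database server and the two configuration drifts (root SSH login enabled on the server, automatic updates switched off on the workstation) come out ahead of the unapproved package, which is the ordering a risk-based dashboard is meant to give an administrator. Treating a missing baseline setting as drift, rather than ignoring it, is deliberate: a sensor that stopped reporting a control is itself a gap in visibility.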