From the Summer 2014 Issue

Implementing Continuous Monitoring to Combat the Nation’s Cyber Threat

Matt Brown
Vice President | Homeland Security and Cyber Solutions Knowledge Consulting Group (KCG)

Cyber attacks on federal government systems are increasing in volume, vigor and complexity. In fiscal 2012 alone, there were 48,562 cybersecurity incidents at federal agencies reported to the U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). That’s a 782 percent increase over the 5,503 incidents in fiscal 2006.

When a cyber attack compromises a network, the costly effects can go beyond the harm of interrupted service, resulting in unauthorized access of sensitive information or significant damage to infrastructure. Overcoming an attack is expensive: on average a single successful cyber attack can cost more than $1 million and take 32 days to resolve, according to a 2013 Ponemon Institute study.

Comprehensive systems designed to protect against these threats need to remain one step ahead to stave off impending attacks, diagnose those “in-progress” and institute policies to rapidly convey risks and repair flaws.

Continuous Diagnostics and Mitigation – Securing .Gov Networks 

Continuous monitoring is the technology process that allows agencies to conduct ongoing, real-time checks for compliance and risk inconsistencies to illustrate an accurate, up-to-the-second state of network security. It examines changes within network interactions – both planned and unexpected – to proactively manage cyber threats and security holes within the government. In the absence of continuous monitoring, agencies remain exposed to additional cybersecurity risks, particularly when reviews on security are sporadic and infrequent.

The U.S. Department of Homeland Security (DHS) created the Continuous Diagnostics and Mitigation (CDM) program, a $6 billion government-wide contract vehicle, to defend against increasingly aggressive and sophisticated attacks targeting government information technology (IT) infrastructure and networks. The goal is to fortify federal civilian “.gov” networks – and the often classified, sensitive and personal data that resides on those networks – as well as to ensure the government’s continued ability to provide services and information critical to the public.

CDM aims to move away from historical compliance reporting and towards combating immediate threats to the nation’s security infrastructure. The goal is to prevent, monitor and eliminate threats. It identifies attacks as they happen and automatically alerts personnel, from systems administrators to Chief Information Officers, to take immediate action. CDM also arms agencies with the tools and processes necessary to send real-time diagnostic sensor data into their own customized dashboards to instantly interpret information and communicate it to the right people. At the federal level, DHS will also maintain a dashboard to allow for a big picture threat assessment across all agencies. Without a comprehensive continuous monitoring strategy, agencies open themselves up to security weaknesses and flaws that can lead to crushing cyber attacks. 

Transitioning to CDM 

Agency and department adoption of CDM is already underway. A previously awarded task order in January of this year set the wheels in motion, with agencies acquiring additional technology or software licenses for solutions they already owned. A few agencies went further and actually implemented new sensors in their systems. This was only step one.

Over the summer, DHS plans to make single awards for task orders that will deliver significantly more sensors and the services required to implement them throughout multiple departments and agencies. After that, the program becomes even more comprehensive and complex as agencies embed CDM deeper into their own systems and processes. 

Preparing for Upcoming Phases

CDM has three distinct phases which cover 15 continuous diagnostic capabilities. Phase 1 focuses on endpoint integrity to protect systems and data via management of hardware and software assets, configuration management and vulnerability management. Phase 2 centers on Least Privilege and Infrastructure Integrity, and Phase 3 deals with Boundary Protection and Event Management.
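The Phase 1 capabilities just listed (hardware and software asset management, configuration management and vulnerability management) all reduce to one recurring operation: compare what the sensors observe against what the agency has authorized, then rank the deviations so the right person sees the worst first. The Python script below is an added illustration of that loop written for this article; it is not code from KCG, DHS or the CDM program. The three feeds, the host names, the settings and the CVSS scores are constructed sample data, and the scoring weights are assumptions chosen for the example.

```python
"""Toy continuous-diagnostics pass over constructed sensor feeds.

Added illustration, not KCG's or the DHS CDM program's code. It assumes three
constructed feeds (an authorized-asset baseline, a host-sensor inventory and a
vulnerability-scanner export) and reconciles them the way the CDM Phase 1
capabilities describe: observed state versus authorized state, with the
deviations scored and flattened into dashboard-ready records.
"""
from dataclasses import dataclass, field

# Constructed authorized baseline: what the agency says belongs on the network.
AUTHORIZED_HOSTS = {"ws-001", "ws-002", "srv-db-01"}
APPROVED_SOFTWARE = {"openssh 9.6", "chrome 124", "postgresql 15.6"}
CONFIG_BASELINE = {"ssh_root_login": "no", "auto_update": "on", "screen_lock_min": "15"}

# Constructed host-sensor inventory from the latest polling cycle.
HOST_FEED = [
    {"host": "ws-001", "software": ["openssh 9.6", "chrome 124"],
     "config": {"ssh_root_login": "no", "auto_update": "on", "screen_lock_min": "15"}},
    {"host": "ws-002", "software": ["openssh 9.6", "chrome 118"],
     "config": {"ssh_root_login": "no", "auto_update": "off", "screen_lock_min": "15"}},
    {"host": "lab-box-7", "software": ["python 3.12"],
     "config": {"ssh_root_login": "yes", "auto_update": "off", "screen_lock_min": "0"}},
]

# Constructed vulnerability-scanner export; the CVSS scores are illustrative placeholders.
VULN_FEED = [
    {"host": "ws-002", "plugin": "outdated browser", "cvss": 8.8, "age_days": 40},
    {"host": "srv-db-01", "plugin": "weak TLS cipher", "cvss": 5.3, "age_days": 3},
    {"host": "lab-box-7", "plugin": "remote code execution", "cvss": 9.8, "age_days": 1},
]


@dataclass(order=True)
class Finding:
    """One deviation; only the score takes part in ordering."""
    score: float
    capability: str = field(compare=False)
    host: str = field(compare=False)
    detail: str = field(compare=False)


def hardware_findings(host_feed, authorized=AUTHORIZED_HOSTS):
    """HWAM: devices the sensors see that are not authorized, and authorized devices gone silent."""
    seen = {h["host"] for h in host_feed}
    out = [Finding(9.0, "HWAM", host, "unauthorized device observed on network")
           for host in sorted(seen - authorized)]
    out += [Finding(4.0, "HWAM", host, "authorized device not reporting (sensor gap)")
            for host in sorted(authorized - seen)]
    return out


def software_findings(host_feed, approved=APPROVED_SOFTWARE):
    """SWAM: installed packages missing from the approved-software list."""
    return [Finding(6.0, "SWAM", h["host"], f"unapproved software: {pkg}")
            for h in host_feed for pkg in h["software"] if pkg not in approved]


def config_findings(host_feed, baseline=CONFIG_BASELINE):
    """CSM: settings that have drifted from the configuration baseline."""
    out = []
    for h in host_feed:
        for key, expected in baseline.items():
            actual = h["config"].get(key)
            if actual != expected:
                out.append(Finding(7.0, "CSM", h["host"], f"{key}={actual!r}, baseline {expected!r}"))
    return out


def vulnerability_findings(vuln_feed):
    """VUL: scanner results, with the score nudged upward the longer a finding stays open."""
    out = []
    for v in vuln_feed:
        age_penalty = min(v["age_days"] / 30, 1.0)  # assumed weight: at most +1.0 after 30 days
        score = round(min(v["cvss"] + age_penalty, 10.0), 1)
        out.append(Finding(score, "VUL", v["host"], f"{v['plugin']} (CVSS {v['cvss']}, open {v['age_days']}d)"))
    return out


def diagnostic_cycle(host_feed=HOST_FEED, vuln_feed=VULN_FEED):
    """One monitoring cycle: every capability's findings, highest risk first."""
    findings = (hardware_findings(host_feed) + software_findings(host_feed)
                + config_findings(host_feed) + vulnerability_findings(vuln_feed))
    return sorted(findings, reverse=True)


def dashboard_rows(findings):
    """Flatten findings into the uniform records a dashboard or correlation tool can ingest."""
    return [{"score": f.score, "capability": f.capability, "host": f.host, "detail": f.detail}
            for f in findings]


if __name__ == "__main__":
    for row in dashboard_rows(diagnostic_cycle()):
        print(f"{row['score']:>4}  {row['capability']:<4} {row['host']:<10} {row['detail']}")
```

On the sample data the unregistered host and the aged, high-severity scanner findings rise to the top of the cycle, while the silent database server surfaces as a sensor gap rather than disappearing from view. Each record that dashboard_rows returns has the same shape regardless of which sensor produced it, which is the kind of normalization the data-integration step requires before feeds from different tools can be correlated in one agency dashboard.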

Given the tools and services coming up in the pipeline, agencies should aim to figure out how they’re going to get near-term wins while also fully preparing for the subsequent phases of CDM. As some new services are already being deployed, agencies must simultaneously plan for the large number of sensors and services on the horizon, and develop comprehensive implementation strategies.

To best prepare for the further adoption of CDM, agencies should consider the following:

  1. Implementation and operation of sensors

Agencies need to start thinking about how the implementation of sensors will impact business practices – individual roles and responsibilities will be altered. For example, Information System Security Officers (ISSOs) will shift from documentation to helping facilitate and assess new patches and controls. Systems Administrators will now need to monitor their systems daily to identify and prioritize which security holes to fix.

  2. Data integration

To be able to flag data to the right person at the right time, agencies need to determine how to seamlessly integrate data feeds into their own internal dashboard or correlation technology. This will be an important component for effectively monitoring systems on a continuous basis.

  3. Upcoming technologies

Agencies should understand the technologies utilized in the next CDM phase – including Network Access Control, Manage Trust in People Granted Access, Manage Security Related Behavior, Manage Credentials and Authentication, as well as Manage Account Access/Manage Privilege – to determine how they will fit into their overall strategy. This includes evaluating what they already have in place to satisfy functional requirements, and identifying what they need from the CDM program.

  4. Communities of Interest

Agencies should establish communities of interest: other organizations with similar requirements that face similar challenges. These communities will play a key role in shortening the timeframe from adoption to implementation, as they can continuously share information on best practices and lessons learned.

In the coming months, DHS is set to announce task orders for products and services under the $6 billion CDM cyber contract, helping to accelerate the government’s transition to a continuous monitoring approach. Adoption of CDM across the government is the next logical step in combating – and defeating – cyber adversaries looking to penetrate federal mission critical systems.
