Continuous Diagnostics and Mitigation: A Look Back and Preparing for Phase Three
Continuous monitoring, situational awareness, common operational picture, single pane of glass — these are just a few of the terms with which I’ve become well-acquainted throughout my career. Each one attempts to depict how security operations centers (SOCs) can reach the holy grail of data aggregation.
To prevent, respond to or remediate a security incident, an organization must be able to detect anomalous behavior. Furthermore, an organization can only identify anomalies if it is fully capable of monitoring all assets and activity traversing its network. Unfortunately, realizing the all-encompassing cybersecurity view and building an unobscured line of sight proved much harder than any marksman cared to admit, especially without the aid of a comprehensive strategy.
Reviewing the Continuous Diagnostics and Mitigation Program
On Nov. 18, 2013, the Executive Office of the President (EOP)’s Office of Management and Budget (OMB) issued a memorandum titled “Enhancing the Security of Federal Information and Information Systems,” which sought to strengthen the nation’s cybersecurity posture through best-of-breed technology, engineering and automation, including monitoring. The Department of Homeland Security (DHS) established the Continuous Diagnostics and Mitigation (CDM) program in conjunction with the memorandum.
The program offered federal, state, local and tribal governments the ability to procure technology to assist in the continuous monitoring of information systems. The goal was to paint a common picture to better understand what resided on government networks, assess relevant risks, learn mitigation techniques and establish line of sight. Ideally, this would lead to more efficient prevention, response and remediation in accordance with maturing federal compliance requirements.
DHS envisioned implementing the CDM strategy in three phases, focusing on endpoints, identities and network traffic. CDM was expected to last five years with a $6 billion ceiling. While we’re entering the fifth year, it’s apparent that the timeline and respective milestones slipped to accommodate the monumental efforts involved along the way.
Enter Phase Three
The third phase of the CDM program covers enclave boundary protection and event management across the security life cycle. It encompasses the following capabilities: Boundary Protection (BOUND); Manage Events; Design and Build in Security; and Operate, Monitor and Improve.
BOUND deals with reducing inappropriate access to networks, systems and data. Manage Events pertains to preparing for security events, gathering threat data, identifying security incidents and assessing vulnerability impact. Design and Build in Security reflects a strategy to reduce the attack surface during acquisition, development and deployment. Finally, Operate, Monitor and Improve facilitates security incident investigation, threat source analysis, root cause analysis, mitigation determination, vulnerability impact assessment and mitigation evaluation.
Phase three enables companies to address gaps in their cybersecurity architectures, take advantage of remaining funds and benefit from pre-approved functionalities with advanced planning. Anyone interested in this process should learn more about the upcoming briefing on IBM Watson and CDM.