Just Deploying Best-of-Breed Security Tools Has Proven to be Insufficient in Mitigating Today’s Cyber Threats...
In light of the massive data breach at the United States Office of Personnel Management (OPM), the need to protect government networks is more urgent than ever. These networks and systems contain sensitive data on everything from healthcare information to national security. In response to mounting cyber threats, the Department of Homeland Security (DHS) initiated the Continuous Diagnostics and Mitigation (CDM) program to safeguard and secure Federal Information Technology networks. The big question remaining is whether the DHS CDM program can really strengthen the security posture of government networks.
The data breach at OPM, which resulted in the exfiltration of sensitive data belonging to roughly 22 million current and former federal employees, highlights the advanced threats Federal networks are confronted with on a daily basis, as well as the severe consequences of inadequate threat defenses. In 2013 the Office of Management and Budget (OMB) mandated that all agencies manage information security risk on a continuous basis using organizational risk management principles. The centerpiece of this initiative, the DHS CDM program, is being deployed in three phases between now and the end of fiscal 2017:
Phase 1: Equips agencies with tools, sensors, and procedures to know what IT hardware and software assets they have on their networks, how they are configured, and where existing vulnerabilities exist.
Phase 2: Provides network boundary controls, tools, and procedures to ensure all persons using Federal networks are known and authenticated and that their access is properly managed based on their individual levels of information privilege.
Phase 3: Provides boundary protection controls and event-management tools so agencies can see what is happening on their networks and respond to events and incidents in a risk-based, prioritized fashion.
Since the CDM program is still taking shape, it is not surprising that the OMB issued a new memorandum on October 30, 2015 (M-16-04, the Cybersecurity Strategy and Implementation Plan) that outlines critical steps for improving Federal information security in the interim. These steps include Federal adoption of the NIST Cybersecurity Framework, more frequent CyberStat and Privacy Program reviews, implementation of a Cybersecurity Sprint, and more stringent reviews of security requirements in third-party contracts. Beyond these interim steps, the OMB continues to push for the efficient and effective acquisition and deployment of existing and emerging technology under the CDM program umbrella.
However, just deploying best-of-breed security tools has proven to be insufficient in mitigating today's cyber threats. The 2013 breach at Target is a good example: the retailer had malware-detection tooling in place that did alert on the intrusion, but the alerts were not acted on in time. The greatest challenge in protecting against cyber threats is establishing a timely and actionable warning system that identifies attacks and vulnerabilities within the network and the IT supply chain. Detection and timely remediation remain a significant technical challenge.
Considering the massive volume of assets, associated controls, and vulnerabilities that agencies have to deal with under a continuous monitoring concept, they often lack the resources to handle the aggregation, normalization, and correlation of this data. The result is lengthy remediation cycles. Another challenge facing government IT is putting vulnerabilities into the context of the risk they actually pose. A scanner's severity rating says nothing about whether the affected host is an internet-exposed database or an isolated test box, or whether the flaw is being exploited in the wild; without risk-based scoring that accounts for such factors, organizations misalign their remediation resources. This is not only a waste of money but, more importantly, lengthens the window of opportunity attackers have to exploit the vulnerabilities that matter most. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software flaw.
Instead of relying solely on scans of Federal networks to detect flaws, anomalies, and suspicious incidents and then alerting IT through a collection of separate dashboards, more progressive government agencies have started to leverage emerging big data risk management technology to create a security orchestration overlay. This model enables security teams to break down data silos and correlate scan results with asset inventory and threat information to achieve an intelligent, integrated, risk-based approach to vulnerability response management. It also establishes processes for automatically generating tickets to remediate prioritized vulnerabilities, tracking them until a rescan confirms closure, and reporting when they have been successfully mitigated.
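The following is an added example, not code from the original article or from any CDM vendor, showing in miniature what the aggregation, normalization, correlation, risk scoring and ticketing described in the last two paragraphs look like in practice. Two constructed scanner exports with different field names are mapped onto one record, duplicates are merged by (asset, CVE), each finding is weighted by asset criticality, internet exposure and known exploitation from a constructed Phase 1 style inventory and threat feed, tickets are opened with a risk-driven SLA, and a ticket is closed only when a rescan no longer reports the flaw. The scanner names, the severity-to-CVSS mapping, the weighting factors and the SLA tiers are all assumptions for illustration.

```python
"""Added example: normalize findings from two scanners, correlate by asset,
score by risk rather than raw CVSS, open tickets and close them on a clean rescan.
All data below is constructed; weights, SLA tiers and tool names are assumptions."""
from dataclasses import dataclass

# Constructed export from a hypothetical network scanner ("scanner_a")
SCANNER_A = [
    {"ip": "10.0.1.5", "plugin": "CVE-2014-0160", "cvss": 5.0},
    {"ip": "10.0.1.5", "plugin": "CVE-2013-2566", "cvss": 4.3},
    {"ip": "10.0.2.9", "plugin": "CVE-2014-0160", "cvss": 5.0},
]
# Constructed export from a hypothetical configuration checker ("scanner_b"),
# which reports severities as words instead of CVSS numbers
SCANNER_B = [
    {"host": "10.0.1.5", "cve_id": "CVE-2014-0160", "severity": "Medium"},
    {"host": "10.0.3.20", "cve_id": "CVE-2012-0002", "severity": "Critical"},
]
# Constructed Phase 1 style inventory: what is on the network and how much it matters
ASSETS = {
    "10.0.1.5": {"name": "hr-db-01", "criticality": 5, "internet_exposed": True},
    "10.0.2.9": {"name": "dev-box-7", "criticality": 1, "internet_exposed": False},
    "10.0.3.20": {"name": "file-srv-2", "criticality": 3, "internet_exposed": False},
}
# Constructed threat-intel feed: CVEs with public exploitation reported
EXPLOITED = {"CVE-2014-0160", "CVE-2012-0002"}
# Assumed mapping for tools that only emit severity words
SEVERITY_TO_CVSS = {"Low": 2.0, "Medium": 5.0, "High": 7.5, "Critical": 9.5}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    source: str


def normalize(scanner_a, scanner_b):
    """Map both vendor schemas onto one Finding record."""
    out = [Finding(r["ip"], r["plugin"], float(r["cvss"]), "scanner_a") for r in scanner_a]
    out += [Finding(r["host"], r["cve_id"], SEVERITY_TO_CVSS[r["severity"]], "scanner_b")
            for r in scanner_b]
    return out


def correlate(findings):
    """Collapse the same (asset, CVE) seen by several tools into one record,
    keeping the highest CVSS and remembering which tools reported it."""
    merged = {}
    for f in findings:
        rec = merged.setdefault((f.asset, f.cve), {"cvss": 0.0, "sources": set()})
        rec["cvss"] = max(rec["cvss"], f.cvss)
        rec["sources"].add(f.source)
    return merged


def risk_score(cvss, asset, exploited):
    """CVSS alone ignores where the flaw sits; weight it by asset criticality,
    internet exposure and known exploitation (the weights are assumptions)."""
    score = cvss * asset["criticality"]
    score *= 2 if asset["internet_exposed"] else 1
    score *= 2 if exploited else 1
    return score


def prioritize(merged, assets, exploited):
    """Return findings ordered by risk, highest first; unknown hosts get a default profile."""
    ranked = []
    for (ip, cve), rec in merged.items():
        asset = assets.get(ip, {"name": ip, "criticality": 1, "internet_exposed": False})
        ranked.append({"asset": asset["name"], "ip": ip, "cve": cve, "cvss": rec["cvss"],
                       "risk": risk_score(rec["cvss"], asset, cve in exploited),
                       "sources": sorted(rec["sources"])})
    return sorted(ranked, key=lambda r: (-r["risk"], r["ip"], r["cve"]))


def open_tickets(ranked):
    """Turn the ranked list into remediation tickets with a due date driven by risk
    (the SLA tiers are assumptions)."""
    tickets = []
    for n, r in enumerate(ranked, start=1):
        due = 3 if r["risk"] >= 75 else 14 if r["risk"] >= 40 else 30
        tickets.append({"id": f"VRM-{n:04d}", "status": "open", "due_days": due, **r})
    return tickets


def reconcile(tickets, rescan_findings):
    """Close a ticket only when the next scan no longer reports its (asset, CVE);
    anything still present stays open, so nothing drops off the list silently."""
    still_present = {(f.asset, f.cve) for f in rescan_findings}
    for t in tickets:
        t["status"] = "open" if (t["ip"], t["cve"]) in still_present else "closed"
    return tickets


def run():
    """Full cycle: ingest, correlate, rank, ticket, then reconcile against a rescan."""
    tickets = open_tickets(prioritize(correlate(normalize(SCANNER_A, SCANNER_B)), ASSETS, EXPLOITED))
    # Constructed rescan: hr-db-01 has patched Heartbleed, everything else is unchanged
    rescan = [f for f in normalize(SCANNER_A, SCANNER_B)
              if not (f.asset == "10.0.1.5" and f.cve == "CVE-2014-0160")]
    return reconcile(tickets, rescan)


if __name__ == "__main__":
    for t in run():
        print(t["id"], t["status"], t["asset"], t["cve"], "cvss", t["cvss"], "risk", t["risk"], "due", t["due_days"])
```

Note how the two orderings differ: by raw CVSS the Critical-rated flaw on the internal file server would be patched first and the two Heartbleed findings would tie, whereas the risk-weighted ranking puts Heartbleed on the internet-exposed HR database at the top (reported by both tools, counted once) and the same CVE on the isolated dev box last.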