Aubrey Merchant-Dest, Director of Security for Blue Coat Systems, an Iron Bow partner, gives us a view into the General Services Administration’s (GSA) Continuous Diagnostics and Mitigation (CDM) blanket purchase agreement.
Recently, I participated in a panel discussion with IT leaders from the Departments of State and Commerce as well as the National Oceanographic and Atmospheric Administration (NOAA) on Continuous Diagnostics and Mitigation (CDM). It was interesting to hear the perspectives of government agency IT leaders on the importance of CDM and its role in complying with audits and minimizing risk. Most of you reading this piece are likely very familiar with the goals of CDM. I recall a presentation at AFCEA years ago where the speaker stated that ‘we’ve gotten very good at passing audits,’ and that message has resonated with me ever since, because passing audits does not make you secure and certainly does not eliminate risk. Risk is always present, and some of it must be accepted. The simple truth is that we can’t have networks that are 100 percent secure; to put it another way, we live in a post-breach world.
The exploits are coming faster than industry can respond, but we’re getting better at defending our network assets. We’re faced with malicious code, unauthorized access, improper use and a host of other issues. The attack surface is getting larger all the time, too. Bring your own device (BYOD) and cloud services add another dimension to consider as we strive to keep our networks secure from nation states, hacktivists, insiders and cyber criminals. Some 80 percent of exploits leverage known vulnerabilities or weaknesses in configuration management.
For those not familiar, CDM outlines a three-phased approach to risk management. Phase 1 is endpoint integrity, covering management of hardware and software assets, configuration management and known vulnerabilities. Phase 2 defines the computing environment, including people and networking infrastructure, and implements least privilege as well as infrastructure integrity. Phase 3 relates to boundary and event management, enabling a holistic view of situational awareness within and across network boundaries by aggregating and correlating data from Phases 1 and 2.
We can classify the CDM enabling technologies in the following broad categories:
• Security Information/Event Management (SIEM)
• Vulnerability Assessment
• Endpoint Monitoring
The guidelines in CDM allow us to focus our priorities where they are most needed and will have the greatest impact. CDM provides increased situational awareness, improved asset protection and lowered operational risk. Some agencies have reported up to a 90 percent reduction in risk after implementing CDM, and this should be repeatable. How many person-hours spent chasing incidents, alerts and events does a 90 percent reduction in risk represent? That’s solid ROI we can embrace. For the remaining 10 percent we should consider a lifecycle defense architecture, which provides the analytics and visibility needed to quickly detect activity that may be malicious.