As we have seen with recent security breaches – including the SolarWinds attack – it can be challenging for Federal security leaders to effectively detect cyber threats across their networks. In the last few decades, private sector organizations have established tools to help monitor for malicious activity, but until recently, the Federal government hasn’t had one centralized method.
The Continuous Diagnostics and Mitigation (CDM) program standardizes how civilian agencies monitor their networks for cyber threats while improving their cybersecurity posture. The program operates under the direction of the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
Through this centralized strategy, the CDM dashboard empowers an ideal threat hunting environment for cybersecurity professionals to identify threats before they strike. DHS is leading the way in exploring advanced endpoint detection and response technologies available to the agency personnel that need them.
The May 12 release of the Executive Order on Improving the Nation’s Cybersecurity greatly accelerated these efforts. The Order requires agencies to deploy an Endpoint Detection and Response (EDR) capability. CISA is tasked with prescribing an EDR deployment initiative to support host-level visibility, attribution, and response regarding Federal Civilian Executive Branch (FCEB) Information Systems at scale. The Order also mandates the authorization of much-anticipated changes to the agreements between FCEB agencies and DHS, which now requires agencies to share detailed information about their systems through the CDM program.
For the first time, the CDM program now has both the technical ability to hunt for threats at scale, and policy authorizing it to do so. Here’s how Federal cyber professionals can leverage these updates and make the most out of the CDM program:
Standardization Makes it Possible to Hunt at Scale
Until now, the lack of normalized data formats has contributed to poor data quality and made it challenging to identify potential vulnerabilities at scale. Open technology tools and common schema specifications hold the power to unlock previously disparate data.
The CDM dashboard maximizes common schema tools, and the increased support for the dashboard means data from various sources, locations, and formats can be more quickly synced and analyzed.
Under the Chief Financial Officers (CFO) Act, there are 23 agency-specific dashboards that feed into the wide-spanning Federal CDM dashboard, as well as data from more than 70 non-CFO Act agencies. As even more agencies adopt the centralized CDM dashboard, the amount of valuable intelligence will continue to grow, delivering the comprehensive government-wide threat visibility required to combat increasingly sophisticated cybercriminals.
Finding Hidden Threats Quickly Depends on Data
Successful threat hunting begins with having the right data to answer the right questions at the right time. Without that data, there is no hunt. Why? Because dwell time – the time between when a compromise first occurs and when it is detected – is on the rise.
Sophisticated state-sponsored threat actors can remain undetected for months; foreign adversaries’ average dwell time is 10-plus days, and in the SolarWinds case we saw dwell times of 300-plus days. The only way to accurately analyze these long dwell times is to retain telemetry for longer periods of time so that historical analysis can be performed.
Data consolidation opens up more insights that can be gathered quickly and cost effectively. While this is good for threat hunters – the more data you have, the more effective your threat hunting process will be – it can easily overwhelm agency systems with its sheer volume and velocity. Further, some degree of data normalization is necessary to enable automated detection at scale, and to help analysts find what they’re looking for. The CDM dashboard provides a model for government-wide data normalization, and helps search through mountains of data – fast. And more data means determining where a breach occurred, what it impacted, and how it might be related to other events.
From Reactive to Proactive Cybersecurity
Agencies need an offensive mindset in today’s security environment and must always assume they’re at risk of being compromised. It’s in this zero-trust world where threat hunters can play a critical role. They understand where and how to look for security threats and can analyze the trends the CDM dashboard generates. Threat hunters are prepared to “fight the network” to eradicate adversaries from within ever-expanding agency perimeters.
It’s not a matter of if, but when, the next cyberattack occurs. When we started writing this article, the Microsoft Exchange breach “Hafnium” was discovered; by the time this article is published, the next big breach – or several big breaches – will have already taken place.
With a more unified approach to how we consume, manage, and analyze data, the nation’s defenders can stop observing the problem and start playing offense, making CDM’s government-wide vision of proactive security a reality of our cyber defense.
The effort has gained significant support from policymakers as well. This year, the National Defense Authorization Act (NDAA) gives CISA the ability to collect data from Federal agency networks and proactively hunt for vulnerabilities without notifying the individual agencies. The Executive Order on Improving the Nation’s Cybersecurity contains dozens of new and enhanced provisions which provide CISA with the authority to make a significant impact. In order to maintain transparency across government, DHS will be required to report the findings of this proactive threat hunting to Congress. With the CDM dashboard, this information is easily shareable, but adhering to the NDAA while continuing to increase threat hunting efforts requires agencies to change the way data is stored, accessed, and analyzed.
In its continuous evolution, more features will be added to the CDM dashboard during the government’s next fiscal year, and updated capabilities are already being piloted at a handful of smaller agencies to measure potential impact. These enhancements include a CDM-enabled Threat Hunting capability, which pulls EDR and log data into the agency dashboard, and enables query across agencies from the Federal dashboard. Generating deeper insights from across the government to alert threat hunters is a giant step forward, and the CDM dashboards can enable this – identifying threats in time to make a difference.