CDM Designed to Help Federal Agencies Understand Risk Posture and Become Digitally Resilient

Government Technology Insider | October 24, 2018

The goal of the Continuous Diagnostics and Mitigation (CDM) Program is for all civilian agencies included in the program under the Chief Financial Officers’ (CFO) Act to feed data to the federal government-wide cybersecurity threat dashboard. With each individual agency’s information compiled, the dashboard consolidates threat information from individual agency feeds to give an overall understanding of the cyber risks facing civilian agencies and enables them to prioritize the most critical issues. 

RedSeal and DHS CISO’s Current Priorities

In early August, at MeriTalk’s Cyber Security Brainstorm, Paul Beckman, chief information security officer (CISO) at the Department of Homeland Security (DHS), said that his biggest new priorities are:

  • Increasing use of software-defined networking (SDN)
  • Adopting a zero-trust model
  • Optimizing DHS’ security operations centers (SOC)

He added that the ability to leverage microsegmentation in clouds or SDNs is an efficient way to provide network data security services.

That is true, to an extent.

Unfortunately, Mr. Beckman puts too much trust in SDN security. If the word “software” does not concern you, you are not thinking about the problem hard enough. Humans make and deploy software, and humans make mistakes, even in something called “software-defined.” They often don’t see what’s exposed as they build out their architecture; they may have intended to segment something and not realize that it isn’t.

SDNs grow and change quickly. An equally agile modeling solution can ensure that any mistakes are caught and fixed rapidly. There can easily be millions of rules to check as workloads spin up and down too fast for any human to keep up. RedSeal will validate all your security rules over time to ensure that configuration drift doesn’t cause segmentation violations.

Agencies can create risks, too, by making multiple changes over time without comprehending the combined effect those changes have on end-to-end security. This problem is exacerbated by SDNs because of the ease and speed of change they offer. To reduce the risks and realize the true power of SDNs, agile change control should be part of your approval process. This will allow you to model changes at machine speed to see exactly what effect a change will have on end-to-end security.

On top of the architecture, update and workflow issues, most SDNs exist in hybrid data center environments, connected to other SDNs, public clouds and physical assets. RedSeal’s model of your network includes all your environments, so you can see access between and within each one. While I agree that SDNs are an improvement on the earlier way of providing security services, they are not a silver bullet.

Mr. Beckman also said, “One of the things that I think we are, as an IT organization, going to be evolving to, is that zero-trust model. Traditionally the perimeter was your primary means of defense, but once you got into the squishy center, you were generally a trusted entity. That needs to go away.”

With zero trust, he said, you need to authenticate everything a user tries to access inside the perimeter. It’s a great idea for any organization to trust no one on the inside of a network and make them prove they’re authorized to be there. But what happens when credentials are compromised? Compromising credentials is harder today, after the adoption of two-factor authentication procedures and password managers, but not impossible. Hackers still find a way.

Lastly, Mr. Beckman wants to consolidate 16 independent SOCs into four or five centers operating in a “SOC-as-a-service” format. These kinds of consolidation efforts have happened before. The government has put a lot of effort into merging SOCs, only to have them split apart again due to performance issues or mission requirements.

What is new and admirable is a focus on grading the performance of each individual SOC. Identifying poor performers and merging them with high-scoring SOCs seems like a logical way to take advantage of the limited numbers of highly skilled security professionals and improve outcomes. Again, this sounds good in theory. We will see how it works in real life environments.

For more information about how RedSeal meets the DHS’s highest priorities this year, visit our website at: www.redseal.net/government.

RedSeal and DHS CDM DEFEND

This year, the big news in government cybersecurity is the DHS CDM DEFEND program and the task orders being announced by various federal departments. CDM DEFEND stands for Continuous Diagnostics and Mitigation (CDM) Dynamic and Evolving Federal Enterprise Network Defense; its task orders are awarded under the General Services Administration’s Alliant 1 Unrestricted contract. GSA and the Department of Homeland Security (DHS) jointly run CDM to secure civilian agency “.gov” networks from cyber attacks.

RedSeal and Government Cybersecurity

RedSeal has a history of support for federal government cybersecurity initiatives. The company’s network modeling and risk scoring platform is installed in numerous defense, intelligence, and civilian organizations for continuous monitoring.

At the highest level, RedSeal delivers three core security controls:

  • Visibility: Automated network mapping and situational awareness
  • Verification: Continuous comparison of network security architecture against desired posture
  • Prioritization: Analysis of vulnerability scan data and network architecture to identify the highest risk vulnerabilities that must be remediated immediately

These controls apply to both legacy deployments and new architectures. In legacy deployments, RedSeal allows you to understand the existing environment and identify security control gaps. In new architectures, RedSeal validates that the network is built and operated as designed. And in all situations, RedSeal increases the value of scanning and penetration testing by prioritizing those vulnerabilities that are the most dangerous cybersecurity threats – based on how each network is put together.

The objective of the DHS CDM DEFEND program is to discover, assess and plan for 100% agency network coverage and provide context for prioritizing the closure of coverage gaps. Winners of task orders must discover all networked assets in an agency – including perimeter, cloud and mobile environments. Plus, they must develop a plan to protect all environments within six months of work commencing, and on a continuous basis after implementation. What’s more, merely visualizing what’s on the network isn’t enough; vendors must also prioritize fixing the worst problems first.


How Does RedSeal Fit with DHS CDM DEFEND Solution Requirements?

RedSeal supports six of the eight DHS CDM DEFEND solution requirements.

Hardware Asset Management: RedSeal’s complete network map and network device inventory provide a framework for hardware inventory processes and discovery. The solution also provides a complete inventory of in-scope Layer 2 and Layer 3 network devices.

Configuration Settings Management: RedSeal automatically analyzes individual device configurations to see if they are secure. This includes password policies for firewalls, routers, load balancers, and wireless controllers, services enabled, logical port configurations, and networking parameters. You can also create custom checks and be notified automatically about any deviations from baselines.

Vulnerability Management: At the highest level, vulnerability management consists of two tasks: vulnerability scanning and remediation. RedSeal can determine if you have any gaps in your vulnerability scan coverage and identify the device blocking the scan. In addition, RedSeal has a unique ability to prioritize remediation by identifying the vulnerabilities that pose the highest risk in each network. RedSeal combines results from top scanners (such as Rapid7 InsightVM, Tenable Nessus, and Qualys) and centralizes scoring and prioritization. Then, it overlays its detailed knowledge of all network paths to prioritize the specific systems and vulnerabilities that could be used to do the most damage if they were exploited. Without this, organizations waste huge amounts of time remediating “high priority” vulnerabilities that could wait, because the potential damage from an exploit is very limited. And they ignore “low priority” vulnerabilities that are actually dangerous because they can be used to pivot into higher value targets in a network.

Boundary Protection: Effective boundary protections are typically based on network architecture and access policies on routers, switches and firewalls. In practice, it is extremely difficult to operationalize this control, especially in multi-vendor environments. However, RedSeal is able to analyze networks continuously and evaluate possible connectivity against desired policy. This enables even the largest organizations to implement boundary protections on multi-vendor networks in an operationally efficient manner. And this, in turn, makes it realistic to implement multi-layer segmentation policies, where assets can be isolated from the rest of the internal network to better protect sensitive data, and limit the ability of malware to spread after initial compromise.
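An added example (not RedSeal’s code) of the two checks described in the Vulnerability Management and Boundary Protection paragraphs above: comparing the flows the firewalls actually permit against a desired segmentation policy, and ranking scanner findings by how reachable a host is from the internet and what it could pivot to, rather than by CVSS alone. The zone names, rules, findings, vulnerability ids and weights are all constructed assumptions.

```python
from collections import deque

# Constructed sample model for this example (not RedSeal data or output).
# Flows the firewalls actually permit between zones: (src_zone, dst_zone, port).
ALLOWED = {
    ("internet", "dmz", 443),
    ("dmz", "app", 8080),
    ("app", "db", 5432),
    ("corp", "app", 8080),
    ("corp", "db", 5432),  # configuration drift: not part of the approved design
}
# Desired segmentation policy: zone pairs that must have no direct access on any port.
FORBIDDEN = {("internet", "app"), ("internet", "db"), ("corp", "db")}
# Assumed asset value per zone, used to weigh what a compromised host could pivot to.
VALUE = {"internet": 0, "dmz": 1, "app": 3, "corp": 2, "db": 10, "lab": 0}
# Constructed scanner findings: (host, zone, vulnerability id, CVSS base score).
FINDINGS = [
    ("web01", "dmz", "VULN-A", 5.3),   # medium score, internet-facing, pivots to app and db
    ("lab01", "lab", "VULN-B", 9.8),   # critical score, but isolated: nothing reaches it, it reaches nothing
    ("hr01", "corp", "VULN-C", 6.5),   # not exposed, but the drift rule gives it a path to db
]

def segmentation_violations(allowed=ALLOWED, forbidden=FORBIDDEN):
    """Return permitted flows that the desired policy says must not exist."""
    return sorted(r for r in allowed if (r[0], r[1]) in forbidden)

def reachable_from(zone, allowed=ALLOWED):
    """Zones reachable from `zone` over any chain of permitted flows (pivot paths)."""
    seen, queue = {zone}, deque([zone])
    while queue:
        cur = queue.popleft()
        for src, dst, _port in allowed:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(zone)
    return seen

def prioritize(findings=FINDINGS, allowed=ALLOWED, value=VALUE):
    """Rank findings by CVSS weighted with internet exposure and downstream pivot value."""
    exposed = reachable_from("internet", allowed)
    ranked = []
    for host, zone, vuln_id, cvss in findings:
        exposure = 1.0 if zone in exposed else 0.2   # assumed weights: unreachable hosts are far less urgent
        pivot = sum(value[z] for z in reachable_from(zone, allowed))
        ranked.append((round(cvss * exposure * (1 + pivot), 1), host, vuln_id))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    print("violations:", segmentation_violations())
    print("priority:", prioritize())
```

On this model the CVSS 5.3 finding on the internet-facing web server outranks the CVSS 9.8 finding on the isolated lab host, and the drift rule `corp -> db` is flagged as a segmentation violation.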

Incident Response: Many information sources and technical disciplines must work in concert for effective incident response. Once an indicator of compromise is identified by a SIEM, RedSeal brings network topology and reachability information to help determine how significant the risk is and what systems may be at risk. Normally this is a manual and time-consuming process, relying on traceroutes and network maps that are often out of date. Staff must comb through configurations to piece together the potential malware exploit paths. This delays an organization’s ability to respond appropriately to the event, increasing both risk and the eventual overall damage. RedSeal automates this entire network investigation process, providing incident response teams with accurate information about network exploitation paths so their response can be quicker and more focused.

RedSeal Capabilities mapped to CDM DEFEND Requirements
Capability columns: Hardware | Config | Vuln Mgmt | Boundary | Response
Rapid Assessment: Yes Yes Yes
Boundary Architecture Changes: Yes Yes Yes Yes
Evaluate multiple CDM states: Yes
Vuln Mgmt and Triage: Yes Yes Yes Yes Yes
Change Control & L2/L3 Auditing: Yes Yes Yes Yes
Incident Response: Yes Yes Yes Yes

Summary

The federal government’s DHS CDM DEFEND program is a response to today’s cybersecurity reality. By encouraging organizations to rely less on auditing static preventive measures and instead on implementing CDM, the program better positions agencies to ensure their defenses are well established at all times. The program also encourages agencies to put in place procedures to detect, evaluate, and respond to incidents, no matter when they occur.

RedSeal provides a substantial contribution to the CDM framework by delivering a unique control set for boundary protection, situational awareness, vulnerability mitigation prioritization, and configuration management.

RedSeal is a “must-have” part of any CDM team currently bidding for DHS CDM DEFEND task orders.

Want to learn more about RedSeal’s integration with cybersecurity tools and how it can be an integral part of any CDM program? Connect with RedSeal today.