The Continuous Diagnostics and Mitigation (CDM) program won praise from tech-sector officials at MeriTalk’s CDM Central virtual conference on Dec. 3 for its mostly unheralded work in helping Federal agencies make quick fixes to security during this year’s coronavirus pandemic. In June, CDM Program Manager Kevin Cox offered insights, as part of MeriTalk’s CIO Crossroads program, into how his office jumped in to help agencies in need.
Mike Guercio, CDM Strategy and Business Development Manager at Splunk, spoke at the Dec. event about the increase in “opportunistic” malicious cyber actors during the pandemic, and noted work that the CDM program office undertook to provide an “extra layer of security” for agencies including the Small Business Administration (SBA) and the Department of Health and Human Services (HHS).
He said the CDM program and the security technologies deployed through it are “extremely valuable” for agencies to understand the threats they are facing, especially during times of emergency and quick change. “We are stressing out those systems,” he said, adding that before the pandemic, “I don’t think anyone thought let’s do 90-percent-plus telework.”
Chris Jensen, Federal Business Development Manager at Tenable, said the CDM program’s DEFEND contract proved its worth in allowing agencies to adjust quickly. “We had a need to move in a direction that nobody expected,” he said, and DEFEND made it possible to move resources to different agencies. “This is an example of something that really worked … this flexibility was invaluable when it came time to respond.”
Bryan Rosensteel, Public Sector Cybersecurity Architect at Duo Security, explained how authenticating network users was simpler before the pandemic, and more difficult after teleworking Federal workers began using a greater variety of devices. That has led security teams to “expand our view” of authentication and take a more holistic view, he said. “Now that we are nine months in [to the pandemic] … it has been a time to go back and rethink what we thought and what we are doing,” he said.
With the initial rush to telework over and the status quo continuing, “now the task of supporting all of those remote users” comes into play, along with “building an internal resilient environment,” said Brian Hajost, President and CEO at SteelCloud.
Mobile, Cloud Security Concerns
With an increasing share of data coming from mobile and cloud sources – rather than on-prem networks – Rosensteel commented, “placing a sensor to get this data with mobile and cloud is really challenging, and it may not be the way to go.” He added, “endpoint security becomes rather irrelevant as we move to that.”
“Authentication is going to be consistent whether you are coming from any device,” he continued. “Let’s get data from that, some of that can be done without an agent at all … Let’s make sure we can do real-time decisions with that as well.” He also noted the rapid approach of widespread 5G mobile services, and said that was an opportunity to reevaluate issues raised by mobile security.
Jensen offered that because the pandemic has limited the physical mobility of many people, “this is a window of opportunity to focus on mobile when we are being less mobile in our home offices.”
He continued, “When this passes, and it will, I think people will be more mobile than ever. Now is the time to prepare for what is coming … If you’re going to make mistakes and have issues, now is the time to do it … the onslaught is coming and it’s not far away.”
“Authentication becomes an issue with smaller and more mobile devices, and security from the edge and into the network becomes absolutely critical,” said Hajost, adding that 5G “provides a real challenge for security.”
Guercio noted that mobile devices present different facets of security problems in the CDM context, with discussion about how to secure private devices inside the network, alongside devices connecting from outside the network with 5G services. He said that CISA’s TIC 3.0 program office is working to address security of connectivity, while CDM is trying to address it within the network. And he said automation and orchestration will get a lot of discussion in the mobile security context, adding, “it’s a much broader topic but will have more visibility as we get into this space.”
Asked about the CDM program’s cloud security pilots, Rosensteel said they posed a challenge similar to that of mobile security, and that both eventually point to adoption of zero trust security concepts. “That’s what’s going to change with CDM, the notion of a sensor, or data … it is going to be looking at commonalities regardless of whether we are in the cloud, or on prem, and where I can gain relevant pieces of information for authentication,” he said.
Guercio talked about the security tools already used by cloud security providers, and said it’s “important to talk about integration” of those tools.
On the topic of the CDM program’s efforts to protect high-value agency assets, Jensen noted that security efforts in that direction by CDM and TIC 3.0 “are two sides of the same coin.” He continued, “what is clearly important is that those two initiatives are well coordinated because they are moving toward the same thing.”
Guercio said it might make more sense to apply zero trust concepts to a larger number of agency assets, rather than segmenting some assets into the high-value class that would get more protection. “Some assets may be more valuable today than tomorrow,” but if you adopt a zero trust concept then that may raise the security posture for a wider range of assets, he indicated.
“The identification of high-value assets is very important,” said Hajost, but must be done without “de-valuing the network, because the network has to be protected.”
“It’s that flexibility that is so important,” said Rosensteel. “Assets change, the value of assets change … so we have to make sure that the system is flexible, and we don’t solution-lock ourselves.” In addition, he counseled against defining everything as a high-value asset, because “then you have over-engineered the system and made things harder … having flexibility allows you to shift priorities.”