Commentary: Defending CDM
The recent data breach at the Office of Personnel Management has put a spotlight on the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Program. There have been articles and blog posts that call into question the usefulness and logic of CDM because it didn’t detect the attackers or block the exploit at OPM. This criticism misses the mark.
The General Services Administration awarded the Group B Task Order to Booz Allen Hamilton on April 14th, 2015. OPM is included in Group B, but it will take some time before BAH implements CDM at OPM. Even then it will only be covered by Phase I of CDM.
Some argue that CDM (btw: the “M” stands for “Mitigation”, not “Monitoring”) is simply about basic cyber hygiene and that even when fully deployed CDM is not designed to detect attackers. I disagree for two reasons. First, a key function of Phase I is to identify all hardware and software assets in the network. Seems to me it would be easier to find an attacker if you knew about all the places they could hide. Second, although we’ll need to see the final requirements, DHS has defined Phase III to allow for the detection of attackers.
The CDM Program At-A-Glance
- Phase 1 – Main Goal: Endpoint Integrity
Scope of Focus: Local Computing Environment (Devices)
Areas of Focus: Hardware and Software Asset Management, Configuration Settings, Known Vulnerabilities, Malware
- Phase 2 – Main Goal: Least Privilege and Infrastructure Integrity
Scope of Focus: Local Computing Environment (People), Network and Infrastructure (Devices)
Areas of Focus: Account and Privilege Management; Configuration Settings and Ports/Protocols/Services for infrastructure devices
- Phase 3 – Main Goal: Boundary Protection and Event Management
Scope of Focus: Local Computing Environment (Events), Network and Infrastructure (Events), Enclave Boundary (Devices, Events)
Areas of Focus: Audit and Event Detection/Response, Encryption, Remote Access, Access Control
- “Event Management, Event Detection/Response” could include the correlation of data that would identify an attacker.
Even if CDM were to ultimately focus only on cyber hygiene it will still provide federal departments and agencies with a much improved cybersecurity posture. DHS has been very clear and consistent when describing the intent of the CDM program, which is to find and fix the most severe vulnerabilities first. CDM does this by defining the desired state of an IT system in accordance with the Federal Information Security Management Act (FISMA), scanning it once every 72 hours to determine the actual FISMA state and remediating the deficiencies. All three phases work this way, with each phase covering additional capabilities that map back to the National Institute of Standards and Technology Special Publication 800-53.
What’s Behind Phase I?
To understand how CDM will improve the government’s cybersecurity posture, let’s look at Phase I of CDM.
Phase I is divided into four functional areas (FA1 through FA4): Hardware asset management, software asset management, configuration management and vulnerability management.
First, scan your IT System to identify all hardware (FA1) and software (FA2) assets. This is done first because you can’t defend what you can’t see. Once identified, you scan the assets to make sure they are configured properly (FA3) and to look for any known vulnerabilities (FA4). An asset that is misconfigured or has an unpatched vulnerability is a threat vector for a hacker to exploit and needs to be mitigated to lower the asset’s exploitation potential. Phase I will detect the defect in the asset, but the department or agency will do the actual mitigation, focusing on the greatest threat first.
DHS chose the functional areas of Phase I for a reason. They are effective in reducing cybersecurity events. Phase I is for the most part identical to the first five of the SANS Institute’s Top 20 Critical Security Controls and is also reflected in the Australian Government’s Top 35 Mitigation Strategies. DHS quotes a study conducted by the Center for Strategic and International Studies that showed an 85 percent reduction in cyber events when the strategies detailed in Phase I are followed. Yes, the remaining 15 percent is a large number, especially in today’s fast-paced, sophisticated environment, but look at it this way; Phase I gets rid of 85 percent of the proverbial hay in the haystack, reducing the number of events an IT staff has to chase down.
Would CDM have helped OPM if it had been in place before the attack? It could have. At minimum, a fully deployed Phase I would have made an attacker’s job more difficult. The vast majority of attacks depend on the presence of a misconfigured or unpatched system to exploit. Had CDM Phase I been fully deployed it could have detected the vulnerable assets at OPM so they could be remediated. It is possible CDM could have led to the remediation of the threat vector used by the attackers who infiltrated OPM and stole personal data belonging to millions of current and former federal employees.
Phase I is happening now, but it clearly doesn’t find attackers. So do we de-emphasize CDM in favor of finding the attackers? Clearly not and here’s why. One analogy floating around suggests that deploying CDM now is like locking all your doors and windows when the burglar is already in the house and that we should instead focus on first getting rid of the burglars. Sounds reasonable, but the analogy is flawed. It ignores the fact that there are hundreds of burglars still trying to get in the house every minute of every day. Locking all the doors and windows as fast as you can reduces the number of burglars you need to search for in your house. Furthermore, how can we find the burglars if we do not know where to look for them? If Phase I capabilities are not in place it would be like doing a search and rescue in a building with no blueprints and all of the rooms are filled with smoke. The deployment of CDM should not stop, rather it should be accelerated.
We should also remember there was a real financial justification for deploying CDM. According to DHS, manual plans, reports and audits cost about $1,400 per page and total between $600 million and $1.9 billion a year. The automation CDM brings to the government is designed to bring these costs down, freeing up dollars that could be used to deploy additional security capabilities. Even if the automation doesn’t materialize, government agencies are already seeing a financial benefit from CDM. At a recent CDM conference an agency chief information security officer told the audience he was planning to buy and deploy Phase I type tools using his own budget. Now that DHS is picking up the tab he can use his budget to deploy data loss prevention tools.
Is CDM perfect? No. The roll-out is taking too long, leaving departments and agencies vulnerable. But the strategy and intent of the program is sound. Who can really argue with making sure all departments and agencies have the ability to discover their IT assets so they can conduct regular scanning for potential exploits? Let’s do all we can to find the attackers lurking in federal networks, but let’s do it with the understanding that CDM is part of the solution, not the problem.
Ken Durbin is the Unified Security Practice Manager for Symantec Public Sector.