The Continuous Diagnostics and Mitigation (CDM) program began emphasizing vulnerability detection and response because agencies altered their network architectures to accommodate increased remote work during the pandemic, according to the head of the program.
Employees connecting to federal networks remotely, often via unsanctioned internet connections, altered the cyberattack surface for agencies — forcing the CDM program to evolve.
CDM helps agencies understand what’s happening on their networks in near-real-time by implementing tools that feed data to dashboards for proactive risk management. But lately, those dashboards have flagged more vulnerabilities than understaffed agencies can readily fix.
“We have to figure out a way to almost direct our stakeholders on what they need to do, instead of just letting them drown in the data because there’s just too much out there,” said Richard Grabowski, CDM acting program manager within the Cybersecurity and Infrastructure Security Agency, during the Billington CyberSecurity Summit on Thursday.
Adversaries have learned to flood agencies with data so they miss threats, which means better CDM tools are needed to cut through the noise. And threat intelligence needs to go beyond Internet Protocol addresses and pings to identifying threat actors, what they’re attempting to accomplish and the information they’re sharing, said Gilman Louie, CEO of LookingGlass.
Recent CDM discussions around threat hunting aren’t enough.
“The authorities are also going to need to expand if we’re going to have an effective program,” Louie said. “The authorities in which CDM operates are good authorities, but they’re not broad enough to actually execute the mission going forward.”
CDM has started correlating information from its vulnerability management capability with threat reports to reveal what’s actually being exploited and sharing the results in a report to agencies. That allows them to perform triage based on real-world factors.
Figuring out threats and vulnerabilities should be a shared responsibility for agencies and CISA, Grabowski said.
“That’s a model for how we can try to make this more poignant for agencies,” he said.
An Exploit Prediction Scoring System (EPSS) score complements information on the severity of a vulnerability with an estimate of the likelihood that a threat actor will actually exploit it, but producing and acting on those scores depends on information sharing.
Such capabilities need to be deployed much faster than they are, said Michael Daniel, president and CEO of the Cyber Threat Alliance.
For that, cybersecurity must become an enterprise service. Small agencies and commissions don’t have the resources and shouldn’t be expected to do their own cyber, Daniel said.
“We don’t have every agency run its own payroll; we have seven payroll providers across the federal government, and the agencies have to pick which payroll provider they want to use,” he said. “Much more of the cybersecurity needs to be centrally provisioned across the federal government from a few of the larger, more sophisticated agencies.”