The Department of Homeland Security (DHS) risks losing the initial investment in its cyber network diagnostics program if it does not make the data more actionable, an expert said May 27.
“We’re right on the edge of completely wasting the money,” Alan Paller, director of research at Baltimore-based SANS Institute, said the AFCEA Cybersecurity Summit in Washington.
Despite initial cost savings and widespread interest from federal agencies to upgrade network security, the Continuous Diagnostics and Mitigation (CDM) program needs to move from monitoring to mitigation, he said. While “mitigation” is in its name, CDM has often been associated with simple monitoring for intrusions versus actively protecting against them. Paller said the information collected from network monitoring needs to be more effectively transferred to the system administrators (sysadmins) who remediate malware infections.
“If you decide you want to be in this for longer than this year…then you have to figure out how to deliver the data to the sysadmins in the morning in a prioritized way,” he said.
CDM is part of a government-wide effort to move from periodic checks of networks to continuous security. DHS and the General Services Administration (GSA) last August announced the selection of 17 vendors eligible to sell products and services to interested federal agencies under a $6 billion blanket purchase agreement. CDM saw a $26 million savings on its first task order, which totaled $60 million for network sensors and tools.
DHS Director of Federal Network Resilience John Streufert, who oversees CDM, agreed with Paller.
“If we don’t apply that large body of data…to actually change the risk profile…then the entire trip has been wasted,” he said at the summit. The program will not have been worthwhile “if we don’t deliver up that data, put it into a dashboard and begin tracing our results.”
Streufert acknowledged that CDM is being implemented in phases and that there are roadblocks to immediate changes. Current policy under Officer of Management and Budget (OMB) A-130 only requires network checks every three years in what agencies describe as extensive and time-consuming reports that become outdated the moment they are printed. CDM–a voluntary program–requires network checks every 72 hours at minimum using automated tools. Yet even agencies investing in CDM still must fulfill their obligations to OMB, leaving them splitting funds among the two.
Adapting from monitoring to mitigation is also part of a cultural change. Streufert said agencies need to better understanding what occurs at the local and enterprise levels and where there might be discord. For example, the agency leadership may put out a security directive but a local office may still be using a long-outdated program that cannot be adequately protected.
“It begins with the visualization of what’s under control of the local people,” he said.
Paller said cultural change will also occur when security policy officers become more closely aligned with their technical counterparts. Reporting requirements and divergent benchmarks have created tension between policymakers and technicians under the regulations of the Federal Information Systems Management Act (FISMA).
“That’s what comes out of FISMA reporting–that anger,” he said.
In addition to culture, Paller said agencies need better information about the 17 contractors and software providers on the CDM blanket purchase agreement. He said SANS is working on an assessment for release in August that will rate the contractors and prevent agencies from wasting scarce IT resources.