A Department of Homeland Security program is automating the cyber attack detection process to manage the bulk of intrusion detection and mitigation work in real time across the entire civilian government. This effort addresses a long-time shortcoming for detecting attacks and intrusions into government computer networks. Traditionally, this activity has been a time-consuming and manpower-intensive process that would take place days or weeks after the incident.
Countering the continuing sophisticated and persistent attacks on federal networks is the goal of the Continuous Diagnostics and Mitigation (CDM) program. Launched in August 2013, the program seeks to use a dynamic approach to defend unclassified networks through automated intrusion detection and prevention techniques.
According to Department of Homeland Security (DHS) officials, the CDM program is designed to provide network administrators with the capabilities and tools to know their network’s health at any given time. The system developed by the program allows agency personnel to understand the risks and threats to their networks while also identifying and mitigating vulnerabilities in real time.
The CDM would allow government organizations to expand their continuous monitoring and diagnostic capabilities through the use of network sensors, automated data collection and prioritized risk alerts. With the sensors in place, agencies will be able to scan their entire network for weaknesses within 72 hours, DHS officials say.
The DHS is working with federal agencies to deploy sensors across government networks. These sensors will conduct hardware asset management, software asset management and whitelisting, vulnerability management and compliance setting. This collected data about the state of an agency’s cybersecurity systems will be displayed to administrators in an automated and constantly updated dashboard. In addition to the federal government, DHS officials say, the CDM also will be available as a service to state, local and tribal governments and the defense industrial sector.
Information from the diagnostic sensors and the automated searches is fed into the enterprise-level dashboards, which then produce customized reports to alert and direct administrators attention to the most pressing and immediate threats. DHS officials add that agencies also can share reports and data to look for trends and to prioritize risk assessment and mitigation.
The CDM provides federal computer networks with resiliency, explains Greg Boison, director for homeland and cyber security at Lockheed Martin, one of the program’s contractors. “It improves the weakest link and provides consistency across federal networks,” he says. It also helps enable compliance with regulations such as the Federal Information Systems Management Act (FISMA). Boison notes that FISMA compliance is costly and it does not necessarily create security, but adds that strong CDM-provided security does provide for efficient compliance.
The CDM program has three phases. The first phase will emphasize endpoint integrity and focus on hardware and software asset management, configuration settings, known vulnerabilities and malware. Phase two concentrates on infrastructure integrity and focuses on account and privilege management, configuration settings and ports/protocols for infrastructure devices. The final phase deals with boundary protection and event management while emphasizing audit and event detection/response, encryption, remote access and access control.
One of the key technologies at work in the CDM program is Einstein, which provides the program’s automated network intrusion detection and prevention capabilities. A separate DHS program of its own, Einstein is an automated system for collecting, correlating, analyzing and sharing computer security information across the federal government. Einstein filters packets at the network gateway and alerts the U.S. Computer Emergency Readiness Team (US-CERT) at the DHS when it detects an anomaly. According to the DHS, Einstein was developed because federal agencies only sporadically shared intrusion incident data with US-CERT, and the technology was created as a way to automate this process.
In addition to detecting intrusion, Einstein helps administrators spot worms and anomalous network activity; allows US-CERT to counsel agencies on configuration management issues; and allows US-CERT to create cross-government trends analysis studies based on collected data.
The latest version of the system, Einstein 3, can identify predetermined attack or intrusion patterns and can automatically detect and respond to cyber attacks. The intrusion detection system also uses deep packet inspection to study suspect network traffic, and it features additional threat identification signatures developed by the National Security Agency to look out for specific types of attacks. It also can detect and prevent malware installed on government networks from communicating with known or suspected malicious Internet domains through a process known as sinkholing. Einstein filters email entering .gov networks for malicious attachments, uniform resource locators and other types of malware before being delivered. Infected email may be quarantined or redirected from the target address to another location for analysis by cybersecurity analysts, DHS officials say.
One of the key benefits of the CDM is the elimination of low-level, opportunistic threats, Boison says. Many of these security problems can be solved just by patching an organization’s system, he adds. The CDM stops the many hundreds or thousands of low-level threats that do succeed in getting through to the network in federal and commercial networks.
Not using CDM systems costs organizations more money in the long run than they should be spending on network security, Boison maintains. Agencies and firms spend too much money “by dealing with that which is avoidable,” he says, adding the CDM eliminates this issue by dealing with it efficiently.
To help support the DHS CDM program, Lockheed Martin established its own Continuous Diagnostics and Mitigation laboratory. The CDM lab is part of Lockheed Martin’s Insight Laboratory in Gaithersburg, Maryland. Boison notes that the Maryland facility is part of a global network of company information technology laboratories in the United States, the United Kingdom and Australia.
The laboratory supports the DHS by serving as an instance of the department’s network—such as a sample government agency, Boison explains. Federal agencies and commercial customers come to the laboratory to determine what they require to meet their particular security needs. The laboratory also works with agencies to see which security tools function best in their network environments, he adds.
One of the most important lessons federal agencies need to learn to launch their own CDM systems is first to make an assessment of their own existing capabilities before looking to buy new technology, Boison says. “This can’t be overstated,” he adds, noting that agencies must appreciate and use what they have before turning to new tools.
Agencies also need to have an understanding of how their various information assets work, Boison states. For example, administrators may need to know information about a specific computer’s performance through data network monitoring tools. A need exists for tools that provide immediately actionable information about a given computer and its status. “Most tools will not provide that,” he says.
The CDM technology is tested in Lockheed Martin’s enterprise and in the laboratory’s sample agency enterprise. The DHS CDM currently is focused on four functional areas: hardware inventory management, software inventory management, configuration setting management and vulnerability assessment. Boison notes that these are just the first four of 15 distinct security focus areas. The others are network/physical access control management; access control management; security-related behavior management; quality management; credentials and authentication management; privilege management; preparing for incidents and contingencies; responding to incidents and contingencies; requirements, policy and planning; operational security; and generic auditing/monitoring. Although most of the work, research and effort currently is focused on the first four areas, the program is beginning to examine the other security considerations, he says.
One of the challenges of Lockheed Martin’s work for the DHS and for itself is that the first four information technology security focus areas cover about 80 percent of the threats to federal and private sector computer networks, Boison explains. Once these areas are addressed, the remaining 20 percent of the threats remain, such as insider threats, he offers.
Lockheed Martin developed its own CDM system to protect its enterprise several years before the DHS program. This technology is mature, Boison says. Instead of the old, time-intensive manual labor of checking network records for data breaches long after the attacks have occurred, Lockheed Martin’s and the DHS’ CDM systems detect and deal with them in machine time. “There is no human in the loop,” he explains. One of the major advantages of this is that it provides speed and responsiveness to an intrusion. The CDM also can help with staff retention. Because the system is highly automated, analysts can focus on more challenging threats and issues, creating a more exciting and stimulating work environment, he says.
As part of the CDM program, the General Services Administration (GSA) is offering all federal departments and agencies and state, local, regional and tribal governments access to a multiple-award blanket purchase agreement (BPA) offering continuous monitoring as a service and related products and services with stepped pricing discounts. The GSA is responsible for providing the BPAs that allow the DHS to oversee the procurement, operations and maintenance of the diagnostic sensors, tools and dashboards installed in government agencies.
The BPAs were awarded to 17 industry firms in August 2013 in a five-year, $6 billion multivendor contract. The participating companies are: Booz Allen Hamilton, CGI Group Incorporated, CSC, Digital Management Incorporated, Dynamics Research Corporation, General Dynamics Information Technology, HP Enterprise Services, IBM, Knowledge Consulting Group, Kratos, Lockheed Martin, ManTech, MicroTech, Northrop Grumman, SAIC, SRA International and Technica.