Lessons learned from the initial two phases of the Continuous Diagnostics and Mitigation (CDM) cybersecurity program have given government agencies a lot to think about as they move into the Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) phase.
Potential challenges have been exposed but so have opportunities, as agencies focus on security solutions that will be most effective.
A recent Market Connections and Forcepoint survey revealed some concerns among public sector IT professionals as they prepare for DEFEND. Let’s take a look at how survey respondents currently feel about the state of the CDM initiative, including their perspectives on interoperability, prioritization of risk-adaptive security, and differing viewpoints between managers and implementers.
Interoperability and modernization obstacles are real
Ninety-two percent of respondents expressed concern over insufficient compatibility of CDM tools with existing systems. Some respondents noted they already have tools to satisfy certain CDM requirements, but those tools may suffer from a lack of integration with other tools on the CDM-approved products list. Managers have 70,000 products to choose from, but without the ability to easily integrate solutions those options may as well be close to zero.
Indeed, integration and interoperability issues resulting from past uncoordinated security purchases have created a number of problems. Managers lack visibility into what is happening on their networks, and are receiving an increasing number of security alerts from disparate sources. These alerts require human interaction in the absence of automated responses and detailed analytic insights. This all adds up to costly and time-consuming implementations that fail to solve the security directives and challenges laid out in DEFEND.
While the CDM program was designed to help agencies modernize their cybersecurity initiatives — and somewhat mitigate interoperability concerns posed by legacy technologies — most agencies have opted to take a very tactical approach. One product is replaced with another comparable solution, and the focus is on tools rather than the larger mission of bolstering security for the long haul. That’s not really modernization; those are short-term fixes.
The move from Phases 1 and 2 to DEFEND provides government agencies with a fantastic opportunity to truly make a clean break and address their modernization and interoperability concerns. DEFEND can essentially be seen in part as a funding platform for modernization allowing agencies to fund innovative new technologies. It offers a number of grants and access to external consultants, all of which agencies can use to invest in a more holistic and long-term view of cybersecurity modernization.
With the resources provided through DEFEND, agencies can replace disparate, ineffectual, and costly legacy technologies. They can dispense with the added costs that stem from the lack of interoperability, and begin investing in flexible, automated cybersecurity solutions designed to integrate easily with other technologies and bolster agencies’ security postures. These technologies can replace legacy systems that no longer meet the agency’s modern security needs, addressing modernization needs and lessening interoperability concerns.
Risk-adaptive security is a top priority for agency managers
Risk-adaptive security solutions are one example of a modern security technology that managers are keen to implement. In fact, more than half of survey respondents listed risk-adaptive security as a top priority for their organizations.
DEFEND is all about understanding how users are behaving on the network, and risk-adaptive security hits this sweet spot. Risk-adaptive security involves analyzing users’ behaviors and events in order to protect against and adapt to threats. It is an ideal method for addressing the fundamental question: Who is on my network and what are they doing there?
Unlike traditional static security policies, which take a binary “good or bad” approach to enforcement across the agency, risk-adaptive security provides context and insight based on the unique patterns of individual users. Those patterns can change depending on a user’s role and how they typically interact with systems and data. A deviation from normal behavior patterns likely indicates a potential problem that needs attention. Risk-adaptive security leverages automation to compensate for limited human resources and to identify problem areas more rapidly.
Risk-adaptive security considers changing user patterns over time, and enables agencies to monitor and respond to potential threats in real-time. Security policies can be highly refined and adjusted to address specific threats, rather than unnecessarily penalizing the entire workforce for the actions of one individual.
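To make the contrast in the paragraphs above concrete, here is an added example (not from the article, the survey, or any CDM-approved product) of a static agency-wide rule beside a per-user, risk-adaptive rule, using constructed download volumes, users, and thresholds.

```python
from statistics import mean, pstdev

# Constructed sample: each user's recent daily download volume in MB.
# A real deployment would build this from identity-linked telemetry.
BASELINE = {
    "analyst": [40, 55, 50, 45, 60, 48, 52],
    "dba":     [900, 1100, 950, 1050, 1000, 980, 1020],
}

STATIC_LIMIT_MB = 500  # one agency-wide cap, applied to everyone alike (assumed value)


def static_policy(volume_mb):
    """Binary 'good or bad' rule: the same threshold for every user."""
    return "block" if volume_mb > STATIC_LIMIT_MB else "allow"


def risk_score(user, volume_mb):
    """Deviation of this event from the user's own baseline, in standard deviations."""
    hist = BASELINE[user]
    sd = pstdev(hist) or 1.0  # guard against a perfectly flat history
    return (volume_mb - mean(hist)) / sd


def adaptive_policy(user, volume_mb):
    """Graduated enforcement driven by how far the user strays from their pattern.

    Thresholds are assumed for illustration; an agency would tune them per role.
    """
    z = risk_score(user, volume_mb)
    if z >= 6:
        return "block"
    if z >= 3:
        return "step_up_auth"  # e.g. require re-authentication before continuing
    return "allow"


def record(user, volume_mb, window=7):
    """Roll the baseline forward so the policy follows the user's changing pattern."""
    BASELINE[user] = (BASELINE[user] + [volume_mb])[-window:]
    return BASELINE[user]


if __name__ == "__main__":
    # 120 MB is unremarkable agency-wide, but more than 10 SD above the analyst's norm.
    print(static_policy(120), adaptive_policy("analyst", 120))   # allow block
    # 1030 MB is routine for the DBA; the static cap would penalise normal work.
    print(static_policy(1030), adaptive_policy("dba", 1030))     # block allow
```

The same event volume therefore produces opposite decisions under the two approaches: the static cap misses the analyst's anomaly and blocks the DBA's routine work, while the adaptive rule flags only the deviation from each individual's baseline.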
The majority of survey participants rated the need for risk-adaptive security as either “extremely” or “very” important. They clearly see risk-adaptive security as an ideal complement to Phase 3, which focuses on user behavior and calls for ongoing assessment of risks and security policies and automated threat analysis. However, it also dovetails neatly into Phase 4, which addresses the need for emerging tools and technologies.
A split decision on CDM—but most people agree on one thing
Additional revelations from the survey underscored the disparity in opinion between managers and implementers on the efficacy of CDM. Eighty-eight percent of managers felt optimistic toward the current state of CDM effectiveness at their agencies, while only 31% of implementers concurred. This could indicate that the implementers, who are responsible for the hands-on management of the solutions required for their CDM programs, are also experiencing the integration pains mentioned above.
However, despite these differences, a majority of respondents agreed the CDM program will be “very” or “somewhat” effective once all of its phases have been rolled out. This optimistic outlook appears to assume that many of the challenges will be ironed out by the time DEFEND is complete, and that top priorities, including risk-adaptive security, will be firmly in place.
Clearly, there are more hurdles to overcome before we reach that point, but as agencies enter DEFEND, their priorities are coming into sharper focus. Greater interoperability among technologies and risk-adaptive security are at the top of their CDM wish lists. Checking those two boxes will help agencies maximize their security efforts and achieve CDM’s stated goal of providing “adequate, risk-based, and cost-effective cybersecurity.”