How Carbon Black helps agencies meet CDM requirements
February 13, 2020 10:58 am
This content is provided by Carbon Black.
When a crime is committed, one of the first things the police do is collect evidence from any security cameras nearby, and these days, cameras are everywhere. That’s a model that federal agencies want to apply to cybersecurity. This constant monitoring of systems to catch bad actors provides the basis for CDM – Continuous Diagnostics and Mitigation.
Garrett Lee, director of Strategic Federal Programs & Partnerships at VMware Carbon Black, said CDM is about the synergy between a closely coupled protection and visibility strategy: seeing all the activity taking place on endpoints and networks, seeing how you are being attacked, and then pivoting to build the right defenses tailored to those attacks.
“If you think about CDM, it’s modernizing cyber for the civilian government, while simultaneously creating the type of cyber data telemetry that gives the Department of Homeland Security and our federal leaders the ability to understand at large what our vulnerability landscape looks like across the .gov domain, but also be able to take decisive actions to shore up our defenses to threats as they are presented. It’s about prevention and rapid detection working together,” Lee said.
Carbon Black’s CB Protection accomplishes that global view through Software Asset Management, or SWAM, one of the foundational elements of CDM. SWAM automatically identifies all software assets on endpoints: the files, applications, certificates, devices and computers in an endpoint environment, along with platform and software information. It categorizes the risk of each piece of software by identifying which versions are running, so that software can be approved or banned, either manually or automatically. The resulting approved set is known as a whitelist.
“Some may think they need to design their approved list of software prior to deploying a whitelisting strategy,” Lee explained. “This is not the case with an application control solution as mature as ours. The better approach is to install the software, allow it to take stock of the environment, and use the trust governance mechanisms and automation the platform offers in order to establish rule-based brokers of trust to achieve increasing enforcement levels.”
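The workflow Lee describes (inventory first, derive trust from rules, then raise enforcement in stages) can be shown in a small model. The following is an added example written for this page; it is not Carbon Black’s code and does not reflect CB Protection’s API, rule syntax or enforcement-level names. The file records, hashes, publisher names, product names and version floors are all constructed for illustration.

```python
"""Toy application-control model: inventory -> rule-based trust -> staged enforcement.

Added example, not Carbon Black's code. Every record, hash and rule below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Enforcement(Enum):
    """Enforcement levels, from visibility-only to strict allowlisting (names are assumed)."""
    VISIBILITY = 1   # inventory and log only; nothing is blocked
    MEDIUM = 2       # banned software is blocked; unknown software runs but is flagged
    HIGH = 3         # only explicitly trusted software may run


class Trust(Enum):
    APPROVED = "approved"
    BANNED = "banned"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class FileRecord:
    """One inventoried executable as SWAM-style discovery would record it."""
    path: str
    sha256: str
    publisher: Optional[str]        # signing publisher, None if unsigned
    product: str
    version: Tuple[int, ...]


@dataclass
class TrustRules:
    """Rule-based brokers of trust: explicit hash decisions, publisher trust, version floors."""
    approved_hashes: Set[str]
    banned_hashes: Set[str]
    trusted_publishers: Set[str]
    min_versions: Dict[str, Tuple[int, ...]]   # product -> oldest acceptable version


def fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def classify(rec: FileRecord, rules: TrustRules) -> Tuple[Trust, str]:
    """Derive a trust verdict for one file. Bans are checked first so that a known-bad
    or out-of-date build cannot be rescued by a broader publisher rule."""
    if rec.sha256 in rules.banned_hashes:
        return Trust.BANNED, "hash on ban list"
    floor = rules.min_versions.get(rec.product)
    if floor is not None and rec.version < floor:
        return Trust.BANNED, f"{rec.product} {fmt(rec.version)} is below minimum {fmt(floor)}"
    if rec.sha256 in rules.approved_hashes:
        return Trust.APPROVED, "hash explicitly approved"
    if rec.publisher is not None and rec.publisher in rules.trusted_publishers:
        return Trust.APPROVED, f"signed by trusted publisher {rec.publisher}"
    return Trust.UNKNOWN, "no rule matched"


def decide(rec: FileRecord, rules: TrustRules, level: Enforcement) -> Tuple[bool, str]:
    """Return (allowed, reason) for an execution attempt at the given enforcement level."""
    trust, why = classify(rec, rules)
    if level is Enforcement.VISIBILITY:
        return True, f"visibility only, recorded as {trust.value} ({why})"
    if trust is Trust.BANNED:
        return False, f"blocked: {why}"
    if trust is Trust.APPROVED:
        return True, f"allowed: {why}"
    if level is Enforcement.MEDIUM:          # unknown software at MEDIUM: run, but alert
        return True, f"allowed with alert: {why}"
    return False, f"blocked at HIGH: {why}"  # unknown software at HIGH: default deny


def inventory_summary(records: List[FileRecord], rules: TrustRules) -> Dict[str, int]:
    """Counts per trust category; the 'unknown' count is the rule-tuning backlog."""
    counts = {t.value: 0 for t in Trust}
    for rec in records:
        counts[classify(rec, rules)[0].value] += 1
    return counts


def impact_by_level(records: List[FileRecord], rules: TrustRules) -> Dict[str, int]:
    """How many inventoried files each level would block: the data a team uses
    to judge when it is safe to raise enforcement."""
    return {lvl.name: sum(not decide(r, rules, lvl)[0] for r in records) for lvl in Enforcement}


# Constructed sample data (hashes are obvious placeholders, not real digests).
RULES = TrustRules(
    approved_hashes={"c" * 64},
    banned_hashes={"e" * 64},
    trusted_publishers={"Acme Software"},
    min_versions={"Acme Editor": (4, 0, 0)},
)
ENDPOINT_FILES = [
    FileRecord(r"C:\Program Files\Acme\editor.exe", "a" * 64, "Acme Software", "Acme Editor", (4, 2, 0)),
    FileRecord(r"C:\Program Files\Acme\editor_old.exe", "b" * 64, "Acme Software", "Acme Editor", (3, 9, 1)),
    FileRecord(r"C:\Tools\inhouse.exe", "c" * 64, None, "InHouse Tool", (1, 0)),
    FileRecord(r"C:\Users\bob\Downloads\game.exe", "d" * 64, None, "Unknown", (0,)),
    FileRecord(r"C:\Temp\editor_copy.exe", "e" * 64, "Acme Software", "Acme Editor", (4, 2, 0)),
]

if __name__ == "__main__":
    print(inventory_summary(ENDPOINT_FILES, RULES))
    print(impact_by_level(ENDPOINT_FILES, RULES))
    for rec in ENDPOINT_FILES:
        print(rec.path, "->", decide(rec, RULES, Enforcement.HIGH)[1])
```

The `impact_by_level` output is the practical point: at the visibility level nothing is blocked, so the inventory is collected without disrupting users; moving to the medium level blocks only what the rules have positively banned; and the high level is safe to switch on once the `unknown` count has been driven down by adding hash or publisher rules. The ordering in `classify` also matters: the out-of-date and hash-banned Acme builds are still blocked even though the publisher is trusted.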
While Carbon Black’s application control solution offers software asset visibility and governs and enforces what is allowed to run on endpoints, shrinking what is known as the attack surface, there is still the matter of the endpoint activity itself. This is where endpoint detection and response software comes into play. CB Response gives agencies the visibility necessary to implement threat hunting, a capability most government agencies currently lack. Even those that do have it typically lack one of the central elements of CB Response: the unfiltered data approach.
“It is all about the data. If you’re gathering evidence in a crime scene, and you have the ability to gather all the evidence, then nothing will get missed. Likewise, we take a view of ‘gather all the evidence we need to be able to determine exactly what happened in an IT environment’ and not leave it on the endpoint itself where it may be vulnerable, but move it to a server offline,” Lee said. “The life story of every system is written to a central system so that threat hunters can examine that data set to determine the scope, cause and impact of how they’re being attacked, take real-time response remediation actions to triage any damage underway, so that you’re not caught with a need to reimage a system and put it back out into the environment with the same vulnerabilities it had yesterday that allowed you to become compromised.”
This allows cyber specialists to isolate a compromised system from the rest of the environment, surgically remove the data involved, and address the problem. That type of remediation can be performed directly from the console, without the need to reimage the system. More importantly, it lets them find the root cause, scope and impact of the attack, and change protections to tighten defenses against the threat.
Carbon Black is all about maximizing the effectiveness of cyber practitioners, because they are a scarce resource. That means creating policy-based enforcement of what is able to run, down to the granularity of deciding how the use of USB devices is governed. Turning a single decision into policy across the system reduces the burden on the security team by shrinking the attack surface. Threat hunters do not want to operate repetitively; automation is a force multiplier.
Lee said some cyber practitioners shudder when you mention whitelisting, because they’ve had bad experiences with less mature solutions in the past. Scalability, manual tuning, and frustration in establishing rules have been common pain points. But Carbon Black strives to make whitelisting more user-friendly.
“The training we provide is not necessarily to navigate some tool complexity,” Lee said. “It’s more how to think and architect your strategies that you can carry out with this very capable tool set to be able to govern your environment. And so a lot of it is people and process training that we give. It’s how to intelligently establish these rule sets and deploy them in a way that is appropriate to each unique environment.”
The same goes for threat hunting. Using CB Response is intuitive, even for novice threat hunters. Lee said the hardest part is learning how to think like an expert threat hunter. As threat hunters build their skills, their appreciation for the power of the data CB Response provides only grows.
And it’s not just easier, it’s effective. Because whitelisting is a SWAM requirement, the CDM program conducted an analysis of alternatives to explore different capabilities. The Department of Homeland Security makes the full report available to government agencies, but the results were clear.
“The Agriculture Department was the agency that served as the Center of Excellence for that. And the prime contractor worked for seven months alongside USDA to really vet out what’s the most appropriate whitelisting solution for the needs of CDM and the needs of USDA,” Lee said. “Five or six vendors went in, were down-selected to two, and Carbon Black won.”