
Face Down Cyberthreats with CDM - Broadcom Inc. · 2019-08-24


FACE DOWN CYBERTHREATS WITH CDM

ONLINE REPORT SPONSORED BY:

INSIDE

P2 CDM ROLLOUT PRESSURED BY INCREASING THREATS
P3 WHAT’S NEXT FOR CDM?
P4 ALLIANT GWAC USED FOR SOME CDM NEEDS
P5 PHASE 3 REQUIREMENTS FINALLY EMERGE
P6 SUPPORT, SIGNATURES AND POLICIES WILL MATTER


SPONSORED REPORT · FCW.COM/2016CDMGUIDE

CONTRACT GUIDE: CDM

CDM ROLLOUT PRESSURED BY INCREASING THREATS

Sophisticated attacks on several agencies accelerate the urgency of the CDM program.

The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program was first launched several years ago. This was a major factor in the push to strengthen the overall security of government IT. Events of the past year have only increased the pressure for a faster rollout.

There were several sophisticated attacks on government agencies in the past year, but the most damaging was clearly the one suffered by the Office of Personnel Management (OPM), which the agency officially reported in June 2015. Analysts now suspect the intrusion had been present in OPM networks for at least a year before that, and perhaps longer.

By the time all attack assessments were complete, more than 20 million federal employee records are thought to have been compromised. Attacks at the Internal Revenue Service and other agencies also recently exposed hundreds of thousands of records.

Attacks on the rise

In its most recent annual report to Congress under the Federal Information Security Modernization Act (FISMA), the Office of Management and Budget (OMB) states that despite “unprecedented improvements” in securing federal information resources in FY 2015, attackers still got into government networks and systems in greater numbers. Agencies reported more than 77,000 incidents, a 10 percent increase over the previous year.

The OPM attack is suspected to have been launched by a Chinese state-sponsored hacking group using OPM employee access credentials obtained through phishing. Part of the CDM program is designed to combat precisely that type of attack by providing agencies with tools to improve access controls. The CDM program was originally expected to deliver those tools to agencies by the end of 2017. Given the nature and extent of the 2015 breaches, though, and the expectation that such attacks will only increase in number and severity, that may not be fast enough.

In an April 7 letter to Shaun Donovan, director of OMB, Sen. Tom Carper (D-Del.), ranking member of the Senate Committee on Homeland Security and Governmental Affairs, says that while federal agencies are under “a constant, yet evolving” threat from cyberattackers, flaws in the federal acquisition process can limit the tools agency defenders are able to obtain to counter those threats.

In terms of the CDM program, he says, agencies can partner with the Department of Homeland Security (DHS) to deploy cybersecurity tools and services while saving taxpayer dollars by leveraging government-wide buying power and purchasing in bulk. The program is now starting to deliver those tools and services directly to agencies.

The slow pace of the CDM rollout has concerned many people almost from the beginning. In an interview about a comprehensive 2014 report from the SANS Institute, John Pescatore, director of emerging security trends at SANS, points out that on the procurement side it is harder than it should be for agencies to buy tools through the CDM program.

“The bottom line is that capabilities are badly needed by government agencies,” he says, “but (the program) is not moving quickly enough.”

DHS Secretary Jeh Johnson, in his final state-of-the-agency speech earlier this year, says the program provided the needed sensors to some 97 percent of civilian agencies during 2015. In 2016, he says, the second phase of the program will focus on providing tools to manage access privileges and device configuration “to 100 percent of the federal civilian government.” •


WHAT’S NEXT FOR CDM?

If the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program is as broadly implemented across federal agencies as was originally intended, government agencies should have far more sophisticated cybersecurity defenses in place over the next couple of years. That is still not a guaranteed outcome, however.

The tools and services that will form the technology bedrock will most likely be in place, or at least getting to that point, by the end of 2016. A lot of work remains after that, though, to integrate those tools with agency networks and systems and to deliver the right kind of data.

The $6 billion CDM program was set up to be implemented over a five-year period starting in 2013, in three distinct phases:

Endpoint integrity: The scope of this is the local computing environment. It focuses on identifying and managing agency hardware and software assets, listing known vulnerabilities and malware, and managing device configuration.

Least privilege and infrastructure integrity: This is focused more on the people involved, managing their account and network privileges, and the configuration of network infrastructure devices and services.

Boundary protection and event management: This encompasses such functions as event detection and response, encryption, remote access management and access control. It is aimed at ensuring security is built into networks rather than added later as an afterthought.
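The three phases above describe what is collected, not what is done with it. As an added example (not code from the report, from DHS or from any CDM vendor), the following Python sketch shows the reconciliation that a Phase 1 and Phase 2 data feed enables: discovered hosts are compared with an authorized hardware list, installed software with an approved list and a table of known-vulnerable versions, and administrative accounts with a multi-factor requirement, and the deviations come out as a prioritized worklist. The host names, package versions, vulnerability dates, 30-day remediation deadline and scoring weights are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed reference data (not from any real agency or from the CDM program).
AUTHORIZED_HOSTS = {"ws-0412", "ws-0413", "srv-hr-01"}   # Phase 1: hardware asset list
APPROVED_SOFTWARE = {"openssl", "chrome", "java"}         # Phase 1: software asset list
VULNERABLE = {                                            # Phase 1: known-vulnerable versions,
    ("openssl", "1.0.1f"): date(2014, 4, 7),              #   keyed to the flaw's publication date
    ("java", "8u40"): date(2015, 3, 20),
}
REMEDIATION_DAYS = 30   # assumed policy: known vulnerabilities fixed within 30 days


@dataclass
class Host:
    name: str
    software: dict   # package -> installed version, as reported by the sensor
    admins: set      # accounts holding administrative rights (Phase 2: privileges)
    mfa: set         # accounts enforced with multi-factor authentication


@dataclass(order=True)
class Finding:
    score: int       # higher sorts first: fix these before the rest
    host: str
    detail: str


def assess(hosts, today):
    """Turn raw inventory into a prioritized list of deviations from policy."""
    findings = []
    for h in hosts:
        if h.name not in AUTHORIZED_HOSTS:
            findings.append(Finding(80, h.name, "device not in authorized hardware inventory"))
        for pkg, ver in h.software.items():
            if pkg not in APPROVED_SOFTWARE:
                findings.append(Finding(40, h.name, f"unapproved software {pkg} {ver}"))
            published = VULNERABLE.get((pkg, ver))
            if published is not None:
                age = (today - published).days
                # A known flaw past the remediation deadline outranks everything else.
                score = 100 if age > REMEDIATION_DAYS else 60
                findings.append(Finding(score, h.name, f"{pkg} {ver} vulnerable for {age} days"))
        # Least privilege: every admin account must be covered by MFA.
        for acct in sorted(h.admins - h.mfa):
            findings.append(Finding(70, h.name, f"privileged account {acct} without MFA"))
    return sorted(findings, reverse=True)


# Constructed sensor output for three hosts (one of them not in the authorized list).
SAMPLE_HOSTS = [
    Host("ws-0412", {"chrome": "49.0", "openssl": "1.0.1f"}, {"jdoe"}, {"jdoe"}),
    Host("ws-0999", {"tor-browser": "5.5"}, {"admin"}, set()),
    Host("srv-hr-01", {"java": "8u40"}, {"svc-backup", "jdoe"}, {"jdoe"}),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_HOSTS, date(2016, 4, 1)):
        print(f"{f.score:3d}  {f.host:<10} {f.detail}")
```

The scoring is the point: an inventory by itself is only a list, but once every deviation carries an age and a weight, the oldest unpatched known vulnerability sorts above an unauthorized device, which in turn sorts above an unapproved package. That ordering is the "plan" that the visibility of Phases 1 and 2 is meant to produce.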

The tool delivery aspect of the first phase is more or less complete. Department of Homeland Security (DHS) secretary Jeh Johnson says the sensors needed for that phase had reached nearly all of the civilian agencies who had signed on to the CDM program by the end of 2015.

The second phase, initially expected to be done in 2017, will get tools and services to 100 percent of agencies in 2016, he says, though bids covering the four functional areas of Phase 2 were only just due on March 30. In the meantime, the Defense Department is implementing its own CDM program.

Awards for the eleven task areas needed to support agencies in installing, operating and managing the tools, and in getting data from them to the CDM dashboards, are also in progress; several have already been made. Phase 3 requirements are still being ironed out. That phase covers seven of the program’s 15 functional capabilities:

- Plan for Events
- Respond to Events
- Generic Audit/Monitoring
- Document Requirements, Policy, and so on
- Quality Management
- Risk Management
- Boundary Protection (Network, Physical, Virtual)

In March 2016, DHS issued initial draft requirements for boundary protection, listing Manage Network Filters and Boundary Controls (BOUND-F), Encryption (BOUND-E) and Physical Access Control Systems (BOUND-P) as the three boundary protection functions to be covered.

Under the CDM program goals, all three phases need to be implemented in order to provide the kind of pervasive security envisioned by the Obama Administration and Congress. Not only would each agency be covered, but agencies would be able to share information about incidents, and coordinate with each other over a standardized security infrastructure.

The first two phases aren’t really meant to improve agencies’ security posture by themselves, says Ken Ammon, a senior advisor with CA Technologies. They are intended to improve agencies’ visibility into their networks and systems, and to help them come up with plans that would improve security.

“However,” he says, “simply by virtue of what phases one and two bring (in terms of discovery of assets and vulnerabilities) that means agencies will have a significantly better security posture just by putting that better reporting in place.” •


ALLIANT GWAC USED FOR SOME CDM NEEDS

The Department of Homeland Security (DHS) took a different route with the last group of agencies covered under the second contract task order. It opted for a shared services strategy instead of the direct order approach using the GSA BPA that it had used with the previous five groups.

GSA’s Alliant government-wide acquisition contract (GWAC) will cover task order 2F, released in December 2015. This is a 10-year contract with a $50 billion ceiling awarded in May 2009 to replace several of GSA’s expired GWACs. It supports a variety of IT services programs, and has proven particularly attractive to agencies looking for new and emerging technologies.

Groups A through E cover either single large agencies or a number of mid-size agencies. Group F pools 42 of the remaining smaller agencies. This includes organizations such as the American Battle Monuments Commission, the Federal Trade Commission and the U.S. International Trade Commission. The needs of these agencies to comply with CDM program requirements vary widely. Many of them have little infrastructure in place and few IT resources.

These agencies will be able to choose from any of the 80 or so vendors who hold Alliant contracts to fulfill their CDM needs. For the other five groups, individual task orders under the GSA BPA went to Knowledge Consulting Group, Booz Allen Hamilton (which won two of them), HP Enterprise Services and Northrop Grumman.

In another departure from the norm, the agencies in Group F will be able to cover needs for both Phases 1 and 2 as a way of making up lost time in issuing the task order. Other groups of agencies will buy only tools and services to meet requirements for Phase 1 of the CDM program.

The Alliant contractor “shall design, build and operate a CMaaS (continuous monitoring as a service) solution for the agencies” in Group F, states the task order RFP.

The solution will include all necessary tools, sensors and integration support services.

Secure shared services will be the platform for delivering these. That shared services solution “must recognize and incorporate the IT governance models at participating agencies [that] may or may not have a centralized acquisition model,” the RFP says. “Small agencies may also leverage shared acquisition offices for cost savings purposes or utilize a centralized-like model without having the benefit of an official acquisitions office.”

The task order also says all tools and sensors have to be bought from the BPA and provided under the 2F task order with no markup or fee beyond the purchase price. GSA’s Federal Systems Integration and Management Center (FEDSIM), which issued the task order, expects this CDM shared service platform to “yield significant benefits” for the Group F agencies: cost savings, reduced impact on infrastructure and reliable service levels, along with the intended security improvements.

There had been earlier speculation that if the Group F task order used shared services, a viable platform of that kind might also be used by vendors to deliver Phase 2 capabilities to Group A through E agencies. FEDSIM executives have ruled that out, however.

“This is really about the unique requirements [for Group F] and how we are going to deliver something for that,” says Chris Hamm, FEDSIM director, at a 2015 Federal Computer Week CDM conference. “I don’t see future activity moving outside of that.” •



PHASE 3 REQUIREMENTS FINALLY EMERGE

While the entire Continuous Diagnostics and Mitigation (CDM) program is aimed at boosting the security of government agency IT, the contract itself can be separated into two primary areas of operational significance. Phases 1 and 2 provide the tools and services agencies need to manage their hardware and software assets. Phase 3 is where that baseline capability data is put to work on security improvements.

Managing network access controls will be a major part of those improvements. A first look at that came in March 2016 with the publication of detailed functional requirements for what the Department of Homeland Security (DHS) calls N-BOUND tools: the sensors and other tools needed to monitor and manage both physical and logical access to department and agency networks and data.

The draft addresses three requirements:

- BOUND-F: to monitor and manage network filters and boundary controls
- BOUND-E: to monitor and manage encryption (more generally defined, according to the document, as cryptography mechanism controls)
- BOUND-P: to monitor and manage physical access controls

These boundary protection functions all have cross-capability relationships, both within the BOUND area and with other CDM tools. For example, BOUND-F tools employ encryption, and the data gathered about them by CDM sensors describes attributes used in BOUND-E policies. BOUND-F network filters include the firewalls and gateways that sit between regions of a network, such as a trusted internal network and a less trusted external network.

The goals of these boundary devices include “limiting or denying access by unauthorized users while simultaneously allowing access by authorized users; preventing undesired software such as viruses and other malware from getting into the trusted network; preventing undesired content from getting into the trusted network; and preventing, limiting, or monitoring the exfiltration of sensitive data or applications from the trusted to the less trusted network.”

BOUND-E is aimed at providing greater visibility into the risks associated with the various cryptographic devices and mechanisms used on an organization’s network. Failures at this level are behind many of the recent security breaches at government agencies. The BOUND-E function includes a cryptography category that covers encryption techniques as well as the monitoring and management of cryptographic keys and certificate authorities.
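What monitoring and managing cryptographic mechanisms looks like in practice is easier to see in code. The following Python check is an added example, not code from the BOUND-E draft or from DHS: it audits a constructed inventory of TLS endpoints against a hypothetical policy (minimum TLS 1.2, 2048-bit RSA, no MD5 or SHA-1 signatures, an approved-issuer list and a 30-day expiry warning). The endpoint records, issuer names and thresholds are assumptions for illustration; a real BOUND-E feed would come from a certificate-management sensor or a network scanner.

```python
from datetime import date, timedelta

# Assumed policy values (hypothetical; not taken from the BOUND-E draft).
APPROVED_ISSUERS = {"Federal Common Policy CA", "Agency Issuing CA 1"}
MIN_TLS = (1, 2)
MIN_RSA_BITS = 2048
WEAK_HASHES = {"md5", "sha1"}
EXPIRY_WARNING = timedelta(days=30)


def tls_version(s):
    """'1.0' -> (1, 0), so versions compare numerically rather than as strings."""
    major, minor = s.split(".")
    return (int(major), int(minor))


def audit_endpoint(ep, today):
    """Return the list of policy deviations for one TLS endpoint record."""
    issues = []
    if tls_version(ep["tls_min"]) < MIN_TLS:
        issues.append(f"accepts TLS {ep['tls_min']}")
    alg, bits = ep["key"]
    if alg == "RSA" and bits < MIN_RSA_BITS:
        issues.append(f"{bits}-bit RSA key")
    if ep["sig_hash"] in WEAK_HASHES:
        issues.append(f"certificate signed with {ep['sig_hash']}")
    # A self-signed certificate has no issuer to approve, so report it separately
    # rather than also counting it as an unapproved issuer.
    if ep["issuer"] == ep["host"]:
        issues.append("self-signed certificate")
    elif ep["issuer"] not in APPROVED_ISSUERS:
        issues.append(f"issuer not approved: {ep['issuer']}")
    if ep["not_after"] < today:
        issues.append(f"certificate expired {ep['not_after']}")
    elif ep["not_after"] - today <= EXPIRY_WARNING:
        issues.append(f"certificate expires in {(ep['not_after'] - today).days} days")
    return issues


def audit(endpoints, today):
    """Map each host name to its deviations; an empty list means the endpoint passes."""
    return {ep["host"]: audit_endpoint(ep, today) for ep in endpoints}


# Constructed inventory, in the shape a certificate-management sensor might report.
SAMPLE_ENDPOINTS = [
    {"host": "portal.agency.example", "tls_min": "1.2", "key": ("RSA", 2048),
     "sig_hash": "sha256", "issuer": "Agency Issuing CA 1", "not_after": date(2017, 3, 1)},
    {"host": "legacy.agency.example", "tls_min": "1.0", "key": ("RSA", 1024),
     "sig_hash": "sha1", "issuer": "legacy.agency.example", "not_after": date(2016, 3, 15)},
    {"host": "vpn.agency.example", "tls_min": "1.2", "key": ("EC", 256),
     "sig_hash": "sha256", "issuer": "Reseller CA", "not_after": date(2016, 4, 20)},
]

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_ENDPOINTS, date(2016, 4, 1)).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

Run against the same inventory every day, the expiry and issuer checks are what turn a one-off scan into continuous monitoring: the warning for vpn.agency.example appears a month before the outage, and a certificate from an issuer outside the approved list is flagged the day it shows up, not at the next audit.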

The draft document also briefly examines requirements for BOUND-P, basically those needed to collect and verify all authentication and access control lists used to get authorized people through doors and gateways. DHS says more details on BOUND-P will come later.

The document also mentions what it calls “special considerations” for Internet-based connections under government-mandated security programs such as EINSTEIN, which provides integrated intrusion detection and prevention for agencies, and the Trusted Internet Connection (TIC) initiative, through which agencies consolidate and secure their external connections. Both are important elements, since the intent is for CDM to complement and eventually integrate with these capabilities.

While those boundary controls would also stop many of the more common types of attacks hitting agency networks, the N-BOUND tools are aimed directly at the sort of advanced persistent threat (APT) attacks recently used against the Office of Personnel Management (OPM) and other agencies, which are expected to pose the greatest danger.

The purpose of this section of the CDM program is to manage network access controls, the document says. The intent is to limit unauthorized access that “would allow attackers to cross internal and external network boundaries and then pivot to gain deeper network access and/or capture network resident data at rest or in transit.” •


SUPPORT, SIGNATURES AND POLICIES WILL MATTER

As the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program continues to roll out, certain factors that aren’t directly associated with the program could still have a big impact on how well it is taken up and how effective it eventually becomes. Those include executive support, attack signatures and policy revisions.

Executive support: After the 2015 revelation of the systems breach at the Office of Personnel Management (OPM) and the potential compromise of millions of government employee records, the Obama Administration launched a 30-day “Cybersecurity Sprint” intended to force federal agencies to take immediate steps to boost security, including patching critical vulnerabilities and tightening authentication and privileged-access practices.

It seemed to work. In one dramatic measure, the number of known critical vulnerabilities in federal systems dropped from 363 to just three in a few months. A big reason for that was public support from a number of senior executives, says Ken Ammon, a senior advisor with CA Technologies. Not every agency shared the same commitment to the sprint, he says, but those that did had that kind of support.

“Problems that before would have taken months to solve ended up being dealt with in hours,” says Ammon. “As Stage 2 of CDM rolls out, those organizations that want to be successful with it will find they’ll have to have that same level of executive backing.”

Beyond signatures: One major problem looming for the CDM program, which has also afflicted the DHS EINSTEIN intrusion detection and prevention program, is that the available incident and intrusion detection tools have relied only on known attack signatures. That is ineffective against stealthier attacks such as advanced persistent threats (APTs), whose tooling and infrastructure have no signature yet.

DHS is moving to resolve that by adding so-called reputation-based tools to these programs. In February, DHS said it is piloting reputation scoring as part of EINSTEIN; the scoring will prioritize threats by their likely severity and should also be able to identify potential new threats.

That kind of capability will also be added to the tools available under the CDM program, which will eventually be integrated with EINSTEIN. The agency and federal dashboards that will be installed as part of the CDM program will also provide data that can be used for reputation scoring and emerging threat detection.
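The difference between signature matching and reputation scoring is concrete enough to show on log data. The following Python example is added here and is not code from EINSTEIN, DHS or the CDM program: it runs both approaches over a handful of constructed proxy log lines. The signature check flags only requests containing a known-bad indicator; the reputation scorer instead ranks each destination by behaviour (how recently the domain was first observed in an assumed intelligence feed, whether only one internal host talks to it, whether the requests form a regular beacon, whether data is posted out). The log lines, indicator list, first-seen dates and scoring weights are all constructed.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, internal source, destination host, method, path, status.
LOG = """\
2016-04-01T09:00:00 10.1.4.22 updates.vendor.example GET /catalog.xml 200
2016-04-01T09:00:05 10.1.4.31 updates.vendor.example GET /catalog.xml 200
2016-04-01T09:00:09 10.1.4.40 updates.vendor.example GET /catalog.xml 200
2016-04-01T09:10:00 10.1.4.31 a1b2c3.dyn-host.example POST /api/v1/ping 200
2016-04-01T09:20:00 10.1.4.31 a1b2c3.dyn-host.example POST /api/v1/ping 200
2016-04-01T09:30:00 10.1.4.31 a1b2c3.dyn-host.example POST /api/v1/ping 200
2016-04-01T09:40:00 10.1.4.31 a1b2c3.dyn-host.example POST /api/v1/ping 200
2016-04-01T09:41:12 10.1.4.40 exploitkit.example GET /wp-content/evil.php 200
"""

# Assumed known-bad indicators, as a signature feed would supply them (constructed).
SIGNATURES = ("/wp-content/evil.php", "exploitkit.example")

# Assumed intelligence feed: the date each domain was first observed anywhere (constructed).
FIRST_SEEN = {
    "updates.vendor.example": datetime(2012, 1, 1),
    "a1b2c3.dyn-host.example": datetime(2016, 3, 30),
    "exploitkit.example": datetime(2016, 3, 1),
}

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse(log):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, method, path, status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "method": method, "path": path, "status": int(status)})
    return events


def signature_hits(events):
    """Signature-based detection: flag only events that contain a known-bad indicator."""
    return [e for e in events if any(s in e["dst"] + e["path"] for s in SIGNATURES)]


def reputation_scores(events, first_seen, now):
    """Reputation-based scoring: rank destinations by behaviour, without any indicator match."""
    by_dst = {}
    for e in events:
        by_dst.setdefault(e["dst"], []).append(e)
    scored = {}
    for dst, evs in by_dst.items():
        score, reasons = 0, []
        # A domain absent from the feed has never been seen, so treat it as brand new.
        age_days = (now - first_seen.get(dst, now)).days
        if age_days < 7:
            score += 40
            reasons.append(f"domain first seen {age_days} days ago")
        if len({e["src"] for e in evs}) == 1:
            score += 20
            reasons.append("contacted by a single internal host")
        times = sorted(e["ts"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low spread between request intervals is the classic beacon pattern.
        if len(gaps) >= 3 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.1:
            score += 30
            reasons.append(f"regular beacon every {mean(gaps):.0f}s")
        if any(e["method"] == "POST" for e in evs):
            score += 10
            reasons.append("outbound POST")
        scored[dst] = (score, reasons)
    return dict(sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True))


if __name__ == "__main__":
    events = parse(LOG)
    print("signature hits:", [(e["src"], e["dst"] + e["path"]) for e in signature_hits(events)])
    for dst, (score, reasons) in reputation_scores(events, FIRST_SEEN, datetime(2016, 4, 1, 10)).items():
        print(f"{score:3d} {dst}: {'; '.join(reasons) or 'nothing unusual'}")
```

The host beaconing every ten minutes to a two-day-old domain scores highest without matching any signature, while the one real signature hit scores low on reputation alone; the two detectors catch different things, which is why the text describes reputation scoring as an addition to EINSTEIN rather than a replacement for it.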

Circular A-130: The Office of Management and Budget (OMB) has proposed a revision to the federal government’s Circular A-130, the central governing document for policies on federal information resource management. The revision is meant to reflect changes in IT since the last A-130 revision in 2000.

One central motivation of the revision is “the federal workforce managing IT must have the flexibility to address known and emerging threats while implementing continuous improvements,” according to the OMB.

Revision proposals include the need to “implement a risk management framework to guide and inform the categorization of Federal information and information systems; the selection, implementation, and assessment of security and privacy controls; the authorization of information systems and common controls; and the continuous monitoring of information systems and environments of operation.”

Other parts of the OMB’s suggested revisions, which also fit the goals of the CDM program, stress the need to focus on risk management as a central plank of government IT security. The larger goal of current government IT security improvements is to replace the “bolted-on” approach of the past with a more expansive and dynamic risk-oriented approach. This is also something the CDM program is intended to address. •