Category Archives: cdm

DHS cyber tool finds huge amount of ‘shadow IT’ in U.S. agencies

Posted on by

New cybersecurity tools being deployed across the U.S. government found huge numbers of uncatalogued and unmanaged computer devices connected to federal networks — a phenomenon known as “shadow IT” — that necessitated urgent modifications to many hundreds of millions of dollars’ worth of contracts. Some departments and agencies had “several hundred percent” more devices on their networks than they expected and the average across government was about 44 percent more, Department of Homeland Security official Kevin Cox said last week at the McAfee Security Through Innovation Summit, hosted by CyberScoop. “There was something of a ‘oh shit’ moment,” said a person familiar with the discovery, made during the recent rollout of phase one of Continuous Diagnostics and Monitoring tools. CDM is a DHS-funded, government-wide acquisition program that buys and installs cybersecurity tools on U.S. departmental and agency networks. The tools found every kind of device imaginable on federal networks, this person said, from […]

The post DHS cyber tool finds huge amount of ‘shadow IT’ in U.S. agencies appeared first on Cyberscoop.

Continue reading DHS cyber tool finds huge amount of ‘shadow IT’ in U.S. agencies

DHS’s diagnostics open door to collaboration among agencies, says Commerce official

Posted on by

A funny thing happened when the CIO Council at the Department of Commerce sat down to figure out how to deploy the new tools coming from the Department of Homeland Security’s Continuous Diagnostics and Monitoring, or CDM, program. Rod Turk, the department’s CISO and acting CIO, said people on the council —which brings together the CIOs from all the various agencies and bureaus that make up Commerce — started asking questions. “Questions like, ‘Why do we have multiple Security Operation Centers and Network Operation Centers?’ … We have three SOC’s just in [the Commerce headquarters building] … What can we do  more efficiently?” recalled Turk, who said he’s sat on the council for about eight years. Turk spoke at a breakout session on CDM on Thursday at the 2017 McAfee Security Through Innovation Summit hosted by FedScoop and CyberScoop. Under the governmentwide CDM program, DHS pays for cybersecurity tools and services that monitor the IT networks […]

The post DHS’s diagnostics open door to collaboration among agencies, says Commerce official appeared first on Cyberscoop.

Continue reading DHS’s diagnostics open door to collaboration among agencies, says Commerce official

DHS’s diagnostics open door to collaboration among agencies, says Commerce official

Posted on by

A funny thing happened when the CIO Council at the Department of Commerce sat down to figure out how to deploy the new tools coming from the Department of Homeland Security’s Continuous Diagnostics and Monitoring, or CDM, program. Rod Turk, the department’s CISO and acting CIO, said people on the council —which brings together the CIOs from all the various agencies and bureaus that make up Commerce — started asking questions. “Questions like, ‘Why do we have multiple Security Operation Centers and Network Operation Centers?’ … We have three SOC’s just in [the Commerce headquarters building] … What can we do  more efficiently?” recalled Turk, who said he’s sat on the council for about eight years. Turk spoke at a breakout session on CDM on Thursday at the 2017 McAfee Security Through Innovation Summit hosted by FedScoop and CyberScoop. Under the governmentwide CDM program, DHS pays for cybersecurity tools and services that monitor the IT networks […]

The post DHS’s diagnostics open door to collaboration among agencies, says Commerce official appeared first on Cyberscoop.

Continue reading DHS’s diagnostics open door to collaboration among agencies, says Commerce official

Hearing Witness Doesn’t Understand CDM

Posted on by

This post is a follow up to this post on CDM. Since that post I have been watching hearings on the OPM breach.

On Wednesday 24 June a Subcommittee of the House Committee on Homeland Security held a hearing titled DHS’ Efforts to Secure .Gov.

A second panel (starts in the Webcast around 2 hours 20 minutes) featured Dr. Daniel M. Gerstein, a former DHS official now with RAND, as its sole witness.

During his opening statement, and in his written testimony, he made the following comments:

“The two foundational programs of DHS’s cybersecurity program are EINSTEIN (also called EINSTEIN 3A) and CDM. These two systems are designed to work in tandem, with EINSTEIN focusing on keeping threats out of federal networks and CDM identifying them when they are inside government networks.

EINSTEIN provides a perimeter around federal (or .gov) users, as well as select users in the .com space that have responsibility for critical infrastructure. EINSTEIN functions by installing sensors at Web access points and employs signatures to identify cyberattacks.

CDM, on the other hand, is designed to provide an embedded system of sensors on internal government networks. These sensors provide real-time capacity to sense anomalous behavior and provide reports to administrators through a scalable dashboard. It is composed of commercial-off-the-shelf equipment coupled with a customized dashboard that can be scaled for administrators at each level.” (emphasis added)

All of the text in bold is false. CDM is not “identifying [threats] when they are in inside government networks.” CDM is not “an embedded system of sensors on internal government networks” looking for threat actors.

Why does Dr. Gerstein so misunderstand the CDM program? The answer is found in the next section of his testimony, reproduced below.

“CDM operates by providing

          federal departments and agencies with capabilities and tools that identify
          cybersecurity risks on an ongoing basis, prioritize these risks based upon
          potential impacts, and enable cybersecurity personnel to mitigate the
          most significant problems first. Congress established the CDM program
          to provide adequate, risk-based, and cost-effective cybersecurity and
          more efficiently allocate cybersecurity resources.” (emphasis added)

The indented section is reproduced from the DHS CDM Website, as footnoted in Dr. Gerstein’s statement.

The answer to my question of misunderstanding involves two levels of confusion.

The first level of confusion is a result of the the CDM description, which confuses risks with vulnerabilities. Basically, the CDM description should say vulnerabilities instead of risks. CDM, now known as Continuous Diagnostics and Mitigation, is a “find and fix flaws (i.e., vulnerabilities) faster” program.

In other words, the CDM description should say:

“CDM gives federal departments and agencies with capabilities and tools that identify cybersecurity vulnerabilities on an ongoing basis, prioritize these vulnerabilities based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.”

The second level of confusion is a result of Dr. Gerstein confusing risks with threats. It is clear that when Dr. Gerstein reads the CDM description and its mention of “risks,” he thinks CDM is looking for threat actors. CDM does not look for threat actors; CDM looks for vulnerabilities. Vulnerabilities are flaws in software or configuration that make it possible for intruders to gain unauthorized access.

As I wrote in my CDM post, we absolutely need the capability to find and fix flaws faster. We need CDM. However, do not confuse CDM with the operational capability to detect and remove threat actors. CDM could be deployed across the entire Federal government, but it would be an accident if a security analyst noticed an intruder using a CDM tool.

Essentially, the government needs to implement My Federal Government Security Crash Program to detect and remove threat actors.

It is critical that staffers, lawmakers, and the public understand what is happening, and not be lulled into a false sense of security due to misunderstanding these concepts.

Tweet

Copyright 2003-2015 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Continue reading Hearing Witness Doesn’t Understand CDM

Posted in cdm

Hearing Witness Doesn’t Understand CDM

Posted on by

This post is a follow up to this post on CDM. Since that post I have been watching hearings on the OPM breach.

On Wednesday 24 June a Subcommittee of the House Committee on Homeland Security held a hearing titled DHS’ Efforts to Secure .Gov.

A second panel (starts in the Webcast around 2 hours 20 minutes) featured Dr. Daniel M. Gerstein, a former DHS official now with RAND, as its sole witness.

During his opening statement, and in his written testimony, he made the following comments:

“The two foundational programs of DHS’s cybersecurity program are EINSTEIN (also called EINSTEIN 3A) and CDM. These two systems are designed to work in tandem, with EINSTEIN focusing on keeping threats out of federal networks and CDM identifying them when they are inside government networks.

EINSTEIN provides a perimeter around federal (or .gov) users, as well as select users in the .com space that have responsibility for critical infrastructure. EINSTEIN functions by installing sensors at Web access points and employs signatures to identify cyberattacks.

CDM, on the other hand, is designed to provide an embedded system of sensors on internal government networks. These sensors provide real-time capacity to sense anomalous behavior and provide reports to administrators through a scalable dashboard. It is composed of commercial-off-the-shelf equipment coupled with a customized dashboard that can be scaled for administrators at each level.” (emphasis added)

All of the text in bold is false. CDM is not “identifying [threats] when they are in inside government networks.” CDM is not “an embedded system of sensors on internal government networks” looking for threat actors.

Why does Dr. Gerstein so misunderstand the CDM program? The answer is found in the next section of his testimony, reproduced below.

“CDM operates by providing

          federal departments and agencies with capabilities and tools that identify
          cybersecurity risks on an ongoing basis, prioritize these risks based upon
          potential impacts, and enable cybersecurity personnel to mitigate the
          most significant problems first. Congress established the CDM program
          to provide adequate, risk-based, and cost-effective cybersecurity and
          more efficiently allocate cybersecurity resources.” (emphasis added)

The indented section is reproduced from the DHS CDM Website, as footnoted in Dr. Gerstein’s statement.

The answer to my question of misunderstanding involves two levels of confusion.

The first level of confusion is a result of the the CDM description, which confuses risks with vulnerabilities. Basically, the CDM description should say vulnerabilities instead of risks. CDM, now known as Continuous Diagnostics and Mitigation, is a “find and fix flaws (i.e., vulnerabilities) faster” program.

In other words, the CDM description should say:

“CDM gives federal departments and agencies with capabilities and tools that identify cybersecurity vulnerabilities on an ongoing basis, prioritize these vulnerabilities based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.”

The second level of confusion is a result of Dr. Gerstein confusing risks with threats. It is clear that when Dr. Gerstein reads the CDM description and its mention of “risks,” he thinks CDM is looking for threat actors. CDM does not look for threat actors; CDM looks for vulnerabilities. Vulnerabilities are flaws in software or configuration that make it possible for intruders to gain unauthorized access.

As I wrote in my CDM post, we absolutely need the capability to find and fix flaws faster. We need CDM. However, do not confuse CDM with the operational capability to detect and remove threat actors. CDM could be deployed across the entire Federal government, but it would be an accident if a security analyst noticed an intruder using a CDM tool.

Essentially, the government needs to implement My Federal Government Security Crash Program to detect and remove threat actors.

It is critical that staffers, lawmakers, and the public understand what is happening, and not be lulled into a false sense of security due to misunderstanding these concepts.

Tweet

Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Continue reading Hearing Witness Doesn’t Understand CDM

Posted in cdm