It seems like every time you turn around, somebody’s website has been hacked or their data has been compromised. In 2013, the Cybersecurity and Infrastructure Security Agency (CISA), which leads the national effort to defend critical government and private sector infrastructure against threats and evolving risks, established their Continuous Diagnostics and Mitigation (CDM) program to combat the problem.
CDM provides a dynamic approach to fortifying the cybersecurity of civilian government networks and systems. To do this, organizations need to create baseline technical security configurations that are known to be effective. Currently, most stakeholders align their security configurations around one of two sets of “checklists” to follow to ensure baseline security compliance:
- Developed by the Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs) are DoD configuration standards for locking down system vulnerabilities.
- Center for Internet Security (CIS) controls offer organizations a roadmap for maturing their cybersecurity programs, as well as technical guidance for establishing and maintaining secure configurations.
However, configuring systems is one thing. Maintaining those security configurations over time is a whole different beast. Through the process of continuous diagnostics and mitigation, agencies are able to receive relevant, timely, and actionable information on the state of their systems and ensure security before malicious actors have a chance to pounce.
In a recent survey, more than 100 federal and industry stakeholders revealed:
- 59% are integrating continuous diagnostics and mitigation into their overall cyber strategies
- 90%, however, believe adversaries are outpacing their efforts
- Stakeholders say cloud computing, automation and zero trust (in that order) are the top three strategies critical to success
Satisfying STIG and CIS Benchmarks and controls gives you a firm cybersecurity baseline.
The Center for Internet Security (CIS) is a non-profit organization whose mission is to make the connected world safer by “developing, validating, and promoting timely best practice solutions.” A primary initiative that enables CIS to meet its mission is the CIS Controls and CIS Benchmarks. The CIS Controls are a set of twenty basic actions to take to protect your organization and data from known cyber-attack vectors. The CIS Benchmarks are a collection of more than 100 configuration guidelines.
Likewise, STIGs are published as a set of 500 individual policies, encompassing tens of thousands of controls. Originally created by DISA for the DoD, STIGs are today widely used throughout the federal government to meet compliance obligations. STIGs are updated every 90 days to address the latest threats.
Whether STIG or CIS, the benchmarks and controls fall under the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-70 definition of a “checklist.” Security configuration checklists are the technical instructions or procedures for verifying that a product is configured appropriately for its operational environment. Meeting these requirements provides a low-level technical configuration foundation upon which your organization can build a secure IT infrastructure.
To give you an idea of what kinds of areas these controls cover, they include:
- Inventory and Control of Hardware and Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery Capabilities
- Secure Configurations for Network Devices, such as Firewalls, Routers, and Switches
- Data Protection
- Account Monitoring and Control
Continually diagnosing and monitoring STIG and CIS controls is essential to cybersecurity.
It doesn’t sound terribly complex, right? You’ve got CIS controls and benchmarks to tell you where and what to monitor. However, consider smartphone updates for a moment. People need to make sure that their operating systems are continuously updated, but they also need to make sure that each application on the device stays updated. Even with automatic updates, people struggle because sometimes an operating system update creates a functionality problem with an application.
Now, take this example and scale it across the enterprise. According to Netskope’s 2021 Cloud and Threat Report, organizations with 500-2,000 employees use an average of 690 specific cloud applications per month. This number doesn’t even cover the fact that the average organization also includes at least one device per employee, network devices, Internet of Things devices like printers, and on-premises applications. When organizations try to maintain secure configurations, they often find that the number of devices and applications makes the process cumbersome and time-consuming.
As malicious actors continuously evolve their threat methodologies, companies need to continually review their controls’ effectiveness. This makes continuous monitoring the bane of every security professional’s existence. It’s such a cumbersome, manual project subject to human error that an entire cybersecurity industry has grown up around it. Continuous monitoring means making sure that you have visibility into your environment to remediate any security control weaknesses.
Many organizations have complex technologies that include security information and event management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms to help them. Other organizations use centralized log management (CLM) tools to help them detect, investigate, and remediate suspicious activities.
However, at their core, all of these solutions focus on monitoring the organization’s environment to detect abnormal activity, indicating potential threats or risky activity. That can mean a cybercriminal has already gained unauthorized access to the organization’s systems, networks, or applications.
STIG and CIS provide the technical configurations that lock down your devices and applications. When your organization is engaged in continuous monitoring activities, those tools are scanning your organization’s hardware and software to look for any weaknesses that can act as a backdoor into your infrastructure.
Those scans then send alerts to security or IT professionals, telling them that they need to install a security update or fix a configuration. Ultimately, responding to alerts falls under the broader umbrella of system hardening. For context, installing a security patch update is just another name for maintaining technical security controls.
Addressing the three biggest challenges with CDM.
With the rapid move to telework in 2020, agencies need to focus on who is on their network and what’s happening on it. As agencies mature their security posture, they find themselves facing three challenges when complying with CDM strategies:
- Challenge 1: Cloud Adoption. Moving to the cloud is more difficult for federal agencies than for commercial organizations. The sensitive data that agencies manage includes constituent nonpublic information, like names, social security numbers, and birth dates; federal contract information (FCI); controlled unclassified information (CUI); and classified information. Under both Cloud First and Cloud Smart mandates, agencies began migrating some operations to the cloud. However, the need to continue using rigid, legacy IT led to a piecemeal approach. Agencies adopted technologies that worked for where they were at the time, not always where they needed to be. This diversified IT stack reduces visibility, making it more difficult for agencies to manage data security. Monitoring for who and what is on the network becomes challenging. It also makes tracking the route of access challenging. With so many applications and access points, maintaining security benchmarks drains resources.
- Challenge 2: Identifying Hardware and Maintaining Secure Configurations. In August 2020, the US Government Accountability Office (GAO) reviewed agencies’ continuous monitoring activities by selecting three agencies that reported acquisition of the CDM tools. The report noted that none had effectively implemented all essential CDM program requirements, none had fully implemented requirements for managing hardware, contractors installing tools failed to provide unique identifiers consistently, and agencies lacked consistency in comparing network configuration settings to federal benchmarks. The agencies cited lack of resources as one of the reasons for these inconsistencies. Many agencies face the same problem. They find themselves confined by rigid technology debt and an inability to compete adequately for cybersecurity staff.
- Challenge 3: Compliance. Finally, agencies struggle to maintain complete and accurate audit documentation across these distributed, disconnected, divergent IT stacks. The problem for many agencies is the C for “continuous” in CDM. Instead of periodic, point-in-time audits, CDM requires organizations to evaluate their security continuously. Agencies need to respond whenever new risks, like Common Vulnerabilities and Exposures (CVEs), arise. Installing security updates across the network and decentralized endpoints becomes a challenge. Moreover, documenting activities and low-level technical configuration updates only adds to the struggle.
Documenting CDM capabilities to prove governance and compliance.
As agencies work toward maturing their CDM programs, compliance documentation provides a way to assess and track progress. However, many agencies struggle because they have too many devices, users, and applications. As part of your compliance process, documenting CDM activities becomes mission critical.
One place to start is with hardware asset management (HWAM). Even if you’ve already completed an asset inventory, you want to make sure that you have the most complete, updated version. However, this is often a struggle because moving to the cloud usually means keeping track of devices that use dynamic IP addresses.
HWAM ensures that you know all the devices connected to your networks. Unmanaged devices are often vulnerable to attacks because no one manages their software, configuration settings, or security updates. Moreover, if you don’t have a plan for managing all devices, you can’t hold anyone accountable for them. Ultimately, starting with an inventory is the first step to either removing unmanaged machines or making someone responsible for managing risky devices.
Once your HWAM inventory is complete, you can create a software asset management (SWAM) plan. Every authorized device should only be running the approved software necessary to fulfill the role it plays in your IT stack. This is one of the recurring problems associated with “Bring Your Own Device” policies and shadow IT. If your employees are bringing devices that you don’t control into your environment, they leave your networks open to unapproved applications. Additionally, if you fail to manage your own devices appropriately, your employees can add new software to those devices and place you at risk.
As part of your software asset management process, you also want to make sure that you:
- Balance automated and manual software installation
- Decide whether to use a central console for installing software or use distributed locations
- Choose whether a general device manager or subject matter expert will be responsible
- Create a configuration settings management (CSM) process
The ultimate goal of creating your hardware and software inventories is to establish a configuration settings management process that prevents malicious actors from exploiting insecure configurations. When you set up your configuration settings process, you want to make sure that you:
- Assign ownership over setting configurations
- Authorize settings
- Establish timeframes for maintenance
As part of creating these processes, you should set the desired state by analyzing system requirements for each device role across your IT stack. You set these baselines as standard requirements across the organization and require that any changes or deviations be approved through your change management processes.
Once you decide on what you consider your “desired state,” you need to figure out your “actual state.” You can do this by reviewing the configurations of devices and software on your network, then comparing that to the authoritative configurations. Any difference between these indicates a potentially vulnerable asset.
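The HWAM check (devices on the network with no inventory record) and the desired-versus-actual comparison described above are both set differences, so one small script can illustrate them together. The following is an added example written for this article; it is not ConfigOS, a CIS-CAT or SCAP scanner, or any other product’s code. The device roles, setting names, baseline values, inventory records and “observed” results are all constructed sample data and are not quotations from any STIG or CIS Benchmark.

```python
"""Compare an organization's desired state (per-role baseline) with the actual
state reported by a scan, and flag unmanaged and unscanned devices.

Added example for illustration only; all data below is constructed.
"""
from dataclasses import dataclass

# Constructed desired-state baseline keyed by device role. The setting names
# and values are assumptions for the example, not real benchmark content.
BASELINE = {
    "web-server": {
        "password_min_length": 14,
        "ssh_root_login": "no",
        "audit_logging": "enabled",
        "telnet_service": "disabled",
    },
    "workstation": {
        "password_min_length": 14,
        "screen_lock_timeout_sec": 900,
        "usb_storage": "disabled",
        "audit_logging": "enabled",
    },
}

# Constructed HWAM inventory: every authorized device has a role and an owner.
INVENTORY = {
    "web01": {"role": "web-server", "owner": "platform-team"},
    "app01": {"role": "web-server", "owner": "platform-team"},
    "ws-0042": {"role": "workstation", "owner": "it-desktop"},
}

# Constructed "actual state" as a scanner might report it: host -> settings.
OBSERVED = {
    "web01": {"password_min_length": 8, "ssh_root_login": "no",
              "audit_logging": "enabled", "telnet_service": "disabled"},
    "ws-0042": {"password_min_length": 14, "screen_lock_timeout_sec": 900,
                "usb_storage": "enabled"},          # audit_logging not reported
    "printer-3f": {"snmp_community": "public"},     # seen, but not inventoried
}


@dataclass
class Finding:
    host: str
    kind: str            # "unmanaged", "not-scanned", "deviation", "unverified"
    setting: str = ""
    expected: object = None
    actual: object = None


def find_unmanaged(observed, inventory):
    """Hosts on the network with no inventory record: nobody owns or patches them."""
    return sorted(h for h in observed if h not in inventory)


def find_not_scanned(observed, inventory):
    """Inventoried hosts the scan never reached, so their actual state is unknown."""
    return sorted(h for h in inventory if h not in observed)


def compare_host(host, desired, actual):
    """Flag each baseline setting that deviates or could not be verified."""
    findings = []
    for setting, expected in desired.items():
        if setting not in actual:
            # A setting the scan did not report is not compliant by default.
            findings.append(Finding(host, "unverified", setting, expected, None))
        elif actual[setting] != expected:
            findings.append(Finding(host, "deviation", setting, expected, actual[setting]))
    return findings


def assess(baseline, inventory, observed):
    """Run the HWAM checks, then the desired-vs-actual comparison per inventoried host."""
    findings = [Finding(h, "unmanaged") for h in find_unmanaged(observed, inventory)]
    findings += [Finding(h, "not-scanned") for h in find_not_scanned(observed, inventory)]
    for host, record in inventory.items():
        if host in observed:
            desired = baseline.get(record["role"], {})
            findings += compare_host(host, desired, observed[host])
    return findings


def summarize(findings):
    """Count findings by kind; a useful headline number for a CDM dashboard."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(BASELINE, INVENTORY, OBSERVED)
    for f in results:
        detail = f" {f.setting}: expected {f.expected!r}, got {f.actual!r}" if f.setting else ""
        print(f"{f.kind:<12} {f.host}{detail}")
    print(summarize(results))
```

Two design choices matter in practice. A setting the scanner cannot report is recorded as “unverified” rather than silently passed, because an unknown state is not a compliant state. And an inventoried device that the scan never reached is its own finding, since a gap between HWAM and the scan coverage is exactly the inconsistency the GAO review described.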
Simplifying processes and ensuring success in CDM.
Earlier, we indicated that surveyed leaders and experts say cloud computing, automation and zero trust are the top three strategies critical to success:
- Cloud Computing. 66% said cloud computing was key to their continuous diagnostics and mitigation efforts because it improves scalability and agility and is easier to modernize over time. This gives agencies a flexible, secure foundation on which to build.
- Automation. 60% said automation was key to making continuous diagnostics and mitigation work. Automating CDM elements removes human error, reduces stress on the workforce, improves response times and efficiency, and simplifies real-time network monitoring.
- Zero Trust. 59% say zero trust is a winning strategy for stopping data breaches. It is centered around the practice of not trusting—or assuming the trustworthiness of—anything inside or outside the network without verification and validation.
Of these three, automation may provide the most measurable benefits of them all. Yet the same survey revealed that agencies estimate just 45% of their current CDM processes are automated.
SteelCloud’s patented ConfigOS automation software is on the approved provider list for CDM, automating CIS and STIG control implementation, monitoring and maintenance. ConfigOS can harden any system in about an hour, eliminating weeks of effort and allowing you to quickly establish a DISA STIG or CIS-compliant environment. Because of this, it is the ideal means for achieving CDM—continually scanning, remediating, and reporting on system vulnerabilities. Better yet, even in the largest network environments—including classified, tactical, weapon systems, air-gapped labs, and the commercial cloud—ConfigOS can easily remediate every endpoint, every day.
Because ConfigOS can operate in and secure cloud environments, it’s vital to the cloud computing strategy, securing the platform, and protecting it from outside sources. And because it rapidly verifies and validates security controls, it is integral to establishing and maintaining a zero-trust posture.
Automation doesn’t just make CDM easier (and more possible), it also:
- Saves you time and money as you try to mature your security posture and meet mission-critical compliance requirements.
- Requires little expertise to operate. Agencies can set up ConfigOS and train employees in one workday. Now junior IT staff can manage, remediate, and update security control configurations. For agencies that find themselves unable to hire enough cybersecurity staff, SteelCloud provides a solution to the problem.
- Frees up highly paid experts for other initiatives. Every agency and organization has a backlog of security initiatives to work on. ConfigOS gives your experts the added time and opportunity they need to move forward with other missions.
- Enables you to scan your entire environment, implement controls, detect conflicts, remediate conflicts, and document waivers all from a single location.
- Provides a secure storage location for all security configuration documentation so that agencies can streamline their audit processes and reduce human error risks.
- Maintains a secure environment by updating all configurations within 72 hours of a new release, so that you no longer have to worry about the burden of manually updating systems, networks, devices, and software.
Locking down government systems and data.
Continuous diagnostics and mitigation of STIG and CIS benchmarks and controls is essential to securing the data that’s critical to our nation. The processes may be complex and the job may be imposing, but it is essential to our nation’s security. To learn more about CDM, CIS, STIG and the other concepts discussed here, download our STIGs For Dummies guide, or to get a demo of ConfigOS in action, visit steelcloud.com.