There is a dangerous misconception coloring the digital security debate in the Federal government. During the last week, in the wake of the breach at the Office of Personnel Management (OPM), I have been discussing countermeasures with many parties. Concerned officials, staffers, and media have asked me about the Einstein and Continuous Diagnostic Monitoring (CDM) programs. It has become abundantly clear to me that there is a fundamental misunderstanding about the nature of CDM. This post seeks to remedy that problem.
The story "Federal cyber protection knocked as outdated, behind schedule" by Cory Bennett unfortunately encapsulates the misunderstanding about Einstein and CDM:
The main system used by the federal government to protect sensitive data from hacks has been plagued by delays and criticism that it is already outdated — months before it is even fully implemented.
The Einstein system is intended to repel cyberattacks like the one revealed last week by the Office of Personnel Management (OPM)…
Critics say Einstein has been a multibillion-dollar boondoggle that is diverting attention away from the security overhaul that is needed…
To offset those shortcomings, officials in recent years started rolling out a Continuous Diagnostics and Mitigation (CDM) program, which searches for nefarious actors once they’re already in the networks. It’s meant to complement and eventually integrate with Einstein. (emphasis added)
The section I bolded and underlined (the claim that CDM "searches for nefarious actors once they're already in the networks") is 100% false. CDM does not "search" for "nefarious actors" "in the networks." CDM is a vulnerability management program. Please see the figure at the upper left. It depicts the six phases of the CDM program:
- Install/update “sensors.” (More on this shortly)
- Automated search for flaws.
- Collect results from departments and agencies.
- Triage and analyze results.
- Fix worst flaws.
- Report progress.
[Figure: CDM training modules and capability areas, grouped as the program presents them]
Training modules:
- Intro to Hardware Asset Management (HWAM)
- Intro to Software Asset Management (SWAM)
- Intro to Vulnerability Management (VUL)
- Intro to Configuration Settings Management (CSM)
Phase 1 (What is on the network?):
- HWAM – Hardware Asset Management
- SWAM – Software Asset Management
- CSM – Configuration Settings Management
- VUL – Vulnerability Management
Phase 2 (Who is on the network?):
- TRUST – Access Control Management (Trust in People Granted Access)
- BEHAVE – Security-Related Behavior Management
- CRED – Credentials and Authentication Management
- PRIV – Privileges
Phase 3 (What is happening on the network?):
- Plan for Events
- Respond to Events
- Generic Audit/Monitoring
- Document Requirements, Policy, etc.
- Quality Management
- Risk Management
- Boundary Protection – Network, Physical, Virtual
“What we are doing is going agency by agency and figuring out what can we fix with better practices and better computer hygiene by personnel, and where do we need new systems and new infrastructure in order to protect information,”
Don’t misunderstand my criticism of CDM as praise for Einstein. At the very least, Einstein, or a technology like it, should have been deployed across the Federal government while I was still in uniform, 15 years ago. We had equivalent technology in the Air Force 20 years ago. (See the foreword to my latest book, available online, for the history.)
Furthermore, I’m not saying that CDM is a bad approach. All of the CDM phases are needed. I understand that intruders are going to have an easy time getting back into a poorly secured network.
My goal with this post is to show that CDM is either being sold as, or misunderstood as, a way to detect intruders. CDM is not an intrusion detection program; CDM is a vulnerability management program, a method to Find and Fix Flaws Faster. CDM should have been called “F^4, F4, or 4F” to capture this strategic approach.
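To make the distinction concrete, here is an added example (my illustration, not code from the post or from the CDM program) that runs the "collect, triage, fix worst flaws, report" phases of CDM over constructed scanner findings, and then runs a simple intrusion-detection check (periodic "beaconing" to one external address) over constructed proxy log lines. The agency names, hostnames, flaw identifiers, scores and addresses are all made up; the point is that the first pipeline can only ever output a list of flaws to patch, while the second is what actually surfaces an intruder already inside.

```python
"""Added example: CDM-style flaw triage next to a basic intrusion-detection
check. All agencies, hosts, flaw ids, scores, addresses and log lines are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# --- CDM phase 3: results as departments and agencies would report them ---
# (constructed: hostnames, FLAW-* ids and CVSS-like scores are not real)
SCAN_FINDINGS = [
    {"agency": "AgencyA", "host": "web01",   "flaw": "FLAW-0001", "cvss": 9.8, "internet_facing": True},
    {"agency": "AgencyA", "host": "hr-db02", "flaw": "FLAW-0002", "cvss": 7.5, "internet_facing": False},
    {"agency": "AgencyB", "host": "mail01",  "flaw": "FLAW-0003", "cvss": 5.3, "internet_facing": True},
    {"agency": "AgencyB", "host": "wks-117", "flaw": "FLAW-0004", "cvss": 8.1, "internet_facing": False},
]


def priority(finding):
    """Phase 4 triage rule (assumed): severity, with a bonus for exposure."""
    return finding["cvss"] + (2.0 if finding["internet_facing"] else 0.0)


def triage(findings, fix_budget):
    """Phases 4-5: rank every reported flaw and pick the worst ones to fix
    within the available budget. Returns the hosts to fix, in order."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [f["host"] for f in ranked[:fix_budget]]


def progress_report(findings, fix_budget):
    """Phase 6: per-agency count of flaws fixed now vs. deferred. Note that
    nothing here says whether an intruder is present on any host."""
    fixing = set(triage(findings, fix_budget))
    report = defaultdict(lambda: {"fix_now": 0, "deferred": 0})
    for f in findings:
        key = "fix_now" if f["host"] in fixing else "deferred"
        report[f["agency"]][key] += 1
    return dict(report)


# --- What CDM does not do: look for intruders already in the network -------
# Constructed proxy log: "<timestamp> <src> <dst> <bytes>". 10.1.2.3 is taken
# to be hr-db02 (deferred by triage above); 198.51.100.7 is a documentation
# address standing in for an external host it talks to every five minutes.
PROXY_LOG = """\
2015-06-12T08:00:00 10.1.2.3 198.51.100.7 512
2015-06-12T08:01:00 10.1.2.9 203.0.113.5 4096
2015-06-12T08:02:30 10.1.2.9 203.0.113.5 900
2015-06-12T08:05:00 10.1.2.3 198.51.100.7 510
2015-06-12T08:09:00 10.1.2.9 203.0.113.5 12000
2015-06-12T08:10:00 10.1.2.3 198.51.100.7 514
2015-06-12T08:15:00 10.1.2.3 198.51.100.7 511
2015-06-12T08:20:00 10.1.2.3 198.51.100.7 512
2015-06-12T08:30:00 10.1.2.9 203.0.113.5 700
2015-06-12T08:31:00 10.1.2.9 203.0.113.5 650
2015-06-12T08:40:00 10.1.2.44 203.0.113.9 300
"""


def detect_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose connections recur at near-constant
    intervals: gap coefficient of variation <= max_jitter over at least
    min_hits connections. Returns (src, dst, interval_seconds) tuples."""
    times_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        times_by_pair[(src, dst)].append(datetime.fromisoformat(ts))

    beacons = []
    for (src, dst), times in times_by_pair.items():
        if len(times) < min_hits:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg)))
    return beacons


if __name__ == "__main__":
    print("CDM fix list:", triage(SCAN_FINDINGS, fix_budget=2))
    print("CDM report:  ", progress_report(SCAN_FINDINGS, fix_budget=2))
    print("Beacons:     ", detect_beacons(PROXY_LOG))
```

Run as-is, the triage step picks the two worst flaws and the report tallies the rest as deferred, while the beacon check flags the internal host whose flaw was deferred because it is calling out on a fixed five-minute cadence. The first result is useful hygiene; only the second tells you someone may already be inside, which is the capability the post argues the Federal strategy lacks.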
The focus on CDM has meant intruders already present in Federal networks are left to steal and fortify their positions, while scarce IT resources are devoted to patching. The Feds are identifying and locking doors and windows while intruders are inside the house.
It’s time for a new (yet ideologically very old) strategy: find the intruders in the network, remove them, and then conduct counter-intrusion campaigns to stop them from accomplishing their mission when they inevitably return. CDM is the real “multibillion-dollar boondoggle that is diverting attention away from the security overhaul that is needed.” The OPM breach is only the latest consequence of the misguided CDM-centric strategy.