Continuous Diagnostics and Mitigation (CDM) is a program of the Department of Homeland Security designed to enhance cybersecurity across the Federal government. By deploying a standardized stack of pre-approved security tools, CDM ensures that small and large agencies alike can protect their networks from common threats.
During a recent technology summit hosted by FCW in November 2019, Sumo Logic’s Technical Security Manager Paul Tobia appeared with agency CDM managers to discuss their approaches to program implementation.
CDM and the Federal cloud challenge
One significant question facing many Federal cybersecurity personnel is where to deploy CDM assets. As agencies start to rely more on the cloud, they are starting to realize the need for cloud-native, fully automated tools which allow them to act quickly. “Being able to collect all that data, make sense of it, provide visibility, analyze and activity directly in the cloud is really key,” said Tobia.
Unlike traditional data center-based network operations, cloud environments use systems which can have a lifecycle of minutes instead of months or years. Managing this ephemeral timeframe is a growing challenge for IT and security operations, particularly in the Federal space where compliance mandates loom large. Only an automated data analysis system designed to capture and analyze information directly from a cloud environment will be able to capture the full range and depth of data needed to apply the strict security standards of the CDM program.
Much of Sumo Logic’s focus in the Federal space is on helping agencies transition to the cloud and helping them consider newer technologies such as Kubernetes and containers that help them squeeze the most value from their data. Agencies are already focused on their security operations, but CDM is helping bring greater visibility to the areas that need additional focus, Tobia said. “It’s scary to lift the rock up and see what’s going on underneath it, but if you don’t do that, you’re not protecting your environment. That’s the core of what we are trying to do.”
At the agency level, CDM managers need guidance on understanding risk and where best to focus their efforts. Demonstrating progress toward concrete network security goals will be the best way for the CDM program to justify additional investment. “At that practical level, at the execution level, it has to be useful enough for the people who are making decisions on a day-to-day basis to see the value of it,” Tobia noted. “People are going to come to it if they see value in it.”
Integrating technology, people, and processes
There are three variables that factor into a successful CDM rollout – people, process and technology – and agencies should consider them in order. “You need to come at it from the people side and process side first,” Tobia stated. After these two factors are addressed, the technology will follow more naturally – “a tool is a tool is a tool.”
James Saunders, chief cybersecurity architect and acting Security Operations Branch chief at the Small Business Administration, agreed that keeping employees up to speed on new tools and technology is an ongoing challenge. “You have to constantly train and teach, train and teach, and then integrate that data into your CDM programs,” he said. “Start with requirements and ignore the tools in the beginning.”
At the same time, Tobia noted that tools should be part of a larger plan to automate. As agencies move assets to the cloud, scale and speed will only continue to increase. If a tool isn’t automated, or there aren’t automated processes around it, it runs the risk of becoming ineffective or obsolete. “If you’re not thinking about automation (or) how to bring that signal up to a higher level so that people are…not dealing with tools on a day-to-day basis, then you’re behind the eight ball.”