As more organizations are required to comply with Phase 3 Continuous Diagnostics & Mitigation (CDM) requirements, the objectives organizations must meet to satisfy those requirements have become increasingly clear.


Identify

As noted by GSA, CDM provides federal departments and agencies with the capabilities and tools that can help identify ongoing cybersecurity risks. Though risks vary from organization to organization, there are ways to identify network changes that can potentially bring harm to your organization.

Suspicious changes can include but are not limited to:

  • Strange User Access Patterns
  • Abnormal Database Activities
  • User and Device Mismatches
  • File Configuration Changes
  • Changes During Scheduled Patch Updates
  • Privileged Account Abuse
  • User Reports
  • Unauthorized Port Access

In addition to identifying network changes, the identification of data compliance standards may be required as well. File integrity monitoring software can help maintain an inventory of the hardware attached to the network, and of the software installed on it, to support CDM compliance.


Protect

Keeping your organization secure may include being able to protect critical files and directories from unauthorized changes. This is in line with CDM's long-term goals. As Kevin Cox recently stated in a MeriTalk article, a long-term CDM goal is to not only integrate with other DHS cybersecurity programs but to also "look at other tools to plug into," while "really focusing on the data integration layer."

Phase 3 of CDM has a substantial effect on the quality of security-related information available to agencies, and knowledge of what is happening on the network can be tightly integrated with a file integrity monitoring (FIM) tool.

Utilizing software with a ticketing system can help facilitate incident management by recording the real, material changes made to a network.


Detect

Zero-day attacks are never-ending, and File Integrity Monitoring software can detect zero-day attacks and other unknown or unexpected changes to servers, network devices, databases, Active Directory, and more. In Phase 3 of CDM, the MNGEVT capability utilizes an incident management system to report and share events with OMI.

Detecting and logging unexpected changes in real time is only half of meeting the requirement, as incident management and the classification of the events are also required. Utilizing a FIM tool with built-in ticketing can help facilitate that incident management.

More importantly, though, organizations may need the recovery capabilities of real-time file and system integrity monitoring.


Respond

How to respond to unexpected change, which can keep an organization in or out of CDM compliance, is a struggle for many. A FIM tool should be able to respond to any unexpected change by notifying security personnel and integrating with a vast array of third-party tools. A real-time FIM tool should also provide users with the exact data necessary to respond to unauthorized changes to server or network device configurations.

Threat-feed integrations, such as STIX 1.0/2.0 and TAXII threat feeds, can provide a constant stream of threat data, giving organizations greater insight into the detection of security violation events and the classification of events for meeting Phase 3 MNGEVT requirements.


Recover

Lastly, in Phase 3 of CDM, the main focus for OMI (Operate, Monitor, Improve) is in-depth security root cause analysis, prioritization of security mitigation response/recovery, notification, and post-incident activity. System and file integrity monitoring provide insight and actionable information.

Regardless of how it is used, your software should be able to recover from some attacks, roll back unexpected changes to their authoritative state, and even block changes to critical files or directories.
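As an added illustration of the baseline, detect and roll-back cycle described above (this is not CimTrak's own code; it hashes whole files and treats a plain directory copy as the authoritative state, and every path and sample file in it is constructed for the demo):

```python
# Added illustration of a file-integrity baseline, detection and rollback loop;
# not CimTrak code. All paths and sample files below are constructed for the demo.
from __future__ import annotations
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # stream in chunks for large files

def build_baseline(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root (the authoritative state)."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def detect_changes(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift from the baseline as added, deleted or modified files."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }

def rollback(root: Path, authoritative: Path, changes: dict[str, list[str]]) -> None:
    """Restore modified/deleted files from the authoritative copy and remove additions."""
    for rel in changes["modified"] + changes["deleted"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(authoritative / rel, root / rel)
    for rel in changes["added"]:
        (root / rel).unlink()

def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: snapshot, simulate unauthorized drift, detect, roll back, re-check."""
    work = Path(tempfile.mkdtemp())
    root, auth = work / "etc", work / "authoritative"
    root.mkdir()
    (root / "app.conf").write_text("listen=443\n")          # constructed sample config
    (root / "hosts").write_text("127.0.0.1 localhost\n")    # constructed sample file
    shutil.copytree(root, auth)                             # authoritative copy kept elsewhere
    baseline = build_baseline(root)
    (root / "app.conf").write_text("listen=443\ndebug=true\n")  # unexpected modification
    (root / "hosts").unlink()                                    # unexpected deletion
    (root / "unexpected.txt").write_text("x\n")                  # unexpected addition
    before = detect_changes(root, baseline)
    rollback(root, auth, before)
    return before, detect_changes(root, baseline)
```

The first dictionary returned by `demo()` is what the detection step would hand to ticketing; the second, empty after rollback, confirms the directory is back at its authoritative state.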

To learn more about CDM compliance, download the Continuous Diagnostics & Mitigation solution brief today. 


Post by Jacqueline von Ogden
April 3, 2019
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.