As more organizations are required to comply with Phase 3 of Continuous Diagnostics and Mitigation (CDM), the objectives they must meet to satisfy those requirements have become increasingly clear.
As noted by GSA, CDM provides federal departments and agencies with the capabilities and tools that can help identify ongoing cybersecurity risks. Though risks vary from organization to organization, there are ways to identify network changes that can potentially bring harm to your organization.
Suspicious changes can include but are not limited to:
- Strange User Access Patterns
- Abnormal Database Activities
- User and Device Mismatches
- File Configuration Changes
- Changes During Scheduled Patch Updates
- Privileged Account Abuse
- User Reports
- Unauthorized Port Access
In addition to identifying network changes, identifying the data compliance standards that apply may be required as well. File integrity monitoring software can help maintain an inventory of the hardware attached to the network, and of the software installed on it, in support of CDM compliance.
Keeping your organization secure may include being able to protect critical files and directories from unauthorized change. This is in line with CDM long-term goals. As Kevin Cox recently stated in a MeriTalk article, a long-term CDM goal is not only to integrate with other DHS cybersecurity programs, but also to "look at other tools to plug into," "really focusing on the data integration layer."
Phase 3 of CDM has a substantial effect on the quality of security-related information available to agencies, and knowledge of what is happening on the network is tightly integrated with a file integrity monitoring (FIM) tool.
Utilizing software with a ticketing system can help facilitate incident management for real, material changes to a network.
Zero-day attacks are never-ending, and file integrity monitoring software can detect zero-day attacks and unknown and unexpected changes to servers, network devices, databases, Active Directory and more. In Phase 3 of CDM, the MNGEVT capability utilizes an incident management system to report and share events with OMI.
Detecting and logging unexpected changes in real time is only half of meeting the requirement, as incident management and the classification of the events are also required. Utilizing a FIM tool with built-in ticketing can help facilitate that incident management.
More importantly though, organizations may need the recovery capabilities of real-time file and system integrity monitoring.
How to respond to unexpected change, which can keep an organization in or out of CDM compliance, is a struggle for many. A FIM tool should be able to respond to any unexpected change by notifying security personnel and integrating with a vast array of third-party tools. A real-time FIM tool should also provide users with the exact data necessary to respond to unauthorized changes to servers or network device configurations.
Threat-feed integrations, such as STIX 1.0/2.0 and TAXII Threat Feeds, can provide a constant stream of threat data, giving organizations greater insight into the detection of security violation events and the classification of events for meeting Phase 3 MNGEVT requirements.
Lastly, in Phase 3 of CDM, the main focus for OMI (Operate, Monitor, Improve) is in-depth security root cause analysis, prioritization of security mitigation response/recovery, notification, and post-incident activity. System and file integrity monitoring provide the insight and actionable information these activities require.
Regardless of how it is used, your software should have the unique ability to recover from some attacks: rolling unexpected changes back to their authoritative state, and even blocking changes to critical files or directories, is a necessity.
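As an added illustration of the detect-and-roll-back cycle described above (example code written for this page, not any vendor's product or the original post's): a minimal Python baseline, drift classification into added/removed/modified paths, and restore from an authoritative copy, run against a constructed temporary directory tree.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every file under root (POSIX relative path) to its SHA-256 digest."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def detect_changes(baseline: dict, current: dict) -> dict:
    """Classify drift from the baseline: the event categories a FIM ticket would carry."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def roll_back(authoritative: Path, monitored: Path, changes: dict) -> list:
    """Restore modified/removed files from the authoritative copy; delete added ones."""
    restored = []
    for rel in changes["modified"] + changes["removed"]:
        dst = monitored / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(authoritative / rel, dst)
        restored.append(rel)
    for rel in changes["added"]:
        (monitored / rel).unlink()
        restored.append(rel)
    return restored


def demo() -> tuple:
    """Constructed scenario: baseline two config files, simulate drift, detect, roll back, re-verify."""
    work = Path(tempfile.mkdtemp())  # hypothetical monitored host, built in a temp dir
    auth, live = work / "authoritative", work / "live"
    for d in (auth, live):
        (d / "etc").mkdir(parents=True)
        (d / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (d / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    baseline = snapshot(live)
    (live / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # unexpected edit
    (live / "etc" / "hosts").unlink()                                     # unexpected deletion
    (live / "etc" / "motd.new").write_text("unexpected\n")               # unexpected new file
    changes = detect_changes(baseline, snapshot(live))
    roll_back(auth, live, changes)
    clean = detect_changes(baseline, snapshot(live))  # all empty after restore
    shutil.rmtree(work)
    return changes, clean
```

In a real deployment the baseline would be stored off-host and the `changes` dictionary would feed the ticketing or MNGEVT reporting path rather than being returned to a caller.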
To learn more about CDM compliance, download the Continuous Diagnostics & Mitigation solution brief today.
April 3, 2019