As more organizations are required to comply with Phase 3 Continuous Diagnostics & Mitigations (CDM) requirements, the objectives for organizations to meet those requirements have become increasingly clear.
Identify
As noted by GSA, CDM provides federal departments and agencies with the capabilities and tools that can help identify ongoing cybersecurity risks. Though risks vary from organization to organization, there are ways to identify network changes that can potentially bring harm to your organization.
Suspicious changes can include but are not limited to:
- Strange User Access Patterns
- Abnormal Database Activities
- User and Device Mismatches
- File Configuration Changes
- Changes During Scheduled Patch Updates
- Privileged Account Abuse
- User Reports
- Unauthorized Port Access
In addition to identifying network changes, the identification of data compliance standards may be required as well. File integrity monitoring software can help maintain an inventory of the hardware attached to the network, and of the software installed on it, to help with CDM compliance.
Protect
Keeping your organization secure may include being able to protect an organization's critical files and directories from unexpected changes. This is in line with CDM's long-term goals. As Kevin Cox recently stated in a MeriTalk article, a long-term CDM goal is to not only integrate with other DHS cybersecurity programs but to also "look at other tools to plug into, really focusing on the data integration layer."
Phase 3 of CDM has a substantial effect on the quality of security-related information available to agencies, and the knowledge of what is happening on the network is tightly integrated with a file integrity monitoring (FIM) tool.
Utilizing software with a ticketing system can help facilitate incident management by tracking the real, material changes made to a network.
Detect
Zero-day attacks are never-ending; file integrity monitoring software can detect them, along with unknown and unexpected changes to servers, network devices, databases, Active Directory, and more. In Phase 3 of CDM, the MNGEVT capability utilizes an incident management system to report and share events with OMI.
Detecting and logging unexpected changes in real time is only half of meeting the requirement, as incident management and the classification of the events are also required. Utilizing a FIM tool with built-in ticketing can help facilitate that incident management.
More importantly, though, organizations may need the recovery capabilities of real-time file and system integrity monitoring.
Respond
How to respond to unexpected change, which can keep an organization in or out of CDM compliance, is a struggle for many. A FIM tool should be able to respond to any unexpected changes by notifying security personnel and integrating with a vast array of third-party tools. A real-time FIM tool should also provide users with the exact data necessary to respond to unauthorized changes to servers or network device configurations.
Threat-feed integrations, such as STIX 1.0/2.0 and TAXII Threat Feeds, can provide a constant stream of threat data, giving organizations greater insight into the detection of security violation events and the classification of events for meeting Phase 3 MNGEVT requirements.
Recover
Lastly, in Phase 3 of CDM, the main focus for OMI (Operate, Monitor, Improve) is the in-depth security root cause analysis, prioritization of security mitigation response/recovery, notification, and post-incident activity. Systems and integrity monitoring provide insight and actionable information.
Regardless of usage, your software should include the ability to recover from some attacks, roll back unexpected changes to their authoritative state, and even block changes to critical files or directories.
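As an added illustration of the detect-and-roll-back loop described in the Detect and Recover sections (example code written for this page, not any vendor's product), the routine below takes a SHA-256 baseline of a known-good tree, lists modified, added and removed files, and restores the tree from an authoritative copy. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def build_baseline(root):
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def detect_changes(root, baseline):
    """Compare the live tree against the baseline; list modified, added and removed files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def rollback(root, authoritative, changes):
    """Restore modified/removed files from the authoritative copy, delete unexpected
    additions, then re-check the live tree against the authoritative baseline."""
    root, authoritative = Path(root), Path(authoritative)
    for rel in changes["modified"] + changes["removed"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(authoritative / rel, root / rel)
    for rel in changes["added"]:
        (root / rel).unlink()
    return detect_changes(root, build_baseline(authoritative))

def demo():
    """Constructed sample: an authoritative config tree, a live copy, and three unexpected changes."""
    work = Path(tempfile.mkdtemp())
    auth, live = work / "authoritative", work / "live"
    (auth / "etc").mkdir(parents=True)
    (auth / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
    (auth / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    shutil.copytree(auth, live)
    baseline = build_baseline(live)  # taken while the tree is known-good
    (live / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
    (live / "etc" / "cron.d").mkdir()
    (live / "etc" / "cron.d" / "unexpected_job").write_text("* * * * * root /usr/local/bin/job\n")  # added
    (live / "etc" / "hosts").unlink()  # removed
    found = detect_changes(live, baseline)
    return found, rollback(live, auth, found)
```

In a real deployment the baseline would be stored off-host and the "authoritative" copy would be the configuration management source of truth, not a sibling directory.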
To learn more about CDM compliance, download the Continuous Diagnostics & Mitigation solution brief today.
April 3, 2019