
FEDERAL NEWS NETWORK EXPERT EDITION: CONTINUOUS DIAGNOSTICS AND MITIGATION · 2020. 8. 11.

Jan 03, 2021


CONTINUOUS DIAGNOSTICS AND MITIGATION

INSIDE THIS ISSUE:

DHS continues down the CDM path

How CDM is helping agencies collect data

Protecting endpoint business devices

Alternatives to VPNs

BROUGHT TO YOU BY:

EXPERT EDITION


TABLE OF CONTENTS

DHS continues down CDM path with new shared services dashboard…2

CDM dashboard has 15 pilot agencies collecting data…4

Protecting endpoint business devices in a smartphone world…6

COVID-19 drives agencies to investigate alternatives to VPNs, raises need for BYOD support…8

The efforts to protect networks have twisted and turned in order to stay as close to the evolving perimeter as possible. The addition of mobile devices to the perimeter’s edge has increased the amount and volume of data at risk and therefore the tools needed to secure them.

Another way to view a perimeter is to say that none exists at all. “What we’ve found is that perimeter around the enterprise has evaporated,” said Bill Harrod, federal chief technology officer at MobileIron. Instead, Harrod points to the concept of zero trust to redefine the security perimeter at a granular level.

But as you’ll read in this Expert Edition: Federal Insights – Continuous Diagnostics and Mitigation, neither definition is turning out to be a problem for the Department of Homeland Security or its pilot program.

Kevin Cox, the continuous diagnostics and mitigation (CDM) program manager at DHS, shared details about its pilot to understand federal agency attack surfaces through the use of agency-specific and federalwide dashboards. He said the data feeding the dashboard will become more valuable thanks to the coming artificial intelligence and machine learning capabilities.

Lisa Wolfe, Editor-in-Chief, Federal News Network


DHS continues down CDM path with new shared services dashboard

“We’re about to begin an effort to work with agencies to pull in their mobile asset data from their enterprise mobility management systems.” Kevin Cox, CDM program manager, Department of Homeland Security

BY AMELIA BRUST

Compared to other major federal programs, the Department of Homeland Security’s continuous diagnostics and mitigation program is still in its infancy. However, 2020 promises to be a big year for CDM.

Kevin Cox, CDM program manager at DHS, said his team is now deploying a new dashboard, so that agencies have the ability to use more analytics, business intelligence and better visualization when it comes to operationalizing their data. He said that was coming from both a risk management standpoint and a federal standpoint.

“In addition to all of that work, we’ve expanded out into our network security management arena,” Cox said. “We are working with agencies to get a better understanding of what their perimeters look like, what data they already have out in the cloud.”

Some new cloud pilot planning is underway at agencies, both to better understand what data is available and to see who has access to it on a continuous basis.

“We’re about to begin an effort to work with agencies to pull in their mobile asset data from their enterprise mobility management systems. So we’re venturing in on the mobile side,” Cox said.

Part of that operationalization process, and another key driver for CDM since 2019, he said, is making sure the data is good quality from ground sensor to the dashboard. Filling those gaps was a major concern of DHS’ CDM DEFEND task orders. DHS also needed to bring in more agencies which were not originally participating in the CDM program, which means making sure they have asset management capability, awareness of what’s connected to their networks, and identity and access management capability, Cox said.

The program has a shared service platform in the cloud for 34 non-CFO Act agencies in order to deploy such capabilities to them, rather than requiring them to build their own dashboards. But each agency can just see their own data, which is summarized to the federal dashboard, Cox explained.

But he acknowledged this process has not been easy, and that the more flexibility DHS has to meet a particular agency’s data needs the better.

“With larger agencies, when we implemented the DEFEND task orders, that really expanded out the conversation we could have with each agency. We could take a look at the tool sets they had in place and if those tool sets met our requirements, then we could utilize those to get the data that was needed to feed into the dashboard and on up to the federal dashboard,” he said.

For now, the General Services Administration will award a new contract for DEFEND group F, which Cox said will give DHS more flexibility to support the non-CFO Act agencies and expand out beyond basic asset, identity and access management solutions to a much fuller cybersecurity approach.


CDM dashboard has 15 pilot agencies collecting data

BY AMELIA BRUST

A new tool for continuous diagnostics and mitigation across the federal government has several pilots underway. And the Department of Homeland Security is sending participant agencies data to get acclimated.

In May, DHS awarded its new CDM dashboard contract which was intended to bring better scalability, performance, visualization and analytics to agencies. According to Kevin Cox, CDM program manager at DHS, that was to ensure agencies receive the greatest value from their cybersecurity data, in order to better manage their risks.

Now through April, and the rest of the fiscal year, Cox said DHS is working with 15 agencies to be early adopters of the new dashboard. DHS is also implementing Elasticsearch deployments for the dashboard. Elastic is a search company which builds software-as-a-service products for needs such as application search, enterprise search, metrics and business analytics, among others.

“What we’ll do is work with the agenc[ies] themselves, work with their system integrators through the DEFEND task order, and then also work with our dashboard provider to set up the new agency dashboard at each of those agencies,” Cox said. “And that will then enable us to feed the data into the new dashboard, get the agencies comfortable with it. Once all of the data is flowing, once the agency is comfortable with it, then it would go into full operational. And then they could just continue to use the new dashboard going forward.”

DHS is working with 15 agencies to be early adopters of the new dashboard.

He called the move to pilot the dashboard within 15 agencies at once a positive step. DHS will start with the CFO Act agencies because through the DEFEND task order, Cox said, they have broader flexibility and capability to support them. Once the DEFEND group F task order is awarded to non-CFO Act agencies, they will look to deploy the dashboard technology later this year and into next.

“We’ve been really leaning in as much as we can to get it deployed as quickly as possible because we do see the value in it – from not only at the agency level, but also at the federal level in terms of helping better visualize agency environments and risk across the federal landscape,” Cox said.

The dashboard should also be able to provide new capabilities around artificial intelligence and machine learning. That feeds into a bigger 2020 effort known as the Agency-Wide Adaptive Risk Enumeration (AWARE) score. Cox called it an algorithm, developed with the State and Justice Departments, which provides a look at the attack surface of an agency. AWARE uses basic measurements such as vulnerability management and configuration management, weighted by age and criticality.

Adversaries are attacking or exploiting agencies to get into their networks through endpoints that are not well patched.

“So what we’re trying to do is measure how well each agency is doing in terms of managing their vulnerabilities, how they’re managing patching, how they’re managing configuration, and that will give us a sense of what an agency is doing well,” Cox said. “Are they shrinking their attack surface? Or does this agency need some additional help because they’re not getting things patched quickly enough or [are] not properly configured?”

AWARE helps DHS see what agencies are doing well in these areas and may have lessons to share with others.
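The page does not publish AWARE’s formula, so the following is an added, assumed model of the same idea in Python (open vulnerability and configuration findings weighted by criticality and by how long they have been open, then normalised per asset so agencies can be compared), not DHS’s algorithm. The weights, grace windows, evaluation date and the two agencies are constructed values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed weights for illustration only; AWARE's real weights are not on the page.
CRITICALITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
# Assumed remediation windows (days) before an open item starts accruing an age penalty.
GRACE_DAYS = {"vulnerability": 30, "configuration": 60}
# Constructed evaluation date used by the sample data below.
TODAY = date(2020, 3, 31)


@dataclass(frozen=True)
class Finding:
    kind: str          # "vulnerability" (unpatched flaw) or "configuration" (baseline deviation)
    criticality: str   # one of CRITICALITY_WEIGHT's keys
    first_seen: date   # date the endpoint sensor first reported the defect


def finding_score(f: Finding, today: date) -> float:
    """Base weight from criticality, multiplied by how far past its window the item is."""
    age_days = (today - f.first_seen).days
    overdue_days = max(0, age_days - GRACE_DAYS[f.kind])
    age_multiplier = 1.0 + overdue_days / 30.0   # every extra 30 days adds one base weight
    return CRITICALITY_WEIGHT[f.criticality] * age_multiplier


def agency_score(findings, today: date) -> float:
    """Raw attack-surface score: the sum over all open findings."""
    return sum(finding_score(f, today) for f in findings)


def per_asset_score(findings, asset_count: int, today: date) -> float:
    """Normalise by asset count so a large agency is not penalised for its size alone."""
    return agency_score(findings, today) / asset_count


def rank_agencies(agencies: dict, today: date) -> list:
    """Return (agency, per-asset score) pairs, highest score (most in need of help) first."""
    ranked = [(name, per_asset_score(findings, assets, today))
              for name, (findings, assets) in agencies.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def sample_agencies() -> dict:
    """Constructed sample data: two hypothetical agencies, (findings, asset count) each."""
    return {
        "agency-A": ([Finding("vulnerability", "critical", date(2020, 3, 20)),
                      Finding("configuration", "medium", date(2020, 1, 1))], 1000),
        "agency-B": ([Finding("vulnerability", "critical", date(2019, 12, 1)),
                      Finding("vulnerability", "high", date(2020, 2, 15)),
                      Finding("configuration", "low", date(2020, 3, 1))], 200),
    }


if __name__ == "__main__":
    for name, score in rank_agencies(sample_agencies(), TODAY):
        print(f"{name}: {score:.4f} per asset")
```

Agency B ranks first even though it has fewer assets, because a critical vulnerability left open for four months dominates everything else in the sample.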

“We’ve been really leaning in as much as we can to get it deployed as quickly as possible.” Kevin Cox, CDM program manager, Department of Homeland Security


INSIGHT BY MOBILEIRON

Protecting endpoint business devices in a smartphone world

THIS CONTENT IS PROVIDED BY MOBILEIRON

Smartphones are an integral part of how companies and the government do business today, but keeping them protected can be a challenge.

The government hasn’t fully caught up to the rest of the world in the ability to use phones to do important work, but it wants to and, according to MobileIron Federal Chief Technology Officer Bill Harrod, it’s a priority.

“Kevin Cox, the continuous diagnostics and mitigation (CDM) chief at the Department of Homeland Security, said that mobility is one of the new focuses for CDM at DHS,” Harrod said during the discussion Managing Threats Through CDM in Government, sponsored by MobileIron. “Being able to put controls around those modern endpoints, leverage the challenge of how we secure those modern endpoints, and how we report that up to DHS is going to be really critical.”

Right now a lot of agencies are providing mobile devices for work, or allowing employees to use their own devices for work, but fully securing those devices is something the government is wrapping its arms around.


“The mobile endpoint has become one of the favorite targets for hackers and attacks, and it’s not as well secured as a lot of the traditional devices,” Harrod said. “We need a way to validate that the phone or tablet is in compliance with policy, that it hasn’t been jailbroken, that there aren’t malicious apps on the device and that the data is encrypted.”

Threats aren’t relegated to cracking easy passwords anymore. In the mobile world, one of the weakest links for security is the temptation and ease of connecting to networks that are not secure.

The ubiquity of the mobile device and the reliance on always being connected can make users more likely to connect to any hotspot around, Harrod said.

But sometimes even when users are careful, networks can be tricky.

“A colleague of mine was recently in Shanghai on an elevated highway at highway speeds,” Harrod said. “His phone connected to an Apple network. The issue was that there aren’t any Apple stores near where he was, but the Apple network ID is configured on the device by default. As a result, somebody was spoofing that Apple SSID, and his phone connected to that network. That person then had access to his phone.”

Harrod said connectivity such as WiFi and Bluetooth needs to be taken into account when configuring a device.

One answer to these mobile security concerns, however, may be the concept of zero trust.

“Traditionally in security, we relied on a perimeter of security defenses and anything inside the perimeter was trusted,” Harrod said. “What we’ve found is that perimeter around the enterprise has evaporated. What zero trust is about is how we redefine the security perimeter at a granular level. We use things like microsegmentation and effective security at all of the endpoints to redefine that trust model down to the level of transaction or application.”

Harrod said that smaller circle of trust helps the government and companies weed out suspicious and malicious activity and then clamp down on it before it gets out of hand.

“The mobile endpoint has become one of the favorite targets for hackers and attacks.” Bill Harrod, federal chief technology officer, MobileIron

“We use things like microsegmentation and effective security at all of the endpoints to redefine that trust model down to the level of transaction or application.” Bill Harrod, federal chief technology officer, MobileIron


SPECIAL SPONSOR MESSAGE

COVID-19 drives agencies to investigate alternatives to VPNs, raises need for BYOD support

A year ago, even a month ago, only a portion of federal employees and contractors were teleworking. Now, in the midst of the coronavirus pandemic, there is a mandate from the Office of Management and Budget (OMB M:2016) to maximize telework, sustain the mission of the agency, and encourage all employees and contractors who can work from home to do so. This presents a security and an access challenge that agencies must quickly address. MobileIron offers government-grade solutions, which are detailed below and already in place at some agencies.

The big change

The rapid escalation in the number of workers connecting to federal networks has been drastic and occurred almost overnight. Some of those workers were provisioned to telework, at least on an occasional basis or in exigent circumstances. But most federal agencies saw at most 20% of their workforce connecting remotely, even under extended weather-related closures. Now, some agencies are seeing 80% or more of their workforce attempting to connect from home. With the OMB mandate, this will increase and remain high for the foreseeable future. For many users, no provisions have been made to enable them to officially telework. They have neither government furnished equipment (GFE) nor appropriate training on how to connect to, sign on to, and access federal networks, applications, and resources. They are using their own devices, such as smartphones, tablets, and (frequently) older, less well-maintained laptops and desktops with out-of-date operating systems and virus protection, or no virus protection at all.

The tsunami of connections from users’ personal devices to federal networks has resulted in the relaxation of some access and security policies and the circumvention of others. In addition, even if users are accessing a government network via an established virtual private network (VPN), VPNs were not designed with the capacity to accept this volume of traffic, nor were they designed to provide additional security controls for bring-your-own-device (BYOD) and mobile devices in general.

The growth of remote workers and network connections has increased the attack surface, and federal agencies and employees are at risk now more than ever. These unanticipated personal devices may lack appropriate authentication capabilities, and many may not be using multi-factor credentials or approved derived credentials. Identity fraud, phishing attacks designed to capture and compromise authentication credentials (especially user IDs and passwords), malicious code, and advanced persistent threats are all rising. And these threats are increasingly likely to succeed due to the increased volume of remote workers, especially those who are less experienced with security processes and technology. Over the last several days, we have seen attacks against the Department of Health and Human Services in the form of nation-state attacks to spread disinformation and increase fear and uncertainty among the U.S. population. We also anticipate increased levels of denial-of-service (DoS), man-in-the-middle (MITM), and brute force attacks against basic authentication access portals.

The challenge

One of the ways that federal agencies are trying to protect their networks and IT resources is by requiring users to employ an encrypted tunnel, a VPN, to connect to agency networks. While there are several different types of VPNs – including remote-access, site-to-site, Layer 3 Multiprotocol Label Switching (L3MPLS), Dynamic Multipoint VPN (DMVPN), and more – they all share the common objective of encrypting and securing end-to-end communications, and some common limitations. For one, the VPN provides only client-to-server encryption. Therefore, if the VPN server is on the network edge, the VPN does not secure the last mile to the actual resources. Nearly all VPNs can operate in different modes, such as device-wide (normally IKEv2), always-on (typically IKEv2, but could also be SSL VPN), on-demand, or per-app. The per-app mode is only initiated when the configured application is launched, and only that application’s traffic traverses the encrypted tunnel. As a result, the battery drain is less than for an always-on VPN; however, it is very specific about which traffic is protected. Commonly, most VPN gateways can terminate five connections simultaneously, and only the designated app’s traffic can traverse the tunnel to the gateway, preventing the traffic of other, possibly malicious, apps from being forwarded to the enterprise network. For the teleworker use case, the remote-access VPN is the most applicable.

Traditional enterprise network VPNs are expensive, challenging and time-consuming to implement. Terminated at the edge of the enterprise network, they have limited capacity for the number of simultaneous connections permitted and are bound by license keys. These VPNs require significant time and effort by network administrators to configure and implement the appropriate termination points. Federal agencies also implement full-tunnel and normally expressly prohibit split-tunnel, thereby forcing all devices to the VPN termination gateway.

In addition, VPN licenses are expensive and frequently not dynamically extensible to accommodate a dramatic increase in the number of users and hours per day those users will be connected. Many federal agencies continue to rely on these types of traditional enterprise network VPNs. Federal IT modernization efforts have resulted in some agencies adopting a per-app VPN solution, which provides finer-grained control over the origination and termination endpoints of the VPN tunnel, stronger encryption (such as prioritizing TLS 1.2 and 1.3 cipher suites so that they are negotiated first between the client and the VPN server), and additional features. However, it also adds bandwidth constraints, license costs, and complexity to the network administrators’ efforts to provide the required maintenance and upgrades, configure the settings of the VPN gateways, and manage the cryptography and required certificates.

In nearly all cases, these VPNs were not designed for mobile devices or mobile device traffic. Enterprise VPNs do not have the capability to enforce security policies on a mobile device, or to evaluate the compliance of a mobile device with established baseline requirements.

What we offer that’s different and more effective

The MobileIron solution leverages an integrated VPN component called Tunnel, used in conjunction with the native operating system and MobileIron Unified Endpoint Management (UEM), for data security at rest and cybersecurity policy enforcement that can validate the compliant state of the device before initiating the application and allowing access. MobileIron can determine if the device is jailbroken, if the OS is current, if the device is on an authorized (or unauthorized/public) Wi-Fi network, if the application is approved and from a trusted app store, and if the device is currently protected by a mobile threat defense solution that detects and remediates malicious threats and apps. In addition, MobileIron provides stronger multi-factor authentication and contextual awareness of the user, device, and credential, which all become part of the zero sign-on access control.

MobileIron Tunnel allows agencies to enable any business app, including in-house and third-party apps, to access resources on the enterprise network, the intranet, or SaaS-based resources over a secure network connection. App VPNs can be established over any network, including cellular networks, to ensure federal data is always secure. Tunnel also leverages MobileIron’s advanced closed-loop compliance engine to ensure non-compliant devices are not allowed to access sensitive agency data.

In addition, Tunnel significantly improves the user experience by establishing on-demand or always-on app VPN connections, without requiring the user to take any additional steps. The IT administrator can configure these types of VPNs from within the MobileIron UEM and the managed devices are seamlessly updated. Personal and malicious apps are blocked so that only appropriate data flows through Tunnel, which provides greater protection for government data and user privacy.
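As an added illustration of the compliance-before-access model described above (not MobileIron’s code, schema or policy language), this Python evaluates a device’s reported posture against an agency policy before a per-app tunnel is granted, and re-checks devices that already hold a session so that a device which has since drifted out of compliance, for instance by auto-joining a remembered public SSID as in Harrod’s story, is cut off. The posture fields, policy values and three devices are assumed and constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Posture facts reported by a device's management agent (constructed fields)."""
    device_id: str
    platform: str          # "ios" or "android"
    os_version: tuple      # e.g. (13, 4); compared against the policy minimum
    jailbroken: bool       # root/jailbreak detection result
    network: str           # "cellular" or the Wi-Fi SSID the device is joined to
    app_id: str            # identifier of the app requesting the per-app tunnel
    app_source: str        # "managed-store", "public-store" or "sideloaded"
    mtd_active: bool       # mobile threat defense agent running and reporting
    mfa_verified: bool     # user passed multi-factor authentication this session


@dataclass
class AccessPolicy:
    min_os: dict               # platform -> minimum (major, minor) allowed
    authorized_ssids: frozenset
    approved_apps: frozenset   # app ids allowed to use the tunnel
    allow_cellular: bool = True


def evaluate(p: DevicePosture, policy: AccessPolicy):
    """Return (allowed, failed_checks). The tunnel is established only when nothing fails."""
    failed = []
    if p.jailbroken:
        failed.append("device-jailbroken")
    if p.os_version < policy.min_os.get(p.platform, (999, 0)):  # unknown platform never passes
        failed.append("os-out-of-date")
    trusted_net = (p.network == "cellular" and policy.allow_cellular) \
        or p.network in policy.authorized_ssids
    if not trusted_net:
        failed.append("untrusted-network")
    if p.app_id not in policy.approved_apps or p.app_source != "managed-store":
        failed.append("app-not-approved")
    if not p.mtd_active:
        failed.append("no-threat-defense")
    if not p.mfa_verified:
        failed.append("mfa-missing")
    return (not failed, failed)


def reconcile(active_sessions, latest_postures, policy):
    """Closed loop: re-check every device holding a session; return the ids to tear down."""
    return {dev for dev in active_sessions
            if dev not in latest_postures or not evaluate(latest_postures[dev], policy)[0]}


def sample_policy() -> AccessPolicy:
    # Constructed policy values for the demo.
    return AccessPolicy(min_os={"ios": (13, 4), "android": (10, 0)},
                        authorized_ssids=frozenset({"AGENCY-CORP"}),
                        approved_apps=frozenset({"gov.example.fieldapp"}))


def sample_devices() -> dict:
    # Constructed postures: a compliant device, one that auto-joined a remembered public
    # SSID (spoofable, as in the story above), and one rooted device with a sideloaded app.
    base = dict(platform="ios", os_version=(13, 5), jailbroken=False, network="cellular",
                app_id="gov.example.fieldapp", app_source="managed-store",
                mtd_active=True, mfa_verified=True)
    return {
        "dev-1": DevicePosture(device_id="dev-1", **base),
        "dev-2": DevicePosture(**{**base, "device_id": "dev-2", "network": "Apple Store"}),
        "dev-3": DevicePosture(**{**base, "device_id": "dev-3", "platform": "android",
                                  "os_version": (9, 0), "jailbroken": True,
                                  "app_source": "sideloaded", "mtd_active": False}),
    }


if __name__ == "__main__":
    policy = sample_policy()
    for dev, posture in sample_devices().items():
        print(dev, evaluate(posture, policy))
    # dev-2 was granted a session on cellular; its latest posture shows the spoofable SSID.
    print("revoke:", reconcile({"dev-1", "dev-2"}, sample_devices(), policy))
```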

In October 2019, Branko Bokan of the Cybersecurity and Infrastructure Security Agency (CISA), a component of DHS, stated, “To provide maximum coverage against mobile threat actions, organizations must deploy Enterprise Mobility Management (EMM), Mobile Threat Defense (MTD), and Mobile App Vetting (MAV) capabilities together as an integrated solution, and not as a series of standalone products.”

MobileIron is an integrated, full function solution providing an innovative cybersecurity platform for iOS, Android, MacOS, and Win10 based devices, combining EMM, MTD, and MAV capabilities into a single mobile-centric, zero-trust security solution. This approach provides agencies with complete control over government data as it flows across devices, apps, networks, and cloud services.

With COVID-19 containment in effect, the need for this deployment of capabilities has rapidly accelerated.