MeriTalk recently connected with George Young, Vice President of U.S. Public Sector at Elastic, for insight into how the Department of Homeland Security’s CDM (Continuous Diagnostics and Mitigation) Program might soon evolve. With improved data feeds at the major agencies, and a new Federal dashboard and emerging capabilities on the way, we discussed how the groundwork has been laid to meet the threat at the point of attack, rather than simply responding to it.
MeriTalk: The CDM program is going on seven years now; are we seeing tangible impacts at most agencies? Do you get the sense that momentum is building?
GY: I think the program has moved more slowly than people anticipated, but it has provided some valuable tools to agencies, like the ability to identify assets on networks. It has brought value in the basic blocking and tackling categories, meaning foundational cybersecurity tactics are now considered best practices. I do believe that people are ready for more advanced capabilities like using BRO/Zeek logs, DNS traffic, and other proactive measures that can support threat hunting. Across all industries, reactive security methods aren’t enough to keep pace with advancing threats, which makes some of these core proactive features so critical for the dashboard’s structure.
MeriTalk: DHS awarded the new dashboard contract just a few weeks ago. What do you think this will do for government-wide visibility into cyber threats?
GY: To address the dynamic nature of the environment, threats must be addressed both proactively and interactively as they develop and evolve, and the dashboard is key to enabling this kind of visibility and collaboration. The dashboard gives leaders at each level of the agency real-time access to all network activity. Everything that happens in the program has to roll up into the various levels of dashboards (sub-agency, agency, DHS) and gaining that visibility helps agencies analyze information quickly and at scale.
MeriTalk: One of the main things CDM leadership has keyed in on recently is moving CDM from a compliance focus to a proactive, “threat-based” approach to risk management. What does that mean to you?
GY: The change from “compliance” and scorecards to “threat-based” is happening across industry as well. Security leaders care less about checking boxes and more about the overall strategy for reducing risk, including how to keep their organizations out of the news as victims of the latest hack. This shift to proactive risk management requires users to gather massive amounts of real-time data to understand the current operational picture. Many agencies are still far behind in developing those massive-scale, near-real-time analytics for mitigating and protecting against sophisticated threats.
MeriTalk: How do we get there?
GY: You begin by aggregating all your datasets into a scalable, flexible analytics platform, one that can handle petabytes of structured and unstructured data and process it quickly. Most federal agencies are dropping massive amounts of data on the floor, either due to the inability to afford the right solution or the inability to turn volumes of near-real-time data into actionable insights. The indicators of compromise are there, but many SOCs are not seeing the data at all. Certain anomalies are like a needle in a haystack, and without access to all data and threat intelligence, security operators don’t stand a chance of finding them. We had one large government organization that was not looking at their endpoint data due to the cost of their existing solution. They implemented a pilot with Elastic, and within 24 hours they discovered indicators of data exfiltration ongoing in their network. This is a common experience across the government, and it keeps CISOs up at night knowing that they are not really seeing all the data.
MeriTalk: Can you talk about the volume of threat data that agencies are amassing as the CDM program goes forward? What are the challenges in extracting the right insights from all this sensor data, as it pertains to threat detection?
GY: There are a few challenges that agencies face. The first one is economic. The current tools are licensed in such a way that it is extremely costly to look at high-volume data sets like Netflow, DNS, endpoint data, and Zeek/BRO logs. The new age of threat detection requires agencies to access and analyze these various information sources, so it is critical to build new financial models. Open source software is leading the way by providing agencies with free tools that were previously unavailable.
Secondly, the current set of security tools is built on “known knowns,” meaning I can only get you a fast answer if I know in advance the questions I need to ask. This worked well in an environment where hackers acted like we thought they would (for instance, they were sending traffic to the wrong firewall ports). This is no longer the case with well-financed and sophisticated nation-state actors. No one knows what vector the next threat will come from, but what we do know is that the indicator of that threat is somewhere in the massive amount of data we need to collect, store, and process. This is why agencies are turning to search platforms to help them with threat hunting. Modern search tools are built for massive-scale exploration of data which is indexed for unanticipated questions. Google does not search the internet when you ask it a question. It has already indexed that data and can give you the best results because of that. This type of search technology is central to addressing the very dynamic threat environment today.
Finally, machine learning and anomaly detection are going to be part of the solution. Search technologies along with machine learning are a powerful combination capable of storing, indexing, and analyzing the volumes of data necessary to address today’s threats. Automation and monitoring free up security operators to dive into threat intelligence, conduct high-level analysis, and create viable threat hunting strategies.
MeriTalk: Any tips for agencies that need to remain nimble and proactive, even as the attack vectors change over time?
GY: No one knows what bad actors will do next, and there isn’t time to optimize your entire infrastructure and security tactics in advance. Threat hunting is the dynamic solution to advancing your cyber posture and assuring you are one step ahead of attackers. It is not a replacement for ongoing cybersecurity efforts; rather, it complements enterprise network defense activities by advancing threat detection capabilities for agencies of any size. Threat hunting is the answer, modern search is the tactic, and open source is the enabler.