In November 2018, Congress passed the bill that created the Cybersecurity and Infrastructure Security Agency (CISA). CISA, part of the Department of Homeland Security, offered a federal response to the growing threat of cyber attacks, a threat thrust into the spotlight by the Office of Personnel Management's (OPM) massive 2015 breach, which compromised the personal data of roughly 22 million current and former federal employees, contractors and background-investigation applicants.
A key component of improved federal cybersecurity is visibility, which is being addressed through CISA’s Continuous Diagnostics and Mitigation (CDM) Program. Last year, Congress upped CDM funding by $53.5 million, setting aside a total of $213.5 million for the program.
The program's objectives include reducing agencies' attack surface, increasing visibility into their cyber postures, improving their response capabilities, and streamlining reporting. As these funds are turned into technology purchases, agencies should recognize that no single vendor can solve the entire CDM puzzle.
With that in mind, let’s zoom into a few technologies that can help make visibility a reality and consider how they relate to one another.
SSL Visibility
To start with something seemingly obvious, federal agencies need visibility into the traffic entering and leaving their networks so they can tell whether it is malicious. Many security devices can inspect traffic and detect threats, but they cannot inspect the payload of a session that is encrypted, and roughly 90 percent of Internet traffic now is.
This is a bit of a catch-22. Encryption protects data privacy, but it also hides malware and command-and-control traffic from the tools meant to catch them. The conundrum is addressed by SSL visibility products (today the protocol is TLS, but the product category kept the older name), which terminate the encrypted session, steer the cleartext through the security tools, and re-encrypt it on the way out. A policy decides which flows are decrypted and which tools see them, based on context such as IP reputation, port/protocol, and URL categorization; the same policy is where regulated categories such as health or finance are typically bypassed so they stay encrypted end to end.
SSL visibility tools let security devices do what they do best, analyze the traffic, instead of spending their own cycles on the expensive decrypt/re-encrypt work, and they perform that work once for the whole chain of tools rather than once per tool. Full visibility into cyber threats cannot be achieved without this step.
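The per-flow decision described above can be modeled as an ordered policy evaluated against the metadata that is visible before decryption (destination address and port, the SNI hostname, and reputation and category lookups on it). The following is an added example of such a policy engine; it is illustrative code written for this page, not F5 product configuration, and every rule, hostname, address and feed value in it is constructed. It also shows two caveats a practitioner wants encoded: regulated categories are bypassed rather than decrypted, and endpoints that use certificate pinning or mutual TLS are bypassed because interception breaks them.

```python
"""Policy-driven TLS interception decisions (added example, not product code).

Models the decision an SSL/TLS visibility device makes per flow: decrypt and
steer cleartext through a chain of inspection tools, bypass (pass the
encrypted flow through untouched), or block. Rule inputs are the context the
article names: IP reputation, port/protocol, and URL category (derived from
the SNI hostname). All rules, hostnames, addresses and feed values are
constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    client_ip: str
    server_ip: str
    port: int
    sni: str            # TLS ClientHello server name, visible before decryption
    category: str       # URL-category lookup on the SNI (constructed feed)
    ip_reputation: str  # "good" | "bad" | "unknown" (constructed feed)


@dataclass
class Rule:
    name: str
    action: str                 # "decrypt" | "bypass" | "block"
    chain: tuple = ()           # inspection tools that see the cleartext
    ports: tuple = ()           # match any listed port; empty = any
    server_nets: tuple = ()     # destination CIDRs; empty = any
    sni_globs: tuple = ()       # fnmatch patterns on the SNI; empty = any
    categories: tuple = ()      # empty = any
    reputations: tuple = ()     # empty = any

    def matches(self, f: Flow) -> bool:
        if self.ports and f.port not in self.ports:
            return False
        if self.server_nets and not any(
            ip_address(f.server_ip) in ip_network(n) for n in self.server_nets
        ):
            return False
        if self.sni_globs and not any(fnmatch(f.sni.lower(), g) for g in self.sni_globs):
            return False
        if self.categories and f.category not in self.categories:
            return False
        if self.reputations and f.ip_reputation not in self.reputations:
            return False
        return True


# Ordered policy: first match wins, and the last rule is the catch-all.
POLICY = [
    # Known-bad destinations are not worth decrypting; drop the flow outright.
    Rule("drop-bad-reputation", "block", reputations=("bad",)),
    # Privacy carve-outs: regulated categories stay encrypted end to end.
    Rule("bypass-regulated", "bypass", categories=("health", "finance")),
    # Pinned clients break on interception; bypass them by SNI.
    Rule("bypass-pinned-updaters", "bypass", sni_globs=("*.update.example", "mdm.example")),
    # Internal PKI endpoints use mutual TLS; a decrypting proxy cannot present
    # the client's certificate, so these are bypassed by destination network.
    Rule("bypass-internal-mtls", "bypass", server_nets=("10.250.0.0/16",), ports=(443,)),
    # Non-web TLS (IMAPS, SMTPS) goes only to the IDS, not the web-specific tools.
    Rule("decrypt-mail", "decrypt", chain=("ids",), ports=(465, 993)),
    # Everything else on web ports gets the full chain.
    Rule("decrypt-web", "decrypt", chain=("ids", "waf", "dlp"), ports=(443, 8443)),
    Rule("bypass-default", "bypass"),
]


def decide(flow: Flow, policy=POLICY) -> dict:
    """Return the first matching rule's name, action and service chain for a flow."""
    for rule in policy:
        if rule.matches(flow):
            return {"rule": rule.name, "action": rule.action, "chain": list(rule.chain)}
    raise RuntimeError("policy has no catch-all rule")


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("10.1.1.5", "203.0.113.10", 443, "www.example", "news", "good"),
        Flow("10.1.1.5", "203.0.113.20", 443, "portal.bank.example", "finance", "good"),
        Flow("10.1.1.6", "198.51.100.7", 443, "cdn.evil.example", "unknown", "bad"),
        Flow("10.1.1.7", "203.0.113.30", 993, "imap.example", "email", "unknown"),
        Flow("10.1.1.8", "203.0.113.40", 443, "agent.update.example", "software", "good"),
        Flow("10.1.1.9", "10.250.3.4", 443, "pki.corp.example", "internal", "good"),
    ]
    for f in samples:
        print(f"{f.sni:24} -> {decide(f)}")
```

Rule order is the whole design: the block and bypass rules sit above the decrypt rules so that a regulated or pinned destination is never decrypted by accident, and the catch-all at the bottom makes the policy's default explicit rather than a side effect of whichever rule happens to be last.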
Improving Monitoring
If agencies cannot open up traffic that’s coming and going on their network, they cannot log it correctly—and logging and reporting are key components of CDM requirements. Only by properly decrypting traffic can agencies then send it to a central location to be logged, monitored, reported, and further analyzed.
For instance, once traffic is decrypted and logged, agencies can apply behavioral analytics, artificial intelligence, and machine learning to it. Currently, 88 percent of federal civilian agencies use Einstein, DHS's network intrusion detection and prevention program, for traffic analysis of this kind.
But once again, these puzzle pieces all must fit together. Advanced analytics cannot happen without the aforementioned decryption.
Protecting Assets
SSL visibility cracks open encrypted streams so that security devices can log the traffic and protect the applications and data behind it. But there are many ways to approach protection. To start, agencies need to protect themselves from the OWASP Top 10 classes of web application vulnerability and from emerging zero-day attacks. Logging and monitoring traffic so that it can be analyzed is another mitigation strategy in its own right, which again highlights how interconnected these components of cybersecurity are.
Similarly, many multi-service application protection platforms can and must also protect against malicious bot traffic. Every industry faces automated attacks such as account takeover, vulnerability reconnaissance, and denial of service, and the federal government is no exception.
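The point of the two preceding sections is that decrypted, centrally logged traffic is what makes behavioral analysis possible; the bot attacks named above are exactly the kind of pattern it can surface. The following added example, written for this page and not taken from the article or from any product, parses a constructed request log (the kind a decrypting device can emit, including the login username from the form body) and runs three simple behavioral detections over it: one client trying many distinct accounts (account takeover by credential stuffing), one client probing many non-existent paths (vulnerability reconnaissance), and request bursts. The log format, thresholds, addresses and sample lines are all constructed.

```python
"""Behavioral detections over decrypted HTTP request logs (added example).

Once TLS is decrypted and the cleartext is logged centrally, request-level
fields (path, status, form fields) are available for analysis. This script
parses a constructed log format and flags three automated-attack patterns:
credential stuffing, vulnerability reconnaissance, and request bursts.
The format, thresholds and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed format: ISO time, client IP, method, path, status, login user (or -), UA
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'user=(?P<user>\S+) ua="(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
2024-01-10T10:00:01Z 10.1.1.5 GET /home 200 user=- ua="Mozilla/5.0"
2024-01-10T10:00:03Z 10.1.1.5 GET /reports 200 user=- ua="Mozilla/5.0"
2024-01-10T10:00:04Z 10.1.1.9 GET /home 200 user=- ua="Mozilla/5.0"
2024-01-10T10:00:10Z 198.51.100.7 POST /login 401 user=alice ua="python-requests/2.31"
2024-01-10T10:00:11Z 198.51.100.7 POST /login 401 user=bob ua="python-requests/2.31"
2024-01-10T10:00:11Z 198.51.100.7 POST /login 401 user=carol ua="python-requests/2.31"
2024-01-10T10:00:12Z 198.51.100.7 POST /login 401 user=dave ua="python-requests/2.31"
2024-01-10T10:00:12Z 198.51.100.7 POST /login 200 user=erin ua="python-requests/2.31"
2024-01-10T10:00:20Z 203.0.113.9 GET /.env 404 user=- ua="Mozilla/5.0 zgrab"
2024-01-10T10:00:20Z 203.0.113.9 GET /wp-login.php 404 user=- ua="Mozilla/5.0 zgrab"
2024-01-10T10:00:21Z 203.0.113.9 GET /phpmyadmin/ 404 user=- ua="Mozilla/5.0 zgrab"
2024-01-10T10:00:21Z 203.0.113.9 GET /.git/config 404 user=- ua="Mozilla/5.0 zgrab"
2024-01-10T10:00:22Z 203.0.113.9 GET /admin 404 user=- ua="Mozilla/5.0 zgrab"
2024-01-10T10:00:30Z 10.1.1.5 POST /login 401 user=alice ua="Mozilla/5.0"
2024-01-10T10:00:31Z 10.1.1.5 POST /login 200 user=alice ua="Mozilla/5.0"
"""


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def credential_stuffing(events, min_users=4):
    """One client submitting many distinct usernames to /login. A legitimate
    user who mistypes a password retries the same account, so the signal is
    the number of distinct accounts per source, not the number of failures."""
    users = defaultdict(set)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["user"] != "-":
            users[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


def vuln_recon(events, min_404_paths=4):
    """One client requesting many distinct non-existent paths (scanner behaviour)."""
    paths = defaultdict(set)
    for e in events:
        if e["status"] == 404:
            paths[e["ip"]].add(e["path"])
    return {ip: sorted(p) for ip, p in paths.items() if len(p) >= min_404_paths}


def bursts(events, window_s=5, min_requests=5):
    """Clients issuing min_requests or more within any window_s-second span;
    returns the largest such burst per client (sliding window over sorted times)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            n = end - start + 1
            if n >= min_requests:
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("credential stuffing:", credential_stuffing(evs))
    print("vulnerability recon:", vuln_recon(evs))
    print("bursts:", bursts(evs))
```

Note that the username, the request path and the response status are only available because the session was decrypted before logging; a flow record from the same encrypted session would show one TLS connection and nothing that distinguishes a stuffing tool from a user who forgot a password.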
Putting It All Together
CISA’s CDM program offers a complex but important puzzle that agencies cannot solve through a single vendor. Asset protection itself requires multiple solutions, as agencies are defending against a growing list of attacks. But that protection cannot happen without checking other boxes, such as decrypting and logging traffic.
At the end of the day, agencies cannot protect what they cannot see. That is the driving force behind the CDM program, but agencies must still put the right tools in place to achieve that visibility. Cracking open encrypted traffic, sending it to a central log, running behavioral analytics, and setting up proper asset protection is a good starting point.
By Ryan Johnson, Federal Solution Engineering Leader, F5