Interesting interview with the Department of Homeland Security’s (DHS) John Streufert over on GovInfosecurity.com. This story comes as the contract vehicle associated with his Continuous Diagnostic and Mitigation (CDM) program was awarded to several of the standard heavyweights around the beltway. Although the program started with 15 lofty goals, the initial batch of initiatives focuses on basic compliance, covering items like #1 hardware and #2 software asset management, #3 configuration setting management, and #4 vulnerability management for federal, state, and local government agencies.
I see where they are going in terms of creating an “infrastructure” on top of which some of the more complex goals can be achieved, but the entire approach appears backwards, again focusing too much on control monitoring rather than threat monitoring. It’s still a challenge, but most organizations have gotten pretty good at doing the basics right, including successfully baselining system configurations and managing vulnerabilities. Hardware and software asset management usually come as a natural output of those existing solutions. It’s the hard stuff we are still lacking, and that includes monitoring networks with what we already have in order to detect and respond to threats (way down at #12 in the CDM list as “Respond to Incidents and Contingencies”). Bringing everyone up to the same low water line just delays what is our best defense at this time.
If organizations could instead be detecting and responding to threats before they get in (or fairly soon thereafter), then implementing this program as-is just wastes three to five years: us implementing standard compliance practices, attackers successfully penetrating our systems, and us being oblivious to the intrusions. Yeah, compliance is needed, but the biggest immediate impact we need to focus on is threat monitoring … not “diagnostics” monitoring.
Today’s post pic is from GovWin.com. See ya!