WhiteHouse / cyber-acquisitions

https://policy.cio.gov

(CDM) Continuous Diagnostics and Mitigation fail to indicate a compromise within your network. #10

Open riavarone opened 9 years ago

riavarone commented 9 years ago

(CDM) Continuous Diagnostics and Mitigation fail to indicate a compromise within your network.

A. The US-CERT program Web page lists the core tools used for CDM as the following:

  1. Intro to Hardware Asset Management (HWAM)
  2. Intro to Software Asset Management (SWAM)
  3. Intro to Vulnerability Management (VUL)
  4. Intro to Configuration Settings Management (CSM)

B. While patching and accounting for what systems are within a network, it should not stop there.

C. CDM manages network infrastructure.

D. It does not detect and respond to intruders.

E. Using detonation chambers and event management would respond to intruders in real time (NIST 800-53 Security Control 44, detonation chambers).

Security controls and network inventory element awareness are a baseline critical for proper network security hygiene. One such defense is through behavioral detection techniques and the use of what is referred to in NIST Special Publication 800.53 Revision 4, Security Control 44. This control recommends organizations use an approach called detonation chambers to counter advanced threat actors. As stated in this control, “Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator (URL) requests in the safety of an isolated environment or virtualized sandbox. These protected and isolated execution environments provide a means of determining whether the associated attachments/applications contain malicious code. Control is intended to quickly identify malicious code and reduce the likelihood that the code is propagated to user environments of operation.” (http://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-44)

Utilizing detonation chambers on live network traffic flows would complete the network hygiene continuum. Inclusion of detonation chamber technologies within the CDM ecosystem would allow for the identification and distribution of new vulnerabilities in real time and benefit all other core tools within CDM (HWAM, SWAM, VUL and CSM).

jwiedman-f61 commented 9 years ago

A clarification: NIST SP 800-53 breaks down controls by family. SC, in this case, is the "System and Communication Protection" family, rather than "Security Control". The control you reference is more commonly referred to as just SC-44.

Within each control description of 800-53, there is a table indicating whether that control is allocated for low, moderate, and high systems. Detonation Chambers (SC-44) is not included in any of the baselines. It may be a worthwhile control to consider, but unless NIST decides to include it in one or more data categorization baselines, OMB should not mandate it separately.

Ultimately, section 1 of the guidance as drafted incorporates 800-53 or 800-171 controls for all contractor systems with CUI. We all have our favorite controls that we think are more important than the others, but I think the decision on which controls are required should be left to NIST and the agencies making risk based decisions. This draft policy is at the right level.

OrlieYaniv commented 9 years ago

Unfortunately, the tactics and techniques employed by cyber criminals have evolved more rapidly than the baseline controls for low, medium and high assurance systems identified in Rev 4 of NIST 800.53. Accordingly, OMB should encourage organizations to adopt those security controls that will enable organizations to (1) quickly identify when they have been breached, even by a zero-day exploit; and (2) rapidly respond to and contain those breaches in order to avoid as many adverse consequences as possible. As many effective controls that manage risk stemming from a breach are not currently part of the 800.53 moderate baseline, and the next iteration of that document is not on the near-term horizon, OMB should follow the model identified in the NIST Cybersecurity Framework ("Framework"), which encourages organizations to select those security controls best tailored to their unique threat environments. In addition, OMB should encourage organizations to adopt controls that approach security from a variety of perspectives, to include signature- and non-signature-based solutions. Of note, SC 44 is identified as an informative reference in the Framework.

steowens commented 3 years ago

So forgive me for coming into this late. But my understanding of the Zero Trust architecture is that CDM is used in conjunction with other tools to establish network security. CDM is effective for identifying and remediating configuration management issues which could open up security holes. Looking over most of the data breaches this year, the overwhelming number of them were caused by insecure configuration of otherwise secure systems. CDM will help reduce the number of configuration mistakes that inevitably get made. Before spending a ton of money trying to defend against Mr. Robot, perhaps start by defending against script kiddies; there is only one Mr. Robot, but there are a whole lot of script kiddies.