Now seven years from the launch of the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program, aimed at engineering lasting improvement in Federal agency network security, the move from legacy to cloud-based infrastructure is accelerating rapidly toward the next world of managed services.
We sat down with Kevin Jones, Senior Director of Federal at security provider CrowdStrike, to discuss the CDM program, what the move from legacy to cloud means for Federal agencies implementing the program, and what the new world might look like as agencies continue to evolve their infrastructure.
MeriTalk: How is CrowdStrike positioned on the leading edge of cybersecurity to aid the CDM program and Federal agencies?
Kevin: To date, there has been a tremendous focus on the on-prem model, but there are big changes coming at the dashboard level and integration layer. At the same time, many agencies are looking to take a more platform based approach to cybersecurity. They’re asking important questions like, “How much data can we extract from a single platform?” and “Can this one solution accomplish what these five legacy tools do today?” Similarly, the CDM PMO is encouraging agencies to leverage different functions such as threat hunting and remediation through the dashboard. The CrowdStrike platform exemplifies these characteristics in a single, streamlined console that provides real solutions across a broad spectrum of functions in the cyber lifecycle.
The key here is to allow agencies to draw out of CrowdStrike what they need for the legacy dashboard without disrupting their eventual migration to the new dashboard beginning next year. CrowdStrike provides multiple levels of actionable security information across both old and new dashboards in a cloud-centric manner.
MeriTalk: From an industry standpoint, how much progress are Federal agencies making with CDM?
Kevin: Candidly, I think it’s a challenge for some and an opportunity for others. For example, some agencies are still struggling to lay their hands on CDM dollars either because they are grappling with the RFS process or there are internal decision points that make it challenging to leverage CDM. It can get rather political in some departments/agencies. In other situations, agencies have strong alignment between procurement efforts and the desire to invest in and acquire new technology. We’ve also seen several agencies review their Phase I decisions in conjunction with Phases 3 and 4 because there are now solutions on the Approved Product List which can address all three requirements with a single agent. If a cyber solution offered in a current phase of the program can help eliminate a legacy product, or products, and can be deployed at scale in a matter of hours or days, this may compel many to reconsider their phase one investments as well.
MeriTalk: What are the biggest challenges to a successful CDM implementation?
Kevin: I think part of it is agency readiness and part of it is CDM adoption. Agencies are ready to consume an integrated platform that is non-invasive, has no major infrastructure requirements, and can be up and running in days or weeks, versus months or years. At the same time, the CDM architecture is still somewhat segmented from other initiatives within agencies. So, there is an inherent conflict and a fair amount of duplicative spending and overlapping technology. It would be great to see a stronger alignment between these requirements. For example, modernization initiatives and cloud deployment efforts run in parallel to – and sometimes even in conflict with – CDM. One specific challenge many are having to contend with is how to adopt cloud-native initiatives while also factoring in their CDM strategy. CDM principles and most CDM tools are legacy, and often antiquated, which is not consistent with the future direction of IT infrastructure and security operations strategy.
MeriTalk: Where would you like to see DHS focus CDM improvement efforts over the next three years?
Kevin: Focus on driving cost and complexity out of the environment. Ask very basic questions about the agency’s mission and what they are trying to protect. Put a premium on securing high-value data and assets. Look for efficiencies wherever and whenever possible. Assess whether or not tools can be leveraged that are capable of meeting multiple requirements in multiple functional areas. (e.g., HWAM vs SWAM, etc.). You want CDM to bring value far beyond the baseline of visibility. CDM should help transform your organization and help enhance your organization’s ability to meet the demands of the mission. If there is any question as to whether or not CDM is helping to achieve that goal, then it is likely time to reevaluate your approach.
MeriTalk: What lesson learned from private sector cybersecurity would you share with DHS to improve CDM?
Kevin: Reducing agent bloat is a big driver across our private sector customer base. CrowdStrike supports cross-functional cyber operations along multiple disciplines including SOC, GRC, Ops, Threat Hunting, and IR teams. We believe this extensible methodology can help transform agency modernization initiatives while ensuring long-term value. Similarly, scale and speed of deployment have often been raised as concerns when adopting a new technology. Many of our global customers have deployed hundreds of thousands of endpoint sensors in a matter of days. One of our largest customers was able to deploy 70,000 endpoints per hour, and private sector architectures are often just as complex and heterogeneous as they are in the public sector. Finally, we encourage all of our customers to start with our baseline rule of 1-10-60: 1 minute to detect an intrusion, 10 minutes to investigate it and 60 minutes to remediate. Even if those numbers represent days or weeks for some agencies, at least we are measuring success against objective criteria with the goal of improving over time.
