MeriTalk recently connected with Ryan Gillis, vice president of cybersecurity strategy and global policy for Palo Alto Networks, to discuss continuous diagnostics and mitigation (CDM) implementation and how Palo Alto Networks can drive agencies to a more secure environment.
MeriTalk: What is your high-level assessment of where agencies stand in terms of CDM implementation, and specifically what are your thoughts about the prospect of dashboards being in place by the end of 2017?
Ryan Gillis: It’s hard to make a generalization across government but there are common issues as agencies implement CDM. As a baseline, CDM and EINSTEIN are the two programs through which the Department of Homeland Security provides certain complementary technologies and capabilities to each civilian agency. Additionally, each agency has the responsibility to secure their own networks, and deploys technology, people, and processes to accomplish those goals.
Agencies are trying to drive as much harmonization as possible between what they’re getting through CDM, what they’re deploying themselves, and how that all functions together. One particular goal is to go through CDM to drive cost savings. Aligning what agencies are buying through CDM and what they are buying separately is a common issue that arises as agencies move through the CDM process.
When it comes to implementation–agencies are not just sticking with one static solution–CDM has done a good job of periodically evaluating and incorporating new technologies. This is to the benefit of the agencies as they’re trying to acquire new technologies to help secure their networks. In terms of the dashboard, I think it will remain a focus; however, it remains to be seen as to whether or not they accomplish this goal. There is a lot that we’ve seen over the last 10 years in regard to CDM and EINSTEIN deployments–but there is a new set of circumstances and challenges with the turnover in personnel and ushering in of a new administration that impact the complex deadline of deploying the dashboards by 2017.
MeriTalk: The CDM program has three phases. Where have organizations faced the greatest challenges in phases 1 and 2? What are the hurdles ahead for phase 3?
RG: The first challenge in the stand-up of the CDM program relates to how we bring in the technologies to meet the initial levels of requirements for phase 1, 2, and 3. Specifically, the identification of the suites of tools that would be utilized by the program and getting agencies to purchase was the most important challenge when getting the program off the ground.
The hurdles ahead relate to: How does CDM align with what agencies have in their networks for harmonization? How does the program manage technology refreshes as the tools that accomplish the requirements for CDM continue to evolve in the private sector? And how do the CDM requirements and capabilities evolve in phase 4 and beyond?
MeriTalk: What strategies should agencies adopt for each phase to minimize the pain and accelerate implementation?
RG: The lessons learned from the OPM breach and last administration’s Cyber Sprint are now being applied through the Trump administration’s cybersecurity executive order. For example, under the new executive order, each department and agency head is being held personally responsible for their own agency’s security, and agencies are now also mandated to implement the NIST framework based on risk management. As agencies look to CDM implementation, they should focus on areas of risk that matter most. What is the highest-value asset on your network, and how do you apply people, processes and technology toward securing that?
MeriTalk: How does Palo Alto Networks Next-Generation Security Platform help to ease these challenges at each phase and accelerate time to value?
RG: We can break this into two categories–there are some requirements that we help agencies fulfill directly with our solutions and others where we strategically partner to complement our core competencies. To address challenges in phases 1 and 2, our solutions deliver visibility down to the application and user level, and we partner with companies like ForeScout and Tanium to enable agencies to fulfill the spectrum of required capabilities. In phase 3, we empower users to address the network boundary protection requirements. Finally, we have strong partners, such as VMware, that enable us to collaboratively address the phase 4 focus on network segmentation and software-defined networking, so that our security capabilities can be applied in a better managed environment.
MeriTalk: The original CDM blanket purchase agreement is set to expire next summer. How can agencies accelerate their implementations and avoid pitfalls to ensure that they have contracted all phases in time for the deadline?
RG: Just recently, we have seen a move toward GSA’s increased use of special item numbers (SINs). SINs make it easier for the products that are held on CDM (tools that agencies would want to buy and deploy) to be acquired and leveraged. This reduced the administrative burden and accelerated the process to acquisition and deployment. This is an acquisition and procurement move that will hopefully result in getting CDM tools into the hands of operators faster.
MeriTalk: How might the president’s cybersecurity executive order issued last month impact the future of CDM or the likeliness of its extension?
RG: I see the executive order as a continuity of policy. As discussed earlier, this EO is a reflection of the fact that cybersecurity policies have developed in a linear manner and in a nonpartisan way. It reinforces the responsibilities of agencies to secure their own networks by moving toward implementation of the NIST framework. CDM should help with that risk-based approach to securing their networks and high-value assets.
MeriTalk: How can CDM be better integrated with mobile and cloud environments? How can Palo Alto Networks solutions help to address this growing requirement?
RG: The core initial requirements within CDM are to know who and what is on your network and then protect your network boundaries. These philosophies should be applied regardless of how your network is configured–whether your data is stored in a data center or the cloud. We must tailor security solutions to this evolving environment. Agencies are going to need the same types of security to protect high-value assets regardless of where their data resides. Palo Alto Networks understands and is focused on this mission. We are also focused on prevention and stopping successful cyberattacks, an approach that is a core part of our security offerings. Our Next-Generation Security Platform employs a prevention-based approach that automatically stops threats across the attack life cycle–whether these threats are at the endpoint or in the cloud.
MeriTalk: What considerations should agencies weigh carefully when looking at solutions and partners for their CDM journey?
RG: One of the problems in the security industry is focusing narrowly on a solution that addresses a particular requirement or new attack vector and not viewing how that solution integrates into broader requirements. Customers, from the beginning, should ask their vendors, how does this solution solve the distinct problem I’m looking to address, and, as important, how does it complement my other solutions to deliver a more secure environment?
MeriTalk: One of the biggest challenges that agencies report about CDM is that there is not a “one-size-fits-all” approach. What have you seen in the agencies that you work with, and how is Palo Alto Networks uniquely prepared to work with agencies to deliver the right solution?
RG: There are some aspects of commonality, whether the focus is on CDM or corporate customers. A company like Palo Alto Networks needs to be flexible to meet the unique demands of customer sets–whether it be security in the data center, public cloud, private cloud, hybrid cloud, endpoints, or the network layer. Having a platform that works together is how we meet those goals and identify the best partners to bring in core competencies, including VMware, AWS, Verizon, and Proofpoint. These capabilities are instrumental to delivering the right solution for our customers.