For the past three years, 躂圖AV has been working with the Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) program to build, deploy, and operationalize a whole new CDM dashboard ecosystem. Our goal has been realizing actionable operational visibility for federal agencies ��� an unprecedented level of visibility and access to cyber data, at scale. The CDM Dashboard ecosystem improves how incident responders find and remediate threats and vulnerabilities, enabling agencies to better protect their assets.

To achieve this, we���ve partnered with Elastic, whose suite of open-source products enables real-time search, analysis, and visualization of data regardless of format. And while the original CDM mission to help federal agencies protect their networks remains strong, the CDM dashboards, built on Elastic, are enabling a game-changing level of visibility and insight. After exploring how, we���ll look at a scenario illustrating how operational visibility in the federal government could greatly improve our nation���s cybersecurity.

First, we must recognize the impact of the 2021 Executive Order on cybersecurity, which did three critical things:

• Removed many of the government���s barriers for interagency data sharing.
• Directed the improved collection and analysis of additional cyber-relevant data.
• Prescribed a government-wide endpoint detection and response (EDR) capability, which has become a top priority for CDM.

This evolution of federal cyber requirements cleared a path for more effective collaboration across the federal civilian executive branch (FCEB) agencies ��� a new direction that aligned perfectly with platforms like Elastic and the CDM dashboards.

Now, let���s walk through exactly how the CDM dashboards can help orchestrate an improved defense of agency networks.

Pretend you���re a CISA cyber analyst tracking a particularly bad threat actor, ���Bad Baby Dingo,��� operating out of Australia. You receive intelligence that Bad Baby Dingo is targeting a common vulnerability and exposure (CVE) to launch a rare process that installs a malicious file on victims��� systems.

The process to install the file, which we���ll call ���Creepy Koala,��� leaves behind clues ��� specifically, logs that describe the process being launched and the file being installed. These process logs are captured on the endpoint and sent to the CDM dashboard for analysis and monitoring.

You log in to the CDM federal dashboard and run a search across the entire FCEB for the CVE that Bad Baby Dingo is exploiting. You get over 12,000 hits spread across 14 agencies, which would require a huge amount of labor to comb over. However, with the dashboard, you simply isolate the assets with the CVE, gaining insights into potential high value assets (HVAs) that could be impacted. Using this list as your input for another query, you identify potential indicators that the Creepy Koala process has been run. This time, your search leads you to 18 devices split between just two agencies, with HVA context to help inform and prioritize your response.

At this point, you have evidence that Bad Baby Dingo has breached two federal networks with an identified and prioritized set of assets. You pivot to agency A���s EDR console and isolate 10 of the impacted devices. You dive deeper into the systems to confirm what you suspected ��� a Creepy Koala process has been run on the endpoints. You help the agency security operations center (SOC) prioritize their response to block the process, remove the bad files, and create rules within the EDR to block the process in the future. You work with your peers across CISA to distribute alerts and detection rules to all agencies. You now have what you need to render Creepy Koala effectively harmless against the entire federal government.

The ever-evolving threat landscape requires cybersecurity analysts to detect, analyze, and respond to threats quickly, accurately, and at scale. At 躂圖AV, the Cyber Threat Analysis Center (CTAC), our premier threat analysis and advanced analytics capability, serves as the tip of the spear in threat monitoring, analysis, detection, and response.

The effort has gained significant support from policymakers as well. Last year, the National Defense Authorization Act (NDAA) gave CISA the ability to collect data from federal agency networks and proactively hunt for vulnerabilities without notifying the individual agencies. The Executive Order on Improving the Nation���s Cybersecurity contains dozens of new and enhanced provisions which provide CISA with the authority to make a significant impact. In order to maintain transparency across government, DHS will be required to report the findings of this proactive threat hunting to Congress. With the CDM dashboard, this information is easily shareable, but adhering to the NDAA while continuing to increase threat hunting efforts requires agencies to change the way data is stored, accessed, and analyzed.

In its continuous evolution, more features will be added to the CDM dashboard during the government���s next fiscal year. Updated capabilities are already being piloted at a handful of smaller agencies to measure potential impact. These enhancements include a CDM-enabled threat hunting capability, which pulls log data into the agency dashboard and enables queries across agencies from the federal dashboard to proactively search for threat activity. Generating deeper insights from across the government to alert threat hunters is a giant step forward, and the CDM dashboards can enable this ��� identifying threats in time to make a difference.