Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

The ‘Next Chapter’ in Cyber Risk: Are Federal Agencies Prepared?

The latest study from MeriTalk finds increased technical collaboration across federal agencies and industry stakeholders, as well as some worrying gaps in cybersecurity fundamentals.

Tenable recently co-sponsored a MeriTalk study conducted to assess the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, the initiative that provides cybersecurity tools and guidance to all federal agencies. MeriTalk surveyed over 100 federal and industry CDM stakeholders to capture their thinking about the state of the program and recommendations for its future direction. In reviewing the report, titled “CDM: The Next Chapter,” we came away with a mixture of excitement and trepidation.

It is exciting, for example, that a solid majority of respondents (59%) report that federal agencies are implementing CDM tools as part of an integrated cyber defense strategy (rather than a stand-alone program). Less exciting is the fact that 90% of respondents see adversaries as gaining the upper hand, and 68% find that CDM is not adapting fast enough to protect expanding cloud and mobile environments. Below we take a deeper look into some key “takeaways” not readily apparent from the report’s headlines.

Good news: Cross-agency teamwork is happening at many levels

Since its inception, CDM has been about teamwork. Designed as a groundbreaking effort to bring all federal agencies together to fight a common fight, CDM continues to invoke a team ethos not only among federal agencies, but also between federal and industry participants, and among different cybersecurity programs. Examples include:

  • New shared services: From “Security Operations Center (SOC) as a Service” to the Cybersecurity and Infrastructure Security Agency’s recently approved QSMO marketplace, responses made clear that the federal enterprise is moving rapidly toward a “circle the wagons” approach that recognizes a shared need to defend against common enemies.
  • Moving toward automation: Respondents overwhelmingly (82%) recognized the importance of integrating Trusted Internet Connections (TIC) 3.0 into CDM, with automated TIC data feeds supporting CDM reporting. 97% saw benefits in leveraging automation in general.
  • Integration from both sides: Federal respondents pointed to integrating cyber initiatives as a top priority; industry stakeholders emphasized the need for federal guidance, with “improving integration” following closely behind.

It appears from the MeriTalk report that CDM stakeholders are in agreement that cybersecurity is truly a team sport. And with promising initiatives on the horizon, such as CISA’s centralized marketplace, it seems highly likely that the teamwork trend will continue to accelerate in CDM’s next chapter.

Not-so-good news: Too many teams are forgetting the asset management fundamentals

Speaking of sports, it is a long-accepted truth that building on solid fundamentals is an essential path to success in athletic competition. The same could be said for cybersecurity. One slide in the “Next Chapter” presentation gave us particular concern on that front. In a poll of federal-only respondents, 33% felt that they could only “somewhat” answer that most basic CDM question: “What is on the network?” Conversely, only 17% felt that they had complete, real-time visibility into the assets on their network environment.

Answers to the other core CDM “capability” questions revealed slightly better results. All areas left room for improvement, but this fundamental gap in asset management proficiency is a warning flag that must not be ignored. If you don’t know which assets are on your network, it follows that you don’t know what your vulnerabilities are. That cyber exposure gap needs to be closed before a secure expansion effort can proceed.

Back in the spring of 2017, the deployment of CDM tools revealed a 44% undercount in devices attached to the network. This cyber exposure chasm of “shadow IT” caused a major re-calibration of the scope of work required to achieve CDM goals. The fact that one-third of federal respondents in this latest survey feel unable to fully answer the “what is on the network” questions seems to indicate that, in spite of the tremendous progress of CDM over the past three years in closing the gap, there is still much work to be done.

How federal agencies can excel beyond the cybersecurity basics

Indeed, “gap-fill” requests continue to stream in from federal agencies. CDM’s ability to quickly deploy the necessary tools to fill those gaps will determine the rate at which planned expansion into cloud and mobile environments can proceed. At Tenable, we are committed to helping CDM close these cyber exposure gaps. Tenable.sc Continuous View is the vulnerability management platform that enables federal agencies to discover all assets in their network environment and identify the vulnerabilities in those devices. Deploying active Nessus scanners, passive “always on” Nessus Network Monitors, and Nessus agents can achieve complete visibility in today’s increasingly remote network environment.

Another exciting development in Tenable.sc is its Predictive Prioritization capability. Once gap-fill efforts disclose new vulnerabilities, the need to prioritize effectively, and to focus on those that truly pose threats, becomes paramount. Using legacy methods like CVSS as the basis for this prioritization will quickly lead to “vulnerability overload.” Last year, over 30% of the 17,000+ new vulnerabilities carried a CVSS score in the “high” or “critical” range. But past experience has shown definitively that the vast majority of those vulnerabilities pose no serious threat.

Predictive Prioritization is a data science-based process that goes beyond CVSS and re-prioritizes each vulnerability based on the likelihood it will be leveraged in a cyberattack. Predictive Prioritization assigns a Vulnerability Priority Rating (VPR) to every vulnerability – including those that have yet to be published in the U.S. National Vulnerability Database (NVD) – and updates the ratings daily based on threat intelligence, exploit activity and multiple other data inputs.

The Tenable data science team estimates that, on average, only 3% of vulnerabilities are actually exploited. Putting this into perspective, if you used VPR for prioritization, you would only need to patch about 500 of those 17,300 new vulnerabilities to eliminate all critical threats that posed a risk of exploitation. This is far more feasible than guessing which of the 5,300 critical or high CVSS vulnerabilities matter. 

By using VPR, and other capabilities that enable a risk-based approach to vulnerability management, agencies can immediately operationalize the objective of the new CDM dashboard ecosystem – assembling the tools and information that “allow agencies to ‘fix the worst problems first' across their networks.”

Join us on June 9th for CDM Central

The virtual CDM Central conference, "Tales From the Frontlines," will be streaming live on June 9. We’ll be there along with MeriTalk and federal IT leaders addressing the current state of the CDM program, and what’s in store for the program’s chapters ahead. Visit us at our virtual booth where we can interact through virtual chat features, live demos, and more. You can register here.

Get more information

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training