When a crime is committed, one of the first things the police do is collect evidence from any security cameras nearby, and these days, cameras are everywhere. That’s a model that federal agencies want to apply to cybersecurity. This constant monitoring of systems to catch bad actors provides the basis for CDM – Continuous Diagnostics and Mitigation.
Garrett Lee, Director of Strategic Federal Programs at VMware Carbon Black, said CDM is all about the synergy between having a closely-coupled protection and visibility strategy, seeing all the activity taking place on the endpoints, on networks, seeing how you’re being attacked, and then pivoting to build the right defenses tailored to those attacks.
“If you think about CDM, it’s modernizing cyber for the civilian government. It’s doing so while simultaneously creating the type of cyber data telemetry that gives the Department of Homeland Security and our federal leaders the ability to understand at large what our vulnerability landscape looks like across the .gov domain. They can then take decisive actions to shore up our defenses to threats as they are presented — It’s about prevention and rapid detection working together,” Lee said.
VMware Carbon Black App Control (formerly named CB Protection) accomplishes that global view through Software Asset Management, or SWAM — one of the foundational elements of CDM. SWAM automatically identifies all software assets on endpoints: every file, application, and certificate, each of the devices and computers in an endpoint environment, as well as platform and software information. It categorizes the risk of each piece of software by knowing which versions are being run, and uses that to approve (allowlist) or ban (denylist) software, either manually or automatically.
“Some may think they need to design their list of approved software prior to deploying an allowlisting strategy,” Lee explained. “This is not the case with an application control solution as mature as ours.” The better approach is to install the software, allow it to take stock of the environment, and use the trust governance mechanisms and automation the platform offers in order to establish rule-based brokers of trust to achieve increasing enforcement levels.
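As an added illustration of the SWAM workflow the two paragraphs above describe (inventory first, then rule-based trust, then progressively stricter enforcement), the following Python sketch is not VMware Carbon Black code and does not use its API. The asset fields, the rule names, the three enforcement-level names and the sample inventory are all constructed assumptions. It shows why deny rules are evaluated before allow rules, and how the same verdicts map to stricter actions as the operator raises the level after taking stock of what is already running.

```python
"""Toy model of a SWAM-style software inventory feeding rule-based allow/deny
decisions at increasing enforcement levels. Added illustration only; the data
model, rule names and level names are assumptions, not VMware Carbon Black's."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Verdict(Enum):
    APPROVED = "approved"      # matched an allow rule (trusted publisher)
    BANNED = "banned"          # matched a deny rule (known-bad hash or version)
    UNAPPROVED = "unapproved"  # inventoried, but no rule covers it yet


@dataclass(frozen=True)
class Asset:
    """One inventoried executable on an endpoint (constructed fields)."""
    host: str
    path: str
    name: str
    version: Tuple[int, ...]
    publisher: str     # subject of the code-signing certificate, "" if unsigned
    sha256: str        # constructed placeholder digest, not a real file hash


# Trust rules (constructed). Deny rules are checked before allow rules.
TRUSTED_PUBLISHERS = {"Example Vendor Inc.", "Example OS Corp."}
BANNED_HASHES = {"sha256:CONSTRUCTED-KNOWN-BAD-0001"}
# product name -> last version known vulnerable; that version and older are banned
VULNERABLE_UP_TO = {"examplereader": (11, 0, 3)}


def decide(asset: Asset) -> Verdict:
    """Deny first, so a bad hash or vulnerable version from a trusted
    publisher is still banned; then approve by publisher; else unapproved."""
    if asset.sha256 in BANNED_HASHES:
        return Verdict.BANNED
    ceiling = VULNERABLE_UP_TO.get(asset.name.lower())
    if ceiling is not None and asset.version <= ceiling:
        return Verdict.BANNED
    if asset.publisher in TRUSTED_PUBLISHERS:
        return Verdict.APPROVED
    return Verdict.UNAPPROVED


# Enforcement levels, from visibility-only to full allowlisting (names assumed).
# The verdicts do not change between levels; only the action taken on them does.
ENFORCEMENT: Dict[str, Dict[Verdict, str]] = {
    "visibility": {Verdict.APPROVED: "allow", Verdict.BANNED: "allow+alert", Verdict.UNAPPROVED: "allow"},
    "medium":     {Verdict.APPROVED: "allow", Verdict.BANNED: "block",       Verdict.UNAPPROVED: "allow+alert"},
    "high":       {Verdict.APPROVED: "allow", Verdict.BANNED: "block",       Verdict.UNAPPROVED: "block"},
}


def enforce(asset: Asset, level: str) -> str:
    """Action the agent would take for this asset at the given level."""
    return ENFORCEMENT[level][decide(asset)]


def inventory_report(assets: List[Asset], level: str) -> Dict[str, int]:
    """Count actions across the inventory: a quick readiness check before
    moving the environment to the next enforcement level."""
    counts: Dict[str, int] = {}
    for a in assets:
        action = enforce(a, level)
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample inventory from two endpoints.
SAMPLE_ASSETS = [
    Asset("ws-01", r"C:\Program Files\Example\reader.exe", "ExampleReader", (11, 0, 2), "Example Vendor Inc.", "sha256:CONSTRUCTED-0A"),
    Asset("ws-01", r"C:\Program Files\Example\reader.exe", "ExampleReader", (12, 1, 0), "Example Vendor Inc.", "sha256:CONSTRUCTED-0B"),
    Asset("ws-02", r"C:\Users\jdoe\Downloads\tool.exe", "tool", (1, 0), "", "sha256:CONSTRUCTED-0C"),
    Asset("ws-02", r"C:\Windows\System32\svc.exe", "svc", (10, 0), "Example OS Corp.", "sha256:CONSTRUCTED-KNOWN-BAD-0001"),
]

if __name__ == "__main__":
    for level in ENFORCEMENT:
        print(level, inventory_report(SAMPLE_ASSETS, level))
```

Running the report at each level shows the operational point of the quote above: at the visibility level nothing is blocked and the report simply tells you how much unapproved software is in the environment; only when that count is understood does it make sense to move to a level where unapproved software is blocked.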
While VMware Carbon Black’s application control solution offers software asset visibility and governs and enforces what is allowed to run on endpoints, shrinking what is known as the attack surface, there is still the matter of the endpoint activity itself. This is where endpoint detection and response software comes into play. VMware Carbon Black EDR (formerly named CB Response) allows agencies to have the visibility necessary to implement threat hunting, which is a capability most government agencies currently lack. And even those that do typically lack one of the central elements of VMware Carbon Black EDR: the unfiltered data approach.
“It is all about the data. If you’re gathering evidence at a crime scene, and you have the ability to gather all the evidence, then nothing will get missed. Likewise, we take a view of ‘gather all the evidence we need to be able to determine exactly what happened in an IT environment’ and not leave it on the endpoint itself where it may be vulnerable, but move it to a central server,” Lee said. “The life story of every system is written to a central system so that threat hunters can examine that data set to determine the scope, cause and impact of how they’re being attacked, take real-time response and remediation actions to triage any damage underway, so that you’re not caught with a need to re-image a system and put it back out into the environment with the same vulnerabilities it had yesterday that allowed you to become compromised.”
This allows cyber specialists to surgically remove the data, solve and address the problem after isolating it from the rest of the environment. That type of remediation can be performed directly from the console, without the need to re-image the system. But more importantly, it allows you to find the root cause, scope and impact of the attack, and change protections to tighten defenses against the threat.
VMware Carbon Black is all about maximizing the effectiveness of cyber practitioners, because they’re a scarce resource. That means creating policy-based enforcement about what’s able to run, and getting granular to the point of deciding how you want to govern the use of USB devices. That reduces the burden on the security environment by shrinking the attack surface, turning a single decision into policy across the system. Threat hunters don’t want to operate repetitively; automation is a force multiplier.
Lee said some cyber practitioners shudder when you mention allowlisting, because they’ve had bad experiences with less mature solutions in the past. Scalability, manual tuning, and frustration in establishing rules have been common pain points. But VMware Carbon Black has been able to make allowlisting much more user-friendly.
“The training we provide is not necessarily to navigate some tool complexity,” Lee said. “It’s more how to think and architect your strategies that you can carry out with this very capable tool set to be able to govern your environment. And so much of the services and training we deliver is people and process oriented. It’s how to intelligently establish these rule sets and deploy them in a way that is appropriate to each unique environment.”
The same goes for threat hunting. Using VMware Carbon Black EDR is intuitive, even for novice threat hunters. Lee said the hardest part is learning how to think like a threat hunter. As threat hunters increase their skill, their appreciation for the power of the data VMware Carbon Black EDR provides only grows.
And it’s not just easier, it’s effective. Because allowlisting is a CDM SWAM requirement, the CDM program conducted an analysis of alternatives to explore different capabilities. The Department of Homeland Security makes the full report available to government agencies, but the results were clear.
“This large Federal agency was the agency that served as the Center of Excellence for that. And the prime contractor worked for seven months alongside this agency to really vet out what’s the most appropriate allowlisting solution for the needs of CDM and the needs of the agency,” Lee said. “Five or six vendors went in, were down-selected to two, and VMware Carbon Black won. We look forward to continuing to support the program.”