University of Wisconsin–Madison
Continuous Diagnostics and Mitigation

Continuous Diagnostics & Mitigation: Lather, Rinse, Repeat

CISO’S PERSPECTIVE — February 2019


In my last CISO’s Perspective, I wrote about elevating our cybersecurity program to Tier 4 (Adaptive) using the National Institute of Standards and Technology’s Cybersecurity Framework model. As we ponder how we can practice the art of continuous improvement using advanced cybersecurity technologies and practices, the concept of Continuous Diagnostics and Mitigation (CDM) is a significant game changer for UW–Madison.

Sometimes referred to as the sixth step in the Risk Management Framework (RMF), CDM is an important cybersecurity activity. It occurs when a system owner employs strategies, tools and processes that continually assess the operational security controls against evolving vulnerability, threat and impact factors. Disruption to operations or loss of data can occur when controls fail, when system upgrades occur without proper testing, or when external factors dictate; CDM then determines and implements mitigating controls or returns the system to an earlier RMF step.

Why CDM?

CDM is a set of detective controls that includes not only scanning and logging, but also other means of assessing vulnerabilities within an information system. CDM will eventually become the standard we live by when addressing Advanced Persistent Threats. Whether conducted by organized crime or unfriendly nation-states, these threats are continually targeting UW–Madison data and information technology systems. They target information like Personal Identity Information (PII) and Protected Health Information (PHI) to use for identity theft and fraud. CDM is a way to address these threats, which expose the University to regulatory liability. It can also detect compromise of unpublished research, which can result in lost opportunities and revenue.

The key is the “C” in CDM. We do both regular scans for vulnerabilities and point-in-time scans for specific vulnerabilities that we learn of from the daily routines of our Cybersecurity Operations Center (CSOC). The added value of CDM is in those processes that facilitate mitigating the vulnerabilities as they are found.

CDM is not a new idea

Continuous monitoring is a concept pioneered in Federal information systems and actively pursued since 2011. 

Shortly after the UW–Madison Risk Management Framework was introduced and began testing in 2016, a working group made up of members of the Madison Information Security Team (MIST) began pondering how this concept could evolve to be a necessary and strong component of UW–Madison’s active defense against Advanced Persistent Threats.

The CDM Working Group’s report, initially delivered in January 2017, made clear that UW–Madison IT teams acting on their own cannot adequately respond to those threats. The group found that CDM tools and support can be best delivered as a sustainable service and resourced with coordination among IT teams from the entire UW–Madison community and the Office of Cybersecurity.

The tools and processes have been evolving over the past 18 months as the CSOC came online and are now ready to be carried across campus to achieve the best results.

The CDM Decision Point

At the IT Policy Forum held February 14, a panel of Cybersecurity and IT leaders discussed how the CDM concept works, including actual implementations in the College of Agriculture and Life Sciences, the College of Letters and Sciences Learning Support Services, and Biochemistry. A common theme was the acknowledgement that many of the current practices in DoIT and the distributed IT teams, while diverse, are really core CDM practices. Additional effort will be needed to facilitate the development, implementation and sharing of CDM best practices on campus with a collaborative spirit of improvement. That effort will need to be resilient to emerging threats and technologies and advocate for an ever-evolving set of best practices for CDM on campus.

A CDM Advisory group is being formed which gives many on campus an opportunity to contribute to this effort.

What’s Next for CDM?

It’s time to collect those best practices and for IT Teams to decide where they will gain value from the lessons others are learning. CDM is most successful in organizations that focus on sustainable and repeatable practices. Knowing what works and practicing those behaviors, conducting the necessary tests, and codifying the processes are essential—yet as diverse as the campus IT teams that currently perform them. At its core, CDM can be summed up in a few easy steps:

  1. Install or update sensors
  2. Use automated search tools to discover flaws
  3. Collect results
  4. Triage and analyze results
  5. Fix priority issues
  6. Report Progress

Scanning or testing all critical network components, servers, end points, databases, IoT and peripheral devices—with results reviewed and acted on in a cyclical manner—ensures the health of the information technology enterprise. Collecting the results and sharing them in a transparent way ensures that all IT teams benefit from the knowledge of our IT environment, risk is reduced, sustained IT services are available, data is protected from abuse or inadvertent destruction and confidential data is not compromised.
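As an added illustration (not code from the post or from the Office of Cybersecurity), here is a small Python sketch of steps 3 through 6 of the cycle above: collected scan findings are triaged by severity and by whether the host handles PII or PHI, the priority subset is selected for fixing, and a progress report compares two consecutive scan cycles. The hosts, flaw identifiers, severity scale and data-class tags are all constructed assumptions.

```python
from dataclasses import dataclass
# Severity ranking used for triage (an assumed scale, not one from the post)
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SENSITIVE_DATA = {"pii", "phi"}  # the data classes the post names as APT targets

@dataclass(frozen=True)
class Finding:
    """One flaw reported by a scan; field names are assumed and scanner-neutral."""
    host: str
    flaw_id: str      # hypothetical scanner check identifier
    severity: str     # key of SEVERITY_RANK
    data_class: str   # "pii", "phi" or "none", as tagged by the system owner

def triage(findings):
    """Step 4: order results by severity, then by PII/PHI exposure of the host."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK[f.severity], f.data_class in SENSITIVE_DATA),
        reverse=True,
    )

def priority_issues(findings, min_severity="high"):
    """Step 5: the subset that must be fixed before the next cycle."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in triage(findings) if SEVERITY_RANK[f.severity] >= floor]

def progress_report(previous, current):
    """Step 6: compare consecutive cycles by (host, flaw) identity."""
    prev = {(f.host, f.flaw_id) for f in previous}
    cur = {(f.host, f.flaw_id) for f in current}
    return {"fixed": sorted(prev - cur), "new": sorted(cur - prev),
            "persisting": sorted(prev & cur)}

# Constructed sample results for two consecutive cycles (not real hosts or flaws)
CYCLE_1 = [
    Finding("db-01.example.edu", "FLAW-1001", "high", "phi"),
    Finding("web-02.example.edu", "FLAW-2002", "critical", "none"),
    Finding("lab-07.example.edu", "FLAW-3003", "low", "none"),
    Finding("web-02.example.edu", "FLAW-1001", "high", "none"),
]
CYCLE_2 = [
    Finding("db-01.example.edu", "FLAW-1001", "high", "phi"),      # still open
    Finding("lab-07.example.edu", "FLAW-3003", "low", "none"),     # still open
    Finding("lab-07.example.edu", "FLAW-4004", "medium", "none"),  # newly found
]

if __name__ == "__main__":
    for f in priority_issues(CYCLE_1):
        print("fix first:", f.host, f.flaw_id, f.severity)
    print(progress_report(CYCLE_1, CYCLE_2))
```

The persisting list is the one to watch between cycles: a high-severity finding on a PHI host that survives a full cycle is the kind of gap the "C" in CDM is meant to surface.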

Practice will make perfect! Eventually CDM will become as simple as lather, rinse, repeat. 

Let the journey begin (cue the Star Trek theme music)…

As always, I appreciate your feedback. Simple rules—be nice, be fair, and be honest. 

Please email your thoughts to cybersecurity@cio.wisc.edu and we will periodically post them with helpful answers.

Bob Turner, UW–Madison Chief Information Security Officer
