Todd Schryer, CGI Federal

The Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program provides federal civilian agencies with a number of cybersecurity capabilities, including an agency dashboard that presents a consolidated view of the agency’s security posture.

As threats increase in prevalence and severity, agencies must continuously monitor network traffic as a fundamental cybersecurity response. The agency dashboard is a key analytics tool for agencies developing this capability, as they manage and monitor assets, accounts and vulnerabilities. Ultimately, agency object-level data is aggregated into a CISA-hosted federal dashboard that gives a comprehensive view across participating agencies.

Implementing a new dashboard

In early 2020, CISA decided to change the dashboard platform across the CDM program, bringing significant performance improvements and the potential for even more to come in the near term.

The initial installation and operation of comprehensive CDM agency dashboards raised immediate flexibility and performance challenges. While the asset management capability of the CDM program introduced a standard governance, risk and compliance (GRC) dashboard tool to provide near real-time threat and incident reporting, the complexities of disparate agency networks and infrastructure presented obstacles. Asset discovery demonstrated those challenges as agencies found that the scale of their operations was far larger and more complex than previously understood. As agencies catalogued subnetworks and families of devices, the asset count rose steadily.

Agencies collected a formidable volume of events from the vulnerability scanners and unified endpoint management tools, compounded by the increase in number and complexity of assets under observation. Ultimately, it became clear that a traditional GRC tool could not keep up with data ingestion in a meaningful or actionable timeframe for agencies of significant size. Even though CISA provided the resources and initial software licenses to install a transformation and integration solution that offered true agency-wide data access, the agency dashboard often needed weeks to ingest the data—far too slow to meet monitoring requirements.

CISA considered the performance challenges and solicited a dashboard solution that could scale up to the largest civilian agencies. CISA selected a technical solution built around the Elastic stack and asked participating agencies to prepare for a conversion to Elastic Cloud Enterprise (ECE) within months of the selection decision. The conversion had to be rapid, while maintaining connectivity between installed agency dashboards and the federal dashboard throughout.

To the integrators charged with making the transition, including CGI Federal, the requirements for constant connectivity and performance enhancements presented both challenges and opportunities. We had to maintain all existing data transformation and ingestion queries and structures implemented within the data integration layer, in order to keep the data flow to the federal dashboard running without interruption. We introduced a second, separate set of interfaces that feed directly from the data integration layer to a new enrichment database, which assumes the heavy lifting necessary to correlate, denormalize and enrich data for transfer to ECE.

A dramatic difference

We made no changes to installed integrations with this parallel architecture, and ECE receives a dedicated stream of data packaged for immediate assimilation into a testing environment. Perhaps more significantly, our introduction of a new physical data model supports the persistence of objects even when key identifiers are missing or modified. This means that objects representing assets and users depend much less on event-driven data streams, which leads to significantly less duplication and, therefore, more accurate monitoring capabilities.
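The following is an added illustration of the general idea behind a persistent object model of the kind described above; it is not CGI's data model or code, and CDM's actual schema is not described on this page. It keeps one asset object per device under a stable surrogate id, matches each incoming scanner or endpoint-management event on whichever identifiers that event happens to carry (MAC and hostname treated as strong, IP address as weak because DHCP reassigns it), merges two objects when a later event proves they are one device, and moves an identifier to a new owner when it changes. Beside it, an event-keyed store shows how records multiply when identity is tied to the identifier each event reports. All events, hostnames, MAC and IP values are constructed for the example.

```python
"""Persistent asset objects vs. event-keyed records (constructed illustration)."""
from dataclasses import dataclass, field
import itertools
from typing import Dict, List, Set, Tuple

# Matching precedence (an assumption of this example): hardware address and
# hostname are strong identifiers; an IP address is weak because DHCP reuses it.
STRONG_FIELDS = ("mac", "hostname")
WEAK_FIELDS = ("ip",)
ALL_FIELDS = STRONG_FIELDS + WEAK_FIELDS


def normalize(value: str) -> str:
    """Canonical form so 'SRV01' and 'srv01' (or mixed-case MACs) index alike."""
    return value.strip().lower()


@dataclass
class Asset:
    surrogate_id: int                       # stable key, never derived from event data
    identifiers: Dict[str, str] = field(default_factory=dict)
    sources: Set[str] = field(default_factory=set)
    event_count: int = 0


class AssetStore:
    """One Asset per device; the index maps (field, value) -> surrogate id."""

    def __init__(self) -> None:
        self.assets: Dict[int, Asset] = {}
        self._index: Dict[Tuple[str, str], int] = {}
        self._next_id = itertools.count(1)

    def _matches(self, ids: Dict[str, str], fields: Tuple[str, ...]) -> List[int]:
        """Surrogate ids of existing assets sharing any of the given identifiers."""
        found: List[int] = []
        for f in fields:
            sid = self._index.get((f, ids[f])) if f in ids else None
            if sid is not None and sid not in found:
                found.append(sid)
        return found

    def _set_identifier(self, asset: Asset, f: str, value: str) -> None:
        """Record a (possibly changed) identifier and move the index entry with it."""
        old = asset.identifiers.get(f)
        if old == value:
            return
        if old is not None and self._index.get((f, old)) == asset.surrogate_id:
            del self._index[(f, old)]                 # superseded value, e.g. an old IP
        previous_owner = self._index.get((f, value))
        if previous_owner is not None and previous_owner != asset.surrogate_id:
            # A reused address: the former owner no longer holds this value.
            self.assets[previous_owner].identifiers.pop(f, None)
        asset.identifiers[f] = value
        self._index[(f, value)] = asset.surrogate_id

    def _merge(self, keep: int, drop: int) -> None:
        """Two objects turned out to be one device: fold `drop` into `keep`."""
        target, doomed = self.assets[keep], self.assets.pop(drop)
        for f, v in doomed.identifiers.items():
            if f in target.identifiers and target.identifiers[f] != v:
                self._index.pop((f, v), None)         # the surviving object's value wins
            else:
                target.identifiers[f] = v
                self._index[(f, v)] = keep
        target.sources |= doomed.sources
        target.event_count += doomed.event_count

    def ingest(self, event: Dict[str, str]) -> int:
        """Attach the event to an existing object, merging or creating as needed."""
        ids = {f: normalize(event[f]) for f in ALL_FIELDS if event.get(f)}
        matched = sorted(self._matches(ids, STRONG_FIELDS))
        if not matched:                               # fall back to the weak identifier
            matched = sorted(self._matches(ids, WEAK_FIELDS))
        if matched:
            sid = matched[0]                          # the oldest object survives a merge
            for other in matched[1:]:
                self._merge(sid, other)
        else:
            sid = next(self._next_id)
            self.assets[sid] = Asset(sid)
        asset = self.assets[sid]
        for f, v in ids.items():
            self._set_identifier(asset, f, v)
        asset.sources.add(event["source"])
        asset.event_count += 1
        return sid


def build_store(events: List[Dict[str, str]]) -> AssetStore:
    store = AssetStore()
    for event in events:
        store.ingest(event)
    return store


def event_keyed_records(events: List[Dict[str, str]]) -> Dict[str, int]:
    """The event-driven alternative: a record per identifier value as reported."""
    records: Dict[str, int] = {}
    for e in events:
        key = next(e[f] for f in ("hostname", "mac", "ip") if e.get(f))
        records[key] = records.get(key, 0) + 1
    return records


# Constructed events from two sources describing two devices; identifiers are
# partial, differently cased, and one IP address is reassigned and then reused.
SAMPLE_EVENTS = [
    {"source": "vuln-scanner", "hostname": "srv01", "ip": "10.0.0.5"},
    {"source": "uem", "mac": "AA:BB:CC:00:00:01"},
    {"source": "uem", "hostname": "SRV01", "mac": "aa:bb:cc:00:00:01"},
    {"source": "vuln-scanner", "hostname": "srv01", "ip": "10.0.0.9"},
    {"source": "uem", "ip": "10.0.0.9"},
    {"source": "vuln-scanner", "hostname": "srv02", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:02"},
    {"source": "uem", "mac": "AA:BB:CC:00:00:02", "ip": "10.0.0.5"},
]

if __name__ == "__main__":
    store = build_store(SAMPLE_EVENTS)
    print(f"persistent objects: {len(store.assets)}")        # 2 devices
    print(f"event-keyed records: {len(event_keyed_records(SAMPLE_EVENTS))}")  # 6 records
    for asset in store.assets.values():
        print(asset)
```

Run as a script, the seven events collapse to two asset objects, while the event-keyed store holds six records for the same two devices. The surviving object for `srv01` carries its hostname, its current IP address and the MAC that only the endpoint-management source reported, which is the property the text describes: the object persists across events that omit or change an identifier.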

The results have exceeded our expectations. Ingestion periods have dropped from weeks to hours, even for the largest agencies. The pilot agency experienced an improvement so dramatic that it considered running multiple ingestion cycles per day in order to improve the timeliness of the overall CDM solution. The agency eventually determined that such an aggressive ingestion cycle would provide limited benefit, but having the option represented a leap ahead in performance optimization.

CGI’s CDM dashboard solution gives participating agencies the ability to see timely and accurate dashboard data to support response and management of their environments. This is true across a diverse set of agencies utilizing a wide variety of sensors and unified endpoint management systems.

In addition, agencies may soon be able to perform their required CyberScope reporting with a single dashboard solution, eliminating repetitive manual tasks. CISA’s ability to quickly reorient to a high-performance dashboard stack, combined with CGI’s technical transition strategy and realization of persistent object-level data, has propelled CISA’s vision of near real-time monitoring across the complex environments within CDM’s participating agencies.

For more about our work in CDM, download the brochure “CDM cybersecurity solutions.”

About this author

Todd Schryer is a Director in CGI Federal’s cybersecurity practice and a Certified Information Systems Security Professional (CISSP).