CONTACT US
forrester wave report 2023

Forrester rates Corelight a strong performer

GET THE REPORT

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-ndr-winter-2024

Network Detection and Response

SUPPORT OVERVIEW

 

BOD 23-01: Better visibility to reduce risk

“Knowing what’s on your network is the first step for any organization to reduce risk.” 

-CISA Director, Jen Easterly.

On October 3, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks.

"Why is this being published as a BOD?" one might ask since we know that asset visibility has been a requirement for a decade or more through Federal Information Security Modernization Act (FISMA) reporting, as well as the requirement for vulnerability detections and mitigations. One driving factor is that the directive holds federal civilian executive branch (FCEB) agencies responsible for automatic ingestion of the vulnerability enumeration to the Continuous Diagnostics and Mitigation (CDM) dashboard, with CISA reporting the FCEB's compliance to the Department of Homeland Security, White House's Office of Management and Budget (OMB), and Office of the National Cyber Director. How else will the National Cyber Director get a comprehensive, data-driven view of the security risk level of the federal government?

By April 3, 2023, agencies will be expected to perform automated asset discovery every seven days and to identify and report suspected vulnerabilities every 14 days. It's a strong move in the right direction as the whole of the federal government moves to meet Zero Trust requirements. But, without proper validation, the weekly automated asset discovery runs the danger of becoming an exercise of compliance rather than security. Adversaries, as well as admins, are adept at timing activities to avoid detection for a scheduled scan. If you're not doing both passive network monitoring and active network scanning to identify and categorize assets, the managed and unmanaged ones, you're simply not getting the complete picture. The outliers will stand out when both the passively and actively collected asset inventories are compared against each other.

This is certainly the approach we have been advocating Corelight's federal clients incorporate into their zero trust strategy. A “set it and forget it” approach to automated discovery and vulnerability detection introduces opportunities for exploitation in overlooked or dormant assets that may appear online intermittently or seemingly randomly.

Corelight has continued to enhance our sensors not only to show the breadth of a network, but also to provide powerful insights into how the assets interact with one another. For instance, which services are provided or consumed by a particular asset, such as discovering which hosts have used SSH in the last 24 hours. Our most recent sensor release (v26) introduced the Corelight Entity Collection, eight new entity-specific data logs for context and fast searching giving customers a pre-aggregated, contextual view of a given entity from a single search.

This enhanced visibility around hosts, services, and apps provides the necessary context to better validate unknown or unexpected activities or assets found on the network. 

As our federal customers pivot to meet the deadlines outlined in both BOD 23-01 and the federal zero trust architecture (ZTA) strategy, validating what your asset management and vulnerability detection practices are producing is vital to move beyond compliance. If you’d like to learn more about how Corelight is supporting Zero Trust or the new Entity Collection, send us a note at fed-team@corelight.com.

Also check out these additional resources for more information:

By Jean Schaffer, Corelight Federal CTO

 

Recent Posts