Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

BOD 23-01: Better visibility to reduce risk

Written by Jean Schaffer | Oct 10, 2022 1:00:00 PM

“Knowing what’s on your network is the first step for any organization to reduce risk.” 

-CISA Director, Jen Easterly.

On October 3, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks.

"Why is this being published as a BOD?" one might ask, since asset visibility has been a requirement for a decade or more through Federal Information Security Modernization Act (FISMA) reporting, as has the requirement to detect and mitigate vulnerabilities. One driving factor is that the directive holds federal civilian executive branch (FCEB) agencies responsible for automatically ingesting vulnerability enumeration results into the Continuous Diagnostics and Mitigation (CDM) dashboard, with CISA reporting FCEB compliance to the Department of Homeland Security, the White House's Office of Management and Budget (OMB), and the Office of the National Cyber Director. Without that data, how else would the National Cyber Director get a comprehensive, data-driven view of the federal government's security risk?

By April 3, 2023, agencies will be expected to perform automated asset discovery every seven days and to initiate vulnerability enumeration across all discovered assets every 14 days. It's a strong move in the right direction as the whole of the federal government moves to meet Zero Trust requirements. But without proper validation, the weekly automated asset discovery runs the danger of becoming an exercise in compliance rather than security. Adversaries, and admins too, are adept at timing their activity so that a scheduled scan never sees it. If you're not doing both passive network monitoring and active network scanning to identify and categorize assets, managed and unmanaged alike, you're simply not getting the complete picture. The outliers stand out when the passively and actively collected asset inventories are compared against each other: hosts the sensor sees talking but the scanner never reports, and hosts the scanner reports but the sensor never sees.

This is the approach we have been advocating that Corelight's federal clients incorporate into their zero trust strategy. A "set it and forget it" approach to automated discovery and vulnerability detection leaves openings for exploitation in overlooked or dormant assets that appear online intermittently or seemingly at random.

Corelight has continued to enhance our sensors not only to show the breadth of a network but also to provide insight into how assets interact with one another: for instance, which services a particular asset provides or consumes, such as which hosts have used SSH in the last 24 hours. Our most recent sensor release (v26) introduced the Corelight Entity Collection, eight new entity-specific logs that give customers a pre-aggregated, contextual view of a given entity from a single search.

This enhanced visibility around hosts, services, and apps provides the necessary context to better validate unknown or unexpected activities or assets found on the network. 
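As an added illustration of the two points above (comparing a passively built inventory against a scheduled scan, and answering a question like "which hosts used SSH in the last 24 hours"), here is a small Python script that does both. It is example code, not Corelight's and not from this post. It assumes Zeek conn.log records in JSON form and a flat list of hosts reported by the last scheduled scan; every log line, address, scan result and timestamp is constructed, and the SCOPE, NOW, SCAN_TS and slack values are assumptions chosen for the demo.

```python
"""Reconcile a passive asset inventory (built from Zeek conn.log) with the
result of a scheduled active scan, and query services seen per host.
Added example, not Corelight code; all data below is constructed."""
import json
from ipaddress import ip_address, ip_network

# Assumed in-scope address space for the inventory (constructed).
SCOPE = (ip_network("10.1.0.0/16"),)

# Constructed Zeek conn.log records in JSON form, one per line. Zeek omits
# "service" when it could not identify the protocol, so the parser must cope.
CONN_LOG = """\
{"ts":1665320400.1,"id.orig_h":"10.1.1.50","id.resp_h":"10.1.2.10","id.resp_p":22,"proto":"tcp","service":"ssh"}
{"ts":1665324000.3,"id.orig_h":"10.1.1.51","id.resp_h":"10.1.2.10","id.resp_p":443,"proto":"tcp","service":"ssl"}
{"ts":1665327600.7,"id.orig_h":"10.1.1.52","id.resp_h":"10.1.2.99","id.resp_p":22,"proto":"tcp","service":"ssh"}
{"ts":1665236000.0,"id.orig_h":"10.1.1.53","id.resp_h":"10.1.2.77","id.resp_p":445,"proto":"tcp"}
{"ts":1665331200.0,"id.orig_h":"10.1.1.50","id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns"}
"""

# Constructed: "now", the time the last scheduled scan ran (about 27 hours
# earlier), and the hosts that scan reported as alive.
NOW = 1665334800.0
SCAN_TS = 1665237600.0
ACTIVE_SCAN_HOSTS = ["10.1.1.50", "10.1.1.51", "10.1.2.10", "10.1.2.77", "10.1.3.5"]


def in_scope(ip):
    return any(ip_address(ip) in net for net in SCOPE)


def passive_inventory(conn_log):
    """Return {ip: {"seen": [ts, ...], "serves": {svc: last_ts}, "uses": {svc: last_ts}}}
    for every in-scope host that appeared as originator or responder."""
    inv = {}
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = float(rec["ts"])
        # Fall back to proto/port when Zeek did not label the service.
        svc = rec.get("service") or f"{rec['proto']}/{rec['id.resp_p']}"
        for ip, role in ((rec["id.orig_h"], "uses"), (rec["id.resp_h"], "serves")):
            if not in_scope(ip):
                continue
            host = inv.setdefault(ip, {"seen": [], "serves": {}, "uses": {}})
            host["seen"].append(ts)
            host[role][svc] = max(ts, host[role].get(svc, 0.0))
    return inv


def hosts_with_service(inv, service, now=NOW, window_s=86400):
    """Hosts that provided or consumed `service` within the window (default 24 h)."""
    cutoff = now - window_s
    return sorted((ip for ip, h in inv.items()
                   if max(h["serves"].get(service, 0.0), h["uses"].get(service, 0.0)) >= cutoff),
                  key=ip_address)


def reconcile(inv, scan_hosts, scan_ts=SCAN_TS, slack_s=3600):
    """Compare the passive and active views of the same scope.

    matched:      both the sensor and the scan saw the host.
    missed:       on the wire within `slack_s` of the scan, yet absent from the
                  scan results: a scanner blind spot (host firewall, ACL, wrong
                  target list) that needs investigating.
    intermittent: seen passively, but with no traffic near the scan time: a
                  dormant or timed asset that the schedule alone will not catch.
    active_only:  the scan reported it but the sensor never saw it talk: a
                  sensor coverage gap, or a host only the scanner ever touches.
    """
    active = {ip for ip in scan_hosts if in_scope(ip)}
    out = {"matched": [], "missed": [], "intermittent": [],
           "active_only": list(active - inv.keys())}
    for ip, host in inv.items():
        if ip in active:
            out["matched"].append(ip)
        elif any(abs(t - scan_ts) <= slack_s for t in host["seen"]):
            out["missed"].append(ip)
        else:
            out["intermittent"].append(ip)
    return {k: sorted(v, key=ip_address) for k, v in out.items()}


if __name__ == "__main__":
    inv = passive_inventory(CONN_LOG)
    print("SSH in last 24h:", hosts_with_service(inv, "ssh"))
    for bucket, hosts in reconcile(inv, ACTIVE_SCAN_HOSTS).items():
        print(f"{bucket:13s} {hosts}")
```

The split between "missed" and "intermittent" is the check that turns the comparison into something actionable: a host that was talking while the scan ran and still does not appear in its results points at the scanner, while a host that was silent around the scan points at the schedule. On real data the scan window and slack should come from the scanner's own run records rather than a single timestamp.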

As our federal customers pivot to meet the deadlines outlined in both BOD 23-01 and the federal zero trust architecture (ZTA) strategy, validating what your asset management and vulnerability detection practices are producing is vital to move beyond compliance. If you’d like to learn more about how Corelight is supporting Zero Trust or the new Entity Collection, send us a note at fed-team@corelight.com.


By Jean Schaffer, Corelight Federal CTO