When I last posted about Splunk and the federal Continuous Diagnostics and Mitigation (CDM) program, it was just kicking into high gear. In the year since, the Department of Homeland Security (DHS) and the General Services Administration (GSA) have awarded five task orders to four companies to cover Phase 1 of the CDM program. I am extremely happy to announce that Splunk Enterprise was selected by each of these companies to serve as the data integration solution.
While Phase 1 focused on what is on the network, Phase 2 examines who is using the network. The four functional tool areas of CDM Phase 2 (TRUST, BEHAVE, CRED and PRIV) will be deployed to verify trust levels, training, credentials and access rights according to established departmental policies. As in Phase 1, these tool areas are supported by disparate technologies that will produce massive amounts of data. To help make sense of that data, DHS and GSA have approved Splunk® Enterprise and Splunk Enterprise Security (Splunk ES) for all four functional areas of Phase 2. Splunk will correlate these disparate data sources to create and monitor the Master User Record (MUR), the central repository of attributes for all four tool areas, and will alert on and remediate, in real time, any instance where the MUR shows a delta from the ‘desired state’ defined by department/agency (D/A) policy.
Think of the analytic power you gain by bringing all your endpoint data (the Master Device Record, or MDR) and user data (the MUR) into a single Splunk index. Federal departments and agencies will be able to examine patterns and trends within their networks, evaluate access behaviors, and rapidly identify activity and patterns that lie outside the norm.
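To make the MUR correlation and desired-state check concrete, here is an added Python example (not Splunk's code or part of the CDM data model) that merges constructed records from the four Phase 2 tool areas into one record per user, compares each record to a D/A policy, and surfaces the deviations; the attribute names, sample users and policy values are assumptions for illustration.

```python
# Constructed sample records from the four CDM Phase 2 tool areas, keyed by user.
# Attribute names are assumptions for this example, not the CDM data model.
TRUST = {"alice": {"background_check": "current"},
         "bob": {"background_check": "expired"},
         "carol": {"background_check": "current"}}
BEHAVE = {"alice": {"training_complete": True},
          "bob": {"training_complete": False}}        # no BEHAVE record for carol
CRED = {"alice": {"mfa": "piv"}, "bob": {"mfa": "password"}, "carol": {"mfa": "piv"}}
PRIV = {"alice": {"privileged": False},
        "bob": {"privileged": True},
        "carol": {"privileged": False}}

# Desired state as a department/agency policy: attribute -> required value.
DESIRED_STATE = {"background_check": "current", "training_complete": True, "mfa": "piv"}


def build_mur(*sources):
    """Correlate per-tool-area records into one Master User Record per user."""
    mur = {}
    for source in sources:
        for user, attrs in source.items():
            mur.setdefault(user, {}).update(attrs)
    return mur


def find_deltas(mur, desired):
    """Return {user: {attribute: (actual, required)}} for every deviation.

    A user with no record from a tool area has actual == None, which still
    counts as a delta: an unverified attribute is not the desired state.
    """
    deltas = {}
    for user, record in mur.items():
        for attr, required in desired.items():
            actual = record.get(attr)
            if actual != required:
                deltas.setdefault(user, {})[attr] = (actual, required)
    return deltas


def privileged_deviations(mur, deltas):
    """Users out of desired state who also hold privileged access (PRIV)."""
    return sorted(u for u in deltas if mur[u].get("privileged"))


if __name__ == "__main__":
    mur = build_mur(TRUST, BEHAVE, CRED, PRIV)
    deltas = find_deltas(mur, DESIRED_STATE)
    for user, issues in deltas.items():
        print(user, issues)
    print("privileged users out of policy:", privileged_deviations(mur, deltas))
```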
Looking forward, CDM Phase 3 will focus on what is happening on the network and will include the creation of a Master System Record (MSR). In CDM, the term ‘system’ means a set of hardware and software that exists to perform a mission. By the end of Phase 3, federal civilian departments and agencies will be able to hold an MDR, MUR and MSR within a single Splunk Enterprise index, correlating endpoint, user and event data across the entire enterprise.
So after reading all this, you may be asking: what can I really do with this data? What most excites me is the ability for agencies to fully embrace risk-based decision-making. With correlated vulnerability, threat and configuration data all housed within Splunk, federal CISOs can comfortably move to event-driven authorization, granting a system an Authority to Operate (ATO) based only on real-time system conditions. If anything changes in the vulnerability, threat or configuration data, the ATO can immediately be revoked and the system taken offline.
This real-time, risk-based decision-making is the key to securing government networks, and through the CDM program, Splunk now has the honor of serving as the data integration tool for all federal departments and agencies.
CDM Program Manager & Public Sector Cloud Specialist