Tuesday, July 21, 2015

Going Too Far to Prove a Point

I just read Hackers Remotely Kill a Jeep on the Highway - With Me in It by Andy Greenberg. It includes the following:

"I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold...

To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the I-40 on-ramp, “no matter what happens, don’t panic.”

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.


“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.

I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop...

After narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment." (emphasis added)

I had two reactions to this article:

1. It is horrifying that hackers can remotely take control of a vehicle. The auto industry has a lot of work to do. It's unfortunate that it takes private research and media attention to force a patch (which has now been published.) Hopefully a combination of Congressional attention, product safety laws, and customer pressure will improve the security of the auto industry before lives and property are affected.

2. It is also horrifying to conduct a hacking "experiment" on I-40, with vehicles driving at 60 or more MPH, carrying passengers. It's not funny to put lives at risk, whether they are volunteers like the driver/author or other people on the highway.

Believing it is ok reflects the same juvenile thinking that motivated another "researcher," Chris Roberts, to apparently "experiment" with live airplanes, as reported by Wired and other news outlets.

Hackers are not entitled to jeopardize the lives of innocent people in order to make a point. They can prove their discoveries without putting others, who have not consented to be guinea pigs, at risk.

It would be a tragedy if the first death by physical-digital convergence occurs because a "security researcher" is "experimenting" in order to demonstrate a proof of concept.

Tuesday, June 30, 2015

My Security Strategy: The "Third Way"

Over the last two weeks I listened to and watched all of the hearings related to the OPM breach. During the exchanges between the witnesses and legislators, I noticed several themes. One presented the situation facing OPM (and other Federal agencies) as confronting the following choice:

You can either 1) "secure your network," which is very difficult and going to "take years," due to "years of insufficient investment," or 2) suffer intrusions and breaches, which is what happened to OPM.

This struck me as an odd dichotomy. The reasoning appeared to be that because OPM did not make "sufficient investment" in security, a breach was the result.

In other words, if OPM had "sufficiently invested" in security, they would not have suffered a breach.

I do not see the situation in this way, for two main reasons.

First, there is a difference between an "intrusion" and a "breach." An intrusion is unauthorized access to a computing resource. A breach is the theft, alteration, or destruction of that computing resource, following an intrusion.

It therefore follows that one can suffer an intrusion, but not suffer a breach.

One can avoid a breach following an intrusion if the security team can stop the adversary before he accomplishes his mission.

Second, there is no point at which any network is "secure," i.e., intrusion-proof. It is more likely one could operate a breach-proof network, but that is not completely attainable, either.

Still, the most effective strategy is a combination of preventing as many intrusions as possible, complemented by an aggressive detection and response operation that improves the chances of avoiding a breach, or at least minimizes the impact of a breach.

This is why I call "detection and response" the "third way" strategy. The first way, "secure your network" by making it "intrusion-proof," is not possible. The second way, suffer intrusions and breaches, is not acceptable. Therefore, organizations should implement a third way strategy that stops as many intrusions as possible, but detects and responds to those intrusions that do occur, prior to their progression to breach status.

My Prediction for Top Gun 2 Plot

We've known for about a year that Tom Cruise is returning to his iconic "Maverick" role from Top Gun, and that drone warfare would be involved. A few days ago we heard a few more details in this Collider story:

[Producer David Ellison]: There is an amazing role for Maverick in the movie and there is no Top Gun without Maverick, and it is going to be Maverick playing Maverick. It is I don’t think what people are going to expect, and we are very, very hopeful that we get to make the movie very soon. But like all things, it all comes down to the script, and Justin is writing as we speak.

[Interviewer]; You’re gonna do what a lot of sequels have been doing now which is incorporate real use of time from the first one to now.

ELLISON and DANA GOLDBERG: Absolutely...

ELLISON:  As everyone knows with Tom, he is 100% going to want to be in those airplanes shooting it practically. When you look at the world of dogfighting, what’s interesting about it is that it’s not a world that exists to the same degree when the original movie came out. This world has not been explored. It is very much a world we live in today where it’s drone technology and fifth generation fighters are really what the United States Navy is calling the last man-made fighter that we’re actually going to produce so it’s really exploring the end of an era of dogfighting and fighter pilots and what that culture is today are all fun things that we’re gonna get to dive into in this movie.

What could the plot involve?

First, who is the adversary? You can't have dogfighting without a foe. Consider the leading candidates:

  • Russia: Maybe. Nobody is fond of what President Putin is doing in Ukraine.
  • Iran: Possible, but Hollywood types are close to the Democrats, and they will not likely want to upset Iran if Secretary Kerry secures a nuclear deal.
  • China: No way. Studios want to release movies in China, and despite the possibility of aerial conflict in the East or South China Seas, no studio is going to make China the bad guy. In fact, the studio will want to promote China as a good guy to please that audience.
  • North Korea: No way. Prior to "The Interview," this was a possibility. Not anymore!
My money is on an Islamic terrorist group, either unnamed, or possibly Islamic State. They don't have an air force, you say? This is where the drone angle comes into play.

Here is my prediction for the Top Gun 2 plot.

Oil tankers are trying to pass through the Gulf of Aden, or maybe the Strait of Hormuz, carrying their precious cargo. Suddenly a swarm of small, yet armed, drones attack and destroy the convoy, setting the oil ablaze in a commercial and environmental disaster. The stock market suffers a huge drop and gas prices skyrocket.

The US Fifth Fleet, and its Chinese counterpart, performing counter-piracy duties nearby, rush to rescue the survivors. They set up joint patrols to guard other commercial sea traffic. Later the Islamic group sends another swarm of drones to attack the American and Chinese ships. This time the enemy includes some sort of electronic warfare-capable drones that jam US and Chinese GPS, communications, and computer equipment. (I'm seeing a modern "Battlestar Galactica" theme here.) American and Chinese pilots die, and their ships are heavily damaged. (By the way, this is Hollywood, not real life.)

The US Navy realizes that its "net-centric," "technologically superior" force can't compete with this new era of warfare. Cue the similarities with the pre-Fighter Weapons School, early Vietnam situation described in the first scenes at Miramar in the original movie. (Remember, a 12-1 kill ratio in Korea, 3-1 in early Vietnam due to reliance on missiles and atrophied dogfighting skills, back to 12-1 in Vietnam after Top Gun training?)


The US Navy decides it needs to bring back someone who thinks unconventionally in order to counter the drone threat and resume commercial traffic in the Gulf. They find Maverick, barely hanging on to a job teaching at a civilian flight school. His personal life is a mess, and he was kicked out of the Navy during the first Gulf War in 1991 for breaking too many rules. Now the Navy wants him to teach a new generation of pilots how to fight once their "net-centric crutches" disappear.

You know what happens next. Maverick returns to the Navy as a contractor. Top Gun is now the Naval Strike and Air Warfare Center (NSAWC) at NAS Fallon, Nevada. The Navy retired his beloved F-14 in 2006, so there is a choice to be made about what aircraft awaits him in Nevada. I see three possibilities:

1) The Navy resurrects the F-14 because it's "not vulnerable" to the drone electronic warfare. This would be cool, but they aren't going to be able to fly American F-14s due to their retirement. CGI maybe?

2) The Navy flies the new F-35, because it's new and cool. However, the Navy will probably not have any to fly. CGI again?

3) The Navy flies the F-18. This is most likely, because producers could film live operations as they did in the 1980s.

Beyond the aircraft issues, I expect themes involving relevance as one ages, re-integration with military culture, and possibly friction between members of the joint US-China task force created to counter the Islamic threat.

In the end, thanks to the ingenuity of Maverick's teaching and tactics, the Americans and Chinese prevail over the Islamic forces. It might require Maverick to make the ultimate sacrifice, showing he's learned that warfare is a team sport, and that he really misses Goose. The Chinese name their next aircraft carrier the "Pete Mitchell" in honor of Maverick's sacrifice. (Forget calling it the "Maverick" -- too much rebellion for the CCP.)

I'm looking forward to this movie.

Saturday, June 27, 2015

Hearing Witness Doesn't Understand CDM

This post is a follow up to this post on CDM. Since that post I have been watching hearings on the OPM breach.

On Wednesday 24 June a Subcommittee of the House Committee on Homeland Security held a hearing titled DHS’ Efforts to Secure .Gov.

A second panel (starts in the Webcast around 2 hours 20 minutes) featured Dr. Daniel M. Gerstein, a former DHS official now with RAND, as its sole witness.

During his opening statement, and in his written testimony, he made the following comments:

"The two foundational programs of DHS’s cybersecurity program are EINSTEIN (also called EINSTEIN 3A) and CDM. These two systems are designed to work in tandem, with EINSTEIN focusing on keeping threats out of federal networks and CDM identifying them when they are inside government networks.

EINSTEIN provides a perimeter around federal (or .gov) users, as well as select users in the .com space that have responsibility for critical infrastructure. EINSTEIN functions by installing sensors at Web access points and employs signatures to identify cyberattacks.

CDM, on the other hand, is designed to provide an embedded system of sensors on internal government networks. These sensors provide real-time capacity to sense anomalous behavior and provide reports to administrators through a scalable dashboard. It is composed of commercial-off-the-shelf equipment coupled with a customized dashboard that can be scaled for administrators at each level." (emphasis added)

All of the text in bold is false. CDM is not "identifying [threats] when they are in inside government networks." CDM is not "an embedded system of sensors on internal government networks" looking for threat actors.

Why does Dr. Gerstein so misunderstand the CDM program? The answer is found in the next section of his testimony, reproduced below.

"CDM operates by providing

          federal departments and agencies with capabilities and tools that identify
          cybersecurity risks on an ongoing basis, prioritize these risks based upon
          potential impacts, and enable cybersecurity personnel to mitigate the
          most significant problems first. Congress established the CDM program
          to provide adequate, risk-based, and cost-effective cybersecurity and
          more efficiently allocate cybersecurity resources." (emphasis added)

The indented section is reproduced from the DHS CDM Website, as footnoted in Dr. Gerstein's statement.

The answer to my question of misunderstanding involves two levels of confusion.

The first level of confusion is a result of the the CDM description, which confuses risks with vulnerabilities. Basically, the CDM description should say vulnerabilities instead of risks. CDM, now known as Continuous Diagnostics and Mitigation, is a "find and fix flaws (i.e., vulnerabilities) faster" program.

In other words, the CDM description should say:

"CDM gives federal departments and agencies with capabilities and tools that identify cybersecurity vulnerabilities on an ongoing basis, prioritize these vulnerabilities based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first."

The second level of confusion is a result of Dr. Gerstein confusing risks with threats. It is clear that when Dr. Gerstein reads the CDM description and its mention of "risks," he thinks CDM is looking for threat actors. CDM does not look for threat actors; CDM looks for vulnerabilities. Vulnerabilities are flaws in software or configuration that make it possible for intruders to gain unauthorized access.

As I wrote in my CDM post, we absolutely need the capability to find and fix flaws faster. We need CDM. However, do not confuse CDM with the operational capability to detect and remove threat actors. CDM could be deployed across the entire Federal government, but it would be an accident if a security analyst noticed an intruder using a CDM tool.

Essentially, the government needs to implement My Federal Government Security Crash Program to detect and remove threat actors.

It is critical that staffers, lawmakers, and the public understand what is happening, and not be lulled into a false sense of security due to misunderstanding these concepts.

Saturday, June 20, 2015

The Tragedy of the Bloomberg Code Issue

Last week I Tweeted about the Bloomberg "code" issue. I said I didn't know how to think about it. The issue is a 28,000+ word document, enough to qualify as a book, that's been covered by news outlets like the Huffington Post.

I approached the document with an open mind. When I opened my mail box last week, I didn't expect to get a 112 page magazine devoted to explaining the importance of software to non-technical people. It was a welcome surprise.

This morning I decided to try to read some of the issue. (It's been a busy week.) I opened the table of contents, shown at left. It took me a moment, but I realized none of the article titles mentioned security.

Next I visited the online edition, which contains the entire print version and adds additional content. I searched the text for the word "security." These are the results:

Security research specialists love to party.

I have been asked if I was physical security (despite security wearing very distinctive uniforms),” wrote Erica Joy Baker on Medium.com who has worked, among other places, at Google.

Can we not rathole on Mailinator before we talk overall security?

We didn’t talk about password length, the number of letters and symbols necessary for passwords to be secure, or whether our password strategy on this site will fit in with the overall security profile of the company, which is the responsibility of a different division. 

Ditto many of the security concerns that arise when building websites, the typical abuses people perpetrate.

“First, I needed to pass everything through the security team, which was five months of review,” TMitTB says, “and then it took me weeks to get a working development environment, so I had my developers sneaking out to Starbucks to check in their code. …”

In Fortran, and I ask to see your security clearance.

If you're counting, that's eight instances of "security" in seven sentences. There's no mention of "software security." There's a small discussion about "e-mail validation," but it's printed to show how broken software development meetings can be.

Searching for "hack" yields two references to "Hacker News" and this sentence talking about the perils of the PHP programming language:

Everything was always broken, and people were always hacking into my sites.

There is one result for "breach," but it has nothing to do with security incidents. The only time the word "incident" appears is in a sentence talking about programming conference attendees behaving badly.

In brief, a 112 page magazine devoted to the importance of software has absolutely nothing useful to say about software security. Arguably, it says absolutely nothing on software security.

When someone communicates, what he or she doesn't say can be as important as what he or she does say.

In the case of this magazine, it's clear that software security is not on the minds of the professional programmer who wrote the issue. It's also not a concern of the editor or any of the team that contributed to it.

From what I have seen, that neglect is not unique to Bloomberg.

That is the tragedy of the Bloomberg code issue, and it remains a contributing factor to the decades of breaches we have been suffering.

Friday, June 19, 2015

Air Force Enlisted Ratings Remain Dysfunctional

I just read Firewall 5s are history: Quotas for top ratings announced in Air Force Times. It describes an effort to eliminate the so-called "firewall 5" policy with a new "forced distribution" approach:

The Air Force's old enlisted promotion system was heavily criticized by airmen for out-of-control grade inflation that came with its five-point numerical rating system. There were no limits on how many airmen could get the maximum: five out of five points [aka "firewall 5"]. As a result nearly everyone got a 5 rating.

As more and more raters gave their airmen 5s on their EPR [ Enlisted Performance Report], the firewall 5 became a common occurrence received by some 90 percent of airmen. And this meant the old EPR was effectively useless at trying to differentiate between levels of performance...

Under the new system, [Brig. Gen. Brian Kelly, director of military force management policy] said in a June 12 interview at the Pentagon, the numerical ratings are gone — and firewall 5s will be impossible...

The quotas — or as the Air Force calls them, "forced distribution" — will be one of the final elements to be put in place in the service's massive overhaul of its enlisted promotion process, which has been in the works for three years...

Only the top 5 percent, at most, of senior airmen, staff sergeants and technical sergeants who are up for promotion to the next rank will be deemed "promote now" and get the full 250 EPR points...

The quotas for the next tier of airmen — who will be deemed "must promote" and will get 220 out of 250 EPR points — will differ based on their rank. Kelly said that up to 15 percent of senior airmen who are eligible for promotion to staff sergeant can receive a "must promote" rating, and up to 10 percent of staff sergeants and tech sergeants up for promotion to technical and master sergeant can get that rating, and the accompanying 220 points.

The next three ratings — "promote," "not ready now" and "do not promote" — will each earn airmen 200, 150 and 50 points, respectively. But there will be no limit on how many airmen can get those ratings. (emphasis added)

I am not an expert on the enlisted performance rating system. In some ways, I think the EPR is superior to the corresponding system for officers, because enlisted personnel take tests whose scores influence their promotion potential.

However, upon reading this story, it reminded me of my 2012 post How to Kill Teams Through "Stack Ranking", which cited a Vanity Fair article about Microsoft's old promotion system:

[Author Kurt] Eichenwald’s conversations reveal that a management system known as “stack ranking” — a program that forces every unit to declare a certain percentage of employees as top performers, good performers, average, and poor — effectively crippled Microsoft’s ability to innovate.

“Every current and former Microsoft employee I interviewed — every one — cited stack ranking as the most destructive process inside of Microsoft, something that drove out untold numbers of employees,” Eichenwald writes.

This sounds uncomfortably like the new Air Force enlisted "forced distribution" system.

I was also reminded of another of my 2012 posts, Bejtlich's Thoughts on "Why Our Best Officers Are Leaving", which stressed the finding that

[V]eterans were shocked to look back at how “archaic and arbitrary” talent management was in the armed forces. Unlike industrial-era firms, and unlike the military, successful companies in the knowledge economy understand that nearly all value is embedded in their human capital. (emphasis added)

I am sure the Air Force is doing what it thinks is right by changing the EPR system. However, it's equivalent to making changes in a centrally planned economy, without abandoning central planning.

It's time the Air Force, and the rest of the military, discard their centrally-planned, promote-the-paper (instead of the person), involuntary assignment process.

In its place I recommend one that openly and competitively advertises and offers positions; gives pay, hiring, and firing authority to the local manager; and adopts similar aspects of sound private sector personnel management.

Today's knowledge economy demands that military personnel be treated as unique individuals, not industrial age interchangeable parts. Our military talent is one of the few competitive advantages we possess over peer rivals. We must not squander it with dysfunctional promotion systems.


Saturday, June 13, 2015

Redefining Breach Recovery

For too long, the definition of "breach recovery" has focused on returning information systems to a trustworthy state. The purpose of an incident response operation was to scope the extent of a compromise, remove the intruder if still present, and return the business information systems to pre-breach status. This is completely acceptable from the point of view of the computing architecture.

During the last ten years we have witnessed an evolution in thinking about the likelihood of breaches. When I published my first book in 2004, critics complained that my "assumption of breach" paradigm was defeatist and unrealistic. "Of course you could keep intruders out of the network, if you combined the right controls and technology," they claimed. A decade of massive breaches have demonstrated that preventing all intrusions is impossible, given the right combination of adversary skill and persistence, and lack of proper defensive strategy and operations.

We need to now move beyond the arena of breach recovery as a technical and computing problem. Every organization needs to think about how to recover the interests of its constituents, should the organization lose their data to an adversary. Data custodians need to change their business practices such that breaches are survivable from the perspective of the constituent. (By constituent I mean customers, employees, partners, vendors -- anyone dependent upon the practices of the data custodian.)

Compare the following scenarios.

If an intruder compromises your credit card, it is fairly painless for a consumer to recover. There is a $50 or less financial penalty. The bank or credit card company handles replacing the card. Credit monitoring and related services are generally adequate for limiting damage. Your new credit card is as functional as the old credit card.

If an intruder compromises your Social Security number, recovery may not be possible. The financial penalties are unbounded. There is no way to replace a stolen SSN. Credit monitoring and related services can only alert citizens to derivative misuse, and the victim must do most of the work to recover -- if possible. The citizen is at risk wherever other data custodians rely on SSNs for authentication purposes.

This SSN situation, and others, must change. All organizations who act as data custodians must evaluate the data in their control, and work to improve the breach recovery status for their constituents. For SSNs, this means eliminating their secrecy as a means of authentication. This will be a massive undertaking, but it is necessary.

It's time to redefine what it means to recover from a breach, and put constituent benefit at the heart of the matter, where it belongs.

Wednesday, June 10, 2015

My Federal Government Security Crash Program

In the wake of recent intrusions into government systems, multiple parties have been asking for my recommended courses of action.

In 2007, following public reporting on the 2006 State Department breach, I blogged When FISMA BitesInitial Thoughts on Digital Security Hearing. and What Should the Feds Do. These posts captured my thoughts on the government's response to the State Department intrusion.

The situation then mirrors the current one well: outrage over an intrusion affecting government systems, China suspected as the culprit, and questions regarding why the government's approach to security does not seem to be working.

Following that breach, the State Department hired a new CISO who pioneered the "continuous monitoring" program, now called "Continuous Diagnostic Monitoring" (CDM). That CISO eventually left State for DHS, and brought CDM to the rest of the Federal government. He is now retired from Federal service, but CDM remains. Years later we're reading about another breach at the State Department, plus the recent OPM intrusions. CDM is not working.

My last post, Continuous Diagnostic Monitoring Does Not Detect Hackers, explained that although CDM is a necessary part of a security program, it should not be the priority. CDM is at heart a "Find and Fix Flaws Faster" program. We should not prioritize closing and locking doors and windows while there are intruders in the house. Accordingly, I recommend a "Detect and Respond" strategy first and foremost.

To implement that strategy, I recommend the following, three-phase approach. All phases can run concurrently.

Phase 1: Compromise Assessment: Assuming the Federal government can muster the motivation, resources, and authority, the Office of Management and Budget (OMB), or another agency such as DHS, should implement a government-wide compromise assessment. The compromise assessment involves deploying teams across government networks to perform point-in-time "hunting" missions to find, and if possible, remove, intruders. I suspect the "remove" part will be more than these teams can handle, given the scope of what I expect they will find. Nevertheless, simply finding all of the intruders, or a decent sample, should inspire additional defensive activities, and give authorities a true "score of the game."

Phase 2: Improve Network Visibility: The following five points include actions to gain enhanced, enduring, network-centric visibility on Federal networks. While network-centric approaches are not a panacea, they represent one of the best balances between cost, effectiveness, and minimized disruption to business operations.

1. Accelerate the deployment of Einstein 3A, to instrument all Federal network gateways. Einstein is not the platform to solve the Federal government's network visibility problem, but given the current situation, some visibility is better than no visibility. If the inline, "intrusion prevention system" (IPS) nature of Einstein 3A is being used as an excuse for slowly deploying the platform, then the IPS capability should be disabled and the "intrusion detection system" (IDS) mode should be the default. Waiting until the end of 2016 is not acceptable. Equivalent technology should have been deployed in the late 1990s.

2. Ensure DHS and US-CERT have the authority to provide centralizing monitoring of all deployed Einstein sensors. I imagine bureaucratic turf battles may have slowed Einstein deployment. "Who can see the data" is probably foremost among agency worries. DHS and US-CERT should be the home for centralized analysis of Einstein data. Monitored agencies should also be given access to the data, and DHS, US-CERT, and agencies should begin a dialogue on whom should have ultimately responsibility for acting on Einstein discoveries.

3. Ensure DHS and US-CERT are appropriately staffed to operate and utilize Einstein. Collected security data is of marginal value if no one is able to analyze, escalate, and respond to the data. DHS and US-CERT should set expectations for the amount of time that should elapse from the time of collection to the time of analysis, and staff the IR team to meet those requirements.

4. Conduct hunting operations to identify and remove threat actors already present in Federal networks. Now we arrive at the heart of the counter-intrusion operation. The purpose of improving network visibility with Einstein (for lack of an alternative at the moment) is to find intruders and eliminate them. This operation should be conducted in a coordinated manner, not in a whack-a-mole fashion that facilitates adversary persistence. This should be coordinated with the "hunt" mission in Phase 1.

5. Collect metrics on the nature of the counter-intrusion campaign and devise follow-on actions based on lessons learned. This operation will teach Federal network owners lessons about adversary campaigns and the unfortunate realities of the state of their enterprise. They must learn how to improve the speed, accuracy, and effectiveness of their defensive campaign, and how to prioritize countermeasures that have the greatest impact on the opponent. I expect they would begin considering additional detection and response technologies and processes, such as enterprise log management, host-based sweeping, modern inspection platforms with virtual execution and detonation chambers, and related approaches.

Phase 3. Continuous Diagnostic Monitoring, and Related Ongoing Efforts: You may be surprised to see that I am not calling for an end to CDM. Rather, CDM should not be the focus of Federal security measures. It is important to improve Federal security through CDM practices, such that it becomes more difficult for adversaries to gain access to government computers. I am also a fan of the Trusted Internet Connection program, whereby the government is consolidating the number of gateways to the Internet.

Note: I recommend anyone interested in details on this matter see my latest book, The Practice of Network Security Monitoring, especially chapter 9. In that chapter I describe how to run a network security monitoring operation, based on my experiences since the late 1990s.