Providing Cybersecurity Inventory, Compliance Tracking, and C2 in a Heterogeneous Tool Environment

Similar documents
Defense Information Systems Agency

The Challenge of Cyberspace Defense and CSSP Services

Software Assurance Ecosystem Knowledge Architecture. 1 Wednesday, December 31, 2008

Forecast to Industry Program Executive Office Mission Assurance/NetOps

Reinvent Your 2013 Security Management Strategy

the SWIFT Customer Security

Back to Basics: Basic CIS Controls

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Risk Management Framework for DoD Medical Devices

White Paper. Comply to Connect with the ForeScout Platform

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

Cybersecurity Capabilities Overview

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Tenable SCAP Standards Declarations. June 4, 2015 (Revision 11)

Meeting RMF Requirements around Compliance Monitoring

MIS Week 9 Host Hardening

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

The Perfect Storm Cyber RDT&E

Security by Default: Enabling Transformation Through Cyber Resilience

Cybersecurity Test and Evaluation Achievable and Defensible Architectures

Defense Security Service Industrial Security Field Operations National Industrial Security Program (NISP) Authorization Office (NAO)

K12 Cybersecurity Roadmap

External Supplier Control Obligations. Cyber Security

Changing face of endpoint security

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Aligning with the Critical Security Controls to Achieve Quick Security Wins

White Paper. View cyber and mission-critical data in one dashboard

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

MAKING SECURITY MEASURABLE AND MANAGEABLE

ISACA Arizona May 2016 Chapter Meeting

INFORMATION ASSURANCE DIRECTORATE

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Information Warfare Industry Day

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

Cyber Hygiene: A Baseline Set of Practices

CyberSecurity: Top 20 Controls

Un SOC avanzato per una efficace risposta al cybercrime

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Best Practices in Healthcare Risk Management. Balancing Frameworks/Compliance and Practical Security

The U.S. Coast Guard s Role in Cybersecurity

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

IASM Support for FISMA

NIST Special Publication

Total Protection for Compliance: Unified IT Policy Auditing

Vulnerability Management. If you only budget for one project this year...

Building Resilience in a Digital Enterprise

MICROSOFT (MS) WINDOWS DEFENDER ANTIVIRUS SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 4 27 APRIL 2018

9 Steps to Protect Against Ransomware

Privileged User Access and Management

AMRDEC CYBER Capabilities

Container Deployment and Security Best Practices

The Common Controls Framework BY ADOBE

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

INFORMATION ASSURANCE DIRECTORATE

Automating the Top 20 CIS Critical Security Controls

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Mapping BeyondTrust Solutions to

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Innovate or die!? Modern IT Workplace Security. Alex Verboon Cyber Security Consultant

CIS Controls Measures and Metrics for Version 7

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

CIS Controls Measures and Metrics for Version 7

Designing and Building a Cybersecurity Program

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Cybersecurity Today Avoid Becoming a News Headline

INFORMATION ASSURANCE DIRECTORATE

Cybersecurity Best Practices

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Ransomware A case study of the impact, recovery and remediation events

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

INFORMATION ASSURANCE DIRECTORATE

CNSS Advisory Memorandum Information Assurance December 2010 Advisory Memorandum

McAfee Public Cloud Server Security Suite

Critical Hygiene for Preventing Major Breaches

SANS SCADA and Process Control Europe Rome 2011

Cyber Resilience. Think18. Felicity March IBM Corporation

Continuous Diagnostics and Mitigation demands, CyberScope and beyond

Risk Intelligence. Quick Start Guide - Data Breach Risk

Carbon Black PCI Compliance Mapping Checklist

PROFESSIONAL SERVICES (Solution Brief)

CISO as Change Agent: Getting to Yes

INFORMATION ASSURANCE DIRECTORATE

2017 Annual Meeting of Members and Board of Directors Meeting

INFORMATION ASSURANCE DIRECTORATE

Migrating Applications to the Cloud

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

SOLUTIONS BRIEFS. ADMINISTRATION (Solutions Brief) KEY SERVICES:

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Transcription:

Providing Cybersecurity Inventory, Compliance Tracking, and C2 in a Heterogeneous Tool Environment Joseph L. Wolfkiel Secure Configuration Management Lead Engineer May 2018 1

Disclaimer The information provided in this briefing is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government. 2

Overview Objective and Problem Statement Defining Terms Building an Enterprise Inventory and Compliance Baseline Today s Homogeneous C2 and Reporting Environment Conducting Enterprise Cyber C2 in Today s Environment Heterogeneous Environment of the Future Comparative Challenges Stuff We Think We Can Do Stuff We Still Have to Figure Out 3

Objective and Problem Statement Objective: To help attendees understand the challenges in conducting Cyber Command and Control (C2) and reporting in the evolving DoD and commercial cyberspace environment Problem Statement: The DoD has been moving to a common cybersecurity toolset for 10+ years Starting with Host-Based Security System (HBSS) in 2004-2005 HBSS included management agent & Host Intrusion Prevention System (HIPS) Moved to single AV product integrated with HBSS Added enterprise Compliance checking Device Control Module Application whitelisting Software inventory Common vulnerability and STIG scanner acquired as Assured Compliance Assessment Solution (ACAS) Current plans go to per-component best of breed products US Cyber Command and the Joint Forces Headquarters, DoD Information Network (JFHQ DoDIN) need to provide enterprise defense 4

Defining Terms Cybersecurity: Prevention of damage to, protection of, and restoration computers and networks, to ensure availability, integrity, authentication, confidentiality, and nonrepudiation (DoDI8500.01, 14 Mar 14) Inventory: A complete list of items such as property, goods in stock...(bing.com) Compliance: The state or fact of according with or meeting standards (bing.com) Command and Control (C2): Exercise of authority and direction of assigned forces (U.S. Army FM 3-0) Heterogeneous: composed of parts of different kinds (Dictionary.com) 5

Building an Enterprise Inventory and Compliance Baseline Cumulative process, following NIST 8011 and CIS basic security control concepts Hardware Asset Management (HWAM) - Asset ID and inventory, operational context Software Asset Management (SWAM) - Software inventory & install/execution control Vulnerability Management (VUL) - Vulnerability awareness and patch priority Security Configuration Management (CONF) - Security Technical Implementation Guidance (STIG) & Individual Configuration Directives Anti-Malware - Host Intrusion Prevention System and Antivirus Insider Threat Mitigations - Data Loss Prevention (DLP), user behavior analytics, and knowledge management (KM) 6

Today s Homogeneous C2 and Reporting Environment - Multiple Tools, But Only One Per Capability HBSS and ACAS are Primary Sensors Plans to add C2C Sensor Criticality Missions RMF control compliance Workflow emass Mission System Data CMRS Hardware Inventory Software Inventory STIG compliance IAVM compliance Defensive product deployment Product configuration compliance Rollup, drilldown, filtering by attribute Directives Tasking Orders IAVM (Vuln-Patch) STIG (Configuration) COAMS (Names) Directive Content All data reported to CMRS or input to emass Active Vuln Scans Passive Vuln Scans Repository ACAS Software & Patch Inventory Host IPS Application Control Antivirus STIG and Patch Compliance Operational Context Data Loss Prevention HBSS Policy-Based Network Access Orchestration C2C Routers/Switches/Network/IoT/Mobile Workstations/ Servers 7

Conducting Enterprise Cyber C2 in Today s Environment Which Devices are Permitted on the Network Unsupported products TBD Enterprise C2C policy Application of Patches The IAVM process Scanning and Reporting of Vulnerabilities ACAS Tasking Orders and the IAVM process Directing Secure Configurations STIG process Directing Malware Mitigations Custom Host Intrusion Prevention System Signatures Minimum AV signature ages and scan frequency Mitigation Directives JFHQ DoDIN Cyber Components Mitigation Directives Implementation Elements Devices Compliance Compliance 8

Heterogeneous Environment of the Future: Best of Breed Tools for All of Today s Capabilities Then Some Each component picks Block a writing best-of-breed data to tool from a set of approved tools. Now, JFHQ DoDIN issues removable directives media to execute on the functionality in each tool type Block notepad from Secret systems running as Admin Only pure Host text DLP and pdf Sol 1 Host DLP Sol 2 Host DLP Sol 3 documents to be copied Host IPS Sol 1 Host IPS Sol 2 Host IPS Sol 3 from browsers Ensure AV is blocking Containment Sol 1 Containment Sol 2 Containment WannaCry Sol Ransomware 3 AV/Malware Sol 1 Verify SMBv1 AV/Malware is disabledsol 2 AV/Malware Sol 3 Verify Config the Checking Win10 Sol 1 Config Checking Sol 2 Config Checking Sol 3 Cumulative Vuln Scanning update is Sol 1 Vuln Scanning Sol 2 Vuln Scanning Sol 3 applied App Whitelisting on all Win10 Sol 1 App Whitelisting Sol 2 App Ensure Whitelisting Flash Player Sol 3is SW Inventory Solution 1 SW Inventory Solution 2 SW never Inventory allowed Solution to run on 3 DoD systems NAC/C2C Solution 1 NAC/C2C Solution 2 Verify that trusted smartcard middleware is installed on every Linux and Windows device Networked Devices Ensure DoD coalition partners that connect to DoD networks can only send traffic to the Internet 9

Comparative Challenges Homogeneous Implement enterprise protective or defensive measures Automatically collect directive compliance data Broken out by device count, location, organization, and/or accreditation boundary Event analysis to determine how frequently measures are being invoked Heterogeneous Implement enterprise protective or defensive measures in a tool-agnostic way Automatically collect compliance data Broken out by device count, location, organization, and/or accreditation boundary and correlate the compliance indicators between different tools Analyze event data to determine how frequently measures are being invoked when different events are being produced per tool for the same incident Future: Factor in all protective and defensive capabilities to determine, per attack vector, if a device population is protected from a threat or class of threats 10

Stuff We Think We Can Do Asset Identification/Correlation Same Device? How do you tell? IP, MAC, Hostname, Serial Number, BIOS GUID, Software GUID? 11

Stuff We Think We Can Do Asset Operational Context/Characterization 1 Create and Maintain an Enterprise Standardized List of Names to be Used 3 Leverage the Interoperability to Generate Enterprise Situational Awareness 2 Use Standardized Names to Describe Elements of Operational Context: Who owns it? Where is it? What accreditation boundary does it belong to? 12

Stuff We Think We Can Do Patch and Vulnerability Management, Config Compliance How? Leverage the NIST Security Content Automation Protocol Language to check for settings and software in a given Operating System XCCDF Checklist automation (STIG) CVE Standardized IDs for vulnerabilities CCE Standardized IDs for settings CPE Standardized names for hardware and software XCCDF Checklist 13

Stuff We Still Have to Figure Out Standard policies and compliance reporting for: Antivirus Data loss prevention Host IPS Application whitelisting Containment Other TBD Way Ahead: Try to leverage SCAP concepts Minimum compliance set per required function Compliance measures in benchmarks per tool and/or capability set Resolve compliance assessments to pass/fail 14

Questions? 15

16

DEFENSE INFORMATION SYSTEMS AGENCY The IT Combat Support Agency www.disa.mil /USDISA @USDISA 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback