
Meeting DFARS Requirements in AWS GovCloud (US) | AWS Public Sector Summit 2017


The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the FAR that provides Department of Defense-specific acquisition regulations that DoD government acquisition officials and contractors doing business with DoD must follow in the procurement process for goods and services. This session will discuss the implications for meeting DFARS in the cloud and provide practical guidance on how DoD and defense contracting organizations can meet DFARS requirements using AWS GovCloud (US). The session will also feature a customer use case on addressing DFARS in AWS GovCloud (US). Learn More: https://aws.amazon.com/government-education/



  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Meeting DFARS Requirements in AWS GovCloud (US). Tim Sandage, Sr. Security Partner Strategist, AWS GovCloud; Robert Daugherty, CISO, Cobham Advanced Electronic Solutions; Lori Crooks, Dir. Compliance, Cobham Advanced Electronic Solutions. June 13, 2017.
  2. DFARS Compliance Requirements. DFARS Clause 252.204-7012, August 26, 2015 (revised October 21, 2016)
     • Requires Covered Contractors to apply the NIST 800-171 controls to their Covered Information Systems that store, process, or transmit Unclassified Covered Defense Information
     • Requires reporting of Cyber Incidents that result in actual compromise of, or have a potentially adverse effect on, Covered Information Systems
     • The definition of compromise includes violations of security policy, either intentional or unintentional
  3. DFARS 252.204-7012 Lesser Known Facts
     • Incident response is required within 72 hours
     • Need a Security Information and Event Management (SIEM) tool
     • All requirements must be passed down to subcontractors
     • Can affect the ability of an organization to bid on and/or be awarded DoD contracts
     • Contractors must notify the DoD CIO of any deficient controls within 30 days of contract award
     • DoD estimates this applies to 10,000 contractors
     • Deadline extended on Dec 30, 2016 to Dec 31, 2017
  4. 800-171 Notes
     • A simplified version of the NIST 800-53 controls in an easier-to-use format
     • Reduction of controls is around 30%
     • Focuses on technical controls around least privilege, separation of duties, multi-factor authentication, boundary protection, and auditing
     • Many controls are implemented via configuration settings (example: limit unsuccessful logon attempts)
     • Tailored to commercial entities that need to protect sensitive information
     • Less government-focused than 800-53
  5. DFARS / NIST 800-171 Compliance in AWS: Benefits
     • Organizations can fully deploy DFARS workloads in AWS GovCloud (US)
  6. AWS Security by Design. Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD builds security controls in throughout the AWS IT management process. Services: AWS Identity and Access Management, AWS CloudTrail, Amazon CloudWatch, AWS Config Rules, AWS Trusted Advisor, AWS CloudHSM, AWS Key Management Service, AWS Directory Service.
  7. SbD DFARS Ecosystem: AWS Identity and Access Management, AWS CloudTrail, Amazon CloudWatch, AWS Config Rules, AWS Trusted Advisor, AWS CloudHSM, AWS Key Management Service, AWS Directory Service.
  8. You can use resource-level permissions to control a user's ability to perform specific actions on CloudTrail trails. Sample: NIST 800-171 3.3.9, Limit management of audit functionality: limit management of audit functionality to a subset of privileged users.
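As an added illustration of slide 8 (not material from the talk or from AWS), the following Python builds two IAM policy documents that split CloudTrail trail management from read access, and includes a small evaluator applying IAM's decision order (explicit Deny first, then Allow, otherwise implicit deny) so the separation can be checked offline before the policies are attached. The account ID, trail name, and group names are constructed placeholders; the evaluator only handles Action/Resource wildcards and ignores conditions and NotAction.

```python
"""Resource-level IAM permissions on CloudTrail trails (NIST 800-171 3.3.9).

Constructed example: an audit-admin policy that may manage one named trail,
a developer policy that may only read trail status, and an evaluator that
applies IAM's decision logic (explicit Deny > Allow > implicit Deny).
"""
import json
import re

# Constructed sample identifiers; GovCloud ARNs use the aws-us-gov partition.
ACCOUNT_ID = "123456789012"
TRAIL_ARN = f"arn:aws-us-gov:cloudtrail:us-gov-west-1:{ACCOUNT_ID}:trail/dfars-audit-trail"
ANY_TRAIL_ARN = "arn:aws-us-gov:cloudtrail:*:*:trail/*"

# Actions that alter or stop audit logging; each accepts a trail ARN as Resource.
TRAIL_MANAGEMENT_ACTIONS = [
    "cloudtrail:StartLogging", "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
]
# Read-only actions; DescribeTrails is not resource-scoped, so Resource must be "*".
TRAIL_READ_ACTIONS = ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents"]

# Attached to the (hypothetical) audit-admins group: manage exactly one trail, read all.
AUDIT_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ManageDfarsTrail", "Effect": "Allow",
         "Action": TRAIL_MANAGEMENT_ACTIONS, "Resource": TRAIL_ARN},
        {"Sid": "ReadTrails", "Effect": "Allow",
         "Action": TRAIL_READ_ACTIONS, "Resource": "*"},
    ],
}

# Attached to everyone else: read trail status, explicitly denied from changing any trail.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadTrails", "Effect": "Allow",
         "Action": TRAIL_READ_ACTIONS, "Resource": "*"},
        {"Sid": "NoTrailManagement", "Effect": "Deny",
         "Action": TRAIL_MANAGEMENT_ACTIONS, "Resource": ANY_TRAIL_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' is any run, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are compared as written.
    action_hit = any(_glob_match(p, action, True) for p in _as_list(stmt["Action"]))
    resource_hit = any(_glob_match(p, resource, False) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow => implicit deny


def audit_separation_report(policies_by_group):
    """Probe which groups could disable or remove the DFARS trail."""
    probes = [("cloudtrail:StopLogging", TRAIL_ARN),
              ("cloudtrail:DeleteTrail", TRAIL_ARN),
              ("cloudtrail:GetTrailStatus", TRAIL_ARN)]
    return {group: {action: evaluate(pols, action, res) for action, res in probes}
            for group, pols in policies_by_group.items()}


if __name__ == "__main__":
    # The JSON below is what you would pass to `aws iam create-policy --policy-document`.
    print(json.dumps(AUDIT_ADMIN_POLICY, indent=2))
    print(json.dumps(audit_separation_report(
        {"audit-admins": [AUDIT_ADMIN_POLICY], "developers": [DEVELOPER_POLICY]}), indent=2))
```

The deny statement in the developer policy is what makes the control robust: if a developer is later given a broader Allow by some other policy, the explicit Deny on trail management still takes precedence, which the last assertion in the report demonstrates.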
  9. Cobham Advanced Electronic Solutions
  10. Mission
  11. INFOSEC: using a counterintelligence, data-driven, and risk-based approach to...
     • Proactively detect and monitor for external and internal threats to reputation, property, customer information, and potential breach;
     • Maintain the confidentiality, integrity, and availability of organizational data and information systems; and
     • Provide governance, risk, and compliance subject matter expertise to sustain business operations.
  12. INFOSEC Truths
  13. 1. People are more important than tools or systems. 2. Quality is better than quantity. 3. Skilled INFOSEC professionals cannot be mass produced. 4. Competent INFOSEC professionals and capabilities cannot be created during an emergency. 5. Simple solutions are inherently more secure than complex solutions. 6. Plan, train, and test for failure: you will be breached. "Always remember that your focus determines your reality." George Lucas
  14. Threat Landscape
  15. (Chart: figures 229, 87%, 90%; source: Mandiant, Verizon.)
  16. (Chart of breach costs: $5.8M, $300M, $56M, $100M, $100+M, $252M, $171M; $2.1 trillion globally by 2019.)
  17. 50 TB of data. UNCLASSIFIED. PLA industry hacking, 2008 to 2014: Su Bin (a.k.a. Steven Su / Steven Subin), sentenced in 2016, aided by UC1 and UC2.
     • International Traffic in Arms Regulations (ITAR) data
     • DIB research and development
     • B-2, F-22, F-35, C-17
     • F-35 Lightning: radar design; number and types of modules; detailed engine schematics; methods for cooling gases; leading and trailing edge treatments; aft deck heating contour maps
  18. Approach
  19. PAST vs TODAY
  20. PAST vs TODAY
     • Threat vectors: generic malware (past); APT/FIE (today)
     • Type of attack: "shotgun" approach (past); surgical (today)
     • Mentality: "we can stop attacks" (past); "we will be hacked" (today)
     • Technology: signature/rule based (past); behavior/analytics, time to detect, training and awareness (today)
  21. Background
  22. NO CLOUD
  23. Commercial Cloud Services (C2S): "Innovate - Accelerate - Integrate"
  24. The Quarter From Hell
  25. • 2 unrelated human errors
     • Incomplete migration and consolidation
     • Legacy systems that failed under stress
     • Multiple USG requests
     • Potential insider threat(s)
     • Suspected APT attack
  26. CAES INFOSEC incident response capabilities hosted in a secure and compliant cloud protected a multi-million dollar site from potential closure and allowed the entire business sector to continue normal operations. NO loss of CAES data, NO compromised systems, NO fines.
  27. #whitehotwinning
  28. With a multi-million dollar contract on the line and a possible world-wide customer part recall, INFOSEC had two weeks to (1) build a proprietary data reader, (2) deploy a custom big-data solution, and (3) detect and mitigate a potential insider threat. 6+ billion events; 19+ TB in a proprietary format! Delivered: 2,700+ work events, 0.0000005% of the data. (Chart labels: Job Time, Building, Engineer, Data Science.)
  29. Rapid Analytic Threat Response (RAPTOR): operational and analytical tools, guided by compliance standards. Local ArcSight collector stacks located in 5 data centers worldwide.
  30. Insider Threat Continuous Evaluation: a service that can monitor employee risk for things that matter. Automatically updated risk profiles with risk scoring, constantly updated as new data arrives. Risk profile, John Q Employee. Current risk score: 83 (scale 0 to 100); risk score history plotted as score over time, with anomaly detection. Detailed findings enriched with behavior-based analytics:
     • Adverse HR actions (masked; fact of)
     • Job performance ratings/history
     • Patterns of life (on the job)
     • Credit score / history
     • Adverse public records (OSINT data)
     • Social media of concern (OSINT data)
     • Email content of concern
     • Adverse network activity (log analysis)
     • Investigative results (from security)
     • Social network analysis
  31. Surface Web, Deep Web, Dark Web. The deep web is estimated to hold 90% of content on the web.
     • Social media
     • Academic databases
     • Medical records
     • Financial records
     • Legal documents
     • Scientific reports
     • Government reports
     • Subscription-only information
     • Organization-specific information
     • Political protest
     • Hacktivism
     • Hacking
     • Drug trafficking
     • Illicit activities
  32. So What?
  33. 1. People are more important than tools or systems. 2. Quality is better than quantity. 3. Skilled INFOSEC professionals cannot be mass produced. 4. Competent INFOSEC professionals and capabilities cannot be created during an emergency. 5. Simple solutions are inherently more secure than complex solutions. 6. Plan, train, and test for failure: you will be breached. "Always remember that your focus determines your reality." George Lucas
  35. "Great kid! Don't get cocky." Han Solo
  36. Questions?
  37. Thank You!
