ISF 2015: Continuous Diagnostics Monitoring (May 2015)
1. Applying Continuous Monitoring and Cyber Best Practice to the Texas Cyber Framework
Northrop Grumman Information Systems (NGIS)
Calvin Smith
20 May 2015
Approved for Public Release #15-0906; Unlimited Distribution
2. Agenda
• Introduction
• About Northrop Grumman
• Texas Cybersecurity Framework
• Federal Continuous Monitoring Program
• Dynamic Texas Cyber Monitoring Framework Dashboard
• Cyber Best Practice / Defensive In Depth
• Q&A
3. Northrop Grumman Information Sector Snapshot
At a Glance
• $6.2B business
• More than 16,000 employees
• 50 states, 21 countries
Focus Areas
• Cyber
• Communications
• Command and Control
• Integrated Air and Missile Defense
• Intelligence, Surveillance, Reconnaissance
• Civil
• Health
Approved for Public Release, #15-0507; Unlimited Distribution
4. Information Systems Sector Focus Areas
[Diagram: focus areas by business area, recovered from the slide's labels]
• Health: Bioinformatics and Analytics; Benefits Management; Population Health; Fraud Detection/Prevention; NextGen Claims/Payment Modernization; Personalized Health
• Civil: Financial Compliance and Fraud Detection; Enterprise Support Applications; Information Sharing; Decision Support Tools; Public Safety C2 and Mobility; Identity Management
• ISR: Multi-INT Fusion; Large-Scale Data Management; Multi-Source Solutions; Special Intelligence Solutions; SIGINT; Tactical and Strategic ISR
• Communications: Integrated Avionics; Gateways and Networking; Multi-Function RF Devices; Ground and Airborne Radios; Global SATCOM; Distributed Mission Operations
• Cyber: Full-Spectrum Cyber; Secure Enterprise Computing; Defensive Cyber Operations; Cyber Resilience; Network Exploitation; Big Data Analysis; Biometric Intelligence
• Command and Control (C2): Multi-Domain C2 Systems; Combat System Integration: Air, Land, Maritime; Large-Scale Enterprise C2 Solutions; Critical Infrastructure and Force Protection
• Integrated Air and Missile Defense: Joint Air and Missile Defense; Ballistic Missile Defense Integration; BMD Fieldable Systems; International IAMD
Cross-cutting: Unmanned, Cyber, C4ISR, Logistics
5. About Me
The End-to-End Monitoring team supports federal, state and local government programs, specializing in cyber and performance monitoring.
Cal: 28+ years in networking and cyber, 10 years in continuous and end-to-end monitoring architectures. Currently supporting US CERT as Cyber Technologist and Solution Architect for Texas State Agencies. Previously worked as Cyber Architect for the U.S. Department of State, Department of Homeland Security, Department of Justice and the Patent and Trademark Office.
In his spare time he is an avid music collector, IT cloud tech enthusiast and road warrior.
6. Revised TAC 202
• Method to standardize and prioritize cyber risk from the State of Texas perspective
• Standardizes a cyber approach and establishes a baseline for minimum cyber security
• Tailorable or customizable for each state agency
• Enables structure to fuse people, process and technology (tools)
• Provides a phased approach to align with FISMA / NIST 800-53
• Control Catalog for mapping Federal / Texas laws, guidance and instruction
7. Texas Cybersecurity Framework
Overview – Phased approach to FISMA
[Diagram: Texas Cybersecurity Framework components: TAC 202, Agency Security Plan Template, Control Catalog, Vendor Services Alignment, Risk Management; flow: Agency Security Plan, Revised TAC 202, Framework]
Texas Migrating from Static Governance to Dynamic FISMA Alignment
8. Federal Continuous Monitoring Program
Continuous Diagnostics & Mitigation (CDM)
• Leveraging automated tools and processes to continually assess IT systems, networks and programs
• Capture real-time security information to effectively manage risk while reducing cost
• Security controls are assessed continuously to provide a real-time security posture instead of the traditional “snapshot in time”
• Real-time risk assessment is based on how well security controls mitigate known threats and vulnerabilities
• Enables real-time risk management decision-making via continuous streaming of system state intelligence
• Maps to 11 NIST Continuous Monitoring Domains, 15 DHS CDM Domains and NIST 800-53 Controls
Federal Policy Rapidly Moving Towards Real-time Cyber Monitoring
9. Department of Homeland Security (DHS): 15 Continuous Monitoring Domains
Abbr.  Continuous Monitoring Domain                        Rollout Schedule
HWAM   Hardware Asset Management                           Phase 1 / 2015
SWAM   Software Asset Management                           Phase 1 / 2015
VUL    Vulnerability Management                            Phase 1 / 2015
CM     Configuration Management                            Phase 1 / 2015
NAC    Network Access Control                              Phase 2 / 2016
TRU    Manage Trust in People Granted Access               Phase 2 / 2016
BEH    Manage Security-Related Behavior                    Phase 2 / 2016
CAM    Credential Access Management                        Phase 2 / 2016
AAC    Manage Account Access                               Phase 2 / 2016
CP     Prepare for Contingencies & Incidents (CIRT)        Phase 3 / 2017
INC    Respond to Contingencies & Incidents (CIRT)         Phase 3 / 2017
POL    Design & Build in Requirements, Policy & Planning   Phase 3 / 2017
QAL    Design & Build in Quality                           Phase 3 / 2017
AUD    Manage Audit Information                            Phase 3 / 2017
OPS    Manage Operation Security (SIEM)                    Phase 3 / 2017
10. National Institute of Standards and Technology (NIST): 11 Continuous Monitoring Domains
NIST – DHS Continuous Domain Crosswalk
NIST domains (columns): D1 Asset Mgmt; D2 Vul Mgmt; D3 Config Mgmt; D4 Patch Mgmt; D5 Net Mgmt; D6 Event Mgmt; D7 Inc Mgmt; D8 Malware Detect; D9 Info Mgmt; D10 Lic Mgmt; D11 SwA
DHS domains (rows), each marked with an X for every NIST domain it maps to (the column position of each mark is not recoverable from the slide text, only the count):
A1  HWAM  X
A2  SWAM  X X X
A3  VUL   X
A4  CM    X X
A5  NAC   X
A6  TRU   X X
A7  BEH   X X
A8  CAM   X
A9  AAC   X
A10 CP    X X X X
A11 INC   X
A12 POL   X X X X X X
A13 QAL   X
A14 AUD   X
A15 OPS   X X X X X X X X X X X (all 11 NIST domains)
11. Continuous Monitoring Architecture – Tailorable Framework
As capabilities mature you move from continuous monitoring to continuous management
12. Dynamic TAC 202 Cyber Dashboard
Features & Capabilities
• Acceptable Cyber Risk (ACR) – The ACR is dynamically determined based on advanced analytics. It is continuously generated based on historical and real-time data. There are no static, defined thresholds.
• Advanced Analytics – Display of meaningful and hidden patterns in unstructured security data using statistics, metrics, and algorithms. Big Data analytics is best “visualized” to show insights normally not seen in tabular data displays, i.e., visual analytics. Cyber measures / metrics are dynamically reported in real time.
• Dynamic Color Coding – A color scheme using green, yellow and red applied to dashboard metrics and maps based on dynamic changes in the ACR.
• Predictive Analytics (Machine Learning) – The dashboard dynamically extracts and learns from security control, defense-in-depth protection and incident information (i.e., historical and real-time) in order to predict future cyber events and the ability to respond and mitigate.
• Quality of Protection (QoP) – A derived metric capturing end-to-end cyber protection based on security controls and defense-in-depth cyber protection profiles. Key Cyber Indicators (KCIs) are calculated, combined and weighted to measure potential risk factors contributing to lack or failure of end-user or critical asset protection.
13. Continuous Monitoring Key Architecture Considerations
1. Know the Desired State – Security Policy
2. Know the Actual State – “On the Wire” Assessment
3. Know the Differences and Act – Assess & Analyze Deviations Quickly
4. Group Items Found for Reporting – Key Stakeholders
5. Integrate with Legacy Systems – Interoperate
6. Scale – Enterprise & Regions
7. Role-Based Access Control – Limit Access
8. Information Sharing – Collaboration & Dissemination
Dynamic Cyber Dashboard
Automate Security Aggregation, Correlation & Reporting
14. Dynamic TAC 202 Cyber Dashboard
Interactive Texas map drill-down to sites, assets, vulnerabilities, threats
“A cyber TAC 202 dashboard provides integrated visual analytics allowing cyber teams to visually interact with their data to better collaborate and quickly mitigate vulnerabilities and threats”
[Screenshot: TAC 202 Dashboard]
15. Dynamic TAC 202 Cyber Dashboard
Detailed Drill-down to Assets, Controls, Vulnerabilities, Compliance & Risk
16. Dynamic Continuous Monitoring Use Cases
1. Unauthorized (Rogue) Device Events
• Rapid Detection of Rogue Devices
• Automate Alerting for Rapid Remediation (Quarantine, Removal)
2. Unauthorized Software (Potential Malware) Events
• Rapid Detection of Unauthorized/Unlicensed Software on Endpoints
• Automate Alerting for Rapid Remediation and Removal
3. Misconfigured Software (Deviations) Events
• Rapid Detection of “Current State vs Desired State” (based on policy)
• Automate Alerting for Remediation or Change Control
4. Critical Vulnerability (Potential Exploitation/Weakness) Events
• Rapid Detection of Vulnerabilities
• Automate Alerting for Rapid Remediation (Quarantine, Removal)
• Prioritized Response (based on policy) for Rapid Remediation (Quarantine, Removal)
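The “current state vs desired state” comparison behind the four use cases above (and steps 1 to 3 of the architecture considerations on slide 13), as an added example that is not part of the presentation or any Northrop Grumman product; the inventories, hostnames, vulnerability identifiers and the CVSS threshold are constructed assumptions.

```python
# Added example, not from the slides: compare a desired-state policy with the
# actual state reported by scanners and emit the four event types from the
# use-case slide. All inventories below are constructed sample data.
from dataclasses import dataclass

DESIRED = {                                   # desired state (policy)
    "hosts": {"host-a", "host-b"},            # HWAM: authorized devices
    "software": {"ssh", "browser"},           # SWAM: approved software
    "config": {"host-a": {"fw": "on"}, "host-b": {"fw": "on"}},  # CM baseline
    "max_cvss_allowed": 7.0,                  # VUL policy threshold (assumed)
}

ACTUAL = {                                    # actual state "on the wire"
    "hosts": {"host-a", "host-b", "host-z"},
    "software": {"host-a": {"ssh", "browser"},
                 "host-b": {"ssh", "p2p-client"}},
    "config": {"host-a": {"fw": "on"}, "host-b": {"fw": "off"}},
    # (host, placeholder vulnerability id, CVSS score)
    "vulns": [("host-a", "VULN-PLACEHOLDER-1", 9.8),
              ("host-b", "VULN-PLACEHOLDER-2", 4.3)],
}

@dataclass(frozen=True)
class Event:
    kind: str      # ROGUE_DEVICE, UNAUTHORIZED_SW, MISCONFIG, CRITICAL_VULN
    host: str
    detail: str
    priority: int  # 1 = quarantine/remove first, 3 = route to change control

def find_deviations(desired, actual):
    events = []
    # Use case 1: a device seen on the wire that is not in the HW inventory
    for h in sorted(actual["hosts"] - desired["hosts"]):
        events.append(Event("ROGUE_DEVICE", h, "not in HWAM inventory", 1))
    # Use case 2: software on an endpoint that is not on the approved list
    for h, sw in sorted(actual["software"].items()):
        for s in sorted(sw - desired["software"]):
            events.append(Event("UNAUTHORIZED_SW", h, s, 2))
    # Use case 3: configuration drift from the policy baseline
    for h, want in desired["config"].items():
        got = actual["config"].get(h, {})
        for k, v in want.items():
            if got.get(k) != v:
                events.append(Event("MISCONFIG", h, f"{k}={got.get(k)} (want {v})", 3))
    # Use case 4: vulnerabilities above the policy threshold
    for h, vid, cvss in actual["vulns"]:
        if cvss > desired["max_cvss_allowed"]:
            events.append(Event("CRITICAL_VULN", h, f"{vid} cvss={cvss}", 1))
    # Prioritized response: highest priority first, then by host
    return sorted(events, key=lambda e: (e.priority, e.host))
```

Each pass is one collector feed (hardware, software, configuration, vulnerability scan) diffed against the same policy object, which is what lets the dashboard report all four event types from one desired-state definition.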
17. Unauthorized / Rogue Device Events (use case 1)
18. Dynamic TAC 202 Cyber Dashboard
Cyber “Weather Map” for Unauthorized SW / Malware Detection (use case 2)
[Screenshot: TAC 202 Dashboard]
19. Dynamic TAC 202 Cyber Dashboard
Cyber “Weather Map” for Mis-Configured Endpoints (use case 3)
[Screenshot: TAC 202 Dashboard]
20. Dynamic TAC 202 Cyber Dashboard
Cyber “Weather Map” for Critical Vulnerability Detection (use case 4)
[Screenshot: TAC 202 Dashboard]
21. Cyber Situational Awareness Problem
Reducing the Attacker “Free Time” in Network
[Figure: “Profile of a Cyber Attack”]
22. Cyber Best Practice
Defense in Depth Monitoring
[Screenshot: TAC 202 Dashboard]
23. Cyber Attack Profiles
Why Continuous Monitoring of Security Controls and DnD Matters
[Diagram, four panels: Outside threats, Malicious Insider, Inside threats, Evading Insider User. Each panel shows the defense-in-depth layers around the Mission Critical Assets, grouped as Prevention, Protection and Response; the labels recovered from the slide are listed once below.]
Layers (outside in): Perimeter Security; Network Security; Endpoint Security; Application Security; Data Security; Mission Critical Assets
Prevention and Protection controls: Perimeter Firewall; Perimeter IDP; DHS Einstein; Honeypot; Secure DMZs; Messaging Security (Anti-virus, Anti-malware); Web Proxy Content Filtering; NAC; Remote Access; Wireless Security; Network IDP; Enclave Firewall/IDP; Server IDP; Desktop Firewall/IDP; Endpoint Security Enforcement (Whitelist); XML Firewall; Web Application Firewall; Dynamic App Testing; Static App Testing/Code Review; Database Monitoring, Protection; Enterprise Rights Management; PKI; DAR/DIM/DIU Protection; Identity & Access Management; Data Integrity; Data/Drive Encryption; DLP
Response controls: Security Policies & Compliance; Security Technology Evaluation; Security Architecture & Design; Security Awareness Training; Near Real Time Security Dashboard; Cyber Threat Intelligence; Certification & Accreditation; IT Security Governance; Near Real Time Vulnerability Assessment; SIEM; SOC / NOC Monitoring (24x7); Threat Modeling; Penetration Testing; Incident Reporting, Detection, Response; Digital Forensics; Escalation Management; Security SLA/SLO Reporting; Risk Management
Attack outcomes shown: Zero Day Attack; Insider Threat; Massive Data Exfiltration; Loss of data integrity / confidentiality
Acronyms & Abbreviations: DAR: Data At Rest; DIM: Data In Motion; DIU: Data In Use; PKI: Public Key Infrastructure; FDCC: Federal Desktop Core Configuration; IDP: Intrusion Detection and Prevention; SIEM: Security Information Event Management; DLP: Data Loss Prevention; NAC: Network Access Control
24. Best Cyber Practice
• Know your cyber requirements
– Understand policy
– Operationalize policy and apply it to cyber tools and processes to make it more “actionable”
– Design a defense-in-depth monitoring architecture based on the business
• Understand the threat
– External bad actors
– Insider threat
– Know tactics, techniques and procedures
• Understand your data…
– Create a data plan / data architecture
– Map to security controls and defense in depth
– “Listen” to your data
• And how this applies to your agency’s core mission
– What’s important to your business?
– What are you trying to accomplish?
– What, who and how to report?
Implement Continuous Monitoring
25. Points of Contact
Keri McClellan
Program Manager
Cell: 817-240-4693
Email: Keri.McClellan@ngc.com
Calvin Smith
Cyber Technologist, Solutions Architect & Project Manager
Office: 512-374-4136
Email: ch.smith@ngc.com