20 May 2015 Northrop Grumman Information Systems (NGIS) Applying Continuous Monitoring and Cyber...
- Slide 1
- 20 May 2015, Northrop Grumman Information Systems (NGIS)
  Applying Continuous Monitoring and Cyber Best Practice to the Texas Cyber Framework
  Calvin Smith
  Approved for Public Release #15-0906; Unlimited Distribution
- Slide 2
- Agenda
  - Introduction
  - About Northrop Grumman
  - Texas Cybersecurity Framework
  - Federal Continuous Monitoring Program
  - Dynamic Texas Cyber Monitoring Framework Dashboard
  - Cyber Best Practice / Defense In Depth
  - Q&A
- Slide 3
- Northrop Grumman Information Sector Snapshot: At a Glance
  - $6.2B business
  - More than 16,000 employees
  - 50 states, 21 countries
  - 3 Focus Areas: Cyber; Communications; Command and Control; Integrated Air and Missile Defense; Intelligence, Surveillance, Reconnaissance; Civil; Health
- Slide 4
- Information Systems Sector Focus Areas
  - Health: Bioinformatics and Analytics; Benefits Management; Population Health; Fraud Detection/Prevention; NextGen Claims/Payment Modernization; Personalized Health
  - Civil: Financial Compliance and Fraud Detection; Enterprise Support Applications; Information Sharing; Decision Support Tools; Public Safety C2 and Mobility; Identity Management
  - ISR: Multi-INT Fusion; Large-Scale Data Management; Multi-Source Solutions; Special Intelligence Solutions; SIGINT; Tactical and Strategic ISR
  - Communications: Integrated Avionics; Gateways and Networking; Multi-Function RF Devices; Ground and Airborne Radios; Global SATCOM; Distributed Mission Operations
  - Cyber: Full-Spectrum Cyber; Secure Enterprise Computing; Defensive Cyber Operations; Cyber Resilience; Network Exploitation; Big Data Analysis; Biometric Intelligence
  - Command and Control (C2): Multi-Domain C2 Systems; Combat System Integration: Air, Land, Maritime; Large-Scale Enterprise C2 Solutions; Critical Infrastructure and Force Protection
  - Integrated Air and Missile Defense: Joint Air and Missile Defense; Ballistic Missile Defense Integration; BMD Fieldable Systems; International IAMD
  - Cross-cutting themes: UNMANNED, CYBER, C4ISR, LOGISTICS
- Slide 5
- About Me
  The End-to-End Monitoring team supports federal, state and local government programs, specializing in cyber and performance monitoring.
  Cal: 28+ years in networking & cyber, 10 years in continuous & end-to-end monitoring architectures. Currently supporting US CERT as Cyber Technologist and Solution Architect for Texas State Agencies. Previously worked as Cyber Architect for U.S. Department of State, Department of Homeland Security, Department of Justice and Patent Trademark Office. In his spare time he is an avid music collector, IT cloud tech enthusiast and road warrior.
- Slide 6
- Revised TAC 202
  - Method to standardize and prioritize cyber risk from the state of Texas perspective
  - Standardizes a cyber approach and establishes a baseline for minimum cyber security
  - Tailorable or customizable for each state agency
  - Enables structure to fuse people, process and technology (tools)
  - Provides a phased approach to align with FISMA / NIST 800-53 Control Catalog for mapping Federal / Texas laws, guidance and instruction
- Slide 7
- Texas Cybersecurity Framework Overview: Phased approach to FISMA
  (figure: Texas Cybersecurity Framework; TAC 202; Agency Security Plan Template; Control Catalog; Vendor Services Alignment; Risk Management; Agency Security Plan; Revised TAC 202 Framework)
  Texas Migrating from Static Governance to Dynamic FISMA Alignment
- Slide 8
- Federal Continuous Monitoring Program: Continuous Diagnostics & Mitigation (CDM)
  - Leveraging automated tools and processes to continually assess IT systems, networks and programs
  - Capture real-time security information to effectively manage risk while reducing cost
  - Security controls are assessed continuously to provide real-time security posture instead of the traditional snapshot-in-time
  - Real-time risk assessment is based on how well security controls mitigate known threats and vulnerabilities
  - Enables real-time risk management decision-making via continuous streaming of system state intelligence
  - Maps to 11 NIST Continuous Monitoring Domains, 15 DHS CDM Domains, NIST 800-53 Controls
  Federal Policy Rapidly Moving Towards Real-time Cyber Monitoring
- Slide 9
- Department of Homeland Security (DHS) 15 Continuous Monitoring Domains

  | Abbreviation | Continuous Monitoring Domain | Rollout Schedule |
  |---|---|---|
  | HWAM | Hardware Asset Management | Phase 1 / 2015 |
  | SWAM | Software Asset Management | Phase 1 / 2015 |
  | VUL | Vulnerability Management | Phase 1 / 2015 |
  | CM | Configuration Management | Phase 1 / 2015 |
  | NAC | Network Access Control | Phase 2 / 2016 |
  | TRU | Manage Trust In People Granted Access | Phase 2 / 2016 |
  | BEH | Manage Security Related Behavior | Phase 2 / 2016 |
  | CAM | Credential Access Management | Phase 2 / 2016 |
  | AAC | Manage Account Access | Phase 2 / 2016 |
  | CP | Prepare to Contingencies & Incidents (CIRT) | Phase 3 / 2017 |
  | INC | Respond to Contingencies & Incidents (CIRT) | Phase 3 / 2017 |
  | POL | Design & Build in Requirements Policy & Planning | Phase 3 / 2017 |
  | QAL | Design & Build in Quality | Phase 3 / 2017 |
  | AUD | Manage Audit Information | Phase 3 / 2017 |
  | OPS | Manage Operation Security (SIEM) | Phase 3 / 2017 |
- Slide 10
- National Institute of Standards and Technology (NIST) 11 Continuous Monitoring Domains: NIST / DHS Continuous Domain Crosswalk
  NIST domains (columns D1 to D11): D1 Asset Mgmt, D2 Vul Mgmt, D3 Config Mgmt, D4 Patch Mgmt, D5 Net Mgmt, D6 Event Mgmt, D7 Inc Mgmt, D8 Malware Detect, D9 Info Mgmt, D10 Lic Mgmt, D11 SwA
  DHS domains (rows A1 to A15), each X marking one NIST domain the DHS domain maps to:
  - A1 HWAM: X
  - A2 SWAM: XXX
  - A3 VUL: X
  - A4 CM: XX
  - A5 NAC: X
  - A6 TRU: XX
  - A7 BEH: XX
  - A8 CAM: X
  - A9 AAC: X
  - A10 CP: XXXX
  - A11 INC: X
  - A12 POL: XXXXXX
  - A13 QAL: X
  - A14 AUD: X
  - A15 OPS: XXXXXXXXXXX (all eleven NIST domains)
- Slide 11
- Continuous Monitoring Architecture: Tailorable Framework
  As capabilities mature you move from continuous monitoring to continuous management.
- Slide 12
- Dynamic TAC 202 Cyber Dashboard Features & Capabilities
  - Acceptable Cyber Risk (ACR): The ACR is dynamically determined based on advanced analytics. It is continuously generated based on historical and real-time data. There are no static, defined thresholds.
  - Advanced Analytics: Display of meaningful and hidden patterns in unstructured security data using statistics, metrics, and algorithms. Big Data analytics is best visualized to show insights normally not seen in tabular data displays, i.e., visual analytics. Cyber measures / metrics are dynamically reported in real-time.
  - Dynamic Color Coding: A color scheme using green, yellow and red applied to dashboard metrics and maps based on dynamic changes in the ACR.
  - Predictive Analytics (Machine-Learning): The dashboard dynamically extracts and learns from security control, defense in depth protection and incident information (i.e., historical and real-time) in order to predict future cyber events and ability to respond and mitigate.
  - Quality of Protection (QoP): A derived metric capturing end-to-end cyber protection based on security controls and defense-in-depth cyber protection profiles. Key Cyber Indicators (KCIs) are calculated, combined and weighted to measure potential risk factors contributing to lack/failure of end-user or critical asset protection.
- Slide 13
- Continuous Monitoring: Key Architecture Considerations
  1. Know the Desired State: Security Policy
  2. Know the Actual State: On the Wire Assessment
  3. Know the Differences and Act: Assess & Analyze Deviations Quickly
  4. Group Items Found for Reporting: Key stakeholders
  5. Integrate with Legacy Systems: Interoperate
  6. Scale: Enterprise & Regions
  7. Role-Based Access Control: Limit Access
  8. Information Sharing: Collaboration & Dissemination
  Dynamic Cyber Dashboard: Automate Security Aggregation, Correlation & Reporting
- Slide 14
- Dynamic TAC 202 Cyber Dashboard
  A cyber TAC 202 dashboard provides integrated visual analytics allowing cyber teams to visually interact with their data to better collaborate and quickly mitigate vulnerabilities and threats.
  (screenshot: TAC 202 Dashboard, interactive Texas map with drill-down to sites, assets, vulnerabilities, threats)
- Slide 15
- Dynamic TAC 202 Cyber Dashboard: Detailed Drill-down to Assets, Controls, Vulnerabilities, Compliance & Risk
- Slide 16
- Dynamic Continuous Monitoring Use Cases
  1. Unauthorized (Rogue) Device Events
     - Rapid Detection of Rogue Devices
     - Automate Alerting for Rapid Remediation (Quarantine, Removal)
  2. Unauthorized Software (Potential Malware) Events
     - Rapid Detection of Unauthorized/Unlicensed Software on Endpoints
     - Automate Alerting for Rapid Remediation and Removal
  3. Misconfigured Software (Deviations) Events
     - Rapid Detection of Current State vs Desired State (based on policy)
     - Automate Alerting for Remediation or Change Control
  4. Critical Vulnerability (Potential Exploitation/Weakness) Events
     - Rapid Detection of Vulnerabilities
     - Automate Alerting for Rapid Remediation (Quarantine, Removal)
     - Prioritized Response (based on policy) for Rapid Remediation (Quarantine, Removal)
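The "know the desired state, know the actual state, know the differences and act" loop from slide 13, applied to the four use cases on this slide, as an added Python example that is not code from the presentation or from Northrop Grumman. It compares a constructed security policy (authorized devices, authorized software, configuration baseline, critical CVSS threshold) against a constructed endpoint inventory and groups the deviations by CDM domain with the remediation action the slide names; all hostnames, MAC addresses, software names, policy values and the CVE placeholder are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Host:  # actual state of one endpoint as an on-the-wire scan reports it (constructed)
    hostname: str
    mac: str
    software: set
    config: dict
    cves: dict  # vulnerability id -> CVSS score

# Desired state (security policy). Assumed values, not from the slides.
POLICY = {
    "authorized_macs": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "authorized_software": {"openssh", "chrome", "endpoint-agent"},
    "baseline_config": {"firewall": "on", "disk_encryption": "on", "autoupdate": "on"},
    "critical_cvss": 9.0,  # threshold for prioritized response
}

def assess(hosts, policy=POLICY):
    """Compare actual state to desired state; group deviations by CDM domain
    (HWAM, SWAM, CM, VUL) as (host, finding, remediation) tuples for reporting."""
    findings = {"HWAM": [], "SWAM": [], "CM": [], "VUL": []}
    for h in hosts:
        if h.mac not in policy["authorized_macs"]:
            findings["HWAM"].append((h.hostname, "rogue device", "quarantine"))
            continue  # an unauthorized device is not trusted for further assessment
        for sw in sorted(h.software - policy["authorized_software"]):
            findings["SWAM"].append((h.hostname, f"unauthorized software: {sw}", "remove"))
        for key, want in policy["baseline_config"].items():
            got = h.config.get(key)  # None when the setting is absent
            if got != want:
                findings["CM"].append((h.hostname, f"{key}={got!r}, expected {want!r}", "change control"))
        for cve, score in sorted(h.cves.items(), key=lambda kv: -kv[1]):  # highest CVSS first
            if score >= policy["critical_cvss"]:
                findings["VUL"].append((h.hostname, f"{cve} (CVSS {score})", "quarantine"))
    return findings

# Constructed sample inventory; CVE-0000-EXAMPLE is a placeholder id.
SAMPLE_HOSTS = [
    Host("ws01", "00:11:22:aa:bb:01", {"openssh", "chrome"},
         {"firewall": "on", "disk_encryption": "on", "autoupdate": "on"}, {}),
    Host("ws02", "00:11:22:aa:bb:02", {"openssh", "torrent-client"},
         {"firewall": "off", "disk_encryption": "on"}, {"CVE-0000-EXAMPLE": 9.8}),
    Host("unknown", "de:ad:be:ef:00:01", {"chrome"}, {}, {}),
]

if __name__ == "__main__":
    for domain, items in assess(SAMPLE_HOSTS).items():
        print(domain, items or "no deviations")
```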
- Slide 17
- Unauthorized / Rogue Device Events (use case 1)
- Slide 18
- Dynamic TAC 202 Cyber Dashboard: Cyber Weather Map for Unauthorized SW / Malware Detection (use case 2)
- Slide 19
- Dynamic TAC 202 Cyber Dashboard: Cyber Weather Map for Mis-Configured Endpoints (use case 3)
- Slide 20
- Dynamic TAC 202 Cyber Dashboard: Cyber Weather Map for Critical Vulnerability Detection (use case 4)
- Slide 21
- Cyber Situational Awareness Problem: Reducing the Attacker Free Time in Network
  (figure: Profile of a Cyber Attack)
- Slide 22
- Cyber Best Practice: Defense in Depth Monitoring
  (screenshot: TAC 202 Dashboard)
- Slide 23
- Cyber Attack Profiles: Why Continuous Monitoring of Security Controls and Defense in Depth Matters
  - Zero Day Attack
  - Insider Threat
  - Massive Data Exfiltration
  - Loss of data integrity / confidentiality
- Slide 24
- Best Cyber Practice
  - Know your cyber requirements: Understand policy; Operationalize policy and apply to cyber tools and processes to make it more actionable; Design defense in depth monitoring architecture based on the business
  - Understand the threat: External bad actors; Insider threat; Know tactics, techniques and procedures
  - Understand your data: Create data plan/data architecture; Map to security controls and defense in depth
  - Listen to your data, and how this applies to your agency's core mission: What's important to your business? What are you trying to accomplish? What, who and how to report?
  Implement Continuous Monitoring
- Slide 25
- Points of Contact
  - Keri McClellan, Program Manager. Cell: 817-240-4693. Email: Keri.McClellan@ngc.com
  - Calvin Smith, Cyber Technologist, Solutions Architect & Project Manager. Office: 512-374-4136. Email: ch.smith@ngc.com
- Slide 26
- Q&A
  Northrop Grumman Private/Proprietary Level 1
- Slide 27