20 May 2015 Northrop Grumman Information Systems (NGIS) Applying Continuous Monitoring and Cyber Best Practice to the Texas Cyber Framework Calvin Smith


  • Slide 1
  • 20 May 2015 Northrop Grumman Information Systems (NGIS) Applying Continuous Monitoring and Cyber Best Practice to the Texas Cyber Framework Calvin Smith Approved for Public Release #15-0906; Unlimited Distribution
  • Slide 2
  • Agenda
    - Introduction
    - About Northrop Grumman
    - Texas Cybersecurity Framework
    - Federal Continuous Monitoring Program
    - Dynamic Texas Cyber Monitoring Framework Dashboard
    - Cyber Best Practice / Defense in Depth
    - Q&A
  • Slide 3
  • Northrop Grumman Information Sector Snapshot
    At a Glance: $6.2B business; more than 16,000 employees; 50 states, 21 countries
    Focus Areas: Cyber; Communications; Command and Control; Integrated Air and Missile Defense; Intelligence, Surveillance, Reconnaissance; Civil; Health
    Approved for Public Release, #15-0507; Unlimited Distribution
  • Slide 4
  • Information Systems Sector Focus Areas
    - Health: Bioinformatics and Analytics; Benefits Management; Population Health; Fraud Detection/Prevention; NextGen Claims/Payment Modernization; Personalized Health
    - Civil: Financial Compliance and Fraud Detection; Enterprise Support Applications; Information Sharing; Decision Support Tools; Public Safety C2 and Mobility; Identity Management
    - ISR: Multi-INT Fusion; Large-Scale Data Management; Multi-Source Solutions; Special Intelligence Solutions; SIGINT; Tactical and Strategic ISR
    - Communications: Integrated Avionics; Gateways and Networking; Multi-Function RF Devices; Ground and Airborne Radios; Global SATCOM; Distributed Mission Operations
    - Cyber: Full-Spectrum Cyber; Secure Enterprise Computing; Defensive Cyber Operations; Cyber Resilience; Network Exploitation; Big Data Analysis; Biometric Intelligence
    - Command and Control (C2): Multi-Domain C2 Systems; Combat System Integration: Air, Land, Maritime; Large-Scale Enterprise C2 Solutions; Critical Infrastructure and Force Protection
    - Integrated Air and Missile Defense: Joint Air and Missile Defense; Ballistic Missile Defense Integration; BMD Fieldable Systems; International IAMD
    Cross-cutting themes: UNMANNED, CYBER, C4ISR, LOGISTICS
  • Slide 5
  • About Me
    The End-to-End Monitoring team supports federal, state and local government programs, specializing in cyber and performance monitoring.
    Cal: 28+ years in networking and cyber, 10 years in continuous and end-to-end monitoring architectures. Currently supporting US-CERT as Cyber Technologist and Solution Architect for Texas state agencies. Previously worked as Cyber Architect for the U.S. Department of State, Department of Homeland Security, Department of Justice and the Patent and Trademark Office. In his spare time he is an avid music collector, IT cloud tech enthusiast and road warrior.
  • Slide 6
  • Revised TAC 202
    - A method to standardize and prioritize cyber risk from the State of Texas perspective
    - Standardizes a cyber approach and establishes a baseline for minimum cyber security
    - Tailorable / customizable for each state agency
    - Provides a structure that fuses people, process and technology (tools)
    - Provides a phased approach aligned with FISMA and the NIST SP 800-53 control catalog, used to map federal and Texas laws, guidance and instructions
  • Slide 7
  • Texas Cybersecurity Framework Overview: Phased approach to FISMA
    [Figure: Revised TAC 202 Framework flowing into the Texas Cybersecurity Framework, Agency Security Plan Template, Control Catalog, Vendor Services Alignment, Risk Management and the Agency Security Plan. Caption: "Texas Migrating from Static Governance to Dynamic FISMA Alignment"]
  • Slide 8
  • Federal Continuous Monitoring Program: Continuous Diagnostics & Mitigation (CDM)
    - Leverages automated tools and processes to continually assess IT systems, networks and programs
    - Captures real-time security information to manage risk effectively while reducing cost
    - Security controls are assessed continuously to provide a real-time security posture instead of the traditional snapshot in time
    - Real-time risk assessment is based on how well security controls mitigate known threats and vulnerabilities
    - Enables real-time risk-management decision making through continuous streaming of system-state intelligence
    - Maps to the 11 NIST continuous monitoring domains, the 15 DHS CDM domains and the NIST SP 800-53 controls
    Federal policy is rapidly moving towards real-time cyber monitoring
  • Slide 9
  • Department of Homeland Security (DHS) 15 Continuous Monitoring Domains
    Abbreviation | Continuous Monitoring Domain | Rollout Schedule
    HWAM | Hardware Asset Management | Phase 1 / 2015
    SWAM | Software Asset Management | Phase 1 / 2015
    VUL  | Vulnerability Management | Phase 1 / 2015
    CM   | Configuration Management | Phase 1 / 2015
    NAC  | Network Access Control | Phase 2 / 2016
    TRU  | Manage Trust in People Granted Access | Phase 2 / 2016
    BEH  | Manage Security-Related Behavior | Phase 2 / 2016
    CAM  | Credential Access Management | Phase 2 / 2016
    AAC  | Manage Account Access | Phase 2 / 2016
    CP   | Prepare for Contingencies & Incidents (CIRT) | Phase 3 / 2017
    INC  | Respond to Contingencies & Incidents (CIRT) | Phase 3 / 2017
    POL  | Design & Build in Requirements, Policy & Planning | Phase 3 / 2017
    QAL  | Design & Build in Quality | Phase 3 / 2017
    AUD  | Manage Audit Information | Phase 3 / 2017
    OPS  | Manage Operation Security (SIEM) | Phase 3 / 2017
  • Slide 10
  • National Institute of Standards and Technology (NIST) 11 Continuous Monitoring Domains: NIST / DHS Continuous Monitoring Domain Crosswalk
    NIST domains (D1 to D11): D1 Asset Mgmt; D2 Vul Mgmt; D3 Config Mgmt; D4 Patch Mgmt; D5 Net Mgmt; D6 Event Mgmt; D7 Inc Mgmt; D8 Malware Detect; D9 Info Mgmt; D10 Lic Mgmt; D11 SwA
    DHS CDM domains (A1 to A15) with the number of NIST domains each one maps to (only the per-row counts of the crosswalk matrix are recoverable from the slide; the cell positions are not): A1 HWAM 1; A2 SWAM 3; A3 VUL 1; A4 CM 2; A5 NAC 1; A6 TRU 2; A7 BEH 2; A8 CAM 1; A9 AAC 1; A10 CP 4; A11 INC 1; A12 POL 6; A13 QAL 1; A14 AUD 1; A15 OPS 11 (all NIST domains)
  • Slide 11
  • Continuous Monitoring Architecture: Tailorable Framework
    [Figure: continuous monitoring architecture diagram.] As capabilities mature you move from continuous monitoring to continuous management.
  • Slide 12
  • Dynamic TAC 202 Cyber Dashboard: Features & Capabilities
    - Acceptable Cyber Risk (ACR): the ACR is determined dynamically by advanced analytics. It is continuously regenerated from historical and real-time data; there are no static, predefined thresholds.
    - Advanced Analytics: display of meaningful and hidden patterns in unstructured security data using statistics, metrics and algorithms. Big-data analytics is best visualized to show insights normally not seen in tabular displays (i.e., visual analytics). Cyber measures and metrics are reported dynamically in real time.
    - Dynamic Color Coding: a green / yellow / red scheme applied to dashboard metrics and maps, driven by dynamic changes in the ACR.
    - Predictive Analytics (Machine Learning): the dashboard extracts and learns from security-control, defense-in-depth protection and incident information (historical and real-time) in order to predict future cyber events and the ability to respond and mitigate.
    - Quality of Protection (QoP): a derived metric capturing end-to-end cyber protection based on security controls and defense-in-depth protection profiles. Key Cyber Indicators (KCIs) are calculated, combined and weighted to measure the risk factors that contribute to a lack or failure of end-user or critical-asset protection.
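The two derived quantities above, a threshold-free ACR band and a weighted QoP score, are easier to reason about in code. The following is an added example and not the dashboard's own implementation: it assumes (hypothetically) that the monitored metric is a daily count such as open critical vulnerabilities per agency, that "acceptable" is defined relative to the trailing window's mean and standard deviation rather than a fixed number, and that KCI scores are already normalized to the range 0..1. The history and KCI values are constructed for illustration.

```python
"""Dynamic acceptable-risk band and weighted Quality of Protection score.

Added example, not code from the TAC 202 dashboard. Assumptions (hypothetical):
the metric is a daily count (e.g. open critical vulnerabilities per agency),
the "acceptable" band is derived from the trailing window instead of a fixed
number, and KCI scores are already normalized to 0..1.
"""
from statistics import mean, pstdev


def baseline(history, window=14):
    """Mean and population stdev of the trailing `window` observations."""
    recent = list(history)[-window:]
    if len(recent) < 3:
        raise ValueError("need at least 3 observations to derive a baseline")
    return mean(recent), pstdev(recent)


def zscore(value, mu, sigma):
    """Standard score of `value`. A flat history (sigma == 0) makes any
    increase over the baseline maximally anomalous instead of dividing by zero."""
    if sigma == 0.0:
        return float("inf") if value > mu else 0.0
    return (value - mu) / sigma


def acr_color(value, history, window=14, warn=1.0, crit=2.0):
    """Green/yellow/red from how far today's value sits above the trailing
    baseline; `warn` and `crit` are multiples of sigma, not metric values."""
    mu, sigma = baseline(history, window)
    z = zscore(value, mu, sigma)
    if z > crit:
        return "red"
    if z > warn:
        return "yellow"
    return "green"


def quality_of_protection(kcis):
    """Weighted mean of Key Cyber Indicators: {name: (score_0_to_1, weight)}."""
    total = sum(w for _, w in kcis.values())
    if total <= 0:
        raise ValueError("KCI weights must sum to a positive number")
    for name, (score, _) in kcis.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"KCI {name} score {score} not in 0..1")
    return sum(s * w for s, w in kcis.values()) / total


if __name__ == "__main__":
    # Constructed sample: two weeks of daily counts for one agency.
    history = [10, 12, 11, 13, 12, 11, 10, 12, 11, 12, 13, 11, 12, 11]
    for today in (12, 13, 15):
        print(today, acr_color(today, history))
    # Constructed KCIs as (score, weight); weights reflect the control's role
    # in the defense-in-depth profile, scores its measured coverage.
    kcis = {"patched_in_sla": (0.80, 3), "hids_coverage": (0.95, 2),
            "mfa_enabled": (0.60, 1)}
    print(round(quality_of_protection(kcis), 3))
```

The sigma-floor branch matters in practice: a site whose count has been identical for two weeks has no variance, and a naive z-score would divide by zero; treating any rise as red there is the conservative choice, and the window and multipliers are the knobs an analyst tunes rather than the raw threshold.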
  • Slide 13
  • Continuous Monitoring: Key Architecture Considerations
    1. Know the Desired State: Security Policy
    2. Know the Actual State: On-the-Wire Assessment
    3. Know the Differences and Act: Assess and Analyze Deviations Quickly
    4. Group Items Found for Reporting: Key Stakeholders
    5. Integrate with Legacy Systems: Interoperate
    6. Scale: Enterprise and Regions
    7. Role-Based Access Control: Limit Access
    8. Information Sharing: Collaboration and Dissemination
    Dynamic Cyber Dashboard: Automate Security Aggregation, Correlation and Reporting
  • Slide 14
  • Dynamic TAC 202 Cyber Dashboard
    A cyber TAC 202 dashboard provides integrated visual analytics that let cyber teams interact visually with their data, collaborate better and mitigate vulnerabilities and threats quickly.
    [Figure: TAC 202 Dashboard with an interactive Texas map that drills down to sites, assets, vulnerabilities and threats]
  • Slide 15
  • Dynamic TAC 202 Cyber Dashboard
    [Figure: detailed drill-down to assets, controls, vulnerabilities, compliance and risk]
  • Slide 16
  • Dynamic Continuous Monitoring Use Cases
    1. Unauthorized (Rogue) Device Events: rapid detection of rogue devices; automated alerting for rapid remediation (quarantine, removal)
    2. Unauthorized Software (Potential Malware) Events: rapid detection of unauthorized/unlicensed software on endpoints; automated alerting for rapid remediation and removal
    3. Misconfigured Software (Deviation) Events: rapid detection of current state vs desired state (based on policy); automated alerting for remediation or change control
    4. Critical Vulnerability (Potential Exploitation/Weakness) Events: rapid detection of vulnerabilities; automated alerting for rapid remediation (quarantine, removal); prioritized response (based on policy) for rapid remediation (quarantine, removal)
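The architecture considerations on slide 13 (know the desired state, know the actual state, diff them and act, group for reporting) and the four use cases on slide 16 are one procedure. The following is an added example, not code from the dashboard or from the CDM program: a policy (desired state) is diffed against an inventory export (actual state) and each deviation becomes a prioritized event in the CDM domain that owns it. The policy, the observed records, the MAC addresses and the finding identifiers are constructed for illustration; in a real deployment the observed records would come from the asset, configuration and vulnerability scanners feeding the pipeline.

```python
"""Desired-state vs actual-state assessment producing the four event types.

Added example, not code from the dashboard. The policy, the observed inventory
and the finding identifiers below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # HWAM, SWAM, CM or VUL: the CDM domain that owns the finding
    host: str
    detail: str
    action: str  # prioritized response taken from policy


# Desired state (constructed).
POLICY = {
    "authorized_devices": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "authorized_software": {"openssh", "firefox", "7zip"},
    "baseline_config": {"ssh.PermitRootLogin": "no",
                        "ssh.PasswordAuthentication": "no"},
    # Maximum days a finding of each severity may stay open before it escalates.
    "max_open_days": {"critical": 7, "high": 30},
}

# Actual state as an inventory/scan export would report it (constructed).
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "host": "tx-ws-01",
     "software": {"openssh", "firefox"},
     "config": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no"},
     "vulns": [{"id": "finding-101", "severity": "high", "open_days": 10}]},
    {"mac": "00:11:22:33:44:02", "host": "tx-ws-02",
     "software": {"openssh", "firefox", "unknown-agent"},
     "config": {"ssh.PermitRootLogin": "yes"},
     "vulns": [{"id": "finding-102", "severity": "critical", "open_days": 12}]},
    {"mac": "00:11:22:33:44:99", "host": "unknown",
     "software": set(), "config": {}, "vulns": []},
]


def assess(policy, observed):
    """Diff each observed node against policy and emit prioritized events."""
    events = []
    for node in observed:
        host = node["host"]
        if node["mac"] not in policy["authorized_devices"]:
            events.append(Event("HWAM", host, f"rogue device {node['mac']}", "quarantine"))
            continue  # an unknown device's self-reported inventory is not trusted
        for pkg in sorted(node["software"] - policy["authorized_software"]):
            events.append(Event("SWAM", host, f"unauthorized software {pkg}", "remove"))
        for key, want in policy["baseline_config"].items():
            have = node["config"].get(key)  # a missing setting is also a deviation
            if have != want:
                events.append(Event("CM", host,
                                    f"{key}={have!r}, policy requires {want!r}",
                                    "change-control"))
        for v in node["vulns"]:
            limit = policy["max_open_days"].get(v["severity"])
            if limit is not None and v["open_days"] > limit:
                action = "quarantine" if v["severity"] == "critical" else "remediate"
                events.append(Event("VUL", host,
                                    f"{v['id']} {v['severity']} open {v['open_days']}d, limit {limit}d",
                                    action))
    return events


def summarize(events):
    """Group findings by CDM domain for stakeholder reporting."""
    return dict(Counter(e.kind for e in events))


if __name__ == "__main__":
    found = assess(POLICY, OBSERVED)
    for e in found:
        print(f"[{e.kind}] {e.host}: {e.detail} -> {e.action}")
    print(summarize(found))
```

Two design points are worth noting. A rogue device short-circuits the remaining checks because its self-reported software and configuration cannot be trusted until the device is identified; and a baseline setting that is absent from the observed configuration is reported as a deviation rather than silently passing, since "not set" is a common way a hardening control is lost.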
  • Slide 17
  • Unauthorized / Rogue Device Events (use case 1)
    [Figure: dashboard view of rogue device events]
  • Slide 18
  • Dynamic TAC 202 Cyber Dashboard (use case 2)
    [Figure: TAC 202 Dashboard cyber weather map for unauthorized software / malware detection]
  • Slide 19
  • Dynamic TAC 202 Cyber Dashboard (use case 3)
    [Figure: TAC 202 Dashboard cyber weather map for misconfigured endpoints]
  • Slide 20
  • Dynamic TAC 202 Cyber Dashboard (use case 4)
    [Figure: TAC 202 Dashboard cyber weather map for critical vulnerability detection]
  • Slide 21
  • Cyber Situational Awareness Problem: Reducing the Attacker's Free Time in the Network
    [Figure: Profile of a Cyber Attack]
  • Slide 22
  • Cyber Best Practice: Defense in Depth Monitoring
    [Figure: TAC 202 Dashboard defense-in-depth monitoring view]
  • Slide 23
  • Cyber Attack Profiles: Why Continuous Monitoring of Security Controls and Defense in Depth Matters
    - Zero-day attack
    - Insider threat
    - Massive data exfiltration
    - Loss of data integrity and confidentiality
  • Slide 24
  • Best Cyber Practice
    - Know your cyber requirements
      - Understand policy
      - Operationalize policy and apply it to cyber tools and processes to make it actionable
      - Design the defense-in-depth monitoring architecture around the business
    - Understand the threat
      - External bad actors
      - Insider threat
      - Know tactics, techniques and procedures
    - Understand your data
      - Create a data plan / data architecture
      - Map it to security controls and defense in depth
      - Listen to your data
    - And how this applies to your agency's core mission
      - What's important to your business?
      - What are you trying to accomplish?
      - What, who and how to report?
    Implement Continuous Monitoring
  • Slide 25
  • Points of Contact
    Keri McClellan, Program Manager. Cell: 817-240-4693. Email: [email protected]@ngc.com
    Calvin Smith, Cyber Technologist, Solutions Architect & Project Manager. Office: 512-374-4136. Email: [email protected]@ngc.com
  • Slide 26
  • Q&A