WORKSPACE MANAGEMENT & DHS CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) INITIATIVE

www.res.com | A RES White Paper


Today, agencies face the growing challenge of creating a “secure and compliant” workplace that still allows employees to be empowered and productive. This is primarily being driven by the introduction of new technologies, consumer devices being used for work and a new tech-savvy workforce. Simply put, managing IT in the same way we did five years ago is not effective in today’s environment.

As users continue to accelerate the trend toward consumerization, CIOs and CISOs need to implement solutions that address the variety of devices, apps and operating systems that make up the IT infrastructure and meet the anytime, anywhere access capabilities imposed by today’s flexible work styles. This explosion of disruptive enterprise technology and working trends presents IT administrators with new challenges, often leading to more time spent on manual processes and higher costs to meet more demanding needs from users.

With an array of business challenges and pain points within their agencies, IT administrators require flexibility in their systems management solutions in order to optimize functionality. And it is not only physical environments that need to be managed, but also virtual and cloud-based environments, together with distributed networks, systems and services, as well as regulatory and security models. The enterprise solutions they choose must work with existing infrastructures and have the capabilities to simplify and automate IT operations, not add further complexity.

Luckily, in the Federal Government, the White House and the Office of Management and Budget (OMB) have realized the need for a holistic and secure solution to beef up IT delivery based on a robust lifecycle approach. It is called the Continuous Diagnostics and Mitigation Initiative and is being shepherded by the Department of Homeland Security (DHS). In designing the enterprise architecture and corresponding security architecture, an organization seeks to securely meet the IT infrastructure needs of its governance structure, missions, and core business processes. Information security is a dynamic process that must be effectively and proactively managed for an organization to identify and respond to new vulnerabilities, evolving threats, and an organization’s constantly changing enterprise architecture and operational environment. The Risk Management Framework (RMF) developed by the National Institute of Standards and Technology (NIST) describes a disciplined and structured process that integrates information security and risk management activities into the IT system development life cycle. Ongoing monitoring is a critical part of that risk management process. In addition, an organization’s overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur. Timely, relevant, and accurate information is vital, particularly when resources are limited and agencies must prioritize their efforts.

Continuous monitoring of computing and network assets requires up-to-date knowledge of the security posture of every workstation, server, and network device. This includes operating system and application versions and patches, vulnerabilities, and threat signatures and patterns. Information security managers will use the summary and detailed information to manage and report the security posture of their respective agencies. While each agency is required to implement continuous monitoring, they are not required to implement a “one size fits all” solution. Each agency can implement the continuous monitoring solution that best fits its own requirements and environment as long as its solution provides the required monthly data to the DHS repository known as CyberScope. Defense and intelligence agencies will have to provide their required security data to the Defense Department and intelligence community versions of CyberScope.

Figure 1 - CDM Lifecycle Framework (cycle: Install Tools/Sensors; Automated Vulnerability Search; Systems Scanned Every 72 Hours; Collect Results from the Agency and Departments; Prioritize, Analyze & Triage; Fix High Priority Vulnerabilities First; Progress Report Dashboard)


Changes to IT infrastructure driven by dynamic networks and the exponential growth in the number and types of attacks are outpacing the ability to track changes across a heterogeneous IT infrastructure with manual processes and current paper-based systems. The idea behind continuous monitoring is to know, in real-time or near real-time, the health of the organization’s network. This empowers the Department of Homeland Security and agencies to address threats or potential threats sooner.

However, agencies have been hard-pressed to identify solutions that meet the visibility, ease-of-use, real-time tracking, and reporting requirements. Instead, agencies have turned to teams of consultants to monitor and report on a plethora of heterogeneous systems a few times a year. To comply with FISMA (Federal Information Security Management Act) in the face of resource constraints, federal agencies need continuous monitoring solutions specifically designed to overcome current monitoring challenges by enabling:

• The ability to establish a baseline inventory of networks and their associated IT assets
• Visibility across disparate systems — desktops, servers, network devices — through a single console
• Streamlined adoption with a solution that implements easily, requires minimal training, and generates tangible results immediately
• Automation of repeatable processes which optimizes the use of IT and staff
• Vulnerability Management Reports in prioritized order for resolution
• SCAP Interoperability for reporting (CyberScope)

In addition to the above, governance plays a role in every step for a successful CDM program for any agency.

So far we have spoken about CDM from a component and general perspective. From a DHS acquisition perspective, CDM is planned to be implemented in a phased approach with budgets allocated for out-years.

PHASE 1
• Objective & Scope — Endpoint Integrity via asset (devices) Management for the current computing environment (all devices that are IP addressable)
• Areas of Focus — Hardware & Software Management, Configuration Management, Vulnerability & Malware Management

PHASE 2
• Objective & Scope — Access Management, Privileges & Infrastructure Integrity via network infrastructure management and workforce (people/staff) for the current computing environment
• Areas of Focus — Account Access & Privilege Management, Ports & Protocols for infrastructure devices and Configuration Settings

PHASE 3
• Objective & Scope — Boundary Protection (perimeter defense) & Incident Response (Event Management) focused on the local computing environment, accounting for the events associated with network infrastructure and enclaves
• Areas of Focus — Access control, Event Triage, Encryption & Remote Access

Consistent with the ISCM (Information Security Continuous Monitoring) Concept of Operations (CONOPS), the CDM Program covers 15 continuous monitoring capabilities:

• Hardware inventory management
• Software inventory management
• Configuration setting management
• Vulnerability management
• Privilege management
• Trust-in-people granted access (access control management)
• Credentials and authentication management
• Network/physical access control management
• Security-related behavior management
• Prepare for incidents and contingencies
• Respond to incidents and contingencies
• Requirements, policy, and planning
• Quality management
• Operational security
• Generic audit/monitoring


Capabilities are established at every level of the network, not just the periphery, which gives agencies the ability to see how effective their systems are. These capability implementations are the effective constituents of the three phases of the CDM program described above.

While most agencies have started to look at this problem from an infrastructure perspective, they struggle with managing the last mile of the CDM program: the user. With RES ONE Enterprise, IT can now centrally manage and secure every aspect of the user’s workspace, independent of their changing devices, locations, work styles and more. Today, most enterprise app store solutions only offer apps and provide a user-friendly front-end experience, which still leaves IT with the responsibility of manually delivering requests. IT departments need to address all of their critical functions for users, such as software installs, password changes, new hardware requests, access to specific data, printer access, backing up data, as well as all the different activities required when a user is onboarded, and much more. Simply implementing a self-service interface for apps, rather than a holistic solution, ignores many of the factors users require from IT. These solutions do not take into account the need for IT to manage the entire lifecycle of a user’s IT services.

RES has developed RES ONE Enterprise, which maps to the requirements of the ISCM CONOPS covered by the CDM program. This makes RES ONE Enterprise a staple and mandatory tool requirement from every agency’s perspective. Specifically, RES plays in the following CDM phases and control areas:

• CDM Phase 1: Software Management & Vulnerability Management via application whitelisting (Tool Functional Areas 2 & 4). As part of RES ONE Enterprise, RES ONE Workspace prevents access to and use of unauthorized applications in real time as the user’s context changes. As a user changes location, device, Wi-Fi hotspot, time of day and more, RES ONE Workspace will revoke access to certain applications and data. This creates a secure, reliable and safe workspace for any user, reduces helpdesk workload and also helps with enforcing licensing and compliance standards. Additionally, RES ONE Workspace can audit any attempts to break into the workspace. TAKEAWAY — Whitelisting has strong potential to block more malware than blacklisting. By allowing only known good software to be executed, the organization controls its whitelist, can keep it to a certain size, and finds it easier to manage; the whitelist can’t be manipulated as easily by an attacker. New versions of malware are automatically blocked (when software is identified at the executable level). Thus, whitelisting has strong potential to block more malware, including advanced persistent threats and zero-day malware. RES also defines the device role, so that an organization’s whitelists and blacklists can be specific enough to limit software to what is needed on the device without requiring a large number of exceptions. Device role means the business and/or technical function(s) that the device is intended to perform, such that the role correlates closely with (and determines) the software needed on the device.

• CDM Phase 2: Trust-in-people granted access (access control management), Credentials and authentication management, Privilege management. Built into the RES ONE Workspace solution, administrative delegation allows for granular delegation of control within the management console. Users, groups, OUs, and zones can be assigned rights to read or modify specific parts. It can also be used to allow access to specific applications that require elevated permissions to install drivers. This streamlines the workload and reduces the risks of managing user workspaces across multiple administrators. TAKEAWAY — RES ensures a secure and uniform user service experience (regardless of new infrastructure) that is accessible from anywhere by managing accounts for people and services. A user workspace is composed during each login to a Windows desktop. After composition, the desktop contains configured applications, data, printing capabilities and personal settings. Composition of these items is dynamic and based on context (who you are, where you are, what computer you use and the time of day). Once the unique user workspace has been composed, it is secured simply and effectively by only allowing the use of the available workspace items. The user workspace exists until the user logs off the Windows desktop. Composing and securing a user workspace is independent of any underlying technologies. User Workspace Management allows one to manage this process easily for many user workspaces at once.


RES ONE Workspace supports informed decisions about how much trust should be granted to potential and actual users of applications, networks, information and facilities by carefully screening new and existing persons granted access for evidence that the access might be abused, thereby preventing insiders from carrying out insider attacks. RES ONE Workspace offers a better desktop experience to your users with lower costs, increased security and greater control.

Security rules, stored in the same central database, will be used by the Workspace Composer to set up the security. The level of security can be controlled through these rules and can range from flexible to very tight. The built-in security drivers process the context-aware information from the Workspace Composer. These drivers are capable of blocking any unauthorized application, file or network access. Security diagnostics and logging are sent back to the central database.

TELEWORK MANDATE & UNIFIED COMMUNICATIONS PLAY

RES ONE Enterprise aligns perfectly with the telework law that many Federal agencies are implementing. The Telework Enhancement Act of 2010 has Federal IT leaders taking a hard look at the technology market for ways to satisfy new requirements. These mandates state that agencies must establish telework policies and identify employees eligible for teleworking without diminishing employee or agency performance. This means agency employees must be equipped with the necessary tools to be as productive and accessible from their homes as they are in the office. The dynamic composition and excellent security features of User Workspace Management save IT professionals’ time and allow users to stay productive while maintaining security wherever they are working. One of the key differentiators of RES Workspace Management is that it is a user workspace with Adaptive Security and not a substitute for a desktop. It works dynamically with a desktop to manage desktop items independently from the underlying computer and technologies used. Features include the ability to control (application) licenses for better performance by being temporary, dynamic and independent.

Fig 2: CDM phases and alignment with RES Product Suite (RES ONE Enterprise: Service Lifecycle; Manage Assets: Software Asset Management - Whitelisting; Manage Accounts for People and Services: Privileges, Credentials & Authentication, Security Behavior, Trusted Identities; Manage Events; RES ONE Workspace)


With the Adaptive Security approach one can restrict access to applications, data, networks, websites and removable storage based on user context, and render all local drives read-only with a single click. With Dynamic Privileges you can elevate or restrict access rights to applications, installations and control panel applets by applying the principle of least privilege. This will prevent users from becoming local administrators.

TAKEAWAY — RES ONE Enterprise forms the cornerstone of any workplace-as-a-service initiative undertaken by a Federal Agency. The solution integrates with, and has a built-in extension to work with, other existing software products for desktop virtualization. RES also delivers multiple benefits by replacing traditional desktops and laptops with virtual computing that provides as-needed operating systems and applications as a monthly, pay-per-use service with scalability – all supported by a robust security model.

RES ONE Enterprise promises to reduce operating costs, increase operational flexibility, and simplify administrative management, while efficiently using resources by eliminating surpluses of outdated and underutilized equipment.

INTEGRATION & INTEROPERABILITY

RES ONE Enterprise has robust integrations with other third-party solutions such as Enterprise Mobility Solutions, IT Service Management Solutions, Mobile Device Management (MDM) solutions and Software as a Service (SaaS) solutions. Specifically, out of the box, RES supports integration with:

• ServiceNow
• Citrix XenMobile
• MobileIron
• Microsoft Office 365
• Salesforce.com
• Microsoft System Center Configuration Manager
• LanDesk Management Suite

With the current impending requirement for all the federal agencies to migrate to Windows 7, RES ONE Enterprise can assure a seamless migration by inventorying all current XP applications, application settings, data etc., and ensure the user experience is identical in the new OS.

By combining the application whitelisting capability with the ubiquitous BigFix, one can now have a full whitelisting solution that is completely controlled by BigFix on the same BigFix architecture. RES provides utilities to baseline existing customer images to take care of all of the pre-implementation requirements. This utility captures all baseline OS files and baseline applications and directly imports them into the approved database. Furthermore, the integration allows all updates, patches, and software deployments delivered by BigFix to be whitelisted automatically.
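As an added illustration of the mechanism described in the CDM Phase 1 bullet and the baseline utility above (example code written for this page, not RES product code, and not how RES ONE Workspace is implemented), the following Python identifies executables by content hash, allows them per device role and context (location, time of day), populates the approved set by walking a golden image, and logs every denied attempt. The roles, locations, rule set and the two-file golden image are constructed assumptions.

```python
import hashlib, tempfile
from dataclasses import dataclass
from datetime import time
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

def sha256_file(path: Path) -> str:
    """Identify an executable by its content hash, not by name or path."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def import_baseline(root: Path, exts=(".exe", ".dll", ".msi")) -> Dict[str, str]:
    """Walk a golden image and record hash -> relative path for every executable file."""
    approved: Dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            approved[sha256_file(p)] = p.relative_to(root).as_posix()
    return approved

@dataclass
class Context:
    user: str
    device_role: str   # the device's business/technical function, e.g. "kiosk" (assumed)
    location: str      # e.g. "office", "home", "public-wifi" (assumed)
    at: time

@dataclass
class Rule:            # allowlist entry: these hashes, on these roles, under these conditions
    hashes: Set[str]
    roles: Set[str]
    locations: Optional[Set[str]] = None       # None means any location
    hours: Optional[Tuple[time, time]] = None  # None means any time of day

class Allowlist:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules, self.audit = rules, []     # audit records every denied attempt

    def decide(self, exe_hash: str, ctx: Context) -> bool:
        for r in self.rules:
            if (exe_hash in r.hashes and ctx.device_role in r.roles
                    and (r.locations is None or ctx.location in r.locations)
                    and (r.hours is None or r.hours[0] <= ctx.at <= r.hours[1])):
                return True
        # Default deny: unknown builds and out-of-context use are blocked and logged.
        self.audit.append({"user": ctx.user, "hash": exe_hash[:12], "role": ctx.device_role,
                           "location": ctx.location, "at": ctx.at.isoformat()})
        return False

def demo() -> dict:
    """Constructed scenario: a two-file golden image, two rules, four access decisions."""
    files = {"Program Files/Tool/tool.exe": b"MZ tool v1", "Windows/notepad.exe": b"MZ notepad"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_bytes(data)
        approved = import_baseline(Path(tmp))
    tool, pad = (hashlib.sha256(d).hexdigest() for d in files.values())
    assert set(approved) == {tool, pad}      # the import captured exactly the baseline
    wl = Allowlist([Rule({pad}, {"analyst-laptop", "kiosk"}),
                    Rule({tool}, {"analyst-laptop"}, {"office", "home"}, (time(7), time(19)))])
    analyst = lambda loc, hh: Context("alice", "analyst-laptop", loc, time(hh))
    return {"office_day": wl.decide(tool, analyst("office", 10)),              # True
            "public_wifi": wl.decide(tool, analyst("public-wifi", 10)),        # False: context revoked
            "kiosk": wl.decide(tool, Context("bob", "kiosk", "office", time(10))),  # False: wrong role
            "new_build": wl.decide(hashlib.sha256(b"MZ tool v2").hexdigest(), analyst("office", 10)),
            "denied": len(wl.audit)}                                           # 3
```

The "new_build" case shows why hash-level identification blocks an unapproved new version even when its name and path are unchanged; in a real deployment the approved set would be refreshed from the patch pipeline rather than edited by hand.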

Lastly, RES ONE Identity Director integrates with BigFix as well. It can provide end users with access to select relevant “fixlets” for their devices and initiate deployment via BigFix. It also has the ability to leverage an approval process so that system owners must approve the deployment before it executes. Historically, there is a common issue in BigFix for large organizations where there are too many “console operators”: the more console operators in BigFix, the more performance can be degraded. The RES ONE Identity Director integration gives lower-level regional IT administrators the ability to deploy content, patches, or enforce baselines without ever being granted a BigFix console operator account.

In today’s budget- and resource-constrained government environment, where mission-critical functions depend on information technology, the ability to manage that technology to assure the confidentiality, integrity, and availability of information is now also mission-critical. When designing enterprise and security architecture, agencies work to securely meet the IT infrastructure needs of their governance structure, missions, and core business processes. Information security is a dynamic process that must be proactively managed to identify and respond to new vulnerabilities, evolving threats, and a constantly changing operational environment. Not being secure or not being compliant leads to decreased productivity. The dynamic composition and superior security features of User Workspace Management save IT professionals’ time and allow users to stay productive while maintaining security wherever they are working.

• Users can get the IT services they need, quickly and automatically
• IT can meet and exceed user expectations
• Delivery and return of IT services happens instantly and 24/7/365
• IT can become a trusted partner and value-added service provider to the business
• The gap between business and IT is bridged

RES customers have experienced:

• $3.6 Million savings (225% ROI and 6.3 month payback)
• 25% reduction in help desk tickets within 30 days
• New worker productivity in hours versus 6 weeks

ABOUT RES

RES creates, automates and secures digital workspaces to improve the experience and productivity of the workforce while lowering IT costs. RES takes a people-centric approach to making technology access secure, even in complex multi-device/multi-location scenarios, across physical, virtual and cloud environments. RES boasts numerous patented technologies, fast time to value, and superior customer support for more than 2,500 companies around the world. For more information, visit www.res.com, contact your preferred RES partner, or follow updates on Twitter @ressoftware.

© Copyright 2017 RES Software. All Rights Reserved. All other trademarks are the properties of their respective companies. RES ONE is a trademark of Real Enterprise Solutions Nederland B.V.

v 1.0 01/09/17