Comply to Connect (C2C) - CSIAC

Date posted: 02-Jun-2020
Moderator: Steve Warzala [email protected] Comply to Connect (C2C) Today’s Presenter: Tony Gillespie ForeScout Technologies Inc., Public Sector Strategist March 23, 2017 https://www.csiac.org/
Transcript
Page 1: Comply to Connect (C2C) - CSIAC · Comply to Connect (C2C) Today’s Presenter: Tony Gillespie ForeScout Technologies Inc., Public Sector Strategist ... ISE Cisco Identify Services

Moderator:

Steve Warzala

[email protected]

Comply to Connect (C2C)

Today’s Presenter: Tony Gillespie

ForeScout Technologies Inc., Public Sector Strategist

March 23, 2017

https://www.csiac.org/

Page 2:

COMPLY TO CONNECT

•What is it?

•What can it do?

•What does it solve?

Comply to Connect current and future capabilities

(AKA integration of ForeScout and IBM)

Page 3:

Speaker

Tony Gillespie

Recently retired GS15 Assistant Chief of Staff G6/CIO for Marine Corps Installations East. 35 years Marine Corps active duty and Civil Service.

Was responsible for the Voice, Video, Data and Security for all USMC bases on the East Coast south of Quantico, Va.

Primary architect and Pilot of C2C for the DoD

[email protected]

910.265.7995

Page 4:

Comply to Connect

• Immediate discovery, classification, assessment, remediation of all IP connected devices.

• Control of all end points, continuous monitoring and behavioral analytics

• Orchestration of tools, ticketing, reporting and analytics

• Sound easy?

• Using existing tools, Vendor Proof of Concept (Capability) and 6 months of failures, a “best of breed” concept was developed, proven, documented and validated.

• Comply to Connect is in the 2017 NDAA

Page 5:

2017 NDAA

• This is the bill language from the Conference report accompanying S. 2943:

SEC. 1653. PLAN FOR INFORMATION SECURITY CONTINUOUS MONITORING CAPABILITY AND COMPLY-TO-CONNECT POLICY; LIMITATION ON SOFTWARE LICENSING.

(a) INFORMATION SECURITY MONITORING PLAN AND POLICY.—

(1) PLAN AND POLICY.—The Chief Information Officer of the Department of Defense and the Commander of the United States Cyber Command shall jointly develop—

(A) a plan for a modernized, Department-wide automated information security continuous monitoring capability that includes— (i) a proposed information security architecture for the capability; (ii) a concept of operations for the capability; and (iii) requirements with respect to the functionality and interoperability of the tools, sensors, systems, processes, and other components of the continuous monitoring capability; and

(B) a comply-to-connect policy that requires systems to automatically comply with the configurations of the networks of the Department as a condition of connecting to such networks.

(2) CONSULTATION.—In developing the plan and policy under paragraph (1), the Chief Information Officer and the Commander shall consult with the Principal Cyber Advisor to the Secretary of Defense.

(3) IMPLEMENTATION.—The Chief Information Officer and the Commander shall each issue such directives as they each consider appropriate to ensure compliance with the plan and policy developed under paragraph (1).

(4) INCLUSION IN BUDGET MATERIALS.—The Secretary of Defense shall include funding and program plans relating to the plan and policy under paragraph (1) in the budget materials submitted by the Secretary in support of the budget of the President for fiscal year 2019 (as submitted to Congress under section 1105(a) of title 31, United States Code).

(5) INTEGRATION WITH OTHER CAPABILITIES.—The Chief Information Officer and the Commander shall ensure that information generated through automated and automation-assisted processes for continuous monitoring, asset management, and comply-to-connect policies and processes shall be accessible and usable in machine-readable form to appropriate cyber protection teams and computer network defense service providers.

Page 6:

2017 NDAA

• (6) SOFTWARE LICENSE COMPLIANCE MATTERS.—The plan and policy required by paragraph (1) shall comply with the software license inventory requirements of the plan issued pursuant to section 937 of the National Defense Authorization Act for Fiscal Year 2013 (Public Law 112–239; 10 U.S.C. 2223 note) and updated pursuant to section 935 of the National Defense Authorization Act for Fiscal Year 2014 (Public Law 113–66; 10 U.S.C. 2223 note).

(b) LIMITATION ON FUTURE SOFTWARE LICENSING.—

(1) IN GENERAL.—Subject to paragraph (2), none of the funds authorized to be appropriated by this Act or otherwise made available for fiscal year 2017 or any fiscal year thereafter for the Department of Defense may be obligated or expended on a contract for a software license with a cost of more than $5,000,000 in a fiscal year unless the Department is able, through automated means— (A) to count the number of such licenses in use; and (B) to determine the security status of each instance of use of the software licensed.

(2) EFFECTIVE DATE.—Paragraph (1) shall apply— (A) beginning on January 1, 2018, with respect to any contract entered into by the Secretary of Defense on or after such date for the licensing of software; and (B) beginning on January 1, 2020, with respect to any contract entered into by the Secretary for the licensing of software that was in effect on December 31, 2017.

• This is the explanation that accompanies the bill language

• Plan for information security continuous monitoring capability and comply-to-connect policy; limitation on software licensing (sec. 1653)

The Senate bill contained a provision (sec. 1638) that would require the Chief Information Officer of the Department of Defense and the Commander of United States Cyber Command, in coordination with the Principal Cyber Adviser, to jointly develop a plan for a modernized, enterprise-wide information security continuous monitoring capability and a comply-to-connect policy. The House amendment contained no similar provision. The House recedes with a technical amendment.

Page 7:

Sources: Gartner Security and Risk Management Summit, “Preparing for Advanced Threats and Targeted Attacks”, Kelly Kavanaugh, June 2014; Webtorials and ForeScout Internet of Things Security Report, June 2016

http://www.forbes.com/sites/gilpress/2016/01/27/internet-of-things-iot-predictions-from-forrester-machina-research-wef-gartner-idc/6/#26e32a1972a0; http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/

Consequences and Impact of Inadequate Visibility

Industry Stats:

• 80% of successful attacks leverage well-known vulnerabilities – Gartner Security and Risk Management Summit

• 99% of exploits through 2020 will continue to use vulnerabilities that have been known for at least one year – Gartner

• Top 10 exploited vulnerabilities are more than a year old - HP Security Research.

• 66% of networks will experience an Internet of Things based breach by 2018 – IDC

• 80% of all endpoints connected to the network will not support agent-based technologies by 2020 – Gartner

Business / Mission impact:

• Reputational damage which could impact funding.

• Breach remediation averages $4 Million per incident – Ponemon Institute, June 2016

• Critical citizen services become unavailable, unreliable

• Loss of grant funding or punitive damages due to non-compliance with Federal & State requirements

Page 8:

Fundamental Security Baseline (we all must do it)

• The largest threat to networks is end points (Managed and unmanaged IoT)

• You MUST be able to discover, classify and perform real time risk assessments.

• We need to INTEGRATE tools to reduce extraneous, redundant expensive capabilities.

• We need to become Pro-Active in our efforts (Analytics, Mitigation, Assessments)

• Users are our only reason for having a network; is there a patch for stupid?

• Most Cybersecurity resources are performing fundamental baseline security tasks (vice pro-active measures)

• Let’s lock our doors and roll up the windows! (Fundamental security automation, AKA the “stupid patch”, or a wrench big enough to tighten the loose nut)

• How much time do you spend wrestling little alligators that take up YOUR cycles when you should be strategizing?

Page 9:

IoT Device Growth

IoT = Internet of Things

[Chart: IoT device growth, 1990 to 2015 to 2020, moving from PC to BYOD to IoT; y-axis ticks at 0, 5 billion and 30 billion devices]

The Internet of Things is the network of dedicated physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment.

Page 10:

IoT = Internet of Things

A Perfect Storm of Threats Creating New Security Needs

Attacks Targeting Devices that Corporations Can’t See

• 5 out of 6 large companies are hit with targeted attacks today

• 50% of enterprises lack visibility on mobile

• 99% of IoT devices do not support security agents

Page 11:

Required Capabilities - Going from Present State to Desired State

Agentless, Continuous Discovery & Situational Awareness

– Device Classification of ALL connected endpoints without the use of Agents

– Ability to rapidly deploy the solution enterprise-wide

– Defense In Depth – Monitor cyber hygiene of all endpoints and the required security controls in real-time

Automated Policy Enforcement

– Out-of-the-box integration with current tools (patch, firewall, antivirus)

– Legacy equipment protection

– Complete asset inventory for HelpDesk, CMDB, Renewals

– Rogue Device/Activity detection and mitigation

Continuous and Situational State Asset Awareness

– Single pane of glass for detecting, mitigating, and remediating cyber incidents
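The three capability groups above (agentless discovery and classification, automated policy enforcement, continuous asset awareness) combine into one per-device decision at connect time. The gate below is an added illustration of that decision flow, not code from the presentation, from ForeScout, or from the DoD pilot: classification and inventory membership are checked first, agent-capable endpoints are then measured against the network baseline, and agentless device classes (the 80% of endpoints the slides say will not support agents) are confined to a restricted segment instead of being asked for hygiene data they cannot report. The `Endpoint` and `Baseline` fields, the decision names, the device classes and the sample MAC/IP values are all constructed assumptions.

```python
# Added illustration of a Comply-to-Connect admission gate. Not ForeScout, DoD or
# presentation code; every field name, device class and sample value is an assumption.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"          # meets the baseline: normal network access
    REMEDIATE = "remediate"  # managed device with a fixable gap: remediation VLAN, push the fix
    RESTRICT = "restrict"    # expected agentless class: confined to its purpose-built segment
    BLOCK = "block"          # unknown or rogue: no access until discovered, classified, inventoried


@dataclass
class Endpoint:
    mac: str
    ip: str
    agent_capable: bool
    classification: Optional[str]          # from agentless fingerprinting; None = not yet classified
    in_inventory: bool
    patch_age_days: Optional[int] = None   # None when no agent or scan data exists
    av_running: Optional[bool] = None
    disk_encrypted: Optional[bool] = None


@dataclass
class Baseline:
    """The network's configuration baseline that a device must meet to connect."""
    max_patch_age_days: int = 30
    require_av: bool = True
    require_encryption: bool = True
    agentless_classes: frozenset = frozenset({"printer", "ip-camera", "hvac-controller"})


def evaluate(ep: Endpoint, baseline: Baseline) -> Tuple[Decision, List[str]]:
    """Decide access for one endpoint and return the findings behind the decision."""
    # Step 1: discovery and classification. A device that is unclassified or absent from
    # the inventory is a rogue by definition; posture is irrelevant until that is fixed.
    if not ep.in_inventory or ep.classification is None:
        return Decision.BLOCK, ["unclassified or not in asset inventory"]

    # Step 2: agentless devices cannot report hygiene. Admit only expected classes,
    # and only into a restricted segment; anything else is treated as rogue.
    if not ep.agent_capable:
        if ep.classification in baseline.agentless_classes:
            return Decision.RESTRICT, [f"agentless {ep.classification}: restricted segment only"]
        return Decision.BLOCK, [f"agentless class '{ep.classification}' not permitted here"]

    # Step 3: managed endpoints are measured against the hygiene baseline; each gap
    # becomes a finding that the orchestration layer can hand to the patch/AV tool.
    findings: List[str] = []
    if ep.patch_age_days is None or ep.patch_age_days > baseline.max_patch_age_days:
        findings.append(f"patches older than {baseline.max_patch_age_days} days")
    if baseline.require_av and not ep.av_running:
        findings.append("antivirus not running")
    if baseline.require_encryption and not ep.disk_encrypted:
        findings.append("disk encryption off")
    return (Decision.REMEDIATE, findings) if findings else (Decision.ALLOW, [])


def run_gate(endpoints: List[Endpoint], baseline: Baseline) -> Dict[str, Tuple[Decision, List[str]]]:
    """Evaluate every discovered endpoint, keyed by MAC so the result can drive the switch port."""
    return {ep.mac: evaluate(ep, baseline) for ep in endpoints}


def summarize(results: Dict[str, Tuple[Decision, List[str]]]) -> Dict[str, int]:
    """Count decisions: the figures a real-time compliance dashboard would display."""
    counts = {d.value: 0 for d in Decision}
    for decision, _ in results.values():
        counts[decision.value] += 1
    return counts


# Constructed sample inventory (hypothetical MACs and RFC 1918 addresses).
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "10.0.1.10", True, "workstation", True, 5, True, True),
    Endpoint("00:11:22:33:44:02", "10.0.1.11", True, "workstation", True, 45, False, True),
    Endpoint("00:11:22:33:44:03", "10.0.2.20", False, "printer", True),
    Endpoint("00:11:22:33:44:04", "10.0.2.21", False, "smart-tv", True),
    Endpoint("00:11:22:33:44:05", "10.0.3.5", False, None, False),
]

if __name__ == "__main__":
    results = run_gate(SAMPLE_ENDPOINTS, Baseline())
    for mac, (decision, findings) in results.items():
        print(f"{mac}  {decision.value:<9}  {'; '.join(findings)}")
    print(summarize(results))
```

In a deployment the `Decision` would be pushed to the access layer through the mechanisms in the glossary (RADIUS attributes, a CoA to re-authorize the port, a Security Group Tag), and the findings list is what the orchestration and ticketing integration consumes. The ordering matters: checking inventory before posture is what makes a rogue device a BLOCK rather than a never-ending REMEDIATE.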

Page 12:

Desired State & Positive Mission Outcomes

Desired State:

1. Complete visibility: “You cannot protect what you cannot see.”

2. Understanding configuration, posture, location and ownership of all devices on the network in real time, supported or unsupported

3. Rapid response to prevent incidents and breaches through orchestration using the current portfolio – a self-defending network

4. Real-time dashboard of PCI, HIPAA, etc. compliance

5. Automate remediation of findings from audits

Positive Mission Outcomes (per IDC)

1. Reduced chance of outage caused by cyber event.

2. Increased devices in compliance

3. Improved incident resilience

4. Result: public trust and confidence.

Page 13:

So what?

• Staff realigned to proactive tasks (Analytics, Hunting, Forensics)

• Resource reduction (be careful with this one!)

• 99.x% compliance can be YOUR minimum standard!

2nd and 3rd order effects

• Increased security across the enterprise

• Immediate action and zero day mitigation

• Real-time knowledge of current security posture

• Asset and license management

• Portfolio Management

Page 14:

Thank you!

Page 15:

Acronym Glossary

AAA Authentication, Authorization and Accounting

ACL Access Control List

ACS Cisco Secure Access Control Server

ARP Address Resolution Protocol

ATD Advanced Threat Detection

ATP Advanced Threat Prevention

BYOD Bring Your Own Device

CA Certificate Authority

C&C Command and Control

CEF Cisco Express Forwarding

CoA Change of Authorization

DHCP Dynamic Host Configuration Protocol

DNS Domain Name Server

EMM Enterprise Mobility Management

EX FireEye’s Threat Prevention Platform for Email-based Cyber Attacks

FERC Federal Energy Regulatory Commission

FW Firewall

GUI Graphical User Interface

HIPAA Health Insurance Portability and Accountability Act

HITECH Health Information Technology for Economic and Clinical Health

HPS Host Property Scanner

HX FireEye’s Endpoint Threat Prevention Platform

ID Identification

IM Instant Messaging

IOC Indicators of Compromise

iOS Apple operating system for mobile devices

IoT Internet of Things

IP Internet Protocol

ISE Cisco Identity Services Engine

MAB MAC Authentication Bypass

MTP FireEye’s Mobile Threat Prevention Platform

MTTD Mean Time to Detection

MTTR Mean Time to Resolution

NA Not Applicable

NAC Network Access Control

NERC North American Electric Reliability Corporation

NetBIOS Network Basic Input/Output System

NIC Network Interface Card

NIMAPP Network Mapper

NIST National Institute of Standards and Technology

NMAP Network Mapper

NX FireEye’s Network Threat Prevention Platform

OS Operating System

P2P Peer to Peer

PCI Payment Card Industry

PKI Public Key Infrastructure

pxGrid Cisco Platform Exchange Grid

RADIUS Remote Authentication Dial-In User Service

Reauth Reauthorization

RTU Remote Terminal Unit

SCADA Supervisory Control and Data Acquisition

SDK Software Developer Kit

SGT Security Group Tags (Cisco)

SIEM Security Information and Event Management

SNMP Simple Network Management Protocol

SOX Sarbanes-Oxley

SQL SQL Server

SSID Service Set Identifier

syslog Standard for message logging

TACACS Terminal Access Controller Access-Control System

TAM FireEye’s Threat Assessment Manager

TAP FireEye’s Threat Analytics Platform

TCO Total Cost of Ownership

USB Universal Serial Bus

VA Vulnerability Assessment

vFW Virtual Firewall

VM Virtual Machine

VPN Virtual Private Network

Page 16:

Backup

Page 17: (no extractable text)

Page 18: (no extractable text)

Page 19:

Vendors are proliferating within these siloed environments

Source: Harbor Research, 2014; McKinsey Global Institute, 2015

IoT Device / Solution Vendors by Physical Environments

[Figure: vendor clusters by physical environment: Personal, Home, City, Factory, Logistics, Retail, Vehicles, Office, Worksite, Medical]

Without standards or platforms, each vendor in each vertical environment tends to build their own respective specialized solution stack from scratch

