Northrop Grumman / Integrated Cyber Threat Response

Transcription

1 I. Program Overview Organization Name/Program Name: Northrop Grumman / Integrated Cyber Threat Response Program Leader Name/ Position/Contact information , Phone Program Category Program Background: What is this program all about? (No more than one page). The overarching need for this program History of the program The product that is created by this program Scope of work original & updated Expected deliverables Current status of the program Tim Powell / Director, Information Security Identity, Access and Engineering t.powell@ngc.com, (Choose One) o Sub-System R&D/SDD program or project o Sub-System Production o Sub-System Sustainment o System level R&D/SDD program or project o System level Production o System level Sustainment o Special Project The need for improving network cyber defenses against cyber spies is acute. Cyber spies continue to upgrade their capabilities through new tactics and technology. Successful companies and government agencies must embrace this new arms race and deploy additional defensive countermeasures. Cyber spies have traditionally employed spear phishing as the method of choice to extract company intellectual property. Today, there is a tactical shift by these cyber spies, who now also attack externally-facing web servers. The Northrop Grumman Integrated Cyber Threat Response program (the Program) brought together more than 2,000 information technology and information security professionals from across the country and at all levels of the organization. Together they addressed serious threats to the company computing infrastructure through an innovative, highly collaborative and integrated approach while delivering tremendous value at reduced cycle time. Their efforts led to increased systems administrator engagement and ownership of the implemented processes and solutions, resulting in the heightened protection of company and customer data stored on the company network. The scope of the Program included the main Northrop Grumman network over 100,000 computers and other networking devices as well as hundreds of other smaller 2015 AVIATION WEEK PROGRAM EXCELLENCE INITIATIVE 1

2 networks that the company administers for internal and external customers. The diverse Program team of security and non-security IT experts analyzed the networks and delivered a series of network device configuration changes and a few new network tools to enhance security. The Program was successfully completed in mid-2014 and is now in steady state/sustainment, with key cyber security continuous improvement processes incorporated into dayto-day Information Security operations. II. VALUE CREATION = 20 POINTS Note that we have provided a weighting system on this section that indicates importance to the overall A&D enterprise in improving performance. Value: 50% of category score What is the long-term value, competitive positioning, advantage, and return created by this program to your: Customers National interests, war fighter Company Strength, bottom line, and shareholders Scientific/technical value (particularly for R&D programs) 50% of category score Excellence and Uniqueness: What makes this program unique? Why should this program be awarded the Program Excellence Award? The long term value to our customers military and civilian government agencies is increased security of data stored on Northrop Grumman networks. This information includes critical operational data used by warfighting systems and key national government programs, as well as data relative to research and development programs. As we have recently seen on the news, even partial data loss can seriously damage the mission and/or reputation of the agency impacted, whether the data is stored on their network or another network. With this in mind, customers maintain a positive view of Northrop Grumman as an industry leader and as a trusted partner, knowing the company has invested in and secured internal and external data. Likewise, Northrop Grumman s position as an industry leader, and the value it provides its shareholders is protected against the reputational harm a data loss incident could cause. The Program was unique because it was an internallyfocused company program, but the results affect external customers and partners, and the results are shared with external customers and partners. Northrop Grumman participates in several government sponsored and industry cyber security working groups (e.g., Defense Industrial Base Destructive Resiliency) and freely shares successful defensive techniques and threat information. A Program Excellence award would be appropriate recognition. The Program was remarkable not just for the tremendous results achieved (18 security deployments in 10 months,) but for the innovative management approach 2015 AVIATION WEEK PROGRAM EXCELLENCE INITIATIVE 2

3 used. The Program brought together more than 2,000 Northrop Grumman information technology and information security professionals from across the country and at all levels of the organization. Together they addressed serious threats to the company computing infrastructure through an innovative, highly collaborative and integrated approach while delivering tremendous value at reduced cycle time. Their efforts led to increased systems administrator engagement and ownership in the processes and solutions implemented, resulting in the heightened protection of company and customer data stored on the company network. The Program delivered value very quickly by launching five Integrated Product Teams (IPTs) within the Program structure. Each IPT managed two threads in parallel: a near-term focus for implementing quick win deployments (e.g., turning on additional security features of an existing tool) and a more structured activity to identify and implement higher value, longer-term security deployments (e.g., upgrading all servers to a higher security standard). The practice of simultaneously pursuing immediate-term and longer-term implementations is now being reused by other programs to deliver both rapid initial value and higher-value, underdeveloped or larger-effort solutions. III. ORGANIZATIONAL PROCESSES/BEST PRACTICES: (HOW DO YOU DO THINGS) = 30 POINTS Note that we have provided a weighting system on this section that indicates importance in the evaluation process. For each question, respond with the best practices and unique processes used by your program. Strategic Operations 30% of the score On an on-going basis how do you track and improve the value of this program to your customers, corporation, organization, and employees? Specifically, what processes, tools and practices have allowed the value of your program to increase? Every day, cyber attackers scan and probe Northrop Grumman networks. Hundreds of employees are targeted every month for their computer data and account privileges. These events are resolved quickly, with unique events researched further for mitigation through processes established by the Program. In addition, the Program has provided ongoing, steady-state value each day that Northrop Grumman protects its network and company and customer data from cyber threats. The Program s lasting value continues to increase as the team s ongoing, best practice framework enables development of more and more security ideas into specific 2015 AVIATION WEEK PROGRAM EXCELLENCE INITIATIVE 3

4 deployments that create a stronger company security posture. For example, after each set of deployments, an expert team evaluates and votes to promote the next set of ideas for development and implementation. This structured approach provides for rapid delivery of top security ideas while providing the Information Security organization time to research and evaluate more complex security ideas. Using this framework, the Program successfully elicited, evaluated and managed more than 200 security improvement ideas. Team Leadership 30% of category score Teaming What unique processes and practices have you put in place to maximize team collaboration and efficiency? Supply Chain With the broader distribution of design, development and production responsibility across the supply chain what unique tools, processes and practices have you put into place to ensure integration of the total supply chain (up/down/across)? People Development Among the most important roles of a leader is the identification and development of talent. What unique processes, tools and practices have you put into place to ensure people are developed and given the opportunity to risk, fail, recover and fully contribute. What metrics have you put into place to ensure this effort is effective? The Program had outstanding collaboration processes to leverage the talents of the extended team. To help the more than 2000 systems administrators dispersed across the company understand the Program s need and urgency, a series of conference calls were conducted, each jointly hosted by Northrop Grumman s chief information security officer, corporate security officer, and chief information officer. Leveraging collaboration technology, the company officers were able to directly engage system administrators, establish a direction, and answer questions. The framework for this capability exists today, and can be implemented as significant topics and issues arise. Relative to the supply chain, the Northrop Grumman network provides specific points for access and collaboration with our customers and suppliers and these points are focus areas for security upgrades delivered by the Program. In addition, Northrop Grumman openly shares security best practices and advancements with our customers and suppliers through collaboration forums sponsored by government-industry groups such as the Defense Industrial Base and CERT. For people development, the Program provided recurring individual leadership opportunities for subject matter experts. Each IPT was jointly led by a subject matter expert and the Program s project manager. This enabled subject matter experts to push rapid security idea evaluation and development while allowing the project manager to focus on deployment execution. The Program turned over this dual management approach to regular Information Security operations and it provides an excellent vehicle for developing leaders. Overall, the metrics for managing the IPT structured 2015 AVIATION WEEK PROGRAM EXCELLENCE INITIATIVE 4

5 evaluation process included counts of network security ideas generated and those selected for deployment and successfully deployed. These metrics conveyed the high return-on-investment and the need to continue the security deployments including the opportunities for talented individuals to lead. Operations 40% of category score Cycle Time Please describe what your program has done to reduce and continue to improve the cycle time required for the phase of life cycle in which you currently are executing (design/develop, produce, sustain). Include in your description the tools, processes and practices used as well as the metrics. Efficiencies Affordability and breaking the cost curve are among the most important challenges facing all program managers. Describe the areas you have targeted to improve your costs and how you resolved these challenges for each target. Describe how your program has developed or implemented new and unique tools, processes and practices to reduce cycle time for your program s specific stage of the lifecycle (design/develop, produce, sustain). Planning, Monitoring, and Controlling What are the most significant change elements your program dealt with in the past 36 months, and what unique best practices and processes did you implement to make these changes. (Examples of change: intellectual property, shortages of critical supplies/raw materials.) Using the enhanced management techniques described above, the Program was able to dramatically reduce cycle time, completing 18 significant security deployments in 10 months. One of the largest deployments required engineers to standardize more than 1200 configurations; they completed the work more than one month ahead of the eight month plan (18%+ schedule reduction). The practice of simultaneously pursuing immediate-term and longer-term implementations is being reused by other programs to deliver both rapid initial value and highervalue, underdeveloped or larger-effort solutions. When reused on other programs and projects, these processes help increase labor efficiencies and reduce potential hardware, software, and systems cost challenges. The Program overcame a challenge common on information security efforts: managing sensitive security vulnerability information. Several individuals on the Program were aware of specific security vulnerabilities from industry connections and government partners. Rather than establish the Integrated Cyber Threat Response program as an internal special access program and include sensitive information in the requirements, program management removed sensitive information from program work products, which opened potential participation and communication to all Northrop Grumman employees. Individuals already knowledgeable about the sensitive information could confirm whether proposed security improvements were mitigating vulnerabilities. The rest of the extended team could focus on improving security against a broader set of known threats. This information management approach yielded many large dividends, including reduced development cycle time from unrestricted communications, quicker learning times for individuals joining the program and lower risk of exposing confidential data AVIATION WEEK PROGRAM EXCELLENCE INITIATIVE 5

6 IV. ADAPTING TO INNOVATION AND COMPLEXITY: (HOW DO YOU DEAL WITH YOUR PROGRAM S UNIQUE COMPLEXITIES) = 20 POINTS Identify the Program s Market Uncertainty level How new is your product to your market and users, based on the definitions below. Then describe how you deal and address this specific uncertainty: - Derivative an improvement of an existing product/system. - Platform a new generation in an existing product line. - New to the Market a product or system adopted from another market - New to the World - breakthrough product, never seen before Identify the Program s Technological Uncertainty using the definitions below. Then describe how you deal and address this uncertainty: - Low-tech: application of mature, well-established technology - Medium Technology: existing technology modified to meet new design requirements - High-Technology: recently developed new technology - Super High Technology: nonexisting technology that needs to be developed during the program. Identify the level of your System Complexity using Level of Market Uncertainty Level (choose one) X Derivative Platform New to Market New to the World Describe how your program deals with this uncertainty to maximize value for all stakeholders. In this case, the existing system was the company computer network. The Program dealt with uncertainty about attacker methods and tactics by prioritizing security deployments to defend against multiple threat vectors (types of attacks), both known and expected. Simply stated, security architectures are inherently easier to defend and typically less costly. For example, the Program implemented a simpler standard for defining the thousands of firewall rules in firewalls across the company. The Program team looked for versatile solutions that ideally replaced existing single threat protections and that integrated well with existing network components. Technological Uncertainty Level (choose one) Low Technology Medium Technology X High Technology Super High Technology Describe the processes and practices put into place to manage this level of uncertainty and assure efficient, successful execution. The technologies involved in cyber defense are very often immature as the attackers target the newest products for identifying and exploiting technical vulnerabilities. The Program addressed this uncertainty by deploying compensating controls to secure new devices and by using a layered defense strategy. For example, the Program team implemented naming restrictions and improved password management practices for default server accounts. The Program prioritized security deployments to ensure there are strong defenses to stop an attack at the network perimeter layer, at the endpoint device, at the data layer and during attempted command-and-control external communications. System Complexity (choose one) Assembly Sub-System 2015 AVIATION WEEK PROGRAM EXCELLENCE INITIATIVE 6

7 the definitions below. Then explain how you are dealing with this level of complexity: - An Assembly performing a single function. - A Sub-system fitting within a larger system. - A System a collection of subsystems performing multiple functions. - An Array a System of Systems ; a widely dispersed collection of systems serving a common mission. Identify the Pace and Urgency of your team s effort using the definitions below. Then describe how you deal with the program s pace requirements: - Regular timing no specific time pressures. Fast/Competitive time to market is important for competitiveness. - Time Critical there is an absolute and criticalto-success deadline. - Blitz there is a crisis element driving the need for immediate response System X Array of Systems Describe how your program deals with this level of complexity to ensure efficient, timely execution of the program. Focus on the how. In this case, the common mission was protection of the network and system complexity was created by the many different security deployments. The Program dealt with system complexity by ensuring compatibility with a common security architecture and by using company standard deployment processes. For each deployment, the Program included an Information Security Engineer who ensured the deployed elements integrated with the company security architecture. Pace and Urgency (choose one) Regular Timing Fast/Competitive Time Critical X Blitz The Program environment included the crisis element of potential attack. This atmosphere helped motivate the team to develop and deploy security upgrades as quickly as possible. As explained above, the Program focused on rapid deployment by managing two threads in parallel: a near-term focus for implementing quick win deployments (e.g., turning on additional security features of an existing tool) and a more structured activity to identify and implement higher value, longer-term security deployments (e.g., upgrading all servers to a higher security standard). V. METRICS (HOW DO YOU MEASURE PROGRAM S PERFORMANCE) = 30 POINTS Note 1: We are not looking for $ results, but the relative percentage achieved. In particular indicate what specific metrics and data you are using that drive the program beyond standard measures of schedule, budget, and performance, and which have contributed to your program s focus and its success.) Note 2: We have provided a weighting system on this section that indicates importance to the overall A&D enterprise in improving performance. Those with lower weighting are not unimportant; however, they have become given practices that all teams should be using. 40% of category score Customer/Performance - How do you measure the impact of your program on your customer and your customer s satisfaction? The Program s customers are the users of the Northrop Grumman network and their satisfaction hinges on the network being always available and secure. The Information Security organization continuously measures cyber-attack activity and the company s performance in stopping attacks and protecting data. Example metrics include suspicious 2015 AVIATION WEEK PROGRAM EXCELLENCE INITIATIVE 7

8 Include a description of unique/new metrics, as well as numerical evidence (normally a percentage or rate). Focus on the unique metrics developed to provide an efficient way to effectively communicate this information to your customers and within your organization beyond your program team. 20% of category score Team - How do you measure and assess the impact of your program on your team development and employee satisfaction? webpage queries blocked, spear phishing attempts blocked, security patch deployment performance and number of vulnerabilities remediated. These metrics are shared with senior management monthly. To maintain security vigilance, the Program needed to convey a sense of urgency to all contributing to network security. To help reach the more than 2000 systems administrators dispersed across the company, the Program established regular conference calls, each jointly hosted by Northrop Grumman s chief information security officer, corporate security officer, and chief information officer. A discussion forum for this group was also established and maintained. The Program overcame a common employee satisfaction challenge on security initiatives: restricted access to sensitive information. Several individuals on the Program were aware of specific security vulnerabilities from industry connections and government partners. Rather than establish the Program as an internal special access program tied to restricted information, program management did not include sensitive information in program requirements and this opened participation and communication about the Program to all Northrop Grumman employees. Individuals already knowledgeable about the sensitive information could confirm whether proposed security improvements were mitigating vulnerabilities. The rest of the extended team could focus on generally improving security against the broader set of known threats. Beyond improved employee satisfaction from working in an inclusive work environment, this information management approach yields reduced development cycle time from unrestricted communications, quicker learning times for individuals supporting information security activity and reduced risk of exposing confidential data. In addition, Northrop Grumman issues an annual employee engagement survey and survey results are reviewed by leadership and employees to understand and discuss areas where employee development opportunities and satisfaction can be improved. 40% of category score Unique Metrics - Describe unique metrics you are The Program team understood that to be successful they needed a measurement program to monitor institutional change and quick remediation of security vulnerabilities. For 2015 AVIATION WEEK PROGRAM EXCELLENCE INITIATIVE 8

9 using to measure your program s progress and how you focus it for outstanding and future success. example, if unsecured passwords were simply corrected, users may use weak passwords again, on the next password change. To drive long-term security improvement and reduce the number of vulnerabilities being created, the Program s legacy complements security compliance checks with measuring indicators of improved security attentiveness: For example, the program team worked with the enterprise training group to track and drive training success rates for the more than 2000 system administrator population to 95% trained by the target completion date. Likewise, the Program influenced the inclusion of security goals in system administrators annual performance reviews. This formal measurement process ensures clear communication between system administrators and their supervisors about the administrator s central role in protecting company and customer data. All key processes and metrics developed by the Program are now part of Northrop Grumman day-to-day Information Security operations AVIATION WEEK PROGRAM EXCELLENCE INITIATIVE 9