Joint Information Environment Single Security Architecture (JIE SSA)

Transcription

1 Joint Information Environment Single Security Architecture (JIE SSA) Danielle Metz DISA JIE Special Assistant to the Mission Assurance Executive /JIE SSA Integrated Design Team Lead 12 May 2014

2 Problem Statement I look at the DoD Architectures today, and defending them is really hard. We have 15,000 enclaves, each individually managed. The consequence of that is that each one of those is patched and run like a separate fiefdom. The people who are responsible for defending them cannot see down beyond the firewalls. Hostbased security systems are helping, but practically speaking, Situational Awareness (SA) is non-existent. General Alexander, USCYBERCOM Commander and Director of NSA, 24 August 2012 interview to Federal News Radio Fragmented defense of DoD Information Networks/Global Information Grid Lack of ability to get SA cripples our ability to defend our networks There is no common operating picture that ensures a comprehensive SA of the entirety of the DoD Cyber Domain Multiple network operations and defense centers, vice integrated, inter-connected Enterprise Operations Centers (EOCs), hinder coordinated DCO and DODIN/GIG operations 2

3 JIE SSA Definition JIE SSA is a joint DoD security architecture comprised of complementary defensive security solutions that: Leverage enterprise defensive capabilities with standardized security suites at optimal locations Remove redundant IA protections Definitively control user data flows and provides global SA down to the B/P/C/S via centralized Computer Network Defense data repository Protect the enclaves after the separation of server and user assets Provide the tool sets necessary to monitor and control all security mechanisms throughout DoD's Joint Information Environment from designated Enterprise Operations Centers Apply the best CC/S/A s Information Assurance capabilities and practices to the Joint Information Environment Security Architecture 3

4 DoD CIO Cybersecurity Goals within JIE SSA Goals Mapped in JIE SSA Outcomes Goal 1: Assured mission execution in the face of cyber warfare Operate/Defend DOD and mission partners can depend on essential information and information infrastructure in the face of cyber warfare by a capable adversary Goal 2: Secure information sharing with mission partners Access/Defend Enable rapid and safe data sharing with any required mission partner Goal 3: DoD and its mission partners can keep a secret Goal 4: Mission Commanders maintain freedom of action in cyber space Goal 5: Technology insertion in DOD is agile Access/Defend Defend Govern Protect our sensitive and classified information Enable and protect mission commander s access to critical mission information when and where needed Employ efficient processes to enable agile technology insertion and deployment with lower risk 4

5 Proposed JIE NIPR SSA 5

6 JIE SSA NIPR Capabilities JIE SSA Capabilities Strategic Sensor Netflow IDS Packet Capture DDOS Detection DDOS External Mitigation ACLs and Whitelist Enterprise IPS DNS Hardening Web Content Filter IPS Enterprise Security Gateway Zero Day Web and Enterprise Remote Access SSL Proxy/Decryption Data Loss Prevention SSL Proxy Packet Capture Reverse Web Proxy DDoS Protection IDS Application Aware FW Zone and Tier Segmentation Hypervisor Protections Stateful FW App Whitelisting/App Sandboxing HBSS Suite Zero Day Endpoint / File Reputation Antivirus Data Loss Prevention Host Intrusion Prevention Systems Policy Auditor Application Discovery Web Application Firewall IPS Database Firewall Netflow Anomalous Network Behavior Detection 6

7 Proposed JIE SIPR SSA 7

8 JIE SSA SIPR Capabilities JIE SSA Capabilities Next Gen FW Intrusion Detection System Netflow Packet Capture Web Content Filter Security Gateway Web Proxies SSL Proxy Data Loss Prevention ACLs Reverse Web Proxy IDS Zone and Tier Segmentation Stateful FW HBSS Suite Antivirus Host Intrusion Prevention Systems Policy Auditor Application Discovery Zero Day Endpoint / File Reputation Web Application Firewall IPS Database Firewall Netflow Anomalous Network Behavior Detection Packet Capture DDoS Protection Application Aware FW Hypervisor Protections App Whitelisting/App Sandboxing Data Loss Prevention 8

9 POC Information POC: DISA JIE Special Assistant to the Mission Assurance Executive Phone: