What Does a Cyber Secure Navy Look Like?
Cyber Protection, Prioritization, and Plan
May 2010

Brian D. Shaw
DASN C4I / IO / Space, Director of Cyber Warfare
brian.d.shaw@navy.mil
brian.d.shaw@navy.smil.mil
shawbri@nmic.ic.gov
703-614-6432 (w)
703-509-2589 (c)
Is it really that bad?

"If the nation went to war today, in a cyber war we would lose." (Mike McConnell, former Director of National Intelligence, Feb 10)

Cyber Shockwave: "We're not prepared!" (Feb 10)
- Very tough to identify WHO is attacking: internet anonymity
- President has little to no overall authority to direct industry actions
- Essentially impossible to prosecute cyber crime, as international borders hinder virtual legal reciprocity and enforcement

"There is no cyberwar but we need to focus on cybersecurity." (Howard Schmidt, Cyber-Security Coordinator, Mar 10)

OUR collective mission / focus: Collaboratively enable information dominance
Who's in Charge? Where?

- POTUS (Cyber Security Coordinator, et al)
- SECDEF / SECSTATE
- Congress
- STRATCOM
- USCYBERCOM
- FLTCYBERCOM
- Navy, Army, AF, Marine Corps
- Federal, Industry, Consumers

Authority and Enforcement are KEY!
Re: CIP is 85% industry - no direct federal control, so what then?

Note - see the glossary for the many acronyms; while defense centric, we need a common cyber taxonomy / lexicon
Strategic Cyber Elements

(1) Collaborate on DoN enterprise IA / cyber strategy and vision: policy mapped to prioritized capabilities with assigned resources
(2) Update DoN overall enterprise risk assessment (ERA): accounts for both significant threat vectors & vulnerability consequences
(3) Prioritize enterprise level mitigations from the ERA; Navy-specific items complement, and are weighted within, the existing CNCI 12
(4) Align and synchronize resources and cyber capabilities across DoN organizations and tier 1 to tier 3 architecture perspectives
(5) Address the pervasive lack of basic cyber hygiene enterprise wide within our total claimancy's people, processes and products (technology)
(6) Reduce complexity - build a trusted cyber infrastructure on top of the existing IA/CND infrastructure, as an integrated SoS, with enforced CM
(7) Better integrate / leverage education and IO / CNO, thus optimize our overall cyber package and ensure synchronization and RESILIENCY!

Top down approach to a balanced, prioritized cyber execution plan
What cyber variables can we affect?

Effective as-is, or have a lower added ROI:
- Prosecution/enforcement: need near real-time forensics, global reciprocity
- Offensive tools: good now, controlled use, escalation
- Try to fix all issues/problems: many are intractable, givens, etc.
- Continue to emphasize perimeter defense: they are already in!

BEST potential impact and long term effectiveness:
- Improve education and training, yet use checks / balances
- Enterprise risk management using both threats & consequences
- Effective IA/Cyber Management: enforceable CM & a trust model
- Proactive, dynamic CND / IA defense (DCD), as the best offense
- Define & enforce network policy / SOPs: cut off those not in compliance

Continue to finesse the first set / Go full force on the last!
Integrated CND & IA as a SoS (all defensive protections must themselves act as one system)

- It's all about TRUST: need a common enterprise trust model
- Some HAP/TSM is needed, but where to put which EAL devices?
- Need a common top-down, enforced IA/Cyber architecture/model
- Need an alternative to commercial ISP: leverage existing dark fiber?
- Effective / secure enterprise access control is everything: IA&A implementation focus = authorization based access control complemented by ABAC, RBAC, even RAdAC as an end-state
- Proactive/Dynamic Defensive I&W
  - Detect abnormal patterns, characteristics, attributes, unusual requests.
  - Provide auto alerts; divert questionable actions; "wrap" issues/problems
  (This is the catch-all capability, as we can't protect everything near 99%)
- Life cycle education and training must parallel acquisition
- Integrated Computer Security Operations Centers (eg: GNOSC, etc)
- Centralized V&V / assessment collection and reporting (NCDOC / NIOC)
- Institutionalize Dynamic Cyber Enterprise Management (DCEM)

Protect the Cyber C3 Crown Jewels!
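The access-control end-state named above (authorization-based access control complemented by ABAC, RBAC and, ultimately, RAdAC) can be read as a layered decision: a role layer, an attribute layer, and a risk-adaptive layer that tightens access as the session or the network posture looks worse. The Python below is an added example written for this page, not DoN or NCDOC code; the roles, clearance labels, enclave names, INFOCON-to-risk weights and thresholds are all constructed assumptions chosen to make the layering visible.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# RBAC layer: constructed role-to-permission map (assumption, not a DoN role model).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"read:incident"},
    "watch-officer": {"read:incident", "update:incident"},
    "net-admin": {"read:incident", "change:config"},
}

# ABAC layer: constructed ordering of clearance / classification labels.
LABEL_ORDER: Dict[str, int] = {"unclassified": 0, "secret": 1}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    clearance: str
    enclave: str          # network the session comes from, e.g. "nipr" / "sipr"
    auth_strength: str    # "password" or "pki" (CAC/PKI)


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    enclave: str          # network the resource lives on
    required_permission: str


@dataclass(frozen=True)
class Context:
    infocon: int          # 5 = normal readiness, down to 1 = most severe
    anomaly_score: float  # 0.0 (normal) .. 1.0 (highly abnormal session behaviour)


def rbac_allows(subject: Subject, resource: Resource) -> bool:
    """Role layer: does any of the subject's roles grant the required permission?"""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    return resource.required_permission in granted


def abac_allows(subject: Subject, resource: Resource) -> bool:
    """Attribute layer: clearance must dominate classification and enclaves must match."""
    dominates = LABEL_ORDER[subject.clearance] >= LABEL_ORDER[resource.classification]
    return dominates and subject.enclave == resource.enclave


def radac_risk(subject: Subject, context: Context) -> float:
    """Risk-adaptive layer: a constructed score; higher means less trust in this session."""
    risk = context.anomaly_score
    risk += 0.1 * (5 - context.infocon)      # elevated INFOCON tightens everything
    if subject.auth_strength != "pki":
        risk += 0.2                          # a weak authenticator adds risk
    return round(risk, 3)


def decide(subject: Subject, resource: Resource, context: Context,
           step_up_at: float = 0.5, deny_at: float = 0.9) -> Tuple[str, str]:
    """Compose the layers: RBAC, then ABAC, then risk-adaptive tightening."""
    if not rbac_allows(subject, resource):
        return "deny", "no role grants " + resource.required_permission
    if not abac_allows(subject, resource):
        return "deny", "clearance or enclave attributes do not satisfy the resource"
    risk = radac_risk(subject, context)
    if risk >= deny_at:
        return "deny", f"risk {risk} at or above deny threshold"
    if risk >= step_up_at and subject.auth_strength != "pki":
        return "step-up", f"risk {risk}: require CAC/PKI re-authentication"
    return "allow", f"risk {risk} acceptable"


# Constructed sample subjects, resource and contexts for a stand-alone run.
INCIDENT_DB = Resource("incident-db", "secret", "sipr", "update:incident")
OFFICER_PKI = Subject("officer1", frozenset({"watch-officer"}), "secret", "sipr", "pki")
OFFICER_PW = Subject("officer1", frozenset({"watch-officer"}), "secret", "sipr", "password")
ANALYST = Subject("analyst1", frozenset({"analyst"}), "secret", "sipr", "pki")
UNCLEARED = Subject("officer2", frozenset({"watch-officer"}), "unclassified", "sipr", "pki")
NORMAL = Context(infocon=5, anomaly_score=0.0)
ELEVATED = Context(infocon=3, anomaly_score=0.2)
SEVERE = Context(infocon=1, anomaly_score=0.6)

if __name__ == "__main__":
    cases = [(OFFICER_PKI, NORMAL), (OFFICER_PW, ELEVATED), (OFFICER_PKI, SEVERE),
             (ANALYST, NORMAL), (UNCLEARED, NORMAL)]
    for who, ctx in cases:
        print(who.user, who.auth_strength, ctx, "->", decide(who, INCIDENT_DB, ctx))
```

The point of the composition order is that the cheap, static layers (role, clearance, enclave) reject first and the risk layer only ever tightens; it never grants something the role or attribute layers refused. The same watch officer is allowed under normal readiness, pushed to CAC/PKI re-authentication when the session looks odd at an elevated INFOCON, and refused outright when the risk score crosses the deny threshold.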
Dynamic Cyber Enterprise Management

1 - Institutionalize enforceable configuration management
  - Established baselines; manage dynamic settings (C.I.s)
  - Properly configured / CCB-controlled (servers, routers, firewalls, etc)
  - Patches, updates, IAVA delta / increment change mgmt
  - Verification / Auditing / Certification & Accreditation (C&A)
2a - Continuous monitoring & reporting
  - Automatic reports/alerts fed to users & central repository
  - Integrated with NetOps and Infocon (IPS-like actions)
2b - Intuitive situational awareness: automated dashboard
  - Must have an enterprise network picture; can't manage unknowns
3 - Life cycle best practices / SOPs: institutionalize rigor

- NSA IAD: poor IA management factors (CM, monitoring, follow SOPs) = 80%
- NCDOC: lack of IA accountability (poor CM, inadequate IAVA, misuse) = 90%
- Verizon Data Breach Report: implementing known fixes and capabilities = 87%

Effective, enforceable DCEM / enterprise cyber hygiene
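Steps 1 through 2b above (an established baseline of configuration items, an IAVA delta, automatic alerts, and a dashboard picture) are the part of DCEM that can be checked mechanically on every reporting cycle. The Python below is an added example written for this page, not DoN or NCDOC tooling; the asset names, configuration keys, logging address and the IAVA identifiers are constructed placeholders, and the severity rule is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: the approved configuration items (C.I.s) per asset.
BASELINE: Dict[str, Dict[str, str]] = {
    "rtr-edge-01": {
        "telnet": "disabled",
        "ssh_version": "2",
        "snmp_v1": "disabled",
        "logging_host": "10.0.0.5",      # constructed address
    },
    "web-srv-01": {
        "tls_min_version": "1.2",
        "admin_share": "disabled",
        "av_agent": "running",
        "logging_host": "10.0.0.5",
    },
}

# Constructed required patch set per asset: the "IAVA delta" to track.
# The identifiers are placeholders, not real IAVA numbers.
REQUIRED_PATCHES: Dict[str, Set[str]] = {
    "rtr-edge-01": {"IAVA-EXAMPLE-001"},
    "web-srv-01": {"IAVA-EXAMPLE-002", "IAVA-EXAMPLE-003"},
}

# Assumed severity rule: drift on these C.I.s is "high", anything else "medium".
HIGH_IMPACT_KEYS = {"telnet", "snmp_v1", "admin_share", "av_agent", "tls_min_version"}


@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str       # "drift", "missing_ci", "unexpected_ci" or "missing_patch"
    item: str
    expected: str
    observed: str
    severity: str   # "high" or "medium"


def severity_for(key: str) -> str:
    return "high" if key in HIGH_IMPACT_KEYS else "medium"


def diff_config(asset: str, baseline: Dict[str, str], observed: Dict[str, str]) -> List[Finding]:
    """Compare one asset's observed settings with its approved baseline."""
    findings: List[Finding] = []
    for key, expected in baseline.items():
        if key not in observed:
            findings.append(Finding(asset, "missing_ci", key, expected, "<absent>", severity_for(key)))
        elif observed[key] != expected:
            findings.append(Finding(asset, "drift", key, expected, observed[key], severity_for(key)))
    for key, value in observed.items():
        if key not in baseline:   # a setting nobody approved through the CCB
            findings.append(Finding(asset, "unexpected_ci", key, "<not in baseline>", value, "medium"))
    return findings


def diff_patches(asset: str, required: Set[str], installed: Set[str]) -> List[Finding]:
    """Report every required patch that the asset does not yet have installed."""
    return [Finding(asset, "missing_patch", p, "installed", "missing", "high")
            for p in sorted(required - installed)]


def assess(observed_configs: Dict[str, Dict[str, str]],
           installed_patches: Dict[str, Set[str]]) -> List[Finding]:
    """Run baseline and patch checks over every asset in the baseline; silence is itself a finding."""
    findings: List[Finding] = []
    for asset, baseline in BASELINE.items():
        observed = observed_configs.get(asset)
        if observed is None:
            findings.append(Finding(asset, "missing_ci", "<whole asset>", "reporting", "<no report>", "high"))
            continue
        findings.extend(diff_config(asset, baseline, observed))
        findings.extend(diff_patches(asset, REQUIRED_PATCHES.get(asset, set()),
                                     installed_patches.get(asset, set())))
    return findings


def dashboard(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per-asset counts by severity: the minimal enterprise picture you cannot manage without."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        summary.setdefault(f.asset, {"high": 0, "medium": 0})[f.severity] += 1
    return summary


def format_alert(f: Finding) -> str:
    return f"[{f.severity.upper()}] {f.asset}: {f.kind} {f.item} expected={f.expected} observed={f.observed}"


# Constructed observed state, as a scanner or host agent would report it.
OBSERVED_CONFIGS = {
    "rtr-edge-01": {"telnet": "enabled", "ssh_version": "2", "snmp_v1": "disabled",
                    "logging_host": "10.0.0.5", "http_server": "enabled"},
    "web-srv-01": {"tls_min_version": "1.2", "admin_share": "disabled",
                   "logging_host": "10.0.0.5"},          # av_agent not reported
}
INSTALLED_PATCHES = {
    "rtr-edge-01": {"IAVA-EXAMPLE-001"},
    "web-srv-01": {"IAVA-EXAMPLE-002"},
}

if __name__ == "__main__":
    results = assess(OBSERVED_CONFIGS, INSTALLED_PATCHES)
    for f in sorted(results, key=lambda x: (x.severity != "high", x.asset)):
        print(format_alert(f))
    print(dashboard(results))
```

On the constructed input this yields four findings: telnet re-enabled and an unapproved HTTP server on the router, and a missing anti-virus agent plus one outstanding patch on the web server. Treating an asset that stops reporting as a high finding is deliberate: an unknown is exactly what the "can't manage unknowns" line warns about.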
CNE / CNA

- Provide near-real time OPSEC to IA
- Effectively leverage the black side Intel into secret (& below) protections
- Establish Cyber War Reserve Modes: isolated networks, C2 order wire, mil using dark fiber, etc
- Fusion of diverse data into KM we can use in all of cyber: all sensors, CNE/A effects, OpSec, Intel, etc = improved CND/IA
- Can't easily / rapidly tell WHO the bad actors are
- Need cyber detection / forensic capabilities (Service's responsibility)
- Offensive uses best done by STRATCOM / USCYBERCOM / C10F
- Cyber War / ROE undefined; unclear if win-lose / lose-lose
- Offensive cyber methods / tools / activities require authorized and skilled subject matter experts
Key Tactical Thrusts

- Organize DoN cyber security approach / governance - RACI
- Update ERA, prioritize mitigations and resources
- Begin Dynamic Cyber Enterprise Management asap
- Top-down enforcement of IA / Cyber architecture
- Secure enterprise access control / Cyber IFF
- Overall Dynamic Cyber Defense (DCD) approach
- Proactive / dynamic defensive I&W: monitor abnormal behavior
- Virtual storefront reacts quickly to predictive IO/IA I&W
- IA/CND treated as an integrated SoS with lead/lag feedback
- Common enterprise trust model
- Reduce complexity - IA building blocks / APLs with pedigrees
- Integrate into an enterprise cyber security model / framework
- Execute lifecycle awareness, education, and training

95% security incident reduction
High ROI activities that get us all moving quickly
So what can WE collectively DO? NAVY way forward

- Sync with DOD cyber strategy / USCYBERCOM / other agencies
- Support OPNAV N2N6 cyber roadmap & C10F requirements
- Streamline acquisition process: tie to CNO priorities = value / affordability
- Facilitate Collective / Collaborative Governance
  - Integrated DON efforts: Plans / Policy, Operations, Acquisition, R&D, etc
  - Overall execution coordination / cooperation between government, industry, academia, and other key cyber stakeholders
- Cooperatively ACT on key tactical thrusts affordably!
  - Focus on: highest ERA ROI items, reduce complexity, enforce resiliency
  - Do the basics well & first - otherwise new toys matter little
  - Enforce critical areas (like CM, hygiene...) and fix what ails us now
  - Leverage the bleeding edge - let CNCI lead/sponsor

COMMS, collaboration, alerts at cyber speed!
Information Dominance: The ability to seize and control the information domain "high ground" when, where and however required for decisive competitive advantage across the range of Navy missions...

Questions? Comments? Suggestions?
Glossary

APL/PPL - approved/preferred product list
ACL - access control list
CA - certification authority
C&A - certification & accreditation
CCB - configuration control board
CI - configuration item
CIP - critical infrastructure protection
CNCI - Comprehensive National Cybersecurity Initiative
CND/CNO - computer network defense/operations
CSIS - Center for Strategic and International Studies
DCD - dynamic cyber defense
DCEM - dynamic cyber enterprise management
EAL - evaluation assurance level
ERA - enterprise risk assessment
HAP - high assurance platform
HBSS - host based security system
IAD - Information Assurance Directorate (at NSA)
IAVA - information assurance vulnerability alert
IA&A - identification, authentication and authorization (access control)
IDS/IPS - intrusion detection / protection system
IOS - internetwork operating system (OS for routers)
ITMC - IT Management Council
I&W - indications and warnings
KM - knowledge management
NIAP - National IA Partnership
SANS - storage area network systems
TSM - trusted security module
VM - virtual machine
V&V - verification and validation
ZBAC - authorization-based access control
Back Ups
Trace Requirements to the Top: President's Cyber Plan

1 - Ensure accountability in federal agencies; cyber security will be designated as a key management priority.
2 - Work with ALL the key players, including state and local governments and the private sector.
3 - Strengthen the public-private partnerships.
4 - Continue to invest in the cutting-edge research and development necessary for innovation and discovery.
5 - Begin a national campaign to promote cyber security awareness and digital literacy.

DOD / DON cyber approach must be global, as is the cyber landscape!
NSPD-54/HSPD-23: CNCI 12 Initiatives (Comprehensive National Cyber Security Initiative)

[Diagram of the twelve initiatives by focus area; recovered from the slide text, layout not preserved.]

Focus Area 1 - Establish a front line of defense:
- Deploy Trusted Internet Connections
- Deploy Passive Sensors Across Federal Systems
- Pursue Deployment of Intrusion Prevention Systems
- Coordinate and Redirect R&D Efforts

Focus Area 2 - Resolve to secure cyberspace / set conditions for long-term success:
- Connect Current Centers to Enhance Situational Awareness
- Develop Gov't-wide Counterintelligence Plan for Cyberspace
- Increase Security of the Classified Networks
- Expand Education

Focus Area 3 - Shape future environment / secure U.S. advantage / address new threats:
- Define and Develop Enduring Leap-Ahead Technologies, Strategies & Programs
- Define and Develop Enduring Deterrence Strategies & Programs
- Manage Global Supply Chain Risk
- Define Federal Role for Cybersecurity in Critical Infrastructure Domains

Agency cyber efforts must leverage the Federal investments.
The HARD part is implementing enterprise integration, interoperability and controlling emergent behavior - that can affect most focus areas.
DoD CND (and Cyber) Defense in Depth (From NCDOC briefs)

[Diagram: layered capability map. Layers, legend and capability names are recovered from the slide text; the placement of individual capabilities within layers and their legend status are not recoverable.]

Layers: LOCAL ENCLAVE / LAN (POP/HUB); WAN (Enclave); Navy GIG (NCDOC); DoD GIG (JTF-GNO). Tiers I-III are marked, with DoD GIG (JTF-GNO) as Tier I.
Legend: Operational; Funded and Rolling Out; Proposed or In Development.

CND SP: Incident Response / Management; Prometheus; Threat Analysis; Compliance Scans; IAVM Management.

Capabilities named (deduplicated): Incident Response; Incident Handling; IDS; NUDOP; Global CND UDOP; DNS Blackholes / DNS Blackholing; PROMETHEUS; HOST Firewalls; Firewalls; SIPRNET Firewall; Standard IP Blocks / Standard IP Block Lists; ACLs; NET Cool / INMS View; NET Cool Data; IAP Monitoring; Site Compliance Scans; Compliance; PKI; CAC/PKI; Threat Analysis; Threat Assessment; NMCI NIPRNET IDS Feeds; NMCI SIPRNET IDS Feeds; Email AV; Anti-virus; In-Line Virus Scanning; IAVM Implementation; IAVM Compliance; IAVM Vulnerability Remediation; TRICKLER; PPS Policy; Alert Filtering; CENTAUR; Vulnerability Scanning; Vulnerability Remediation; CND Data Strategy; System Patching; Metrics; CDS; DITSCAP/DIACAP; In-Line Filtering; Deep Packet Inspection; IPS; CENTRIXS Monitoring; CONOPS; CARS; IASM; DRRS-N; RNOSC; HBSS; Content Filtering; SCCVI-SCRI; ENMS; Tier 3 SIM; WIDS; TMAT; IWCE; Wireless Mapping; WAN SA; SLIDR; Standardized Configurations; Navy DMZ; Enterprise DMZ; Management Enclave DMZ; DAR POR; CND POR; Insider Threat; SIPR NAC; GIAP; IP Sonar; Functional NIC; Multi-Layer Protocol Defense; Honey Grid; DAPE; Tutelage.

Secure Locally, Defend Globally.
Cyber = mostly life-cycle education and proactive, dynamic defense.
The smart integration and collaboration between MANY needed IO & IA functions.
Integration of Cyber Security and Defense Capabilities (From NCDOC briefs)

[Diagram: timeline from 2003/2004 through 2008 of cyber capabilities synchronized against the threat vectors. Threat and capability names are recovered from the slide text; which year each capability belongs to is not recoverable.]

Threats: Insider Threat; Stolen Credentials; Spear Phishing; Zero Day Exploits; Soft Cert Searches; Web Based Attacks; Social Engineering; Compromised Password Files; Known Trojans and Malware; Commonly Known Vulnerabilities; Indiscriminant Recon; New/Custom Trojans.

Capabilities (deduplicated): Mobius Project; Trends Analysis; Online Surveys; IDS Monitoring; Incident Handling; IAVM; CCZ; NIOSC Construct; Tactical IDS placement; DNS Blackhole; IP Block Initiative; CAC/PKI; Network Forensics; Malware Analysis; Signature Development; CARS initiative; Mobius to Prometheus; Cyber Tactical Teams; Enhanced Compliance; LE/CI integration; Threat Analysis Process Improvements; Tactical Sensor Pilot; HBSS Pilot; SCCVI/SCRI; Enhanced Collaboration; IDS to IPS Transition; HBSS Deployment; Content Filtering; Joint Data Strategy; NMIMC Integration; SLIDR Pilot; Insider Threat Tool Pilot; OCRS / IAVA Spiral.

Years: 2003 / 2004, 2005, 2006, 2007, 2008.

Where lack of IA CM is pervasive, it undermines it all.
Synchronized cyber capabilities to narrow the Threat Vectors.
So what are we trying to institute? An integrated Cyber System using dynamic lead & lag feedback

Establish proactive, dynamic CND / IA Defense = dynamic cyber defense (DCD)

[Diagram of the feedback loop; element names are recovered from the slide text, the arrows between them are not.]
- Cyber I&W Virtual Storefront; NMS / Security Management tools; Defensive assessments; Incident results; SA
- Inputs: Sensors, CNA/E inputs, OpSec, Intel, etc; Users & CoC threats; IA & CND threats
- V&V / C&A; Defensive I&W; Forensics; Red Teams
- Upfront/Early feedback (leading indicators): change soft settings (takes seconds to minutes)
- After-the-fact feedback (lagging indicators): upgrades / changes (developed & installed) (takes days to months / years)
Building a Trusted Cyber Infrastructure: an adequately assured, affordable, net-centric environment

- Focus on a few core capabilities & devices = PC, routers, IA suite, servers, & SANS, all with access control
- Standard IA/CND suite: FW, A/V, IDS/IPS, CDS, etc
- Treat as a SoS, with high EAL, IAW NNE 2016 / NGEN vision

[Diagram of the device classes and their target EALs; grouping below follows the order of the slide text and is approximate.]
- Network devices: WAN Router, Core Router, Distribution Router; IA Suite; Assured IOS; various EAL (EAL 4-5, EAL 4)
- Security Monitor HW / FW; Secure OS kernel; Secure Virtual Machine; Strict access / ZBAC; EAL 6
- Servers: ALL OSes (MS, Mac, Unix); SANS; EAL 5-6; data-centric security; Defensive I&W; Strict access / ZBAC
- PC / end user devices: Secure OS; TSM; HBSS; ZBAC; EAL 3-4
- Eval Assur Level (EAL) scale: 2, 3, 4, 5, 6, 7

Make IT security a commodity: use IA building blocks = APLs/PPLs, NIAP. Interoperability and compose-ability are built in upfront and help dramatically reduce complexity and ambiguity. Thus establishing known risks & pedigrees: reduces attack surface, impacts & TOC.