Network Security Deployment (NSD)



Similar documents
Network Security Deployment Obligation and Expenditure Report

National Cybersecurity Protection System (NCPS)

Request for Records Disposition Authority

The Comprehensive National Cybersecurity Initiative

EINSTEIN 3 - Accelerated (E 3 A)

US-CERT Year in Review. United States Computer Emergency Readiness Team

Preventing and Defending Against Cyber Attacks November 2010

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Preventing and Defending Against Cyber Attacks June 2011

How To Improve Federal Network Security

Privacy Impact Assessment EINSTEIN Program

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Fiscal Year 2011 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002

Cyber Security Metrics Dashboards & Analytics

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

Network Monitoring using MMT:

Department of Homeland Security

Written Testimony. Dr. Andy Ozment. Assistant Secretary for Cybersecurity and Communications. U.S. Department of Homeland Security.

(U) Appendix D: Evaluation of the Comprehensive National Cybersecurity Initiative

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

North American Electric Reliability Corporation (NERC) Cyber Security Standard

ANNUAL REPORT TO CONGRESS: FEDERAL INFORMATION SECURITY MANAGEMENT ACT

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC)

Working with the FBI

Concierge SIEM Reporting Overview

What s New in Security Analytics Be the Hunter.. Not the Hunted

A New Perspective on Protecting Critical Networks from Attack:

How To Manage Security On A Networked Computer System

How To Monitor Your Entire It Environment

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis

Department of Homeland Security Federal Government Offerings, Products, and Services

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

RAVEN, Network Security and Health for the Enterprise

Reliable, Repeatable, Measurable, Affordable

Eight Essential Elements for Effective Threat Intelligence Management May 2015

The SIEM Evaluator s Guide

Visualization, Modeling and Predictive Analysis of Internet Attacks. Thermopylae Sciences + Technology, LLC

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

White Paper Integrating The CorreLog Security Correlation Server with BMC Software

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

AMPLIFYING SECURITY INTELLIGENCE

SES / CIF. Internet2 Combined Industry and Research Constituency Meeting April 24, 2012

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Defense Security Service

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

Open Source in Government: Delivering Network Security, Flexibility and Interoperability

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

24x7 Incident Handling and Response Center

Middle Class Economics: Cybersecurity Updated August 7, 2015

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS

Discover Security That s Highly Intelligent.

UNCLASSIFIED/FOR OFFICIAL USE ONLY. Department of Homeland Security (DHS) Continuous Diagnostics & Mitigation (CDM) CDM Program Briefing

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

2) trusted network, resilient against large scale Denial of Service attacks

Cisco Cyber Threat Defense - Visibility and Network Prevention

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Advanced Threat Protection with Dell SecureWorks Security Services

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

How To Sell Security Products To A Network Security Company

The Cyber Threat Profiler

Cyber Incident Annex. Cooperating Agencies: Coordinating Agencies:

I N T E L L I G E N C E A S S E S S M E N T

IBM SECURITY QRADAR INCIDENT FORENSICS

Cross Agency Priority Goal: Cybersecurity FY2014 Q2 Status Update

Unified Security, ATP and more

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Cyber Incident Annex. Federal Coordinating Agencies. Coordinating Agencies. ITS-Information Technology Systems

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

DHS Cyber Security & Resilience Resources: Cyber Preparedness, Risk Mitigation, & Incident Response

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

POLIWALL: AHEAD OF THE FIREWALL

Open Source Software for Cyber Operations:

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1. Network Security. Canada France Meeting on Security, Dec 06-08

RSA Security Analytics Security Analytics System Overview

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Enterprise Security Tactical Plan

CyberReady Solutions. Integrated Threat Intelligence and Cyber Operations MONTH DD, YYYY SEPTEMBER 8, 2014

Transcription:

Network Security Deployment (NSD) National Cybersecurity Protection System (NCPS) 11 July 2012

What is the NCPS? National Cybersecurity Protection System (NCPS) is the program of record within the Department of Homeland Security for satisfying the goals of the CNCI; it is how the Department defines and manages its technology investment against requirements, cost, and schedule It is synonymously referred to as EINSTEIN in the press and outreach briefings NCPS provides a wide range of cyber security capabilities for the Federal Executive Branch government networks (.gov domain), including: Intrusion detection (passive defense) Intrusion prevention (active defense) Advanced cyber analytics Data aggregation & correlation Visualization Malware analysis Packet Capture Incident Management Information sharing and collaboration This range of capabilities supports US-CERT operations and helps prevent cyber attacks on the.gov domain and/or reduces the time to respond to and recover from cyber attacks when they occur. 2

NCPS Capabilities Breakdown Einstein 3 Accelerated Einstein 2 NCPS consists of a series of incremental Block programs Einstein 1 Incident Handling Malware Lab Advanced Analytics Each Block includes an EINSTEIN component that encompasses a specific cybersecurity capability Blocks serve as the mechanism for governing acquisition of the program within DHS 3

NCPS Intrusion Detection (Block 2.0) Capabilities Description: Passive, signature-based Intrusion Detection System (IDS) capabilities to help protect Federal Executive Branch government networks. Block 2.0 capabilities include*: IDS sensors can be located at Department/Agency Trusted Internet Connection (TIC), TIC Access Point (TICAP) or Managed Trusted Internet Protocol Service (MTIPS) locations Sensor utilize taps; not in-line with data flow MOAs govern NCPS bandwidth utilization Centralized data storage Visualization, correlation, knowledgebase, IDS and flow analysis tools Contextual data feeds Block 2.0 subsumed Block 1.0 capabilities and also includes: Block 1.0 network flow sensors and data collection/analysis infrastructure Mission Operating Environment (MOE) Incident Management System (IMS) Public and secure web presences Goals: Deploy flow collectors and IDS sensors to cover all Federal Government Civilian Department and Agency network traffic Improve detection, prevention and notification of cyber incidents 4

NCPS System Enhancement (Block 2.0.x) Capabilities Block 2.0.x capabilities provide enhancements to EINSTEIN 2 capabilities that include: Packet Capture (PCAP) Description: An environment for collecting, analyzing, and storing the payload data from network traffic. Goal: Provide the ability to conduct deep packet inspection of suspicious malicious traffic Malware Analysis Center Description: An environment that supports secure automated submission and analysis of malware Goals: Provide an isolated environment for the safe submission of malware samples Support automated analysis and storage of malware samples Provide an unattributable network to support malware research Enhanced Analytics Description: High input/output relational database and visualization tools that support queries on and visualizations of very large datasets Goal: Significantly reduce the amount of effort and time to analyze large data sets and produce cyber analytics reports Enrich analysis with a wide range of commercial, open source, and organic threat feeds and data sources Incident Management System Description: Replacement of US-CERT s existing incident management system (a highly customized proprietary application) with an open source cyber incident tracking application Goals: Simplify data input and better align incident management processes with US-CERT s cyber analysis processes Improve system performance Support standards-based, machine-to-machine ticket exchanges with Departments/Agencies and other CIRTs 5

NCPS System Enhancement (Block 2.0.x) Capabilities (cont.) Additional Block 2.0.x capabilities: Cyber Indicators Repository (CIR) - Formerly known as External Indicators & Warnings (E-I&W) Description: An external facing application that allows US-CERT and its D/A partners to share indicators (DNS, email, file hash values, etc.) related to malicious network traffic Goals Provide a central repository for the cyber community for indicators and warnings data Protect attribution through strict access controls and rules on how summary information is reported Cyber Indicators Analysis Platform (CIAP) - Formerly known as Internal Indicators & Warnings (I-I&W) Description: An internal application used to support cyber indicator analysis and serve as US-CERT s authoritative source for cyber indicators Goals Support internal analysis through the flexible association of structured and unstructured data, as well as contextsensitive relationships that may change over time Integrate CIAP and CIR (ingest new indicators from CIR; export finished products from CIAP to CIR) CyberScope Description: A DOJ-developed system that is used to automate FISMA reporting and support continuous monitoring of the installed base of Federal Government (.gov) information technology assets. Goals Assume management control of the application and migrate it from a DOJ Data Center to DHS Data Centers Improve support for automated data feeds (e.g., incorporate additional SCAP-based feeds, increase frequency to real-time reporting, etc.) 6

NCPS System Enhancement (Block 2.0.x) Capabilities (cont.) Additional Block 2.0.x capabilities: US-CERT Public web site* Description: A publically-accessible web site, hosted at the Software Engineering Institute, that provides high-level information about cyber threats Goals Provide a mechanism for sharing cyber threat advisories and cyber security best practices with the general public Provide a mechanism for submission of cyber incidents and malware by private citizens Migrate the capability to a DHS Data Center US-CERT HSIN Portal* Description: A secure portal, hosted by the NC4 Corporation, that is used by DHS and it s cyber partners to support information sharing Goal Support two-factor authentication Provide multiple secure compartments to support collaboration with limited communities Provide tools to support real time and asynchronous collaboration with trusted partners Provide mechanisms for sharing cyber data feeds and analytic tools Migrate the capability to a DHS Data Center * These capabilities were originally developed under Block 2.0, but will eventually be subsumed by Block 2.2 7

NCPS Analytic (Block 2.1) Capabilities Security Information & Event Management (SIEM) Description: A Security Information and Event Management (SIEM) capability for normalizing and correlating disparate data source events and providing threat visualization, analytics, and reporting services Currently utilizes the following data sources: Netflow data Netflow data tagging IDS alerts US-CERT watch lists Commercial threat feeds Goals: Improve detection, prevention and notification of cyber incidents Improve correlation, aggregation, and visualization of cybersecurity data 8

NCPS Information Sharing (Block 2.2) Capabilities Description: A secure environment for sharing cybersecurity information, at all classification levels, with a wide range of security operations and information sharing centers across federal, state/local/tribal, private, and international boundaries The Information Sharing capability will include the following capabilities: Web-based services that support the exchange and analysis of cyber security information via standardized interfaces Content/document management Asynchronous collaboration (e.g., workspaces) Real time collaboration (e.g., instant messaging, desktop sharing, and white boarding) Two-factor authentication and Identity Management (role-based access control) Federated search Goals: Prevent cyber incidents from occurring through improved sharing of threat information Reduce the time to respond to incidents through improved coordination and collaboration capabilities Improve efficiencies through the use of more automated information sharing and through the exposure of analytics capabilities Improve information sharing of cybersecurity activity KPP 5: Provide data-sharing between all participating agencies on known cyber events within 30 minutes of event detection KPP 6: Provide information-sharing between all participating agencies on known cyber events within 30 minutes of event detection 9

Block 2.2: Information Sharing System Operational View 10

NCPS Intrusion Prevention (Block 3.0) Capability Description An active intrusion prevention capability that conducts threat-based decision making on network traffic entering or leaving the Federal Executive Branch civilian networks and disables attempted intrusions before harm is done Top Secret Mission Operating Environment (MOE) at NCPS Operations and Data Centers Classified and unclassified signatures and countermeasures Back-end data storage and data processing capabilities located at DHS Data Centers Goals Increase the volume of DHS monitored Federal traffic Provide the ability to prevent, terminate, or mitigate risks from malicious traffic Improve detection, prevention, and notification of cyber events 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information