Raytheon Oakley Systems
Michael Crouse, VP, Sales & Marketing
Daniel Velez, Director, Program Operations
Cleared for release. #IIS2013-226.
Page 1
About Us
Founded as Oakley Networks in 2001
Acquired by Raytheon in 2007
US Government and Fortune 500 customers
9th-generation Enterprise Audit and Insider Threat solutions
SureView is export controlled (Department of Commerce)
Securing classified networks and Fortune 500 customers since 2001
Products
Insider Threat, Enterprise Audit, Risk Management, IP Theft Protection, Cross Domain, External Data Source Integration, and Analytics
SureView: Innovation and Integration (diagram)
SureView components: Investigations, Dashboards, Events, Policies
Integrations: ArcSight, McAfee ePO (HBSS)
Audited channels: Email, Browser, IM, Office, Keyboard, Clipboard, File System, Printer, Process, Log On, Lotus Notes, Application Channel, Registry, Terminal, USB, Video, Servers
Feature themes: 64-bit, malware detection, audit, social networking, reporting, scalability, Linux
Policy-Driven Auditing
Specifies what to audit and what should be in the audit record
Specifies what not to collect (example: do not collect email to/from chaplain@unit.army.mil)
Leverages simple If/Then statements
Enables multiple stakeholders (example: Active Malware Protection (AMP))
Example policy:
Audited activity: file write to removable media, where the file contains sensitive data (fingerprinted text, SAP code names)
Audit record: date/time, username, workstation, offending device
Actions: capture file; email security staff; forward to ArcSight
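The slide describes auditing as If/Then policies plus do-not-collect exclusions. The following is an added, self-contained illustration written for this page; it is not SureView code and does not use SureView's data formats. It models the slide's example policy (file write to removable media containing fingerprinted text or an SAP code name, producing an audit record with date/time, username, workstation and device, and the actions capture file, email security staff, forward to ArcSight) and the chaplain@unit.army.mil exclusion. The document fingerprinting method (hashing five-word shingles), the second policy for SAP code names in email, the event fields, the sample events, the user names and the code names are all assumptions constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable

# --- Constructed sample data (hypothetical; not SureView's formats) ---

# A document registered as sensitive. Only its fingerprints are stored for matching,
# so the policy engine never needs a copy of the sensitive text itself.
REGISTERED_DOCUMENT = (
    "The phase two test schedule moves all range activity to the northern site "
    "and the contractor team will deliver integrated flight hardware by May."
)
SAP_CODE_NAMES = {"SILVER LANTERN", "BLUE HARBOR"}   # constructed placeholder code names
SHINGLE_WORDS = 5


def fingerprint(text: str) -> set[str]:
    """Hash every run of SHINGLE_WORDS normalized words (a simple document
    fingerprint; assumed technique, not the product's)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


SENSITIVE_FINGERPRINTS = fingerprint(REGISTERED_DOCUMENT)


@dataclass
class Event:
    channel: str            # e.g. "file_write", "email"
    timestamp: str
    username: str
    workstation: str
    attrs: dict = field(default_factory=dict)   # channel-specific details


@dataclass
class Policy:
    name: str
    condition: Callable[[Event], bool]   # the "If" part
    record_fields: list[str]             # what goes into the audit record
    actions: list[str]                   # the "Then" part


def contains_sensitive_data(ev: Event) -> bool:
    """True if any fingerprinted shingle or any SAP code name appears in the content."""
    content = ev.attrs.get("content", "")
    if SENSITIVE_FINGERPRINTS & fingerprint(content):
        return True
    return any(name in content.upper() for name in SAP_CODE_NAMES)


# Do-not-collect rules run before any policy; a matching event is dropped entirely.
EXCLUSIONS: list[Callable[[Event], bool]] = [
    lambda ev: ev.channel == "email"
    and "chaplain@unit.army.mil" in {ev.attrs.get("from"), ev.attrs.get("to")},
]

POLICIES = [
    Policy(
        name="sensitive file to removable media",
        condition=lambda ev: ev.channel == "file_write"
        and ev.attrs.get("removable_media") is True
        and contains_sensitive_data(ev),
        record_fields=["timestamp", "username", "workstation", "device"],
        actions=["capture_file", "email:security-staff", "forward:ArcSight"],
    ),
    Policy(   # assumed second policy, to show two stakeholders sharing one engine
        name="SAP code name in email",
        condition=lambda ev: ev.channel == "email" and contains_sensitive_data(ev),
        record_fields=["timestamp", "username", "workstation", "from", "to"],
        actions=["email:security-staff"],
    ),
]


def audit(ev: Event, policies=POLICIES, exclusions=EXCLUSIONS) -> list[dict]:
    """Return the audit records (with actions) that the policies produce for one event."""
    if any(rule(ev) for rule in exclusions):
        return []
    records = []
    for pol in policies:
        if pol.condition(ev):
            rec = {f: ev.attrs.get(f, getattr(ev, f, None)) for f in pol.record_fields}
            rec["policy"] = pol.name
            rec["actions"] = list(pol.actions)
            records.append(rec)
    return records


# Constructed sample events: a sensitive paragraph copied to USB, a harmless local
# write, an excluded email to the chaplain, and an email carrying a code name.
SAMPLE_EVENTS = [
    Event("file_write", "2013-06-05T14:02:11Z", "jdoe", "WS-0417",
          {"device": "USB\\VID_0781&PID_5567", "removable_media": True,
           "content": "Notes: the contractor team will deliver integrated flight hardware by May."}),
    Event("file_write", "2013-06-05T14:05:40Z", "jdoe", "WS-0417",
          {"device": "C:", "removable_media": False, "content": "lunch menu"}),
    Event("email", "2013-06-05T14:09:02Z", "asmith", "WS-0221",
          {"from": "asmith@unit.army.mil", "to": "chaplain@unit.army.mil",
           "content": "private matter, mentions SILVER LANTERN"}),
    Event("email", "2013-06-05T14:12:30Z", "asmith", "WS-0221",
          {"from": "asmith@unit.army.mil", "to": "vendor@example.com",
           "content": "status of silver lantern"}),
]


def run_sample() -> list[list[dict]]:
    return [audit(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, recs in zip(SAMPLE_EVENTS, run_sample()):
        print(ev.channel, ev.username, "->", recs)
```

The exclusion list is checked before any policy so the excluded email is never recorded even though it contains a code name; that ordering is what makes a do-not-collect rule a collection limit rather than a post-filter on already captured data.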
Management Controls
Role-based access
Robust operator auditing
Segregation of collected data
Chain-of-custody features
Non-technical oversight
Integration with 3rd-party enterprise tools such as ePO and various SIEMs (ArcSight, Splunk, etc.)
Access to controls based on role, mission requirements, and authorization
CrossView: Cross Domain Auditing
Analyze events from networks across air-gapped domains on one investigator workbench.
Diagram: Network A, Network B, Network C -> Cross Domain Solution -> SureView / CrossView Analyst Workbench
Convergence: External Data Source Aggregation
Data sources: HR data, communications, personnel security information, foreign travel information, facility access information, shared space, audit data
Multi-source data aggregation and single search queries
Convergence: Conceptual Architecture (diagram)
Components: Desktop Agents, Collector Node, Master Node, Central Database, Enterprise Application Suite, Connector Modules, Analytics Node, Arbitrary External Data Sources, REST APIs (requires separate Convergence license)
Phasing labels: Phase 1, Analytics, Future Data
Spotlight: Analytics Interface
Enables customers to discover and understand meaningful patterns in large sets of audit data through seamless integration with best-of-breed analytical tools, including: risk assessment algorithm, anomaly detection, user trend analysis, role-based profiling with threat indicators
Analytics Platform modules may be developed by ROS, authorized 3rd-party partners, or directly by customers
Analytics Platform provides optimized access to SureView data and a means for sending the results of analysis back into the SureView system for presentation to analysts
Spotlight: Conceptual Architecture (diagram)
Components: Analytics Modules, Management & Status User Interface, Enterprise Application Suite, Analytics Node, Collector Node, Master Node, REST APIs, Central Database, Spotlight Framework
Support for Person-Centric Investigations
Add features to more easily attribute collected audit data to an identifiable person.
Implies a shift away from the traditional primary association of collected data with a SureView agent.
Particularly relevant to:
Convergence customers who are aggregating audit data from multiple external data sources
SureView customers with hosted virtual desktop environments
CrossView customers with users whose behavior they audit across multiple domains
SureView Value Proposition
Demonstrably Superior Cyber Audit Capability
Operationally proven, mature and scalable solution with an overall install base of hundreds of thousands of endpoints to date
Unobtrusive and configurable policy-based endpoint auditing with full-context event replay
Comprehensive coverage and collection of end-user behavior on desktops, workstations and laptops, whether connected to the network or completely offline
Low Risk
Fully accredited for operation on JWICS, SIPRNET and other classified/unclassified networks
Fully interoperable with other host-based security system architectures and leading Security Information and Event Management (SIEM) tools such as ArcSight
Comprehensive mission support for services, training, and documentation
Compliant
Compliant with DCID 6/3 and ICD 503 as well as DISA STIG security requirements
Fully validated NIST FIPS 140-2 encryption modules for all cryptographic functions
Standardized audit policies and a common, exportable data format enable discovery and retrieval of audit information
Cost Effective
Low Total Cost of Ownership (TCO)
Flexible pricing for focused-observation investigations and enterprise auditing
Support for hosted virtual desktops to align with agency virtualization and cloud strategies
Demonstration objective: to demonstrate the power of the ROS SureView system with the Convergence and Advanced Analytics options
Agenda
Scenario 1: Unapproved Job Outsourcing
Scenario 2: Intellectual Property Theft
Scenario 1: Unapproved Job Outsourcing
Scenario: FJEA insider Aaron Reed exposes his agency to tremendous risk when he covertly outsources his job to a 3rd party in China and opens up access to mission resources in the process.
This demonstration shows how the correlation of aggregated data from multiple sources can build a rich view of the context around user activities, providing valuable insight into an insider's motive and intent. This kind of proactive approach is essential to mitigating today's complex array of insider threat risks.
Scenario 1: Unapproved Job Outsourcing (video demo)
Scenario 2: Intellectual Property Theft
Scenario: the impact of a company Reduction In Force (RIF) notification on employee behavior, causing increased risk of an insider threat incident. Bob Davis is potentially working with a 2nd party inside the company to exfiltrate sensitive company data.
This demonstration shows that an effective insider threat mitigation program requires aggregation and correlation of data from various data repositories. With context and audit records from multiple sources, the time to discover and investigate an incident is reduced.
Scenario 2: Intellectual Property Theft (video demo)
Contact Info
Michael Crouse, Vice President, Sales and Marketing, Raytheon Oakley Systems, 443-858-8527, michael.crouse@raytheon.com
Daniel Velez, Director, Program Operations, Raytheon Oakley Systems, 703-244-9887, daniel.velez@raytheon.com