
Kenneth Neves, Brenda Turteltaub 7/14/09

Overview of the Integrated IT/Cyber Roadmap Initiative: Presented to NNSA Information Technology Workshop, Las Vegas. Kenneth Neves, Brenda Turteltaub, 7/14/09. Outline: Charter and team deliverables; Threat/Response; Process: four baseline assessments; Building vision; Roadmap based on vision.





Presentation Transcript


  1. Overview of the Integrated IT/Cyber Roadmap Initiative: Presented to NNSA Information Technology Workshop, Las Vegas. Kenneth Neves, Brenda Turteltaub, 7/14/09

  2. OUTLINE
  • Charter and team deliverables
  • Threat/Response
  • Process: Four baseline assessments
  • Building vision
  • Roadmap based on vision
  • Conclusion
  • Backup slides (8 area vision charts, with 71 suggested improvements)
  Director’s Office – OCIA

  3. Group charter
  This group was established by the CIO Multi-site Initiative 2.4 to address the HQ request to identify Complex-wide cooperation in cyber security and IT. The group is to create an “integrated IT/Cyber roadmap” to create a context for discussion, priority, and joint work among the sites and labs. Identified areas of cooperation in the roadmap serve as a menu for the NSE CIOs and NNSA to guide their efforts and integrate activities along the boundaries of IT and Cyber Security.
  Subgroup Team: The team provided survey responses, interview responses, and many opinions, BUT they are not accountable for conclusions drawn “yet” – future meetings in planning.

  4. Team deliverables
  • Conduct assessment to identify integration opportunities. Due 2/28/09.
  • Provide recommendations. Due 4/30/09.
  • Generate and communicate draft integrated IT-Cyber roadmap. Due 6/30/09.
  • Generate and communicate final integrated IT-Cyber roadmap. Due 9/30/09.
  Today’s presentation precedes an upcoming off-site with CIOs and the subgroup team to finalize a draft roadmap.


  6. Setting: An attack scenario (based on public information) [diagram: Attack; Human intervention]

  7. Setting: Potential response [diagram: Response]

  8. Threats & risks → reactive controls → desired vision (ATTACK + RESPONSE “suggests” ROADMAP)
  Threats & risks:
  • Hackers
  • Determined adversary
  • Insider
  • Outsider with credentials
  • Automated propagation of malware
  Desired vision: a long-term defense that anticipates new attack vectors; appropriate defensive measures (e.g. NIST 800-53); tradeoffs with residual risk.


  10. Process: Four “baseline” assessments
  • Assessment 1: Brainstorm/Survey/Vote on items & areas we could pursue in the near term. Completed: see file “Affinity Analysis.pptx”*
  • Assessment 2: Preliminary survey on Organizational Structure, Critical Infrastructure Protection, and Configuration Management. Completed: see file “Comparison Matrix Complete.xlsx”*
  • Assessment 3: Telephone interviews to understand IT/Cyber practices of each site/Lab. Completed: see file “Comparison Interviews KWN 6-12-09.xlsx”*
  • Assessment 4: A more systematic assessment, based on Consensus Audit Guidelines (CAG-20)**. Completed: see file “Controls Complete 6-9-09 ver 1.xlsx”*
  *These files are on the KC Wiki. For Wiki access issues contact Art Wegener, [awegener@kcp.com]. Limited access because OUO.
  **Ref: http://www.gilligangroupinc.com/headlines/2009/feb-23-related/20090223-cag-draft-1.0.html

  11. Consensus Audit Guidelines (CAG 20): Important in building draft roadmap*
  • Automated inventory of software and hardware
  • Standard secure configurations for hardware and software on laptops, workstations and servers
  • Secure configurations for network devices, firewalls, routers, and appliances
  • Boundary defenses (architecture, filters, proxies, egress port controls)
  • Integrated audit logs and analysis tools, local and complex
  • Application software security
  • Controlled use of administrative privileges
  • Continuous vulnerability scanning/remediation
  • Dormant account monitoring and control
  • Anti-malware defenses
  • Limitation and control of egress ports, protocols
  • Wireless device control
  • Data leakage protection
  • Secure network engineering
  • Red team exercises
  • Data recovery
  • Training, certification and skills assessment
  *Adapted from CAG 20 Controls 2/23/09, and detailed in survey.

  12. Consensus Audit Guidelines (CAG 20): Important in building draft roadmap (continued)
  • Instructs on how to implement and test controls
  • Maps to 800-53 controls
  • Categorizes controls as:
    • Quick wins
    • Improved visibility and attribution
    • Hardened configuration and improved information security hygiene
    • Advanced
  Controls were categorized to help organizations set a meaningful baseline and plan and measure improvements. Although the controls are intended to improve cyber security, most are implemented through IT.

  13. CAG 20 category definitions: Focus on quick wins to improve rapidly
  • Quick Wins: These fundamental aspects of information security can help an organization rapidly improve its security stance generally without major process, organization, architecture, or technical changes to its environment. It should be noted, however, that a Quick Win does not necessarily mean that these controls provide protection against the most critical attacks. The intent of identifying Quick Win control areas is to highlight where security can be improved rapidly. These items are identified in this document with the label of “QW.”
  • Improved Visibility and Attribution: These controls focus on improving the process, architecture, and technical capabilities of organizations so that the organization can monitor their networks and computer systems, gaining better visibility into their IT operations. Attribution is associated with determining which computer systems, and potentially which users, are generating specific events. Such improved visibility and ability to determine attribution supports organizations in detecting attack attempts, locating the points of entry for successful attacks, identifying already-compromised machines, interrupting infiltrated attackers’ activities, and gaining information about the sources of an attack. These items are labeled as “Vis/Attrib.”
  • Hardened Configuration and Improved Information Security Hygiene: These aspects of various controls are designed to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities as well as improving the operations of networked computer systems. Control guidelines in this category are formulated with the understanding that a well-managed network is a much harder target for computer attackers to exploit. Throughout this document, these items are labeled as “Config/Hygiene.”
  • Advanced: These items are designed to further improve the security of an organization beyond the other three categories. Organizations handling particularly sensitive networks and information that are already following all of the other controls should focus on this category. Items in this category are simply called “Advanced.”

  14. Input sources: All posted on the team’s “Entrusted” Wiki Site
  • Interviews (27 pages)
  • CAG Survey (90 pages)
  • Rating of Controls (12 pages)
  • $Funding$ Sources (2 pages)

  15. Validated approach: “After the fact validation”
  “Career-boosting opportunity” [slide 16, Alan Paller, Director of Research, SANS Institute, Las Vegas, DOE Conference, May 13, 2009]:
  • Be the person who enables rapid implementation of the “20 Critical Controls” and
  • Does the gap analysis showing current controls vs. “20 Critical Controls”
  • Builds the automation process that puts controls in place
  • Builds the monitoring system that measures effectiveness
  • Builds the dashboard that gives executives visibility into the “20 Critical Controls”
  • Establishes the audit program for the “20 Critical Controls”
  This slide appeared in a recent keynote talk at the DOE Cyber Conference. HOWEVER: We do NOT believe controls are the whole picture or the whole answer to threats! We need an overarching integrated IT/Cyber strategy.


  17. Controls for today suggest visions for tomorrow
  Controls for today:
  • Automated inventory of software and hardware
  • Standard secure configurations for hardware and software on laptops, workstations and servers
  • Secure configurations for network devices, firewalls, routers, and appliances
  • Boundary defenses (architecture, filters, proxies, egress port controls)
  • Integrated audit logs and analysis tools, local and complex
  • Application software security
  • Controlled use of administrative privileges
  • Continuous vulnerability scanning/remediation
  • Dormant account monitoring and control
  • Anti-malware defenses
  • Limitation and control of egress ports, protocols
  • Wireless device control
  • Data leakage protection
  • Secure network engineering
  • Red team exercises
  • Data recovery
  • Training, certification and skills assessment
  DESIRED VISION IN KEY AREAS:
  • Configuration management of IT assets
  • Network management/architecture
  • Information protection
  • Sustaining support and services
  • Authentication and authorization
  • Technology tools to build policy and security into the system
  • People and socialization issues
  • Server and application security
  • Governance processes, local and complex-wide

  18. Observations
  • Both NIST 800-53 and the CAG 20 controls are focused on defense at the boundaries, stressing:
    • Configuration management
    • Standards
    • Levels of protection commensurate with risk
  • However, good practices beyond “controls” need to be considered: e.g. anomaly detection, network and application role-based access controls, defense against novel application-based attack vectors
  • Hence, our vision must include selected controls, not be mired in them
  • Very soon we will see rev. 3 of 800-53 and rev. 1 of 800-37
  • More controls will be added by NIST, which will cost more to implement, BUT will not necessarily address the highest-order risk
  • We lack a business-based approach to cost, risk, and protection
  • Consequently, we have augmented the CAG survey by requesting information during interviews on other topics that are not simply control based

  19. Create “pillar visions/guiding principles” that point the way!
  [diagram] INPUT BASELINE (CAG Survey + Organization & Culture Interviews) → DESIRED VISION IN THESE AREAS* (details: technical visions, not integrated) → PILLAR VISIONS, cast as guiding principles (high-level key drivers): Organization & Culture; Critical Inf. Protection; Config. Management
  Desired vision in these areas*:
  • Configuration management of IT assets
  • Network management/architecture
  • Information protection
  • Sustaining support and services
  • Authentication and authorization
  • Technology tools to build policy and security into the system
  • People and socialization issues
  • Server and application security
  • Governance processes; local and complex-wide
  *Backup slides not presented today: 71 Desirable States

  20. Approach to a roadmap [diagram: Steps toward Roadmap 1, 2, 3, 4]
  Step 1 – As-is: Interviews, CAG-20 questionnaire; HQ support; Teaming
  Step 2 – Pillar Visions: Enabler/Obs. Narrative
  Step 3 – Roadmap: Timeline (Yr. 1 Quick Wins, Yr. 3, Yr. “N”); Risk/Benefits
  Step 4 – Actions toward visions

  21. Pillars of cyber security are inclusive and require sound IT practices [diagram: Cyber Security supported by Organization and Culture, Critical Infrastructure Protection, and Configuration Management]
  1. Organization and Culture
  • Office of the CISO/CIO
  • Information Security Awareness
  • Information Risk Management
  • Program Management
  • Enterprise Architecture
  • Policy Management
  • Records Management
  2. Critical Infrastructure Protection
  • Network Security
  • Privileged User Management
  • End Point Protection
  • Security Architecture
  • Identity & Access Management
  • Physical Security
  • Centralized Logging and Event Correlation
  • Disaster Recovery
  • Convergence of Technologies
  • Central Service Management Model
  • New Computing Environments (e.g. grid, cloud)
  3. Configuration Management
  • Standard Operating Environment
  • Software Dev. Life Cycle – Security
  • Data Stewardship
  • “Rationalize Platforms” – Virtualization

  22. Pillar visions cast as guiding principles
  • The Pillar visions offered here are distilled from the 8 area vision charts* developed by the committee, interviews, responses to the CAG survey, trends in technology, and foreseeable threats
  • They provide a context for future discussions around actionable plans to “evolve” toward a more common NNSA approach
  • Visiting these principles periodically among HQ, Local Site Offices, and M&O Management provides a dialog for change, improvement, and affordability
  • Common vision does NOT mean we are all the same, but that we have agreed to similar goals
  Any number of actions can be taken, as a “Complex”, to close gaps in these areas – it’s a matter of priority and risk management. This approach supports Secretary Chu’s vision for more focus on “real protection” and less focus on compliance.
  *see backup charts for 8 area visions

  23. Guiding principles, Pillar 1: Organization and culture
  • Central integration of IT and Cyber Security should be integrated under a single management focus group or position (e.g. CIO, COO, Director, DDO, or other entity)
  • Each site should have an encompassing model for IT/Cyber that includes policies, portfolio optimization, service architecture, enterprise architecture, information protection/retention, and skills management
  • IT/Cyber should be viewed and managed as a partner and enabler of the mission within the institution, not “just a cost”, under an “inclusive” governance model
  • There should be a Complex-wide partnership to manage residual risk that includes HQ, Local Site Offices, and M&O Senior Management

  24. Guiding principles, Pillar 2: Critical infrastructure protection
  • Central site-network security should be managed from the desktop to the internet to include appropriate “edge” controls and configurations throughout
  • Security Architecture: Each site should have a similar security architecture to include access models, intrusion prevention and detection systems, and near real-time automated assessments
  • We should actively anticipate future technologies and their impact: specifically convergence, new modes of access, and new computing environments (e.g. mobile devices, clouds, grids, wireless)
  • We should actively manage the interfaces of physical security and information policy into the fabric of cyber space implementations whenever possible
  • We should provide full role-based access and controls to the network and its assets -- controlled at the edges and monitored within at the packet level

  25. Guiding principles, Pillar 3: Configuration management
  • We should evolve standardized environments and testing tools to automate compliance in near real time – this includes platforms, operating systems, network devices and pervasive applications
  • Each site should have a well-defined life cycle process for all IT assets and platforms
  • Create an application service architecture (to overlay on the network architecture) for key institution enterprise applications that provides appropriate controls and isolation of sensitive information
  • Anticipate technologies that lower cost and improve security (e.g. diskless, virtualization, rationalization)
  • The Complex should provide a common model for ingress/egress port monitoring, proxies, and filters


  27. Draft roadmap
  • Based on the pillar principles and area visions [not presented], we selected items for a typical roadmap definition
  • We biased the selection based on whether it:
    • Is multi-site in nature
    • Appears to be actionable (without considering funding issues)
    • Was categorized as “quick win” and/or appears to be urgent in the face of threats
  • This is a proposed structure for a roadmap -- the actual items listed still require full committee vetting and consensus building
  • Finalization is due Sept. 30, 2009

  28. Candidate complex-wide activities, Pillar 1: Organization and culture (Not appropriate for public view)
  • Identify a business model for residual risk acceptance and a broad structure for the costs of implementing new controls
    • Speak the same language when we talk about impact
    • Provide an informed risk basis for HQ decisions
  • Prototype a portfolio management process that ensures stakeholder input and allows the Complex to invest in new approaches
  • Ensure that at each site we manage integrated IT and cyber solutions – CIO level, Deputy Director of Operations, and/or Director level
  • Define a common approach to incident classification and response
  • Address new pending mandates such as records management and email retention
  • Create joint strategies for disaster recovery and continuity of IT operations
  • Create a technology “watch” with Complex-wide coordination

  29. Candidate complex-wide activities, Pillar 2: Critical Infrastructure (Not appropriate for public view)
  • Gain Complex-wide accreditation (including rules/policies) regarding mobile computing, instant messaging, and tele-presence
  • Develop/purchase/deploy a common expert-systems-based intrusion detection suite of tools, to include real-time log/event crawlers (and foster a Complex-wide approach)
  • Improve sharing of attack information during events (e.g. SNL proposal)
  • Collaborate on common remote access models, with common “edge management policies,” and identify tools
  • Consider common role-based models to support intra-site access (e.g. a common ontology of users: employee, contractor, collaborator, citizen, foreign person, etc.)
  • Extend (B) to complex-wide event monitoring in real time

  30. Candidate complex-wide activities, Pillar 3: Configuration Management (Not appropriate for public view)
  • Develop a component library of configurations for platforms, testing tools, and security plans for potential sharing
  • Help the Complex decide on the minimal controls required for unclassified networks as a base for the Complex, allowing for site-specific issues
  • Design a “boundary edge” architecture to create common DMZ, firewall, proxy rule sets, etc.
  • Explore data-at-rest protection and egress monitoring, and develop a data protection strategy
  • Provide domain expertise and foster collaboration with research entities in Government, so that new technology is applied to our real-world defensive issues

  31. Guiding principles for selecting and executing general multi-site initiatives
  • Focus on Quick Wins
  • Look for teaming opportunities within existing funding
  • “Buy” vs. “make” is preferred
  • Focus on activities that mutually benefit and are consistent with our respective contract commitments
  • Preventative measures are preferred over corrective measures
  • Strive for lowering security risks vs. enhancing a compliance-based approach
  • Select areas that promote Complex-wide evolution to standards in IT and best business practices

  32. Roadmap to close gaps (selected from Pillar candidate activities) (Not appropriate for public view)
  [Gantt chart: activities scheduled by quarter (Q1–Q4) across CY2010, CY2011, and CY2012; the quarter placements are not recoverable from the transcript]
  Organization and Culture:
  • A. Risk business model
  • B. Integrated portfolio mgmt. process at all levels
  • D. Incident classification & response
  • E. Records mgmt., email retn., common tools, new technologies
  Critical Infrastructure:
  • A. Complex-wide wireless accreditation
  • B. Intelligent intrusion detection tools, log/event interpretation
  • C. Improve attack info. sharing
  • C. Explore NNSA RBAC model to support multi-site collaboration and authentication
  • D. Remote access & edge mgmt.
  • F. Complex-wide real time monitoring and event aggregation
  Configuration mgmt.:
  • A. Component libraries and test suites for accreditation
  • B. Prudent “controls” for baseline C&A, complex-wide, with all DAAs’ buy-in
  • E. Common edge mgmt. tools plan and group


  34. Conclusion – Next Steps
  • Consensus building: Vet the vision, principles, and potential activities with the CIOs and their representatives
  • Formalize the straw horse roadmap
    • Look at investment approaches as appropriate
    • Validate items and schedules
    • Create white papers and proposals for items that are worthy, but need funding
  • Decide on “pace, scope, and size” of effort (requires HQ, Directors, and site experts)
  • Downstream
    • Measure progress
    • Improve and revisit vision and roadmap periodically

  35. Q & A
