Volume 15, Issue 11
December 2011

KMI MEDIA GROUP

Security from End-point to Enterprise

DISA host-based security program
expands to strengthen awareness and
control throughout DoD networks.

A Defense Information Systems Agency (DISA) initiative originally focused on improving the security of individual computers and other equipment is being transformed into an enterprise-level campaign to strengthen situational awareness and reinforce command and control over networks throughout the Department of Defense.

The program, called the host-based security system (HBSS), took an important step forward early this summer with the launching of a hosting service at DISA computing centers to help smaller military services and agencies implement the program. While the schedule for the program’s official launch is classified, intensive efforts are under way by both the DoD and IA industry experts to put the program into place globally, train for it and provide operational support.

Mark Orndorff, DISA program executive officer for information assurance and network operations, summarized the program in a recent article: “What we’re doing today is building out an enterprise architecture to take what was originally designed to improve the security of end-points, but pull information from a system and correlate it to a DoD enterprise level, so that commanders operating and defending the network will know the status of their security posture, giving us a readiness report card that’s machine generated.

“It will give us the ability to collect and correlate alarms as attacks propagate around the network and will give us the visibility of things such as anti-virus signature updates and anti-virus scan runs—essentially, letting us know what’s on the network. It will also give us the ability to look for what we call ‘rogue’ systems. These could be systems installed by DoD, systems configuration-managed by the DoD operators and defenders, systems added to the network, friendly systems added outside the management control of the network operators, and potentially malicious systems,” he explained.

“The whole focus is getting global situational awareness to help us know exactly what’s on the network, the readiness posture of everything on the network, and the network-alerting information to help us fight through an attack,” Orndorff continued.

While the new program will be largely transparent to end-users, DISA officials suggest that it will dramatically change the way administrators and operators of the network do business.

“What we hope we are giving system administrators is a set of tools to improve the security of the networks, and additionally to provide a set of dashboards or views into the status of their network in order to change their whole routine. This will allow them to move from a reactive posture to attacks, to being proactive with the focus on prevention first,” Orndorff said.

“Whether it’s compliance with security policy, updating and patching computers, or maintaining anti-virus, there’s a whole set of things users on the ground who administer networks need to deal with every day,” he pointed out. “HBSS will now give a set of meaningful and actionable reports and dashboards to help focus time and attention on the key issues that need to be addressed every day.”

PROGRAM EVOLUTION

HBSS started several years ago as an initiative to try to improve the security of DoD computing platforms. Recognizing that there was a gap in the network when an off-the-shelf computer system was put on the network, officials addressed some specific objectives, such as the common problem of buffer-overflow attacks, and decided to buy an encompassing tool to mitigate multiple risks.

In addition, the DoD policy for “infoconing” requires the baselining of systems to identify all loaded software on a host, and then periodically re-baselining to identify any deltas. Anything found during the re-baselining may indicate an attack or threat, since it reflects a software change that wasn’t deliberately made by the system administrator. The original focus was to automate the baselining effort and provide some specific controls to mitigate a set of attacks.
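As an added illustration of the baselining and re-baselining step described above (example code written for this page, not DISA’s or the HBSS product’s own logic), the script below records the software loaded on a host as a name-to-version map, compares a later inventory against it, and separates deltas explained by an approved change record from those nobody authorized. The inventories and the approved-change list are constructed sample data.

```python
"""Constructed example of INFOCON-style software baselining: diff a baseline
inventory against a re-baseline and flag deltas no administrator approved."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Delta:
    kind: str               # "added", "removed" or "changed"
    name: str
    before: Optional[str]   # version in the baseline, None if newly added
    after: Optional[str]    # version now on the host, None if removed

def diff_inventory(baseline: Dict[str, str], current: Dict[str, str]) -> List[Delta]:
    """Compare two {package_name: version} inventories and list every delta."""
    deltas = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            deltas.append(Delta("added", name, None, new))
        elif new is None:
            deltas.append(Delta("removed", name, old, None))
        elif old != new:
            deltas.append(Delta("changed", name, old, new))
    return deltas

def unexpected_deltas(deltas: List[Delta], approved: Dict[str, str]) -> List[Delta]:
    """Keep only deltas not explained by an approved change record.
    `approved` maps a package name to the version the administrator intended
    to end up with ("" means an approved removal)."""
    return [d for d in deltas if approved.get(d.name) != (d.after or "")]

# Constructed sample data: the baseline taken at install time, the re-baseline
# taken later, and the change records the administrator actually filed.
BASELINE = {"openssl": "1.0.0", "acrobat-reader": "9.3", "putty": "0.60"}
CURRENT = {"openssl": "1.0.1", "acrobat-reader": "9.3", "unknown-toolbar": "1.0"}
APPROVED = {"openssl": "1.0.1", "putty": ""}   # patch approved, removal approved

if __name__ == "__main__":
    for d in diff_inventory(BASELINE, CURRENT):
        print(f"{d.kind:8} {d.name:16} {d.before} -> {d.after}")
    for d in unexpected_deltas(diff_inventory(BASELINE, CURRENT), APPROVED):
        print(f"UNEXPECTED: {d.kind} {d.name} ({d.after})")
```

Only the unapproved addition survives the second filter; the approved patch and removal are deltas but not alerts.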

Since then, awareness and concern over the cyberthreat has grown exponentially, as has DoD’s focus on cyber-operations. With this, a greater need has grown for automation to provide better command and control, better situational awareness, and the ability to operate at network speed with machine-to-machine flows of information.

“Even though those objectives weren’t part of our original focus, we realized HBSS was a great platform to address those emerging requirements,” Orndorff said.

“It seemed like a pretty awesome undertaking even when it started out,” he acknowledged, “but it has definitely grown since then. The good news is we have high-level leadership support for this program. Commanders at all levels are tracking progress in implementation and providing the support to get resources on board to get this operating effectively.”

HBSS is a centrally managed, host-based Tier 3 enclave-level tool, according to Ann Baron-DiCamillo, HBSS program manager. “Within the tool, there are different point products, such as an intrusion detection system and intrusion prevention system, a firewall system, policy compliance reporting, device control capabilities, rogue system detection capability, and an architecture capability to include third-party and other government-developed integration products.

“The ePO server pushes an agent to the host to install, manage and add to all point products on the host,” Baron-DiCamillo continued. “HBSS supports infocon baselining, robust whitelist capability, buffer overload protection, and situational awareness from an asset alert reporting capability.

“The situational awareness includes a variety of asset information, such as operating system versions, anti-virus/anti-spyware, and so on. From alert reporting, two point products within the host-based security system do alerting—the Host Intrusion Prevention System, which is the intrusion prevention and detection system, and the anti-virus,” she added.

The system will also have the ability to add government-developed capabilities. This capability can address those specific threats the DoD is experiencing that industry may be unaware of or not especially concerned about. The department will also be able to develop government additions to the framework to address emerging threats or DoD-specific threats and use the HBSS system to push out those capabilities.

DISA’s strategy for implementing and supporting the program also has evolved, officials note. The initial strategy was to set up an enterprise contract and buy a DoD-wide license for software, as well as the key hardware components needed to roll this out. But each component, agency, military service and field activity was essentially responsible for developing implementation plans, with some support and training from DISA.

“That’s still the plan that, for the most part, the larger military services are executing,” Orndorff said. “But we’ve added an option where DISA will host some of the infrastructure for the services and components out of our enterprise computing centers. The components will still have the operational responsibility to manage alarms and operate and defend their portion of the network, but we will take over some of the burden of standing up the infrastructure and maintaining, upgrading and patching it—all the normal responsibilities needed to operate a new capability.

“The enterprise service option has recently become available, with initial implementations occurring over the past month. We are quickly moving out with the fielding process. The specific deadlines are classified, but we’re moving quickly toward the finish line,” he said.

TRAINING NEEDS

Given the pervasiveness of the new system and the major changes it will involve in operations, officials realize training and managing expectations are critical. They are using a variety of methods, including online programs, classroom training and the latest collaboration tools.

For example, the initiative is taking advantage of an existing partnership with Carnegie-Mellon University, which had already developed a capability called the virtual training environment to push general information assurance and security training to users and administrators. “What we did was to take advantage of the capability and build into a group of HBSS-specific modules for high-level leaders, administrators and users,” said Chris Paczkowski, chief, CND Enclave Security Division, in support of the program. “It’s a multi-part targeted set of training products, which allows us to deliver the training anywhere in the world, 24 hours a day. For the first time since I’ve been in this business, we’re getting feedback that the online training is better than the classroom training.”

“We’ve always had traditional classroom training for administrators, but we wanted to give more of a focus to the management side,” Baron-DiCamillo explained. “So we’ve worked to create specific classes geared more toward senior management. Instead of going through four days of classes, you can choose different modules that fit your role in the HBSS deployment.”

To address newly emerging topics and focus areas, officials are also using DISA’s Defense Connect Online, which offers a variety of collaboration tools. In addition, teams of enterprise implementers are available to visit locations to assist in getting started.

“During this implementation phase, we’ve tried to set expectations by defining what we think is a safe first step in getting this rolled out,” Orndorff explained. “We have some pretty good plans for where we want to take it next, with at least three waves of improvement already on the drawing boards. By the time we get to the second wave, I’m sure we’ll be thinking about the fourth one. We’ll continue to evolve this to leverage it to the maximum extent possible.”

The program is also coordinating closely with other DoD efforts. The Enterprise Solutions Steering Group—which is led by STRATCOM and includes participation from the military services, National Security Agency, DISA and other agencies—decides on priorities and develops technical approaches. While DISA then takes the lead on the acquisition side, participants emphasize that it truly represents a DoD enterprise approach to addressing network defense requirements.

“We’re enthusiastic about HBSS, and we’re excited about what this brings to DoD networks,” said Orndorff. “But this is just one component of a strategy to secure and defend the networks. It doesn’t solve all of our problems or eliminate other key defense capabilities that we’re working on in parallel. It’s not a silver bullet, but is part of an integrated framework to help defend DoD networks.”

INDUSTRY PERSPECTIVE

Several companies also are helping with implementation, testing and operational support. BAE Systems is the prime contractor of HBSS. After extensive market surveys and technical analysis of various vendor offerings, the company selected McAfee Security as technology partner.

“We have formed a close working relationship with DISA through a team-based approach that includes McAfee, other contractors, and outside organizations such as Carnegie Mellon to successfully deliver this capability,” said Bruce Thibault, HBSS program manager for BAE Systems.

As lead integrator, BAE Systems is providing cybersecurity engineering, classroom and online training, and global implementation and operations support. The company’s cybersolutions are based on more than 30 years of research, new product development, and new tool and technology evaluation for the defense and intelligence communities.

“BAE Systems is experienced in establishing and operating new cybersecurity programs from initial requirements through long-term trends and challenges. We focus on providing expert solutions and field-proven security, driven by our customer’s performance requirements,” said John Lewington, director of enterprise solutions and identity management for BAE Systems. “With the threat rapidly changing, the BAE Systems cybersecurity team stands ready to support HBSS and other critical cyberprograms. The successful deployment of HBSS across DoD will result in a drastic improvement in situational awareness and the security posture of DoD computer systems.”

“Our research teams have seen the same amount of malware in the first half of 2009 that we saw in all of 2008,” said Kent Rounds, director, DoD for McAfee Security. “This explosion in malware, combined with other emerging threats, requires an up-to-the-minute approach in enterprise level security. Centrally managing the network in a holistic manner in order to easily integrate with supporting tools is a paradigm shift in network security protection. Simply put, the objective is security at every layer, combined with global threat intelligence at a breadth, depth and speed to be fully prepared.” ♦
