
Mike Davis
The Security Networks
Technical Advisor, TSN

Information Systems Security Association, VP, ISSA, SD;

IA Technical Process Owner (TPO), Warrant Holder (TWH) - SPAWAR 5.0.2 / 5.8 HQ

Information Assurance (IA) for Service-Oriented Architecture (SOA)
May 20, 2009

Security Summit

Cyber: What is that - really?

A General Overview of our Cyber Prioritization Crisis

Good for public release. No distribution statement needed – SPAWAR review tracking number SR-2009-221.

Easy Button

What is Cyber?

“A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”

-- DoD Definition of Cyberspace

“The military strategic goal is to ensure US military strategic superiority in cyberspace.”

-- National Military Strategy for Cyberspace Operations

Cyber space operations = employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the GIG

It could mean just about anything….

But mostly a balanced IO/CNO & IA/CND portfolio

What makes Cyber different?

Given Cyber = “virtual” warfare, somewhat different from the kinetic / physical environment we all know well

-- Includes ALL Offensive and Defensive IT/IO/IA capabilities and DOTMLPF, ALL aggregated somehow

-- Essentially a select critical technical combination of IO/CNO and IA/CND + more integration stuff

-- A different virtual ROE than Kinetic – sometimes reversed, legally constrained (and what is “an act of War?”)

-- Shared vulnerabilities mandate a proactive, dynamic defensive posture – a “mission kill” is one e-mail away

-- Thus a crisis of prioritization, where everything is urgent, mandatory… and the many CoC lines are blurred

Many high-level cyber definitions and approaches abound

No “definitive” enterprise top down action plans, yet

Cyberspace Characteristics

• What’s so different?
– Man-made domain… complex and insecure by design
– Global stakeholders — public, private and government
– Speed of both action and change – zero separation
– Transcends physical, organizational and geopolitical boundaries – highly sensitive to political/legal influence
– Anonymity – identity/intent of players not always clear

RoE / CONOPS

Kinetic = virtual

“NO” boundaries

Legal aspects rule

No clear Cyber IFF!

Global reach & impact

AND sensors everywhere, ISR/METOC, SPACE, Networks, ETC, Etc, etc!

(Source: derived from JS Cyber 101 brief)

Cyberspace Characteristics

All of the warfighting domains intersect…

Cyberspace Domain is contained within and transcends the others

In relation to other mission areas…

… cyberspace is a blend of exclusive and inclusive ties

The “Venn connections / COIs” are extensive

Numerous dynamic “COIs” dominate relationships

Adding complexity and causing “cross domain” data sharing effects

IA

(Source: derived from JS Cyber 101 brief)

C2

Cyber must be E2E!

Thus, the IA/cyber controls and interfaces in each element / boundary must be quantified / agreed to upfront!

Enterprise
Site
Enclave
Network SoS
System / services
HW/SW/FM “CCE”

Each sub-aggregation is responsible for the IA/cyber controls within their boundaries and also inherits the controls of higher levels and all weaknesses in any layer!

WE have a “natural” hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many to many communications paths typically involved in end-to-end (E2E) transactions

Apps

AND people, processes

An end-state stresses encapsulation using secure messaging

What does a “simple” IA/Cyber end-state / vision look like? What are the “Requirements”?

Cyber Prioritization Crisis
Draft paper in circulation – highlights are:

-- Cyber is fundamentally enacting a prioritized and balanced approach between existing IO/CNO (aka offense) and IA/CND (aka defense) capabilities,

-- with diminishing resources, while also addressing dynamic and emerging threats through targeted R&D/S&T initiatives to fill gaps of the cyber vision.

-- The RoE, CONOPS, organization relationships required are NOT the same as kinetic processes,

-- Where the political / legal aspects of cyber will impede us all!

-- CoC needs an effective situational awareness capability for "cyber" to enhance our decision superiority

Cyber Prioritization Crisis
Draft paper in circulation – intended for technical discussions

Cyber technical foundations (what matters):

1 - Enterprise risk management process needed

2 - Fix/update/simplify what we have (“CM” too!)

3 - NO clear IA/security/cyber vision or end-state

4 - Supply chain security issues – are everywhere

5 - Lack of enterprise SOA IA / security approach

6 - Enforce a common data strategy, security built in

Securing Cyberspace for the 44th Presidency

WE must collectively quantify & prioritize these for leadership actions

• A renewed focus on international collaboration, with more overt / open security methods,
• Continued emphasis on partnering government with industry, better quantifying the legal aspects of enforcement and proactive responses,
• Taking a holistic, overarching, fully integrated / meshed approach to security for the full spectrum IA needed in “D.I.M.E.” (Diplomatic, Intelligence, Military and Economic)

- Create a comprehensive national security strategy for cyberspace
- Organize and lead from the White House (create a national office for cyberspace)
- Reinvent the public – private partnership
- Regulate cyberspace (not voluntary anymore, but not overly prescriptive either)
- Secure the industrial control systems – ICS / SCADA
- Manage Identities - Authenticate digital entities (in an enterprise IDM approach)
- Modernize authorities / laws… (e.g., revise FISMA.. merge NSS and other standards)
- Use acquisitions policy to improve security
- Build the capabilities – research, training and education
- Do not start over – leverage CNCI

Cyber security social contract to Obama from industry

WE must collectively quantify & prioritize these for leadership actions

-- We all lack a common enterprise risk management approach
-- Need new internet protocols / methods to support security
-- "Enforceable" CM is mandatory (can reduce 80% of all attacks!)
-- Positive incentives to encourage / enforce folks to follow best practices
-- Lack of software quality and assurance
-- Multi-organizational coordinated roadmap / vision is essential
-- Map / manage the physical to cyber security (ICS / PCS / SCADA / etc)
-- Supply chain issues better understood, protected and tested against
-- Use / leverage / engage DARPA, IARPA, In-Q-Tel, etc.
-- Move from a passive, forensic-based defense to an active posture using real-time intelligence updates to dynamically adjust our protection levels
-- Must have both privacy and security built in
-- Focus on “insider threat” (a “determined intruder” – inside or external)
-- Government embrace / lead the required IA standards that are effective
-- Modern IdM / access control (where our “ZBAC” approach works cross domain)
-- Set clear IA/security priorities – then resource, manage and control

Leadership Summary / Recap
(Cyber Security Collaboration Summit – SD – Nov 08)

• Common vision / end state / master plan – where are we going?
• Governance & more governance – coordinate ALL those in charge?
• Specified requirements and then some – top down, detailed needs
• Prescriptive implementation guidance required – fidelity in the “what”
• What’s “good enough” IA/Security? Must have a common threshold
• Pedigree approach – simplify verification and compliance (build in)
• What is the IA business basis / ROI? (AND success metrics therein?)
• What is the future risk environment? Threats, consequences, etc?
• Training at all levels, especially user and SW development
• Standard architectures / standards / profiles (and a Trust Model!!!)
• SOA security is vague - at best (No T&E / C&A Plans at all!), but…
• Application security and web security, or lack thereof, is pervasive too

WE must collectively quantify & prioritize these for leadership actions

Representative Navy Operator IA issues

• IA Master Plan; IA vision; clear IA goals
• IA Governance Structure / Consistent Policies
• Workforce Quals / Certs / Training
• “Improve Speed to Capability” - Implementing newer technologies.. HBSS, DAR, etc….
• IA Approach, Strategy consistent with SYSCOMs and DoD
• IA Policy/Architecture “implementation” guidance
• Enterprise Access Control - "Trust Model"
• Certification & Accreditation - Aggregation of systems
• Supply Chain Security / Defense in Breadth
• Sustain current IA and CND posture to ensure readiness

Calling things “cyber” will not change the current IA and IO issues.
These are still the activities that are needed for protecting the GIG

Recent IT/Cyber Leadership perspectives

A - Political / legal cyber paper: Cyber offense must be strictly monitored and controlled, due to potential escalation & State Department implications & countries suing each other

B - Navy IT FLAG/SES meeting results / paper:

-- Greater accountability, more complete visibility, net-centric concepts need to be revisited, can't protect all networks - ensure the C2 / enterprise are…

-- Need better situational awareness, discipline in development and acquisition, TTPs... And training...

-- Senior Advisor’s major conclusions: Stricter CM & SA / inspect traffic

-- FLAG / SES participants’ guidance: Common governance and language, eliminate low to medium threats, focus more resources on defensive posture and key critical actions (aka - have a risk management approach), closer collaboration between Service / agencies, include space and undersea cables, exercise in degraded modes, stress education, use the RED TEAM to better effectiveness, avoid issues NMCI found, high speed acquisition and address COTS / supply chain management.

Issues / suggestions are similar to others, but act collectively WE must!

NSPD-54/HSPD-23: CNCI ‘12 Initiatives’

Establish a front line of defense

Resolve to secure cyberspace / set conditions for long-term success

Shape future environment / secure U.S. advantage / address new threats

(Figure labels: Focus Area 1, Focus Area 2, Focus Area 3)

Trusted Internet Connections
Deploy Passive Sensors Across Federal Systems
Pursue Deployment of Intrusion Prevention Systems
Coordinate and Redirect R&D Efforts
Connect Current Centers to Enhance Situational Awareness
Develop Gov’t-wide Counterintelligence Plan for Cyberspace
Increase Security of the Classified Networks
Expand Education
Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
Define and Develop Enduring Deterrence Strategies & Programs
Manage Global Supply Chain Risk
Define Federal Role for Cybersecurity in Critical Infrastructure Domains

“THESE” are the key long-term business opportunities!

Many are still being finessed, and all need to be prioritized

(Source: derived from JS Cyber 101 brief)

What can we expect to help us?

• NSA / GIAP with CNCI = better IA stuff

• Support for “data/content centric security – DCS”

• Leaders get it, but we need to translate geek speak

• ESM / PvM helps automated systems, reporting

• COTS IA – commercial suite “B” encryption

• Going beyond boundary protection approach
– Effective trust binding between data, layers and domains

• Develop an IA vision -> enterprise architecture
– Easier to build IA in through a top-down structure / standards

Where you can assist

• New technologies, methods, processes (CNCI!)
• Not so niche areas of general systems engineering, integration, “rapid COTS / GOTS insertion,” etc
• Collaboration with other innovative companies
• Partner with other security groups, IA/cyber entities
• Cyber “packages” needed, not un-integrated SW
• Follow issues / concerns – they will not go away
• Think tank, study, and discovery support efforts
• Top down risk management, prioritization approach!

Summary

• There are MANY IA/cyber initiatives in the works
– Follow the CNCI trail, that should prevail…

• We still need cyber enterprise “R”equirements, just as we do now for IA and IO and C&A and ….
– What is needed now, current issues, will exist in cyber
– W/o an enterprise risk management approach, any / all paths will do… and we stay in the crisis of prioritization

• We ALL need better collaboration – DOD on down
– Users / platforms must drive cyber = KISS = commodity
– Vendors / integrators need to coalesce, drive the truck

Remember the “P6” principle… Planning and communications only gets us part way there

That’s our story – what’s yours?

What is Information Assurance (IA)?

“Measures that Protect and Defend Information and Information Systems by Ensuring Their Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. This Includes Providing for Restoration of Information Systems by Incorporating Protection, Detection, and Reaction Capabilities.”

• Availability: Timely, Reliable Access to Data and Information Services for Authorized Users

• Integrity: Quality of Information System Reflecting Logical Correctness and Reliability of Operating System

• Authentication: Security Measure Designed to Establish Validity of Transmission, Message, or Originator

• Confidentiality: Assurance that Information is Not Disclosed to Unauthorized Entities or Processes

• Non-Repudiation: Assurance Sender of Data is Provided with Proof of Delivery and Recipient with Proof of Sender’s Identity

(Figure labels: INFOSEC, Information Assurance)

WHAT parts belong where – wrt our collective enterprise trust model?

Cyber “Protections” Overview

CMI/KMI

CND

Policy

Training

C&A

Typical IA Acquisition elements

Enterprise Risk Mgmt.

IA Services

CA Support

Multiple players
Multiple PEs/Lines
Multiple threats
Multiple PMW/S/As

“IO” and CNO: Defend, Attack, Exploit

Requirements

Strategy AND Governance critical to “implementation” success!

“CIO” FISMA

Operations

IAMs

PKI/CAC

ID Mgmt

(or why “IA/IO/Cyber” is so complex / hard… because it is ALL of that and more!)

IA

NETOPS

An “Overall” Enterprise Picture
(what are the minimal elements, who “owns” them, & how do they get integrated?)

IA/Security strategy must consider the whole enterprise trust model!

There is more to the enterprise IA/C&A picture than “just” CCE, SOA and Apps, which are hard enough to integrate

CCE

SOA/ESB/Services

Dynamic Access Control

Data privacy protection and Auditable anonymity

Data security strategy / ownership

Hardware / Software Assurance

Business processes

ITIL/ITSM SLA execution

Apps & COIs

“SOA Security” needs to account for more than “just” SOA!

So what really matters in IA/Cyber E2E?
A notional Quality of Protection (QoP) Hierarchy
(Wrt our defense in “breadth” position paper – but what REALLY matters?)

“DATA QoP”(C-I-A and N & A)

IA&A and CBE / DCS(distributed / transitive trust model … E2E data-centric security and protections)

Core / Security Services (WS* and other security policy / protocols / standards, including versions & extensions therein)

network protection – CND – FW / IDS / VPN / etc (in general, mature capabilities – but multiple unclear “CM” processes are persistent and problematic)

IO … and ... IA

CNO/E/A, “I&W”, OPSEC, etc Crypto, KMI, TSM/HAP, policy, etc

Complex… Dynamic…

Known… Static…

Settings

A&E / Policy

Standards

IA devices

Mainly: IA standards, IA&A, CBE/DCS and digital policy!

GIG IA Protection Strategy Evolution

Static “Perimeter” Protection Model: Common level of Information Protection provided by System High Environment

• Manual Review to Release Information Classified at Less than Sys-high

• Manual Analysis and Procedures determine allowed interconnects

• Information “authority” determines required level of protection (QoP) for the most sensitive information in the sys-high environment – high water mark determines IT/IA/“Comms” Standards for all information

• Privilege gained by access to environment and rudimentary roles

• Common User Trust Level (Clearances) across sys-high environment

Transactional “Enterprise IA” Protection Model: Required level of Information Protection “Specified” for each Transaction

• Automated mechanisms allow information to be Shared (“Released”) when users/devices have proper privilege and Transaction can meet QoP requirements

• Information “authority” determines required level of end-to-end protection (QoP) required to access information – translates to a set of IT/IA/“Comms” Standards that must be met for the Transaction to occur

• Privilege assigned to user/device based on operational role and can be changed

• User Trust Level sufficient across Transaction/COI – varies for enterprise

We will be loosely connected, sharing information – and protected?

The Big Picture: XML Family of Specifications

IA / C&A Building blocks

• …. The desired end-state is in general one of a transformed single C&A process that accommodates all C&A needs and activities (re: T&E / V&V)
• End-state needs to integrate and accommodate several major perspectives / initiatives:
– (1) aggregation into some number of larger systems of systems (SoS) and enclaves / platforms,
– (2) platform IT (PIT),
– (3) the federal C&A transformation effort (bringing together DOD, IC and federal agencies), and
– (4) the new NNWC C&A process (for the Navy aspect).
• Develop a "security container" of sorts emulating the "CC" process (see http://www.niap-ccevs.org/cc-scheme/ ) that IA devices go through – establishes the same format / needs
• Natural to have a limited and controlled set of IA building blocks for a FEW main classes:
– IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc)
– IA enabled capabilities (OS, web browsers, messaging systems, screening routers, etc) (and we submit the IA/WSS standards need to go here too… prescribe a limited set of IA “profiles” with defined standards / protocols!)
– Services and Applications (we think we can define a standard "security container" for each, ideally a “class” - maybe a couple are needed for SOA/Services – we postulate the earlier three C&A types would work well)
– Critical IA capability devices (any key IT capabilities we may have missed and want to specifically consider)
– PIT Platform IT variants (there should be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HM&E, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc)
– Remainder of NIST 95 descriptions: Intelligence activities; Cryptologic activities; command and control; weapons and their systems; systems for "direct military / intelligence" missions; and classified systems... Any “special cases” defined
– AND/OR consider the remainder of 8500.2 categories: AIS application; enclaves; outsourced IT; PIT interconnection (where Platform IT refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems, such as weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the R&D of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems)

Just as “IT” must transition to a “commodity” approach, so must Cyber security!

Cyber – Spans Warfare and Business Mission Areas

Net-centric operations as well as the emerging new joint capabilities and integration development process is where the DoD is headed in the “Business of Warfighting”

Source: Secretary of State Hillary Clinton Statement, January 21 2009
Source: SSC Atlantic Cyber Strategy

Cyberspace

Cyber must effectively integrate Business and Warfighter Mission Areas

Where GOVERNANCE (or lack of it), still rules…

(Source: notional – partially derived from industry partner brief)

A National Security Issue

Salient Danger…

• Cyberspace intrusions and attacks are a real and emerging threat

• U.S. faces a dangerous mixture of vulnerabilities and adversaries

• Cyberspace situational awareness is not mature (and not at all levels)

• PEOPLE, Information and the C4ISR infrastructure are targets

• Exploitation, disruption, exfiltration, misinformation or destruction are adversary goals (& bragging rights)

• Malicious cyberspace activity is increasing in regularity and severity

“Attacks on Critical Infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident.” -- 2007 National Infrastructure Protection Plan

Ubiquitous Presence…

• 1.5 billion people on the Internet; much of Asia and Africa still to come (using wireless, which is cheaper to install)

• Upwards of 200B e-mails per day

• Critical to commerce, government, business processes, safety, etc.

• Exponential demand; 8 hours of YouTube uploaded every minute

• Increasing connections; global wireless and cellular usage

• Volumetric rise in data everywhere, with no enterprise data security and tracking approach (Internet = database)

(Source: derived from JS Cyber 101 brief)