White Paper

ForeScout CounterACT: The Smart Approach to Command Cyber Readiness Inspections (CCRI)


Contents

Introduction
CCRI Overview
CCRI Adherence Challenges
Expediting CCRI using Endpoint Compliance Automation
ForeScout CounterACT for Continuous Endpoint Compliance
Asset Discovery and Profiling
Compliance Assessment
Access Control — Allow, Limit or Block
Endpoint Remediation
Post-connect Protection
Compliance Reporting
How ForeScout Addresses CCRI Criteria
ForeScout CCRI Solution Benefits
Case Study: IT Governance using DISA standards
Conclusion
Additional References
About ForeScout


Introduction

Every day, government agencies process vast amounts of sensitive information vital to U.S. national security. Loss of this sensitive data, or unauthorized access to the systems and networks it resides on, can have serious national security consequences, ranging from privacy issues to public embarrassment to global economic and political turmoil. It is essential that civilian and defense IT organizations safeguard this information and the network enclaves housing it, while also making it readily and appropriately available when and where necessary.

To ensure an appropriate and consistent level of security, government IT organizations must demonstrate and maintain compliance with a large and growing number of regulations, directives and standards. The main objective is to eliminate intrusions, protect sensitive information and mitigate exposure to cyber-attacks. Defense IT organizations in particular are subject to several formal and informal inspections, reviews and assessments, such as Site Assistance Visits (SAVs), Computer Network Defense Service Provider (CNDSP) Inspections and Information Assurance Readiness Reviews (IARRs).

Compliance inspections comprise formal certification reviews and include all aspects of the risk management process to ensure Information Assurance (IA) integrity and adherence to the Department of Defense (DoD) IA Certification and Accreditation Process (DIACAP). To achieve these goals, the Defense Information Systems Agency (DISA), under the direction and authority of U.S. Cyber Command (USCYBERCOM), has begun conducting Command Cyber Readiness Inspections (CCRI) of key DoD agencies and sites, including those that support the Net-centric Operating Environment (NCOE) and Global Information Grid (GIG).


CCRI Overview

CCRI is a comprehensive review of a DoD entity’s cyber posture that includes a detailed assessment of its IA programs, the sensitive but Non-classified Internet Protocol Network (NIPRNet), the Secret Internet Protocol Network (SIPRNet), and the critical cyber and physical assets that support these networks. The CCRI criteria are based on several key standards and directives, including the DISA Security Technical Implementation Guides (STIGs) and Chairman of the Joint Chiefs of Staff Instruction (CJCSI) directives 6211.02D and 6510.01F. DoD entities are given short notice (typically 30 to 60 days) prior to a CCRI audit in which to ensure their assets will pass the inspection.

The CCRI assessment is highly intensive, evaluating all aspects of a network and every endpoint that connects to it, including cross-domain devices that connect wirelessly or from an extended network. Each endpoint can require hundreds of checks to be verified, including all existing Information Assurance Vulnerability Alerts (IAVA). IAVA compliance is a mandated baseline for all endpoints on the GIG. The CCRI grading criteria include technical vulnerabilities, directive compliance and non-technical readiness elements supporting the IA readiness posture. If a DoD unit fails to achieve a passing score, it is subject to re-inspection. If poor performance continues, the unit may be disconnected from the GIG until its security deficiencies are corrected.

CCRI audits apply to all combatant commands, services, agencies and their subordinate commands within the DoD that connect to the Defense Information Systems Network (DISN) infrastructure or that process and store DoD information. The program covers both NIPRNet and SIPRNet and effectively reinforces the idea that commanders are accountable for their cyber security posture. There are five parts to the process: notification, pre-coordination, on-site inspection, CCRI results and post-inspection reporting. The on-site inspection generally takes about a week and includes a mission briefing, review of components and methodologies, and system scans for vulnerabilities.

The results of an inspection are briefed to senior leadership and reported to U.S. Cyber Command. Post-inspection, organizations have to report progress on fixes and mitigation strategies for identified vulnerabilities to USCYBERCOM.


CCRI Adherence Challenges

DoD directive 8500.1 requires all information assurance and IA-enabled IT products incorporated into DoD information systems to be configured in accordance with DoD-approved security configuration guidelines. The DISA STIGs provide an extensive set of recommendations and checklists to ensure that all DoD cyber assets meet this minimum acceptable level of security. IAVA compliance helps assure that all DoD entities have taken appropriate mitigating actions against vulnerabilities, to avoid serious compromises of cyber assets that could degrade mission performance. Failure to adhere to the STIG standards or to achieve IAVA compliance can have serious repercussions, including possible disconnection from the GIG.

However, implementing the STIG checklists and the mandated baseline for cyber assets presents significant challenges for DoD IT organizations, because the process is time-consuming, resource-intensive and error-prone. Compliance policies for all cyber assets need to be defined, audited, reviewed, fixed and reported on a regular basis. With over 200 STIGs, several of which are updated and revised each quarter, and frequent IAVA notifications, IT administrators have to repeatedly review and update security policies and security configuration guidelines, revise their audit scripts and tools, and ensure their cyber assets are compliant with the updated guidelines.

Without the help of compliance automation solutions, preparing for a CCRI audit involves a series of tedious manual tasks that require IT administrators to write and run scripts, verify their results, and then ensure non-compliant assets are remediated by running additional scripts. Furthermore, attempting to combine and analyze results from separate security systems is cumbersome, costly and leaves room for error. As a result, attaining reliable and continuous compliance with the CCRI criteria across an entire DoD IT organization can be inefficient and ineffective, and satisfying a CCRI audit often disrupts IT administrators’ operational activities.

To address these challenges, DoD IT organizations require policy-based compliance automation solutions that provide a methodology to rapidly assess and improve the security posture of critical assets in accordance with IAVAs, DISA STIGs and CJCSI directives. These solutions allow tailored compliance policies to be applied across an entire organization’s cyber assets and ensure that the end-to-end process of identifying, remediating and reporting on non-compliant assets is conducted in an efficient, effective and repeatable manner. This allows commanders and IT staff to focus on critical operational activities while achieving continuous compliance without consuming significant IT resources.

Expediting CCRI using Endpoint Compliance Automation

Preparing for a CCRI audit requires a combination of trained staff, strong policies and industry-leading technology. While there is no “silver bullet” that covers all the required criteria, there are solutions that can contribute significantly to achieving adherence. Endpoint compliance automation can help DoD IT organizations create, monitor and enforce endpoint security policies in accordance with DISA STIGs and CJCSI directives with minimal effort.

Endpoint security is essential in ensuring that all cyber assets are compliant with DoD requirements. The challenges are numerous and varied — security software can be disabled or signatures can be out of date, unauthorized applications can be installed by users, outdated software with known security vulnerabilities can be present, required configuration settings can be altered, and guests with devices from outside the organization may require network access. Defense IT organizations tasked with automating endpoint security and compliance strive to achieve many of the following objectives:

• Expand network visibility to include real-time information about all endpoints on the network, including those that do not have any endpoint management or protection agents installed or running.

• Apply uniform policy controls across a mix of network and endpoint technologies.

• Enforce endpoint configurations in accordance with policies established by best practices and compliance mandates.

• Add value to existing endpoint management and protection systems, such as Host Based Security System (HBSS), by ensuring they are installed, enabled, up-to-date and correctly configured.

• Narrow the window of endpoint non-compliance by enforcing policy in real time when an endpoint connects to the network. Close the gap left by scheduled configuration and vulnerability scanning systems such as Assured Compliance Assessment Solution (ACAS) to improve IAVA compliance.

• Enforce network security policy: grant, limit or block network access based on credentials, user role, endpoint security posture, and HBSS and/or ACAS assessment, using 802.1X port-based or alternative access control methods; detect unauthorized devices such as rogue access points.


• Automate or semi-automate remediation when endpoints become non-compliant, without generating tickets or requiring significant IT intervention.

• Monitor for changes in device behavior or security posture, and for anomalous or malicious network activity, to ensure endpoints stay compliant while connected to the network.

• Leverage existing network infrastructure so that automated endpoint compliance can be achieved without the expense of replacing deployed networking and security equipment.

Endpoint compliance automation solutions facilitate the implementation and enforcement of repeatable and sustainable processes that allow IT organizations to address the above objectives and satisfy CCRI audit requirements. The endpoint compliance management life cycle consists of the following phases:

• Discover, profile and classify cyber assets in real time as they connect to the network. Any attempt to manage security and compliance must start with complete knowledge of who and what is on the network. Gartner estimates that IT organizations are aware of only 80% of the endpoints on their network. Complete visibility into all cyber assets, including those without endpoint management or protection agents installed or activated, is the basis for effective compliance management in the subsequent phases.

• Assess all cyber assets to ensure they are compliant with endpoint security policies in accordance with DISA STIGs or CJCSI directives. Apply the appropriate policy to asset groups based on the profiling information gathered in the first phase.

• Allow, limit or block network access based on device and/or user credentials, user role and endpoint compliance posture. Limit access for guests and foreign nationals in accordance with DoD directives.

• Remediate cyber assets when security policy violations are detected to bring the environment up to the required level of compliance.

• Protect cyber assets from internal threats or malicious activity by monitoring endpoints post-connection for any changes in security posture or device behavior.

• Report policy compliance levels, compliance deficiencies and remediations to IT staff, executive leadership and regulatory audit teams.

At every phase of the endpoint compliance lifecycle there are processes that can be automated to ensure consistent results in a timely manner. From the identification of cyber assets to the detection and remediation of policy violations across a large number of systems and platforms, policy-based endpoint compliance automation can bring dramatic cost savings and improve operational efficiency.

Figure 1: Endpoint compliance lifecycle


ForeScout CounterACT for Continuous Endpoint Compliance

ForeScout offers a policy-based security platform for endpoint compliance automation that can help DoD IT organizations create, monitor and enforce endpoint security policies in accordance with DISA STIGs and CJCSI directives. ForeScout CounterACT™ helps streamline and automate processes at every phase of the endpoint compliance lifecycle, enabling IT organizations to satisfy CCRI audit requirements and achieve a level of continuous compliance with minimal effort.

ForeScout CounterACT is a virtual or physical appliance that deploys seamlessly within existing network, security and endpoint infrastructure and provides a highly scalable, cost-effective CCRI solution without the need to upgrade or re-architect the network. The CounterACT appliance installs out-of-band, avoiding latency or the potential for network failure; provides 802.1X and alternative authentication technologies; and can be centrally administered to dynamically manage thousands of endpoints from one console. All endpoint identification, classification, policy-based control, posture assessment and remediation functions are accomplished without the use of agents and fully support embedded devices. As a result, the system enables rapid deployment and low total cost of ownership.

CounterACT is a military-grade security solution ideally suited to protect DoD networks and cyber assets and has achieved widespread deployment within defense environments. The plug-and-play architecture allows for seamless integration with configuration and policy management systems; vulnerability assessment and host-based security systems; ticketing, patch and systems management solutions (such as Microsoft SCCM and Windows Server Update Services); and security information and event management systems, to yield a complete closed-loop platform for continuous monitoring and compliance.

ForeScout CounterACT can extend the capabilities of an existing HBSS deployment to improve compliance with STIG, Federal Desktop Core Configuration (FDCC) and other standards. With this bidirectional integration, CounterACT provides visibility into 100% of the endpoints on the network, including those not managed by HBSS. When an endpoint connects to the network, if it has an HBSS agent installed and running, CounterACT gets the endpoint’s compliance status from the HBSS server and uses this information to enforce access control. If the HBSS agent is missing or broken, CounterACT alerts HBSS and/or installs and activates the agent on the endpoint. Any unauthorized devices without agents are denied access and reported to HBSS Rogue System Detection. Post-connection, if HBSS determines the endpoint has become non-compliant, it notifies CounterACT and the endpoint is quarantined until the issue is remediated.

CounterACT also integrates bidirectionally with ACAS to enforce real-time IAVA compliance. When an endpoint connects to the network, CounterACT determines the last scan timestamp and, if the scan results have aged beyond an acceptable time frame, triggers an immediate ACAS scan. Scan results are reported back to CounterACT by ACAS so that non-IAVA-compliant endpoints can be notified, remediated or quarantined based on IAVA severity.
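The connect-time ACAS workflow described above reduces to two decisions: is the last scan too old to trust, and what response does the most severe open IAVA finding warrant? The following is an added example, not ForeScout’s or ACAS’s own code; the seven-day scan-age threshold, the severity-to-action mapping, the `request_scan` callback (a stand-in for an ACAS scan request) and all endpoint records and finding identifiers are constructed for illustration.

```python
# Added example (not ForeScout's or ACAS's code): scan-freshness check and
# IAVA-severity-based response modelled on the connect-time ACAS workflow.
# Thresholds, endpoint records and finding identifiers are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Assumed policy knobs: how old a scan result may be before a fresh scan is
# requested, and which response each IAVA severity category triggers.
MAX_SCAN_AGE = timedelta(days=7)
SEVERITY_RANK = {"I": 0, "II": 1, "III": 2}          # lower = more severe
SEVERITY_ACTION = {"I": "quarantine", "II": "remediate", "III": "notify"}


@dataclass
class Finding:
    iava_id: str        # placeholder identifier, e.g. "IAVA-EXAMPLE-001"
    severity: str       # "I", "II" or "III"


@dataclass
class Endpoint:
    ip: str
    last_scan: Optional[datetime]            # None = never scanned
    findings: List[Finding] = field(default_factory=list)


def needs_rescan(ep: Endpoint, now: datetime) -> bool:
    """A host with no scan on record, or whose last scan has aged past
    MAX_SCAN_AGE, gets an immediate scan request."""
    return ep.last_scan is None or (now - ep.last_scan) > MAX_SCAN_AGE


def decide_action(ep: Endpoint) -> str:
    """Respond to the most severe open finding; a clean host is allowed."""
    if not ep.findings:
        return "allow"
    worst = min(ep.findings, key=lambda f: SEVERITY_RANK[f.severity])
    return SEVERITY_ACTION[worst.severity]


def on_connect(ep: Endpoint, now: datetime,
               request_scan: Callable[[Endpoint], List[Finding]]) -> str:
    """Connect-time handler: refresh stale results via request_scan (a stand-in
    for an ACAS scan request), record the scan time, then act on the findings."""
    if needs_rescan(ep, now):
        ep.findings = request_scan(ep)
        ep.last_scan = now
    return decide_action(ep)


def fake_scanner(ep: Endpoint) -> List[Finding]:
    """Constructed stand-in for ACAS results, keyed on the sample host address."""
    sample = {
        "10.0.0.5": [Finding("IAVA-EXAMPLE-001", "II")],
        "10.0.0.9": [],
    }
    return sample.get(ep.ip, [])


def demo() -> dict:
    """Run three constructed hosts through the connect handler."""
    now = datetime(2013, 6, 1, tzinfo=timezone.utc)
    stale = Endpoint("10.0.0.5", now - timedelta(days=10))        # rescanned; Cat II -> remediate
    fresh_bad = Endpoint("10.0.0.7", now - timedelta(days=1),
                         [Finding("IAVA-EXAMPLE-002", "I")])    # recent scan; Cat I -> quarantine
    never = Endpoint("10.0.0.9", None)                             # never scanned; clean -> allow
    return {ep.ip: on_connect(ep, now, fake_scanner) for ep in (stale, fresh_bad, never)}


if __name__ == "__main__":
    for ip, action in demo().items():
        print(f"{ip}: {action}")
```

Note that a host with a recent but failing scan is acted on without a rescan: the age check only decides whether the stored results are fresh enough to act on, never whether a non-compliant host gets a second chance.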

ForeScout CounterACT facilitates the implementation and enforcement of repeatable and sustainable processes for each phase of the endpoint compliance lifecycle — Discover, Assess, Allow, Remediate, Protect and Report. It streamlines and automates the compliance management process for IT organizations preparing for CCRI evaluations.


Asset Discovery and Profiling

CounterACT automatically detects and profiles all endpoints as they connect to the network. Through its industry-leading and granular host interrogation engine it can determine detailed attributes of each endpoint — hardware, operating system, applications, patch levels, processes, open ports, peripheral devices, users and more (see Figure 2). Each cyber asset is discovered and classified by type in the auto-generated inventory database. Custom asset groupings can be built either automatically or manually to manage cyber assets and apply customized policies and exceptions to each asset group. Administrators can query the asset database using a Google-like search interface to view or create reports of connected users and devices.

Figure 2: CounterACT’s industry-leading asset inventory.


Compliance Assessment

ForeScout CounterACT allows defense organizations to create policies based on DISA STIGs and DoD directives and assess the security posture of cyber assets against these policies. Policies can be created using built-in policy templates or customized using wizards. CounterACT can perform various compliance checks, including but not limited to:

• Checks for operating system versions and patch levels

• Presence of anti-virus and other security software with latest updates

• Required and prohibited applications (such as P2P software)

• Active and prohibited ports

• Disallowed peripherals

• Configuration settings for various applications

• Custom registry checks

• IAVA compliance checks through integration with ACAS

• Compliance to FDCC or other standards through integration with HBSS

Figure 3: Compliance assessment showing unauthorized processes.
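To make the check categories in the list above concrete, here is an added example of a compliance assessment run over a constructed endpoint record. It is not CounterACT’s code or any real STIG checklist: the minimum patch levels, the signature-age limit, the required and prohibited application names, the prohibited ports and the registry key `HKLM\SOFTWARE\Example\ScreenSaverLock` are all illustrative values chosen for the example. Each failed check is returned as a named violation so that a caller can route it to the appropriate notification or remediation.

```python
# Added example (not CounterACT's code): assessment of an endpoint record
# against a STIG-style policy covering OS patch level, anti-virus state,
# required/prohibited applications, prohibited ports and a registry value.
# All policy values, registry keys and endpoint data are constructed.
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed policy; thresholds and the registry key are examples only.
POLICY = {
    "min_patch_level": {"Windows 7": 20, "Windows Server 2008 R2": 12},
    "max_av_signature_age_days": 7,
    "required_apps": {"HBSS Agent"},
    "prohibited_apps": {"uTorrent", "LimeWire"},     # P2P software
    "prohibited_ports": {21, 23},                     # FTP, Telnet
    "registry": {r"HKLM\SOFTWARE\Example\ScreenSaverLock": "1"},
}

Violation = Tuple[str, str]   # (check name, detail)


def assess(ep: Dict, policy: Dict, today: date) -> List[Violation]:
    """Evaluate one endpoint record against the policy; an empty list means compliant."""
    v: List[Violation] = []

    # Operating system version and patch level
    need = policy["min_patch_level"].get(ep["os"])
    if need is None:
        v.append(("os_version", f"unsupported OS {ep['os']!r}"))
    elif ep["patch_level"] < need:
        v.append(("patch_level", f"{ep['patch_level']} below required {need}"))

    # Anti-virus present, running and with recent signatures
    av = ep.get("antivirus")
    if av is None:
        v.append(("antivirus", "no anti-virus installed"))
    else:
        if not av["running"]:
            v.append(("antivirus", "anti-virus not running"))
        age = (today - av["signature_date"]).days
        if age > policy["max_av_signature_age_days"]:
            v.append(("antivirus", f"signatures {age} days old"))

    # Required and prohibited applications
    installed = set(ep["installed_apps"])
    for app in sorted(policy["required_apps"] - installed):
        v.append(("required_app", f"{app} missing"))
    for app in sorted(installed & policy["prohibited_apps"]):
        v.append(("prohibited_app", app))

    # Prohibited open ports
    for port in sorted(set(ep["open_ports"]) & policy["prohibited_ports"]):
        v.append(("prohibited_port", str(port)))

    # Custom registry checks
    for key, expected in policy["registry"].items():
        actual = ep["registry"].get(key)
        if actual != expected:
            v.append(("registry", f"{key} is {actual!r}, expected {expected!r}"))
    return v


TODAY = date(2013, 6, 1)   # constructed assessment date

# Constructed sample endpoints
COMPLIANT_HOST = {
    "os": "Windows 7", "patch_level": 22,
    "antivirus": {"running": True, "signature_date": TODAY - timedelta(days=2)},
    "installed_apps": ["HBSS Agent", "Office"],
    "open_ports": [135, 445],
    "registry": {r"HKLM\SOFTWARE\Example\ScreenSaverLock": "1"},
}
NONCOMPLIANT_HOST = {
    "os": "Windows 7", "patch_level": 15,
    "antivirus": {"running": False, "signature_date": TODAY - timedelta(days=30)},
    "installed_apps": ["uTorrent", "Office"],
    "open_ports": [23, 80],
    "registry": {},
}


if __name__ == "__main__":
    for name, host in (("compliant", COMPLIANT_HOST), ("noncompliant", NONCOMPLIANT_HOST)):
        print(name, assess(host, POLICY, TODAY))
```

An operating system the policy does not cover is reported as a violation rather than silently passed: an asset with no applicable baseline is exactly the kind of gap an inspection finds.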


Access Control — Allow, Limit or Block

ForeScout CounterACT can grant, limit or block network access based on endpoint compliance posture, user role, credentials, ACAS scan and/or HBSS assessment. It enforces granular role-based access control for defense personnel, contractors and foreign nationals using VLANs, ACLs and virtual firewall technology to provide access to specific enclaves and information systems.

CounterACT includes a hybrid mode that lets organizations use port-based 802.1X, to comply with the DISA access control STIG, and/or other authentication technologies within the same network environment (see Figure 4). It includes a built-in RADIUS server to make rollout of 802.1X easy. Alternatively, it can function as a RADIUS proxy and leverage existing RADIUS servers. In addition to 802.1X, CounterACT supports authentication against LDAP directories such as Active Directory, against a built-in guest registration database or MAC address bypass list, or against external databases that house foreign national or contractor authorization information.

Figure 4: CounterACT’s hybrid mode.
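The hybrid-mode access decision in the two paragraphs above can be expressed as an ordered rule table: an 802.1X identity with a directory role is consulted first, then the MAC address bypass list, then guest registration, and anything left is blocked, with a non-compliant authenticated host diverted to a remediation network before any role rule applies. The following is an added example and not CounterACT’s code; the role names, VLAN and ACL names, and the session records are constructed.

```python
# Added example (not CounterACT's code): an ordered rule table modelling the
# hybrid-mode access decision (802.1X identity, then MAC bypass, then guest
# registration, then block). Role, VLAN and ACL names are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    mac: str
    dot1x_identity: Optional[str]   # identity from RADIUS/LDAP, None if no 802.1X
    role: Optional[str]             # "personnel" | "contractor" | "foreign_national"
    mac_bypass: bool                # MAC present on the bypass list (printers, embedded devices)
    guest_registered: bool          # completed guest registration
    compliant: bool                 # outcome of the compliance assessment


Decision = Dict[str, Optional[str]]

# Rules are evaluated top to bottom; the first match wins. A non-compliant
# authenticated host lands in a remediation VLAN before any role-based rule.
RULES: List[Tuple[str, Callable[[Session], bool], Decision]] = [
    ("non-compliant authenticated host",
     lambda s: s.dot1x_identity is not None and not s.compliant,
     {"access": "limit", "vlan": "remediation", "acl": "remediation-servers-only"}),
    ("foreign national",
     lambda s: s.dot1x_identity is not None and s.role == "foreign_national",
     {"access": "limit", "vlan": "fn-enclave", "acl": "fn-approved-systems"}),
    ("contractor",
     lambda s: s.dot1x_identity is not None and s.role == "contractor",
     {"access": "limit", "vlan": "contractor", "acl": "contractor-systems"}),
    ("defense personnel",
     lambda s: s.dot1x_identity is not None and s.role == "personnel",
     {"access": "allow", "vlan": "enclave", "acl": None}),
    ("MAC bypass device",
     lambda s: s.mac_bypass,
     {"access": "limit", "vlan": "devices", "acl": "device-services-only"}),
    ("registered guest",
     lambda s: s.guest_registered,
     {"access": "limit", "vlan": "guest", "acl": "internet-only"}),
]
DEFAULT: Decision = {"access": "block", "vlan": None, "acl": None}


def decide(session: Session) -> Tuple[str, Decision]:
    """Return the name of the first matching rule and its access decision."""
    for name, matches, decision in RULES:
        if matches(session):
            return name, dict(decision)
    return "unauthenticated", dict(DEFAULT)


# Constructed sessions (MAC addresses and identities are placeholders)
SESSIONS = [
    Session("00:11:22:33:44:01", "jdoe", "personnel", False, False, True),
    Session("00:11:22:33:44:02", "jdoe", "personnel", False, False, False),
    Session("00:11:22:33:44:03", "xvisitor", "foreign_national", False, False, True),
    Session("00:11:22:33:44:04", None, None, True, False, True),
    Session("00:11:22:33:44:05", None, None, False, True, True),
    Session("00:11:22:33:44:06", None, None, False, False, True),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s.mac, *decide(s))
```

Keeping the rules in one ordered list makes the precedence auditable: an inspector can read off that posture outranks role, and that an authenticated identity with no recognized role falls through to the block default rather than to a permissive rule.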


Endpoint Remediation

In the event that an endpoint is found to be non-compliant with security policies — for example, not having the latest security patches for its operating system — ForeScout CounterACT can trigger remediation mechanisms to bring the cyber asset back into a state of compliance. CounterACT can automatically fix most endpoint security issues, such as updating antivirus or other security agents; prompting the patch management system to update the endpoint’s operating system (through direct integration with Microsoft SCCM and Windows Server Update Services (WSUS)); enabling required applications or endpoint management and security agents; restoring security configuration settings; or disabling unauthorized software, ports or peripherals. Automated remediation reduces IT costs and increases user productivity.

Conditions

• Device: type of device, manufacturer, location, connection type

• User: name, authentication status, workgroup, email and phone number

• Operating System: OS type, version number, patch level, services and processes

• Security Posture: anti-malware agents, patch management agents, firewall status, configuration

• Applications: installed, running, version number

• Peripherals: type of device, manufacturer, connection type

• Network Traffic: malicious traffic, traffic source and destination, rogue DHCP or NAT behavior

Actions

• User Communication: send email, send to web page, open trouble ticket, force re-authentication

• Network Access Control: allow, block, restrict, register guest

• OS Remediation: install patch, configure registry, start or stop process, trigger external remediation service

• Security Agent Remediation: install agent, start agent, update agent, update configuration

• Application Control: start or stop application, update application

• Peripherals Control: disable peripheral

• Network Protection: block malicious traffic, quarantine malicious device

Figure 5: CounterACT compliance checks and remediation actions


Post-connect Protection

ForeScout CounterACT’s patented ActiveResponse™ technology monitors the behavior of endpoints post-connection and blocks zero-day, self-propagating threats and other types of malicious activity to protect cyber assets from internal threats. CounterACT also monitors for security posture changes, failure of onboard security agents and anomalous endpoint behavior to ensure that cyber assets stay compliant while connected to the network.

Figure 6: Detecting post-connect posture changes.
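Post-connect protection differs from the connect-time assessment in that it compares the endpoint against its own earlier state rather than against a static policy. The added example below (not ForeScout’s ActiveResponse code) diffs a baseline posture snapshot taken at connect time against a later one and flags the change types named above: a stopped security agent, a disabled host firewall, a new listening service, and a client endpoint behaving as a DHCP server (one of the rogue DHCP/NAT behaviors listed in Figure 5). Both snapshots, the response ranking and the mapping of change to response are constructed.

```python
# Added example (not ForeScout's ActiveResponse code): detect post-connect
# posture drift by comparing a connect-time baseline snapshot with a later one,
# then pick the strongest warranted response. Snapshots are constructed.
from typing import Dict, List, Tuple

# Response ordering: the strongest response among all detected changes wins.
RESPONSE_RANK = {"none": 0, "notify": 1, "remediate": 2, "quarantine": 3}


def detect_drift(baseline: Dict, current: Dict) -> List[Tuple[str, str]]:
    """Return (change, response) pairs for every posture difference found."""
    changes: List[Tuple[str, str]] = []

    # Onboard security agents that were running at connect time but are not now
    for agent in baseline["agents_running"]:
        if agent not in current["agents_running"]:
            changes.append((f"agent stopped: {agent}", "remediate"))   # restart the agent

    # Host firewall turned off after connection
    if baseline["firewall_enabled"] and not current["firewall_enabled"]:
        changes.append(("host firewall disabled", "remediate"))

    # Listening services that did not exist at baseline
    for port in sorted(set(current["listening_ports"]) - set(baseline["listening_ports"])):
        changes.append((f"new listening port: {port}", "notify"))

    # A client endpoint sending from UDP/67 is acting as a DHCP server
    for proto, sport, _dport in current["flows_from_host"]:
        if proto == "udp" and sport == 67:
            changes.append(("DHCP server behavior from client endpoint", "quarantine"))
            break
    return changes


def respond(changes: List[Tuple[str, str]]) -> str:
    """Pick the strongest response warranted by the detected changes."""
    return max((resp for _c, resp in changes), key=RESPONSE_RANK.get, default="none")


# Constructed snapshots of one endpoint: at connect time and some time later
BASELINE = {
    "agents_running": ["hbss-agent", "antivirus"],
    "firewall_enabled": True,
    "listening_ports": [135, 445],
    "flows_from_host": [("tcp", 50123, 443)],
}
LATER = {
    "agents_running": ["hbss-agent"],                                # antivirus stopped
    "firewall_enabled": False,                                       # firewall disabled
    "listening_ports": [135, 445, 8081],                             # new listener
    "flows_from_host": [("tcp", 50123, 443), ("udp", 67, 68)],       # DHCP offers sent
}

if __name__ == "__main__":
    found = detect_drift(BASELINE, LATER)
    for change, resp in found:
        print(f"{change} -> {resp}")
    print("response:", respond(found))
```

Each change carries its own response so that a single agent failure is repaired in place while DHCP-server behavior, which can redirect other hosts’ traffic, escalates straight to quarantine; when several changes coincide, the strongest response applies.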


Compliance Reporting

ForeScout CounterACT has a fully integrated reporting engine that helps monitor the level of policy compliance, produce real-time inventory and compliance reports, and fulfill audit requirements. A wide variety of compliance reports can be scheduled or generated on demand for IT staff, command and technical management, and audit teams.

Figure 7: CounterACT compliance reporting.


How ForeScout Addresses CCRI Criteria

ForeScout CounterACT provides DoD IT organizations the ability to automate several endpoint compliance controls required by DISA STIGs and CJCSI directives. The table below summarizes the key CCRI criteria addressed by CounterACT.

Visibility and Asset Management

CCRI criteria:

• Establish and maintain a complete hardware asset inventory for all systems connected to the IP network and the network devices themselves.

• Establish and maintain a complete software asset inventory covering each of the operating system types in use. Track the versions and patch levels of the underlying operating system as well as the applications installed on it.

ForeScout CounterACT:

CounterACT maintains a comprehensive hardware and software asset inventory of all endpoints attached to the network. The inventory can be searched and organized by various hardware and software attributes. Inventory reports can also be generated.

Authentication and Access Control

CCRI criteria:

• Block or disconnect an information system or device if directed task(s) cannot be implemented or mitigated as directed by CC/S/A authority.

• Deploy protection mechanisms at layered or internal enclave boundaries and at key points in the network as required for networks handling controlled unclassified and classified information.

• Use and implement commercial wireless networks and devices in accordance with the DoD Wireless STIG.

• Ensure Authorizing Official-approved wireless devices, services and technologies use only assured channels, employing NSA-approved cryptographic and key management systems offering high protection levels and approved for protecting transmission of classified information.

• Ensure port security is enabled for foreign nationals in accordance with the DoD Access Control STIG.

ForeScout CounterACT:

CounterACT can block or restrict access for devices when they become non-compliant. It enforces role-based access control to give users and devices access to different parts of the network or to specific IT resources. Guest and contractor policies can be set up to provide various guest registration options and limit access to specific enclaves and information systems.

CounterACT can enforce access policies through integration with multiple vendors’ VPN products. It provides additional controls for enforcing wireless infrastructure. CounterACT’s hybrid mode allows organizations to use 802.1X port-based security or alternative network access control methods. It includes a built-in RADIUS server or can function as a proxy to leverage existing RADIUS servers.

Compliance Assessment and Remediation

CCRI criteria:

• Devise a list of authorized software that is required for each type of system.

• Monitor for unauthorized software installed on each machine.

• Secure configurations for hardware and software on laptops, workstations and servers.

• Run current versions of software and make sure it is fully patched. Remove outdated and older software from the system.

• Conduct vulnerability assessments, Blue Team vulnerability evaluations, cyber security inspections and Red Team operations to provide a systematic view of enclave and IS security posture.

• Ensure subordinate organizations implement the DoD Standard Security Configuration.

• Use DoD-provided automated tools/solutions (e.g. HBSS) or CC/S/A-procured tools/solutions developed IAW DoD data exchange standards to ensure interoperability with DoD-provided solutions for remediation of vulnerabilities.

ForeScout CounterACT:

CounterACT can perform a wide range of compliance checks, including monitoring for required software, unauthorized software, software versions and patch versions, device configuration and endpoint vulnerabilities, to name a few. It integrates with other DoD-provided tools such as HBSS or vulnerability scanners to obtain additional compliance information for managed devices. When compliance violations are detected, CounterACT can respond based on the severity of the violation by simply alerting or notifying IT staff, or by auto-remediating, quarantining or completely blocking non-compliant endpoints.


CCRI Criteria ForeScout CounterACT

Compliance Assessment and Remediation (continued)

• Implement USSTRATCOM warning and tactical directives/orders through the use of available automated tools.

• Limit use of removable media to transfer data between different security domains for the execution of specific mission tasks in accordance with DoD warning and tactical directives/orders, and prohibit removable media when used simply for convenience.

• Ensure access is only provided to personal devices of foreign nationals that have the latest security patches, virus protection implemented (including scanning and automatic update capability) and the latest anti-virus signature files installed.

• Implement risk mitigation actions that effectively mitigate vulnerability.

Post-connect Monitoring and Protection

• Monitor DoD information systems (e.g., enclaves, applications) to detect and react to incidents, intrusions, disruptions of services, or other unauthorized activities (including insider threat) that threaten the security of DoD operations or IT resources, including internal misuse.

• Suspend unclassified or classified network access if malicious activity is detected.

CounterACT's patented ActiveResponse™ technology monitors the behavior of endpoints post-connection. It also detects security posture changes and blocks access if malicious activity or anomalous behavior is detected.

Compliance Notification and Reporting

• Provide cyber security inspection, evaluation, and assessment findings and results through existing command (e.g., commanders or directors) and technical management channels (e.g., CIO, Authorizing Official, etc.).

• Implement warning and tactical directives/orders that correspond to hardware and software within the CC/S/A IT resources and assets inventory.

A wide variety of compliance assessment reports can be scheduled or generated on demand to fulfill audit requirements and to be provided to command and technical management. CounterACT policies allow notifications and reports to be sent to IT staff regarding the compliance status of cyber assets.


ForeScout CCRI Solution Benefits

ForeScout CounterACT is ideally suited for DoD environments looking to streamline and automate the endpoint compliance process for CCRI assessments. It has received several security and government certifications:

• Common Criteria Evaluation certification — EAL4+ level

• FIPS 140-2

• DoD Unified Capabilities (UC) Approved Product List (APL)

CounterACT provides numerous benefits to IT organizations in enforcing best practices required by STIGs, IAVAs and DoD directives:

• Real-time Visibility — automated, real-time visibility of all endpoints (managed and unmanaged) as they connect to your non-secure (NIPRNet) and secret (SIPRNet) networks.

• Active Asset Intelligence — dynamically generated hardware and software asset repository of everything on the network: hardware, operating systems, applications, patch levels, processes, open ports, peripheral devices, users and more.

• Policy-based Access Control — limits access to information systems to authorized users and devices, and to the types of transactions and functions that authorized users are permitted to exercise. Provides 802.1X port-based access control (to comply with DISA STIGs) or alternative network authentication and access control mechanisms. Includes a built-in RADIUS server to make rollout of 802.1X easy, or can function as a proxy to leverage existing RADIUS servers.

• Continuous Monitoring — assesses the security and compliance posture of all endpoints in real time before and after they connect to the network. Detects endpoint configuration violations and malicious behavior and tailors the response based on the severity of the violation.

• Automated Remediation — automates the remediation of non-compliant endpoints by triggering actions such as auto-update of host-based configuration and protection systems, patches and updates, and installing, activating or disabling applications or peripherals.

• HBSS Integration — increases Situational Awareness and Incident Response (SAIR) by automatically detecting and remediating endpoints with missing or broken HBSS agents. Grants, denies or limits network access based on compliance with STIGs, Standard Desktop Configuration (SDC), FDCC or other standards assessed by HBSS.

• IAVA Compliance — enforces real-time IAVA compliance when endpoints connect to the network through integration with ACAS (BeyondTrust (formerly eEye) Retina or Tenable). Takes appropriate actions such as remediation or quarantine of non-IAVA-compliant endpoints.

• Compliance Reporting — fully integrated reporting and notification engine to monitor the level of policy compliance, satisfy audit requirements, and produce real-time inventory reports.

• Guest Access — individualized access control policies for foreign nationals and contractors to limit access to authorized SIPRNet and NIPRNet systems in accordance with DoD and CJCSI directives.

• Mobile and Wireless Controls — enforces security controls on mobile devices such as smartphones and tablets. Ensures wireless compliance based on STIG standards and CJCSI directives through integration with wireless network infrastructure.

• Non-disruptive Deployment — deploys seamlessly within existing network infrastructure without the need to re-architect the network, deploy in-line, upgrade the switching fabric, or require agents. Enforces access policy from any level of the switch/network hierarchy, including the access, distribution or core layer.

• IT Interoperability — integrates with existing IT infrastructure such as directories (Active Directory, OpenLDAP, etc.), patch management, endpoint protection, ticketing, vulnerability assessment, security information and event management (SIEM) and mobile device management (MDM) systems.

• Cost Savings — eliminates manual processes associated with assessing, reviewing, remediating and reporting on compliance with STIGs and CJCSI standards. Increases IT efficiency by reducing the time spent preparing for CCRI audits, allowing IT administrators to focus on critical daily operational activities.


ForeScout CounterACT is also listed in several government contracts to ease procurement:

• GSA Schedules (also referred to as Multiple Award Schedules and Federal Supply Schedules)

• NASA SEWP (Solutions for Enterprise-Wide Procurement) GWAC (Government-Wide Acquisition Contract)

• ITES/2H (Managed and used by the US Army. Also used by DoD and other federal agencies)

• Encore II (Managed by DISA, Defense Information Systems Agency)

Case Study: IT Governance using DISA standards

Endpoint compliance with DISA standards was the major driver for a significant government agency responsible for more than 5000 endpoints. The agency is implementing DISA hardening guidelines to lock down and control the operating environment, become resilient against targeted attacks, and be conscious of operating expenses due to upcoming budget cuts.

Included in the government agency's decision criteria was support for large initiatives such as:

• Evolve endpoints to 64-bit Windows 7 starting in 2012 — This is a major undertaking and the solution must enable the agency to operate efficiently with a mixed environment of old software and applications along with Windows 7 applications without weakening security or adding significant security costs.

• Evolve the network infrastructure to IPv6 starting in 2012 and continuing into 2014 — The solution needed to provide visibility into IPv6-style sub-groups and allow an orderly migration to IPv6 while retaining tight security.

• Allow guests to access the network without increasing the risks of malware or data theft — The government agency must retain a high standard of security as it receives an extreme number of guests throughout the day that require access to the network.

ForeScout CounterACT won a competitive bake-off against other endpoint compliance solutions from major security and networking vendors. The government agency reported being pleased with the solution's overall capabilities and automation while specifically highlighting the ability of CounterACT to:

• Discover rogue wireless access points within 10 minutes. CounterACT allows the agency to detect rogue wireless access points in real time and to automatically take action to shut them down — without manual intervention.

• Detect use of unauthorized USB devices. CounterACT recognizes when any device other than the authorized FIPS 140-2 encrypted memory stick is inserted into the USB port, and disables the use of such unauthorized devices.

• Instantly detect the presence of obsolete software, such as older, less secure versions of Java and Adobe. Many software products, such as Java and Adobe, do not uninstall older versions when upgraded, leaving less secure software still resident on the endpoint.


Conclusion

CCRI is a comprehensive review of a DoD entity's cyber security posture and Information Assurance programs. Preparing for a CCRI assessment is a resource-intensive and time-consuming process that can impact an IT organization's operational activities. Endpoint compliance automation solutions such as ForeScout CounterACT are used to implement and enforce a set of repeatable and sustainable processes that contribute significantly to achieving adherence while minimizing the effort involved in preparing for an audit.

ForeScout's policy-based endpoint compliance platform helps DoD IT organizations to create, monitor and enforce endpoint security policies in accordance with DISA STIGs and DoD directives. It streamlines and automates the entire endpoint compliance lifecycle, from the identification and assessment of cyber assets to the detection, remediation and reporting of policy violations. This allows IT organizations to satisfy CCRI audit requirements and achieve a level of continuous compliance with the least amount of manual effort.

ForeScout CounterACT eliminates manual processes, increases IT efficiency, lowers operational cost, improves cyber security posture and allows commanders and IT staff to focus on mission-critical operational activities rather than CCRI audits. It helps IT organizations transition to a proactive compliance posture and elevates compliance from a periodic auditing exercise to a culture of continual compliance.

Additional References

The following resources provide additional information about how ForeScout CounterACT helps military and defense organizations streamline endpoint compliance and satisfy audit requirements.

• ForeScout — 802.1X and Network Access Control

• ForeScout CounterACT — Visibility and Automation for HBSS

• ForeScout — Real-time IAVA Compliance

• ForeScout CounterACT Common Criteria EAL4+

To learn more about ForeScout solutions for Federal Government and Defense Organizations please visit: http://www.forescout.com/solutions/federal/ and http://www.forescout.com/solutions/defense/

©2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2013.0067

ForeScout Technologies, Inc., 900 E. Hamilton Ave., Suite 300, Campbell, CA 95008 U.S.A.

T 1-866-377-8771 (US), T 1-408-213-3191 (Intl.), F 408-213-2283, www.forescout.com


About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company's CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout's open ControlFabric™ technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout's solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.