McAfee’s Approach to Continuous Monitoring

Risk Awareness

Risk awareness across all subsystems enables agencies to understand real-time activities within the environment, including specific asset details and security controls. It helps agencies generate actionable, prioritized responses. McAfee solutions detect the vulnerabilities on endpoints and malicious traffic traversing the network and assign asset values. In addition, security controls are enriched with threat intelligence gleaned from millions of sensors worldwide. McAfee solutions also understand what countermeasures are in place to mitigate threats. Understanding the risk as a combination of asset value, asset vulnerabilities, real-time attack information, threat intelligence, and countermeasures means that incident response is more accurate, responders are more focused, and time to remediation is faster.

Data Protection

Data protection comes in many forms. Depending on the subsystem, there may be a need to protect data at rest, in motion, and in use. The database subsystem can offer unique challenges, requiring database virtual patching, vulnerability assessment, and activity monitoring. McAfee offers purpose- built solutions for each of these requirements to secure the most complex subsystems.

McAfee combines discovery, prevention, monitoring, and reporting through a centralized solution enriched with supporting information from network and endpoint controls. McAfee helps address questions such as: what data was accessed, by whom, when, how, and from where. With so many attacks focused on sensitive data, a layered, connected approach is the key to mitigating abuse by external and internal users, even those with administrator privileges.

Centralized Management and Monitoring

Unifying security management through an open platform, McAfee makes risk and compliance management simpler and more successful. Flexible automation streamlines workflows, dramatically reducing the cost and complexity of security and compliance administration across the various subsystems within the CAESARS technical reference architecture. Unique capabilities include situational awareness across endpoints, network, and data, as well as streamlined workflows that accelerate administrative tasks and reduce audit fatigue.

Value Drivers

Some of the key value drivers we see around our solution for continuous monitoring include:

• Reducing the time and effort required to demonstrate compliance with regulatory mandates
• Allowing more streamlined workflows to maximize operational efficiencies
• Cultivating a complete platform of situational awareness where more informed decision-making can be achieved more quickly
• Taking advantage of connected, automated solutions that ultimately yield greater security ROI per security asset while reducing manual tasks

For more information about the Security Connected Reference Architecture, visit: www.mcafee.com/securityconnected.

• SQL Injection
• XSS
• Session Hijacking
• Parameter Tampering
• Database Protocol Hacking

I also gave a demonstration of a targeted Phishing attack that brought together Metasploit, Stuxnet, Bit.ly, Facebook…oh, and Cameron Diaz.

These demonstrations were meant to highlight how vulnerable applications, databases, and sensitive data in general can be without the right security controls and development practices.  This is extremely relevant to Continuous Monitoring (CM) for federal agencies.

Continuous Monitoring

About a decade ago, the Federal Information Security Management Act (FISMA) of 2002 was created in response to the realization that information security is vital to the economic and national security of the US. However, the perception is that FISMA has had a marginal impact on improving security for many federal agencies.

Existing federal IT security practices lack processes built atop risk-based security controls. Without these controls, achieving the level of automation and granularity necessary for success in federal agencies is far too complicated, costly, manual,
 and error-prone. Thus, implementing continuous monitoring to measure its effectiveness isn’t possible. Understanding this disconnect, the US Department of Homeland Security (DHS) responded, and Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) and CAESARS Framework Extension (FE) were released about 10 years following FISMA.

CAESARS provides federal agencies with a technical reference architecture. This architecture is specifically designed to deliver guidance for secure, broad-based continuous monitoring implementations. CAESARS focuses on supporting cybersecurity operations, not on running reports to placate auditors and demonstrate compliance with regulatory mandates. Compliance reporting is a natural result of any holistic security strategy that is operationally effective both qualitatively and quantitatively.

CAESARS is a reference architecture that requires vendors to have expertise in endpoint, network, data, mobile, cloud, and embedded security along with centralized management and monitoring solutions for the entire security architecture. This is where the Security Connected platform from McAfee can help you achieve continuous monitoring.

McAfee offers a comprehensive security portfolio that maps directly to the CAESARS reference architecture. McAfee solutions encompass support for all subsystems, including sensor, database, presentation/reporting, and analysis/risk scoring. McAfee solutions interface with all 11 of the data domains that CAESARS requires—and we even offer integrated controls to secure CAESARS data.

The Security Connected platform is open, extensible, and built on the concept of integration with a vast array of solutions to enable agencies to realize value from existing investments in McAfee and third-party solutions. The result is improved ROI and streamlined compliance.

Continual, regular assessments are a prerequisite 
for moving IT security management from isolated assessments to continuous risk management as described by the National Institute of Standards and Technology (NIST) and Office of Management and Budget (OMB). McAfee is ready to help agencies seamlessly build the full end-to-end continuous monitoring solution they need to improve security and make FISMA compliance reporting easier and more efficient.

I will go into more McAfee specifics in tomorrow’s blog, so keep a look out here in Security Connected, and be sure to follow @McAfeeBusiness on Twitter for the latest updates.

One of topics we discussed was enhancing security awareness in K-12 education.  There is a need at all grade levels for students, parents, educators, and supporting staff to be more familiar with the various cyber threats and countermeasures as well as resources such as McAfee’s Online Cyber Security Resource Portal. From online predators and malicious software to smartphones and laptops, information security is an essential element of K-12 education, and more and more states are making it a priority.

Another topic of critical importance to federal and state governments alike is the protection of critical infrastructure. The electric grid, oil and gas, chemical, and mining are all examples of areas in which state governments are taking a more active role. Multiple zones within critical infrastructure require protection including IT, SCADA, and ICS or industrial control systems. McAfee has many customers in this area, and has several purpose-built solutions such as those outlined here. The interest from state governments in critical infrastructure is rapidly expanding, and because so many experts agree that this is a primary concern for our country as a whole, an open dialog regarding threats and solutions at a state level is relevant and timely.

It’s great to see such an increase from state governments in information security, and it was a pleasure to meet with the Pennsylvania team.

Fourteen of the targets were the same as in the 2009 attacks, but nearly all of the U.S.-based targets such as The White House, State Department, FAA and FTC were removed from the target list. The modus operandi of the attacks was identical and unusually destructive for typical botnet attacks: the botnet, based in South Korea, was dynamically updated via new malware binaries, launched a relentless DDoS for slightly over a week, and then destroyed the machines it was deployed on by overwriting with zeroes and then deleting key data files such as source code, documents and then zeroing-out the Master Boot Record (MBR) to render the computers unbootable.

In March 2011, however, the level of sophistication was dramatically ramped up, especially for something as simple as a DDoS attack. In fact, it was analogous to bringing a Lamborghini to a go-cart race. Multiple encryption algorithms, such as AES, RC4, and RSA were used to obfuscate numerous parts of the code and configuration of the attack components to slow down the analysis. Over 40 globally distributed multi-tier Command & Control servers (USA, Taiwan, Saudi Arabia, Russia and India accounted for over half of all of servers) were used to dynamically update the malware and its configurations in a fashion designed to be highly resilient against takedowns. It was also clear from our analysis of the code that multiple individuals who may not have been in close coordination were responsible for developing its various parts.

So what was the goal of these attacks and why was so much effort employed to do something that’s fairly trivial in this day and age – flood a Web site with purposeless traffic to slow it down or bring completely offline? We believe this incident, which we estimate has a 95% chance of being perpetrated by the same actors as July 4th 2009 attacks, has very clear anti-Korean and anti-U.S. political motivations and potentially is even more insidious. The level of encryption and obfuscation at all layers of the malware and its distribution method, as well as the quick follow-on destruction of data and machines, indicate that one of the key objectives was to impede rapid analysis and remediation by the Korean authorities. This may very well have been a test, an armed cyber reconnaissance operation of sorts, perhaps conducted by the North Korean military as the South Korean National Intelligence Agency has asserted, to test the defenses and more importantly the reaction time of the Korean government and civilian networks to a well-organized and highly obfuscated attack. Knowing that would be invaluable in a possible future armed confrontation on the peninsula, since cyberspace has already become the fifth battlespace dimension, in addition to land, air, sea, and space.

We have published an in-depth paper on this incident and McAfee’s analysis of it, detailing information about:

• The target Web sites and methodology of the DDoS attacks
• The different cryptographic algorithms in place and how they have been used to deter analysis
• Interesting mistakes made by the actors involved
• Attribution theory and analysis of intent

As with most initiatives at McAfee, this was a team effort bringing together researchers from McAfee Labs with other departments at McAfee, our partners, and our customers. I would like to give a special thanks to the US-CERT, Department of Defense analysts, and AhnLabs, as well as our own – Dmitri Alperovitch, Brian Contos, Sven Krasser – and countless others for their tireless effort, support, and fighting the good fight every day.

I have started to see strong interest in the McAfee DLP, Database Protection and Encryption technologies because there are more customers worried about the protection of their intellectual property than ever before.  Because of the increased competitive nature of the security business staying ahead of the competition is more critical than ever.  But in today’s world, businesses have more to worry about than just about the outside threat; there is also the threat within.  There have been more and more examples of internal employees selling intellectual property to competitors or taking the information with them when they go work for one. 

In the past, the interest in data protection technologies was mainly from companies who had information that was regulated and had to be controlled by law but today many businesses are realising that is just as important, if not more important, to protect their intellectual property.  I met with a very large automobile manufacturer that was worried that their engine and design plans were at risk so they wanted to make sure they had technology like McAfee Data Loss Prevention to ensure their future plans were protected and couldn’t be shared beyond the company walls.  I think companies have become more concerned because of the recent high profile data loss incidents in France and the UK and also because of the threat to their brands with the increase of Wikileak type losses.  One of the biggest targets for theft is information stored in company databases where much of the businesses critical information is kept.  McAfee recently acquired Sentrigo and now offers  marketleading database protection, compliance and monitoring.

Another trend I am seeing from many customers, large and small, is that they are seriously looking to outsource to the cloud to cut down costs and improve availability.  However, they all worry about the security of the cloud and how they can securely transfer critical information to and from it.  Until very recently the “Crown Jewels” of a company’s intellectual property was all stored within the castle walls of the business but this has changed quickly with globalisation, virtualisation and increased use of cloud applications.  Now much of that intellectual property is stored in the cloud where the business may not understand if that data is secure.  McAfee have just launched our Cloud Security Platform that helps businesses build a secure bridge to the cloud and insure that their data is safe when using cloud-based technologies.

Lastly, when I talk to partners they tell me they are looking for a partner who is focused on increasing their channel profitability.  McAfee has heard this from our largest partners too and have introduced a few new programs to really drive our reseller profits.  Additionally our partners are looking to provide a services portfolio that they can offer their customers based on McAfee solutions so we are putting a big focus on delivering these services to our partner base.  There will be some exciting announcements in the coming months giving more details on these programs.  At McAfee we really want to improve our engagement and support our committed partners with more opportunities.  Our goal is to be the best security vendor in the industry offering the best portfolio, best services and paying well for performance.  Any partner interested should visit our partner area on www.mcafee.com.

Regards,

Gert-Jan

Small businesses are a major contributor to the American economy. In 2011, there are an estimated 27.2 million small businesses in America, according to the Small Business Administration, and small businesses comprise two-thirds of all jobs created as stated this morning by Chairman Genachowski. These small businesses are handling financial data, intellectual property and personally identifiable information, and it is vital to the businesses as well as national and critical infrastructure security that the data stays secure.

The list provided by the FCC to small business released today contains valuable reminders for all of us—companies big and small, corporations and individuals. It’s important that we all realize that cybersecurity is not just an IT issue—it’s an overall corporate and global risk that affects all of us.

As many panelists stated, every company needs a cybersecurity plan that includes pre-established relationships in the private sector, government and law enforcement, of who to call in an event. Having a plan in place ensures your company brand and consumer trust as it enables effective response and advanced customer consideration. It shows your stakeholders that you’re building an infrastructure that is responsible and prepared. We’re all connected. If one company does not do its piece to be responsible and keep a healthy network, its putting other companies—both big and small—at risk.

At McAfee, we have a saying: “Safe Never Sleeps.” We’re dealing with an adversary in cybersecurity that is fast and relentless, so it is vital that we all make a plan to protect ourselves for the before and the after. I commend the FCC for releasing the tip sheet that will help small businesses plan and prepare for threats, as well as help keep their businesses and their customers safe. You can view the FCC’s tips for small businesses below, or on their website.

FCC’s 10 Cyber Security Tips for Small Business

1.       Train employees in security principles

Establish basic security practices to protect sensitive business information and communicate them to all employees on a regular basis. Establish rules of behavior describing how to handle and protect customer information and other vital data. Clearly spell out the penalties for violating business policies. 

2.       Protect information, computers and networks from viruses, spyware and other malicious code

Install, use and regularly update antivirus and antispyware software on every computer used in your business. Such software is readily available online from a variety of vendors. Most software packages now offer subscriptions to “security service” applications, which provide additional layers of protection. Set the antivirus software to automatically check for updates at a scheduled time of low computer usage, such as at night (midnight, for example), and then set the software to do a scan after the software update.

3.       Provide firewall security for your Internet connection

A firewall is set of related programs that prevent outsiders from accessing data on a private network. Install and maintain firewalls between your internal network and the Internet. If employees work from home, ensure that their home systems are protected by firewalls. Install firewalls on all computers – including laptops – used in conducting your business.

4.       Download and install software updates for your operating systems and applications as they become available

All operating system vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install such updates automatically.

5.       Make backup copies of important business data and information.

Regularly backup the data on every computer used in your business. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files and accounts receivable/payable files. Backup data automatically if possible, or at least weekly.

6.       Control physical access to your computers and network components

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft, so make sure they are stored and locked up when unattended.

7.       Secure your Wi-Fi networks If you have a Wi-Fi network for your workplace make sure it is secure and hidden.

To hide your Wi-Fi network, set-up your wireless access point or router so it does not broadcast the network name also known as the Service Set Identifier (SSID). In addition, make sure to turn on the encryption so that passwords are required for access. Lastly, it is critical to change the administrative password that was on the device when it was first purchased.

8.       Require individual user accounts for each employee

Setup a separate account for each individual and require that strong passwords be used for each account. Administrative privileges should only be given to trusted IT staff and key personnel.

9.       Limit employee access to data and information, and limit authority to install software

Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10.   Regularly change passwords

Passwords that stay the same, will, over time, be shared and become common knowledge to coworkers and can be easily hacked. Passwords should be changed at least every three months.

Tuesday morning, at the National Press Club in Washington, D.C., I had the opportunity to discuss the findings of the report and moderate a panel of cybersecurity and critical infrastructure professionals: Stewart Baker, Center for Strategic and International Studies; Donna F. Dodson, National Institute of Standards and Technology; Kevin Gronberg, Committee on Homeland Security; Michael Peters, Federal Energy Regulatory Commission; and McAfee’s own Phyllis Schneck.

During the panel discussion, a major theme emerged: most critical infrastructure systems are not designed with cybersecurity in mind. It was agreed that organizations need to implement stronger network controls to avoid being vulnerable to cyberattacks.

Cyberthreats are nothing new. Cybersecurity has been on Congress’s agenda alongside other major issues like the environment and the economy for a long time. Each of these issues is of equal importance, so why not take equal approaches? Perhaps a “cash for clunkers” system, but instead of trading in gas guzzlers, we provide tax incentives for trading archaic SCADAs for more secure systems. “Cash for Supervisory Control and Data Acquisition” is obviously not as catchy, but tax credits for protecting our nation’s critical infrastructure sure is.

Tuesday’s panel generated a lively discussion, one that I hope will cause both consumers and legislators to acknowledge the changes in the cyberthreat landscape and focus their attention on fixing existing vulnerabilities, as well as prepare for future sophisticated threats. Failure to acknowledge these new threats is unrealistic and undermines many of the common services most people take for granted in their daily lives.

By George Kurtz

Schneck points out “The so-called ‘smart’ grid is being created with that renewed joy of convenience and efficiency, and that renewed lack of investment in security.” In the Dark gathers research and survey data from IT security executives at critical electricity infrastructure enterprises across 14 countries.

In the past year, the sophistication of Stuxnet has dramatically changed the threat landscape – an attack aimed at sabotaging an industrial control system. Focused on the major industry sectors of power, oil, gas and water, this recent report highlights the key industry findings from respondents as they address the scale of the attacks and the relative adoption of security technologies. Also noted in the report are key trends pulled from the executive survey data including the role of government in these cyber attacks.

Take a look at the key findings or check out the full report and let us know your comments below.

Fast forward to 2011, as McAfee releases “In the Dark: Crucial Industries Confront Cyberattacks,” the frightening news is the mistake is being repeated.  The so-called “smart” grid is being created with that renewed joy of convenience and efficiency, and that renewed lack of investment in security.  This report is a follow-up to the report released to McAfee’s 2010 report: “In the Crossfire: Critical Infrastructure in the Age of Cyberwar.” This sequel report surveyed 200 IT security executives from critical electricity infrastructure enterprises in 14 counties, focused on the critical civilian energy infrastructure that depends most heavily on industrial control systems.

Perhaps one of the most frightening findings in the report is the fact that, although the security threat and awareness of the threat have increased exponentially, the energy sector increased its adoption of security technologies by only one percent.  Potential reasoning comprises:

1.  Lack of incentives to invest in a difficult economy in protecting against cyber security vulnerabilities when they are not tangible and have not yet been known to cause harm to the energy sector and 2.  Cyber security investment is made often at the CIO/CISO level as a technology conversation for the technology budget vs. where it really needs to be – at the CEO/CFO level where business risk is assessed.  Cyber security is a business risk – if the lights go out, everyone loses money.

It is our hope that this report electrifies the discussion of securing cyber systems for the sake of our safety.   We want to engage the conversation about incentives – what does it take to get us to protect against a threat which, although we cannot see it yet, could be devastating to public safety, business and the economy?  How do we break the vicious cycle of building great new systems, such as the smart grid, without including security from the ground up?  Are we really going to repeat the fatal flaw of the Internet to save a few dollars in the short term?

The following are some key findings in the report:

Key findings in the CIP report

• Eighty percent of respondents have faced a large-scale denial of service attack
• Twenty-five percent of respondents have been victims of extortion attempts
• More than 40 percent of executives believe that their industry’s vulnerability has increased
• Almost 30 percent believe their company is not prepared for a cyberattack
• More than 40 percent expect a major cyberattack within the next year
• Energy sector increased its adoption of security technologies by only a single percentage point, at 51 percent
• Oil and gas industries increased by only three percentage points, at 48 percent
• Nearly 70 percent of respondents frequently found malware designed to sabotage their systems
• A quarter of respondents reported daily or weekly DDoS attacks

Overall Assessment:

• There has been an increase in cyberattacks on critical infrastructure, yet organizations are unprepared or investing more
• The rate of security adoption is significantly trailing behind the rate at which threat are growing, and critical infrastructure industries have made only modest progress since 2010
• Infrastructures that control systems affecting our everyday lives, such as smart grids, are rising in adoption; yet still do not have proper security from attacks in place.

As I said to the Subcommittee, the cybersecurity challenge faced by our country is a serious matter that requires an evolution in the way in which both the public and private sectors collaborate. Each sector has its own set of core capabilities; only the government can implement the complex set of organizational and policy responses necessary to counter the growing cybersecurity threat. Leading information technology companies and their customers are uniquely positioned to act as early warning systems that can identify and help address cybersecurity attacks as a real-time cyber immune system.

With the right industry-government collaboration, networks of the future can comprise intelligence and create resiliency by instantly rejecting harmful code in milliseconds as opposed to the hours it traditionally takes to make a signature. Already we’ve seen public-private collaboration constructs, including the National Cyber Investigative Joint Task Force (NCIJTF), the National Cybersecurity And Communications Integration Center (NCCIC), and the United States Computer Emergency Readiness Team (US-CERT).

Information technology companies focused on cybersecurity in particular have the resources and the economic incentives to continue to invent and develop the technologies and solutions needed to stay ahead of sophisticated cyber attackers. Enhancing protections for private companies to share information within these constructs will enable us to use this work to its full potential and overcome the cyber adversary – this is what the enemy cannot do.

In the best American tradition of collaboration, the public and private sectors have made important strides to address the cybersecurity challenge and to enhance trusted working relationships. As we work together to further evolve our collaboration models, we can succeed in protecting our homeland from the threat of cyber attacks.