A solution for the Department of Defense's Comply to Connect strategy and the Department of Homeland Security's Continuous Diagnostics and Mitigation Program.

All organizations are vulnerable to cybersecurity attacks in some way. The common thread among all organizations, including the United States federal government, is the necessity to continuously validate and improve their security posture and prove their compliance year round. To achieve this state, organizations are moving away from point-in-time monitoring toward a more continuous approach to help identify and fix critical weaknesses in cyber defenses as they occur. 

Background  

There are several accepted frameworks that can accelerate an organization's ability to build-in security while simultaneously reducing risk. WWT used these frameworks for guidance in developing a Continuous Compliance solution. In Special Publication (SP) 800-137, the National Institute of Standards and Technology (NIST) defined information security continuous monitoring (ISCM) as maintaining ongoing awareness of information security, network vulnerabilities and threats. The goal of NIST SP 800-137 is to provide guidance in applying the Risk Management Framework (RMF) when building information systems for federal agencies. The RMF is captured in SP 800-37 and highlights a system lifecycle approach for security and privacy as it relates to organizational mission and business functions. 

The Department of Homeland Security developed the Continuous Diagnostics and Mitigation (CDM) program to bring multiple frameworks and strategies together. CDM built upon existing frameworks focused on building applications to mitigate risk by highlighting capabilities and tools that not only identified risk, but mitigated and responded to the most significant problems first. 

The CDM program is organized in to four phases in the form of questions:

  • PHASE 1: What is on the network?
  • PHASE 2: Who is on the network?
  • PHASE 3: What is happening on the network?
  • PHASE 4: How is data protected?

WWT is committed to answering these questions in a manner our federal defense and civilian agencies understand and feel comfortable with. To that end, we've developed a series of workshops to help organizations evaluate their security posture and tool suites and build in efficiencies wherever possible. WWT's Tools Rationalization Workshop is based on the NIST Cyber Security Framework and aligns security technology classes (Devices, Applications, Networks, Data and Users) with operational functions (Identify, Protect, Detect, Respond and Recover) to identify gaps and overlaps in customers' technology portfolios. 

Furthermore, WWT has the advantage of leveraging our Advanced Technology Center (ATC) to demonstrate these solutions today. The ATC is a collaborative ecosystem in which engineers design, build, educate and demonstrate innovative technology products and integrated solution sets. This is the type of flexible capability that has allowed WWT to build a successful implementation of a formidable continuous compliance framework that aligns with CDM to ensure end users have the proper access to the environments required to meet their mission requirements.

Simplified Conceptual Approach 

WWT believes that buying elements per phase greatly increases complexity. It is common for large scale organizations to have multiple tool sets that include several vendors. The integrations of these technologies can become difficult without the right approach. Not only has WWT witnessed this situation across several government organizations, we've seen it with commercial entities as well. We looked at all four phases and selected solutions that seamlessly integrate to satisfy Comply to Connect (C2C) and CDM requirements at scale. 

To reduce complexity, WWT recommends focusing on two steps that tie into the four phases of CDM, which directly relate to C2C:

  1. User, Network and Endpoint Validation
  2. Endpoint Visibility and Remediation

The first step focuses on user identification/authentication and the network/endpoint vulnerability posture. The questions being asked are whether the user has the appropriate authorization to access the network and whether the network and endpoint devices being utilized are in compliance based on a number of regulations, such as Defense Information System Agency (DISA) Security Technical Implementation Guides (STIGs). 

The second step leverages visibility to understand the immediate state of the endpoint, and then attempts to remediate the endpoint if it is not in compliance. If a number of remediation actions are unsuccessful, quarantining the endpoint is warranted. Simultaneously with the second step, it is imperative to have real-time visibility of users, their activities and endpoints to ensure a continuous state of compliance. Should the user or endpoint fall out of compliance, remediation actions will take effect. 

This is a simplified way of understanding a Continuous Compliance approach. For more information, WWT has published an Integrated Endpoint Security Architecture strategy that explores more of what is involved in our holistic approach to endpoint security. The scope of this white paper is high-level and focused on introducing a few choice technology solutions that WWT chose to implement.

Simplified Technical Approach

To build an integrated solution for Continuous Compliance that's robust enough to evolve over time and allow for operational growth in an enterprise network, WWT recommends Cisco Identity Service Engine (ISE) for Network Admission Control, Tanium for holistic systems management, and Tenable (known as Assured Compliance Assessment Solution under DISA) for the identification of security vulnerabilities. Additionally, WWT recommends Splunk for data analysis and Phantom for Security Orchestration and Automation and Response (SOAR).

WWT has the following technologies integrated and running in our ATC: 

Cisco. Utilizing Cisco ISE, we're able to control access by verifying users and devices plus the level of access they should have before network access is granted. Cisco uses several industry-leading protocols to help ensure the right connections are granted in the most expedient manner. Government networks are significantly large, so having a technology that can support hundreds of thousands of users connecting simultaneously is critically important as mission systems have to be available at a moment's notice. 

Cisco ISE can tie directly into Microsoft Active Directory to validate users who belong on the network. Likewise, ISE can also interface with a certificate authority to validate device access via certificates. This includes allowing a user plus device to access specific assets on the network, such as printers, file servers and email based on endpoint posture. Not only can you block access to unmanaged or illegal devices, you can dynamically assign them to an access control list for further evaluation. This functionality paves the way for compliance checks with software technology providers like Tenable Network Security. It is important to note that ISE has existing integration with Tenable. 

Tenable. Tenable was selected by DISA for its Assured Compliance Assessment Solution (ACAS). ACAS is an integrated software solution that performs vulnerability scanning, configuration checks and reporting. WWT will leverage this functionality in this framework. Tenable's primary component is the Security Center Platform. This, in conjunction with the Nessus Vulnerability Scanner, will allow us to execute continuous asset monitoring for compliance and subsequent access to the network. The way this is controlled is via a Common Vulnerability Scoring System (CVSS). If the CVSS score of an endpoint is high (7 or higher on a 1 to 10 scale), the asset will need to be quarantined or remediated. Remediation can take on several forms of execution, but we chose Tanium to handle remediation activity. 

Tanium. Tanium is a modular endpoint security and management platform that provides the lightning-fast ability to see and execute actions across every managed device, regardless of the infrastructure size and complexity. By providing full system access and the flexibility to take any action, Tanium can make changes on endpoints with speed and scale. For those endpoints that need extensive remediation, Tanium offers the ability to use the Trace module to gather comprehensive endpoint forensic data to investigate. 

Tanium is most useful in a Continuous Compliance application thanks to its ability to distribute, update, install and even uninstall software packages. The speed at which Tanium can do this is unmatched. Lastly, Tanium has the ability to report back on what was successful or not. To bolster reporting, organizations can use Splunk's integrations with Tanium to capture machine data for in-depth analysis. 

Splunk. Building a Continuous Compliance solution requires the ability to correlate and analyze large datasets. Furthermore, it requires the ability to concisely and accurately display information for leadership and operators to make informed and timely decisions. Splunk is WWT's partner of choice for this functionality. Through the use of products like Splunk Enterprise Security (ES), the time-to-detection of an attack can be significantly reduced, allowing for automated responses through additional Splunk offerings such as Phantom. In the context of Continuous Compliance, Splunk ES is a security information and event management (SIEM) solution that offers quick and dynamic functions for teams to reduce response times. It also includes visibility through pre-defined or custom dashboards that can show key performance metrics and thresholds for in-depth analysis. 

Continuous Diagnostics and Mitigation (CDM) and Comply to Connect (C2C) do not have to be challenging. WWT has proved that integrating the right technologies and building a CDM/C2C-compliant network is possible by using the technologies you probably already have. Leveraging the power of WWT's Advanced Technology Center enables the ability to sandbox a complete solution, test functionality and add or subtract technologies to achieve the most appropriate end goal. Whether customers are looking for general information or have a specific question regarding Continuous Compliance, WWT can help.  

Contact us today to learn more about how WWT leverages technologies from industry leaders to build solutions for our customers.