Raytheon Oakley Systems

(1)

Raytheon Oakley

Systems

Michael Crouse

VP, Sales & Marketing

Daniel Velez

Director, Program Operations

(2)

About us



Founded as Oakley Networks in 2001



Acquired by Raytheon in 2007



US Government & Fortune 500 customers



9th Generation Enterprise Audit and Insider

Threat Solutions



SureView – Export Controlled Dept of Commerce

Raytheon Oakley Systems

Securing Classified

Networks and

Fortune 500 customers

since 2001

(3)

Raytheon Oakley Systems – Products

Insider Threat, Enterprise Audit, Risk Management, IP Theft Protection, Cross

Domain, External Data Source Integration, & Analytics

(4)

Customer Success Is Our Mission is a registered trademark of Raytheon Company.

c

SureView

™

Innovation and Integration

SureView

™ McAfee ePO (HBSS) ArcSight SureView™ Investigations Dashboards Policies Events

64-bit malware detection audit social networking reporting scalability Linux

Printer Keyboard

Email Browser IM Office Clipboard File System Process Log On Terminal Servers Lotus

(5)

Policy-Driven Auditing



Specifies what to audit and what should be in the audit record



Specifies what not to collect

Ex: “Do not collect email to/from

[email protected]

”



Leverages simple “If/Then” statements



Enables Multiple Stakeholders

Ex: Active Malware Protection (AMP)

AUDITED ACTIVITY

AUDIT RECORD

- SAP code names - fingerprinted text

•

File write to removable media

•

File contains sensitive data

•

Date/Time, Username, Workstation

•

Offending Device

•

Action: Capture File

•

Action: <email> Security Staff

(6)

Management Controls

US DoD Image



Role-based Access



Robust Operator Auditing



Segregation of Collected Data



Chain of Custody Features



Non-technical Oversight



Integration with 3rd Party Enterprise

Tools such as ePO and various SIEM’s



ArcSight, SPLUNK, etc.

Access to controls based on

(7)

Analyze events from networks across air gapped domains on one investigator workbench.

CrossView

™

:

Cross Domain Auditing

SureView

™

/ CrossView

™

Cross Domain Solution

Analyst Workbench

(8)

Convergence:

External Data Source Aggregation

Facility Access Information Personnel Security Information HR Data Communications Foreign Travel Information

Shared Space Audit Data

(9)

Future

Convergence: Conceptual Architecture

D

esk

top

A

gents

Collector Node Central Database Master Node Enterprise Application Suite

Arbitrary External Data Sources

R E S T A P Is (re q u ire s s e p a ra te Con v e rg e n c e l ic e n s e ) Analytics Node Connector Modules Phase 1 Data Analytics

(10)

Spotlight - Analytics Interface



Enables customers to discover and

understand meaningful patterns in large sets

of audit data through seamless integration

with best of breed analytical tools including:

–

Risk assessment algorithm,

–

Anomaly detection,

–

User trend analysis,

–

Role based profiling w/ threat indicators



Analytics Platform modules may be

developed by ROS, authorized 3

rd

_-party

partners, or directly by customers



Analytics Platform provides optimized access

to SureView data and a means for sending

the results of analysis back into the

(11)

Spotlight: Conceptual Architecture

Collector Node

Central Database Master Node

Enterprise Application Suite

REST APIs Spotlight Framework Analytics Node A nal y ti cs M odul es

Management & Status User Interface

(12)

Support for Person-Centric Investigations



Implies a shift away

from the traditional

primary association of

collected data to an

SureView agent.



Particularly relevant to:

–

Convergence customers who are

aggregating audit data from

multiple external data sources

–

SureView customers with hosted

virtual desktop environments

–

CrossView customers with users whose behavior they audit across

multiple domains



Add features to more easily attribute collected audit data to

(13)

SureView Value Proposition



Demonstrably Superior Cyber Audit Capability

–

Operationally-proven, mature and scalable solution with overall install base of over hundreds of thousands endpoints to date

–

Unobtrusive and configurable policy-based endpoint auditing with full context event replay

–

Comprehensive coverage and collection of end-user behavior on desktops, workstations and laptops, whether connected to the network or completely offline



Low Risk

–

Fully accredited for operation on JWICS, SIPRNET & other classified/unclassified networks

–

Fully interoperable with other host based security system architectures and leading Security Information and Event Management (SIEM) tools such as ArcSight

–

Comprehensive mission support for services, training, and documentation



Compliant

–

Compliant with DCID 6/3 and ICD 503 as well as DISA STIG security requirements

–

Fully validated NIST FIPS 140-2 encryption modules for all cryptographic functions

–

Standardized audit policies and common, exportable data format enable discovery and retrieval of audit information.



Cost Effective

–

Low Total Cost of Ownership (TCO)

(14)

To Demonstrate the power of the ROS

SureView system with Convergence and

(15)

Agenda



Scenario 1

– Unapproved Job Outsourcing

(16)

Scenario 1 – Unapproved Job Outsourcing



Scenario: FJEA insider, Aaron

Reed, exposes his agency to

tremendous risk when he

covertly outsources his job

to a 3

rd

_{party in China and}

opens up access to mission

resources in the process.



This demonstration shows

how the correlation of aggregated data from multiple sources can

illustrate a rich view of the context around user activities that

provides valuable insight into an insider’s motivate and intent.



This kind of proactive approach is essential to mitigating today’s

(17)

Scenario 1 – Unapproved Job Outsourcing

(18)

Scenario 2 – Intellectual Property Theft



Scenario: Impact of Company Reduction In Force Notification (RIF) on

employee behavior causing increased risk of an Insider Threat incident.



Bob Davis potentially working with a 2

nd

Party inside the company to

exfiltrate sensitive company data.



This demonstration shows that an effective insider threat mitigation

program requires aggregation and correlation of data from various data

repositories.



With context and audit records from multiple sources, the time to discover

(19)

Scenario 2 – Intellectual Property Theft

(20)

Contact Info

Michael Crouse

Vice President, Sales and Marketing

Raytheon Oakley Systems

443-858-8527

[email protected]

Cleared for release. #IIS2013-226.