dynamic cyber defense

how CA can help agencies build a framework for a multi-level security posture

table of contents

Executive summary 3
Section 1: Introduction 5
Section 2: Vision & objectives 6
Section 3: Technical solution 9
Section 4: Solution outcomes 13
Section 5: Solution delivery 15

Executive summary

Challenge

CA has learned through experience that mission critical networks are contested, violated, infiltrated and penetrated, leading to significant risks to US Governmental and Commercial interests. The critical infrastructure has evolved from a ‘network enabled’ position to one that is now ‘network dependent.’ No aspect of the critical infrastructure operates without extensive use of information technology and it is this very fact that makes these networks such a high priority target for adversaries.

Opportunity

The need for secure, self-aware, proactively managed defense mechanisms has never been more critical. Commercially available technologies, when combined with research and development done by both the government and the private sector, represent the best possible approach for combating the types of threats our critical infrastructure is facing today.

This White Paper discusses methods by which network management can be extended to provide Dynamic Threat Detection, leading to Dynamic Cyber Defense.

Benefits

This White Paper will discuss ‘leap-ahead’ capabilities that can be implemented in accordance with Government and Commercial policy, scale in a way that can truly address the network ‘edge’ (on the order of 10^7 elements) and be dynamic enough to support broad based communities of interest as required. It is these ‘leap ahead’ capabilities that will be a key step towards combating the types of asymmetric threats facing organizations today. These capabilities will be built with a focus on cyber threats that are nation-state sized, operating with a decentralized method of control and exploiting not only technical vulnerabilities, but also those introduced by human behavior.


Example

The solution will build the framework to support a multi-level defensive posture to address Cyber threats. For example, an intrusion detection system detects malformed packets from a particular source address. It blocks input from that address. At the same time it informs a local management node that sends other firewalls and routers a warning about the malformed packets and this causes all firewalls and routers to block input. As a result, the source of a possible threat has been isolated.

The warning is also passed up to an Enterprise-level management component that can analyze warnings from devices across the network and can inform Security Analysts of the threat and take more extensive remediation action, which could include analyzing the source machine for infection, or even powering it down, or re-imaging it to remove the threat.


Section 1: Introduction

CA Inc (CA) is uniquely placed in the Management Software market to address the challenges of Dynamic Cyber Defense.

CA develops and markets software to cover all the critical aspects of enterprise security, from traditional security event detection software to configuration management and performance management.

CA and its customers have learned through experience over the past decade that advances in technology have surpassed mission capabilities in many ways. Governmental Agencies and Commercial organizations have found themselves in a position that requires extensive investment not only in capabilities to deal with adversaries’ extensive knowledge of technology trends, but also in new infrastructure technologies that can operate at the scale required to address the global threats in the world today. The Information Assurance mission needs to enhance the probability of its ultimate success and is looking for a force multiplier, a capability that significantly increases the combat potential of the force that employs it.

Although this threat is frequently seen as targeted at Governmental agencies, it is clear that similar attacks have been and will continue to be focused on Commercial entities. This may be in their own right, or as providers of critical infrastructure and services to the citizenry.

This paper discusses the first steps in an iterative implementation of a Dynamic Cyber Defense system. The approach discussed is based on the capabilities of the underlying technology, using these to build a framework for a continuously improving Dynamic Cyber Defense system.

This paper will discuss some specific technology from CA, but the framework constructed will be able to integrate with non-CA technology at all levels. To ensure this, interfaces will be constructed using standard protocols, including SNMP, SOAP and HTTP.

The initial focus is on Pervasive Sensing, extending the sensor network by leveraging commercially available technologies and open source components that can be integrated with deployed sensor mechanisms already in place, resulting in an ability to inform across domains and security classifications at network speed, providing decision advantage.

Once the coverage of the network has been enhanced with additional sensing, the management layers can be integrated and policy built to respond to threats quickly; by providing cross-network notifications, isolation of affected systems and escalation for analysis and remediation. The approach addresses the following:

1. Secure command and control – the provision of a responsive C2 system in a secured manner so that the management system does not introduce new vulnerabilities and risks.

2. Pervasive sensing – the ability to exploit workstations to monitor network traffic and to provide information to Network management systems.

3. Management of workstations as part of the sensor grid, including virtualized workstations.

4. Control and prevention of data loss – detection of data exfiltration by insiders, whether trusted individuals or malicious hardware or software.

5. Extension of the management framework out to next generation security platforms, for example HAIPE technologies.

6. Providing data reduction from initial events to actionable information.

7. Provide the infrastructure for developing threat pattern detection and implementing responses to previously identified attack patterns.

This approach can deliver true ‘leap-ahead’ capabilities that can:

• Be implemented in accordance with Government or Corporate policy.

• Scale in a way that can truly address the network ‘edge’ (on the order of 10^7 elements).

• Be dynamic enough to support broad based communities of interest as required.

It is these leap-ahead capabilities that will be a key step towards combating the types of asymmetric threats facing our nation. These capabilities are designed to combat threats that are nation-state in size, operating with a decentralized method of control and exploiting not only technical vulnerabilities but also those introduced by human behavior.

Section 2: Vision & objectives

Vision

CA envisages a direction for Dynamic Cyber Defense that moves beyond current, commonly accepted capabilities.

Figure 1: Overall Approach

[Figure 1 labels: Site-Level Management; 1st Level Management; Sensors & Enforcement (one set per site); Enterprise Management; Exchange Sensor-level Threat Information; Exchange Correlated Threat Information; cycle of Detect, Refine, Correlate/Pattern.]


CA technology and experience support the ability to build from the ‘bottom up’; to collect data from multiple sources, integrate and correlate them using an event management system and then create or use an existing automated system to take action and notify administrators and staff. Within this environment, similar sensors can inform each other of status using peer-to-peer methodologies capable of crossing domains and security classifications when needed.

At each level of the solution CA technology will be used to protect the management system and to record accesses and actions.

Data can be integrated in an end-user interface to allow Service Status, Threat Level, Performance and Recommended Actions to be easily viewed; and to allow analysts to act upon the data, defining and deploying policy to prevent and answer future threats.

Objectives

Secure command and control

Contemporary cyber environments with large-scale centralization of configuration management are vulnerable to attack. Attackers target this infrastructure and sometimes succeed in gaining full control of entire domains. This solution will utilize asymmetric cryptography and off-line signing of configuration orders to build an infrastructure resistant to these attacks and to minimize the risks introduced by the Command and Control system.
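One way to realise the off-line signing of configuration orders described above, as an added example written for this page and not CA's own implementation: the signer holds an Ed25519 private key on a system that is never reachable from the management network, and every management node pins only the matching public key. The Order fields, the TTL window, the error names and the sample orders are assumptions made for the illustration; the paper does not specify an order format. Standard library Go only.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Order is a configuration order as issued by the offline signer; the field
// names are assumptions made for this example. encoding/json writes struct
// fields in declaration order, so the signed encoding is deterministic.
type Order struct {
	ID       string `json:"id"`        // unique per order; a repeated ID is a replay
	IssuedAt int64  `json:"issued_at"` // Unix seconds
	TTL      int64  `json:"ttl"`       // validity window in seconds
	Target   string `json:"target"`    // device or node the order applies to
	Action   string `json:"action"`    // e.g. "block-source 203.0.113.9"
}

// SignedOrder is what crosses the management network: canonical bytes plus a detached signature.
type SignedOrder struct {
	Body []byte
	Sig  []byte
}

// Sign runs only on the offline signing system, the sole holder of the private key.
func Sign(priv ed25519.PrivateKey, o Order) (SignedOrder, error) {
	body, err := json.Marshal(o)
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

var (
	ErrBadSignature = errors.New("signature does not verify against the pinned key")
	ErrExpired      = errors.New("order outside its validity window")
	ErrReplay       = errors.New("order ID already executed")
)

// Verifier runs on the management node: pinned public key, a clock, and the IDs already executed.
type Verifier struct {
	pub  ed25519.PublicKey
	Now  func() time.Time
	used map[string]bool
}

// Accept checks signature, then freshness, then replay; only then is the decoded order returned.
func (v *Verifier) Accept(s SignedOrder) (Order, error) {
	if !ed25519.Verify(v.pub, s.Body, s.Sig) {
		return Order{}, ErrBadSignature
	}
	var o Order
	if err := json.Unmarshal(s.Body, &o); err != nil {
		return Order{}, err
	}
	now := v.Now().Unix()
	if now < o.IssuedAt || now > o.IssuedAt+o.TTL {
		return Order{}, ErrExpired
	}
	if v.used[o.ID] {
		return Order{}, ErrReplay
	}
	v.used[o.ID] = true
	return o, nil
}

// Demo stands in for the offline signer (and a rogue one), issues constructed orders and
// exercises every rejection path. It returns one error per attempt, nil meaning "accepted".
func Demo() ([]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's key, never pinned anywhere
	clock := time.Unix(1700000000, 0)                    // fixed clock so the run is repeatable
	v := &Verifier{pub: pub, Now: func() time.Time { return clock }, used: map[string]bool{}}
	good := Order{ID: "ord-42", IssuedAt: clock.Unix() - 10, TTL: 300, Target: "fw-site-a", Action: "block-source 203.0.113.9"}
	stale := good
	stale.ID, stale.IssuedAt = "ord-41", clock.Unix()-3600 // issued an hour ago with a 5-minute TTL
	signed, _ := Sign(priv, good)                          // json.Marshal cannot fail on these plain structs
	signedStale, _ := Sign(priv, stale)
	rogue, _ := Sign(roguePriv, good)
	tampered := SignedOrder{Body: bytes.Replace(signed.Body, []byte("fw-site-a"), []byte("fw-site-b"), 1), Sig: signed.Sig}
	var results []error
	for _, s := range []SignedOrder{signed, signed, tampered, signedStale, rogue} {
		_, err := v.Accept(s)
		results = append(results, err)
	}
	return results, nil // expected: nil, ErrReplay, ErrBadSignature, ErrExpired, ErrBadSignature
}

func main() {
	res, err := Demo()
	fmt.Println(res, err)
}
```

Three points a deployment has to get right beyond what the block shows: the record of executed order IDs must be persisted, or an attacker who can reboot a node can replay an old order; the TTL must leave room for clock skew between the signer and the nodes; and because the order names its target, a signed order for one device cannot be redirected to another by an attacker who controls the management network.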

The components of the solution can be protected from access from Web Clients, Administrative Clients and network ports. This can be achieved by providing products to lock down user access, specifically CA SiteMinder (for Web Access) and CA Access Control (for clients and servers).

In addition, internal protection, particularly for Web Services, can be strengthened by enforcing authentication and authorization at the server to server and service to service level. This can be achieved by the use of CA SiteMinder and CA SOA Security Manager.

Pervasive sensing

Security monitoring infrastructure is currently a bolt-on addition to networks. Instead, this solution utilizes network endpoints, including desktops, as a distributed sensor grid. It will feed network data back to traditional network monitoring systems and will support peer-to-peer techniques for decentralized, local detection of anomalies. New techniques in traffic summarization, anonymizers and detection can be developed within this framework.

The sensor net will be extended by making use of workstations already installed on the network. By populating the address space with a combination of real systems and honeypot sensors, there is an increased likelihood of both detecting and ensnaring attackers.

The sensor net can be further improved by incorporating managed mobile devices as sensors in order to extend detection beyond the traditional security perimeter.

The system can leverage pervasive sensing into automatic anomaly detection and response.

Scalability

Pervasive sensing requires a significant information flow from edge devices. That information flow can consume a significant fraction of the bandwidth to the edge. To make such information flow scalable and secure, the solution is designed in a tiered and scalable manner, with Event and Fault Management at multiple levels.

Data exfiltration (insider threat)

Data loss whether by accident or theft is a constant threat to systems integrity.

Rather than focusing solely on perimeter security, the solution focuses on the threat posed by insiders, whether they are trusted individuals, or malicious hardware or software.

The sensor net will also be extended by installing a data exfiltration detection tool. This tool will analyze data traffic in the context of identity, such as the author of a document, the sender/recipient of an email and their role within the organization.

CA’s Data Loss Prevention technologies can be installed on servers, workstations and on the network to provide quantified control of insiders. By establishing functional specialization and by taking a systems engineering approach to IT environments, the management system will expose new opportunities to contain and/or detect misuse and exfiltration of data.

Distributed decision making

The solution will allow edge sensors to distribute sensor data amongst themselves through Local Management Nodes. The communications can then be used to reduce the enterprise-wide effect of an attack by taking remedial action across the network when an attack is first detected.

This capability will be implemented at the lowest level of management, to provide the speediest initial response to detected threats.

Service alignment

The solution will allow Faults to be associated with supported business and mission services. This will allow the impact of a fault or event to be evaluated and initial and final remediation actions to be determined. Correct evaluation of the Fault will allow an appropriate level of reaction to be taken.

Fault/event management

The solution will provide a fully functional root-cause analysis and fault management capability. This will allow low-level events to be analyzed and the root cause to be determined, as well as suppressing secondary events caused by the original Fault.

Remediation

The solution allows remediation to be staged. An initial response action can be taken quickly, which can contain the effect of the threat or, better, address it immediately.

If the threat has been contained initially, then analyst or Enterprise-level action can be brought to bear to address the threat and restore service.


Section 3: Technical solution

Overview

The general approach is to collect data, manage it, provide actionable events and to act upon those events.

Low-level event, faults and abnormal activities will be collected by low-level detection devices, some from CA and some from existing software and hardware.

These events will be passed to Local Management Nodes which will perform basic event management, normalization, de-duplication and classification. This will reduce the data and make it easier to take action upon it.

The Local Management Nodes will use local policy definitions to determine what action to take, using the following two options as an initial guideline:

The Events match a known profile and policy and local remediation action will be taken. This action can either resolve the initiating event, or can isolate the affected devices, programs and services and escalate to the Enterprise level for remediation.

The Events are known to have network-wide implications and information about the events will be passed to other Local Management Nodes. These nodes may then take the equivalent local remediation action within their area of responsibility.

The Events will also be passed to the Enterprise-level Management Components which can correlate messages from all sources. These components will take action using all available information including CMDB service-related information and inventory information and will apply defined policy.

The Enterprise-level Management Components will record information and alert analysts (again according to policy). Records of incidents and alerts will be in the Service Desk. The Service Desk will drive escalations and notifications and will provide reports to allow actions to be evaluated and actions to be improved.
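The Local Management Node pipeline just described (normalize, de-duplicate, apply local policy, warn peer nodes, escalate), and the firewall scenario in the Executive summary, as an added example written for this page rather than code from CA's products: a small Go model of three nodes in a full mesh. The event schema, the policy table, the node names and the sample events are all constructed for the illustration; the paper only says that interfaces use standard protocols such as SNMP, SOAP and HTTP, so transport is left out. Two details a practitioner should notice: a node that receives a peer warning applies it but does not re-broadcast, and every node records the event IDs it has handled, so the same IDS alert delivered twice is acted on once and a warning cannot loop between nodes.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a normalised sensor event; the field names are assumptions for this example.
type Event struct {
	ID     string // sensor-assigned identifier, used for de-duplication
	Sensor string // reporting sensor, e.g. an IDS
	Type   string // normalised event class, e.g. "malformed-packet"
	Source string // offending source address
}

// Action is the initial response chosen by local policy.
type Action int

const (
	Ignore       Action = iota // not actionable at this level
	BlockLocal                 // block the source on this node's own enforcement points
	BlockNetwork               // block locally and warn peer nodes to do the same
)

// Policy maps an event class to its initial response; unknown classes map to Ignore.
type Policy map[string]Action

// Node models one Local Management Node and its peer links.
type Node struct {
	Name      string
	Policy    Policy
	Peers     []*Node
	seen      map[string]bool // event IDs already handled: de-duplication and loop guard
	Blocked   map[string]bool // sources now blocked on this node's firewalls and routers
	Escalated []Event         // events forwarded to the Enterprise-level components
}

func NewNode(name string, p Policy) *Node {
	return &Node{Name: name, Policy: p, seen: map[string]bool{}, Blocked: map[string]bool{}}
}

// Normalize trims and lower-cases the free-text fields so that events from
// different sensors describing the same condition compare equal.
func Normalize(e Event) Event {
	e.Type = strings.ToLower(strings.TrimSpace(e.Type))
	e.Source = strings.TrimSpace(e.Source)
	return e
}

// Handle is the first-level pipeline: normalise, de-duplicate, apply policy, warn peers, escalate.
func (n *Node) Handle(raw Event) Action {
	e := Normalize(raw)
	if n.seen[e.ID] {
		return Ignore // duplicate delivery of an event already handled
	}
	n.seen[e.ID] = true
	act := n.Policy[e.Type]
	switch act {
	case BlockLocal:
		n.Blocked[e.Source] = true
	case BlockNetwork:
		n.Blocked[e.Source] = true
		for _, p := range n.Peers {
			p.applyPeerWarning(e)
		}
	}
	if act != Ignore {
		n.Escalated = append(n.Escalated, e)
	}
	return act
}

// applyPeerWarning is the receiving side of a peer warning: block within this node's own
// area of responsibility, but never re-broadcast, so a warning cannot circulate forever.
func (n *Node) applyPeerWarning(e Event) {
	if n.seen[e.ID] {
		return
	}
	n.seen[e.ID] = true
	n.Blocked[e.Source] = true
}

// Demo wires three nodes into a full mesh and replays the Executive summary scenario with
// constructed events: the IDS at site A reports malformed packets, and the alert arrives twice.
func Demo() []*Node {
	policy := Policy{"malformed-packet": BlockNetwork, "port-scan": BlockLocal}
	a, b, c := NewNode("A", policy), NewNode("B", policy), NewNode("C", policy)
	a.Peers, b.Peers, c.Peers = []*Node{b, c}, []*Node{a, c}, []*Node{a, b}
	a.Handle(Event{ID: "ids-1001", Sensor: "ids-a", Type: " Malformed-Packet ", Source: "203.0.113.9"})
	a.Handle(Event{ID: "ids-1001", Sensor: "ids-a", Type: "malformed-packet", Source: "203.0.113.9"})
	b.Handle(Event{ID: "ids-2002", Sensor: "ids-b", Type: "port-scan", Source: "198.51.100.7"})
	return []*Node{a, b, c}
}

func main() {
	for _, n := range Demo() {
		fmt.Printf("node %s: blocked=%v escalated=%d\n", n.Name, n.Blocked, len(n.Escalated))
	}
}
```

After Demo runs, all three nodes block 203.0.113.9 but only B blocks 198.51.100.7, and only the node that handled an event (not the peers that merely applied its warning) escalates it, which is what keeps the Enterprise tier from seeing one incident three times.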

CA technology

CA Access Control provides file-level protection on servers, controlling read, write and execution access to files.

CA CMDB provides the ITIL-defined database to manage Configuration Items and their relationships to services.

CA Data Loss Prevention provides protection for data at rest, in motion, on removable devices and in network traffic.

CA eHealth Performance Manager provides performance monitoring for network devices and servers, including detection of unusual traffic patterns.

CA Enterprise Log Manager provides forensic analysis of system and security logs.


CA IT Client Manager provides inventory of hardware, software and configuration for servers and workstations; provides software delivery for updates and enforces patch levels and configuration.

CA Role and Compliance Manager manages the relationships between users and their roles on the systems, to ensure separation of responsibilities and prevent role-creep.

CA Service Desk provides the ITIL-defined Service Desk function, including Incident/Problem management, notification, escalation and process management.

CA SiteMinder provides single sign-on for Web-based applications and controls access to those applications.

CA SOA Security Manager provides protection for SOA transactions and enforces security on SOA traffic.

CA Spectrum Infrastructure Manager provides fault detection, root cause analysis and service alignment for network devices and servers. It also provides Event Management and forwarding.

CA Spectrum Service Assurance Manager provides monitoring of Service Availability against defined SLAs.

CA SystemEdge is an agent that resides on servers to provide detailed performance and other activity data. It also provides a method for remediation.

CA Wily provides end-user experience monitoring and application server monitoring for .net and Java applications.

Staged Implementation

The implementation should be built from the ‘bottom’ sensor level upwards.

There is a rapid deployment of existing technology, followed by integrations and then custom exploitation and new technique development. The major steps are described in the sequence of diagrams on the following page.

The general approach is to collect data, manage it, provide actionable events and to act upon those events.

Stage 1

Software is installed to discover the devices to be managed. This includes network devices, servers and workstations. Agents (CA ITCM) are installed on servers and workstations to collect hardware and software inventory information. This collection of inventory information can be performed by non-CA tools and integrated into the CA ITCM management component and database.

Once the managed objects have been discovered, representations of services are built and the installed software is integrated into a Service Desk to provide incident management and fundamental ITIL processes.

At this stage the managed systems and sensors will be providing status information to the management systems, which will be correlating the data against defined services and recording events in the Service Desk.


Figure 2: Initial Installation – Discover the Management Domain

Stage 2

Figure 3: Additional Instrumentation – Collect More Data


Following the initial installation, additional instrumentation is installed to collect metrics from servers (SystemEdge) and security events (Access Control). Again, a non-CA tool can be used to do the collection, with integration into the CA management framework.

Wily Introscope and Customer Experience Manager (CEM) are installed to collect application performance information both from the end-user and the systems point of view. Wily CEM will help to detect anomalies or degradation. Wily Introscope will serve as a sensor at the application level, with the ability to drill down into execution details.

Data Loss Prevention is installed on the workstations to provide exfiltration prevention at the workstation level and on servers to provide exfiltration prevention for network shares and internet/intranet servers. The data will be examined based on environmental values, including identity, location and data content.

The Enterprise Log Manager (ELM) can be installed to provide forensic Log Analysis across the Enterprise.

These data are fed into the management components previously installed.

Note: Access Control is installed to support the Secure Command and Control focus.

Stage 3

Figure 4: Integrate Data in Context and Exploit

The solution is extended to exploit additional sources of data, for example existing HAIPE devices and installing Agents on servers and workstations.


As a result of the extensive discovery and pervasive sensor data collection, some leap-ahead implementation can be achieved:

• First-level Element Managers will be connected to other First-Level Managers to form a network of Local Management Servers to support the Distributed Decision Making focus. Basic Policy can be defined to forward events between these nodes.

• Faults and Events will use the Service definitions in the CMDB to provide information on affected services. This can be used to evaluate criticality from a mission perspective and to determine the most appropriate remediation action.

Section 4: Solution outcomes

Secure command and control

IT Operations and Security must go ‘hand in glove’ to provide a computing environment where the availability, integrity and confidentiality of IT resources are verified. IT Resources are defined as applications, data, systems and networks. CA’s security approach is to protect the IT resources by providing policy based controls that enforce who can access what, when and where that access is allowed and capture audit data of the activities for review and reporting. CA’s solution is a layered approach of integrated products that will manage and secure an organization’s IT resources. The diagram, on the following page, shows a notional deployment of CA’s security components. To protect against the hijacking of this infrastructure, the solution can include the ability to enforce higher-assurance, offline approvals of enterprise reconfiguration actions and policy changes.

The key components in this part of the proposal are CA SiteMinder, to lock down application access, and CA Access Control, to protect the Command and Control system.

Pervasive sensing and exfiltration defense

This approach will extend the sensing available in two main ways – to exploit devices not currently acting as sensors, mainly workstations and laptops, and to integrate information from existing sensors that are not currently under consolidated management.

The following are examples of the extensions that can be made:

• Install new sensors to extend the sensing network and the data collected.

• Install exfiltration protection on workstations to provide protection against accidental, careless or deliberate data loss.

• Install exfiltration protection on web servers and email servers to block inappropriate transmission of data.

• Install network traffic sensors on workstations. The sensors are expected to provide NetFlow information to the management components.

• Install Wily CEM as a performance sensor on workstations.

• Integrate with existing devices and sensors.


Anticipated outcomes

Figure 6: Overall Approach

The approach is to collect data, manage it and provide actionable events.

Low-level event, faults and abnormal activities will be collected by low-level detection devices, some from CA and some from existing software and hardware.

These events will be passed to Local Management Nodes which will perform basic event management, normalization, de-duplication and classification. This will reduce the data and make it easier to take action upon it.

The Local Management Nodes will use policy to determine if policy requires peer-to-peer notification and, if so, will transmit event data directly to peer Local Management Nodes.

The events will also be passed to the main Management Components which can correlate messages from the sources. These components will take action using all available information including CMDB service-related information and inventory information and will apply defined policy.

The main Management Components will record information and alert (according to policy). Records of incidents and alerts will be in the Service Desk. The Service Desk will drive escalations and notifications and will provide reports to allow actions to be evaluated and actions to be improved.

The sensor network will be extended to include input from existing hardware and software, specifically HAIPE devices. Further, workstations will be exploited as sources by installing NetFlow Agents.


Section 5: Solution delivery

CA provides a highly trained specialist workforce of implementation engineers, whose approach is to deliver value in the shortest possible time.

Time-to-value deployment approach

CA Services uses a rapid time-to-value deployment approach. This is a repeatable best practices approach delivering high value in quick incremental phases. Rapid time-to-value offers fast ROI, a smooth solution transition for your organization and solution flexibility to match your continually evolving business needs.

The primary objective of the time-to-value delivery approach is to stagger solution functionality and deliver the solution progressively over a period of time.

It provides baseline functionality that is tactical and that can be delivered with rapid time-to-value. Functionality that is deemed priority “medium” or “low” will be delivered after the initial deliverables. To provide optimal delivery of solutions, services are provided in three main forms:

Rapid Implementation Solution Offerings

The intent of Rapid Implementation Solution Offerings (RISOs) is to install and configure a CA technology solution in a controlled fashion, in a tightly scoped environment, with a focus on a pre-designated Best Practices approach.

CA offers RISOs for all the major technology solutions in this document. RISOs typically form the first phase of a Solution Implementation.

Solution Implementation Solution Offerings

The intent of Solution Implementation Solution Offerings (SISOs) is to provide additional customization, configuration and integration of CA technology solutions, with a focus on a more tailored approach than the RISOs.

Expert packs

Beyond the initial installation, configuration, customization and integration, CA Expert packs provide for smaller, incremental pieces of work, providing specialists to enhance the installed solutions to address new functions and to ensure optimal operation of the technology.


Conclusion

The Internet is not only the battleground for cyberwarfare. It’s also a global platform for threat development that our adversaries can use to assess technologies (for vulnerabilities or for payload potential), then develop, test and refine their attacks. Attackers now are sophisticated, often state-sponsored technologists who possess a comprehensive knowledge of trends and developments in systems, software, and networks.

As a result, the operational tempo of the threat environment continues to accelerate. Attacks are evolving rapidly in their potential for harm and in the degree of their destructiveness. The pace of change in scope and scale renders static defensive systems almost immediately obsolete.

To counter these effects, agencies need new infrastructure technologies that can scale to address global threats. They are looking for a force multiplier, a capability that significantly increases both defensive and offensive potential in information assurance.

In this paper, CA Technologies proposes a framework for developing a dynamic cyber defense system. By dynamic, we mean a capability for detecting and adapting to new threat vectors automatically. In describing such a system, we are not recommending or promoting specific products. Rather, we are noting that standards-based technology now exists to build systems that include:

• Secure command and control

• Pervasive sensing

• Management of workstations

• Control and prevention of data loss

• Potential to incorporate next-gen security management platforms

• Infrastructure for detecting and responding to even zero-day attack patterns

Systems with these components give agencies “leap-ahead” capabilities. We argue that this is exactly what they will need to confront nation-state adversaries, not just “hackers” or even threats originating inside their own firewalls.

For more information on this topic and other areas of IT, please contact your CA Account team or the CA Federal Sales Hotline at 866-836-5234.

