Leveraging StealthWatch for CNCI and TIC Compliance
With increasingly sophisticated attacks on the rise, improved cybersecurity has become even more critical for federal agencies. According to the Office of Management and Budget’s Fiscal Year 2010 FISMA Report to Congress, cyber attacks on the federal government increased 39% in 2010 over the previous year.[1]
The Comprehensive National Cybersecurity Initiative (CNCI) was established via presidential directive in 2008 to defend the nation from both immediate and future threats.[2] After taking office in 2009, President Obama identified cybersecurity as one of the country’s most serious economic and national security challenges, and ordered the development of a more comprehensive approach to cybersecurity in America, including the continued evolution of the CNCI.
As part of the CNCI, federal agencies must comply with the Trusted Internet Connections (TIC) initiative, which mandates the consolidation of the federal government’s external access points to minimize risk and improve incident response. By providing comprehensive visibility across an organization’s entire network, Lancope’s StealthWatch® System not only supports compliance with the CNCI, TIC and other federal initiatives, but also significantly improves the security posture of federal agencies.
StealthWatch Provides In-Depth Network Intelligence for CNCI & TIC
Lancope’s StealthWatch unifies security, network and application performance monitoring to eliminate dangerous network blind spots and dramatically reduce the time, cost and complexity associated with identifying and troubleshooting issues. By leveraging NetFlow and other flow data from existing routers and switches, StealthWatch can pinpoint the root cause of network and security problems within minutes, right down to the exact device, application or user responsible. In addition to detecting zero-day attacks that often bypass perimeter defenses, StealthWatch can also uncover insider threats such as security policy violations, misconfigured devices, data leakage, unauthorized access and network misuse not detected by traditional tools. Additionally, the historical data provided by StealthWatch is ideal for conducting network forensic analysis for incident investigation.
According to the CNCI, “to date, the U.S. Government has been implementing traditional approaches to the cybersecurity problem—and these measures have not achieved the level of security needed.” Unlike traditional, perimeter-based defenses that are quickly becoming less effective in light of exponential network growth and increasingly sophisticated attacks, flow-based technologies like StealthWatch mark a progressive step forward in federal security strategy.
The CNCI and TIC initiatives call for federal agencies to improve government network security by:
- Consolidating and standardizing security for external access points through TIC Access Providers (TICAP) and Managed Trusted Internet Protocol Service (MTIPS) Providers
- Improving intrusion detection and prevention through the deployment of the EINSTEIN system
- Employing increased collaboration throughout government entities for threat detection, management and incident response
Lancope’s StealthWatch features a number of advanced capabilities that take federal agencies beyond the requirement of securing the gateways at the TIC, significantly improving network and security operations. The system is scalable to meet the needs of even the largest networks, and also monitors virtual environments, enabling federal agencies to evolve their infrastructure without sacrificing network performance and security. For federal networks to be truly secure, the following StealthWatch capabilities should be deployed not only by TICAPs and MTIPS providers, but also by agency-level incident responders.
StealthWatch Capabilities Supporting CNCI & TIC

| Capability | Description |
|---|---|
| Comprehensive, Continuous Monitoring | StealthWatch goes above and beyond the “set it and forget it” compliance and auditing controls mandated by the CNCI to provide more comprehensive monitoring and protection of government networks. The system provides a complete picture of the entire infrastructure to create a baseline of traffic volume and normal behavior for all network devices and components. Beyond just flagging violations of specified compliance policies, StealthWatch takes a more holistic approach by detecting and alarming on any type of network activity that might signify a risk to security or performance. The comprehensive situational awareness provided by StealthWatch enables both TICAP/MTIPS and agency-level administrators to make faster, more informed decisions for addressing a wide range of network and security issues. |
| Behavior-Based Anomaly Detection | While perimeter-based defenses like IDS and IPS (as mandated by the CNCI through the EINSTEIN program) provide a key layer of network security, they are limited in scope, as it is extremely expensive and complicated to deploy them throughout the internal network. Additionally, in today’s complex security environment, cyber attacks are increasingly penetrating signature-based perimeter defenses like IDS/IPS and infiltrating the interior of the network. Because it does not rely on signature updates to detect attacks, StealthWatch uncovers both zero-day attacks that bypass perimeter defenses and insider threats, complementing IDS/IPS deployments to further bolster security. Since even slight anomalies can indicate larger network issues, implementing behavioral analysis technologies at all levels of federal networks (including within individual agencies) is critical for speeding the detection of network events and improving the overall effectiveness of the CNCI. |
| Session Traceability | A major component of the TIC initiative is session traceability, or the ability to take a retrospective look at security incidents to determine which systems were affected in order to speed incident response. The systems currently used by the federal government for this initiative (application gateways and full-session capture) collect overwhelming amounts of data, making network forensic analysis extremely challenging. Through the automated collection and analysis of flow data, StealthWatch significantly streamlines troubleshooting and incident response by quickly pinpointing affected systems all the way down to the agency level, without requiring time-consuming, manual data analysis. Beyond just finding the infected host, StealthWatch also enables agencies to analyze the full extent of a compromise by displaying additional details such as which other endpoints were contacted by the infected host. StealthWatch can also store flow data well beyond the 7 days online / 30 days offline required by TIC, retaining the information for months to further strengthen federal agencies’ ability to respond to and contain damaging attacks. As with the capabilities mentioned above, session traceability is critical at both the TICAP/MTIPS level and the individual agency level. |
| Network Bandwidth & QoS Reporting | As external access points are consolidated across federal agencies through the TIC, maintaining high availability and performance for these diminished gateways becomes even more critical. Unlike other security technologies mandated through the TIC initiative, Lancope’s StealthWatch also provides in-depth monitoring and reporting capabilities for network and application performance. StealthWatch’s performance monitoring capabilities help federal agencies better comply with TIC requirements, and also keep networks up and running to ensure the continuity of vital government operations. |
| Host Group Locking | Through Host Group Locking technology, StealthWatch facilitates the simple creation and enforcement of policies separating high-risk areas of the network from other segments, for example, blocking a host group that is connected to the Internet from communicating with a host containing sensitive data. Host Group Locking also improves the ability to monitor the effectiveness of firewall policies and manage exceptions for authorized protocols. |
| Identity Tracking | StealthWatch further expedites incident response by providing quick, simple access to the exact user IDs tied to network events. This extra level of insight introduces user accountability to the security framework and greatly simplifies incident investigations. |
| Log Association | While flow collection and analysis is an extremely effective means of securing and ensuring high performance for federal networks, there are times when additional data from sources such as firewall logs can be helpful for providing additional context around an event. StealthWatch therefore enables the collection and association of log data from various sources to provide a quick understanding of what is happening across the entire network through a single view, without having to switch back and forth between various tools. |
| Integrated Internal & External Monitoring | In addition to providing in-depth intelligence on the internal network, StealthWatch also conducts behavioral analysis on data from perimeter devices such as firewalls. The system assigns Concern Index™ points to IP addresses that are continuously denied access to the network by perimeter technologies, so that when malicious users evade perimeter defenses, they will already be red hot, lighting up their activity to IT administrators as a potential concern immediately upon entry. By combining internal and external monitoring, government agencies can achieve greater contextual awareness for combating sophisticated threats. |
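Three of the capabilities in the table above (Host Group Locking, baseline-driven anomaly detection, and session traceability) can be illustrated over ordinary NetFlow-style records. The following Python is an added example written for this page; it is not StealthWatch or Lancope code and does not describe how the product itself scores traffic. The flow records, the host groups, the locked group pairs, and the "more than 5x the mean daily volume" threshold are all constructed assumptions.

```python
# Flow-record triage over NetFlow-style data (constructed example, not StealthWatch code).
from collections import defaultdict
from datetime import date, datetime, timedelta
import ipaddress
import statistics

# Constructed flow records: timestamp, source, destination, dst port, bytes.
# 1-4 March is the baseline period; 5 March is the day under investigation.
FLOWS_CSV = """\
2011-03-01T09:00:00,10.2.2.10,203.0.113.7,443,40000
2011-03-02T09:05:00,10.2.2.10,203.0.113.7,443,45000
2011-03-03T09:10:00,10.2.2.10,203.0.113.7,443,50000
2011-03-04T09:00:00,10.2.2.10,203.0.113.7,443,42000
2011-03-05T02:00:00,10.2.2.10,203.0.113.7,443,900000
2011-03-05T02:05:00,10.2.2.10,10.9.9.20,445,1200000
2011-03-05T02:07:00,10.2.2.10,10.2.2.11,445,300000
2011-03-02T10:00:00,10.2.2.11,203.0.113.8,80,30000
2011-03-03T10:00:00,10.2.2.11,203.0.113.8,80,32000
2011-03-05T10:00:00,10.2.2.11,203.0.113.8,80,33000
2011-03-05T11:00:00,10.1.1.5,10.9.9.20,22,5000
"""

# Assumed host groups (name -> CIDR); a flow between two groups in LOCKED_PAIRS
# is a policy violation whichever side initiated it.
HOST_GROUPS = {
    "internet": ipaddress.ip_network("203.0.113.0/24"),
    "dmz": ipaddress.ip_network("10.1.1.0/24"),
    "workstations": ipaddress.ip_network("10.2.2.0/24"),
    "sensitive": ipaddress.ip_network("10.9.9.0/24"),
}
LOCKED_PAIRS = {frozenset({"dmz", "sensitive"}), frozenset({"internet", "sensitive"})}

def parse_flows(text):
    """Parse CSV flow lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def group_of(ip):
    """Name of the host group containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in HOST_GROUPS.items() if addr in net), "unknown")

def locked_violations(flows):
    """Host Group Locking check: flows that cross a locked group boundary."""
    hits = []
    for f in flows:
        sg, dg = group_of(f["src"]), group_of(f["dst"])
        if frozenset({sg, dg}) in LOCKED_PAIRS:
            hits.append((f["ts"], f["src"], f["dst"], sg, dg))
    return hits

def volume_anomalies(flows, day, factor=5.0):
    """Flag source hosts whose bytes on `day` exceed factor * their mean daily
    bytes on earlier days. Hosts with no history cannot be baselined and are
    listed separately as new talkers."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes sent
    for f in flows:
        daily[f["src"]][f["ts"].date()] += f["bytes"]
    anomalous, new_talkers = {}, []
    for host, per_day in daily.items():
        observed = per_day.get(day, 0)
        history = [b for d, b in per_day.items() if d < day]
        if not history:
            if observed:
                new_talkers.append(host)
            continue
        mean = statistics.mean(history)
        if observed > factor * mean:
            anomalous[host] = (mean, observed)
    return {"anomalous": anomalous, "new_talkers": sorted(new_talkers)}

def contacted_peers(flows, host, start, end):
    """Session trace: every endpoint that exchanged flows with host in
    [start, end), in either direction."""
    peers = set()
    for f in flows:
        if start <= f["ts"] < end:
            if f["src"] == host:
                peers.add(f["dst"])
            elif f["dst"] == host:
                peers.add(f["src"])
    return peers

def triage(flows, day_iso):
    """Run the three checks for one day and return the combined findings."""
    day = date.fromisoformat(day_iso)
    start = datetime.combine(day, datetime.min.time())
    end = start + timedelta(days=1)
    report = volume_anomalies(flows, day)
    return {
        "violations": locked_violations(flows),
        "anomalies": report,
        "peers": {h: sorted(contacted_peers(flows, h, start, end))
                  for h in report["anomalous"]},
    }

if __name__ == "__main__":
    for key, value in triage(parse_flows(FLOWS_CSV), "2011-03-05").items():
        print(key, value)
```

Run against the constructed records, the locked-group check surfaces the DMZ host reaching the sensitive segment, the baseline comparison flags workstation 10.2.2.10 (roughly 2.4 MB sent on 5 March against a mean of about 44 KB on the four prior days) and lists 10.1.1.5 as a host with no baseline at all, and the session trace for the flagged workstation returns the three endpoints it talked to that day, which is exactly the "which other endpoints were contacted by the infected host" question the table raises. In practice the baseline would be built over a longer window and per-destination or per-port rather than per-host totals, and the peer list would be fed back into the same trace to follow a compromise across hops.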
StealthWatch Enables Increased Collaboration and Situational Awareness
A major theme reflected throughout the CNCI is increased collaboration and integration of cybersecurity strategies and technologies across the various federal agencies in an effort to strengthen security. Without adequate visibility into their own networks and the various threats they face, government agencies are not able to effectively collaborate and share vital information and best practices with one another. By delivering a single view into actionable intelligence relevant to both network and security teams, StealthWatch fills in the gaps where other technologies leave off, enabling the situational awareness and improved incident response needed to maintain a strong security posture and comply with cybersecurity regulations.
[1] OMB Fiscal Year 2010 FISMA Report to Congress, http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/FY10_FISMA.pdf
[2] The Comprehensive National Cybersecurity Initiative (CNCI), http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative