State of Michigan Horizon Presentation Citadel Security Software - PowerPoint PPT Presentation

1
State of Michigan Horizon Presentation
Citadel Security Software
  • Tom Bossie
  • Director, State / Local Government and Higher
    Education
  • May 19th, 2005
  • Lansing, MI

2
Vulnerability Statistics
  • Approximately 10 vulnerabilities per day are
    discovered and made public
  • 18.78% are Highly Critical
  • 36.6% are Moderately Critical
  • 37.49% are Less Critical
  • 7.13% are Not Critical
  • The difference is whether a vulnerability has an
    identified exploit or a suspected exploit

3
Vulnerability Statistics
  • 70.7% of all attacks are initiated remotely
  • 11.4% of all attacks are initiated from the local
    network
  • 17.89% are initiated from the local machine
  • 27% of all attacks are to gain system access
  • 21% are Denial of Service attacks
  • 12% are privilege escalation attacks
  • 17% seek to expose sensitive or system level
    information
  • Source: http://www.secunia.org/advisory_statistics

4
Illustrating the Risk
  • Some spyware is suspected of sending captured
    data to North Korean intelligence agency servers
  • North Korean government is suspected of selling
    data to criminals and organizing Denial of
    Service Attacks
  • South Korea's Defense Ministry claims North Korea
    has an aggressive hacker training program that
    includes five years of university training
  • Source: http://www.nwfusion.com/reviews/2004/121304rev.html

5
  • WHAT IS THE MOST EFFECTIVE STRATEGY TO
    TRANSFORM AND TRANSITION STATE GOVERNMENT FROM
    CURRENT CULTURAL AND OPERATIONAL PRACTICES TO ONE
    OF MORE CROSS-AGENCY COLLABORATION,
    COMMUNICATION, AND COOPERATION IN ORDER TO
    ACHIEVE A MORE EFFICIENT DELIVERY OF MISSION
    CRITICAL RESULTS AND TO IMPROVE CUSTOMER
    SERVICE, BOTH INTERNALLY AND EXTERNALLY?

6
Citadel's Hercules
  • HOW DO WE PROTECT THE INFORMATION THAT IS
    GATHERED, STORED, AND SHARED WHILE SECURING THE
    NETWORK AND COMPUTING ASSETS THAT SUPPORT THE
    OPERATIONS AND ACTIVITIES OF THE VARIOUS AGENCIES
    AND DEPARTMENTS OF STATE GOVERNMENT?

7
Enterprise Vulnerability Management
8
Citadel Addresses all Classes of Vulnerabilities
  • Unsecured Accounts
      • Accounts with no PW, no PW expiration, known
        vendor-supplied PW, ...
  • Unnecessary Services
      • Telnet, KaZaa, other P2P, rsh, echo, chargen, ...
  • Backdoors
      • MyDoom.A, W32.Beagle.I@mm, NETBUS, BACKORIFICE,
        SUBSEVEN, ...
  • Mis-configurations
      • NetBIOS shares, Anonymous FTP world read/write,
        hosts.equiv, ...
  • Software Defects
      • Buffer overruns, RPC-DCOM, SQL Injection, ...
  • Patch Management

Microsoft UNIX Linux
9
Citadel Overview
10
Citadel Security Software
  • Leading provider of security solutions that
      • Manage Information Security Risk
      • Reduce Cyber Security Threats
      • Enforce Policy Compliance
  • Hercules Suite includes
      • Compliance Manager
      • Remediation Manager
      • AssetGuard Inventory and Risk Management
      • ConnectGuard Endpoint Security
      • Enterprise Reporting
      • SecurePC Desktop Security
      • NetOff Network Security

11
Leadership in the Security Industry
  • Cyber Security Industry Alliance
      • Advocacy group dedicated to the improvement of
        cyber security through public policy, education
        and technically-focused initiatives
  • OVAL (Open Vulnerability and Assessment Language)
      • Carl Banzhof, Board Member since 2002
      • Kent Landfield, Board Member since 2004
  • CVE (Common Vulnerabilities and Exposures) Standard
      • Staff Member on the Editorial Board
      • Hercules utilizes CVE coding structures
  • OASIS
      • Application Vulnerability Description Language
        Standard
      • Web Application Security XML (WAS) Technical
        Committee

12
Federal / State Customers
Organized Crime Task Force
13
Defense Information Systems Agency (DISA)
  • Announced October 5th, 2004, Hercules is being
    implemented worldwide (in excess of 3M seats)
    across the Department of Defense (DOD)
  • Combatant Commands, Intelligence Community, Armed
    Services and DoD agencies, Coast Guard, National
    Guard and Reserves.

14
Defense Information Systems Agency
  • Reasons why DoD selected Citadel
      • When evaluated against all competition, the
        closest competitor achieved only 40% of Citadel's
        capability.
      • Demonstrated that vulnerability remediation is
        significantly more than patch management.
      • Through their own analysis, it was determined
        that 80% of their risk exposure surfaced from
        unsecured accounts and unnecessary services.

15
A United States Air Force Base ROE Calculation
  • Scanned 104 devices, 5,821 vulnerabilities were
    identified (a small percentage were software
    patch related, the rest were backdoors,
    mis-configurations, unnecessary services, and
    unsecured accounts).
  • USAF took a conservative estimation of 15 minutes
    to fix 1 vulnerability.
  • Total time estimated for manual remediation
    effort is 1455 hours.
  • Our solution remediated all 5,821 vulnerabilities
    in 23 minutes.

16
Some Commercial Customers
17
Our Partnerships
18
Recent Awards
  • Best Security Management Solution
  • US Excellence Award
  • Best Government Solution
  • Hercules named a winner in eWEEK's Fifth Annual
    Excellence Awards (2005) program, in the
    Vulnerability Assessment and Remediation
    category.
  • Citadel CTO Carl Banzhof named to the Top 25 CTOs.

19
Organizational Business Drivers
20
Typical business drivers
  • Reduce Business Risk
      • Protect data: confidential and sensitive
        information
      • Maintain service level continuity and technology
        availability
  • Drive Cost Efficiencies
      • Minimize loss associated with security exploits
      • Automate manual protection processes
      • Establish consistent enterprise-wide processes
      • Realize a rapid ROI on solutions and services
  • Demonstrate Compliance
      • Comply with current or future government
        legislation and mandates (Gramm-Leach-Bliley,
        Sarbanes-Oxley, FISMA, HIPAA, etc.)
      • Reduce organizational and public liability

21
Risk Management Challenges
  • You are at WAR against an increasing volume,
    frequency and complexity of security threats
  • Organizations are losing REAL information and it
    costs a lot of money
  • Security is no longer just worms and viruses
    causing occasional business disruption; it is
    evolving rapidly into a significant matter of
    personal exposure, national security and economic
    stability

The Computer Security Institute (CSI) reported
over $141 billion in damage from security incidents
in the US in 2004. (2004 CSI/FBI Computer Crime and
Security Survey)
Last year over 10 million US identities were
stolen, with an estimated economic impact to the
US economy of more than $50 billion.
22
Keeping up with latest threats
  • Most organizations' resources and manual processes
    don't cut it!
  • Increasing number of threats and vulnerabilities
  • Decreasing time to exploit
  • Little corresponding increase in IT resources

CERT/CC, Microsoft, SANS
CERT/CC
23
Cost Coordination / Control Challenges
  • Inconsistent application of efficient security
    process across the enterprise
  • Point tools result in incomplete, fragmented
    security enforcement
  • Current manual processes are inefficient,
    duplicate and error-prone
  • Lack of coordination across organizational
    boundaries and responsibilities

I Want: A secure enterprise with vulnerability mgmt. and
reporting
I Have: Lots of disparate GUIs and reports
I Get: (diagram)
24
Compliance Management Challenges
  • Difficulties providing timely, accurate evidence
    that you are secure and compliant
  • Cohesive reporting on enterprise security status
      • Incomplete coverage
      • Inconsistent formats
      • Insufficient depth
  • Translating written security policy into
    enforceable action
  • Preparing for dynamic audit assessment
    requirements
  • Enforcing policy across complex,
    widely-distributed networks
  • Securing mobile and rogue devices that puncture
    the perimeter

25
Compliance Drivers
"Regulation and Compliance issues continue to be
the top drivers for CSO security investment by
a wide margin." - CSO SecuritySensor VIII Study,
Dec 2004
  • Sarbanes-Oxley Act
  • Gramm-Leach-Bliley Act (GLBA)
  • California SB-1386
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Payment Card Industry (PCI) Data Security
    Standard
  • ISO17799
  • Basel II
  • Clinger-Cohen Act
  • Presidential Decision Directive 63, Protecting
    America's Critical Infrastructures
  • Federal Information Security Management Act
    (FISMA)
  • Security Standards for Electric Market
    Participants, Federal Energy Regulation
    Commission (FERC)
  • Cyber Security Standard 1200, North American
    Electric Reliability Council (NERC)

26
Citadel Solutions to Secure the State
27
Citadel Enterprise Vulnerability Management
28
Identify
29
Identify Establishing a Baseline
  • Identify what you have and what you want
  • Asset baseline
      • Device discovery
      • Device Security Inventory
          • NetBIOS
          • Ports
          • Services
          • User groups / accounts
          • Software (Peregrine Project data coordination)
  • Security configuration baseline
      • Policy Identification / Creation

30
Out of the box experience: Wizard or Power User
31
Wizard
32
Wizard
33
Wizard
34
Assess
35
Assess Find the Problems
  • Find Policy Violations
      • Automated compliance audit (Top-down)
      • Enforce policy compliance
  • Find Vulnerabilities
      • Existing in your environment (Bottom-up)
          • Vulnerability assessment
              • Scan network (x)
              • Import
              • Aggregate
      • In the wild (Targeted)
          • Vulnerability notification and advisory
  • Decide What to Do
      • Visualization
      • Risk prioritization
          • Vulnerability severity
          • Asset business value
          • Asset technical value

36
Policy and Configuration Compliance
  • Overview
      • Targets the security group
      • Within many organizations there is a separation
        of work between the Security and IT personnel.
        Security personnel often don't have the authority
        to make changes to the systems in the enterprise.
      • By providing a compliance-only mode of operation,
        security personnel will be able to audit the
        state of their organizations' systems without
        actually modifying these systems.
  • Feature Set
      • Check the compliance of devices against a known
        set of parameters.
      • Compliance Only will be the default mode.
      • Remediation will be licensed as an add-on feature.
      • Compliance Only mode
          • The user may perform all tasks now available on a
            Hercules Server, except that the Hercules Agent will
            not perform an actual remediation of its device. It
            will instead perform only the compliance portion of
            the remediation.
      • Full Remediation mode
          • The user can choose to run a Remediation, Policy
            Enforcement or Action Pack in Compliance Only
            mode or Remediation mode.

37
Operational dashboards
Access-anywhere, Customizable Dashboard
38
Operational Dashboards
39
The Power of AssetGuard
  • Detailed queries leveraging AssetGuard device
    data can rapidly pinpoint known vulnerable
    devices
  • Citadel delivers ActionPacks using AssetGuard
    data to rapidly deploy hot patches and mitigate
    IT security configuration issues.

40
Risk Rating
  • Overview
      • The value of hardware and software assets across
        an enterprise varies according to their usage,
        whether by the service(s) they provide, by the
        group(s) that they support, etc. In addition,
        some assets are inherently more susceptible and
        vulnerable to attack.
      • This feature will automatically calculate a
        device's risk rating based on several factors and
        display the risk graphically to the user. The
        data used in the calculations will be supplied by
        Citadel, with the user also being able to input
        custom data. This feature will be licensed
        separately.
  • Feature Set
      • Device Risk Value
          • Determined by business impact, vulnerabilities,
            and technical asset value.
          • Displayed graphically (i.e. high, medium, low)
              • Device summary list as a column on the Manage
                Devices page
              • Security Posture Display
              • Dashboard
      • Device Group Risk Value
          • The values for all devices within a particular
            Device Group will be rolled up (through a similar
            algorithm) to derive a risk value at the Device
            Group level.
          • A business impact rating may be applied at the
            group level to adjust the sensitivity of the
            overall Group rating.

41
Risk Rating Algorithm
  • Comprised of
      • Technical Asset Rating (A)
      • Vulnerability Rating (V)
      • User-defined Business Impact Rating (B)
  • Formula
      • DeviceRisk A V B
      • GroupRisk ? DeviceRisk B
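The rating scheme above, as an added example that is not Citadel's code: it combines the three inputs the slide names (A, V, B), renders the high/medium/low bands the Risk Rating slide describes, and rolls device scores up to a Device Group with a group-level business impact. Because the slide's operators did not survive extraction, the product for DeviceRisk, the size-normalised mean for GroupRisk, the band cut-offs and the sample devices are all assumptions.

```python
"""Added example, not Citadel's code: device and group risk roll-up in the shape
of slides 40/41. The slide names the inputs A, V and B but the operators were lost
in extraction, so the product (device) and weighted mean (group) are ASSUMPTIONS."""
from dataclasses import dataclass
from typing import List, Tuple

# Bands for the slide's high/medium/low display; the cut-offs are assumed.
BANDS = ((0.66, "high"), (0.33, "medium"), (0.0, "low"))

@dataclass
class Device:
    name: str
    asset_rating: float           # A: technical asset value, expected in 0..1
    vulnerability_rating: float   # V: vulnerability rating, expected in 0..1
    business_impact: float = 1.0  # B: user-defined multiplier, 1.0 = neutral

def clamp01(x: float) -> float:
    """Keep scores on a 0..1 scale so a large B cannot push a device off-chart."""
    return max(0.0, min(1.0, x))

def device_risk(d: Device) -> float:
    """Assumed DeviceRisk = A * V * B. Out-of-range A or V is rejected rather
    than clamped: a V of 1.5 is an input error, not a riskier device."""
    for label, value in (("A", d.asset_rating), ("V", d.vulnerability_rating)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{label} for {d.name} must be in 0..1, got {value}")
    if d.business_impact < 0.0:
        raise ValueError(f"B for {d.name} must be non-negative")
    return clamp01(d.asset_rating * d.vulnerability_rating * d.business_impact)

def band(score: float) -> str:
    """Map a 0..1 score to the high/medium/low display of slide 40."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "low"

def group_risk(devices: List[Device], group_impact: float = 1.0) -> float:
    """Roll device scores up to a Device Group and apply a group-level B.
    A mean rather than a plain sum keeps groups of different size
    comparable (assumption); an empty group scores 0."""
    if not devices:
        return 0.0
    mean = sum(device_risk(d) for d in devices) / len(devices)
    return clamp01(mean * group_impact)

def prioritize(devices: List[Device]) -> List[Tuple[str, float, str]]:
    """Risk prioritisation list (slide 35): highest device risk first."""
    rows = [(d.name, round(device_risk(d), 3), band(device_risk(d))) for d in devices]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample fleet; the values are illustrative, not from the page.
FLEET = [
    Device("payroll-db", asset_rating=0.9, vulnerability_rating=0.8, business_impact=1.2),
    Device("kiosk-01", asset_rating=0.2, vulnerability_rating=0.9),
    Device("file-srv", asset_rating=0.6, vulnerability_rating=0.5, business_impact=0.5),
]

if __name__ == "__main__":
    print(prioritize(FLEET), round(group_risk(FLEET, 1.1), 3))
```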

42
Enforce
43
Enforce Fix the Problems
  • Policy Enforcement
      • Define asset baseline
      • Define security baseline
      • Enforce IT security configuration
  • Scan and Remediate
      • Assess vulnerability state
      • Remediate detected vulnerabilities
  • Near Day Mitigation
      • New, critical vulnerabilities
      • Key assets

Resolve Policy Exceptions
Eliminate Existing Vulnerabilities
Neutralize the Latest Threats
44
Policy Enforcement: Compliance Check
  • In the Compliance Check mode of operation, security
    personnel will be able to audit the state of
    their organizations' systems without actually
    modifying these systems.
  • Hercules Policy Compliance provides a
    comprehensive policy and configuration assessment
    process to mitigate risk and ensure compliance
    with security policies, government regulations
    and industry standards.

45
Hercules Policy Templates
  • Consistently audit and enforce security policy
    across the enterprise
  • Supports multiple operating systems
  • Scheduled or on-demand enforcement
  • Tailor to your requirements and internal
    environment
  • Share consistent policy
  • Detailed compliance assessment
      • Password settings, account privileges, event
        logs, audit settings, files, services, legal
        notices, etc.
  • Brings non-compliant devices back into compliance

46
Extend Enforcement to Endpoint Devices (Remote
computing environment)
  • Host-based quarantine and remediation solution
  • Protection for disconnected devices (laptops,
    desktops, servers)
  • Prevents un-trusted devices that have been off
    the network from gaining access to the network
    until remediated

"The consistent sanitization of infected endpoint
devices and enforcement of security and
configuration policies before reconnecting to the
network is critical to ensuring the security of
enterprise networks." - The Meta Group
Delivers the fastest path to connectivity and
productivity
47
End Point Security
  • Capabilities of ConnectGuard
      • ConnectGuard blocks a client from communicating
        with the network when it is first powered up.
      • The Hercules Client will then contact its
        Hercules Server, and apply appropriate remedies
        and policy settings before being allowed on to
        the network.

48
Cisco NAC Support
  • Overview
      • Network Admission Control (NAC) is an
        industry-wide initiative that provides for
        endpoint network security
      • All endpoint devices seeking network admission
        are validated for their credentials and
        compliance with established security policies
        before being granted access
      • NAC architecture allows Hercules to integrate the
        credential validation and policy enforcements of
        devices that seek access to the network into the
        framework
      • A Hercules NAP enforcement can be implemented
        with either ConnectGuard or NAC
  • Benefit
      • Flexible solution for enterprise Network Access
        Control

49
Cisco NAC
50
Scan and Remediate (Bottom-up)
51
Near Day Mitigation (Targeted)
  • Actionable asset intelligence
      • Immediately identify and remediate
        vulnerabilities on key assets
  • Asset Inventory
  • Asset Query
  • ActionPacks
      • Empowers policy enforcement and remediation

Compiled from CERT, SANS and Microsoft websites
52
Maintain and Report
53
Security posture interactive displays
54
Security Risk posture: risk quotient
Assists in Security Decisions
55
Enterprise Risk Reporting
56
What is being done to mitigate risk
57
Audit and Compliance Reporting
58
Most significant threats reporting
59
  • Enterprise / Departmental Reporting

60
Enterprise Reporting
  • Overview
      • Three levels of reporting
          • Base reporting: reports that go with every
            Hercules offering
          • Hercules server reporting (separately): includes
            additional reports, and the reporting schema is
            documented
          • Hercules enterprise reporting (separately):
            includes all functionality of Hercules server
            reporting plus the ability to departmentalize and
            provide rollup reporting for many organizational
            entities
  • Benefit
      • Report on the state of security across the
        enterprise

61
Management Reports
  • Executive Review Report - Shows risk assessment,
    vulnerability exposure, device status, and action
    plan.
  • Compliance Report - Shows the overall compliance
    of all devices that are in the managed Hercules
    network.
  • Policy Compliance Report - Shows device
    compliance on a per-policy basis.
  • Device Status Report - Shows device status,
    inventory, ConnectGuard, and Heartbeat sections.
  • Remediation Status Report - Shows feedback from a
    scheduled remediation.
  • Vulnerability Trend Report - Shows trends in the
    number of threatening vulnerabilities.
  • Compliance Trend Report - Shows trends in the
    number of devices compliant for remediations,
    policy enforcements, and action packs.
  • Policy Compliance Trend Report - Shows trends in
    the number of compliant devices for policies.
  • Device Status Trend - Shows device coverage by
    the Hercules managed network over time.
  • Risk Trend Report - Shows trends in the risk
    assessment for devices.
  • Inventory Differential - Shows the delta between
    baseline, historical, and current inventory data.
  • Do Not Fix Report - Shows vulnerabilities that
    have been marked for Do Not Fix.
  • Device Vulnerabilities
  • Distinct Vulnerability by Import Session
  • Recurring Vulnerabilities
  • Remediation History
  • Vulnerability and Manual Fix
  • Vulnerability Comparison by Date-Group
  • Return on Investment (ROI)

62
Hercules Reports
63
Executive Review - Vulnerabilities
64
Executive Review - Devices
65
Executive Review - Action Summary
66
Summary: Hercules Advantages
67
The MOST Remedies
20,000 Remedies
68
Thank You! Tom Bossie
  • Questions?
  • Phone: (678) 578.2442
  • Web: www.citadel.com
  • Email: tbossie@citadel.com

69
What Hercules Delivers
  • Manage IT risk under one roof
      • A consistent enterprise business process solution
  • Extend the capabilities of your security team
      • Get more done in less time with less effort
  • Matches the scope of your IT security policy
      • Eliminate vulnerabilities before they're
        exploited
  • Thorough auditing, remediation and reporting
      • Provides timely, accurate evidence that you are
        secure and compliant
      • Makes existing security technologies more
        effective
  • Manages what you manage
      • Closes the gaps in security coverage
  • Improves utilization of resources
      • Rapid ROI
      • Drives cost efficiencies
      • Consistent enterprise remediation

70
Hercules AVR Technology
  • World's largest repository of over 20,000 tested,
    signature remedies
  • Remediation intelligence
      • Actionable remedies, not manual steps
  • Controlled automation
      • Pre-remediation compliance checks and policy
        enforcement