Marine Corps Takes Lead in Cyber Resiliency
In December, Congress passed the fiscal year 2017 National Defense Authorization Act, which directs the Defense Department to implement continuous monitoring with cybersecurity tools to protect the nation's information-technology infrastructure from malicious cyber attacks.
The legislation’s requirements were derived from the Marine Corps’ highly successful deployment of cybersecurity tools over the past several years under a program titled, “Comply-to-Connect,” the objective of which was to create near real-time visibility and control of the service’s laptops, desktops and servers.
In deploying the software suite across the enterprise, many of the Corps' manual IT operations and security tasks became automated, including patching, software and hardware inventory, and power and security configuration management.
Through automation, the service realized immediate security benefits and cost savings. In fact, automated power management alone cut power consumption enough that the resulting savings funded the entire program.
Another key benefit of the program was the reduction in manpower to support Defense Department security audits, which were automated and resulted in near perfect scores.
The ability to rapidly apply patches from a wide variety of operating system vendors and common desktop application vendors enabled the Marine Corps to increase first-time patch success rates from 60 percent to more than 95 percent, dramatically reducing labor costs while closing known vulnerabilities far sooner. The patch management system included tens of thousands of "out-of-the-box" patch management policies covering Windows and non-Windows environments.
For software and hardware inventory, the system scans the network by IP address and inventories all hardware and software in the enterprise. Inventoried hardware and software are then monitored continuously, including for software usage.
The program’s initial requirements were satisfied by IBM and ForeScout Technologies. The requirements continue to evolve, with contractors RSA and BMC Software Inc. being added to the project over the past two years.
By providing granular visibility across the enterprise as to which software products are being over- or under-utilized, the Corps has the opportunity to save millions of dollars in software license fees from under-utilized software titles.
Another element was "security configuration management." As with patch management, thousands of out-of-the-box security configuration policies were deployed to enforce the controls in the Defense Information Systems Agency's Security Technical Implementation Guides (STIGs). These policies continuously inspect devices for compliance, effectively automating many of the Defense Department's auditing functions while providing compliance reporting with near real-time data.
The system has the flexibility to report compliance by geographic location, machine type — server, desktop or laptop — and operating system.
In addition, the power management system saved the Corps money. Many organizations are forced to leave desktop computers on at night and over weekends so that patch management can run. The Comply-to-Connect solution sets the power management configuration of tens of thousands of desktops instantly from a central management console. As a result, the Marine Corps automatically powers down devices according to its policies, yielding hundreds of thousands of dollars in savings from reduced power consumption.
The system's rapid detection and response capability allows ad-hoc queries to be executed across the network, running in parallel on every endpoint, so that indicators of a newly discovered exploit can be found and mitigated across complex distributed networks within minutes.
Another benefit is automated Command Cyber Readiness Inspection (CCRI) audits. The Defense Department spends hundreds of millions of dollars preparing for these inspections. The Comply-to-Connect system has built-in reporting, which removes most of the need and expense of audit preparation.
The Defense Department has the largest, most complex and distributed IT infrastructure in the world, consisting of millions of globally distributed end points. The Marine Corps’ Comply-to-Connect enterprise implementation provided a test case for a department-wide implementation and demonstrated the system’s scalability and robustness, having been deployed to more than 220,000 devices.
The Comply-to-Connect deployment also demonstrated interoperability with the department's Host Based Security System (HBSS) and Assured Compliance Assessment Solution (ACAS) by continuously monitoring the health of the IT assets those programs manage.
In addition, it offers the department the ability to support new requirements, such as the enterprise scorecard initiative and the mandate to migrate to Windows 10. Comply-to-Connect already supports Windows 10 from both an operating system deployment and patching use case.
The Defense Department should build on the success of other federal agencies that have deployed many of the same tools through the Department of Homeland Security-sponsored Continuous Diagnostics and Mitigation (CDM) program, which now covers more than 4 million endpoints. Both programs require a proactive approach to continuous monitoring and compliance enforcement.
Devices must comply with security policies before they connect to protected networks and resources; otherwise, they are placed in network quarantine until they are compliant.
This can help reduce security breaches. However, unless the right tools and processes are in place for remediation and compliance enforcement, end-user productivity can be severely impacted: a quarantined device that nobody fixes is simply a device that cannot work. Using proven tools that come with prepackaged automation content minimizes the risk of selecting the wrong tools.
Several large civilian agencies, including the Departments of Veterans Affairs and Justice, realized immediate benefits from CDM, including first-time patch success rates rising from 65 to 98 percent through automated patch management, saving labor and enhancing the security posture across their enterprises.
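To make the gating model concrete, the following is an added example, not code from the Marine Corps program, IBM, ForeScout or any other vendor mentioned here. It evaluates constructed endpoint inventory records against a constructed policy baseline (required patches, STIG-style configuration settings and anti-virus signature age), turns each result into the connect-or-quarantine decision described above, lists the remediation the automation would push, and rolls the results up by location, machine type and operating system the way the compliance reporting described earlier does. Every identifier (hostnames, site names, patch IDs such as "KB-0001", setting names) is a placeholder.

```python
"""Added example: a minimal comply-to-connect posture evaluator.

Not the program's or any vendor's code. Policy, endpoint records and
identifiers below are constructed placeholders for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed policy baseline. "KB-0001" etc. are placeholders, not real
# patch or STIG identifiers. Setting checks are (operator, required value):
# "eq" means the setting must equal the value, "le" means at most the value.
POLICY = {
    "required_patches": {
        "windows": {"KB-0001", "KB-0002"},
        "linux": {"PATCH-0100"},
    },
    "required_settings": {
        "host_firewall": ("eq", "enabled"),
        "disk_encryption": ("eq", "enabled"),
        "screen_lock_timeout_s": ("le", 900),  # must lock within 15 minutes
    },
    "max_av_signature_age_days": 3,
}


@dataclass
class Endpoint:
    hostname: str
    location: str
    machine_type: str          # "server", "desktop" or "laptop"
    os_family: str             # "windows" or "linux"
    installed_patches: set
    settings: dict
    av_signature_age_days: int


@dataclass
class Verdict:
    hostname: str
    compliant: bool
    findings: list = field(default_factory=list)     # why it failed
    remediation: list = field(default_factory=list)  # what automation pushes


def _setting_ok(got, op, want):
    if got is None:            # setting absent from inventory counts as a fail
        return False
    return got == want if op == "eq" else got <= want


def evaluate(ep: Endpoint, policy=POLICY) -> Verdict:
    """Check one endpoint's inventory record against the policy baseline."""
    v = Verdict(ep.hostname, True)
    missing = policy["required_patches"].get(ep.os_family, set()) - ep.installed_patches
    for p in sorted(missing):
        v.findings.append(f"missing patch {p}")
        v.remediation.append(f"install {p}")
    for name, (op, want) in policy["required_settings"].items():
        got = ep.settings.get(name)
        if not _setting_ok(got, op, want):
            v.findings.append(f"{name}={got!r}, required {op} {want!r}")
            v.remediation.append(f"set {name}={want!r}")
    if ep.av_signature_age_days > policy["max_av_signature_age_days"]:
        v.findings.append(f"AV signatures {ep.av_signature_age_days} days old")
        v.remediation.append("update AV signatures")
    v.compliant = not v.findings
    return v


def network_decision(v: Verdict) -> str:
    """Comply-to-connect gate: compliant endpoints reach the production
    network; everything else is held in quarantine until remediated."""
    return "allow" if v.compliant else "quarantine"


def compliance_report(endpoints, policy=POLICY) -> dict:
    """Percent compliant, keyed by (dimension, value) for location,
    machine type and OS family."""
    tally = defaultdict(lambda: [0, 0])  # key -> [compliant, total]
    for ep in endpoints:
        ok = evaluate(ep, policy).compliant
        for key in (("location", ep.location),
                    ("machine_type", ep.machine_type),
                    ("os", ep.os_family)):
            tally[key][0] += int(ok)
            tally[key][1] += 1
    return {k: round(100.0 * c / t, 1) for k, (c, t) in tally.items()}


# Constructed sample inventory: one clean desktop, one badly out-of-date
# laptop, one clean server.
SAMPLE_ENDPOINTS = [
    Endpoint("ws-001", "Site-A", "desktop", "windows", {"KB-0001", "KB-0002"},
             {"host_firewall": "enabled", "disk_encryption": "enabled",
              "screen_lock_timeout_s": 600}, av_signature_age_days=1),
    Endpoint("lt-042", "Site-B", "laptop", "windows", {"KB-0001"},
             {"host_firewall": "enabled", "disk_encryption": "disabled",
              "screen_lock_timeout_s": 3600}, av_signature_age_days=5),
    Endpoint("srv-07", "Site-A", "server", "linux", {"PATCH-0100"},
             {"host_firewall": "enabled", "disk_encryption": "enabled",
              "screen_lock_timeout_s": 300}, av_signature_age_days=0),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        v = evaluate(ep)
        print(ep.hostname, network_decision(v), v.findings, v.remediation)
    print(compliance_report(SAMPLE_ENDPOINTS))
```

The point of pairing each finding with a remediation action is the caveat raised above: quarantine without automated remediation just strands the device, so the same evaluation that blocks the connection should feed the patch or configuration job that clears it.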
By implementing automated software inventory and usage functionality, departments can now minimize software expenditures while reducing unauthorized software on their networks.
By focusing on integration and interoperability of proven cybersecurity tools, the Comply-to-Connect program can vastly improve the health of the Defense Department's IT infrastructure, reduce costs and complexity through automation, and consolidate the current systems management tools.
The acquisition strategy for a department-wide implementation must consider both the licensing of the tools and the deployment services under a single program office to be most effective.
A sensible starting point for the acquisition strategy is a review of the best and worst aspects of the HBSS, ACAS and CDM procurements.
DISA awarded the HBSS contract to a single prime contractor who managed the vendors and deployments under a multi-year contract vehicle, locking the department into a single relationship for software and services.
The CDM program awarded task orders to multiple prime contractors, initially for software acquisitions and, much later, for deployment services. Neither program addressed integration of the tools or support for the resulting solutions.
A potential solution is a department-wide blanket purchase agreement with task order awards to multiple prime contractors based on their existing knowledge of the individual services' challenges.
Under this approach, the program office would be responsible for integrating the selected tools and managing the task orders for deployments.
Tom Burke is a senior executive with IBM’s federal security division.