Ensuring the safety of very large IT environments spread over numerous geographic locations is incredibly challenging. Even strong perimeter defenses, such as well-tuned network firewalls and intrusion detection and prevention systems, aren't perfect safeguards against rapidly emerging endpoint threats.
Just one person opening an email attachment and inadvertently installing a keylogger, Trojan or rootkit on his or her workstation or phone can give an attacker access to that system and potentially the entire network. An already risk-prone situation is exacerbated by a mix of zero-day exploits and vulnerable applications, including Web browsers, Adobe Flash Player and Oracle Java products, that can be exploited for remote code execution.

Mobile devices and other new technologies are making endpoint security more challenging and increasing the need for fresh approaches.
Daunting task
"Managing an enterprise deployment for endpoints across DoD is one of the most daunting information technology tasks anywhere in the world," said Scott Montgomery, public sector chief technology officer for Intel Security in Santa Clara, Calif. "The sheer number and type of devices; the multi-tiered management structure; the number of locations; the different classification levels; the wide difference in bandwidth availability between the garrison and tactical/afloat communities; the rapid rotation of managing personnel; the intense pace of the adversaries, criminals, and terrorists; the state of software vulnerabilities; the shallow pool of expert practitioners; and the agonizing process of DoD accreditation and certification are factors that make success an extreme challenge."
DoD networks are currently protected with a mix of technologies and techniques, including a public key infrastructure (PKI), enterprise anti-malware tools, the Assured Compliance Assessment Solution (ACAS) and rogue wireless detection. Also key to the Defense Information Systems Agency's (DISA's) current network protection strategy is the Host Based Security System (HBSS), a commercial off-the-shelf (COTS)-based application designed to monitor, detect and counter known cyber threats. HBSS is based on several security technologies developed by McAfee; Intel acquired McAfee in 2011.
In a recent C4ISR & Networks webcast, "How the Military uses Cyber Security to Bring Total Visibility to Networks," Mark Orndorff, program executive officer of DISA's Mission Assurance Executive and Network Operations, expressed his concern that existing endpoint security methods are failing to keep pace with emerging security challenges and that new approaches to network perimeter security must be considered. "The stronger and more pervasive use of encryption has made the dependence and use of the perimeter protections less effective," he observed. "Plus, we've got this mobile workforce where we're all using our computers, our mobile devices, from many different entry points."
Keeping pace
While still effective, HBSS is beginning to show its age. Since its initial deployment, HBSS has had to keep pace with a variety of new endpoint devices, ranging from mobile phones to vehicle-based sensors, all requiring fast and dependable network access. "Whereas in 2008 an endpoint was a desktop, a laptop or a server, an endpoint is now simply where a user touches mission applications and data," Montgomery said.
As endpoints continue evolving, so does DISA's approach to endpoint security. "Focusing a lot on boundary defenses is something that we've got to think through," Orndorff said. "How are we going to improve security with less reliance on perimeter protection?"
Orndorff said that he would like to see "ideas on how we could make the workstation side ... less critical and bring some of those security functions into the data center, or into the cloud, so that we would have a more efficient way, and more agile way, of providing those capabilities without depending so much on a heavyweight, endpoint security solution." He noted that adopting a zero trust model was a possibility.
According to Forrester Research, zero trust networks are designed from the inside out in a modular, scalable way. All traffic is treated as hostile until it has been verified as authorized, inspected and secured. Access control is strictly enforced, removing any temptation for users to reach restricted resources. All network traffic is logged and inspected to verify that users are in fact doing the right thing, rather than simply trusting that they are.
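To make the Forrester principles concrete, here is an added illustration (not code from the article, DISA or Forrester) of a minimal default-deny policy enforcement point in Python. Every request is refused unless a verified identity, a healthy device posture and an explicit authorization rule all check out, and every decision, allow or deny, goes to an audit log. The request carries its source network, but the policy deliberately never reads it: arriving from the "inside" buys no trust. All names, the two-day signature-age threshold, the rule set and the sample requests are hypothetical.

```python
"""Default-deny policy enforcement point: a constructed zero trust illustration.
Names, thresholds, rules and sample requests are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Request:
    principal: Optional[str]   # identity asserted by the client, None if anonymous
    cert_valid: bool           # PKI credential verified upstream (assumed)
    device_id: str
    source_net: str            # e.g. "garrison-lan" or "internet"; NOT a trust input
    resource: str
    action: str


@dataclass(frozen=True)
class DevicePosture:
    agent_present: bool        # host security agent is reporting in
    signatures_age: timedelta  # time since last malware signature update
    compliant: bool            # last compliance scan passed


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyEnforcementPoint:
    """Gate in front of a resource; nothing passes without an explicit allow rule."""

    MAX_SIGNATURE_AGE = timedelta(days=2)   # hypothetical threshold

    def __init__(self, rules, posture_db):
        self.rules = set(rules)              # allow-list of (principal, resource, action)
        self.posture_db = dict(posture_db)   # device_id -> DevicePosture
        self.audit = []                      # one entry per decision, allow or deny

    def evaluate(self, req: Request) -> Decision:
        decision = self._decide(req)
        # Log every decision, not just denials: verify, rather than assume,
        # that users are doing the right thing.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "principal": req.principal, "device": req.device_id,
            "source_net": req.source_net, "resource": req.resource,
            "action": req.action, "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def _decide(self, req: Request) -> Decision:
        if req.principal is None or not req.cert_valid:
            return Decision(False, "unauthenticated")
        posture = self.posture_db.get(req.device_id)
        if posture is None:
            return Decision(False, "unknown device")
        if not posture.agent_present:
            return Decision(False, "host security agent not reporting")
        if posture.signatures_age > self.MAX_SIGNATURE_AGE:
            return Decision(False, "malware signatures stale")
        if not posture.compliant:
            return Decision(False, "device failed compliance scan")
        if (req.principal, req.resource, req.action) not in self.rules:
            return Decision(False, "no authorization rule")
        return Decision(True, "authorized")


def build_demo_pep() -> PolicyEnforcementPoint:
    """Constructed rule set and device inventory for the demonstration."""
    rules = [("alice", "logistics-db", "read")]
    posture = {
        "laptop-1": DevicePosture(True, timedelta(hours=6), True),
        "laptop-2": DevicePosture(False, timedelta(days=9), True),
    }
    return PolicyEnforcementPoint(rules, posture)


def run_demo(pep: PolicyEnforcementPoint) -> dict:
    """Four constructed requests; returns each decision keyed by scenario."""
    return {
        # Verified user, healthy device, explicit rule: allowed even from the internet.
        "remote_allowed": pep.evaluate(Request("alice", True, "laptop-1", "internet",
                                               "logistics-db", "read")),
        # Same user and device on the "inside" network, but no rule permits write.
        "inside_no_rule": pep.evaluate(Request("alice", True, "laptop-1", "garrison-lan",
                                               "logistics-db", "write")),
        # Authorized user, but the device's agent is down and signatures are stale.
        "stale_agent": pep.evaluate(Request("alice", True, "laptop-2", "garrison-lan",
                                            "logistics-db", "read")),
        # No verified identity at all, regardless of network.
        "anonymous": pep.evaluate(Request(None, False, "laptop-1", "garrison-lan",
                                          "logistics-db", "read")),
    }


if __name__ == "__main__":
    pep = build_demo_pep()
    for name, decision in run_demo(pep).items():
        print(f"{name:15} allowed={decision.allowed!s:5} reason={decision.reason}")
    print(f"{len(pep.audit)} decisions logged")
```

The point of the four scenarios is that only the first is allowed, and it is the one arriving from the internet; the three "inside" requests fail on authorization, device posture and identity respectively, and all four leave an audit record. In a real deployment the posture store would be fed by the endpoint agent's reporting and the identity check by the PKI-backed identity provider rather than by booleans in a request.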
Orndorff is particularly interested in moving some or all endpoint security services into the cloud. "I think that's an innovation that we'd want to take a look at and see how you could apply any or all of that to our environment," he said.