Track 4, Session 6: HBSS
PURPOSE: To discuss the HBSS capability and the purpose that it serves the Army.
OBJECTIVES: By the end of this brief you will know the:
Background behind HBSS
Planning required for implementation
HBSS components
DISA and Army roles
Training currently available
Army i
3. HBSS Selected for Enterprise-Wide Solution
DoD IA/CND Enterprise-Wide Solutions Steering Group (ESSG)
Tasked DISA to procure a DoD enterprise-wide automated, standardized tool to provide end-point, or host-based security, against both insider threats and external threats that are able to penetrate boundary defenses or enter through backdoors.
History
Initial Contract Awarded: March 2006
BAE Systems (Prime), McAfee, Inc (Sub)
HBSS Pilot: April 2006 - Present
JTF-GNO Warning Order: July 2007
Enterprise-Wide Implementation: August 2007 (Tent)
NETCOM/ESTA Enterprise Network Planning Division (ENPD) has the overall lead for the Army-wide HBSS implementation. On March 31, 2006, DISA, at the request of the ESSG and the USSTRATCOM, purchased from industry an automated Host-Based Security System (HBSS) capability that will provide organizations the mechanism to prevent, detect, track, report, and remediate malicious computer-related activities and incidents across all DoD information systems.
4. HBSS supports two AENIA capabilities: Anti-Virus and Host Intrusion Prevention System
HBSS Deployment Objectives
100% of all Enterprise NIPRNet and SIPRNet workstations will have HBSS installed.
100% of all Enterprise NIPRNet and SIPRNet servers will have HBSS installed or have a coverage plan.
NIPRNet deployment will be pushed first, but both can be done simultaneously.
All Army echelons will have trained and certified HBSS users.
One full cycle of captured INFOCON data
* The HBSS solution(s) shall be the Enterprise-wide solution(s) across the Department of Defense (DoD) (Combatant Commands, Intelligence Community (non-Title 50 elements), Services, and DoD Agencies), Coast Guard, National Guard, and the Reserves on all classifications of networks hereafter referred to as the ENTERPRISE. All ENTERPRISE owned and leased computers and networks are covered under this agreement, regardless of the persons operating the computer systems. Contractors will be permitted to use the software on government-owned/leased equipment only.
5. The McAfee HBSS solution comprises the following components:
McAfee Host Based Security Manager (ePO Server)
McAfee ePO Console
McAfee ePO Common Management Agent
McAfee Host Intrusion Prevention Software (HIPS)
McAfee Assets 2500 Baselining Module
ePO server is the hub of HBSS. It consists of four features: a robust database, a report-generating engine, a software repository for deployment, and rogue system detection.
SQL server houses the HBSS databases.
Repository server is any existing server with disk space. Clients will connect to the local repository server for updates and files. This reduces bandwidth requirements in environments with WANs and reduces server load on the ePO servers.
ePO console is a tool that SAs use to deploy, manage, and maintain the HBSS solution. The console displays client computer properties, sets and enforces security policies to all/some clients, schedules tasks/policies for targeted computers, and it customizes and displays monitoring reports.
CMA interacts with the ePO server to gather/report data, install products, enforce policies/tasks, maintain connectivity, and retrieve/implement updates. The CMA runs in the background.
Assets 2500 Baselining module automates the baselining requirements prescribed in the DoD INFOCON policy. It establishes a common, repeatable way of ascertaining the overall status of an organization's network. It allows SAs to capture, view, and report configuration management information about a server, workstation, or laptop.
HBSS may include HIDS or HIPS:
HIDS observes the computer (OS or network interface), watching for malicious activity. If it detects any, HIDS terminates the activity and sends an alert to the security manager.
HIPS protects against malicious activity such as worms and Trojans.
6. HBSS Capabilities
Provides defense-in-depth
Protects host machines from exploits and malicious activity
Provides centralized management of host-based capabilities
Up to 60,000+ hosts from one manager
Automated support for INFOCON baselining (SD 527-1)
Centrally managed Host-Based Firewall System
Centrally managed Host-Based Intrusion Prevention System (HIPS)
Robust Buffer Overflow protection
Signature and behavioral based IPS
Application monitor
Protects against system degradation
INFOCON baselining (SD 527-1, STRATCOM Directive)
The purpose of this SD is to establish guidance and procedures for the Department of Defense (DoD) Information Operations Conditions (INFOCON) System. The INFOCON system is a readiness strategy that provides the ability to continuously maintain and sustain one's own information systems and networks throughout their schedule of deployments, exercises and operational readiness lifecycle, independent of network attacks or threats.
INFOCON 5
INFOCON 4
INFOCON 3
INFOCON 2
INFOCON 1
7. HBSS Enterprise Planning
Requirements needed prior to implementation
Network Diagrams (to include bandwidth)
Site Surveys
Implementation Design Plan
HBSS Implementation Goal
ePO server placement
Dependent upon host count, host locations, bandwidth, and manpower
Note: Focus is to implement HBSS on the NIPRNet first, then follow up with implementation on the SIPRNet.
8. HBSS Pilot Manpower Survey Results
Task                                             Average Estimated Manhours   Average Degree of Difficulty
Deployment & Configuration of the ePO Server     71.94                        2.38
Population of Hosts from the ePO Server          37.03                        2.94
Deployment of the CMA                            27.84                        2.88
Creation of Distributed Repositories             17.25                        3.25
Configuring HIPS Policy                          35.00                        2.00
Deploying the HIPS and INFOCON Modules           13.13                        2.93
Managing and Researching IPS Events in ePO       23.27 per week               2.47
Regular Maintenance of ePO Server                7.08 per week
Degree of Difficulty: 1-Very 2-Above Average 3-Average 4-Below Average 5-Minimal
Manpower is one of the issues that the Enterprise NetOps Planning Division has taken into account. The implementation design plan will be thoroughly tested in order to determine the manpower needed to efficiently implement HBSS within the Army's infrastructure.
The HBSS Pilot is currently the only source that provides any type of estimate of required manpower. This slide shows the areas of concentration that will be taken into account during design planning.
9. DISA Provisions
ePO Servers + Warranty
SQL Servers + Licensing
HBSS Software (Ghost images)
Help Desk Support
24x7 Tier 1 and Tier 2 support with backup technical support from FSO team
24x7 Tier 3 support with vendor
Army Provisions
Backup ePO Servers
Distributed Repositories (as needed)
Continued Maintenance and Licensure
Server Replacement
Engineering and Installation Support
10. HBSS Classroom Training Course
This three-day course is a System Administrator level, hands-on, open-book tested course that will cover the installation, configuration and operation of the HBSS solution.
HBSS 101 Online Training
Course provides an overview, features, capabilities and benefits of deploying HBSS on your networked systems. Training available on the DoD AKO IA Portal.
HBSS Training Schedule
PACOM August 2007 (2 classes)
KOREA October 2007
EUR November 2007
SWA November 2007
Both online and classroom training are provided for the HBSS products. System administrators are required to complete the HBSS training and review the associated documentation before using or installing the HBSS software. For those attending the classroom training, the online training is a required prerequisite.
Training Course Agenda
Day 1 - Introduction to McAfee Host IPS, Using ePolicy Orchestrator, Installation
Day 2 - General Policies, McAfee Host IPS Policies, Firewall Policies, Application Blocking Policies
Day 3 - McAfee HIP Client, Maintenance, Policy Tuning, Asset Management, System Compliance Profiler, Rogue System Detection, Troubleshooting, Course Test
HBSS 101 Online training is available to anyone who can access the DoD AKO IA Portal.
11. Tactical Pilot Site Determined
PM TRCS will host a tactical pilot for HBSS. The tactical pilot will test the functionality of the HBSS components and their ability to communicate effectively over the tactical network.
Tactical Pilot Testing Schedule
HBSS Training June 2007
Establish Tactical Test Plan June-July 2007
Prepare for Testing July - August 2007
Start Testing August 2007
Conclude Testing August 2007
HBSS Tactical Test Objectives
- Determine Best Location for Hardware (i.e., FRHN, JNN)
- Validate Bandwidth over Tactical Nodes
- Determine Manpower Requirements for Operation
- Test Scenarios
  - Deploy CMA and HIPS Module to workstations.
  - Conduct routine updates to workstations.
  - Conduct signature downloads, installations, and verifications.
  - Conduct INFOCON module test.
- Document Operational Procedures
12. Conceptual Army-Wide Deployment Schedule
13. HBSS POCs for the Army:
LTC Richard Turner, Ch NetOps Implementation
Comm 520-538-8903; DSN: 879-8903
richard.j.turner@us.army.mil
Cathleen Vetter, HBSS Project Lead
Comm 520-538-8026; DSN: 879-8026
cathleen.vetter@us.army.mil
HBSS-related Web Sites:
https://gesportal.dod.mil/sites/HBSS-Program/default.aspx
https://powhatan.iiie.disa.mil/tools/hbss/index.html
https://www.us.army.mil/suite/page/399876