Enabling Enterprise Resilience through Security Automation ...

Software & Supply Chain Assurance:Enabling Enterprise Resilience throughSecurity Automation, Software Assurance,and Supply Chain Risk ManagementJoe Jarzombek, PMP, CSSLPDirector for Software & Supply Chain AssuranceCyber Security & CommunicationsUS Department of Homeland Security

Risk Management (Enterprise Project):Shared Processes & Practices Different FocusesEnterprise-Level:• Regulatory compliance• Changing threat environment• Business CaseProgram/Project-Level:• Cost• Schedule• PerformanceWho makes risk decisions / trades?Who “owns” residual risk from tainted/counterfeit products?* “Tainted” products are those that are corrupted with malware, orexploitable weaknesses & vulnerabilities that put users at risk

ICT Supply Chain ExploitationToward a Common Frame of Reference for SwA & SCRM

SwA & SCRM ImperativeIncreased risk from supply chain due to:• Increasing dependence on commercial ICT formission critical systems• Increasing reliance on globally-sourced IThardware, software, and services• Varying levels of development & outsourcing controls• Lack of transparency• Residual risk passed to end-user enterprise• Counterfeit products• Tainted products with malware, exploitable weaknessesand vulnerabilities• Growing technological sophistication among ouradversaries• Internet enables adversaries to probe, penetrate, andattack us remotely• Supply chain attacks can exploit products & processesthroughout the lifecycle

Who is susceptible to supply chain exploitation?Banking and FinanceDefense IndustrialBaseEnergyGovernment FacilitiesHealthcare and PublicHealthInformation andCommunicationsTechnologyNuclear PowerTransportation8

Econ. Dev.Impact SCRM OpsUSG CapabilityBuild AwarenessDevelop SCRM System ConceptsWhere is DHS being pulled?1. Protect Critical Infrastructure 2. Bridge Security/Acquisition Gaps1.1 Build partnership with private sector telecomm and ITcompanies to address SCRM (DHS)2.1 Develop frame of reference for common discussion of SCRMthreats, exploits, acquisition gaps, security measures. Developand pilot analytic processes for evaluating SCRM.1.3 Augment USG procurement of ICT equipment andservices, to give USG system owners authority to requireSCRM in response to emerging threats (GSA)2.2 Develop SCRM analytic tools for implementing SCRMconsistently across D/As (including domain specific acquisitionsupport, text analytics, risk-based decision support, forensics,control languages, standard messaging formats)2.3 Track successful implementations of SCRM for promulgationof cost-effective, best practices1.5 Consider new legislative authorities to regulate SCRMacross dependent sectors (DOD & DOC)1.6 Develop multi-tiered, standards-driven approach tostandards-based risk management frameworks for SCRM(NIST & DHS & FCC)2.4 Support the development of SCRM policies, procedures, andgovernance for the implementation and monitoring of SCRMacross civilian D/As2.5 Develop operations for detection, forensics, incidentresponse in collaboration with US-CERT and the NCCIC1.7 Fund transition of critical technologies into domestic,sustainable production capabilities (OSTP & DPAC)2.6 Build relationships with acquisition groups and pilot SCRMtools, evaluate success, and continuously improve| 10 |

Supply Chain Exploit Frame of Reference■ Complex, emerging supply chain risks■ Diverse, emerging policies, standards, best practicesWe need a common language to describesupply chain exploitation, so that:1. Greater customization of security controls(to reduce implementation costs)2. Better collaboration across partners (toimprove effectiveness of security activities)11

(1) A Common Language for SC ExploitsExploit TechniquesMalevolent BehaviorExamination/ DisclosureAlteration/ MalwareCoercion/ InfluenceTheft/DestructionCounterfeitingMalicious LogicExfiltrate/ Expose DataDestroy/Corrupt DataElevate PrivilegesDeny AccessDestroy/Corrupt EquipmentProduction/IntegrationEnvironmentalWeaknessesExploits and weaknesses vary across systems, domains ofcustody, and phase of the system lifecycle.TechnicalWeaknessesPoor or Inadequate:RequirementsTestingDesignDevelopmentPracticesBusiness WeaknessesCross-PurposeIncentivesDiversionsInadequate Training/EduIneffective Policy…Ineffective ProcessesMarket/CountryWeaknessesSmall MarginsWeak IntellectualProperty RulesWeak Privacy RulesLack BusinessIndependenceVulnerable Systems| 12 |

Domain of Custody(1) Common Language ExampleWithin TrustedCustody ofProducerTransit orEn-RouteStorageWithin TrustedCustody ofAcquirer1Knowledge ofdelivery processKnowledge of labequipment3Design of copierNeed for insiderDataConcept Develop Produce Utilize Support Dispose54Use Stolen IP212345Exploit TechniqueSteal design of lab fromcontractorExamine discarded copierAlter copier to stenographdata to cover sheetCoerce contractedmaintenance to providerecycled cover sheetsDecipher cover sheets forintellectual propertyPhase of System Lifecycle| 13 |

(2) Countermeasure PrioritizationSecure Designs & ArchitecturesTestable RequirementsReliable Provider EvaluationsDependable IntelligenceContinuous SecurityMitigations(linked to Exploitsand Weaknesses)Indicators(of Exploits orWeaknesses)Mitigations and Indicators vary across systems, domains ofcustody, and phase of the system lifecycle.Individual ExploitIndicatorsUnauthorized ActivityTheft or DestructionUnexpected or UnusualFinancial Activity orInterestsOvert ThreatsCompany Exploit IndicatorsPrevious IncidentsFailed/Inconsistent Aspects ofTrusted DeliveryForeign AssociationsUnexpected or Unusual FinancialActivity or InterestsSupply Chain Exploit CapabilitiesMarketplace / CountryIndicatorsMovement of Manufacturingtoward foreign ownershipGovernment subsidiesIntelligence or GovernmentConcernsNewsBasis for Prioritization ofMitigations| 14 |

(2) Countermeasure Prioritization EXAMPLE■ DHS draft SCRMAttachment to the4300AImplementationGuide mapscountermeasures tothreats for analysisand selection ofcountermeasuresthat manage threatswith a potentialbusiness impact.| 15 |

| 16 |(3) Need Measured, Phased ApproachMeasure, Monitor, andReprioritize Practices(Especially for Visibility,Understanding, and Control)■ To assess effectiveness ofSCRM policy, it is necessary toidentify measurable outcomes ofSCRM, as well as the level ofimplementation■ Measurement framework wouldserve as a foundation forunderstanding and improvingSCRM practicesExample OutcomesRisk UnderstandingConfidence in the quality of risk-related dataAbility to use risk estimates in investmentdecisionsAbility to identify significant new risksAbility to assess protection levels against newlyidentified threatsAbility to effectively prioritize gaps forremediationInteragency PartnerEngagementAbility to describe risks to senior businessleadersAbility to persuade interagency partners tomake decisions based on risk infomrationClear understanding of who holds responsibilityfor addressing control gapsInteragency partners understand theirresponsibilities in managing riskInteragency partners understand risk dataInteragency partners actively manage and closerisks independentlyInteragency partners willingly and formallyaccept residual risksExample Levels of ImplementationDegree ofImplementationMaturity ofProcess• Level 1: None• Level 2: 1 – 25%• Level 3: 26-50%• Level 4: 51-75%• Level 5: 76-100%ContractingFirm knowledge of the controls portfolio inplace at major contractorsAbility to describe the risk landscape of majorcontractorsContractors understand requirements necessaryto comply with regulationsContractors have confidence in ability to satisfyregulatory requirements and address gapsContractors have confidence that informationon configurations of controls is current andaccurateContractors have the ability to anticipate newregulations and requirements• Level 1: Focus only on known risks• Level 2: Focus on emerging risks on an ad-hoc basis• Level 3: Maintain a comprehensive list of risks that are consistently addressed• Level 4: Defined processes of identifying, defining, and incorporating emerging risks• Level 5: Monitor and optimize process for incorporating emerging risksIntensity ofApplication• Level 1: Little understanding of mission• Level 2: Basic understanding of mission• Level 3: Strong understanding of mission, but not priorities and strategic direction• Level 4: Strong understanding of mission with some sense of strategic direction• Level 5: Strong and broad understanding of process and well-developed sense of strategic goals

| 17 |Examples of TransferableTechnology/Resources:• Test and Evaluation Processes• Instantiation of BRANCH (Business Risk Analysis Clearing House)

SCRM StrategyUS-CERTNCCIC NCIXI&ADOJIdentify &RespondText AnalyticsCapability EvalsEngineerToolsTrainingDOE&DOJEducationFedVTEOutreach &CollaborateManageSupply ChainRisk4300AITAR QEGD102-01InfluencePolicyPolicies implement standardsStandards are a foundation of good policyDevelopStandardsIR7622SP800-53SP800-161| 18 |

SCRM Systems Engineering Needs1. A common language to describe supply chain exploits(1 st rule of systems engineering – needed for SCRM)2. Realistic method to prioritize mitigations3. Phased implementation approach that includes monitoring/validating effectiveness of SCRM to discourage:– BOGSAT prioritization methods with no validation that cause“spending into oblivion” OR– “Hands-up” “cannot afford” responses of smaller components, yetinterconnect into secured systems4. Standard approaches for sharing measurable security plansto incorporate into provenance processes| 19 |

(3) Need Measured, Phased ApproachAdapt NIST 800-39 Risk Management guidance:1. the multitiered organization views and process elements must be elaborated upon for the integrated organizationfor SCRM (greater depth into supply chains), and2. the risk management features must expanded to account for non-traditional IT operations (greater breadth toinclude development/acquisition operations and logistics).Example Elaborations:Tier One – Organization/Enterprise View■■■Governance and Risk Executive includes integrated structure for IT, security, logistics, contracting, and so forthRisk Management Strategy frames supply chain threats and vulnerabilities (in both products and processes)Investment Strategies include secure replacement of exploitable modulesTier Two – Mission/Business View■■Risk Awareness includes supply chain concerns, such as tainted and counterfeit productsEnterprise/Infosec Architecture include development lifecycles and contracting detailsTier Three – Information System View■Appropriate activities built in across lifecycle phases (e.g., development, acquisition, sustainment, operations)| 20 |

(4) Security “Pipework”| 22 |

Term Definitions■ NIST IR 7622– ICT Supply Chain Risk■ Risks that arise from the loss of confidentiality, integrity, or availability of information or informationsystems and reflect the potential adverse impacts to organizational operations (including mission,functions, image, or reputation), organizational assets, individuals, other organizations, and theNation. NIST SP 800-53 Rev 3: FIPS 200, adapted– ICT Supply Chain Risk Management■ The process of identifying, assessing, and mitigating the risks associated with the global anddistributed nature of ICT product and service supply chains.■ CNSS Instruction 4009– Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event and istypically a function of 1) the adverse impacts that would arise if that circumstance or event occurs, and 2) thelikelihood of its occurrence– Vulnerability is a weakness that could be exploited by a threat source– Threat is any circumstance or event with the potential to adversely impact organizational operations, assets,individuals, other organizations, or the Nation– Impact is the magnitude of harm that can be expected| 23 |

Identifying DHS Concerns about howSupply Chain Exploits put users at risk■ SwA/SCRM Working Groupsession to collaborativelyaddress how a frame ofreference could assist:– Provide a common lexicon– Discuss countermeasures– Catalogue inspection/detection andanalysis tools and techniquesDRAFT24

Next SwA WG 25-27 June 2013 at MITRE in McLean VAJoe Jarzombek, PMP, CSSLPDirector for Software & Supply Chain AssuranceCyberdecurity & CommunicationsDepartment of Homeland SecurityJoe.Jarzombek@hq.dhs.gov(703) 235-5320

Cybersecurity and CommunicationsResponsible for enhancing security, resiliency, and reliability of the nation's cyber andcommunications infrastructure; actively engages the public and private sectors aswell as international partners to prepare for, prevent, and respond to catastrophicincidents that could degrade or overwhelm strategic assets.Works to prevent or minimize disruptions to our critical information infrastructure inorder to protect the public, the economy, government services, and overall securityof the United States by supporting a series of continuous efforts designed to furthersafeguard federal government systems by reducing potential vulnerabilities,protecting against cyber intrusions, and anticipating future threats.As the Sector-Specific Agency for the Communications and Information Technology (IT)sectors, CS&C coordinates national-level reporting consistent with the NationalResponse Framework, and fulfills the mission through its five divisions:· The Office of Emergency Communications (OEC)· The National Cybersecurity and Communications Integration Center (NCCIC)· Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR)· Federal Network Resilience (FNR)· Network Security Deployment (NSD)

| 28 |A New Paradigm Presents a ProblemOldNewFromToBombs and BulletsBits and Bytes■ The increased reliance on Bits and Bytes increases the riskof nontraditional attacks– Incidents of malicious cyber activity growing rapidly year over year– Counterfeit electronics entering government networks

Why it Matters■ Industrial Espionage, National Security– CFIUS■ Counterfeit■ Criminal activity– Operation b70– Microsoft’s Digital Crimes Unit disrupted morethan 500 different strains of malware with thepotential for targeting millions of innocentpeople.29

Interdependencies Between Physical & Cyber Infrastructures:Convergence of Safety, Security and Dependability Considerations-- Need for secure/resilient software applicationsHomelandSecurity

Software Assurance Addresses Exploitable Software:Outcomes of non-secure practices and/or malicious intentExploitation potential of vulnerability is independent of “intent”DefectsEXPLOITABLE SOFTWAREUnintentionalVulnerabilitiesMalwareIntentionalVulnerabilities‘High quality’ canreduce securityflaws attributable todefects; yettraditional S/Wquality assurancedoes not addressintentionalmalicious behaviorin software*Intentionalvulnerabilities:spyware & maliciouslogic deliberatelyimbedded (might notbe considereddefects)Software Assurance (SwA) is the level of confidence that software functions asintended and is free of vulnerabilities, either intentionally or unintentionally designedor inserted as part of the software throughout the life cycle.*From CNSS Instruction 4009 “National Information Assurance Glossary” (26APR2010)