Agenda Enterprise Situational Awareness Active Defense

Presentation transcript:

Accenture Cyber Security
Enterprise Situational Awareness, Risk Assessment, and Active Defense
Accenture Proprietary, All Rights Reserved, Not for Distribution. Copyright © 2010 Accenture. All rights reserved.

Agenda
- Enterprise Situational Awareness
- Active Defense
- Open Architecture for Data Processing and Distribution
- Prioritization
- Risk Management

Enterprise Situational Awareness - Problem and Challenges
Problem
- Without full visualization and situational awareness of the GIG, it is difficult to provide an adequate cyber defense
- Currently no means to validate the network defensive posture
- Need enhanced situational awareness to improve network defense and effective combat operations
- Providing the effective and efficient means for COCOMS, Agencies, and other organizations to share compliance information
A comprehensive solution includes
- Making it easy to share and distribute information
- Information must be relevant for each level of the organizational hierarchy
- The data transmission must not negatively impact the computational and network resources of the organizations and the GIG
- A vendor neutral capability that provides and distributes the networks’ defensive posture across the organizational hierarchy

Accenture Compliance Automation Reporting for Enhanced Situational Awareness
- Accenture Compliance Automation Reporting (CAR) provides near-real time reporting throughout the organizational hierarchy
- Aggregates information from the lower levels and rolls up to the higher levels up to headquarters
- Data is summarized, transformed, and compressed to provide appropriate information at each level, which minimizes amount of data transmitted
- CAR, Powered by the Accenture Federated Framework, provides enterprise wide enhanced situational awareness

CAR Dashboard and Application
CAR’s Functions
- Provides a unified dashboard to access and display multi-vendor security compliance and risk applications at the organizational level (lowest level)
- Inputs FDCC scores in XCCDF format
- Groups FDCC fail scores into 7 risk categories (0-6, risk category 0 = 100% compliance)
- Provides a per desktop compliance score (0-100%) vs. risk score (0 – 7) of the organization on a two-dimensional graph that clearly identifies outliers
- Transforms XCCDF to an industry standard lightweight data interchange format and compresses it to two orders of magnitude less than original format
- Distributes the compressed risk and compliance data up the organizational hierarchy via the Accenture Federated Framework
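An added example, not code from the presentation or from CAR itself: a sketch of the XCCDF-to-lightweight-format step listed above, assuming the lightweight format is JSON and the compression is zlib (the slides name neither). The sample result document, host name and rule ids are constructed, and the risk-category grouping is left out because the slides do not define it.

```python
import json
import zlib
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # XCCDF 1.1 namespace

# Constructed sample: one XCCDF TestResult for a hypothetical desktop.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-sample">
  <TestResult id="result-1">
    <target>desktop-001.example</target>
    <rule-result idref="rule-password-length"><result>pass</result></rule-result>
    <rule-result idref="rule-screen-lock"><result>fail</result></rule-result>
    <rule-result idref="rule-autorun-off"><result>pass</result></rule-result>
    <rule-result idref="rule-guest-disabled"><result>fail</result></rule-result>
    <rule-result idref="rule-smartcard"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

def summarize(xccdf_text):
    """Reduce each TestResult to host, compliance % and failed rule ids."""
    # Assumes scanner output from a trusted source; use a hardened XML
    # parser if the result files can be influenced by the scanned host.
    root = ET.fromstring(xccdf_text)
    summaries = []
    for tr in root.iterfind(".//x:TestResult", NS):
        passed, failed = 0, []
        for rr in tr.iterfind("x:rule-result", NS):
            outcome = rr.findtext("x:result", default="", namespaces=NS).strip()
            if outcome == "pass":
                passed += 1
            elif outcome == "fail":
                failed.append(rr.get("idref"))
            # other outcomes (notapplicable, notchecked, ...) are not scored
        scored = passed + len(failed)
        pct = round(100.0 * passed / scored, 1) if scored else None
        summaries.append({"host": tr.findtext("x:target", default="", namespaces=NS),
                          "compliance_pct": pct, "failed": failed})
    return summaries

def pack(summaries):
    """Serialize as compact JSON and compress for sending up the hierarchy."""
    raw = json.dumps(summaries, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return zlib.compress(raw, 9)

def unpack(blob):
    """Inverse of pack(), as the receiving level would apply it."""
    return json.loads(zlib.decompress(blob).decode("utf-8"))
```

In this sketch the size reduction comes mainly from keeping only per-host outcomes rather than the full benchmark text; compression then works on the compact JSON.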

Accenture Compliance Automation Reporting (CAR) Architecture and Data Flow
CAR, Powered by Accenture Federated Framework
- Employs GOTS & open source software
- Reduced cost of ownership
- Vendor Agnostic
- Conforms to Federal standards
- Real-time, federated architecture
- Consumes and Produces SCAP (XCCDF)
Diagram labels: HBSS Environment, SQL Usage, SCAP Usage

Accenture Federated Framework
Java based framework comprised of three components
- Application Layer - allows for custom business logic development (e.g., CAR)
- Data Processing Layer – provides access to enterprise data and interfaces to applications and software tools
- Federated Message-Oriented Middleware – distributes compressed data securely to all other Accenture Federated Framework nodes in the enterprise
Diagram label: CAR

CAR Demo

Active Defense Forensic Quarantine
Zero-day attacks ….
We propose an approach to detect and stop the spread of zero-day malware when the data is in motion.
The proposed solution includes
- HBGary’s Digital DNA
- McAfee ePO Server
- Virtual Armor’s Blockhouse
- Accenture’s CAR and Dynamic Distributed Network (DDN)

Goals
- Identify zero-day malware
- Determine if malware is spreading
- Determine where it has spread
- Assess impact
- Prevent it from spreading further
- Isolate compromised machines
- Determine vector
- Remediate

Proposed Architecture and Process Flow
- Digital DNA detects zero-day malware
- HBGary distributes malware signature to BlockHouse
- Blockhouse sends malware signature and network device change requests
- Blockhouse monitors firewall and network devices and identifies malware
- DDN configures network devices to protect network from new malware
- CAR distributes malware signature to all sites in federation to update other Blockhouse servers

HBGary Digital DNA

Virtual Armor BlockHouse

Recommended Approach
(Still working on this summary)
Think Big:
- Develop a Multi-Tiered offering for aggregation of data.
- Use a customer-focused approach within the framework of a broad strategy that can achieve value through economies of scale.
- Develop a prioritization and risk management process from the visual views
- Collaborate from Cyber Command down to the services and agencies.
Start Small:
- Provide Compliance Automation Reporting Framework at a lower command
- Develop the compliance definition and apply it into the report.
- 3 Month engagement
- Write a Governance process for Compliance Reporting
- Write a prioritization and risk management plan
- Initial releases will have minimal features that meet the customer needs
Scale Fast:
- Build on success by quickly pulling in additional groups
- In parallel, evolve the Tiers with the lowest TCO to make them applicable to a broader audience
- Re-visit the “waterfall” after each change to the app set to re-evaluate candidacy for a higher Tier to help drive down costs.
- Subsequent releases will increase features to deliver capabilities not currently possible with the current desktop approach.

Backup Slides

Threat Analysis Center
- Asset Capabilities
- Cyber Range (Virtualized)
- Compliance Automation Reporting Framework
- Cyber Tool Set as a service
- Security Operation Center
- Transfer of data using SCAP (ARF)
- Past (Trend Analysis)
- Present (Real Time Mitigation and Remediation)
- Future (Predictive Analytics)
- Forensic Tools (Non Criminal activity)
- Threat Anomaly Correlation
- Malware Detection, Analysis and reverse engineering
- Vulnerability Replay
- Software Quality Assurance
- Security Engineering
- Monitoring
- Triage
- Coordination with outside SOC
- Arc Sight, Symantec, or McAfee Tools
Consider A Security Operations Analysis Center – Everyone already has a NOC and SOC
All can be reused throughout the Threat Analysis Framework

GeoCode View GEO Code View - SAS