CD FY10 Budget and Tactical Plan Review FY10 Tactical Plans for Computer Security Ron Cudzewicz October 8, 2009 Tactical plan names listed here…DocDB#

Presentation transcript:

CD FY10 Budget and Tactical Plan Review
FY10 Tactical Plans for Computer Security
Ron Cudzewicz
October 8, 2009
Tactical plan names listed here… DocDB#
FY10 Tactical Plan for Computer Security 3378

CD FY10 Budget and Tactical Plan Review 2
FY10 Tactical Plan for Computer Security
Tactical Plan Leader: Joe Klemencic
Service Activity List
– Compliance-Auditing-Oversight
– Information Systems Security Manager
– Information Security Officer
– Certification Agent
– Integrated Security Management
– Security Researcher
Project Activity List
– DOE Compliance
– Scanning Infrastructure
– Vulnerability Detection and Management
– NLCIO, DOE, CSWG
– CS Administration

CD FY10 Budget and Tactical Plan Review 3
Service Activity: Information Systems Security Manager
Goals Related to this Activity (Project 511)
– Comply with the ISSM responsibilities as assigned in DOE M
– Define and communicate the strategic direction of the Fermilab Computer Security program.
– FNAL computer security representative to the DOE.
– Continuous review and updating of all existing computer security policies and plans.
– Formulate new policies and plans as needed.
Key Metrics
– Effort Reporting
Service Documentation:
Issues and Risks
– None

CD FY10 Budget and Tactical Plan Review 4
Service Activity: Information Security Officer
Goals Related to this Activity (Project 511)
– Comply with the ISO responsibilities as assigned in DOE M
– Communicates individual incident and potential incident reports to the ISSM.
– Initiates ISSM-approved protective or corrective actions.
– Participation in ISSM self-assessment and training programs.
– Communicate OSE policies to the OSG and other participating organizations and policy enforcement.
Key Metrics
– Effort Reporting
– Milestones: Continued DOE funding.
Service Documentation:
Issues and Risks (specific to this activity, includes allocation impact)
1. None

CD FY10 Budget and Tactical Plan Review 5
Service Activity: Certification Agent
Goals Related to this Activity (Project 511)
– Comply with the CA responsibilities as assigned in DOE M
– Conducts comprehensive assessment of management, operations, assurance, and technical security controls in an information system.
– Provides the system owners with the level of effort and resource requirements for conducting the ST&E process.
– Provide forensics expertise during and/or after computer security incidents.
Key Metrics
– Percentage of ST&E controls assessed within the past 12 month period as part of the ongoing continuous monitoring process.
– All DOE Office of Science data calls responded to on or before their deadlines.
– Datacalls: current status chart:
– Datacalls: yearly response chart rollup.
– Milestones: Continued DOE funding.
Service Documentation:
Issues and Risks
1. None

CD FY10 Budget and Tactical Plan Review 6
Service Activity: Integrated Security Management
Goals Related to this Activity (Project 50, not members of computer security team)
– Special requests related to Computer Security requirements, e.g.
  Effort requested by computer security for data collections
  FCIRT incident response activity
  Audit preparation and interviews
Key Metrics
– Effort Reporting
– Milestones,
Service Documentation:
Issues and Risks
1. None

CD FY10 Budget and Tactical Plan Review 7
Service Activity: Security Researcher
Goals Related to this Activity are still under development by security management.
Key Metrics
– Effort Reporting
– Milestones, if any applicable (may be none for some Service Activities)
Service Documentation: Location of a Service Definition and related documentation
Issues and Risks

CD FY10 Budget and Tactical Plan Review 8
Service Activity: Compliance-Auditing-Oversight
Goals Related to this Activity (Project 50 only members of Computer Security Team)
– Re-architect the business internet traffic inspection to facilitate the increase in bandwidth
– Expand the CST central logging facilities horizontally
– Implement internal sensors to alert on potentially malicious traffic
– Encourage use of central services.
– Minimize impact of DOE requirements on scientific program.
– Continue to refine security controls for Open Science Enclave (OSE).
Key Metrics
– Effort Reporting
– Milestones
Service Documentation:
Issues and Risks

CD FY10 Budget and Tactical Plan Review 9
Project Activity: DOE Compliance
Goals Related to this Activity
– Maintain hardware and software on currently installed systems to support data collection, anomaly detection and policy enforcement as mandated by the DOE.
– Implement DNS Blackhole servers to redirect users to restricted resources when attempting to contact malicious sites or services.
– Implement Intrusion Detection Systems and Traffic Profilers on internal networks to facilitate anomaly detection and rapid detection of compromised nodes
– Augment training and general security awareness among Fermilab employees through the Computer Security Awareness Day and ongoing computer security awareness training.
– Provide resources to facilitate metrics creation, data mining and introduction of automated utility computing
– Procure the equipment and services to facilitate the relocation of equipment in FCC2 computer room.
– Procure larger hard drives for continuous growth of data collection and to replace failed units.
– Procure additional equipment to support new DOE directives and initiatives on a contingency basis.
Key Milestones
Project Documentation:
Issues and Risks
1. Developing an agile posture toward possible, unplanned-for DOE new requirements to minimize non-compliance risks.

CD FY10 Budget and Tactical Plan Review 10
Project Activity: Scanning Infrastructure
Goals Related to this Activity
– Install new distributed scanner hardware.
– Maintain and expand existing scanner infrastructure: memory, processor, storage upgrades.
Key Milestones
– Metrics: More comprehensive scanner results.
Project Documentation: URL to Project Web Site or project definition documentation
Issues and Risks
1. An aging scanner infrastructure leaves the lab more vulnerable.

CD FY10 Budget and Tactical Plan Review 11
Project Activity: Vulnerability Detection and Management
Goals Related to this Activity
– Installation of additional Splunk systems: hardware and software licenses. Special FY09 funding provided by DOE for this purpose, $216K
– Procure software maintenance and updates for production web proxies
Key Milestones
– Procurement
– Installation
– Metrics: More comprehensive metrics generation by the Splunk systems.
Project Documentation:
Issues and Risks
1. Potential compromise of Fermilab’s ability to respond quickly to cyber attacks.
2. Increased vulnerability to data loss, corruption and web based services.

CD FY10 Budget and Tactical Plan Review 12
Project Activity: NLCIO, DOE, CSWG
Goals Related to this Activity
– Attend Cyber Security-related workshops, conferences and training sponsored by the DOE Office of Science.
Key Milestones
– Metrics,
Project Documentation:
Issues and Risks
1. Failure to understand and influence current regulations increases the operational burden on the Lab.

CD FY10 Budget and Tactical Plan Review 13
Project Activity: CS Administration
Goals Related to this Activity
– Provide sufficient equipment, technologies, personal computers, etc. to carry out the mission of the CST Group.
Key Milestones
– Metrics
Project Documentation:
Issues and Risks
1. None

CD FY10 Budget and Tactical Plan Review 14
Ripple Effect on Shared IT Services (What new requirements does your service have for other services)
– Enhanced log collection
– Long term digital certificate offering
– Multi-factor authentication
– Electronic ID Management
– Adoption of Centralized Authentication
– Exemption Processing and Recording
Note: Help avoid emergency procurements, which incur added costs. At least put an ‘X’ where need is expected, even if details are not yet known.
Descriptors: Agreed to? Whose budget covers costs? Is the driver a service or a project?
A = Agreed with service provider; N = New need, not yet agreed to by service provider.
M = “My” budget contains this; T = Shared service budget should contain this.
S = Steady-state service drives this; P = Project activity alone drives this.
Only activities with “new” demands on shared IT services since last FY need be listed.
* Network Connectivity: expansion of existing service
* Network-Attached Storage a.k.a. BlueArc: additional storage space

CD FY10 Budget and Tactical Plan Review 15
FY10 FTE and M&S: Request vs. Allocation
Level 0/1 Activity: Computer Security
Project Priorities:
High = Already committed to stakeholders to meet identified demands.
Medium = Provisioning for planned stakeholder demands, especially demand coming in near-term.
Low = Exploration to prepare for anticipated demand, especially demand coming in long-term.
If you wish to raise a priority beyond these definitions, please make your case in the Discussion.

CD FY10 Budget and Tactical Plan Review 16
Impact of Preliminary Allocation
With this preliminary allocation, we will be able to continue our strategic direction of becoming more proactive.
Maintain our active role in understanding and influencing DOE cyber security policy.

CD FY10 Budget and Tactical Plan Review 17
Summary of Past Action Items
None

CD FY09 Tactical Plan Status 18
Tactical Plan Summary
Summary
– Failure to complete the rearchitecture of the FY09 purchased hardware for the internet data inspection efforts due to external dependencies (facilities, networking, vendor bugs) will result in an even greater loss of inspected packets, currently around 60%-80% packet loss, as the internet bandwidth increases.
– Failure to obtain and implement internal IDS/Profilers will result in a continued diminishing view into internal anomaly detection.
– Delays incurred by the DNS rearchitecture project by the LAN group will result in a missed opportunity to implement DNS Blackhole servers to deny and track access attempts to hostile external resources.

CD FY09 Tactical Plan Status 19
Tactical Plan Summary
Summary (cont’d)
– Due to the ever increasing data collection sources, the current Splunk server will be operating beyond the implemented index licensing and hardware specifications, resulting in data loss and missed log collection opportunities.
– Scanning and data processing devices are in a constant need of upgrades or replacement due to the ever increasing data collection and data mining efforts. Failure to stay on top of performance and storage issues will result in data loss, excessive analysis time and a reduced data retention interval as specified in the GCE Security Plans.

CD FY09 Tactical Plan Status 20
Tactical Plan Summary
Summary (cont’d)
– Due to the specialized hardware and software in use, maintenance costs continue to rise as we increase the licensing to align with the additional data collection. Failure to renew maintenance will result in a freeze of signature and other constantly changing analyzer datasets resulting in mis-detection of new threats and failure to repair failed hardware.
– Business injects and out of scope operational issues interfere with the successful implementation of new resources, data mining efforts and support of existing infrastructure.