HOST-BASED SECURITY


A Defense Information Systems Agency (DISA) initiative originally focused on improving the security of individual computers and other equipment is being transformed into an enterprise-level campaign to strengthen situational awareness and reinforce command and control over networks throughout the Department of Defense (DoD).

The program, called the Host-Based Security System (HBSS), took an important step forward early this summer with the launch of a hosting service at DISA computing centers to help smaller military services and agencies implement the program. While the schedule for the program’s official launch is classified, intensive efforts are underway by both the DoD and information assurance (IA) industry experts to put the program into place globally, train for it and provide operational support.

Mark Orndorff, director of DISA’s Mission Assurance and Network Operations Program Executive Office, summarized the program in a recent article, stating, “What we’re doing today is building out an enterprise architecture to take what was originally designed to improve the security of end-points, but pull information from a system and correlate it to a DoD enterprise level, so that commanders operating and defending the network will know the status of their security posture, giving us a readiness report card that’s machine generated.

“It will give us the ability to collect and correlate alarms as attacks propagate around the network and will give us the visibility of things such as anti-virus signature updates and anti-virus scan runs — essentially, letting us know what’s on the network. It will also give us the ability to look for what we call ‘rogue’ systems. These could be systems installed by DoD, systems configuration-managed by the DoD operators and defenders, systems added to the network, friendly systems added outside the management control of the network operators, and potentially malicious systems,” he explained.

“The whole focus is getting global situational awareness to help us know exactly what’s on the network, the readiness posture of everything on the network, and the network-alerting information to help us fight through an attack,” Orndorff continued.

While the new program will be largely transparent to end users, DISA officials suggest that it will dramatically change the way administrators and operators of the network do business.

“What we hope we are giving system administrators is a set of tools to improve the security of the networks, and additionally, providing a set of dashboards or views into the status of their network [in order] to change their whole routine. This will allow them to move from a reactive posture to attacks, to being proactive with the focus on prevention first,” Orndorff said.

“Whether it’s compliance with security policy, updating and patching computers, or maintaining anti-virus, there’s a whole set of things users on the ground who administer networks need to deal with every day,” he pointed out. “HBSS will now give a set of meaningful and actionable reports and dashboards to help focus time and attention on the key issues that need to be addressed every day.”

Program Evolution

HBSS started several years ago as an initiative to improve the security of DoD computing platforms. Recognizing that putting an off-the-shelf computer system on the network left a security gap, officials targeted some specific objectives, such as the common problem of buffer-overflow attacks, and decided to buy a single tool that could mitigate multiple risks.

In addition, DoD policy for Information Operations Condition (INFOCON) procedures requires baselining each system to identify all software loaded on the host and then periodically re-baselining to identify any deltas. A delta found on re-baselining, that is, software that was added or changed but was not deliberately installed by the system administrator, may indicate an attack or other threat. The original focus was to automate the baselining effort and provide some specific controls to mitigate a set of attacks.
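As an added example (not DISA's or the HBSS program's own code), the following Python script shows the baseline / re-baseline / delta cycle the INFOCON procedure calls for: take an inventory of installed software, fingerprint each entry, compare a later inventory against the stored baseline, and flag any delta the administrator did not approve. The package records, the two inventories and the approved-change list are constructed for the example; a real implementation would read the inventory from the host's package manager or the Windows Uninstall registry keys.

```python
"""Added example (not DISA's or HBSS's code): build a software baseline for a
host and report deltas on re-baseline, as the INFOCON baselining text describes.

Assumptions (hypothetical): installed software is represented as (name,
version, path) records. The inventories below are constructed inline so the
example runs offline; nothing here is real host data.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    path: str


def baseline(packages):
    """Return a baseline: package name -> fingerprint of version and path.

    Fingerprinting version and path (not just the name) lets the re-baseline
    catch a replaced binary under a legitimate name, not only additions and
    removals. In practice you would also hash the file contents.
    """
    fp = {}
    for p in packages:
        fp[p.name] = hashlib.sha256(f"{p.version}|{p.path}".encode()).hexdigest()
    return fp


def delta(old, new):
    """Compare two baselines; return the added, removed and changed names."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def review(d, approved_changes):
    """Drop deltas explained by the administrator's approved change list.

    approved_changes: names the admin deliberately installed, removed or
    updated since the last baseline. Whatever remains was not deliberately
    installed and warrants investigation as a possible threat.
    """
    unexplained = {}
    for kind, names in d.items():
        leftover = [n for n in names if n not in approved_changes]
        if leftover:
            unexplained[kind] = leftover
    return unexplained


# Constructed sample inventories (not real data).
FIRST_SCAN = [
    Package("openssh", "7.4p1", "/usr/sbin/sshd"),
    Package("curl", "7.29.0", "/usr/bin/curl"),
    Package("mcafee-agent", "4.6", "/opt/McAfee/agent"),
]
SECOND_SCAN = [
    Package("openssh", "7.4p1", "/usr/sbin/sshd"),
    Package("curl", "7.30.0", "/usr/bin/curl"),        # admin-approved update
    Package("mcafee-agent", "4.6", "/opt/McAfee/agent"),
    Package("netcat-backdoor", "1.0", "/tmp/.x/nc"),    # nobody approved this
]


def run_example():
    """Re-baseline SECOND_SCAN against FIRST_SCAN with only 'curl' approved."""
    old = baseline(FIRST_SCAN)
    new = baseline(SECOND_SCAN)
    return review(delta(old, new), approved_changes={"curl"})


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Run as a script and the only unexplained delta reported is the added `netcat-backdoor` entry; the `curl` change is suppressed because it is on the approved list. The stored baseline is the security-relevant artifact here: keep it somewhere the host itself cannot rewrite, or an intruder who modifies software can simply update the baseline to match.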

Since then, awareness and concern over the cyber-threat has grown exponentially, as has DoD’s focus on cyber-operations. With this, a greater need has grown for automation to provide better command and control, better situational awareness, and the ability to operate at network speed with machine-to-machine flows of information.

“Even though those objectives weren’t part of our original focus, we realized HBSS was a great platform to address those emerging requirements,” Orndorff said.

“It seemed like a pretty awesome undertaking even when it started out,” he acknowledged, “but it has definitely grown since then. The good news is we have high-level leadership support for this program. Commanders at all levels are tracking progress in implementation and providing the support to get resources on board to get this operating effectively.”

HBSS is a centrally managed, host-based Tier 3 enclave-level tool, according to Ann Baron-DiCamillo, HBSS program manager. “Within the tool, there are different point products, such as an intrusion detection system and intrusion prevention system, a firewall system, policy compliance reporting, device control capabilities, rogue system detection capability, and an architecture capability to include third party and other government developed integration products,” said Baron-DiCamillo. “The server pushes an agent to the host to install, manage, and add to all point products on the host,” Baron-DiCamillo continued. “HBSS supports INFOCON baselining, robust whitelist capability, buffer overload protection, and situational awareness from an asset alert reporting capability.

“The situational awareness includes a variety of asset information, such as operating system versions, anti-virus/anti-spyware, etc. From alert reporting, two point products within the host-based security system do alerting: the Host Intrusion Prevention System — which is the intrusion prevention and detection system — and the anti-virus,” she added.
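An added example, not HBSS code, of the rogue-system check Orndorff and Baron-DiCamillo describe: hosts observed on a segment (here a constructed `ip neigh` listing) are compared with a managed-asset inventory and with recent agent check-ins, and sorted into managed, managed-but-agent-silent, friendly-unmanaged and rogue. The inventory, the check-in set, the hostnames and the use of MAC addresses as the asset key are assumptions of this example; the page does not say how HBSS implements its detection.

```python
"""Added example, not HBSS code: classify hosts seen on a network segment
against a managed-asset inventory and recent agent check-ins.

Assumptions (hypothetical): assets are keyed by MAC address, observed hosts
come from Linux 'ip neigh' output, and the management server can say which
agents reported in recently. All data below is constructed.
"""
import re

# Constructed managed inventory: MAC -> hostname.
MANAGED_ASSETS = {
    "00:1a:2b:3c:4d:01": "ws-0101",
    "00:1a:2b:3c:4d:02": "ws-0102",
}
# Constructed list of friendly systems registered but outside the
# network operators' management control.
KNOWN_UNMANAGED = {"00:1a:2b:3c:4d:10": "visitor-laptop"}
# Constructed set of MACs whose agent checked in within the review window.
AGENT_CHECKINS = {"00:1a:2b:3c:4d:01"}

# Constructed 'ip neigh' output; the FAILED entry has no lladdr and is skipped.
SAMPLE_IP_NEIGH = """\
10.1.1.5 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.1.1.6 dev eth0 lladdr 00:1a:2b:3c:4d:02 STALE
10.1.1.7 dev eth0 lladdr 00:1A:2B:3C:4D:10 REACHABLE
10.1.1.8 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.1.1.9 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9A-Fa-f:]{17}) (?P<state>\S+)$"
)


def parse_ip_neigh(text):
    """Return [(ip, mac)] for entries that resolved to a hardware address.

    MACs are normalised to lower case so inventory lookups are case-insensitive.
    """
    sightings = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            sightings.append((m.group("ip"), m.group("mac").lower()))
    return sightings


def classify(mac, checkins=AGENT_CHECKINS):
    """Sort one observed host into a readiness category."""
    if mac in MANAGED_ASSETS:
        # Managed but silent: agent removed, disabled or blocked. Investigate.
        return "managed" if mac in checkins else "managed-agent-silent"
    if mac in KNOWN_UNMANAGED:
        return "friendly-unmanaged"
    # Not in any inventory: added outside management control or malicious.
    return "rogue"


def report(neigh_text, checkins=AGENT_CHECKINS):
    """Map each observed IP to its category."""
    return {ip: classify(mac, checkins) for ip, mac in parse_ip_neigh(neigh_text)}


if __name__ == "__main__":
    for ip, category in sorted(report(SAMPLE_IP_NEIGH).items()):
        print(f"{ip:<12} {category}")
```

Two caveats a practitioner would attach: a MAC can be spoofed, so this check establishes presence and absence, not trust, and a "managed-agent-silent" host deserves as much attention as a rogue one, since a disabled agent is exactly what an intruder who has gained administrative control would produce.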

The framework will also accept government-developed capabilities. These can address specific threats the DoD is experiencing that industry may be unaware of or not especially concerned about: the department will be able to develop government additions to the framework for emerging or DoD-specific threats and use HBSS to push those capabilities out to hosts.

DISA’s strategy for implementing and supporting the program has also evolved, officials note. The initial strategy was to set up an enterprise contract and buy a DoD-wide software license, as well as the key hardware components needed to roll this out. But each component, agency, military service and field activity was essentially responsible for developing its own implementation plan, with some support and training from DISA.

“That’s still the plan that, for the most part, the larger military services are executing,” Orndorff said. “But we’ve added an option where DISA will host some of the infrastructure for the services and components out of our enterprise computing centers. The components will still have the operational responsibility to manage alarms and operate and defend their portion of the network, but we will take over some of the burden of standing up the infrastructure and maintaining, upgrading, and patching it — all the normal responsibilities needed to operate a new capability.

“The enterprise service option has recently become available with initial implementations occurring over the past month. We are quickly moving out with the fielding process. The specific deadlines are classified, but we’re moving quickly toward the finish line,” he said.

Training Needs

Given the pervasiveness of the new system and the major changes it will involve in operations, officials realize training and managing expectations are critical. They are using a variety of methods, including online programs, classroom training, and the latest collaboration tools.

For example, the initiative is taking advantage of an existing partnership with Carnegie-Mellon University, which had already developed a capability called the virtual training environment to push general information assurance and security training to users and administrators. “What we did was to take advantage of the capability and build in a group of HBSS-specific modules for high level leaders, administrators and users,” said Chris Paczkowski, chief, CND Enclave Security Division. “It’s a multi-part targeted set of training products, which allows us to deliver the training anywhere in the world, 24 hours a day. For the first time since I’ve been in this business, we’re getting feedback that the online training is better than the classroom training.”

“We’ve always had traditional classroom training for administrators, but we wanted to give more of a focus to the management side,” Baron-DiCamillo explained. “So we’ve worked to create specific classes geared more toward senior management. Instead of going through four days of classes, you can choose different modules that fit your role in the HBSS deployment.”

To address newly emerging topics and focus areas, officials are also using DISA’s Defense Connect Online, which offers a variety of collaboration tools. In addition, teams of enterprise implementers are available to visit locations to assist in getting started.

Several companies also are helping with implementation, testing, and operational support. The prime contractor is BAE, which subcontracts to McAfee for the products, and there are additional contracts for implementation support and training.

“During this implementation phase, we’ve tried to set expectations by defining what we think is a safe first step in getting this rolled out,” Orndorff explained. “We have some pretty good plans for where we want to take it next, with at least three waves of improvement already on the drawing boards. By the time we get to the second wave, I’m sure we’ll be thinking about the fourth one. We’ll continue to evolve this to leverage it to the maximum extent possible.”

The program is also coordinating closely with other DoD efforts. The Enterprise Solutions Steering Group, which is led by U.S. Strategic Command and includes participation from the military services, the National Security Agency, DISA, and other agencies, decides on priorities and develops technical approaches. While DISA then takes the lead on the acquisition side, participants emphasize that it truly represents a DoD enterprise approach to addressing network defense requirements.

“We’re enthusiastic about HBSS, and we’re excited about what this brings to DoD networks,” said Orndorff. “But this is just one component of a strategy to secure and defend the networks. It doesn’t solve all of our problems or eliminate other key defense capabilities that we’re working on in parallel. It’s not a silver bullet, but is part of an integrated framework to help defend DoD networks.”
