September 3, 2015
Joel Atkinson, Associate Category Manager
Florida Department of Management Services
4050 Esplanade Way, Suite 360
Tallahassee, FL 32399-0950
Reference: Department of Management Services RFI Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services
Dear Joel Atkinson,
HP Enterprise Services, LLC (HPES) appreciates the opportunity to present our response to the Florida Department of
Management Services (DMS) RFI for Cyber-security Assessment, Remediation, and Identity Protection, Monitoring, and
Restoration Services.
HPES is a global leader in cybersecurity services, and our security experts possess the methodologies, tools, knowledge, certifications, and direct hands-on experience to provide most of the pre-incident and post-incident services covered by this RFI through the General Services Administration (GSA) Schedule 70 contract. The scope of Schedule 70 does not include identity monitoring, protection, and restoration services for individuals potentially affected by a cyber-security incident, but these can be handled as “open market” items.
We believe HPES’ recently announced partnership with FireEye/Mandiant will be of particular importance to the State of Florida and its Agencies. This partnership is unique within the cybersecurity industry and leverages intellectual property and specialized capabilities from both companies through HPES’ GSA Schedule 70, allowing us to deliver these pre- and post-incident services seamlessly to our end clients.
On average today, breaches take 205 days just to detect, cost $3.5M per occurrence, take 32 days to respond to after detection, and are reported 69% of the time by a third party [1]. HP/FireEye Advanced Compromise Assessment, Managed Advanced Threat Protection, and Global Incident Response services are now available to prevent and remediate Advanced Persistent Threats (APTs) and associated malware for all State of Florida Agencies and Departments. FireEye capabilities have been at the center of remediation for most if not all of the recent publicly announced breaches at Target, Home Depot, Sony, the White House, the DOD Joint Chiefs of Staff, Anthem, and CareFirst. We look forward to eliminating the need to respond post-incident by proactively detecting and preventing these highly advanced intrusions, and we stand ready to respond post-incident should the need arise.
HPES is also an awardee of the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Program Blanket Purchase Agreement (BPA), which is open to state and local governments. The CDM program provides tools and services that enable government IT networks to strengthen their security posture. The tools and services delivered through the CDM program enhance and automate the monitoring of critical security controls, correlate and analyze security-related information across the enterprise, and support risk-based decision making at the agency and state enterprise level. Information on this BPA, sponsored by the U.S. Department of Homeland Security, can be found at http://h10131.www1.hp.com/public/contract-vehicles/dhs-cdm/ and on the U.S. General Services Administration website, http://www.gsa.gov/portal/content/177883.
[1] “On average” metric source: Mandiant M-Trends 2015 Report
HP Enterprise Services, LLC
13600 EDS Drive
Herndon, VA 20171
John Prestidge
Account Sales Executive
HPES State and Local Government
Introduction
HP Enterprise Services and FireEye, Inc. have announced a joint partnership to bring security consulting and managed monitoring services to our clients within the US Public Sector.
The initial consulting capabilities include the Advanced Compromise Assessment, in which a team of HP and FireEye (Mandiant) consultants performs a technical assessment of a customer’s environment to determine whether that environment has been breached by a threat actor such as a nation state or criminal enterprise. Alternatively, or depending upon the results of the Advanced Compromise Assessment, a joint team of HP and FireEye (Mandiant) personnel will perform a deep technical Incident Response to determine the full breadth and impact of a penetration and breach by the threat actor.
Our security qualifications include but are not limited to the following differentiators:
- Over 5,000 security professionals globally and over 40 years of industry experience delivering cyber-security services.
- Security services used by 9 of the top 10 banks, 9 of the top 10 software companies, and 10 of the top 10 telecoms.
- A client list that includes all major branches of the Department of Defense.
- 10 Global Security Operations Centers with over 1,000 managed security customers.
- Over 23 billion security events handled every month, and security services for the world’s largest intranet, the Navy and Marine Corps Intranet.
- Selection as a Continuous Monitoring cybersecurity vendor on the US Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Blanket Purchase Agreement.
- Vendor-agnostic security services that include product and service offerings from a rich partner ecosystem (Equifax, FireEye, Splunk, RSA, F5, CA, Blue Coat, Palo Alto Networks) as well as a broad range of HP-developed security products and intellectual property, which combine holistically to provide the best security services in the market.
- Through our security product and services teams, we are the source of many of the vulnerability discoveries fed to Microsoft, VeriSign, and others. In fact, we discover four times as many critical vulnerabilities as the rest of the market combined. We monitor thousands of technologies from over 200 vendors for vulnerabilities and publish more than 8,500 bulletins per year.
- Advisory, transformational, and/or managed cybersecurity services, depending upon each client’s unique requirements.
- A broad and deep portfolio of security services, including:
  - Cyber-Situational Awareness and Defense services
  - Data Protection and Privacy Consulting services
  - Distributed Denial of Service (DDoS) Protection services
  - Data Loss Prevention services
  - Endpoint Security services
  - Identity Access Management and Identity Governance and Administration services
  - Security Intelligence and Incident Response services
  - Security Strategy and Risk Management services
  - Network Security services
  - Threat and Vulnerability Management services
  - Security Information and Event Management (SIEM) services
  - Security Forensic services
While we have world-class leadership in security products, multivendor-based security services, and decades of global
security experience – you’ll find us fully committed to you and all Florida State Agencies with exceptional responsiveness
and the experience/capabilities to address all of the RFI’s requirements and more. To help answer any questions prior to
potential next steps, and to make it easy to share details on HPES’ cybersecurity capabilities, experience, and
differentiators with your key decision makers, we have created a custom microsite for review, per the access information
below. On this site, you will find detailed information on security metrics, examples, service descriptions, and
whitepapers to further illustrate the unique pre/post-incident security solution value that HPES is capable of providing the
State of Florida.
DMS HPES Microsite address https://h10131.www1.hp.com/spp/539/floridadepartmentofmanagementservices/
User Name florida
Password 2015+security
Note: Both the username and password above are lower case. The password includes a non-alphanumeric character as a best practice, making it more difficult to crack.
Background
We can protect what matters. Together.
Today's adversaries are ceaselessly targeting businesses of all sizes, in all geographies and in all industries. Enterprises can't afford to take a 'wait and see' posture when protecting their assets. Studies show that on average it takes 205 days to identify that a breach has taken place; something has to change to balance the scales and protect your most valuable assets, and advanced threat protection services do just that.
We find the right solutions to solve each client's unique security problem: detecting active threats, stopping attacks before they happen, mitigating risk, and proactively addressing lingering security vulnerabilities. HPES, along with FireEye, takes the fight to the adversary to stop threats before they become breaches, and mitigates intrusions with a swift incident response team that brings cutting-edge tools and experience to the most pressing forensic investigations.
HPES and FireEye have just raised the bar for advanced threat protection services and incident response. We know your adversaries will respond, and we will proactively be there with you, armed with HP Enterprise Services’ unparalleled global reach and portfolio of world-class security service offerings, including a comprehensive suite of security remediation services underpinned by FireEye's advanced threat detection, intelligence, methodologies, and incident response expertise.
The ultimate goal of a cyber-security solution is encapsulated in a concept referred to as “decision support”: real-time information on active threats, incidents, and security posture obtained from a robust security infrastructure. This infrastructure is supported by a mature security program that delivers timely recommendations for management action. The solution design incorporates:
- Delivery of confidentiality, integrity, availability, and accountability in accordance with risk-management requirements
- A modular approach based on appropriately evaluated and configurable commercial off-the-shelf products
- A proactive rather than reactive security solution, providing greater resilience to attack
- Consideration of known threat sources and those that may arise dynamically, using cyber-intelligence tools to warn of emerging threats
- Collecting, storing, and protecting all transactional and accounting data in an audit store that is made available to the security operations center (SOC), management, and all other relevant agencies
Maximize security effectiveness
HP Enterprise Security Services developed Cyber Security Consulting Services based on our existing dedicated security architecture practice. Through these focused, robust, and established security architectural principles, we enable organizations to maximize the effectiveness of their IT security strategy and provide a coherent and consistent view of—and protection from—the current threat landscape.
Contact Information
John Prestidge
Account Sales Executive
HP Enterprise Services LLC – State and Local
John.prestidge@hpe.com
603.529.5702 (o)
603.759.7996 (m)
Steve Lazerowich
Enterprise Security Solutions, Practice Principal
HP Enterprise Services LLC – USPS
steven.i.lazerowich@hpe.com
404.774.1213 (o)
301.560.4455 (m)
Response to Section IV
1) Pre-Incident Services:
a) Incident Response Agreements – Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.
The State or individual agencies, in advance of an incident, can establish task orders directly against the GSA Schedule with CLINs that would be activated against certain activities. CLINs for preparation, assessment, response plans, training, and a hotline could be activated at time of award, while Incident response; Mitigation and Identity Monitoring, Protection, and Restoration CLINs would be activated on an as needed basis. The individual CLINs could be Firm Fixed Price or Time & Materials, as applicable to the service provided. The terms and condition of the GSA Schedule 70 would apply as well as specific state terms, providing there is no conflict with GSA terms.
Alternatively, the GSA IT Schedule allows for the formation of Blanket Purchase Agreements (BPAs), whereby a framework can be established in advance with indefinite delivery-indefinite quantity (IDIQ) requirements to follow. The State of Florida can establish a BPA with single or multiple awardees for use by State Agencies, or state agencies can establish their own BPAs. Pricing and terms would be established through the BPA for use at the task order level. Individual agencies could then place orders against the BPA. Please include the ability to have Contractor Team Arrangements (CTAs) to allow for full solutions including any needed software. Under a CTA, two or more GSA Schedule contractors work together to meet ordering activity needs. By complementing each other's capabilities, the team offers a total solution to the ordering activity’s requirement, providing a win-win situation for all parties. Information on CTAs can be found at www.gsa.gov/contractorteamarrangements.
b) Assessments – Evaluate a State Agency’s current state of information security and cyber-security incident response capability.
HP Enterprise Cyber Security Consulting Services provides focused, robust, and established security architectural principles enabling organizations to maximize the effectiveness of their IT security strategy and provide a coherent and consistent view of—and protection from—the current threat landscape.
HP’s Digital Investigation Services (DIS) team is comprised of dedicated consultants with a wide range of corporate, law enforcement, and military cyber-investigative experience. They have experience providing insight and direction in incident response program development, training of incident response staff, investigation of complex security problem scenarios including: internal misuse and abuse, HR investigations, exploitation of vulnerable, publicly accessible systems (hacking), virus / malware outbreaks, denial and distributed denial of service attacks, and targeted, cyber espionage via advanced persistent threats.
In keeping with the theme of this RFI, HPES’ security practitioners are available to provide a variety of services as best meets the needs of the State and/or any subordinate agencies. Three assessment services, the Cyber Security Readiness Service, the Cyber Security Design Service, and the HP/FireEye Compromise Assessment, are described in detail below. HPES offers other types of assessments that may also be of interest to the State, including those around HIPAA and PCI-DSS.
Cyber Security Readiness Service
In order to design a successful cyber-defense solution or a SOC, an organization needs a security architecture that can support it. A series of workshops helps define the successful implementation of this type of architecture. These workshops are intended to:
- Identify the need for enhanced security management in the context of the business requirement, including risk, compliance, and costs
- Define the scope of the project
- Identify the security management system within the client environment
- Identify the policy and regulatory requirements that the client is required to satisfy
- Examine the risk assessments and risk treatment plans, and address any accreditation issues
- Identify audit and data retention requirements
- Examine the security architecture
- Identify the technical estate to be monitored, to assess data capture rates and integration issues
- Identify the requirements for incident handling, proactive security, and security management services
- Identify training and mentoring requirements, including a gap analysis of the client’s staff
- Identify the disaster recovery and business continuity requirements
- Identify program and project management requirements and quality assurance
Deliverables from this stage include:
- Business benefits statement
- Report on the findings of the assessment phase, mapped to a capability maturity model
- Outline project plan for a cyber-solution
- Indicative costs of a cyber-solution
Cyber Security Design Service
This service can build on the findings of the Cyber Security Readiness Service or stand alone if you have already carried out your own assessment of your cyber security readiness. It is designed to:
- Establish the project management structure
- Prepare or amend Risk Management and Accreditation Document Sets, if necessary, to include security operating procedures and the Information Security Management System
- Prepare detailed project work plans with milestones
- Build programs, including roles and responsibilities, processes, technology, compliance, asset register, and dashboard
- Create and develop templates for the compliance requirements roadmap, reporting, policies, and procedures
- Create and develop templates for security training and awareness programs
- Create and develop templates for SOC training, forensic awareness, and mentoring programs
- Create SOC physical and technical designs, including threat management systems
- Establish the reporting baseline and design reports
Deliverables from this stage include:
- Findings report of the design phase
- Project steering committee structure
- Project Management Office structure
- Templates for compliance requirements, security training and awareness programs, SOC mentoring and training programs, and policies and procedures (a security handbook)
- Report on security architecture design with recommendations for improvements
- SOC physical and technical design
- Dashboard design
- Reporting templates
The HP/FireEye Compromise Assessment consists of two components – a host-based compromise assessment that
focuses on identifying active and dormant indicators of compromise on host systems, and a network-based compromise
assessment that focuses on identifying malicious activity in ingress and egress network traffic.
Host-Based Assessment
To perform the host-based assessment, HP/FireEye works with your network and system administrators to have the MIR agent installed throughout the network (on all systems running a Microsoft Windows operating system) and to deploy a MIR controller on the network. HP/FireEye then performs a series of sweeps across the network for indicators of compromise (IOCs). HP/FireEye malware and forensics professionals analyze the results of the scans, and additional, more targeted scans are conducted as necessary. The results are then collated and provided in a detailed report. The paragraphs below describe this process in more detail.
Deploying Mandiant Intelligent Response (MIR)
Mandiant Intelligent Response (MIR) is the flagship FireEye (Mandiant) product for finding evidence of compromise across an enterprise environment, and it is the primary tool used for the host-based assessment portion of the compromise assessment. The initial phase of the host-based assessment involves planning for the MIR agent deployment to endpoint systems. Initial planning is required to understand and address potential network segmentation issues, identify high-priority systems or segments that should be scanned first, prepare the agent and controller deployment mechanisms, and identify any other aspects of the deployment that may require attention. Once the planning is complete, HP/FireEye will provide the agent package for installation along with instructions and guidance for deploying and testing it. To achieve maximum efficiency, the MIR planning and deployment will be conducted in parallel with the external network penetration testing.
Sweeping with MIR (Execution and Analysis)
Advanced Persistent Threat (APT) intruders use tools and techniques that leave trace evidence on each system they compromise. We call this trace evidence host-based indicators of compromise. New indicators of compromise emerge each time APT intruders attack a network; therefore, organizations need to be adept at identifying new indicators of compromise. These new indicators are critical to understanding the scope of the compromise.
HP/FireEye has used MIR to inspect over one million systems at firms compromised by APT intruders. During these efforts, HP/FireEye has identified and recorded hundreds of unique host-based and network-based indicators of compromise, and on each incident response engagement we continue to add to and revise our host- and network-based indicators of compromise. These are APT indicators that anti-virus and traditional signature-based products do not detect.
HP/FireEye uses the power of MIR to inspect each system for any indicators of compromise, including but not limited to:
- Specific file MD5 signatures
- Specific file names and file path structures
- Unique indicators in the import tables of executable files
- References to over 100 known “hostile” domains in running processes and active network connections
- Indicators in critical registry keys and values
- Specific global mutexes used by processes
- Rootkits, hidden files and hidden processes
- Compressed or encrypted executable files
- Network-based indicators in memory
Figure 1: MIR Datasheet
Typically, HP/FireEye performs a series of scans during the host-based assessment. Initially, the scans are directed at
test ranges of systems to allow verification of results and to benchmark scanning performance. Once initial testing has
been completed, HP/FireEye sweeps the environment and reviews matches to known IOCs. The sweeps are tailored for
the environment based on operating systems, types of systems to scan, any known threats, and industry vertical. Based
on the results of initial scans, HP/FireEye may perform follow-up scans to improve search accuracy, add additional IOCs,
and/or focus in on particular systems of interest.
All of the data from the various scans is processed as the assessment progresses as additional scans and systems of
interest are identified from the original scans that are run. Thus, at the end of the host review, HP/FireEye is able to
provide a detailed report explaining what steps were taken to search for evidence of an attack, whether any indicators
of compromise were found, and if so, what systems were affected and what indicators were found on those systems.
HP/FireEye reviews the results with your team to determine whether additional investigative steps are warranted and to
provide recommendations for next steps in terms of further investigation and/or remediation activities.
Note that the current scope does not include further investigation if indicators of compromise are identified. In the event that evidence of compromise is found, further investigation, live response analysis, and a full incident response can be provided on a time and materials basis at your request.
Network-Based Assessment
For the network-based assessment, HP/FireEye uses a combination of HP/FireEye network sensors and FireEye network appliances. The HP/FireEye network sensors provide a network-based capability, built on modern network intrusion detection technologies, to monitor an enterprise network for advanced threat activity. HP/FireEye analysts use IOCs compiled from previous consulting engagements, as well as any indicators from your environment gathered in the host-based assessment, to perform real-time monitoring for advanced threats in ingress and egress traffic.
The FireEye network appliances monitor the network for indications of potentially malicious activity. Binaries and other potential malware from this traffic are extracted and run through a virtual execution environment, which allows us to test for a range of threats, from a new zero-day exploit happening in real time on the network to an established command and control channel used to maintain a persistent connection into the network.
Figure 2: FireEye NX Datasheet
Sensor Deployment
Initial planning is required to understand the network architecture, network traffic points of presence, hardware requirements, and other potentially critical network design issues. Once HP/FireEye has a comprehensive understanding of the network environment, HP/FireEye delivers all necessary hardware (network sensor systems and FireEye network appliances) for the selected network traffic points of presence to be monitored.
HP/FireEye pre-configures many of the settings on the network sensors and FireEye devices, so they should require only minor configuration changes once physically installed by the organization. HP/FireEye can quickly finish the configuration onsite and test the devices to ensure they are properly capturing and processing network traffic and properly sending alerts for identified malicious traffic. Once testing is complete, HP/FireEye configures the devices to send alerts to HP/FireEye personnel and to a pre-defined e-mail address specified by your organization.
Network Traffic Alerting
The goal of the network-based portion of the assessment is to capture any active attacks in progress. This may include brand-new attacks against the environment that happen while the assessment is being conducted, as well as follow-on activity from a previous compromise, such as command and control activity, data exfiltration, and downloads of new attacker tools and malware. HP/FireEye provides real-time alerts for these activities so your team sees them as soon as HP/FireEye does. HP/FireEye then traces these activities back to the affected system to verify the compromise and feeds any new IOCs back into the host-based assessment process to conduct additional host-based searches, as appropriate.
As with the host based portion of the assessment, all of the data from the network based compromise assessment is
processed as the assessment progresses and systems of interest are identified. This data feeds back into the host based
assessment and is incorporated into the detailed report, showing whether any indicators of compromise were found,
and if so, what systems were affected and what indicators were found on those systems. HP/FireEye reviews the
network based alerts with your team to determine whether additional investigative steps are warranted and to provide
recommendations for next steps in terms of further investigation and/or remediation activities.
Important note: If indicators of compromise are identified, HP/FireEye can provide surge support to respond to the
incident at your request. Note that incident response activities would extend or preempt the project and delay future
phases. Response surge support is provided on a time and materials basis.
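The host-based sweep described in the MIR section and the feedback loop described here, in which a domain seen by the network sensor becomes a new host-side indicator for the next sweep, can be illustrated with a small indicator matcher. The following Python is an added example, not HP/FireEye/Mandiant code and not a description of how MIR is implemented: the indicator tree loosely follows the shape of Mandiant’s OpenIOC format (AND/OR nodes over term/condition/value leaves, written here as Python objects rather than XML), and every host snapshot, hash, path, domain, mutex name and registry key below is constructed for the example.

```python
"""Toy IOC sweep: an AND/OR indicator tree evaluated against per-host artifact snapshots.
Added example; not MIR or OpenIOC code. All host data and indicator values are constructed.
AND is evaluated per host (each child must match somewhere on the host), not per artifact."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Item:                 # leaf indicator, e.g. Item("FileItem/Md5sum", "is", "<hash>")
    term: str
    condition: str          # "is" = exact (case-insensitive), "contains" = substring
    value: str


@dataclass
class Node:                 # boolean combination of Items and Nodes
    op: str                 # "AND" or "OR"
    children: list = field(default_factory=list)


@dataclass
class Host:                 # what an endpoint agent reports back to the controller
    name: str
    files: list             # dicts: path, md5, imports (list[str]), packed (bool)
    processes: list         # dicts: name, domains (list[str]), mutexes (list[str])
    registry: dict          # key path -> value data


def _artifacts(host: Host, term: str):
    """Yield (value, location) for every artifact on the host that a term compares against."""
    kind, attr = term.split("/", 1)
    if kind == "FileItem":
        for f in host.files:
            if attr == "Md5sum":
                yield f["md5"], f["path"]
            elif attr == "FullPath":
                yield f["path"], f["path"]
            elif attr == "Packed":
                yield str(f["packed"]), f["path"]
            elif attr == "ImportedModule":
                for mod in f["imports"]:
                    yield mod, f["path"]
    elif kind == "ProcessItem":
        for p in host.processes:
            for v in (p["domains"] if attr == "Domain" else p["mutexes"] if attr == "Mutex" else []):
                yield v, p["name"]
    elif kind == "RegistryItem" and attr in ("KeyPath", "ValueData"):
        for key, data in host.registry.items():
            yield (key if attr == "KeyPath" else data), key


def evaluate(node: Item | Node, host: Host) -> list[str]:
    """Evidence strings if the indicator matches the host, else an empty list."""
    if isinstance(node, Item):
        want = node.value.lower()
        return [f"{node.term} {node.condition} {node.value!r} @ {where}"
                for val, where in _artifacts(host, node.term)
                if (node.condition == "is" and val.lower() == want)
                or (node.condition == "contains" and want in val.lower())]
    results = [evaluate(c, host) for c in node.children]
    if node.op == "OR" or all(results):         # AND fails if any child has no evidence
        return [e for r in results for e in r]
    return []


def sweep(hosts: list[Host], ioc: Item | Node) -> dict[str, list[str]]:
    """One sweep across the estate; only hosts with evidence are reported."""
    return {h.name: ev for h in hosts if (ev := evaluate(ioc, h))}


def ioc_from_network_alert(domain: str) -> Item:
    """A C2 domain seen by the network sensor becomes a host-side indicator for the next sweep."""
    return Item("ProcessItem/Domain", "contains", domain)


# Constructed data: three fictional hosts and one fictional APT indicator.
HOSTS = [
    Host("WS-001",
         files=[{"path": "C:\\Windows\\Temp\\svch0st.exe", "md5": "4f6a2b0c9d1e8f7a6b5c4d3e2f1a0b9c",
                 "imports": ["WS2_32.dll", "WININET.dll"], "packed": True}],
         processes=[{"name": "svch0st.exe", "domains": ["update.examp1e-cdn.net"], "mutexes": ["Global\\x_7f3"]}],
         registry={"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc": "C:\\Windows\\Temp\\svch0st.exe"}),
    Host("WS-002",
         files=[{"path": "C:\\Program Files\\App\\app.exe", "md5": "0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e",
                 "imports": ["KERNEL32.dll"], "packed": False}],
         processes=[{"name": "app.exe", "domains": ["www.example.com"], "mutexes": []}], registry={}),
    Host("SRV-01", files=[],
         processes=[{"name": "w3wp.exe", "domains": ["api.examp1e-cdn.net"], "mutexes": []}], registry={}),
]

APT_IOC = Node("OR", [
    Item("FileItem/Md5sum", "is", "4F6A2B0C9D1E8F7A6B5C4D3E2F1A0B9C"),      # hash of a known sample
    Node("AND", [                                                            # packed PE dropped in Temp that imports Winsock
        Item("FileItem/FullPath", "contains", "\\Windows\\Temp\\"),
        Item("FileItem/Packed", "is", "True"),
        Item("FileItem/ImportedModule", "is", "ws2_32.dll"),
    ]),
    Item("ProcessItem/Mutex", "is", "Global\\x_7f3"),                       # the malware's run-once mutex
    Item("RegistryItem/KeyPath", "contains", "\\CurrentVersion\\Run\\svc"),  # its persistence key
])

if __name__ == "__main__":
    # First sweep: known indicators only. Second sweep: a C2 domain from a network alert is
    # fed back in and also surfaces SRV-01, which beaconed without carrying the known binary.
    for ioc in (APT_IOC, Node("OR", [APT_IOC, ioc_from_network_alert("examp1e-cdn.net")])):
        for name, evidence in sweep(HOSTS, ioc).items():
            print(name, *evidence, sep="\n  ")
```

The first sweep reports only WS-001, on six pieces of evidence (hash, the three-part behavioural AND, mutex, Run key). Widening the indicator with the domain from the network alert also reports SRV-01, whose only artifact is a beacon to the same C2 infrastructure, which is exactly the case the network-based assessment exists to catch. Note that the AND here is scoped to the host, so a packed file in Temp and a different file importing ws2_32.dll would both count; production indicator formats address that by scoping conditions to a single artifact.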
Analysis and Results
At the completion of the project, HP/FireEye provides a written report presenting the results of the assessment. A management summary provides a summary of the results, including statistics on compromised hosts and a list of critical findings, together with an analysis of your organization’s security posture based on the results of this assessment. The detailed portion of the report provides notes and results from each of the phases of the compromise assessment and then presents the detailed findings to explain each identified indication of compromise and the affected systems. The report includes:
- Description of the compromise
- Type of attack (commodity malware versus targeted attack)
- Identified timelines (date of first activity, if determined; date of most recent activity)
- A list of affected systems
- Recommendations for next steps (remediation or further investigation)
c) Preparation – Provide guidance on requirements and best practices.
The first step in providing a comprehensive incident response program is to begin with an Enterprise Engagement Process (EPP). The EPP is used to understand the State agency’s existing capability for incident response and ascertain the requirements for incident escalation, investigation, problem management, change management, socialization, training, and process testing. This enables HPES to leverage standard processes and provide increased consistency and quality. The end result is a complete escalation plan, response scenarios, confirmed reporting requirements, and a fully informed and security-aware partnership. During the EPP, HP Digital Investigation Services (DIS) consultants will:
- Complete a technical fact survey that describes the current technical and business environment as well as the information necessary to successfully respond to a security incident (preparation)
- Review existing incident response policies and procedures (preparation)
- Develop a custom incident response and escalation plan that covers the response process flow, incident verification process, incident validation/initial analysis and assessment, escalation process, initial meeting, and contact information (develop plan)
- Review the due diligence and escalation plan to verify the process steps and provide training information to the support organization (preparation)
d) Developing Cyber-Security Incident Response Plans – Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.
HP Digital Investigation Services resolves adverse security events by following proven processes and escalation routes supported by best-in-breed technology. Our approach is grounded in best practices and methodologies that ensure a predictable and immediate reaction to security threats. HPES clearly sets out how we respond to any and all attacks and how your defenses will be supported by our expertise in security and vulnerability protection. We will work with you to provide:
- Security incident response planning: provides a detailed work plan of the business and technical environment
- Incident notification process: provides additional feeds from sources within your IT environment, in addition to HPES monitoring of your IT environment
- Security incident investigation: determines cause, impact, and ways to prevent recurrence
- Impact mitigation during an incident: enables immediate situational control and minimizes impact with immediate on-site action by HPES to gain visibility of an incident and to detect and shut down the breach traffic
- Executive notification process: provides immediate notification and ongoing updates on incidents to designated executives
- Final incident report: delivers a summary report on each incident, actions taken, and recommendations to mitigate recurrence
- Monthly reports: provide monthly activity and trending, including metrics around severity and motive, case status, and risks associated with active incidents
e) Training – Provide training for State Agency staff from basic user awareness to technical education.
The HPES team will partner with the State’s security teams to develop a Security Awareness program (Security Training Program) that incorporates the State and Agency security policy guidelines. The overall Security Training Program will begin with instituting a mission statement that supports the State’s business plan. The Security Training Program will align with the State’s current security culture, improve security practices, reduce potential security-related audit concerns, and support compliance with policies and continuous improvement.
A Security Awareness (SA) program is designed to accomplish the following:
- Establish security as an integral part of business practices
- Ensure everyone understands their responsibility to exercise and promote good security practices
- Provide the information necessary to implement good security practices according to approved policies, standards, and procedures
- Support the State’s requirements to meet and reinforce policy, laws, and regulations
- Enhance and add value to services
- Reduce risks to the State and its agencies
- Keep pace with changes in threats, business requirements, and compliance standards
The HPES team will leverage the vulnerabilities and risks identified by the recommended Vulnerability Assessments to define actual program training needs and direction, along with the compliance requirements of the Criminal History Record Information Act (CHRIA), the Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS) regulations, United States Social Security Administration (SSA) regulations, IRS (Internal Revenue Service) Publications, and the Payment Card Industry (PCI) standards.
Elements and Description
Understand senior management’s level of support: Institute a Senior Management Security Awareness program champion to demonstrate Senior Management’s commitment to security.
Determine the Security Training Program Scope: Evaluate the State’s risks and vulnerabilities. Evaluate compliance requirements for the Criminal History Record Information Act (CHRIA), the Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS) regulations, United States Social Security Administration (SSA) regulations, IRS (Internal Revenue Service) Publications, State ITBs, and Payment Card Industry (PCI) standards.
Determine Value and Applicability: Map laws, regulations, vulnerabilities and job functions/responsibilities. Designed to identify individuals’ needs and deliver appropriate security training.
Determine how security, laws and regulations relate to Job Responsibilities: Security Awareness is best shared if employees understand why it is applicable to their job responsibilities. Establish a baseline of best practices and reinforce policies for all employees.
Delivery Methods: Establish a Security Awareness internal website to provide personnel with access to security resources. Post policies, a list of security personnel, an incident response number, awareness tips, etc.
Develop Design: Establish a Security Awareness Methodology. A Security Awareness program cannot afford to become stale or dated. It must keep up with the State’s current and the larger security culture, evolving threats, laws and regulations, and changes in policies and job responsibilities.
Develop targeted Security Awareness programs: Develop and implement targeted programs that ensure all personnel have an awareness of common threats and a familiarity with security policies and procedures and laws and regulations. Build a good balance of security with effective business practices.
Capture metrics, measure, report and improve: Implement a scoreboard that communicates interactively with the employee to ensure training is completed and provides the management team with results.
In order to successfully leverage this approach and deliver quality services, the HPES team will require knowledgeable personnel representing the State security teams, State Management team, and State Policy team. To roll out an effective Security Training program, the HPES team will work with the State security teams to develop a roadmap which will be periodically reviewed to ensure it is achieving Security Training Program goals and continues to align with the State’s business goals.
In addition to regulatory and compliance requirements, the HPES team will work with the State security team to identify
specific requirements for the Security Awareness program. Examples of additional State requirements may include, but
are not limited to:
Legal requirements
Contractual requirements
Policy requirements
Computer personal usage policies and procedures
Computer security awareness training (annually per government regulation)
Understanding of employees participation in a business continuity plan
Proper information handling procedures and practices
E-mail usage policies and procedures
Understanding of the requirements for handling sensitive data
Guidelines for leaving the building after work
Severe weather response
Evacuation plan
Mandatory Security Training
HPES and the State will develop a Security Training program that includes a strategy for defining the required Security
Awareness training programs for employees, contractors and subcontractors assigned to work on State projects and
facilities. Required training will be prioritized by the mapping developed through the Determine Value and
Applicability process. This process will also identify the type of training and the level of learning required to be most
effective, i.e. awareness or active training.
The HPES team understands that there is a difference between “Security Awareness” and “Security Basics Training”.
Awareness presentations are designed to teach learners how to recognize security concerns and respond accordingly, and
are focused on benefit, not on fear. In presentations and awareness activities the learner is a recipient of information,
whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with
attractive packaging techniques. Training is more formal, having the goal of building the knowledge and the skills needed
to facilitate job performance.
“Security Awareness” is explicitly required for ALL employees, whereas “Security Basics Training” is required for those
employees, including contractor employees, who are involved with IT systems. In today’s environment this typically
means all individuals within the organization. The “Security Basics Training” category is a transitional stage between
“Awareness” and “Training.” It provides the foundation for subsequent training by providing a universal baseline of key
security terms and concepts.
The HPES team is committed to developing the appropriate levels of training and has the highly qualified information
security subject matter experts capable of developing and delivering it.
Levels of training
Working with the State, the HPES team will develop a method to track employees, contractors and subcontractors assigned
to work on State projects and verify that each individual receives appropriate training on time. The HPES team will
work with the State to implement a Security Scoreboard as a method to track employees’ progress, present friendly
reminders, and present Management with training completion metrics and results. The Security Training Scoreboard will be
integrated with the State’s security clearance database system to track current training status and overall attainment of
group training goals.
Training requirements will be driven by Project Level, Job Status, and Job Profile. This will provide a means to support
training requirements at a broader level.
The Security Training Scoreboard provides value by tying in with the Security Incident Management system, so that
analysis reports, such as the effectiveness of a specific security training course versus the number of incidents over time,
can be produced. The HPES team will work with the State teams to develop these types of reports, compliance reports and
security training effectiveness maturity reports. Reports will be used to evaluate both the scope of the State’s security
training needs and the effectiveness of the training provided and its delivery methods. The reports will also support
allocating future training resources where they derive the greatest value or return on investment.
Ongoing training will be supported by such things as slogans, campaigns, posters, periodic email flyers and website
postings.
Types of training
Levels of training will range from general security awareness, to governance, to targeted training.
Working with the Value and Applicability Mapping process, the method of delivery can easily be identified. The HPES
team will work with a variety of methods to deliver Security training. Examples of training materials/activities include:
Policies, procedures, guidelines
Conduct Office space reviews
Online self-paced training to ensure
Hands-on training courses
Security Awareness Videos
Interactive presentations – in person
Virtual Lunch & Learn sessions
Web based information – Bulletins (Dedicated Security web site)
Training campaigns, including posters, flyers, Brochures, emails
A security reminder banner on computer screens, displayed when a user logs on
Promotional/specialty “trinkets” with motivational slogans
The HPES team will work with the State’s security team on a design that builds employees’ consideration of security and
associates it with protection and compliance. The HPES team’s delivery method is mixed to keep it fresh and engaging.
The HPES team will work with the State’s security team to develop best practices and reinforce policy.
Security Awareness Training
Awareness training presentations must be ongoing, creative, and motivational, with the objective of focusing the
learner’s attention so that the learning is incorporated into conscious decision-making and results in behavior
that makes security part of everyone’s job.
Working with State’s security team, the HPES team will assist in the development of Employee Self-Assessments and an
All Employee Awareness program. The program will educate participants so they will better understand State’s security
policies and procedures and the ways of preventing common threats. Topics might include:
PC security practices
Clear desk practices
Mobile device security
Handling Sensitive Information
Information Classification
Browsing
Email & instant messaging
Piggybacking and tailgating
Social engineering
Insider threat
Personal safety
Travel Safety
Annual office space reviews
Annual Self-assessment surveys
Targeted Training
The HPES team will work with the State’s security team to ensure training methods do not negatively impact productivity.
Targeted training will be focused and have a succinct goal.
The HPES team will work with the State’s security team to build the Security training program, working with Security
Planning and Incident Response to assess the current security culture and current threats and to determine training needs.
The assessment will assist in developing all targeted training, on topics such as:
Computer viruses
Remote Access
Backing up data
Continuity
Destruction of sensitive materials
Building access
Security incidents
Security alerts
Password management
Vendor patch deployment policies/processes
Advanced Persistent Threat
Data Protection
Encryption
Security Threats are ongoing; therefore training is an ongoing necessity. The HPES team will work with State’s security
team to help build a sustaining Security training program. The Program’s processes and resources should be reviewed
annually, at the very least, and be used to update both training content and communication methods. As a result, the
program becomes an established part of the organization's culture and is current and engaging.
2) Post-Incident Services
a) Breach Services Toll-free Hotline – Provide a scalable, resilient call center for incident response information
to State Agencies.
State Agency personnel can initiate DIS services by calling HPES’ Security Operations Center 24 hours a day, 7 days a
week, or as agreed in the escalation plan. DIS personnel will respond to the State Agency’s inquiry and immediately begin an
investigation. A typical incident response service level agreement (SLA) is 15 minutes.
b) Investigation/Clean-up – Conduct rapid evaluation of incidents, lead investigations and provide remediation
services to restore State Agency operations to pre-incident levels.
These services are included as the “outputs” and deliverables of either a Compromise Assessment (described above) or
Incident Response services described below.
c) Incident Response – Provide guidance or technical staff to assist State Agencies in response to an incident.
HP DIS provides a team of experienced computer security incident response and digital forensics practitioners. HP DIS
provides a full complement of forensic processes and utilities in support of client needs. Typical HP DIS engagements
include targeted data collection, utilization analysis (HR investigations), technical root cause analysis (RCA),
and scope of impact (SOI) analysis. All investigation services are supported through forensic data collection best
practices, including Chain of Custody documentation, reproducible analysis methods, and detailed reporting as required.
The types of forensic investigations include, but are not limited to:
Targeted data collection services to support a client’s need to extract and preserve evidence to be used in the
furtherance of internal security investigations. Such investigations are supported through complete forensic
acquisition best practices and are performed at the direction of the client.
Utilization investigations provide the client with an understanding of the actions of a user for a given time frame. This
analysis will use available information on the user’s device as well as externally logged data (Active Directory, proxy,
network, etc.) to show timing, behaviors, and outcomes of user actions. Such investigations commonly support HR
investigations and malware investigations.
Technical Root Cause Analysis (RCA) investigations attempt to provide insight into the actions contributing to a security
event. These investigations collect digital artefacts from computers and logging resources (SIEMs, firewalls,
network appliances, authentication services, etc.) and, to the extent available, provide a detailed explanation of the
facts and conditions that led to the event of concern. Such investigations are used to identify sources of unauthorized
changes, internal misuse, theft, unauthorized access, and impacts to service.
Scope of Impact (SOI) investigations attempt to establish the complete impact of a malicious event on the client
infrastructure. This impact may be defined by the number of devices affected, the duration of the event, the data
exposed, or the source of the impact. SOI investigations, much like RCA, involve the collection and iterative analysis
of any kind of digital artefact that may be leveraged to support the investigation. As this case type typically involves
many networked resources, HP DIS will guide the identification of appropriate digital artefacts and their collection in a
forensically sound manner, and provide timely analysis.
Manual and automated malware analysis is often conducted to preserve our customers’ privacy and public image.
When presented with URLs hosting malicious content, processes collected from memory, or executables found on
disk, HP DIS will subject the file to an internal automated analysis process, as well as a manual review including
debugging and decompiling. These two processes are used to identify the behavior of the malware, enumerate its
characteristics, and to establish the potential for data theft and exfiltration. The results of analysis are used with
discretion to support the client by working with its antivirus and network security controls vendors to develop
signatures or improve the control detection ability. Where appropriate the findings from the analysis are used to
further an investigation by establishing the full scope of impact by identifying all systems exhibiting the same
characteristics.
All digital forensic services are provided through an ongoing engagement that will provide the State Agency with timely
updates and responses. Where appropriate, HP DIS will work side-by-side with the State Agency’s internal support
teams, investigation teams, and legal support.
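The forensic collection practices named above (chain of custody, reproducible analysis, verifiable reporting) rest on one mechanical step: every collected artefact is hashed at acquisition time, the hashes are sealed in a manifest, and every later analysis step re-verifies the files against that manifest. The following is an added illustration of that step, not code from HPES or HP DIS; the case id, collector name and the two sample log lines are constructed placeholders.

```python
"""Chain-of-custody manifest for collected evidence files (added example, not HP DIS code)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _items_digest(items):
    """Digest over the sorted item list; canonical JSON makes it reproducible."""
    return hashlib.sha256(json.dumps(items, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence_dir, case_id, collector):
    """Record relative path, size and SHA-256 of every file under evidence_dir."""
    items = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            path = os.path.join(root, name)
            items.append({
                "relpath": os.path.relpath(path, evidence_dir).replace(os.sep, "/"),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    items.sort(key=lambda e: e["relpath"])
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
        "manifest_sha256": _items_digest(items),  # seals the item list itself
    }


def write_manifest(manifest, path):
    """Persist the manifest outside the evidence tree so it is not counted as evidence."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def verify_manifest(evidence_dir, manifest):
    """Return (ok, problems): detects edited, added and missing files and a tampered manifest."""
    problems = []
    if _items_digest(manifest["items"]) != manifest["manifest_sha256"]:
        problems.append("manifest item list does not match its recorded digest")
    expected = {e["relpath"]: e for e in manifest["items"]}
    seen = set()
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir).replace(os.sep, "/")
            seen.add(rel)
            entry = expected.get(rel)
            if entry is None:
                problems.append(f"unexpected file: {rel}")
            elif sha256_file(path) != entry["sha256"]:
                problems.append(f"hash mismatch: {rel}")
    for rel in expected:
        if rel not in seen:
            problems.append(f"missing file: {rel}")
    return (not problems, problems)


def demo():
    """Constructed walkthrough: collect two sample logs, seal them, verify, then detect tampering."""
    base = tempfile.mkdtemp(prefix="coc_")
    evidence = os.path.join(base, "evidence")
    os.makedirs(os.path.join(evidence, "host1"))
    # Constructed sample artefacts, not real data.
    with open(os.path.join(evidence, "host1", "auth.log"), "w") as f:
        f.write("2015-09-01T08:12:03Z sshd[411]: Accepted publickey for jdoe from 10.0.0.5\n")
    with open(os.path.join(evidence, "host1", "proxy.log"), "w") as f:
        f.write("2015-09-01T08:15:40Z 10.0.0.5 GET http://example.com/ 200\n")
    manifest = build_manifest(evidence, case_id="CASE-EXAMPLE-001", collector="analyst@example.org")
    write_manifest(manifest, os.path.join(base, "manifest.json"))
    clean_ok, _ = verify_manifest(evidence, manifest)
    # Simulate a post-collection modification of one artefact.
    with open(os.path.join(evidence, "host1", "auth.log"), "a") as f:
        f.write("line added after collection\n")
    tampered_ok, problems = verify_manifest(evidence, manifest)
    return {"clean_ok": clean_ok, "tampered_ok": tampered_ok, "tampered_problems": problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is written beside, not inside, the evidence tree, and the item list carries its own digest, so an investigator can show both that the files are unchanged since acquisition and that the record of what was acquired is unchanged; in practice that manifest digest is what gets countersigned on the chain-of-custody form and quoted in the final report.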
Global Incident Response from HPES and FireEye/Mandiant comprises services that help you detect active threats, manage incidents, and respond to critical security breaches effectively. Our global response teams are available 24/7, working with you to execute an effective remediation plan. This includes deploying proprietary incident response technologies from HPES and FireEye/Mandiant to support the investigation through data capture, analysis, and reporting. This technology is supported by our constantly updated global threat intelligence to anticipate attacks and take preventive measures. We work with you to identify systems and networks that have been compromised by stealthy advanced threats and zero-day malware. We also investigate signs of compromise to determine if attackers are still active or have been in the past. While performing the investigation, we collect evidence and analyze it to determine the attack vector, establish the timeline, and determine the extent of the compromise. We then evaluate which data has been compromised and work toward identifying the attacker. We provide expert advice to help your organization recover from a breach and minimize the impact of the event, reducing both the risk to your business and the potential damage to your reputation. We work closely with you to provide comprehensive and structured reports to help you understand the chain of events and make the right business decisions.
We develop a detailed remediation plan aligned to your business objectives, providing context for the attack, the extent of the compromise, and the intentions and tactics of the attackers. We also recommend actions to contain the breach and eradicate the threat. A detailed security improvement plan provides recommendations to improve your security posture and implement the best security controls to avoid similar incidents in the future.
d) Mitigation Plans – Assist State Agency staff in development of mitigation plans based on investigation and
incident response. Assist State Agency staff with incident mitigation activities.
For purposes of this response, we are assuming that “Mitigation” is defined as reducing the impact of a specific incident
response engagement and/or of findings developed as a result of a Compromise Assessment, Cyber Security Readiness
Assessment, and/or Cyber Security Design Service engagement.
As such, HPES personnel will work alongside State Agency personnel to understand the specific nature of findings and/or
events, approaches to reduce, or if possible eliminate, the impact of a finding or event, and how the State Agency may
assess susceptibility to such findings in other systems and Agencies. If requested, HPES will also provide specific
proposals for additional technologies, architectural approaches, business processes and application assessments to
reduce the likelihood of future recurrence.
e) Identity Monitoring, Protection and Restoration – Provide identity monitoring, protection, and restoration
services to any individuals potentially affected by a cyber-security incident.
Identity monitoring, protection and restoration services are outside the scope of the GSA IT 70 Schedule and are
typically handled under the GSA Financial And Business Solutions Schedule 520, which is currently not available to state
and local agencies. HPES, however, has partnered with Equifax, one of the largest sources of consumer and commercial
data and a leading provider of these services, and offers these services as an “open market” component of our overall
solution.
Equifax is able to provide unique data-driven solutions that deliver value to breach-affected individuals, agencies and
companies. Utilizing our databases, advanced analytics and proprietary enabling technology, Equifax provides real-time
answers for our customers. This innovative ability to transform information into actionable intelligence is valued by
customers across a wide range of industries and markets and serves as the basis for our Identity Monitoring, Protection,
and Restoration portfolio of products.
In the event of a cyber-security incident, Equifax is positioned to quickly respond to the incident on behalf of the
affected organization. Equifax provides ID Theft Protection products as well as ancillary products that provide
comprehensive coverage in response to the incident.
Equifax’s ID Theft Protection includes:
Credit file monitoring - daily monitoring of key changes to 1B or 3B credit files that may be an early warning of potential ID theft
Access to credit reports - enable consumers to ensure the accuracy of their 1B or 3B credit files
Automatic fraud alerts - statement on credit file requesting creditors to take additional steps to verify a consumer’s identity before approving new loans
Web detect - monitoring of potential exposure of consumers’ SSNs, bank and credit/debit account numbers on underground trading sites
To further support our partners with their cyber-security incident, Equifax also offers the following services:
Address Refresh and Data Append Services - when address records are old or incomplete, Equifax uses a proprietary
solution to update the old addresses to enable partners to maximize the universe of consumers that they can notify
Mail Shop Services - partners can outsource the processing of notification letter mailings
Data Breach Help Line (Tier 1) - call center to respond to consumer questions about the event and product availability & enrollment