The Marine Corps is reducing the likelihood of a computer or laptop introducing a virus or malware to its network. The Marines are employing a new approach to cybersecurity that goes beyond continuous monitoring.
Ray Letteer, the chief of the cybersecurity division for the Marine Corps, said the comply-to-connect initiative is about removing much of the people challenges by automating the software patching and updating the cyber processes in real time.
“A lot of people are using continuous monitoring, there are some tools and policies out there already. But we kind of thought continuous monitoring was admiring the problem. And I personally didn’t want to admire the problem. I wanted something more active,” Letteer said after a panel discussion at the AFCEA Washington, D.C., chapter’s Cybersecurity Summit in Washington Wednesday. “So we set up this program to do a comply-to-connect construct, when you plug it in [to the network] , your box will get remediated based on the current requirements that DoD tells us.”
Letteer said to test out the comply-to-connect concept, the Marines bought a PC from a local retailer and plugged it into the network. He said within about 45 seconds the tools running the comply-to-connect initiative updated the new PC to meet the Marines and the Defense Department’s cybersecurity requirements.
He said the real value of the tool comes when a Marine brings back a laptop or device after spending a few days or weeks in the field.
“The problem has always been when you are on an enterprise network or on a garrison network, whenever you needed to do any patches or updates, it goes over and over, it does reboots and it takes time. In some cases, you go away for three or four hours and come back before it’s done, or sometimes you have to leave it for the weekend to get done,” Letteer said. “This approach we’ve been able to show it’s doing it in minutes rather than hours and days. That’s important when you come in and connect your system into the network, you want to make sure that it’s being done in such a way that it’s not going to unnecessarily impact what the user is trying to do.”
Letteer said the comply-to-connect approach doesn’t just update computers and laptops as they come onto the network, but also ensures those running on the network continuously that they have all the right configuration settings and software patches, and if not, the device is updated immediately.
Many cyber experts say patch management is one of the easiest things an organization can do to protect its systems and networks from vulnerabilities.
“Implement automated patching tools and processes for both applications and for operating system software,” SANS wrote. “When outdated systems can no longer be patched, update to the latest version of application software. Remove outdated, older, and unused software from the system.”
But many agencies do not take enough advantage of automated tools.
The Office of Management and Budget found in its more recent annual Federal Information Security Management Act (FISMA) report to Congress that only 81 percent of all agencies used automated vulnerability management systems that scan agency IT hardware for common vulnerabilities, such as software flaws or required patches, and facilitate remediation of those vulnerabilities to protect against intentional or unintentional misuse or malicious exploits.
Additionally, agency inspectors general found 15 departments still hadn’t developed a mature patch management process despite the fact that 16.3 percent of all cybersecurity incidents reported to the Homeland Security Department’s U.S. Computer Emergency Readiness Team (U.S. CERT) in fiscal 2013 by the largest agencies were related to malicious code attacks. ` Letteer said the Marines, who have been working on this concept for more than two years, said bad actors don’t have to work too hard because so many agencies don’t do the easy stuff such as patching. He said it’s akin to leaving the door unlocked and letting burglars walk right in to your house.
“We found people aren’t really skilled in how to use the tools. They don’t understand things like permissions, certificates and access to the systems. We found in some cases 99 percent of all the patches were never done,” he said. “So how do I get beyond this part of workers who may not be skilled enough and I want to make sure that it’s human proof. That’s why we set up this process to say let’s get these things done so we fix the simple issues.”
The Marines Corps has applied this concept to about 3,500 systems and will expand it to all major regions and bases by the end of December. Then Letteer said the Corps will consider how best to apply comply-to-connect to tactical systems and other programs of record, which have been the toughest challenge to keep up to date without affecting the systems’ effectiveness.
“I actually had a report that was given to me last month that at one time during the day those 3,500 systems were 100 percent compliant. People say you can’t do it, but you really can when you automate it,” he said. “The big delta continues to be how do I work those program of record systems or tactical special systems. Those aren’t part of this process yet because there are still some deltas we have to achieve like how do we handle JAVA, for example, or what happens if you do a patch [and it doesn’t work] . The nice thing about our system is if you do a patch and it doesn’t work, it can unpatch it. Then you can say that one doesn’t work and you can do a plan of action and milestones to get a date for how we will remediate it and what tests we are doing to do. At least we know it now.”
Along with the comply-to-connect initiative, Letteer said the Marines are training program managers on software assurance so they know what questions to ask developers and what to look for in the code itself.
In fact, the Corps held its first class in partnership with the Marine Systems Command with about 16 service members.
“We acquired a particular tool that will help us do software assurance. We want to make sure program managers know what to do. Why give them a tool if you’re not going to train them on how to use it?” Letteer said. “If I can teach the program managers what to do and how to do code because colleges and universities are teaching security and in many cases of code development, they are using shared libraries and pulling dynamic link libraries from somewhere else and putting them in code and so the persistent problem always exists. I want to get away from that.”
Related to the software assurance and patching is another effort by the Marines to protect their websites and Web applications.
Letteer said the Marines recently awarded a contract to have a vendor install Web application firewalls to further improve security of its network.
“I have a Marine Corps Web risk assessment cell and this cell’s task is to look at all the Marine Corps sites from the outside. They are not doing penetration testing, but coming from outside the Marine Corps looking at vulnerabilities as if they were an adversary to see what problems are there,” he said. “One of the two sites was a manpower site and it had a lot of personal identifiable information on it. They’ve done enough work where they’ve actually done not only Web application firewalls, but database firewalls and such. To me, they are the most secure data repository in the DoD right now because they can see everything and remediate everything. We now are going to put them in front of all Marine Corps websites that we own.”