According to Symantec’s 2013 Internet Threat Security Report, the U.S. Federal Government was number four out of the top ten sectors targeted by malware. Other sectors included in the report are Manufacturing, Finance, and Service. In addition, the number of targeted attacks against the DoD and other industries has increased by 42% over the past year. Given our dependence on Information Technology, one can argue that these numbers will only continue to rise, especially with regard to the DoD. While IT has created a more efficient and agile military, it has also created a high risk computing environment in which to conduct day-to-day operations.
Desktop assets in use at the DoD number in the tens of thousands, so securing this layer is critical given the threat statistics referenced above – each desktop can be a potential weak spot waiting to be exploited. The challenge at the DoD has been to minimize the risk posed by desktop assets without sacrificing operational capability. The strategy they have employed is known as the Host Based Security System (HBSS).
What is the DISA HBSS?
HBSS is a suite of commercial-off-the-shelf (COTS) applications created by McAfee. In other words, HBSS is simply a program name crated by DoD. For the purposes of this blog, I will not go into great detail about each one of the HBSS components, but will simply give a summary of the product and its purpose. Additionally, I’ll provide some of the benefits and challenges associated with implementing and maintaining such a powerful suite of applications.
- ePolicy Orchestrator and McAfee agent: The real power behind the HBSS suite is the ability to provide security practitioners and executive management with a unified, real-time view of the security posture of all desktop assets within the organization. The two main components of HBSS that make this possible are the McAfee Agent and ePolicy Orchestrator (EPO). The Agent is the reporting mechanism, while EPO is the report repository. The Agent must first be deployed to all desktop devices within the organization before it provides continuous reporting of the asset it’s installed on. All Agents report to the EPO server which will then store the information in a database. This in a nutshell, is the process which allows HBSS to provide reporting capabilities that are extremely useful and allow leadership to assess risk in real time.
- Policy Auditor: Policy Auditor is used to scan a DoD desktop asset for compliance with DISA security configuration standards. It uses a SCAP/OVAL scan engine, which means it can quickly scan and validate the host’s compliance with DISA STIG benchmarks.
- Rogue System Detection: Rogue System Detection is used by EPO to scan all assets connected to the enterprise for the presence of the McAfee Agent. If the agent is not present, EPO can either send an alert to the HBSS administrators or take a proactive approach by blocking the asset from obtaining network access.
- Asset Baseline Monitor: Asset Baseline Monitor is used to establish a security benchmark across the enterprise. Once a baseline configuration is established, it can be used by EPO to monitor alterations throughout all desktop assets and send alerts if needed.
- Host Intrusion Prevention (HIPS)/Firewall and Virus Scan Enterprise: While the main feature of the Anti-Virus client is to monitor, alert, and prevent malware, the HIPS component provides protection and counter measures against web exploits such as Denial of Service, Buffer Overflow, and Cross-Site Scripting attacks. This protection is very useful given the rise of web attacks that took place in 2012 as stated in Symantec’s 2013 Internet Threat Report.
It’s important to note that all HBSS components are deployed and configured from the EPO console. This framework provides HBSS administrators with central management, as well as the ability to test policy updates in test environments in a much easier fashion.
HBSS provides host level protection for several threat vectors that typically target desktop operating systems. Being able to protect multiple weak points simultaneously offers substantial benefits to the enterprise. Additionally, HBSS provides detailed report capabilities, real-time asset status, central configuration management, and defense-in-depth-protection of the latest cyber threats
While effective at reducing asset exposure to malware exploits, HBSS requires additional resources to manage, and can also cause setbacks in day-to-day operations when initially deployed – considerations of which IT executives should be aware of. HBSS can also be a challenge to incorporate into an existing security program. HBSS will stretch the overall IT budget. Additional manpower, training, infrastructure, and software licensing are some of the costs tied to HBSS. Agencies should conduct a thorough cost/benefit analysis along with risk analysis to determine if HBSS aligns with their information protection strategy.
Fortunately, Segue Technologies currently supports various DoD agencies which utilize HBSS. As such, we are intimately aware of the HBSS components, their purpose, and how it impacts operational capability.
Overall, HBSS is a powerful security tool that greatly improves the security posture of DoD desktop assets. The DoD will continue to fund, deploy, and support HBSS as long as operational capability is not degraded while IT assets are kept secure.