Raytheon Oakley Systems - AFCEA

Michael Crouse, VP, Sales & Marketing

Daniel Velez, Director, Program Operations

Copyright © 2013 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company. Cleared for release. #IIS2013-226.

About us

Founded as Oakley Networks in 2001

Acquired by Raytheon in 2007

US Government & Fortune 500 customers

9th Generation Enterprise Audit and Insider Threat Solutions

SureView – Export Controlled Dept of Commerce

Raytheon Oakley Systems

Securing Classified Networks and Fortune 500 customers since 2001

Raytheon Oakley Systems – Products

Insider Threat, Enterprise Audit, Risk Management, IP Theft Protection, Cross Domain, External Data Source Integration, & Analytics

SureView™ Innovation and Integration

[Diagram: SureView™ integrated with McAfee ePO (HBSS) and ArcSight. SureView™ components: Investigations, Dashboards, Policies, Events. Capability labels: 64-bit, audit, social networking, reporting, scalability, malware detection, Linux. Audited channels: Printer, Keyboard, Email, Office, Clipboard, File, IM, Log On, System, Process, Browser, Terminal Servers, Lotus Notes, Application, Channel, Registry, USB, Video.]

Policy-Driven Auditing

Specifies what to audit and what should be in the audit record

Specifies what not to collect

Ex: “Do not collect email to/from [email protected]”

Leverages simple “If/Then” statements

Enables Multiple Stakeholders

Ex: Active Malware Protection (AMP)

AUDITED ACTIVITY

• File write to removable media

• File contains sensitive data

  - SAP code names

  - fingerprinted text

AUDIT RECORD

• Date/Time, Username, Workstation

• Offending Device

• Action: Capture File

• Action: <email> Security Staff

• Action: <forward> ArcSight

Management Controls

US DoD Image

Role-based Access

Robust Operator Auditing

Segregation of Collected Data

Chain of Custody Features

Non-technical Oversight

Integration with 3rd-party enterprise tools such as ePO and various SIEMs (ArcSight, Splunk, etc.)

Access to controls based on role, mission requirements, and authorization

CrossView™: Cross Domain Auditing

Analyze events from networks across air-gapped domains on one investigator workbench.

[Diagram: SureView™ / CrossView™ Cross Domain Solution. Network A, Network B and Network C feed a single Analyst Workbench.]

Convergence: External Data Source Aggregation

Facility Access Information

Personnel Security Information

HR Data Communications

Foreign Travel Information

Shared Space Audit Data

Multi-source data aggregation and single search queries

Future

Convergence: Conceptual Architecture

[Diagram labels: Desktop Agents, Collector Node, Central Database, Master Node, Enterprise Application Suite, Arbitrary External Data Sources, REST APIs (requires separate Convergence license), Analytics Node, Connector Modules, Phase 1 Data Analytics]

Spotlight - Analytics Interface

Enables customers to discover and understand meaningful patterns in large sets of audit data through seamless integration with best-of-breed analytical tools including:

– Risk assessment algorithm,

– Anomaly detection,

– User trend analysis,

– Role-based profiling w/ threat indicators

Analytics Platform modules may be developed by ROS, authorized 3rd-party partners, or directly by customers

Analytics Platform provides optimized access to SureView data and a means for sending the results of analysis back into the SureView system for presentation to analysts

Spotlight: Conceptual Architecture

[Diagram labels: Collector Node, Central Database, Master Node, Enterprise Application Suite, REST APIs, Spotlight Framework, Analytics Node, Analytics Modules, Management & Status, User Interface]

Support for Person-Centric Investigations

Implies a shift away from the traditional primary association of collected data to a SureView agent.

Particularly relevant to:

– Convergence customers who are aggregating audit data from multiple external data sources

– SureView customers with hosted virtual desktop environments

– CrossView customers with users whose behavior they audit across multiple domains

Add features to more easily attribute collected audit data to an identifiable person.

SureView Value Proposition

Demonstrably Superior Cyber Audit Capability

– Operationally proven, mature and scalable solution with an overall install base of over hundreds of thousands of endpoints to date

– Unobtrusive and configurable policy-based endpoint auditing with full-context event replay

– Comprehensive coverage and collection of end-user behavior on desktops, workstations and laptops, whether connected to the network or completely offline

Low Risk

– Fully accredited for operation on JWICS, SIPRNET & other classified/unclassified networks

– Fully interoperable with other host-based security system architectures and leading Security Information and Event Management (SIEM) tools such as ArcSight

– Comprehensive mission support for services, training, and documentation

Compliant

– Compliant with DCID 6/3 and ICD 503 as well as DISA STIG security requirements

– Fully validated NIST FIPS 140-2 encryption modules for all cryptographic functions

– Standardized audit policies and common, exportable data format enable discovery and retrieval of audit information.

Cost Effective

– Low Total Cost of Ownership (TCO)

– Flexible Pricing for Focused Observation Investigations and Enterprise Auditing

– Support for Hosted Virtual Desktops to align with agency virtualization and cloud strategies

To demonstrate the power of the ROS SureView system with Convergence and Advanced Analytics Options

Agenda

Scenario 1 – Unapproved Job Outsourcing

Scenario 2 – Intellectual Property Theft

Scenario 1 – Unapproved Job Outsourcing

Scenario: FJEA insider, Aaron Reed, exposes his agency to tremendous risk when he covertly outsources his job to a 3rd party in China and opens up access to mission resources in the process.

This demonstration shows how the correlation of aggregated data from multiple sources can illustrate a rich view of the context around user activities that provides valuable insight into an insider’s motivation and intent.

This kind of proactive approach is essential to mitigating today’s complex array of insider threat risks.

Scenario 1 – Unapproved Job Outsourcing

Video Demo

Scenario 2 – Intellectual Property Theft

Scenario: Impact of Company Reduction In Force Notification (RIF) on employee behavior causing increased risk of an Insider Threat incident.

Bob Davis potentially working with a 2nd Party inside the company to exfiltrate sensitive company data.

This demonstration shows that an effective insider threat mitigation program requires aggregation and correlation of data from various data repositories.

With context and audit records from multiple sources, the time to discover and investigate an incident is reduced.

Scenario 2 – Intellectual Property Theft

Video Demo

Contact Info

Michael Crouse, Vice President, Sales and Marketing

Raytheon Oakley Systems

443-858-8527

[email protected]

Daniel Velez, Director, Program Operations

Raytheon Oakley Systems

703-244-9887

[email protected]