Copyright © 2013 Raytheon Company. All rights reserved.
Customer Success Is Our Mission is a registered trademark of Raytheon Company.
Raytheon Oakley Systems
Michael Crouse
VP, Sales & Marketing
Daniel Velez
Director, Program Operations
Cleared for release. #IIS2013-226.
About us
Founded as Oakley Networks in 2001
Acquired by Raytheon in 2007
US Government & Fortune 500 customers
9th Generation Enterprise Audit and Insider Threat Solutions
SureView – Export Controlled Dept of Commerce
Raytheon Oakley Systems
Securing Classified Networks and Fortune 500 customers since 2001
Raytheon Oakley Systems – Products
Insider Threat, Enterprise Audit, Risk Management, IP Theft Protection, Cross
Domain, External Data Source Integration, & Analytics
SureView™ Innovation and Integration
[Diagram: SureView™ with McAfee ePO (HBSS) and ArcSight; SureView™ Investigations, Dashboards, Policies, Events]
64-bit audit social networking reporting scalability malware detection Linux
Printer Keyboard Email Office Clipboard File IM Log On System Process Browser Terminal Servers Lotus Notes Application Channel Registry USB Video
Policy-Driven Auditing
Specifies what to audit and what should be in the audit record
Specifies what not to collect
Ex: “Do not collect email to/from [email protected]”
Leverages simple “If/Then” statements
Enables Multiple Stakeholders
Ex: Active Malware Protection (AMP)
AUDITED ACTIVITY
• File write to removable media
• File contains sensitive data
  - SAP code names
  - fingerprinted text
AUDIT RECORD
• Date/Time, Username, Workstation
• Offending Device
• Action: Capture File
• Action: <email> Security Staff
• Action: <forward> ArcSight
Management Controls
Role-based Access
Robust Operator Auditing
Segregation of Collected Data
Chain of Custody Features
Non-technical Oversight
Integration with 3rd-party enterprise tools such as ePO and various SIEMs (ArcSight, Splunk, etc.)
Access to controls based on role, mission requirements, and authorization
CrossView™: Cross Domain Auditing
Analyze events from networks across air-gapped domains on one investigator workbench.
[Diagram: SureView™ / CrossView™ Cross Domain Solution; Analyst Workbench; Network A, Network B, Network C]
Convergence: External Data Source Aggregation
Facility Access Information
Personnel Security Information
HR Data Communications
Foreign Travel Information
Shared Space Audit Data
Multi-source data aggregation and single search queries
Future
Convergence: Conceptual Architecture
[Diagram: Desktop Agents; Collector Node; Central Database; Master Node; Enterprise Application Suite; Arbitrary External Data Sources; REST APIs (requires separate Convergence license); Analytics Node; Connector Modules; Phase 1 Data Analytics]
Spotlight - Analytics Interface
Enables customers to discover and understand meaningful patterns in large sets of audit data through seamless integration with best-of-breed analytical tools including:
– Risk assessment algorithm,
– Anomaly detection,
– User trend analysis,
– Role-based profiling w/ threat indicators
Analytics Platform modules may be developed by ROS, authorized 3rd-party partners, or directly by customers
Analytics Platform provides optimized access to SureView data and a means for sending the results of analysis back into the SureView system for presentation to analysts
Spotlight: Conceptual Architecture
[Diagram: Collector Node; Central Database; Master Node; Enterprise Application Suite; REST APIs; Spotlight Framework; Analytics Node; Analytics Modules; Management & Status; User Interface]
Support for Person-Centric Investigations
Implies a shift away from the traditional primary association of collected data to a SureView agent.
Particularly relevant to:
– Convergence customers who are aggregating audit data from multiple external data sources
– SureView customers with hosted virtual desktop environments
– CrossView customers with users whose behavior they audit across multiple domains
Add features to more easily attribute collected audit data to an identifiable person.
SureView Value Proposition
Demonstrably Superior Cyber Audit Capability
– Operationally-proven, mature and scalable solution with an overall install base of over
hundreds of thousands of endpoints to date
– Unobtrusive and configurable policy-based endpoint auditing with full context event replay
– Comprehensive coverage and collection of end-user behavior on desktops, workstations
and laptops, whether connected to the network or completely offline
Low Risk
– Fully accredited for operation on JWICS, SIPRNET & other classified/unclassified networks
– Fully interoperable with other host based security system architectures and leading Security
Information and Event Management (SIEM) tools such as ArcSight
– Comprehensive mission support for services, training, and documentation
Compliant
– Compliant with DCID 6/3 and ICD 503 as well as DISA STIG security requirements
– Fully validated NIST FIPS 140-2 encryption modules for all cryptographic functions
– Standardized audit policies and common, exportable data format enable discovery and
retrieval of audit information.
Cost Effective
– Low Total Cost of Ownership (TCO)
– Flexible Pricing for Focused Observation Investigations and Enterprise Auditing
– Support for Hosted Virtual Desktops to align with agency virtualization and cloud strategies
To Demonstrate the power of the ROS
SureView system with Convergence and
Advanced Analytics Options
Scenario 1 – Unapproved Job Outsourcing
Scenario: FJEA insider, Aaron
Reed, exposes his agency to
tremendous risk when he
covertly outsources his job
to a 3rd party in China and
opens up access to mission
resources in the process.
This demonstration shows
how the correlation of aggregated data from multiple sources can
illustrate a rich view of the context around user activities that
provides valuable insight into an insider’s motivation and intent.
This kind of proactive approach is essential to mitigating today’s
complex array of insider threat risks.
Scenario 2 – Intellectual Property Theft
Scenario: Impact of Company Reduction In Force Notification (RIF) on
employee behavior causing increased risk of an Insider Threat incident.
Bob Davis potentially working with a 2nd Party inside the company to
exfiltrate sensitive company data.
This demonstration shows that an effective insider threat mitigation
program requires aggregation and correlation of data from various data
repositories.
With context and audit records from multiple sources, the time to discover
and investigate an incident is reduced.
Contact Info
Michael Crouse Vice President, Sales and Marketing
Raytheon Oakley Systems
443-858-8527
Daniel Velez Director, Program Operations
Raytheon Oakley Systems
703-244-9887 [email protected]