Intrusion Prevention at the U.S. Postal Service - PowerPoint PPT Presentation

Provided by: searchsecu
Slides: 34

Transcript and Presenter's Notes

1
Intrusion Prevention at the U.S. Postal Service
  • Delivering Security Each Day, Every Day!
  • Presented by Charles L. McGann, Jr., Manager of
    Secure Infrastructure Services, United States
    Postal Service

2
Disclaimer
  • This presentation is not an endorsement of any
    product or service by any vendor.
  • It is a presentation on the Intrusion Prevention
    activities that the U.S. Postal Service is
    engaged in and the resulting vendor products and
    support currently utilized.

3
Agenda
  • Define Intrusion Prevention
  • The U.S. Postal Service
  • The Beginning - Security Assessment
  • Technology Evaluation and Requirements
  • Product Selection
  • Implementation
  • Measures of Success
  • Lessons Learned / What's Next
  • Questions

4
What is Intrusion Prevention?
  • Intrusion prevention systems are any devices
    and/or software that exercise access control to
    protect computers and software from exploitation.
    They can rely on patterns of behavior or known
    malicious signatures to block access or
    activities.
  • Intrusion prevention technology is considered by
    some to be an extension of Intrusion Detection
    Systems (IDS) technology, but it is actually
    another form of active access control, like an
    application-layer firewall.

5
A View of the USPS
  • Class A Network - One of the World's Largest
  • 34,000 Attached Locations
  • 12,000 Dial-up or Other Connections
  • 700,000 Plus Employees
  • 160,000 Workstations, 14,000 Mobile Devices and
    240,000 Active Domain Registered Users
  • 3,000-plus Business Partner Connections
  • 7 Major IT Processing and Development Facilities
  • Distributed Mail Processing Environment at 460
    Facilities

6
Sensor Detection Tracking
7
Our Strategy
  • Address our disappearing perimeter
  • Firewalls are not doing it
  • Security from the inside out
  • Secure the entry points
  • Adapt to changing environment
  • Protect our customer and business competitive
    data, and infrastructure
  • Protect USPS brand image

8
Our View of Prevention
9
Securing Network and Computing Environment
  • 5 Internet Access Points: San Mateo, Eagan,
    Raleigh, Memphis, Headquarters
10
Security Assessment
  • Performed a security assessment of the
    environment
  • Recognized the changing business model in 1998
  • Identified what else was happening in USPS IT
  • Identified areas of concern and opportunities
  • Identified what security tools existed
  • Identified where to start and why / what was
    important
  • Identified stakeholders and logical links

11
Security Assessment cont.
  • Performed a security assessment of the
    environment
      • Commissioned a Guardant/Secure Computing Study
      • Presented findings to IT management
      • Developed a four-year capital project program
      • Established new functions and relationships

12
Security Assessment cont.
  • Recognized the changing business model in 1998
      • Expanding Internet activities
      • Changing customer needs
      • Increased competition and resource usage
  • Identified what else was happening in USPS IT
      • Increase in business partner access
      • Standardization and centralization of the IT
        environment
      • Moving to centralized support and control

13
Security Assessment cont.
  • Identified areas of concern and opportunities
      • Define our current state
      • Identify successful/unsuccessful security
        postures
      • Identify our perimeter
  • Identified what security tools existed
      • Firewalls, proxy servers, routers
      • Embedded operating system capabilities
      • Where was the technology moving

14
Security Assessment cont.
  • Identified where to start and why / what was
    important
      • What could we currently manage
      • What was our biggest risk / threat landscape
      • Evaluate and update IT security policies -
        follow NIST guidelines where possible and
        appropriate
  • Identified stakeholders and logical links
      • What existed that we could leverage
      • What new tools/processes were on the horizon
      • What was the impact to others

15
Technology Requirements
  • Large-scale capability
  • Multi-platform/location capability
  • Centralized management and reporting
  • Little or no impact / small footprint
  • Leader in security technology space
  • Full product suite of security tools and support

16
Technology Requirements cont.
  • Large-scale capability
      • 21,000 servers and 5 glass houses
      • One of the largest intranets in the world
      • 160,000 workstations
  • Multi-platform/location capability
      • Midranges - Unix, Intel, Open Source/Linux
      • Workstations - Intel, Linux/Unix
      • Multiple console view capabilities

17
Technology Requirements cont.
  • Centralized management and reporting
      • Corporate visibility through metrics
      • Standardize security policy and response
      • Policy enforcement
  • Little or no impact / small footprint
      • Desktop challenges
      • Bandwidth concerns
      • Broad spectrum of user capabilities

18
Technology Requirements cont.
  • Leader in security technology space
      • Experienced in security issues and technology
      • Proven products
      • Proven organization - going to be here awhile
  • Full product suite of security tools and support
      • Covers desktop, midrange, network issues
      • Ability to support 24x7 from several locations
      • Integrated reporting - Master Console

19
Product Evaluation / Selection
  • Independent assessments by Electronic Data
    Systems (EDS)
  • Capabilities of currently owned products
  • New products in the market space
  • Emerging technologies and ideologies
  • A bake-off of 3 products resulted in Internet
    Security Systems (ISS) being selected to provide
    enterprise security products.

20
Implementation
  • Create hardening standards
  • Inventory the environment
  • Design and build the infrastructure
  • Centralize management and reporting
  • Standardize the processes
  • Monitor progress

21
Implementation cont.
  • Create hardening standards
      • Standardize the basic OS and services
      • Get consistency for like servers
      • Eliminate unused and unneeded services
  • Inventory the environment
      • Install host-based IDS on all servers
      • Install desktop protection on all
        workstations/laptops
      • Install network-based IPS
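The hardening and inventory steps above amount to a per-role standard (which services a class of server must and may run, with the host IDS agent required everywhere) plus a check that every inventoried host matches it. The script below is an added example, not code from the presentation or from USPS: it models that standard as a baseline per server role and reports drift per host. The role names, the `hids-agent` service name, and the inventory are constructed sample data; the roll-up counts it produces are the kind of daily metric the deck later calls for.

```python
"""Added example, not from the USPS presentation: a hardening-standard
drift check over a server inventory.

Each server role gets a baseline of required and allowed services. A
host is compliant when every required service is running and nothing
outside the standard is. Roles, service names and the inventory below
are constructed sample data, not USPS configuration.
"""
from dataclasses import dataclass, field

# Per-role hardening standard (constructed). "required" services must be
# running (the host IDS agent is required on every server); "allowed"
# services may run; anything else is an unneeded service to eliminate.
BASELINES = {
    "web": {"required": {"sshd", "hids-agent", "httpd"},
            "allowed": {"ntpd", "syslogd"}},
    "db":  {"required": {"sshd", "hids-agent", "postgres"},
            "allowed": {"ntpd", "syslogd"}},
}

HIDS_SERVICE = "hids-agent"  # hypothetical name for the host IDS agent


@dataclass
class DriftReport:
    host: str
    role: str
    missing: set = field(default_factory=set)     # required but not running
    unexpected: set = field(default_factory=set)  # running but not in the standard

    @property
    def compliant(self) -> bool:
        return not self.missing and not self.unexpected


def check_host(host: str, role: str, running: set) -> DriftReport:
    """Compare one host's running services against the baseline for its role."""
    std = BASELINES[role]
    permitted = std["required"] | std["allowed"]
    return DriftReport(host=host, role=role,
                       missing=std["required"] - running,
                       unexpected=running - permitted)


def check_inventory(inventory: dict) -> dict:
    """Run check_host over an inventory mapping host -> (role, running services)."""
    return {host: check_host(host, role, services)
            for host, (role, services) in inventory.items()}


def summarize(reports) -> dict:
    """Roll drift reports up into counts usable as a daily metric:
    compliant hosts, drifted hosts, and hosts missing the host IDS agent."""
    reports = list(reports)
    compliant = sum(1 for r in reports if r.compliant)
    return {
        "compliant": compliant,
        "drifted": len(reports) - compliant,
        "missing_hids": sum(1 for r in reports if HIDS_SERVICE in r.missing),
    }


# Constructed sample inventory: web02 never received the HIDS agent and
# still runs telnetd, which the web baseline does not permit.
SAMPLE_INVENTORY = {
    "web01": ("web", {"sshd", "hids-agent", "httpd", "ntpd"}),
    "web02": ("web", {"sshd", "httpd", "telnetd", "ntpd"}),
    "db01":  ("db",  {"sshd", "hids-agent", "postgres", "syslogd"}),
}

if __name__ == "__main__":
    reports = check_inventory(SAMPLE_INVENTORY)
    for report in reports.values():
        status = "OK" if report.compliant else "DRIFT"
        print(f"{report.host:6} {report.role:4} {status:5} "
              f"missing={sorted(report.missing)} "
              f"unexpected={sorted(report.unexpected)}")
    print("summary:", summarize(reports.values()))
```

Keeping "missing" and "unexpected" as separate sets matters in practice: a missing host IDS agent means the server is unmonitored, while an unexpected service is attack surface the standard says should not exist, and the two usually go to different owners.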

22
Implementation cont.
  • Develop the infrastructure
      • Where to put event collectors and consoles
      • How much traffic and information is too much
  • Centralize management and control of systems
      • Limit access for changes
      • Develop change control process with
        stakeholders
      • Develop standard deployment processes
      • Deploy standard configurations
      • Monitor activities and changes

23
Implementation cont.
  • Standardize the processes
      • Consistent changes for security filter sets
      • Mirror maintenance windows
      • Develop Zero Day plans
  • Monitor progress
      • Use daily/weekly/monthly metrics
      • Measure what has value
      • Automatic notification

24
Implementation cont.
  • Other activities
      • Production acceptance signoff
      • Random security vulnerability assessment (SVA)
      • Any compromise results in an SVA
      • Environment monitoring
      • What new activities affect our asset base
      • Patch monitoring and tracking
      • Event monitoring

25
Measures of Success
  • No successful attacks on any server when
    protected with Server Sensors
  • No successful virus/worm outbreak after
    installation of desktop protection and anti-virus
    software
  • Reduction of network traffic due to eliminating
    malicious traffic at all levels with
    defense-in-depth strategy

26
Metrics of Success
27
Metrics of Success cont.
28
Metrics of Success cont.
29
Metrics of Success cont.
30
Lessons Learned
  • Set expectations and set boundaries
  • Senior management commitment
  • Separation of duties is critical to SUCCESS
  • Use proven technology that fits your environment
  • Map your environment
  • Identify all assets
  • Market and communicate your successes

31
Lessons Learned cont.
  • Identify your stakeholders
  • Involve stakeholders in the strategic plans
  • Measure what has value
  • Manage or monitor
  • Obtain appropriate rights for security functions

32
Lessons Learned cont.
  • Partner with others - internal and external
  • Hire security expertise
  • Any entry device is your perimeter
  • Use what you already have
  • Standardize, standardize and standardize
  • PATCH, PATCH, PATCH

33
What's Next
  • Spyware management using ISS Proventia Desktop
    integration and Symantec antivirus
  • Proactive software validation before network
    access
  • Integration and correlation of security log
    information - snapshot in time
  • Data protection
  • Application security assessments