Page 10


www.us-tech.com

TechWatch


Automated STIG “Hardening” Comes to Government IT


By Jeff Elliott

For the thousands of hard-working men and women responsible for securing government IT networks to the Defense Information Systems Agency's mandatory "STIG" standards, the task can be daunting and even somewhat thankless. That is because the STIGs (Security Technical Implementation Guides) run to hundreds of pages of detailed rules that must be followed to properly secure, or "harden," government computer infrastructure.

Given that this work is typically a manual process, it can be extremely tedious and time-consuming for IT personnel. In fact, it is estimated that the government spends hundreds of millions of dollars annually to remain in compliance with the STIG standards. So, as new software tools enter the market that automate the process to near push-button simplicity, the first reaction after "sounds too good to be true" is considerable relief. By automating the process, a task that once took weeks, or even months, can be completed in a few hours across all endpoints. Ongoing security updates are also automatic and can be completed in minutes.

Explaining the STIGs

There can be considerable "fog" surrounding the STIGs. The STIGs exist because government networks are largely built from commercial operating systems (Windows and Linux), database management systems, web servers and other network devices. The STIGs, therefore, define the changes to operating-environment settings needed to configure those environments as securely as possible.

Unfortunately, once an application environment is hardened to the STIG specifications, installed applications can "break," meaning they will not install and/or run properly. This affects both new and legacy applications installed on the system.

Applications are rarely designed or tested to operate in STIG environments. For example, if the STIGs require altering some of the controls of the Windows or Linux operating system the application is built on, the application can break. If an application requires specific capabilities to operate and the STIGs prohibit or block those capabilities, the application will fail to load or operate.

Unfortunately, there is no generic set of STIG rules that can be applied to all applications. Instead, server policies must be manually adjusted on an application-by-application, server-by-server basis, which can take many weeks and cost in excess of $10,000 annually per server instance.

"If the same policies and configurations could be implemented on all systems, STIG compliance would be a rather easy exercise," explains Brian Hajost of SteelCloud, an expert on automated STIG compliance. "Commercial and government applications respond to security policies differently. The controls for each system, therefore, have to be uniquely adapted or tuned to each application environment." This painstaking task often falls to system administrators, application administrators or information assurance staff.

"There are thousands of IT people across government that are asked to address the STIG compliance manually, but many times are not experienced or trained to do so," says Hajost. "So, they muddle through, but the initial hardening effort can take weeks or even months."

Automating STIG Compliance

Fortunately, new tools are available that automate STIG compliance. Products such as ConfigOS from SteelCloud harden existing government networks automatically, even across complex and disparate infrastructures with varying security levels.

ConfigOS identifies and hardens all controls considered a potential security risk. As outlined in the STIGs, findings are categorized into three severity levels, with Category I (CAT I) being the most severe and having the highest priority. The software then produces a domain-independent, comprehensive policy "signature," including user-defined documentation and STIG policy waivers. In this step alone, weeks or months of manual work can be completed in an hour.

The signature and documentation are included in a secure, encrypted signature container that is used to scan endpoints (laptops, desktops, physical and cloud servers) without being installed on any of them. The time it takes to remediate hundreds of STIG controls on each endpoint is typically under 90 seconds, and ConfigOS executes multiple remediations at a time.
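The two ideas the article leans on, severity categories (CAT I being the most urgent) and a tailored policy that records waivers for controls a legacy application cannot tolerate, are easy to get wrong in a home-grown script: a waiver quietly hides a CAT I failure, or a remediation pass "fixes" the setting the application depends on. The following is an added example written for this page, not ConfigOS or SteelCloud code and not a real STIG; the control identifiers (HYP-001 and so on), settings, checks and the waiver are all hypothetical and constructed. It models a policy "signature" as a list of controls with CAT I to III severities, requires every waiver to name a known control and carry a written justification, reports waived failures rather than hiding them, and remediates only the open failures, CAT I first:

```python
# Added example, not ConfigOS or SteelCloud code: a small model of a tailored STIG
# policy "signature" (controls with CAT I-III severities plus documented waivers)
# evaluated and remediated against a constructed endpoint configuration.
# All control identifiers, settings and waivers here are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, List

Config = Dict[str, object]


@dataclass(frozen=True)
class Control:
    ident: str                          # hypothetical label, not a real STIG rule ID
    cat: int                            # 1 = CAT I (most severe) ... 3 = CAT III
    title: str
    check: Callable[[Config], bool]     # True when the endpoint already complies
    remediate: Callable[[Config], None]


@dataclass(frozen=True)
class Waiver:
    ident: str
    justification: str                  # user-defined documentation carried in the policy


@dataclass(frozen=True)
class Finding:
    ident: str
    cat: int
    status: str                         # "pass", "fail" or "waived"
    note: str = ""


# Constructed controls in the spirit of common OS hardening settings (hypothetical IDs).
CONTROLS: List[Control] = [
    Control("HYP-001", 1, "Remote root login over SSH must be disabled",
            lambda c: c.get("ssh_permit_root_login") == "no",
            lambda c: c.__setitem__("ssh_permit_root_login", "no")),
    Control("HYP-002", 1, "Legacy file-sharing protocol must be disabled",
            lambda c: c.get("smb1_enabled") is False,
            lambda c: c.__setitem__("smb1_enabled", False)),
    Control("HYP-003", 2, "Minimum password length must be at least 15",
            lambda c: int(c.get("min_password_length", 0)) >= 15,
            lambda c: c.__setitem__("min_password_length", 15)),
    Control("HYP-004", 3, "A logon banner must be configured",
            lambda c: bool(c.get("logon_banner")),
            lambda c: c.__setitem__("logon_banner", "Authorized use only")),
]


def validate_waivers(controls, waivers):
    """Every waiver must name a known control and carry a non-empty justification."""
    known = {c.ident for c in controls}
    for w in waivers:
        if w.ident not in known:
            raise ValueError(f"waiver for unknown control {w.ident}")
        if not w.justification.strip():
            raise ValueError(f"waiver for {w.ident} has no justification")
    return {w.ident: w for w in waivers}


def evaluate(controls, config, waivers):
    """One Finding per control, CAT I first; waived failures are reported, never hidden."""
    waived = validate_waivers(controls, waivers)
    findings = []
    for ctl in sorted(controls, key=lambda c: c.cat):
        if ctl.check(config):
            findings.append(Finding(ctl.ident, ctl.cat, "pass"))
        elif ctl.ident in waived:
            findings.append(Finding(ctl.ident, ctl.cat, "waived", waived[ctl.ident].justification))
        else:
            findings.append(Finding(ctl.ident, ctl.cat, "fail", ctl.title))
    return findings


def remediate(controls, config, waivers):
    """Fix open (non-waived) failures in place, CAT I first; return the idents fixed."""
    by_ident = {c.ident: c for c in controls}
    fixed = []
    for f in evaluate(controls, config, waivers):
        if f.status == "fail":
            by_ident[f.ident].remediate(config)
            fixed.append(f.ident)
    return fixed


def open_by_cat(findings):
    """Count unwaived failures per category, e.g. {1: 0, 2: 1, 3: 0}."""
    counts = {1: 0, 2: 0, 3: 0}
    for f in findings:
        if f.status == "fail":
            counts[f.cat] += 1
    return counts


if __name__ == "__main__":
    # Constructed endpoint: a server hosting a legacy application that still needs SMBv1.
    endpoint: Config = {"ssh_permit_root_login": "yes", "smb1_enabled": True,
                        "min_password_length": 8, "logon_banner": ""}
    waivers = [Waiver("HYP-002", "Legacy inventory application requires SMBv1; "
                                 "host is network-isolated; waiver reviewed quarterly")]
    print("open failures before:", open_by_cat(evaluate(CONTROLS, endpoint, waivers)))
    print("remediated:", remediate(CONTROLS, endpoint, waivers))
    for f in evaluate(CONTROLS, endpoint, waivers):
        print(f"CAT {f.cat} {f.ident}: {f.status} {f.note}".rstrip())
```

The design point is that a waiver changes the reported status, not the check: the waived CAT I control still appears in every scan result with its justification, so an auditor can see exactly which deviations from the published STIG the operational policy carries and why, and the remediation pass leaves the waived setting alone so the legacy application keeps running.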


"The government publishes the [STIG] book and we are just automating the tedious work to get the job done," says Hajost. ConfigOS supports over 6,000 standard STIG controls in a wide range of tested content. However, the software is also designed to allow users to tailor controls to respond to an application's requirements. "We could enforce the STIGs to the letter, but that doesn't work if it means the application will not run," explains Hajost. "So ConfigOS creates an operational policy that is as close to the published STIGs as possible, but still allows the application to function as designed."

The signature containers can then be transported across large and small networks, classified environments, labs, disconnected networks, and tactical environments with connected and disconnected endpoints. No other changes are required to the network or its security, and no software is installed on any endpoint.

The software can also speed implementation of new network applications, servers and appliances by evaluating and hardening each prior to installation. Hajost estimates that automating the process reduces initial hardening time by 90 percent, while reducing system security policy maintenance expenses by about 70 percent.

Given that the potential cost savings of automating STIG policy compliance exceed hundreds of millions of dollars annually, IT personnel struggling to secure government networks manually may find this one task they are happy to automate.

Contact: SteelCloud, LLC, 20110 Ashbrook Place, Suite 170, Ashburn, VA 20147. Phone: 703-674-5500. Fax: 703-674-5506. E-mail: info@steelcloud.com. Web: www.steelcloud.com


August, 2019

