CMaaS Technology Stack Overview - USALearning

Continuous Monitoring as a Service (CMaaS) Technology Stack Overview

This lesson describes the CMaaS technology stacks that will be deployed in CDM Phase 1.

UNCLASSIFIED / FOR OFFICIAL USE ONLY

CMaaS Technology Stack Overview


[Diagram: the four CMaaS stacks (ePO stack, Retina stack, CounterACT stack, Splunk stack) laid across three tiers: IaaS (DHS Data Center), Component Networks, and Endpoints]


Data is collected by McAfee ePolicy Orchestrator (ePO), BeyondTrust Retina, and ForeScout CounterACT.

Data collected throughout the environment will be indexed by Splunk, which will normalize the data and prepare it for consumption by the CDM D/A dashboard.


The CMaaS ePO stack is comprised of tools in IaaS, Component networks, and endpoints.


Each Component Management Enclave McAfee ePO server manages all of ePO's various extensions, including Policy Auditor and Application Control.

Additionally, Policy Auditor and Application Control plugins will be installed as part of the McAfee Agent deployment.


This technology stack allows Components to host their existing ePO extensions within the new CMaaS ePO infrastructure, maximizing value from investments that are already widely deployed across the DHS today.


Agent Handlers help balance traffic coming into the IaaS Component enclaves, reducing the network load to the primary servers.


Additionally, updates may be sent out through Agent Handlers configured as ePO repositories. This approach minimizes network impact by leveraging Agent Handlers to distribute updates, rather than distributing them directly from the IaaS servers.


The Retina stack is comprised of the Beyond Insight Management Console in IaaS, hardware sensors in Component networks, as well as software sensors on individual endpoints.

Beyond Insight manages Retina Network Security Scanners and their scan configurations.


To maximize scan volume while minimizing bandwidth requirements, Retina Network Security Scanners may be deployed in various locations throughout component networks.


The Retina Protection Agent (or RPA) is a software-based version of the Retina Network Security Scanner.

A key advantage of the Retina stack is that network-based hardware sensors have an option to NOT scan devices with RPA installed, further minimizing network bandwidth impacts.


The CounterACT stack is comprised of ForeScout Enterprise Manager in IaaS, hardware sensors in Component networks, as well as CounterACT Secure Connector on endpoints.

The Enterprise Manager is the sole configuration and management portal for all CounterACT devices.


To maximize visibility of the network, CounterACT may be deployed in various locations throughout component networks.


SecureConnector continually checks host properties, and sends updates only when it detects a change. This event-driven reporting eliminates latency in detecting changes on the endpoint, and minimizes bandwidth utilization.


Finally, the Splunk stack consists of tools located exclusively within IaaS, or more specifically the Enterprise Management Enclave and Component Management Enclaves.


The Splunk deployment within each Component enclave includes one or more indexers and one or more dedicated search heads, based on volume requirements.

Component enclave Splunk indexers aggregate data from the Component's ePO, BeyondInsight, and CounterACT tools.
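The normalization step described earlier (Splunk indexing the three feeds and preparing them for the CDM dashboard) and the aggregation described here can be sketched as a merge of per-tool records into one asset view per host. This is an added illustration, not code from the lesson or from any of the vendors; the record field names and sample values are constructed assumptions, not the real ePO, Retina or CounterACT schemas.

```python
from collections import defaultdict

# Constructed sample records from each collector. Field names are assumptions
# made for this example; they are not the vendors' real export schemas.
EPO_RECORDS = [
    {"HostName": "ws-001", "IPAddress": "10.1.1.10", "PolicyAuditorCompliant": "true"},
    {"HostName": "srv-002", "IPAddress": "10.1.1.20", "PolicyAuditorCompliant": "false"},
]
RETINA_RECORDS = [
    {"target": "10.1.1.10", "finding": "FINDING-001", "severity": "High"},
    {"target": "10.1.1.20", "finding": "FINDING-002", "severity": "Low"},
    {"target": "10.1.1.20", "finding": "FINDING-003", "severity": "High"},
]
COUNTERACT_RECORDS = [
    {"ip": "10.1.1.10", "property": "av_running", "value": "true"},
    {"ip": "10.1.1.30", "property": "av_running", "value": "false"},  # no ePO agent reporting
]


def _new_asset():
    return {"hostname": None, "sources": set(), "policy_compliant": None,
            "findings": [], "properties": {}}


def normalize(epo, retina, counteract):
    """Merge the three feeds into one asset record per IP address (the common key)."""
    assets = defaultdict(_new_asset)
    for r in epo:
        a = assets[r["IPAddress"]]
        a["hostname"] = r["HostName"]
        a["policy_compliant"] = r["PolicyAuditorCompliant"].lower() == "true"
        a["sources"].add("epo")
    for r in retina:
        a = assets[r["target"]]
        a["findings"].append((r["finding"], r["severity"]))
        a["sources"].add("retina")
    for r in counteract:
        a = assets[r["ip"]]
        a["properties"][r["property"]] = r["value"]
        a["sources"].add("counteract")
    return dict(assets)


def dashboard_summary(assets):
    """Counts of the kind a department-level dashboard would roll up per Component."""
    return {
        "hosts": len(assets),
        "missing_epo_agent": sum("epo" not in a["sources"] for a in assets.values()),
        "policy_noncompliant": sum(a["policy_compliant"] is False for a in assets.values()),
        "hosts_with_high_findings": sum(
            any(sev == "High" for _, sev in a["findings"]) for a in assets.values()),
    }
```

A host seen only by CounterACT (here 10.1.1.30) surfaces as a coverage gap in `missing_epo_agent`, which is the kind of cross-tool discrepancy the merged view exists to expose.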


One or more Splunk Search Heads in the Enterprise enclave query Splunk Indexers from all Components. These Search Heads are the peering points for the Department-level CDM Dashboard Solution.


One of the search heads also functions as a Splunk Deployment Server that manages configuration of all Splunk indexers and search heads from each Component.