Continuous Monitoring as a Service (CMaaS) Technology Stack Overview

This lesson describes the CMaaS technology stacks that will be deployed in CDM Phase 1.

UNCLASSIFIED / FOR OFFICIAL USE ONLY

CMaaS Technology Stack Overview

[Diagram: the four CMaaS technology stacks (ePO Stack, Retina Stack, CounterACT Stack, Splunk Stack) laid across three tiers: IaaS (DHS Data Center), Component Networks, and Endpoints.]

Data is collected by McAfee ePolicy Orchestrator (ePO), BeyondTrust Retina, and ForeScout CounterACT.

Data collected throughout the environment will be indexed by Splunk, which will normalize the data and prepare it for consumption by the CDM D/A dashboard.

The CMaaS ePO stack consists of tools in IaaS, Component networks, and endpoints.

Each Component Management Enclave McAfee ePO server manages all of ePO's various extensions, including Policy Auditor and Application Control.

Additionally, Policy Auditor and Application Control plugins will be installed as part of the McAfee Agent deployment.

This technology stack allows Components to host their existing ePO extensions within the new CMaaS ePO infrastructure, maximizing value from investments that are already widely deployed across DHS today.

Agent Handlers help balance traffic coming into the IaaS Component enclaves, reducing the network load on the primary servers.

Additionally, updates may be sent out through Agent Handlers configured as ePO repositories. This approach minimizes network impact by distributing updates from the Agent Handlers rather than directly from the IaaS servers.

The Retina stack consists of the BeyondInsight Management Console in IaaS, hardware sensors in Component networks, and software sensors on individual endpoints.

BeyondInsight manages Retina Network Security Scanners and their scan configurations.

To maximize scan volume while minimizing bandwidth requirements, Retina Network Security Scanners may be deployed in various locations throughout component networks.

The Retina Protection Agent (or RPA) is a software-based version of the Retina Network Security Scanner.

A key advantage of the Retina stack is that network-based hardware sensors have an option to NOT scan devices with RPA installed, further minimizing network bandwidth impacts.

The CounterACT stack consists of ForeScout Enterprise Manager in IaaS, hardware sensors in Component networks, and CounterACT SecureConnector on endpoints.

The Enterprise Manager is the sole configuration and management portal for all CounterACT devices.

To maximize visibility of the network, CounterACT may be deployed in various locations throughout component networks.

SecureConnector continually checks host properties and sends updates only when it detects a change. This event-driven reporting eliminates latency in detecting changes on the endpoint and minimizes bandwidth utilization.
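The event-driven reporting described above, as an added example (not the page's or ForeScout's code): a host-property monitor that remembers the last property set per host and sends a delta only when something changed, compared against a poller that ships the full set every cycle so the bandwidth difference can be counted. The property names and sample checks are constructed for illustration.

```python
import json
from typing import Dict, List, Optional

# Constructed sample: three successive property checks of one endpoint.
# Only the second check changes anything (a new listening port, a new user).
SAMPLE_CYCLES = [
    {"hostname": "ws-042", "os": "Windows 10", "av_running": True,
     "listening_ports": [135, 445], "logged_in_user": "alice"},
    {"hostname": "ws-042", "os": "Windows 10", "av_running": True,
     "listening_ports": [135, 445, 3389], "logged_in_user": "bob"},
    {"hostname": "ws-042", "os": "Windows 10", "av_running": True,
     "listening_ports": [135, 445, 3389], "logged_in_user": "bob"},
]

class EventDrivenReporter:
    """Remembers the last property set per host; sends a delta only on change."""

    def __init__(self) -> None:
        self._last: Dict[str, dict] = {}  # hostname -> last reported properties
        self.sent: List[dict] = []        # every message actually sent upstream

    def check(self, props: dict) -> Optional[dict]:
        host = props["hostname"]
        prev = self._last.get(host)
        self._last[host] = dict(props)
        if prev is None:  # first sighting: the full set is the initial report
            msg = {"host": host, "event": "initial", "changes": dict(props)}
        else:
            changed = {k: {"old": prev.get(k), "new": v}
                       for k, v in props.items() if prev.get(k) != v}
            if not changed:
                return None  # unchanged: nothing is sent, no bandwidth used
            msg = {"host": host, "event": "change", "changes": changed}
        self.sent.append(msg)
        return msg

def payload_bytes(messages: List[dict]) -> int:
    """Serialized size of a list of messages, used as a bandwidth proxy."""
    return sum(len(json.dumps(m).encode()) for m in messages)

def compare(cycles: List[dict] = SAMPLE_CYCLES) -> Dict[str, int]:
    """Event-driven delta reporting vs. a poller that ships the full set each cycle."""
    reporter = EventDrivenReporter()
    for snapshot in cycles:
        reporter.check(snapshot)
    polled = [{"host": s["hostname"], "event": "poll", "changes": s} for s in cycles]
    return {"event_msgs": len(reporter.sent), "event_bytes": payload_bytes(reporter.sent),
            "poll_msgs": len(polled), "poll_bytes": payload_bytes(polled)}
```

The delta for the second check names exactly the properties an analyst would want to see (a newly listening port and a different logged-in user), while the unchanged third check generates no traffic at all.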

Finally, the Splunk stack consists of tools located exclusively within IaaS, or more specifically the Enterprise Management Enclave and Component Management Enclaves.

The Splunk deployment within each Component enclave includes one or more indexers and one or more dedicated search heads, based on volume requirements.

Component enclave Splunk indexers aggregate data from the Component's ePO, BeyondInsight, and CounterACT tools.

One or more Splunk Search Heads in the Enterprise enclave query Splunk Indexers from all Components. These Search Heads are the peering points for the Department-level CDM Dashboard Solution.

One of the search heads also functions as a Splunk Deployment Server that manages the configuration of all Splunk indexers and search heads from each Component.