White Paper

By Scott Montgomery Vice President and Chief Technology Officer McAfee Public Sector

Security Considerations for the Department of Defense Joint Information EnvironmentIntegrated, agile, and available—where and when needed

2 Security Considerations for the Department of Defense Joint Information Environment

Table of ContentsIntroduction 3

Single Security Architecture (SSA) 4

Network Normalization 6

Identity and Access Management 7

Enterprise Services 8

Cloud Computing 9

Data Center Consolidation 10

Conclusion 11

3 Security Considerations for the Department of Defense Joint Information Environment

IntroductionImagine having a $38 billion information technology and security budget. Then imagine saying aloud, “It isn’t enough, and we need to do more with less.” This is exactly the situation the US Department of Defense’s (DoD) CIO Teri Takai finds herself in presently.

The goals of the DoD’s Joint Information Environment (JIE) initiative are to:

• Create IT economies of scale.• Leverage working technologies across a larger DoD surface area.• Reduce each branch of service’s need to purchase, implement, and perpetuate individual technologies.• Adopt an overall “shared first” policy to reduce IT-related man hours, capital expenditures, electricity use, and other

HVAC facility costs.

Together, these goals should drive a substantial improvement in operational efficiency.

The Department of Defense Strategy for Implementing the Joint Information Environment, delivered by the DoD CIO on September 18, 2013, calls out that “… DoD mission success depends upon the ability of military commanders, civilian leaders, and mission partners to act quickly and effectively, based on the most accurate and timely data and information available.” The confidentiality, integrity, and availability of this data will be the enabler of success or will be used as a vehicle by adversaries to create mission disruption and failure for others. The JIE provides the core infrastructure for ensuring this timely, accurate data access. Protecting the JIE will also require timely, accurate data—we must enable everyone who protects and uses the JIE to be effective in achieving the mission.

Just as with any major technology initiative in the DoD or private sector, JIE is an opportunity to architect with security as an integral design element. The document clearly articulates the requirement to move beyond the tactical point products that have constrained the effectiveness and efficiency of the DoD: “DoD IT operations that support warfighter, business operations, and intelligence information are currently limited by component-centric, non-standardized, non-integrated, and non-interoperable capabilities.”

The open and agile Security Connected approach has been the McAfee vision for many years. We believe it can be a vital part of the architecture for the end-to-end, standards-based, integrated, and interoperable JIE that the DoD envisions. The Security Connected methodology adheres to secure-by-design tenets to protect the confidentiality and integrity of the networks enabling the branches of service and our coalition partners while ensuring the high uptime and availability that warfighters depend on, especially in battlefield conditions. This commitment is critical. Neglecting highly integrated security during the initial design and implementation phases will not only increase costs, but will perpetuate vulnerabilities, data losses, and poor situational awareness created by the reactive “bolt on” approach. The toll in data exposure and costs has been shown time and again in the information technology industry:

• Failure to understand the persistent need for strong cryptography during the advent of Wi-Fi networks (as evidenced by TJ Maxx loss of 45 million credit card numbers to wireless wardrivers, 2007).

• Failure to understand the implication of multigigabyte portable USB storage devices (as evidenced by North Carolina Health and Human Services losing 50 thousand data records including Social Security numbers on an unencrypted thumb drive, 2013).

• Failure to use technical controls to enforce written policy regarding data access and distribution (Snowden, Manning, and other whistleblowers).

The McAfee relationship to the DoD and its role in the evolution of JIE are unique. As a cornerstone technology in DISA PEO-MA’s HBSS program (www.disa.mil/hbss), McAfee is singularly involved in the integrity of every fielded DoD system, regardless of which existing organization-centric network is used to access it. This is an awesome responsibility, and one McAfee takes very seriously.

4 Security Considerations for the Department of Defense Joint Information Environment

The JIE presents a unique opportunity for the DoD to make a quantum leap forward in cybersecurity. Interlocking an understanding of the defenses and events occurring in the field with the defenses and events occurring throughout the network can create the most agile, resilient, and effective security infrastructure. The September 18 document calls out key value propositions of integration between network and system operators and defenders:

“The JIE will enable DoD network operators and defenders to work as a more a unified team. For example, it will enable network, system operators, and defenders at multiple levels to have visibility of systems and networks across the department, as well as allow commonality in how cyberthreats are encountered. This means DoD will know who is operating on its networks and what they are doing, and it will be able to attribute their actions with a high degree of confidence. This will minimize complexity for synchronizing cyberresponses, maximize operational efficiencies, and reduce risk.”

McAfee technologies in the endpoint and network connect through an open security management platform, which observes DoD-specific requirements, such as FIPS 140-2, Common Criteria, DISA STIGs, and UC APLs where applicable. The platform includes validated, pre-integrated interoperability with more than 100 software partners, help desk vendors, and IT solutions providers. This extensible security and compliance environment provides an unequalled foundational component for command and control to meet the operational, tactical, and strategic goals of JIE. Among its many benefits, a common policy-based management and data analysis infrastructure reduces the training burden placed on the limited DoD and warfighter resources, an important practical consideration when talent is at a premium.

This paper will examine how McAfee can enable the DoD’s mission and meet security considerations for the six technical challenges described in the Department of Defense Strategy for Implementing the Joint Information Environment.

Single Security Architecture (SSA)The McAfee Labs Threats Report: Third Quarter 2013 offers some security-specific metrics that should be considered when creating and implementing a single security architecture:

• New malware of all types added up to 20 million in the third quarter of 2013.• By the end of a typical workday, McAfee Labs will have discovered about 225,000 more malware samples.• The all-time tally of malware exceeds 172 million binaries.• New rootkits, which tunnel into systems and remain hidden, doubled in number in Q3 2013. • AutoRun threats, often spread via USB drives, remain numerous. • Signed malware, which poses as approved legitimate software, continues to set records, increasing by almost

50 percent.1

These numbers show the increasing sophistication of attacks. Given the DoD CIO’s predicament of flat to down budget and flat to down numbers of highly trained personnel, the JIE must facilitate and promote different behavior from practitioners. This change is the only way to keep up.

For example, JIE vision documents talk about how the reduction of the number of network boundaries will reduce the DoD’s external attack surface, which is accurate. However, it also creates the need for the technical controls placed at this reduced set of boundaries to be not only resilient and high performing, but also be on the bleeding edge with respect to the ability to find, fix, and freeze adversary activity without negatively affecting warfighters. JIE must concentrate its security resources where it is concentrating its demand for IT infrastructure. The JIE describes this model as a “single security architecture.”

The DoD network footprint already includes many McAfee content and network security products, including web and email gateways, firewalls, and intrusion prevention systems (IPS). Because of the shared management and extensible architecture of these systems, many of these technical controls can be leveraged and repurposed as foundational tools in the single security architecture (SSA). For instance, existing data loss prevention policies for email and web can be adapted and extended to support new requirements, without a new information model, learning curve, or new management consoles.

Further, these systems use an appliance model and many can also be virtualized. Where the new design consolidates traffic into fewer, larger points of presence, the DoD can trade in the underlying hardware for bigger, faster appliances without significant operational disruption.

5 Security Considerations for the Department of Defense Joint Information Environment

These network controls can also be interlinked with our breakthrough advanced malware technology, McAfee® Advanced Threat Defense, to facilitate proactive control and rapid response. Where traditional security approaches have focused on blocking known bad “black” files and permitting known good “white” files, McAfee Advanced Threat Defense takes a big step beyond to tackle the great unknown: unusual and anomalous files that can’t be definitively marked as black or white. SSA practitioners can now see, inspect, block, and collect network traffic to maintain network quality of service and evaluate “gray” files not caught by traditional signature-based, behavioral, or reputation-based technologies.

The McAfee advanced threat architecture nests defenses and deep inspections to minimize the impact of security on traffic—so users can be productive in a trusted information environment—while maximizing the ability to enforce policies, detect threats, and combat emerging malware. When McAfee identifies a threat, our integration of scalable and advanced threat defenses at the gateway with endpoint management tools means the DoD can leverage its investment in HBSS to quarantine affected hosts and move to remediate any infection immediately.

Automated quarantine is one way to “rapidly reconfigure networks to thwart advanced persistent cyberthreats to ensure mission integrity and continuity,” an operational effectiveness objective for security described in the cited document. McAfee network and host intrusion prevention systems are pre-integrated, enabling another objective: “Defend networks in cyber real-time by activating rule sets to defeat cyberattacks via the SSA”.

FREEZE

FIND

Faster Time to Malware Conviction, Containment, and Remediation

McAfee Solutions

McAfee GTI

FIX

McAfee GTI Reputation

Ef�cient Antivirus Signatures

Real-Time Emulation Engine

Static Code Analysis

Target-Speci�c SandboxingAutomated Host Cleaning

(McAfee Real Time)

McAfeeGlobal Threat Intelligence

(McAfee GTI)

Malware Fingerprint Query(McAfee Real Time)

McAfee®

ePolicy Orchestrator®

McAfeeEndpoint Agent

Advanced Defense

McAfeeFINDFREEZEFIX

McAfeeNetwork IPS

McAfeeWeb Gateway

McAfeeEmail Gateway

Figure 1. Integration between network and endpoint elements provides a unique, comprehensive defense against malware.

Importantly in terms of SSA integration and interoperability, McAfee Advanced Threat Defense can perform analyses regardless of the network protocol being used or whether the potentially malicious payload has reached an HBSS node on the network. Instead of tools that examine on a per-protocol level, McAfee provides the ability to detect low-and-slow, targeted, and other advanced persistent threats (APTs) regardless of how they arrive. This consolidated model makes it possible to quickly, even automatically, identify blended and cross-protocol threats. The importance of detection and intervention increases in order to protect the integrity of mission data as you reduce the number of network boundaries.

6 Security Considerations for the Department of Defense Joint Information Environment

Network NormalizationThe DoD IT footprint nearly defies measurement. It was created in so many disparate phases, stovepiped from one another, that the JIE network normalization effort is likely the largest in the history of information technology. Consider the statistics regarding the DoD IT footprint presented at a May 2013, AFCEA conference by DoD DCIO David Devries:

• >10,000 operational systems (20% mission-critical).• ~1850 data centers.• ~65,000 servers.• ~7 million computers and IT devices. • ~15,000 networks. • Thousands of email servers, firewalls, proxy servers, and more. • Mobile devices:

º ~493,000 BlackBerry smartphones.

º ~41,000 iOS systems (pilots).

º ~8,700 Android systems (pilots).• In more than 146 countries, 5,000 locations, and 600,000 buildings and structures.

Think about being handed the following task: take what exists above and create a consolidated network infrastructure that will allow end-to-end visibility from one base/camp/post/station’s resources to another’s. One of the key efforts will be the creation of the massive multiprotocol label switching (MPLS) backbone that will allow the networking equipment for the list above to see and reach each other.

Now, look ahead at the goals of JIE to expand use of shared IT infrastructure and enterprise services, thin-client end-user technologies, unified communications, email, and cloud computing services. Each of these incremental services should be implemented in a consolidated and integrated fashion, knit together at a management and monitoring level to permit appropriate oversight over usage, resources, and information security. Thin clients, for example, rely on highly available networks and servers, which, in turn, may rely on virtualization technologies.

Efforts to provide consistent, end-to-end situational awareness across these services will depend upon our ability to continuously diagnose and mitigate threats, vulnerabilities, and issues associated with those normalized networks and devices.

Elsewhere in government, McAfee is at the forefront of this effort with the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program. This program, much like the vision documents regarding JIE, talks about the ability to leverage sensors and devices already in place in order to drive continuous, rather than occasional or scheduled, security monitoring. McAfee products approved for the CDM program can also address many of the operational effectiveness objectives described in the cited document, including automatically identifying weak systems, ascertaining configurations, and determining operational risk from improper configurations and unpatched systems.

One revolutionary technology employed in the DHS CDM controls that will allow for this rapid end-to-end visibility is McAfee Real Time. Rather than relying on a traditional hub-and-spoke or client-server model, McAfee Real Time leverages a software-defined cooperative network so that each of the devices above can be utilized to provide not only intense machine-specific situational awareness and remediation, but also act at the speed of the network rather than on a periodic schedule.

The primary benefit to the network normalization effort is that McAfee Real Time in part makes use of existing, fielded HBSS components: the host-based McAfee Agent (MA) and its management infrastructure, McAfee ePO software.

7 Security Considerations for the Department of Defense Joint Information Environment

Figure 2. The existing network model for HBSS (at left) as well as the innovative method McAfee Real Time employs (at right), which will assist DoD in achieving its end-to-end situational awareness goal.

Replacing standard hierarchies, McAfee Real Time uses a client to client communication model for efficiency and resilience. Operators have found McAfee Real Time to be a new approach to systems management that delivers instant visibility and responsiveness and does not slow down as enterprise environments scale up.

McAfee Real Time adds instant system state and health queries and direct actions to the McAfee security information and event management (SIEM) product, McAfee Enterprise Security Manager. This visibility into state adds endpoint context to the event and log data the SIEM collects and correlates from hundreds of sources. As an administrator or investigator dissects events, McAfee Real Time also allows direct interaction with hosts distributed throughout the network.

McAfee Real Time and McAfee Enterprise Security Manager can be beneficial even to DoD entities that have another SIEM technology in place. Many first-generation solutions were designed for slow and historical situational analysis, rather than the “in the moment” situational awareness that is required today. These environments can benefit from high-performance log collection and management deployed as an augmentation to the existing SIEM solution. Because the McAfee SIEM includes a specialized database designed to collect, correlate, and process a very high volume of logs and events, it represents a vital enabler to end-to-end situational awareness across normalized networks and devices as they are used in active and dynamic deployments.

One of the existing DoD services has demonstrated this approach’s merit from a security perspective while significantly decreasing operating costs. Standardization and documentation of their processes and policies should allow rapid and wide duplication across the DoD information network.

Identity and Access ManagementThe ability to properly identify, strongly authenticate, and authorize a warfighter to ensure he has full access to all mission services is paramount, yet daunting. When you add the complexity of the D-DIL and mission partner environments (MPE), it may seem almost overwhelming. Then add the overhead of an existing and temperamental authentication token such as CAC, and the job becomes nearly impossible.

McAfee Enterprise Authentication Services give the DoD an unprecedented level of control across multiple areas to allow enforcement of strong authentication and authorization from silicon to cloud.

8 Security Considerations for the Department of Defense Joint Information Environment

Enforcement points at the authentication gateways give administrators the ability to make a decision based on characteristics including—but not limited to—the user’s home site, current location, and historical attributes, or the location of the resource being accessed. For instance, USMC and NATO partner inclusion in an MPE allows the USMC warfighter to be authenticated not only against the MPE resources, but also against any supporting USMC resources not contained in the MPE, without allowing the NATO MPE partner to have the same reach back into the non-MPE USMC resources. The warfighter could use his CAC; the NATO MPE partner could use another authentication mechanism: fixed password, one-time password (OTP) token, x.509 certificate, or any of a range of other authenticators, including OTP on mobile.

The use cases in JIE architecture documents discuss how to authorize a Site X Warfighter for Site Y resources. This federated trust model is fully supported in McAfee Enterprise Authentication Services and supports existing, mature standards such as SAML, OpenID, and Oauth. Further, the ability to perform risk-based authentication based on user context, user or resource geo-location, or resource classification allows policymakers to ensure that mission resources are available only when optimum authentications and authorizations are enforceable. A user’s physical location can be checked before allowing access to certain mission resources (when in garrison a resource is approved, when in the field it is denied—or vice versa).

McAfee Enterprise Authentication Services supports many use cases:

• User from Site X connecting at Site X, accessing Site X resource. (Normal flow—CAC authentication and access to authorized resources using role-based access control.)

• User from Site X connecting at Site X, but accessing Site Y resource. (Federated trust between X and Y. User authenticates to Site X, using CAC Card or standard primary method, and requests a federation token to access resource at Site Y. Increase authentication checks if Site Y resource requires a higher level of authentication and accesses application at Site Y with the federation token.)

• User from Site X connecting at Site Y, accessing Site Y resource. (Federated trust between X and Y. User connects to Site Y, but is redirected to Site X for authentication and then federated into Site Y. Depending on the authentication level, user is given access to authorized resources.)

• User from Site X, connecting at Site Y, accessing Site X resource. (User connects to Site Y, but is connected to Site X for authentication and subsequent access to the Site X resource.)

In addition to facilitating and enforcing authentication policies across trust boundaries, McAfee Enterprise Authentication Services provides an attribute store to hold centralized and decentralized user context and session information. To avoid duplication of data, it can leverage any site-specific identity store, such as Microsoft Active Directory. The McAfee provisioning engine determines user access dynamically, based on a user’s role/rank, policies, rules, or approvals. The system can propagate the access they need to the local IdAM data stores of each site.

A crucial aspect of identity management is accountability and monitoring. Relationships and privileges change, and users can become abusers. McAfee Enterprise Authentication Services includes workflows to help enforce rules and access windows. In the scenario where a user from Site X wants to request access to Site Y resources, he could submit a request, which, when approved, will trigger automatic provisioning of that access to Site Y. If the access also has a set expiration date, then the access right is automatically revoked, unless renewed. Expiration dates support appropriate enforcement for partners and temporary contractor access as well.

McAfee Enterprise Authentication Services allows administrators to define thresholds for behavior and events that can trigger real-time alerts. Common examples include excessive authorization or authentication failures or a velocity check, such as a sudden increase in the number of authentications within a timespan.

Enterprise ServicesThe following is an excerpt from the DISA PEO-MA mission statement as it relates to the enterprise use of HBSS: “… provide network administrators and security personnel with mechanisms to prevent, detect, track, report, and remediate malicious computer-related activities and incidents across all DoD networks and information systems.”

The HBSS program was initially implemented in 2006 and has provided a significant increase in the level of protection available to organizational information security. However, in the time since the initial rollout of HBSS, a divide in effective-ness has been observed. This divide is described best in the September 2013 document, “These services must be available to consumers who function in disconnected, intermittent, or low-bandwidth (DIL) information environments.”

9 Security Considerations for the Department of Defense Joint Information Environment

The JIE needs to optimize security for each environment. HBSS, while a fantastic garrison security tool for high-bandwidth environments, operates at a significant security disadvantage when low-bandwidth or disconnected states prevent access to signatures or use of real-time reputation services such as McAfee Global Threat Intelligence. The re-architecture of enterprise services toward a more joint and tactically enabled environment gives DoD a perfect opportunity to re-examine the role of HBSS and ensure that both the garrison and tactical communities are equally served by host-based protection.

Application whitelisting is an example of a control solution optimized for low- and zero-bandwidth tools. As it enforces consistency and compliance in user environments, application whitelisting provides a very useful enhancement to the HBSS endpoint as a security defense. Application whitelisting permits only approved mission packages to run on an endpoint. The noteworthy benefits of updating the HBSS enterprise service to include application whitelisting represent dramatic improvements over the existing program’s set of tools:

• Commanders can reduce or eliminate the need for ongoing bandwidth while in tactical areas of responsibility (AOR).• The same local agent and management infrastructure as the existing HBSS program of record can be reused, requiring a

minimum of training.• The same organizational roll-up mechanisms in place today can be utilized, requiring minimum incremental ongoing care

and feeding.• Malware introduced through a non-network method such as a DVD or USB stick cannot run and negatively affect mission.• The use of host intrusion prevention and other HBSS components requires ongoing administration to continue to operate

in an optimized fashion, whereas application whitelisting tools typically require no operator intervention at any time during the deployment into a tactical AOR.

Cloud ComputingMcAfee is in an unprecedented period of innovation, partly because Intel as a parent company affords McAfee the opportunity to move closer to the silicon with security operations than was ever possible before. Industry pundits such as Trefis have placed Intel’s percentage of server processor market share at greater than 90%. If we apply that 90% to the footprint estimates provided by Mr. Devries earlier, that would mean that 58,500 of the 65,000 servers in the field would be leveraging Intel technology today. As DoD moves toward internal and hybrid clouds, in particular those built for communities of interest, the ability to leverage McAfee-Intel security at the chip level provides a very bright future.

The Intel model allows for DoD to begin delivering a high level of assurance from the moment the physical device is powered on:

• The Trusted Platform Module (TPM) records the results of the launch process to verify trustworthiness, among other things allowing a few key metrics to be checked:

– Did the firmware and BIOS match the prior running versions or is there an adversary-introduced version running?

– For virtualized systems, does the code of the hypervisor match the prior running version or is there an adversary-introduced hypervisor running?

• The TPM NVRAM can also be provisioned with additional identifying information about the platform and its uses:

– Location information.

– C/S/A organizational information.

– Workload type information.

– Asset tag/reference.• Using the verified TPM allows DoD to set policy to create Trusted Computing Pools, where the integrity of a server is

verified before it is permitted to host mission-facing applications.• Trust-based secure migration can provide geo-location measurement and enforcement for the pool members.2

As the JIE moves to core data centers (CDCs), the use of Intel technology will allow the ability to not only secure the CDC servers from the moment they are powered on, but also provide them to communities of interest and ensure visibility, control, and compliance.

10 Security Considerations for the Department of Defense Joint Information Environment

2. Use integrity status and asset location to control virtual workloads; restrict sensitive workloads by geography.

3. Attest and verify that policy and workload controls are being enforced.

1. Verify platform integrity: Store/ report asset descriptor such as location.

Control

VM VM

ComplianceVisibility

Policy: Secret VM requires trusted host, requires US host.

Figure 3. Intel technology enables location-based controls and compliance for cloud users.

Intel and McAfee have a shared mission of improving cloud security so that businesses can more easily adopt cloud computing and ultimately have a high level of confidence in the control, auditability, and overall security of their cloud deployments from client devices to the data centers.

In terms of securing cloud data centers, our focus is first on improving the integrity of the infrastructure while focusing on protecting data and second on delivering capabilities to make it easier to audit cloud environments to meet compliance requirements. Technologies and solutions today include Intel VT and Intel TXT, McAfee Management for Optimized Virtual Environments (MOVE) AntiVirus, McAfee ePO software, McAfee Application Control, and McAfee Change Control. Future developments will focus on broadening and strengthening security enforcement and auditability across cloud infrastructures.

Data Center ConsolidationLet’s revisit one of the core tenets from the DODSI-JIE: “… increasingly, DoD mission success depends upon the ability of military commanders, civilian leaders, and mission partners to act quickly and effectively, based on the most accurate and timely data and information available.” With consolidation into CDCs, the JIE effort creates an opportunity to restructure how security is designed, performed, and continuously monitored for a variety of servers.

One critical server type is the database. The move to CDCs ensures that database availability continues to be high but does nothing to address the possibility of the data being changed by adversaries in order to negatively affect mission. Recent incursions that McAfee has investigated both in and outside of the DoD show that adversaries are utilizing the database as the initial vector of entry and that DoD deployments may suffer from two of the same issues discussed in the 2012 Independent Oracle User Group’s Enterprise Data Security Survey:3

• “… monitoring is sporadic—most would not know if their data had been breached or corrupted …”• Database administrators (DBAs) apply patches long after vendor patch availability:

– 19%: less than three months

– 20%: three to six months

– 10%: longer than a year from patch date

– 10%: never patch

The patch levels of the database in particular are a long-time shell game played between database administrators (DBAs) and security practitioners. Because of the 24/7/365 nature of most databases, DBAs are not willing to take the risk that a patch will change database behavior and affect a mission negatively. Any delay in patching puts a shared JIE database resource at significant risk, regardless of whether it is in an organizational data center or a JIE CDC.

2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com

1 http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q3-2013.pdf2 For more information, the NIST IR 7904 –USG recommendation for Trusted Geo-Location in the Cloud discusses some applicable recommended best practices. 3 http://www.oracle.com/us/products/database/ioug-data-security-survey-1872819.pdf

McAfee, the McAfee logo, ePolicy Orchestrator, and McAfee ePO are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc. 60750wp_dod-jie_1213_fnl_ETMG

When coupled together, these constraints form a lethal problem for warfighters. The release of the patch gives adversaries an indication of the presence of the vulnerability against which they can craft an exploit. Typical DBAs are allowing months and sometimes more than a year to apply the vendor patch, during which time the now widely known vulnerability is exploitable. Lastly, and perhaps most damaging, commanders may be basing mission decisions on data that an adversary has changed without anyone being aware of it.

McAfee recommends that as part of the consolidation of organizational data centers to JIE CDCs, the architecture include specific protections designed around not only the underlying database and its patch levels, but also the commands and parameters that are actually passed by clients to the database server itself. This will allow for confidentiality and integrity to be achieved without impairing high availability.

The McAfee Database Security suite of tools is divided into three effective, complementary solutions designed to assist with the consolidation of DoD data centers into JIE CDCs:

McAfee Vulnerability Manager for Databases

• Agentless discovery of all databases across your environment.

• Conducts more than 4,200 individual vulnerability checks across leading database systems and evaluates risk across all known threat vectors.

• Generates detailed reports, expert recommendations for remediation.

McAfee Virtual Patching for Databases • Updates security posture as soon as new threats are identified without the downtime required by

traditional patching.

McAfee Database Activity Monitoring

• Real-time reliable protection for mission-critical databases across all known threat vectors.

• Generates detailed audit trail reports to meet STIG, CCRI, and other compliance audit requirements.

• Autonomous memory-based sensor implementation effective across both physical and virtual environments.

ConclusionMajor architectural modernization brings major opportunities. The Security Connected approach from McAfee offers the DoD a proven and responsible way to improve mission effectiveness, reduce training requirements, increase cybersecurity, and optimize resources and IT efficiencies. Integration and automation can minimize disruption while facilitating more stringent controls, reducing network and system administration costs, and moving diagnostics and mitigation to a continuous, risk-based model.

With expanding mission and demand, the DoD must optimize for its long-term operational and risk management health, using its acquisition influence to guide the government and its vendor partners toward the vision of an integrated, interoperable, and efficient infrastructure. Steps taken now should ensure that any future product or service deployed can integrate easily with today’s endpoint, network, and management infrastructure, as well as adapt gracefully to the inevitable evolution of the warfighter mission and endless creativity of state agents and cyberthreats.

Please visit mcafee.com/publicsector for solution guides, technology blueprints, and other reference materials describing the Security Connected portfolio.