Host Based Security System

Host Based Security System (HBSS) is the official name given to the United States Department of Defense (DOD) commercial off-the-shelf (COTS) suite of software applications used within the DOD to monitor, detect, and defend DOD computer networks and systems. The Enterprise-wide Information Assurance and computer Network Defense Solutions Steering Group (ESSG) sponsored the acquisition of the HBSS system for use within the DOD Enterprise Network. HBSS is deployed on both the Non-Classified Internet Protocol Routed Network (NIPRNet) and the Secret Internet Protocol Routed Network (SIPRNet), with priority given to installing it on the NIPRNet. HBSS is based on McAfee, Inc.'s ePolicy Orchestrator (ePO) and other McAfee point product security applications such as the Host Intrusion Prevention System (HIPS).

History

Seeing the need to supply a comprehensive, department-wide security suite of tools for DOD system administrators, the ESSG started gathering requirements for a host-based security system in the summer of 2005. In March 2006, BAE Systems and McAfee were awarded a contract to supply an automated host-based security system to the department. After the award, 22 pilot sites were identified to receive the first deployments of HBSS. [1] During the pilot rollout, DOD system administrators around the world were identified and trained on the HBSS software in preparation for deployment across the DOD.

On October 9, 2007, the Joint Task Force for Global Network Operations (JTF-GNO) released Communications Tasking Order (CTO) 07-12, "Deployment of Host Based Security System (HBSS)", mandating the deployment of HBSS on all Combatant Command, Service and Agency (CC/S/A) networks within the DOD, with a completion date of the third quarter of 2008. [2] The release of this CTO brought HBSS to the attention of all major department heads and CC/S/As, giving the ESSG the authority needed to enforce its deployment. Agencies not complying with the CTO now risked being disconnected from the DOD Global Information Grid (GIG).

Lessons learned from the pilot deployments provided valuable insight to the HBSS program and eventually led the Defense Information Systems Agency (DISA) to supply both pre-loaded HBSS hardware and an HBSS software image that could be loaded on compliant hardware platforms. This proved invaluable in easing the deployment task for the newly trained HBSS system administrators and provided a consistent department-wide software baseline. DISA further provided step-by-step documentation for building an HBSS baseline from a freshly installed operating system. The lessons learned from the NIPRNet deployments simplified deploying HBSS on the SIPRNet.

Significant HBSS dates

HBSS components

Throughout its lifetime, HBSS has undergone several major baseline updates as well as minor maintenance releases. The first major release, Baseline 1.0, contained the McAfee ePolicy Orchestrator engine, HIPS, the software compliance profiler (SCP), rogue system detection (RSD), the asset baseline manager (ABM), and the assets software. As new releases were introduced, these products have evolved, new products have been added, and in some cases products have been completely replaced by different ones.

HBSS Baseline 4.5 MR2 components

As of January 2011, HBSS is at Baseline 4.5, Maintenance Release 2.0 (MR2). MR2 contains the following software:

Microsoft products

Software application | Version
Microsoft Windows | 2003 SP2 (5.2.3790)
Microsoft .NET framework | 1.1.4322.2433
Microsoft .NET framework | 2.2.30729
Microsoft .NET framework | 3.2.30729
Microsoft .NET framework | 3.5.30729.1
Microsoft Internet Explorer | 7.0.5720.13
Microsoft SQL Management Studio | SQL 2005 SP3 - 9.00.4035.00

Optional products/components

Software application | Version
Symantec SEP/SAV integration extension | 1.3, plugin 1.666
McAfee VirusScan Enterprise | 8.7.0.570 (evaluation)
McAfee VirusScan Enterprise 8.7 extension | 8.7.0.195
McAfee VirusScan report extension | 1.1.0.154

SIPRNet-only products/components

Software application | Version
ArcSight Connector | 5.0.4.5717
Rollup Extender | 1.2.8

How HBSS works

The heart of HBSS is the McAfee ePolicy orchestrator (ePO) management engine. The McAfee tools are responsible for:


McAfee point products

McAfee uses the term point product for an individual software application controlled by the ePO server. The HBSS point products are the following:

Host intrusion prevention system

The host intrusion prevention system (HIPS) consists of a host-based firewall and application-level blocking consolidated in a single product. The HIPS component is one of the most significant components of HBSS, as it provides the capability to block known intrusion signatures and to restrict unauthorized services and applications running on the host machines.

Policy auditor

Policy Auditor (PA) was introduced in HBSS Baseline 2.0. It is responsible for ensuring compliance with mandates such as the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes–Oxley Act of 2002 (SOX), the Gramm–Leach–Bliley Act of 1999 (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Federal Information Security Management Act of 2002 (FISMA), as well as the best-practice frameworks ISO 27001:2005 and Control Objectives for Information and related Technology (COBIT). By mapping IT controls against predefined policy content, Policy Auditor helps report consistently and accurately against key industry mandates and internal policies, across an entire infrastructure or on specific targeted systems. Policy Auditor is an agent-based IT audit solution that uses the Security Content Automation Protocol (SCAP) to automate the processes required for internal and external IT audits. [4]

Assets baseline module

The assets baseline module, released in Baseline 1.0 as a government off-the-shelf (GOTS) product, is used to manage system baseline configurations and the changes required in response to information operations condition (INFOCON) changes during times of heightened threat to the system. During the initial deployment stages of HBSS, the assets module was immature and lacked much of the product's intended capability. The application has since evolved into a robust, feature-rich version capable of meeting the original design goals. ABM was originally known as Assets 1.0; it was upgraded to Assets 2.0 in HBSS Baseline 2.0 and later called Assets 3000 in HBSS Baseline 3.0.

Rogue system detection

The rogue system detector (RSD) component of HBSS provides real-time detection of new hosts attaching to the network. RSD monitors network segments and reports every host seen on the network to the ePO server. The ePO server then determines whether the system is connected to the ePO server, has a McAfee agent installed, has been identified as an exception, or is considered rogue, and takes the action(s) the RSD policy specifies for rogue hosts. HBSS Baseline 1.0 introduced RSD 1.0; RSD was updated to 2.0 in HBSS Baseline 2.0.
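As an added illustration (not code from the article, DISA or McAfee), the decision the paragraph describes in Python: sensor reports are collapsed to the latest sighting per MAC address, each host is placed in one of the four states named above, and a constructed policy table supplies the response. The state names, the 24-hour staleness threshold that separates "connected" from "agent installed", the policy actions and all sample hosts are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass(frozen=True)
class SensorReport:
    """One host sighting forwarded by an RSD sensor to ePO (constructed shape)."""
    mac: str
    ip: str
    seen_at: datetime
# The four outcomes the article names, in the order ePO evaluates them here.
MANAGED = "connected"           # agent installed and recently reporting to ePO
AGENT_ONLY = "agent-installed"  # agent known to ePO but not reporting lately
EXCEPTION = "exception"         # administrator-approved unmanaged device
ROGUE = "rogue"
# Constructed stand-in for the per-state response an RSD policy would define.
RSD_POLICY = {
    MANAGED: "no action",
    AGENT_ONLY: "alert: check agent health",
    EXCEPTION: "no action",
    ROGUE: "alert and open incident",
}

def classify(mac, agent_last_contact, exceptions, now, stale_after=timedelta(hours=24)):
    """State for one sighted MAC. agent_last_contact maps MAC -> time of the last
    agent-to-server contact; exceptions is the set of administrator-approved MACs."""
    last = agent_last_contact.get(mac)
    if last is not None and now - last <= stale_after:
        return MANAGED
    if last is not None:
        return AGENT_ONLY
    if mac in exceptions:
        return EXCEPTION
    return ROGUE

def triage(reports, agent_last_contact, exceptions, now, policy=RSD_POLICY):
    """Keep the latest sighting per MAC, classify it, and attach the policy action."""
    latest = {}
    for r in reports:
        if r.mac not in latest or r.seen_at > latest[r.mac].seen_at:
            latest[r.mac] = r
    decisions = {}
    for mac, r in latest.items():
        state = classify(mac, agent_last_contact, exceptions, now)
        decisions[mac] = {"ip": r.ip, "state": state, "action": policy[state]}
    return decisions

# Constructed sample data: two agent records, one exception, one unknown host.
NOW = datetime(2011, 1, 15, 12, 0)
AGENT_LAST_CONTACT = {
    "00:11:22:33:44:01": NOW - timedelta(minutes=30),  # healthy managed workstation
    "00:11:22:33:44:02": NOW - timedelta(days=3),      # agent installed, stopped reporting
}
EXCEPTIONS = {"00:11:22:33:44:03"}                     # network printer without an agent
REPORTS = [
    SensorReport("00:11:22:33:44:01", "10.0.0.11", NOW - timedelta(minutes=5)),
    SensorReport("00:11:22:33:44:02", "10.0.0.12", NOW - timedelta(minutes=4)),
    SensorReport("00:11:22:33:44:03", "10.0.0.13", NOW - timedelta(minutes=3)),
    SensorReport("00:11:22:33:44:04", "10.0.0.14", NOW - timedelta(minutes=9)),
    SensorReport("00:11:22:33:44:04", "10.0.0.24", NOW - timedelta(minutes=2)),  # same host, new IP
]
```

Calling `triage(REPORTS, AGENT_LAST_CONTACT, EXCEPTIONS, NOW)` yields one decision per host, with the re-addressed unknown host reported at its most recent IP.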

Device control module/data loss prevention

The DCM component of HBSS was introduced in HBSS Baseline 2.0 specifically to address the use of USB devices on DOD networks. JTF-GNO CTO 09-xxx, "Removable Flash Media Device Implementation Within and Between Department of Defense (DOD) Networks", was released in March 2009 and allowed the use of USB removable media provided it meets all of the conditions stated in the CTO. One of these conditions requires HBSS with the DCM module installed and configured to manage the USB devices attached to the system. [5] DCM was renamed data loss prevention (DLP) in HBSS Baseline 3.0 MR3.

Assets publishing service

The assets publishing service (APS) of HBSS was introduced in HBSS Baseline 4.0 to allow enclaves to report asset information to a third-party DoD entity in a standards-compliant format. It adds contextual information to HBSS assets and allows improved reporting features on systems that rely on HBSS data.

Obtaining HBSS

According to JTF-GNO CTO 07-12, all DOD agencies are required to deploy HBSS on their networks. DISA has made the HBSS software available for download on its PKI-protected patch server. Users attempting to download the software must have a Common Access Card (CAC) and be on a .mil network. DISA provides software and updates free of charge to DOD entities.

Additionally, HBSS administrators must satisfactorily complete HBSS training and are commonly appointed in writing by the unit or section commander.

Learning HBSS

In order to receive and administer an HBSS system, system administrators must satisfactorily complete online or in-class HBSS training and be identified as an HBSS administrator. Online training takes 30 hours to complete, while in-class training requires four days, excluding travel. An advanced HBSS class is also available to HBSS administrators wishing to acquire more in-depth knowledge of the system. HBSS online and in-class training is managed by DISA.

HBSS support

The DISA Risk Management Executive Office (RE), formerly the Field Security Office (FSO), provides free technical support to all HBSS administrators through its help desk. DISA has three tiers of support, Tier I to Tier III. Tier I and Tier II support is provided by DISA FSO, while Tier III support is provided by McAfee. DISA FSO support is available through one of the following methods: [6]

Email: disa.tinker.eis.mbx.cdk21-hbss-service-desk [at] mail.mil
DSN: 850-0032
Toll Free: 844-347-2457

The future of HBSS

At its current pace, HBSS has been updated several times from the original Baseline 1.0 to the current Baseline 3.0, MR3 version. Within Baseline 3.0, maintenance releases have been introduced every two to four months, bringing better stability and security with each release. HBSS follows McAfee ePO version updates closely and it is expected to continue this trend as ePO is continuously developed.

References

  1. "Host Based Security System (HBSS)". 2010-06-19. Archived from the original on 2010-06-19. Retrieved 2021-08-18.
  2. "infoexchange". 2010-12-05. Archived from the original on 2010-12-05. Retrieved 2021-08-18.
  3. Henry Kenyon, "Northrop Grumman Wins Air Force SIPRNET Contract", http://www.afcea.org/signal/signalscape/index.php/2009/11/northrop-grumman-wins-air-force-siprnet-contract/, 2010-03-13. [dead link]
  4. "McAfee Policy Auditor". Retrieved 2012-11-15.
  5. "DoD Can Use USB Securely | Blog Central". 2011-01-20. Archived from the original on 2011-01-20. Retrieved 2021-08-18.
  6. "DoD Information Assurance Tools". 2010-02-12. Archived from the original on 2010-02-12. Retrieved 2021-08-18.