ML22101A261

| Field | Value |
|---|---|
| Issue date | 03/31/2022 |
| From | Jonathan Feibus NRC/OCIO/CISD |
| To | |
| Shared Package | ML22101A241 |
| References | CSO-GUID-2108 |
| Download | ML22101A261 (14) |
Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Guidance

Office Instruction: CSO-GUID-2108
Title: Endpoint Protection Enterprise Security Architecture Guidance
Version Number: 1.0
Effective Date: March 31, 2022
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO/CSO

Description:
CSO-GUID-2108, Endpoint Protection Enterprise Security Architecture Guidance, provides additional information for complying with the endpoint protection security requirements specified in CSO-STD-2108, Endpoint Protection Enterprise Security Architecture Standard.

Training: As requested

Approvals:
Primary Office Owner: Office of the Chief Information Officer (OCIO) / Computer Security Organization (CSO)
SWG Chair: Bill Bauer, /RA/, 2/15/22
CISO: Jonathan Feibus, /RA/, 2/15/22
CSO-GUID-2108 Page i

TABLE OF CONTENTS
1 PURPOSE ... 1
2 GENERAL GUIDANCE ... 1
2.1 ANTIMALWARE SOLUTIONS ... 2
2.2 HOST-BASED BOUNDARY PROTECTION ... 2
2.3 APPLICATION CONTROL ... 2
2.4 CLOUD-BASED ENDPOINT SECURITY ... 3
2.5 ENDPOINT ENCRYPTION ... 3
2.6 SECURITY INFORMATION AND EVENT MANAGEMENT SOLUTIONS ... 3
2.7 ZERO TRUST ARCHITECTURE AND ENDPOINTS ... 3
3 SPECIFIC GUIDANCE ... 4
3.1 ANTIMALWARE PROTECTION ... 4
3.2 HOST-BASED APPLICATION BOUNDARY PROTECTION ... 5
3.3 SYSTEM APPLICATION ALLOWLISTING AND BLOCKLISTING ... 5
3.4 FILE INTEGRITY MONITORING ... 7
3.5 WEB CONTENT FILTERING ... 7
3.6 HOST-BASED NETWORK BOUNDARY PROTECTION ... 7
APPENDIX A. ACRONYMS ... 9
APPENDIX B. GLOSSARY ... 10
Computer Security Standard CSO-GUID-2108 Endpoint Protection Enterprise Security Architecture Guidance

1 PURPOSE

CSO-GUID-2108, Endpoint Protection Enterprise Security Architecture Guidance, provides additional information for complying with the endpoint protection security requirements specified in CSO-STD-2108, Endpoint Protection Enterprise Security Architecture Standard, for the Nuclear Regulatory Commission (NRC) systems that store or process information up to, and including, the Safeguards Information (SGI) level.
This document is intended for system administrators, system and solution architects, information technology (IT) system managers (operational and project-related), system owners, and Information System Security Officers (ISSOs) to ensure compliance with CSO-STD-2108.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision (Rev.) 5, Security and Privacy Controls for Information Systems and Organizations, provides specific control information related to malicious code protection and integrity checks for enterprise endpoint security systems. Additionally, NIST SP 800-207, Zero Trust Architecture, identifies a change in the cybersecurity paradigm that moves defenses from static, network-based perimeters to a focus on users, endpoints, and resources. These documents provide further guidance to facilitate compliance with CSO-STD-2108.
2 GENERAL GUIDANCE

The security requirements specified in CSO-STD-2108 relate to endpoint protection of NRC systems. This document presents the approach, high-level concepts, and terminology associated with the endpoint protection technologies used to derive the security requirements specified in the standard.

Endpoints traditionally referred to desktop computers or laptops that were secured by antivirus software and firewalls. In the current environment, endpoints include a wide array of devices, such as Government Furnished Equipment (GFE) mobile desktops, tablets, and loaner smartphones, as well as Bring Your Own Device (BYOD) laptops, tablets, smartphones, and other user-owned devices, all of which require much more security than antivirus software and firewalls provide. Endpoint security predominantly refers to the protection of devices that are operated by end users. Endpoints are the points where users access and manipulate data; hence, if not secured properly, they can become an entry point for network breaches.
The following subsections introduce endpoint protection technologies that are commonly used in the enterprise networking environment.
2.1 Antimalware Solutions

Antivirus and antimalware solutions are a critical part of any robust endpoint security plan.
Traditionally, antivirus software is used to protect the endpoints by detecting and removing viruses and other harmful software such as Trojan horses, adware, and more. Over time, adversaries developed more sophisticated malware to infect the endpoints and penetrate the private networks.
Depending on the type of antivirus or antimalware solution deployed, more sophisticated threats can be detected and analyzed in real-time. The typical attack chain for an endpoint involves installation of malware on a device. In most cases, this occurs when the endpoint user clicks on a malware-bearing link in an email or downloads malware in a file, such as a Portable Document Format (PDF) document. The end user does not notice any change, as the attacker wants the endpoint user to continue working and access a functional but compromised endpoint to breach the network. In response to such attacks, Endpoint Detection and Response (EDR) systems were developed to tackle advanced malware in real-time. As adversaries keep on challenging the EDR systems in protecting the endpoints, more versatile Extended Detection and Response (XDR) systems are being developed and deployed.
Traditional endpoint security is reactive and detects potential security threats by matching signatures and attack patterns. However, EDR tools use predictive methods and focus on identifying persistent threats and new malware forms that are designed to evade traditional security defenses. EDR solutions provide increased visibility necessary to respond to advanced cybersecurity threats, such as polymorphic malware, advanced persistent threats, and phishing.
Most EDR solutions protect against both known and unknown malware by using technologies such as machine learning that do not require daily updates. They look beyond malware and leverage behavioral analytics to automatically detect and stop an attack.
XDR solutions are more versatile and use a cross-platform approach to endpoint protection. While EDR solutions collect and correlate activities across multiple endpoints, XDR broadens the scope of detection beyond endpoints and analyzes data across endpoints, networks, servers, cloud-based systems, and more. This provides a unified view across multiple tools and attack vectors. XDR sifts through thousands of log entries using artificial intelligence, machine learning, and automation. Because of these enhanced features, XDR is gaining widespread acceptance over EDR solutions.
2.2 Host-based Boundary Protection

A host-based boundary protection solution is software-based and used to monitor and control incoming and outgoing network traffic. Such solutions play a key role in securing the endpoints.
The software-based boundary protection solution can be used to monitor endpoint traffic according to a set of predetermined rules and settings. This can be used to keep unauthorized users and devices from connecting to the endpoints and tapping into secure private networks.
2.3 Application Control

Application control is a security mechanism that blocks or restricts unauthorized applications from executing in a way that places endpoint data at risk. Keeping the endpoints safe involves restricting what end users can and cannot do. Application monitoring and control provides one such avenue to impose restrictions and oversight on which applications users can install and run on the endpoints. Most application control solutions include allowlisting and blocklisting capabilities that are used to allow or block execution of applications and automatically protect the endpoints. Application monitoring distinguishes acceptable applications from those that pose a threat to the endpoints. Even when applications are permitted, they should be monitored closely for any security incidents.
2.4 Cloud-based Endpoint Security

As the use of cloud computing rises, endpoints can also be distributed throughout the cloud architecture (e.g., servers hosted in the cloud). Therefore, cloud-based endpoint security becomes even more important when third-party cloud services are engaged. In this case, it is essential to set up a security perimeter within the cloud architecture that enforces access privileges and application control to secure the cloud-based implementation. Cloud-based endpoint solutions also provide security for remote endpoints (e.g., mobile desktops, tablets).
2.5 Endpoint Encryption

Endpoint encryption strengthens overall security by adding an extra layer of protection to data in the event an endpoint is lost or stolen. Therefore, Full Disk Encryption (FDE) should be used on all endpoints to safeguard data. Both hardware and software FDE are acceptable contingent upon compliance with all applicable requirements specified in CSO-STD-2009, Cryptographic Control Enterprise Security Architecture Standard, for the level of sensitive information stored, processed, or transmitted to the endpoints (e.g., servers).
2.6 Security Information and Event Management Solutions

Managing endpoint security is an enormous task, especially when managing applications and anticipating possible events. Since there can be a very large number of endpoint devices (both physical and virtual) within an enterprise system, keeping track of them and the risks they present requires a centralized logging system. However, logging data from these devices may not be useful unless this information is correlated with the likelihood of a security event occurring. This is where Security Information and Event Management (SIEM) solutions play a major role in identifying vulnerabilities, calculating risks based on the likelihood of an event, and automating a security response.
SIEM tools use agents (e.g., Splunk agents) to collect logs from the endpoints that are processed and filtered to provide alerts, reports, and dashboards that can be customized to fit specific security needs. SIEM solutions can also centralize antivirus, access control, and password management monitoring capabilities in one place, making endpoint security easier to monitor across the board.
2.7 Zero Trust Architecture and Endpoints

Endpoint security is handled differently in a newer architecture, named zero trust architecture (ZTA). ZTA is a security framework that requires all users and endpoints, whether inside or outside the agency network, to be authenticated, authorized, and continuously validated for security configuration before access is granted to applications and data. ZTA assumes that there is no traditional network boundary, meaning that networks can be local, in the cloud, or a combination, with resources anywhere and users in any location.

ZTA combines advanced technologies such as risk-based multi-factor authentication, identity protection, next-generation endpoint security, and robust cloud technology to verify an endpoint's or system's identity, consider access in real time, and maintain system security.
ZTA also requires encryption of data, securing email, and verifying the uncompromised state of endpoints before they connect to applications.
ZTA requires continuous monitoring and validation that a user or endpoint device has the right privileges and attributes for maintaining a connection to the network. Hence, all access requests are continuously vetted prior to allowing access to any cloud or on-premises endpoints. This is why enforcement of zero trust (ZT) policies relies on real-time visibility into user and endpoint identity attributes, such as:

- User identity and type of credential
- Number and privileges of each credential on each endpoint
- Endpoint hardware type and function
- Geographical location of endpoint
- Firmware version
- Operating system version and patch levels
- Applications installed on endpoint

The ZT model accounts for continuous verification and limits access through identity-based segmentation and least privilege. Further details related to ZTA are provided in NIST SP 800-207.
3 SPECIFIC GUIDANCE

To provide a clear delineation between the capabilities of endpoint protection technologies, the capabilities of each technology are defined below so that an endpoint protection solution can be checked against specific requirements. One or more endpoint protection solutions can be selected to increase the security posture beyond the capabilities of a single solution.

3.1 Antimalware Protection

Antimalware protection is a software solution that protects endpoints against viruses, worms, Trojan horses, rootkits, keyloggers, spyware, adware, and other malicious programs.

Antimalware solutions protect data that is:

- Transmitted over a network, locally executed, or accessed, by providing real-time on-access scanning capabilities.
- Stored at rest on local devices, by performing scheduled on-demand scans of local drives.
Antimalware protection solutions can also repair damage caused by malware and assist in responding to malware through repairing or quarantining infected files.
Antimalware protection uses a combination of signature-based detection and heuristic analysis to provide protection against the execution of malicious programs.

- Signature-based detection: Searches for known patterns of data, which requires prior detection, analysis, categorization, and cataloging by the software vendor, and vendor updates that are sent to the enterprise management repository for distribution to the endpoints.
- Heuristic analysis: Attempts to detect previously unknown viruses and new variants of existing viruses by analyzing potentially malicious behavior to determine the security risk to the system.

For antimalware protection to be fully effective, it needs to scan for threats in real time, so that files are verified against the signature definitions file and their behavior is analyzed as part of the heuristic analysis.
3.2 Host-Based Application Boundary Protection

The host-based application boundary protection (ABP) solution is designed to filter application activity by attempting to recognize behavior consistent with malware activity. When the system detects unwanted and/or malicious program activity, an agent installed on the endpoint blocks the program execution in real time.

ABP solutions monitor for network-based attacks. Since ABP is capable of analyzing program behavior, it combats not only known threats but also new malware whose signatures have not yet been developed. ABP solutions scan for threats in real time in order to block attacks. In this regard, ABP uses the heuristic behavior detection found in antimalware protection solutions.

ABP is not a replacement for an antimalware protection solution. Traditional antimalware solutions evaluate entire programs and block, quarantine, or delete them. ABP is more focused on assessing interactions between the evaluated executable and the libraries it uses, and may choose to block only part of an application's behavior. With many new viruses and variants identified each day, traditional signature-based antimalware protection solutions are being blended with ABP's behavior analysis to augment protection capabilities. Similarly, many endpoint protection solutions offer both ABP and application allowlist and blocklist capabilities in one product.
3.3 System Application Allowlisting and Blocklisting

The terms allowlist and blocklist are used to describe not only a list of executables but also how the allowlisting and blocklisting software uses them.

- Allowlist: A list of executable files that is applied in a deny-all, allow-by-exception approach. All executables are prohibited except those that are explicitly allowed by the list.
- Blocklist: A list of executable files that is applied in an allow-all, deny-by-exception approach. All executables are allowed to run except those that are explicitly denied by the list.
System application allowlisting and blocklisting is an effective solution to block unauthorized applications and code on endpoints by:

- Creating an allowlist of all executable binary and script files permitted to execute on the endpoint based on one or more factors, including filename, hash, and digital certificates.
- Maintaining an inventory of known malware or unauthorized applications by creating a blocklist of executable binary and script files that are prohibited from executing.
- Providing the ability to monitor and control the behavior of applications. Applications are granted or denied access to specific files and folders (and registry keys in Windows) by:
  - Allowing only authorized applications to run on endpoints;
  - Preventing all unauthorized code, including binaries and scripts, from running; and
  - Protecting against memory-based attacks and application tampering.
For example:

- Application allowlisting and blocklisting prevents unauthorized code from running by determining whether the application is attempting to run at a higher privilege level than the user running the application. This requires real-time monitoring of program execution and linking (e.g., executables calling Dynamic-link Library [DLL] or other libraries).
- Vendor research and trend analysis determines the trustworthiness of individual applications based on their use, as collected by the vendor's researchers. For example:
  - An executable that is part of the Microsoft Windows operating system or a common application like Adobe Acrobat Reader is deemed very trustworthy by the endpoint protection software.
  - A lesser-known, lesser-used application is deemed less trustworthy or not trustworthy at all by the endpoint protection software.
System administrators can use the following information during customization of the allowlists and blocklists. When allowlisting and blocklisting software detects the execution of a binary or script file, the software:

1. Compares the file to the allowlist or blocklist (or both, depending on its configuration), and then
2. Allows or blocks the execution.
Some endpoint protection solutions allow both allowlists and blocklists to operate simultaneously, so that administrators can review which applications are being run and then include them in one list or the other for subsequent executions.
Allowlists and blocklists can include permitted and prohibited vendors, products, and individual executables based on the use of certificates (code signing), file hashes, and, less optimally, file attributes.
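The decision logic described in this section, written out as an added illustration (not NRC code and not any vendor's product): an allowlist enforces deny-all, allow-by-exception; a blocklist enforces allow-all, deny-by-exception; when both are configured the blocklist is consulted first and unmatched binaries are recorded for administrator review. Executables are constructed records whose `signer` field stands in for a validated code-signing certificate, and the three match factors are tried strongest first (hash, certificate, filename).

```python
"""Allowlist/blocklist evaluation as described in CSO-GUID-2108 section 3.3 (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes
    signer: Optional[str] = None  # publisher from a (hypothetically) validated signature

    @property
    def name(self) -> str:
        return self.path.rsplit("/", 1)[-1].lower()

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class ExecList:
    """One allowlist or blocklist; entries may be hashes, signers, or bare filenames."""
    hashes: set = field(default_factory=set)
    signers: set = field(default_factory=set)
    names: set = field(default_factory=set)   # weakest factor: file attributes are easily spoofed

    def matches(self, exe: Executable) -> Optional[str]:
        """Return the factor that matched (strongest first), or None."""
        if exe.sha256 in self.hashes:
            return "hash"
        if exe.signer and exe.signer in self.signers:
            return "certificate"
        if exe.name in self.names:
            return "filename"
        return None

def decide(exe: Executable, allowlist: Optional[ExecList] = None,
           blocklist: Optional[ExecList] = None, audit: Optional[list] = None) -> Tuple[str, str]:
    """Evaluate one execution attempt.

    allowlist only -> deny-all, allow-by-exception
    blocklist only -> allow-all, deny-by-exception
    both           -> blocklist wins; then the allowlist must match; unmatched
                      binaries are appended to `audit` for administrator triage
    """
    if blocklist is not None:
        factor = blocklist.matches(exe)
        if factor:
            return ("block", f"blocklist:{factor}")
    if allowlist is not None:
        factor = allowlist.matches(exe)
        if factor:
            return ("allow", f"allowlist:{factor}")
        if audit is not None:
            audit.append(exe.path)   # unknown binary: administrator adds it to one list or the other
        return ("block", "allowlist:default-deny")
    return ("allow", "blocklist:default-allow")

# Constructed sample binaries; contents are placeholders, not real executables.
NOTEPAD = Executable("C:/Windows/System32/notepad.exe", b"MZ notepad", signer="Microsoft Windows")
READER = Executable("C:/Program Files/Adobe/AcroRd32.exe", b"MZ reader", signer="Adobe Inc.")
UNKNOWN = Executable("C:/Users/jdoe/Downloads/invoice.exe", b"MZ dropper")
RENAMED = Executable("C:/Users/jdoe/Downloads/notepad.exe", b"MZ not notepad")  # impostor by name

ALLOW = ExecList(hashes={NOTEPAD.sha256}, signers={"Adobe Inc."})
BLOCK = ExecList(hashes={UNKNOWN.sha256})
NAME_ONLY = ExecList(names={"notepad.exe"})   # the "less optimal" file-attribute approach

def demo():
    """Run the sample binaries through the three configurations; returns (decisions, audit)."""
    audit = []
    results = {
        "notepad": decide(NOTEPAD, allowlist=ALLOW, blocklist=BLOCK, audit=audit),
        "reader": decide(READER, allowlist=ALLOW, blocklist=BLOCK, audit=audit),
        "unknown": decide(UNKNOWN, allowlist=ALLOW, blocklist=BLOCK, audit=audit),
        "renamed_by_hash": decide(RENAMED, allowlist=ALLOW, audit=audit),
        "renamed_by_name": decide(RENAMED, allowlist=NAME_ONLY),
        "blocklist_only": decide(RENAMED, blocklist=BLOCK),
    }
    return results, audit

if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:16} {verdict}")
```

The `renamed_by_name` case shows why the text calls file attributes the less optimal factor: an unsigned impostor named `notepad.exe` passes a filename-only allowlist but is denied by the hash-based one.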
3.4 File Integrity Monitoring

File integrity monitoring (FIM) is an effective solution to monitor and provide alerts on specific file changes in a system. FIM is an internal process that validates the integrity of the operating system, database, and application software files to determine whether they have been tampered with or are corrupt. FIM compares the current file state against a known, good baseline using a verification method.
The system is either scanned periodically or in real-time (or both), and the current configuration is compared against the original. Any changes detected to the file are logged and included in reports.
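The baseline-and-compare cycle described above, as an added example (not NRC code or a product implementation): the verification method chosen here is SHA-256 over file contents plus size and permission bits, and a constructed temporary directory stands in for a monitored system tree. A deployed FIM would additionally protect the baseline itself (signed, stored off-host) so that whoever tampers with a file cannot simply re-baseline.

```python
"""File integrity monitoring baseline and comparison, illustrating CSO-GUID-2108 section 3.4."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def _fingerprint(path: Path) -> dict:
    """Verification data for one regular file: content hash, size and permission bits."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}

def build_baseline(root: Path) -> dict:
    """Known-good snapshot: relative path -> fingerprint, for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): _fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify every change; a modified file lists which attributes differ."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diff = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
            if diff:
                report["modified"][rel] = diff
    return report

def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, and report the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "app.conf").write_text("listen=443\n")
        (root / "bin" / "agent").write_bytes(b"\x7fELF agent v1")
        (root / "bin" / "helper").write_text("#!/bin/sh\nexit 0\n")
        (root / "bin" / "helper").chmod(0o444)
        (root / "readme.txt").write_text("ok\n")
        baseline = build_baseline(root)

        # Simulated tampering: config edited, binary replaced with one of identical size,
        # a file removed, a new script dropped, and a permission change with no content change.
        (root / "app.conf").write_text("listen=443\nallow=*\n")
        (root / "bin" / "agent").write_bytes(b"\x7fELF agent v2")
        (root / "readme.txt").unlink()
        (root / "bin" / "cron.sh").write_text("#!/bin/sh\n")
        (root / "bin" / "helper").chmod(0o644)

        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Note that `bin/agent` is caught by the hash alone because the replacement has the same size, which is why a size-or-timestamp-only check is not an adequate verification method.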
3.5 Web Content Filtering

Web content filtering enforces an acceptable use policy for internet access by blocking content defined by organizational policy, while allowing safe and appropriate content to pass. The web content filtering solution:

- Monitors internet requests;
- Applies internet usage filters per request; and
- Logs and reports on internet usage activity.
This requires real-time inspection of web requests in order to block inappropriate and/or prohibited content.
Web content filtering typically operates either as a client-side-only application or through a central proxy/gateway. It monitors the content of web pages based on the category of the site (e.g., adult, gambling, violence). In addition to filtering the content of web pages, the application mitigates additional potential threats by attempting to block malware, fake antivirus offers, botnets, keyloggers, and other web-based threats. However, web content filtering applications are not a replacement for antimalware protection solutions, since the content filtering application limits its analysis to specific sources.
3.6 Host-Based Network Boundary Protection

Host-based network boundary protection (NBP) solutions protect endpoints by allowing fine granularity when determining which network ports, protocols, and services need to be enabled or disabled on an endpoint, and by blocking, detecting, and preventing unauthorized network activities.
The most secure implementation of an NBP solution is a deny-all, allow-by-exception policy in which all network ports, protocols, and services, except those that are required for the operation of the system, are blocked.
NBP solutions restrict incoming and outgoing network activity on a host, and protect the host regardless of which network it is connected to, through the use of stateful packet inspection. This requires real-time inspection of traffic during ingress and egress in order to block undesirable and/or prohibited traffic.

NBP solutions are stateful, meaning that they maintain context about active sessions and use that state information to determine a course of action. For example:

- If a packet (i.e., one unit of binary data sent through a network) does not match an existing connection, the packet is evaluated according to the ruleset for new connections.
- If a packet matches an existing connection based on comparison with the current state information, the packet is allowed to pass without further processing.
NBP solutions inspect several elements of network traffic to and from the endpoint, including:

- Source and destination Internet Protocol (IP) address;
- User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) ports;
- Current stage of the connection (i.e., session initiation, handshaking, data transfer, or connection completion); and
- Traffic for specific protocols such as Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol/Secure (HTTPS), Secure Shell (SSH), and others.
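The stateful decision loop this section describes, as an added example (not NRC code and not any firewall product): a deny-all, allow-by-exception ruleset is consulted only for the first packet of a connection, a session table keyed on the 5-tuple tracks the stage of each connection (initiation, handshake, established, completion), and packets that match an existing session pass without rule processing. Packets, addresses (documentation ranges) and rules are all constructed for the illustration.

```python
"""Stateful host-based NBP decision loop, illustrating CSO-GUID-2108 section 3.6 (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out" relative to the protected host
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags, e.g. "S", "SA", "A", "F" (empty for UDP)

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport: int
    action: str                  # "allow" or "block"
    remote: Optional[str] = None  # optional restriction on the remote address

def _key(pkt: Packet) -> tuple:
    """Canonical 5-tuple so both directions of one flow map to the same session entry."""
    return (pkt.proto,) + tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = {}   # session key -> connection stage

    def _new_connection(self, pkt: Packet) -> str:
        """Ruleset for new connections: first matching rule wins, default deny."""
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        for r in self.rules:
            if (r.direction, r.proto, r.dport) == (pkt.direction, pkt.proto, pkt.dport) \
                    and (r.remote is None or r.remote == remote):
                return r.action
        return "block"

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        k = _key(pkt)
        if k in self.sessions:
            # Existing connection: pass without rule processing, only advance the stage.
            stage = self.sessions[k]
            if pkt.proto == "tcp" and ("F" in pkt.flags or "R" in pkt.flags):
                self.sessions.pop(k)
                return ("allow", "existing:completion")
            if stage == "initiation" and pkt.flags == "SA":
                self.sessions[k] = "handshake"
            elif stage == "handshake" and pkt.flags == "A":
                self.sessions[k] = "established"
            return ("allow", f"existing:{stage}")
        if pkt.proto == "tcp" and pkt.flags != "S":
            return ("block", "no-session:unsolicited")   # mid-stream packet with no state
        action = self._new_connection(pkt)
        if action == "allow":
            self.sessions[k] = "initiation" if pkt.proto == "tcp" else "established"
        return (action, "new-connection")

# Constructed policy: outbound HTTPS anywhere, inbound SSH only from one admin host.
RULES = [Rule("out", "tcp", 443, "allow"), Rule("in", "tcp", 22, "allow", remote="10.0.0.5")]
HOST, WEB, ADMIN, SCANNER = "10.0.0.20", "203.0.113.50", "10.0.0.5", "198.51.100.7"

def demo():
    """Feed a constructed packet sequence through the filter; returns the list of decisions."""
    fw = StatefulFilter(RULES)
    packets = [
        Packet("out", "tcp", HOST, 50000, WEB, 443, "S"),    # new HTTPS session
        Packet("in", "tcp", WEB, 443, HOST, 50000, "SA"),    # server half of the handshake
        Packet("out", "tcp", HOST, 50000, WEB, 443, "A"),    # handshake completes
        Packet("out", "tcp", HOST, 50000, WEB, 443, "A"),    # data transfer
        Packet("in", "tcp", SCANNER, 4444, HOST, 22, "S"),   # SSH from an unapproved address
        Packet("in", "tcp", ADMIN, 51000, HOST, 22, "S"),    # SSH from the admin host
        Packet("in", "tcp", SCANNER, 1234, HOST, 445, "A"),  # ACK with no matching session
        Packet("out", "udp", HOST, 5353, "224.0.0.251", 5353),  # no rule for this protocol/port
        Packet("in", "tcp", WEB, 443, HOST, 50000, "F"),     # server closes the HTTPS session
        Packet("out", "tcp", HOST, 50000, WEB, 443, "A"),    # late packet after completion
    ]
    return [fw.evaluate(p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```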
APPENDIX A. ACRONYMS

ABP - Application Boundary Protection
BYOD - Bring Your Own Device
CSO - Computer Security Organization
DLL - Dynamic-link Library
EDR - Endpoint Detection and Response
FDE - Full Disk Encryption
FIM - File Integrity Monitoring
GFE - Government Furnished Equipment
HTTP - Hypertext Transfer Protocol
HTTPS - Hypertext Transfer Protocol/Secure
IP - Internet Protocol
ISSO - Information System Security Officer
IT - Information Technology
NBP - Network Boundary Protection
NIST - National Institute of Standards and Technology
NRC - Nuclear Regulatory Commission
OCIO - Office of the Chief Information Officer
PDF - Portable Document Format
SIEM - Security Information and Event Management
SGI - Safeguards Information
SP - Special Publication
SSH - Secure Shell
STD - Standard
SUNSI - Sensitive Unclassified Non-Safeguards Information
TCP - Transmission Control Protocol
UDP - User Datagram Protocol
XDR - Extended Detection and Response
ZT - Zero Trust
ZTA - Zero Trust Architecture
APPENDIX B. GLOSSARY

Adware - Software that, once downloaded to the endpoint, automatically displays or downloads advertisements on the endpoint.

Allowlist - A list of executable files that is applied in a deny-all, allow-by-exception approach. All executables are prohibited except those which are explicitly allowed by the list.

Antimalware - Software designed to protect endpoints from viruses, worms, Trojan horses, spyware, adware, and other malicious programs.

Antivirus - Software designed to protect endpoints from malicious software.

Blocklist - A list of executable files that is applied in an allow-all, deny-by-exception approach. All executables are allowed to run except those which are explicitly denied by the list.

Botnet - Software designed to infect large numbers of endpoints, causing endpoints to perform automated tasks without the user knowing it (e.g., send out spam email messages, spread viruses, attack endpoints).

Bring Your Own Device - Device (e.g., personal tablet, smartphone, laptop) not leased or owned by NRC, which NRC has agreed can process sensitive information as long as the user signs an agreement to incorporate specific controls on the device and follow NRC rules regarding processing such information on the device.

Egress - Traffic or commands exiting a device's network interface.

Endpoint - A remote computing device that is attached to a network, and is capable of sending, receiving, or forwarding information over a communications channel that uses an IP address and port number.

Endpoint Protection - A security approach utilizing system application allowlisting and blocklisting, data integrity monitoring, web content filtering, antimalware protection, host-based NBP, and host-based ABP for greater security of endpoints within a system.

Heuristic Analysis - The practice of identifying malware based on previous experiences, observations of malware behavior, and typical points of attack.

Host-based Application Boundary Protection - A software package, or component of an endpoint security suite, which monitors a single host for malicious activity, analyzes that activity, logs information about the activity, and attempts to block/stop the activity.

Host-based Network Boundary Protection - Software-based or hardware-based security tool which controls incoming and outgoing network traffic by analyzing network data packets based on a predetermined ruleset.

Ingress - Traffic or commands coming into a device's network interface from an external source.

Keylogger - A hardware device or a software program that records the real-time activity of a user, including the keyboard keys pressed.

Malicious Code - Software or firmware intended to perform an unauthorized process that has an adverse impact on the confidentiality, integrity, or availability of a system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.

Mobile Desktops - Laptops provided to users by the Office of the Chief Information Officer (OCIO), allowing users to remotely connect to the NRC infrastructure to access NRC resources and process information up to, and including, the Sensitive Unclassified Non-Safeguards Information (SUNSI) level.

Packet - Logical grouping of information that includes a header containing control information and user data.

Spyware - Software that is secretly or surreptitiously installed into a system to gather information on individuals or organizations without their knowledge; a type of malicious code.

Trojan Horse - A program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Virus - A program that can copy itself and infect an endpoint without permission or the knowledge of the user. A virus might corrupt or delete data on a device, use email programs to spread to other devices, or even erase everything on a hard disk.

Worm - A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread. See malicious code.
CSO-GUID-2108 Change History

| Date | Version | Description of Changes | Method Used to Announce & Distribute | Training |
|---|---|---|---|---|
| 15-Feb-22 | 1.0 | Initial release | Post to OCIO/CSO Standards SharePoint site | N/A |