A Quieter Environment Enhancing Small IT Teams In The Defense Industrial Base (DIB)

Summary:

A RUDE AWAKENING FOR BETTER CYBER POSTURE

In 2020 a large US based construction firm [that operates for the Department of Defense] suffered from a massive phishing attack that ultimately resulted in fraudulent payments being sent to an offshore location. Luckily with the assistance of law enforcement and banking institutions a majority of the money was recovered.

This phishing attack was a wake-up call for the company to tighten up their security and take preventative action for both their commercial and GCC High environments. This preventative action plan included preparing their environment to take on government contracts in a secure and compliant manner while taking actionable steps towards outsmarting the adversary to avoid yet another phishing/ransomware attack.

Considering that the customer would begin taking on additional government contracts, they began looking for a partner to assist their small IT team, as well as help them to achieve CMMC compliance.

Problem

A NEED FOR A SECURE AND COMPLIANT GCC HIGH ENVIRONMENT

Before the Conquest team stepped into the picture, the customer’s environment was built only to accommodate their commercial environment. While the M365 E3 capabilities were established, there was no continuous monitoring in place. The environment was also not able to support any of their federal engagements where they would need to have housed Controlled Unclassified Information (CUI) from current and historical projects. Prior to this engagement, they were fully utilizing the government infrastructure within their (at the time) parent company’s environment. This process was tedious and unsustainable as they would be preparing to branch off from their parent company in due time.

As part of their consideration process for services, they recognized their need to achieve CMMC compliance to win contracts with the DoD. The journey to CMMC compliance would have taken years to complete with their newly formed IT team, which consisted of only a handful of people that were challenged by limited resources, heavy workloads and a shifting regulatory environment. Through detailed analysis and verification of community best practices around meeting these requirements in a timely manner they determined that the current approach was unsustainable. They simply did not have the bandwidth to provide the upkeep around both commercial and federal environments and failure to comply would result in missed revenue-generating opportunities and the possibility of additional cyber-attacks.

Solution

COMPLIANCE & BEYOND

After scoping the environment, the combined forces of the internal team and Conquest defined a clear path towards compliance, maturity, and effectiveness to deliver a holistic and integrated solution to the client. Stemming from the heightened need for CMMC compliance and a secure enclave to house government data, the customer team closed in on the decision to build out a GCC High environment, an enclave to be separated from their commercial environment.

Microsoft’s GCC High has the necessary controls in place to enable organizations to store and handle controlled unclassified information (CUI). Under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, organizations that store, process, or transmit export-controlled data that is controlled under International Traffic and Arms Regulation (ITAR), or the Export Administration Regulations (EAR) have been subject to safeguarding this information since December 2017. GCC High is the cloud environment that Microsoft attests to meeting these requirements.

As a Microsoft Gold Partner, and Microsoft US Defense and intelligence 2022 Partner of the Year Winner, Conquest Cyber was a top contender to configure the GCC High enclave and provide full monitoring and management of the enclave.

To kick off the project, the Conquest team prepared their environment by building out a greenfield GCCH environment from scratch, and ensuring all applications were configured according to best practices for Microsoft security. After the cloud build was complete, the migration was initiated for their team to begin operating effectively.

MONITORING AND MANAGING

Now that the customer has two environments to support their different lines of effort, the Conquest team continued to equip them with the right resources to maintain a cyber resilient program with a tailored approach to each ecosystem by leveraging the ARMED ATK platform to provide:

Cyber Program Management through DEFEND: Provides a real-time view of overall program maturity

CMMC (Cybersecurity Maturity Model Certification) 2.0 and Publication 4812 Compliance Management through COMPLIANCE: Helps visualize and manage industry-specific regulatory requirements

24x7x365 Extended Detection and Response, Advanced Threat Hunting, and Managed Sentinel Service through SECOPs: Provides one centralized Security Operations Center (SECOPs) for all security alerts and incidents

Attack Surface Management through SHIELD: Provides real-time critical asset inventory and vulnerability insights, along with patch management, vulnerability management, firewall management, and phishing testing and awareness management

Monitoring and managing through Conquest has filled gaps that have ultimately resulted in cost savings. Conquest saved the company an estimate of $70k on cyber insurance policy within the first year. Eliminating the need to hire cybersecurity specialists is another example of cost savings. Additionally, this allowed their current IT team to take on more internal projects resulting in time savings while they handed off all security needs to Conquest. In addition to the cloud build, monitoring, and managing, a variety of SCyOps services continue to be conducted to further ensure the cyber resiliency aspect including: 

WE DON’T HAVE TO HIRE SOMEONE TO MANAGE ALL OF THOSE SECURITY PIECES. IF WE RUN INTO AUDITS OR HAVE ANY QUESTIONS AROUND SECURITY, WE COULD JUST ASK THE CONQUEST TEAM VERSUS TRYING TO FIGURE IT OUT OURSELVES… THEY ARE LIKE THE TIER-FOUR TEAM THAT WE NEED.

– Director of IT at a Large Construction Firm

Distinctives

CONTINUED SERVICES – A TRUSTED PARTNERSHIP

At Conquest, we believe that compliance is never the finish line, as it significantly trails the broad realization of risk. All aspects of any environment require close attention to detail to decipher the immediate threats that the organization is facing and what is worth the attention from a team with a very small bandwidth.

Companies that serve the Defense Industrial Base are some of the most targeted of the critical infrastructure sectors, leaving them with hundreds of thousands of alerts that come through on a daily basis. The Conquest SECOPS team was able to remove 98% of the case load – only escalating 1.4% of cases to the customer in a one-year timespan. We were able to do this by identifying the customer’s crown jewels and directly connecting the dots between their risk and operations while also turning away false positives and unnecessary information.

Additionally, Conquest takes the time to sit down with the customer on a continuous basis to conduct bi-weekly ticketing and tuning reviews, and quarterly Cyber Resiliency Reviews (CRRs). These reviews help the customer clearly understand the risks they are facing within their environment and drives clarity to where they are currently at in their cyber program versus what needs to be done differently to achieve and maintain compliance, maturity, and effectiveness.

Lastly, the Conquest team is always readily available. The customer has continuous access to the Conquest knowledge base, Azure experts, and tailored threat intelligence. These available assets have allowed the customer to:

• Evaluate overall budgeting, including tracking Sentinel ingestion costs
• Ensure they select the most cost effective Sentinel tier
• Make informed decisions with tailored threat intelligence
• Push out updated baseline rules and tuning down unnecessary data and false positive
• Effectively document and showcase evidentiary compliance requirements

How can Conquest implement solutions like GCC High environments so quickly and effectively? This capability is due in part to a close relationship with Microsoft.

As a Microsoft Gold Competency and FastTrack Partner, Conquest is qualified to build and manage secure cloud solutions through digital transformation services.

SOC monitoring tools like ARMED ATK integrate directly with the Microsoft ecosystem to provide additional layers of protection through detection, isolation, remediation, and process design. This holistic visibility empowers organizations to harness the full capabilities of a Microsoft Security, Compliance, and Identity suite.

To ensure a swift audit, the organization was able to implement audit logging and reporting capabilities using the ARMED ATK platform. This reduces audit burden and allows them to continuously implement their evidence to support their cyber strategy and maintain compliance.

Thanks to multiple successful projects like this one, Conquest won the Microsoft US Defense and Intelligence Partner of the Year Award in June 2022.

Outcomes

FURTHER BENEFITS – A QUIET ENVIRONMENT

With the help of Conquest and the need for a secure and compliant GCC High enclave, the customer was able to leverage additional layers of security to enable cyber resiliency across their infrastructure while achieving and maintaining compliance. With training, cloud configurations, numerous working sessions to renew their policies and procedures, and providing proper documentation tools needed to prove compliance, the customer was able to achieve over 95% CMMC compliance.

Additionally, monitoring both commercial and federal environments would be a crucial part of this engagement to avoid another detrimental cyber-attack. Using the ARMED ATK modules, their IT team has only had to review 152 out of 11,138 cases in their environment in the last year. Removing this heavy workload from their small IT team has lifted a weight from their shoulders and has gotten them closer to cyber resiliency than they’ve ever been before without the need to grow their team.

PROJECTED SPEND SCENARIOS

PRE-CONQUEST RISK FACTORS

• Lack of visibility into alerts ans suspicious activity within the Azure cloud environment
• Wide breadth of tooling deployed without sufficient integration and proper configuration
• Overburdening of current resources managing suite of tools.

REMEDIATION WITH CONQUEST

• 24/7/365 monitoring of cloud activity; immediate notifications of malicious and/or suspicious actions with remediation recommendations.
• Consolidated cybersecurity suite of tools; identified roles and responsibilities across organizations.
• Extension of cybersecurity team that enables the customer’s resources to prioritize other initiatives; access to outsources SOC, Cloud Engineers, Project Managers and Microsoft expertise.