Case study

U.S. Department of Health and Human Services (HHS)
HP Enterprise Security Customer Case Study

Public Sector

Establish a centralized Department-wide cybersecurity program to enhance the security of HHS systems across all operating divisions

Leverage HP Enterprise Security software, including HP ArcSight and HP TippingPoint, to implement a comprehensive cybersecurity program

IT matters
The ability to leverage open source intelligence threat feeds has accelerated the creation of critical alerts, shortening the time to insight into security threats and greatly enhancing the security of HHS

Business matters
Use of the HP Enterprise Security solution, including the creative use of firewall technology to ensure data privacy among operating divisions, has significantly reduced HHS staff time required to detect and assess security events. With the establishment of a Department-wide cybersecurity program with consistent tools and processes, threat data can now be provided in a visual representation suitable for management, and much more accurate identification of malicious activity on the network is possible.

"The HP Enterprise Security solution that we have implemented at HHS provides global situational awareness and a common operational picture, greatly enhancing our ability to protect critical Department data. HP ArcSight and HP TippingPoint technologies, and the HP subject matter experts that support them, are central to the success of our cybersecurity program."
Dan Galik, HHS Chief Information Security Officer

The U.S. Department of Health and Human Services (HHS), a federation of several largely autonomous divisions, lacked a Department-wide method for monitoring and dealing with threat data. In response to this challenge, HHS implemented a cybersecurity program using HP Enterprise Security software at the
Case study | U.S. Department of Health and Human Services

The U.S. Department of Health and Human Services (HHS) had a government-sized cybersecurity challenge. As a federation of largely autonomous operating divisions, including the Centers for Medicare and Medicaid (CMS), National Institutes of Health (NIH), National Libraries of Medicine (NLM), Indian Health Service (IHS), Health Resources and Services Administration (HRSA), Food and Drug Administration (FDA), Centers for Disease Control and Prevention (CDC), and Office of the Secretary, HHS had a vast amount of sensitive data that needed protection. At the same time, it lacked Department-wide situational awareness and a consistent, effective method for dealing with threat data.

In response to this challenge, the HHS Computer Security and Incident Response Center (CSIRC) leveraged an integrated set of tools to develop and implement a comprehensive cybersecurity program. Today there are seven HP ArcSight software-based security enclaves; in addition to the CSIRC, these include CMS, NIH, IHS, HRSA, Information Technology Infrastructure and Operations (ITIO), and NLM. CDC currently provides alerts to the CSIRC via an onsite HP TippingPoint sensor. The HHS Cybersecurity Program is rapidly gaining visibility within the Department and will be extended to more operating and staff divisions going forward.

Bringing it together

Jeff Graham is the Federal lead for several projects within the HHS CSIRC, including the deployment of HP ArcSight and complementary HP TippingPoint solutions. "Around 2008 it became evident that there was a lot of duplication of effort, both in security monitoring and response," he recalls. "Many of the operating divisions were not leveraging Department-level systems; for example, most were using their own incident management systems. There was a clear need to bring it together with state-of-the-art cybersecurity."

The first step was to select the best Security Information and Event Management (SIEM) technology, which would become the centerpiece of the new program. "We ran a number of technical evaluations before deciding on a SIEM technology, and we chose ArcSight," says Graham. "We started our deployments in 2009 and are now fully installed at the majority of operating divisions."

The deployment model involved setting up each security enclave with its own complete system and network-attached storage, and then configuring the central HP ArcSight system to receive data and alerts from all participating locations. Creative use of firewall technology ensured that each division could peer its own data along multiple loggers, while preventing access to the data of the CSIRC or other divisions.

Live dashboards

Having established a centralized cybersecurity program in an amazingly short 12-month period, the CSIRC now deploys common alerts down to the operating division level, provides consistent monitoring across the Department, and coordinates events of interest. "When we see something that we think is important for whatever reason, we open a case in HP ArcSight," explains Graham. "We take all of the data and artifacts that are associated with that incident and post them into the case manager. Then we contact the operating division with what we found, and why it is important."

As an example, the CSIRC has live dashboards, redrawn every three minutes based on daily threat feed updates, that show connections to foreign countries. "It's near real-time data on the dashboards, and the analysts have an excellent visual representation to work with," says Graham. "We contacted one of the operating divisions that showed a connection to a foreign country, and at first they weren't too concerned; they assumed it was authorized foreign scientists connecting to webmail, or something similar. Then we sent them the image and explained what we were seeing: Within a three-minute time period, that same system was connected to three foreign countries on a channel not typically used for encrypted traffic. Suddenly they became very interested in what we had found, and they decided to take action on it."

HP TippingPoint spots a hole

More than 17 open source and custom threat feeds come into HP ArcSight, including the US Computer Emergency Readiness Team (US-CERT), Zeustracker, and the SANS network. One of the most important feeds is from the HP TippingPoint intrusion detection/prevention software installed at the different security enclaves. As with HP ArcSight, HP TippingPoint was chosen based on a fully open competition and technical evaluation, and deployed using the same federated model. HHS selected the HP TippingPoint platform for its ability to filter network traffic based on specific characteristics, including signatures for known attacks and vulnerability-specific filters.

HP TippingPoint recently proved its value in the area of cloud-based file sharing. Explains Graham: "Any traffic going out over a Secure Socket Layer (SSL) connection is assumed to be encrypted, so it is typically not proxied; in other words, nobody is inspecting that traffic. But when you have things like Dropbox, where somebody can install a client inside the government network, connect out over SSL to share files, put the client on their home machine, and then access those files again, you have no idea where Department data is going. You don't even know if it's part of a malicious exfiltration operation."

Graham continues: "One of the things we've been able to do is configure HP TippingPoint to alert us in HP ArcSight about Dropbox and other peer-to-peer sites, and then use ArcSight's event graphs to generate a clear picture for management. As a result, at both the Department and the operating division levels, they have begun blocking that traffic on their firewalls. That's a good thing."

Don't bury the analysts

A key goal of the HHS Cybersecurity Program was to address the problem of too much data to interpret properly. With nearly 6,000 events per second, and 3.8 billion total events on one CSIRC Logger, the analysts were literally overwhelmed. In order to make sense of it all, the CSIRC implemented tools and processes to identify relevant use cases; elicit specific, actionable information; reduce log event noise; and provide the analysts with real, timely threat-related data. HP ArcSight is the anchor of this program.

"While still in the planning phase, and working closely with HP ArcSight subject matter experts, we recognized that the CSIRC does not necessarily care about the same things that the operating divisions care about," says Graham. "For example, if CMS has a virus within the division, they have systems there to detect that, and they have an incident response team that can handle that traffic. What we are looking for are the events that they don't have the time or resources to track, or events that are hitting multiple divisions at the same time."

The impact of the HP ArcSight deployment on the security team has been transformative. Says Graham: "The team went from essentially a phone help desk function to actually creating cases in HP ArcSight based on the threat use cases, and coordinating security activities with the Department. My mandate to the HP ArcSight subject matter experts is that we can't overrun the analysts with data. We need information that is very specific, and in quantities that are consumable by the analysts on duty. With HP ArcSight, I think we've done that with great success."

Getting the word out fast

The impact on the CSIRC's internal customers has been equally impressive. "If US-CERT or the FBI calls us and says, 'This is known bad, you need to get it out right away,' normally we would create a situational awareness or early warning indicator report and send it to the operating divisions," says Graham. "By using HP ArcSight and open source intelligence, we can put that information in a specific format and drop it into a file share location, where ArcSight picks up the data every three minutes. So in three minutes, that traffic is already deployed to the division, and they are already generating alerts if the event is seen out there. We can't even craft an email in that amount of time."

The CSIRC employs HP ArcSight to look at the local network, and then uses open source threat feeds to look at the entire Department. They are looking for specific things: connections to foreign countries, Domain Name System (DNS) traffic that is going the wrong way, known command-and-control channels; in short, the big picture. With this high-level situational awareness, the CSIRC can brief management at any time on the health of the network.

Subject matter expertise

To support the continuing rollout of the cybersecurity program, HHS maintains an onsite HP ArcSight staff presence. According to Graham, their support is invaluable. "There is no doubt in my mind that we could not have accomplished all this without the staff we have here: federal, contract, and the HP ArcSight subject matter experts," he says. "In fact, there's a funny story related to that: I attended a recent HP Protect conference, where an ArcOSI representative was talking about an upcoming version of that open source intelligence product and the new capabilities that it would deliver. I walked up to the gentleman afterwards and said, 'I'm confused, because we are already doing this.' He said, 'That's not possible. It hasn't been released yet.' But once I told him who we were working with at HP ArcSight, he said, 'Oh, that's why.' The ArcSight people we have are absolutely top of the class."

The fame of the HHS Cybersecurity Program is spreading fast. "We've brought in US-CERT, the FBI, and folks from the Department of Justice," says Graham. "When we briefed US-CERT on our open source intelligence and threat use cases, they were absolutely floored. They have now asked us to brief at the United States Government Forum of Incident Response and Security Teams (GFIRST) and some of their other conferences. So we're going to be stepping out and singing the story."

Concludes Graham: "We are still in our infancy, just now starting to fully mature the threat feeds and some of the other use cases. But we have already seen enormous benefits, including positive findings, active situations that needed to be addressed immediately, at all operating divisions where we are deployed. I believe we are on a ramp up to do some amazing things here at the Department that are just not available in other federal government agencies. We would not have been able to do this without HP ArcSight."

About The U.S. Department of Health and Human Services

The U.S. Department of Health and Human Services is the principal agency for protecting the health of all Americans. It is comprised of the Office of the Secretary and 11 operating divisions. The agencies perform a wide variety of tasks and services, including research, public health, food and drug safety, grants and other funding, health insurance, and many
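The three-minute foreign-connection dashboard described under "Live dashboards" above, reduced to a small detector over constructed connection logs: it flags a host that reaches several foreign countries within one three-minute window on a port where encrypted traffic is not normally expected. This is an added example, not HHS or HP ArcSight code; the home country, the "encrypted" port set and the log layout are assumptions.

```python
"""Burst detector for the 'Live dashboards' use case: a host that reaches
several foreign countries within a three-minute window on a port not
normally used for encrypted traffic. Added example, not HHS/ArcSight code."""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "US"                    # assumption: the Department's own country
ENCRYPTED_PORTS = {443, 22, 993, 995}  # assumption: ports where encrypted traffic is expected
WINDOW = timedelta(minutes=3)          # matches the three-minute dashboard redraw

# Constructed sample log, one connection per line: "timestamp src dst_ip dst_port dst_country"
SAMPLE_LOG = """\
2013-10-01T09:00:05 10.20.1.7 203.0.113.9 443 DE
2013-10-01T09:00:40 10.20.1.7 198.51.100.3 8080 RU
2013-10-01T09:01:30 10.20.1.7 192.0.2.44 8080 CN
2013-10-01T09:02:10 10.20.1.7 203.0.113.77 8080 BR
2013-10-01T09:06:00 10.20.1.7 203.0.113.78 8080 FR
2013-10-01T09:00:10 10.20.2.3 198.51.100.9 443 GB
2013-10-01T09:00:20 10.20.2.3 198.51.100.10 443 FR
2013-10-01T09:00:30 10.20.2.3 198.51.100.11 443 DE
2013-10-01T09:00:50 10.20.3.1 192.0.2.1 80 US
"""

def parse(log):
    """Yield (time, src, port, country) for foreign-destination connections only."""
    for line in log.splitlines():
        ts, src, _dst, port, country = line.split()
        if country != HOME_COUNTRY:
            yield datetime.fromisoformat(ts), src, int(port), country

def find_bursts(log, min_countries=3):
    """Return {src: sorted countries} for hosts that touched at least
    min_countries distinct foreign countries within WINDOW on a port
    outside ENCRYPTED_PORTS (the 'channel not typically used for
    encrypted traffic' in the dashboard example)."""
    by_host = defaultdict(list)
    for ts, src, port, country in parse(log):
        if port not in ENCRYPTED_PORTS:
            by_host[src].append((ts, country))
    hits = {}
    for src, events in by_host.items():
        events.sort()                       # slide the window over time-ordered events
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= WINDOW}
            if len(seen) >= min_countries:
                hits[src] = sorted(seen)    # first qualifying window is enough to alert
                break
    return hits

if __name__ == "__main__":
    for host, countries in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(countries)} foreign countries in 3 min: {countries}")
```

Host 10.20.1.7 trips the rule (RU, CN, BR within 90 seconds on port 8080; the later FR connection falls outside the window), while 10.20.2.3 touches three countries only over port 443 and is left to normal review.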

Customer at a glance:
HP ArcSight ESM
HP ArcSight Logger
HP ArcSight Connector Appliance
HP TippingPoint N-series IDS/IPS


2013 Hewlett-Packard Development Company, L.P.
4AA5-0067ENW, November 2013
