Incident Response Services
cFocus’ Incident Response experience at multiple agencies (e.g. the Architect of the Capitol, US Patent and Trademark Office (USPTO) and on the DHS Continuous Diagnostic and Mitigation (CDM) Program) enables us to offer rapid and effective incident response services to federal government agencies. We fulfill NIST SP 800-61 Computer Security Incident Handling Guide checklists for each phase of the Incident Handling Life Cycle.
cFocus is a certified Splunk Partner with extensive experience integrating Splunk Enterprise and Splunk Enterprise Security into a NIST SP 800-61 compliant Incident Response program. By automating Incident Handling activities with Splunk Enterprise and Splunk Enterprise Security, we have reduced Incident Response times by 17% for our customers. HUD’s Splunk environment must be continually improved to automate more of the Incident Handling Life Cycle.
Risk & Vulnerability Assessment Services
cFocus has collaborated with the DHS National Cybersecurity Assessments and Technical Services (NCATS) team (which performs all vulnerability assessment and cyber hygiene vulnerability scans on behalf of DHS) on multiple Risk and Vulnerability Assessment (RVA) engagements since 2015, and our vulnerability assessment process is modeled after NCATS RVA best practices. Each vulnerability assessment is custom designed to aggregate vulnerability data (through automated scanning and manual penetration testing) and to provide actionable risk analysis reports with remediation recommendations to government stakeholders:
- Step 1: Prepare for Assessment—cFocus meets with stakeholders to identify the purpose and scope of the vulnerability assessment, discuss assumptions & constraints, document assessment inputs, identify the risk model, and identify analytical approaches to be used during the assessment. We also document the rules of engagement for the assessment to mitigate any possible service disruptions.
- Step 2: Conduct Assessment—We conduct NIST SP 800-115 compliant vulnerability scans and manual penetration tests using open source, commercial, and DHS CDM Approved Products List security tools. We use two ranking systems to analyze assessment data: CARVER (Criticality, Accessibility, Recoverability, Vulnerability, Effect, and Recognizability) identifies risk for high priority systems, and the CVSS (Common Vulnerability Scoring System) ranks vulnerabilities by severity.
- Step 3: Communicate Results—Within 5 business days after completing a vulnerability assessment, Team cFocus delivers a Risk Assessment Report to the stakeholders that conforms to the reporting standard of NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments. The risk report includes:
  - Executive Summary—summarizes the purpose, scope, and overall risk level.
  - Body of Report—describes the purpose of the assessment, assumptions/constraints, risk tolerance inputs, risk model & analytic approach, rationale for risk decisions, uncertainties, risk results, validity period, and lists of adversarial/non-adversarial threats.
  - Appendices—lists references/sources, the assessment team, and supporting evidence.
- Step 4: Continuous Monitoring—cFocus analysts participate in continuous monitoring after the completion of an assessment: we collaborate with stakeholders and conduct targeted vulnerability scans between semi-annual assessments to verify that remediation steps are executed and patches are installed.
Threat Hunting Services
cFocus is a best value partner that can revolutionize the effectiveness of all cybersecurity services through threat hunting. We have previously stood up Threat Hunting programs at the National Institutes of Health and multiple private sector customers, and we have continually improved a dynamic range of Cyber Hunt Service procedures, custom playbooks, vendor partnerships, and automation strategies.
Each Cyber Hunt Event is organized into a 4-step Cyber Hunt Loop:
- Create Hypothesis—Our analysts create a cyber hunt hypothesis (i.e. an educated guess) of an adversary’s tactics and techniques that pose a threat to the network. Each hypothesis is created based on threat intelligence data, collected data (e.g. endpoint/server data, network data, Splunk incidents, etc.), and analyst expertise.
- Investigate via Tools & Techniques—cFocus analysts investigate hypotheses using various tools and techniques. For example, if a hypothesis states that an adversary may be performing lateral movement in the environment using Pass the Hash techniques, we search system and domain controller logs for unusual logon activity (such as NTLM network logons from a single workstation to many hosts in a short window) and verify that Microsoft’s credential protection update KB2871997 is installed on Windows systems.
- Uncover New Patterns & TTPs—We test the hypothesis, confirming it when we discover indicators of compromise (IOCs), adversary patterns, and/or anomalies during the investigation. Upon the discovery of IOCs, we collaborate with the CIRT to remediate all threats.
- Inform & Enrich Analytics—Successful hunts that identify and remediate IOCs are used to continually improve the Cyber Hunt process. cFocus analysts automate successful hunt techniques and remediation activities so that subsequent cyber hunts can focus on new hypotheses, and different adversary tactics & techniques.
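As an added example of the Pass-the-Hash investigation described in the loop above (illustrative code written for this page, not cFocus playbook code), the following Python runs the hunt logic over a handful of Windows Security Event ID 4624 (successful logon) records. It filters for the well-known PtH logon shape (logon type 3, NTLM authentication package, NtLmSsp logon process, key length 0, excluding anonymous and machine accounts) and then flags an account/source-address pair that reaches several distinct hosts within a short window, since a single NTLM logon is routine noise. The events, hosts, accounts, and addresses are constructed; the thresholds (three hosts in ten minutes) are assumptions to tune per environment.

```python
"""Hunt for Pass-the-Hash lateral movement in Windows Security logs.

Added example, not cFocus tooling. Input is a list of Event ID 4624 records
carrying the fields the Security log provides; SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 events; hosts, accounts and addresses are invented.
SAMPLE_EVENTS = [
    # Ordinary Kerberos network logon: expected in a domain, not a PtH signal.
    {"time": "2024-03-01T09:00:01", "host": "FS01", "account": "jdoe", "domain": "CORP",
     "logon_type": 3, "auth_package": "Kerberos", "logon_process": "Kerberos",
     "key_length": 256, "src_ip": "10.1.1.50"},
    # One service account, NTLM with an empty key, hitting three servers from the
    # same workstation inside two minutes: the fan-out a PtH tool leaves behind.
    {"time": "2024-03-01T09:05:10", "host": "FS01", "account": "svc_backup", "domain": "CORP",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.1.1.77"},
    {"time": "2024-03-01T09:05:42", "host": "DB01", "account": "svc_backup", "domain": "CORP",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.1.1.77"},
    {"time": "2024-03-01T09:06:15", "host": "WEB01", "account": "svc_backup", "domain": "CORP",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.1.1.77"},
    # Same actor two hours later: outside the default window, so not counted with the burst.
    {"time": "2024-03-01T11:10:00", "host": "DC01", "account": "svc_backup", "domain": "CORP",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.1.1.77"},
    # Anonymous and machine-account NTLM logons are routine noise and are excluded.
    {"time": "2024-03-01T09:07:00", "host": "FS01", "account": "ANONYMOUS LOGON", "domain": "NT AUTHORITY",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.1.1.90"},
    {"time": "2024-03-01T09:07:30", "host": "FS01", "account": "WS02$", "domain": "CORP",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.1.1.91"},
    # A lone NTLM logon (e.g. a share opened by IP address) is not enough on its own.
    {"time": "2024-03-01T09:08:00", "host": "PRINT01", "account": "asmith", "domain": "CORP",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp",
     "key_length": 0, "src_ip": "10.1.1.60"},
]


def is_ntlm_network_logon(ev):
    """The classic PtH logon shape: type 3, NTLM via NtLmSsp, KeyLength 0,
    not the anonymous account and not a computer account (name ends in '$')."""
    return (ev["logon_type"] == 3
            and ev["auth_package"].upper() == "NTLM"
            and ev["logon_process"].upper() == "NTLMSSP"
            and ev["key_length"] == 0
            and ev["account"].upper() != "ANONYMOUS LOGON"
            and not ev["account"].endswith("$"))


def find_pth_candidates(events, min_targets=3, window_minutes=10):
    """Group suspicious NTLM logons by (domain, account, source IP) and report
    each actor that reaches at least `min_targets` distinct hosts inside a
    sliding window of `window_minutes`. Thresholds are assumptions to tune."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in events:
        if is_ntlm_network_logon(ev):
            key = (ev["domain"], ev["account"], ev["src_ip"])
            by_actor[key].append((datetime.fromisoformat(ev["time"]), ev["host"]))

    findings = []
    for (domain, account, src_ip), logons in by_actor.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until the span fits in the window.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_targets:
                findings.append({"domain": domain, "account": account, "src_ip": src_ip,
                                 "hosts": sorted(hosts),
                                 "first": logons[start][0].isoformat(),
                                 "last": logons[end][0].isoformat()})
                break  # one finding per actor is enough to queue for the CIRT
    return findings


if __name__ == "__main__":
    for finding in find_pth_candidates(SAMPLE_EVENTS):
        print(finding)
```

In a Splunk-centric environment the same filter maps directly onto the 4624 fields (LogonType, AuthenticationPackageName, LogonProcessName, KeyLength, IpAddress) and the fan-out count onto a `stats dc(ComputerName) by Account, IpAddress` over a time bucket; the patch half of the hunt is a per-host `Get-HotFix -Id KB2871997` in PowerShell.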
ATO (Authority To Operate) as a Service™ for Azure
The process of obtaining a FedRAMP ATO for a system hosted in Azure is time-consuming, manual, and paper-intensive. Until now!
Introducing ATO as a Service™, an exclusive Software as a Service that automates Azure FedRAMP compliance, and shortens FedRAMP ATO timeframes for information systems hosted in the Azure Government Cloud.
cFocus Software has partnered with Microsoft Corporation to develop ATO as a Service™, allowing us to tightly integrate best-of-breed Azure automation and continuous monitoring technology.
Want to learn more about ATO as a Service™ for Azure? Click below to set up a demo!