Key Elements
Aretum has wide-reaching experience supporting the Federal Government with cybersecurity. We cover securing the nation's cyber infrastructure end to end, including program management, Zero Trust implementation, penetration testing, A&A support for Federal programs, and continuous security monitoring. Our solutions also make use of artificial intelligence and machine learning where they add value.
Implementation & Integration
Aretum's cybersecurity experience covers securing networks, applications, and systems both on premises and in the cloud. We have experience in architecting, planning, implementing, managing, and maintaining the security of applications and systems at the program and enterprise level for our customers.
Our experts have implemented and run security for agencies in on-premises environments, in DISA data centers, and in commercial government cloud environments (e.g., AWS GovCloud).
Offerings
We have designed and managed cloud security and monitoring across multiple cloud provider platforms. Our teams bring expertise in data protection with key management services, strong access controls, VPC network design, and web application firewalls (WAFs). After implementation, we provide continuous monitoring of cloud networks, applications, and resources, with alerting, anomaly detection, and incident response. We configure cloud environments for a strong security posture while balancing availability against the need to manage and mitigate risk.

Our Zero Trust Architecture (ZTA) expertise starts from the principle that no user or device is trusted by default. We guard against threats originating both inside and outside the federal agency or data hosting platform through strong authentication, IAM integration, least-privilege access, and continuous monitoring and reauthentication.
We also implement micro-segmentation and policy-based access control to limit the blast radius of an attack if one occurs. Zero Trust Network Access (ZTNA), using access gateways to enforce policy, complements existing inside-the-network and perimeter-based security controls and rounds out our ZTA offerings. We are at the forefront of ZTA implementation for the agencies participating in the DoD Technical Exchanges and focus groups.

Our cybersecurity engineers have implemented IAM integration in AWS, GCP, and Azure. We apply least-privilege access, eliminate over-privileged accounts and roles, and require strong multi-factor authentication for every user and device before granting access. We have integrated enterprise-level IAM solutions for thousands of DoD service members and their dependents worldwide.
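To show what enforcing these rules looks like in practice, here is an added example (not Aretum's tooling) that audits AWS IAM policy documents for the patterns described above: unrestricted administrator grants, Allow statements written with NotAction, and privileged actions permitted without an MFA condition. The sample policies, the placeholder account ID, and the choice of which services count as privileged are constructed for illustration.

```python
"""Least-privilege audit of AWS IAM policy documents.

Added example, not Aretum's code. The sample policies below are constructed;
the account ID 123456789012 is a placeholder, and the list of "privileged"
service prefixes is an assumption a real audit would tune to the environment.
"""
import json

MFA_CONDITION_KEY = "aws:MultiFactorAuthPresent"
# Assumption: actions on these services are treated as privileged.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(stmt):
    """True if the statement only applies when the caller authenticated with MFA."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get(MFA_CONDITION_KEY)
        if str(value).lower() == "true":
            return True
    return False


def _is_privileged(action):
    a = action.lower()
    return a == "*" or any(a.startswith(p) for p in PRIVILEGED_PREFIXES)


def audit_policy(policy):
    """Return human-readable findings for one policy document (empty = clean)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement")), start=1):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or f"statement {idx}"
        if "NotAction" in stmt:
            findings.append(f"{label}: Allow with NotAction grants every action not listed")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(f"{label}: Action '*' on Resource '*' is an unrestricted administrator grant")
        privileged = [a for a in actions if _is_privileged(a)]
        if privileged and not _requires_mfa(stmt):
            findings.append(f"{label}: privileged actions {privileged} allowed without an MFA condition")
    return findings


def audit_policy_json(text):
    """Convenience wrapper for a policy supplied as a JSON string."""
    return audit_policy(json.loads(text))


# Constructed sample: an "uber-powerful" role policy.
OVERPRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: scoped actions, scoped resources, MFA gate on the IAM actions.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadLogBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]},
        {"Sid": "RotateOwnKeys", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
         "Condition": {"Bool": {MFA_CONDITION_KEY: "true"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("OVERPRIVILEGED", OVERPRIVILEGED), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)):
        print(name, audit_policy(policy) or ["no findings"])
```

The checker is deliberately conservative: it only reads Allow statements, and it treats a wildcard action on a wildcard resource as a finding regardless of any condition, because an MFA-gated administrator grant is still an administrator grant.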

Our teams implement security policies and procedures and continually adapt and strengthen them. Policies are enforceable across the entire IT infrastructure and managed centrally to ensure uniform enforcement. Dedicated teams create, review, and update all security policies for our clients on regular cycles and issue ad hoc updates as circumstances require.

In Summary
With more than 10 years in the field, our holistic approach to cybersecurity is grounded in real-world Federal Government experience securing on-premises and cloud environments that host critical systems and applications.

Penetration Testing
Overview
Our cyber and IT security teams have implemented automated and continuous penetration testing for multiple government programs.
As part of our cyber offerings, our security engineers conduct regular penetration tests and risk assessments to identify vulnerabilities in the environment. We use tools such as Amazon Inspector and Azure Security Center (now Microsoft Defender for Cloud) and apply OWASP guidance to design, develop, acquire, operate, and maintain applications and systems.
Offerings
Aretum has teams experienced in both external and internal network penetration testing. The work covers, among other things:
- Discovering information leakage in DNS records, scanning for open ports, and fingerprinting service versions to match them against known vulnerabilities and public exploits
- Testing web applications for SQL injection
- Testing for cross-site scripting (XSS)
- Testing for cross-site request forgery (CSRF)
- Attacking jump servers and hosts in the DMZ
Our internal penetration testing focuses on unpatched software, open ports, exposed file shares, privilege escalation misconfigurations, weaknesses in the SMB and RDP protocols, and the continued acceptance of deprecated SSL/TLS versions and self-signed certificates.

Our team can perform comprehensive vulnerability assessments covering the key weakness classes, including:
- Evaluating broken access controls and detecting cryptographic failures for data in transit and at rest
- Assessing protection against injection attacks at the OS command, LDAP, and SQL level
- Testing protections against cross-site scripting (XSS), and finding security misconfigurations and missing hardening
- Discovering outdated, vulnerable, or unpatched components at the OS, web/application server, and database level, as well as in APIs, runtime environments, and libraries
Our comprehensive assessment reports are structured to support remediation planning.
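As an added illustration (not code from this page or from Aretum), the example below shows the three injection classes named in the pentest and vulnerability-assessment lists above, SQL, OS command, and LDAP, each in a vulnerable form beside its hardened form. The target user table and the hostnames are constructed; the payloads show why each vulnerable form fails and how the hardened form neutralizes them.

```python
"""SQL, OS command, and LDAP injection: vulnerable and hardened forms side by side.

Added example, not Aretum's code. All data is constructed inline so it runs offline.
"""
import re
import sqlite3
import subprocess


def make_db():
    """Constructed sample user table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


# --- SQL injection ---------------------------------------------------------
def lookup_vulnerable(conn, username):
    # VULNERABLE: input is spliced into the SQL text, so a quote rewrites the query.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = '" + username + "'").fetchall()


def lookup_hardened(conn, username):
    # HARDENED: bound parameter; the value is treated as data, never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


# --- OS command injection --------------------------------------------------
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_safe_hostname(host):
    """Allow-list check: letters, digits, dots and hyphens only."""
    return bool(HOSTNAME_RE.match(host))


def resolve_vulnerable(host):
    # VULNERABLE: shell=True hands the string to /bin/sh, so ';' starts a second command.
    out = subprocess.run("echo resolving " + host, shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def resolve_hardened(host):
    # HARDENED: validate against the allow-list, then pass argv as a list (no shell parsing).
    if not is_safe_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    out = subprocess.run(["echo", "resolving", host],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


# --- LDAP filter injection -------------------------------------------------
def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 rules)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def uid_filter_vulnerable(uid):
    # VULNERABLE: a uid of "*)(uid=*" turns this into a filter matching every person.
    return f"(&(objectClass=person)(uid={uid}))"


def uid_filter_hardened(uid):
    # HARDENED: metacharacters are escaped, so the attacker's text stays inside the value.
    return f"(&(objectClass=person)(uid={ldap_filter_escape(uid)}))"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("SQL vulnerable:", lookup_vulnerable(db, payload))
    print("SQL hardened:  ", lookup_hardened(db, payload))
    print("cmd vulnerable:", resolve_vulnerable("x; echo INJECTED"))
    print("cmd hardened:  ", resolve_hardened("example.com"))
    print("LDAP vulnerable:", uid_filter_vulnerable("*)(uid=*"))
    print("LDAP hardened:  ", uid_filter_hardened("*)(uid=*"))
```

The hardened forms share one idea: keep untrusted input out of the parser. Parameter binding does that for SQL, an argv list plus an allow-list does it for the shell, and RFC 4515 escaping does it for LDAP filters; output encoding plays the same role against XSS.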

Following the risk assessment process of NIST SP 800-30 (Guide for Conducting Risk Assessments) and the RMF steps that build on it, our team supports:
- Risk evaluation based on the overall maturity of the information security architecture
- Implementation of security controls, software supply chain safeguards, and security solutions
- Continuous monitoring strategies and programs
- Ongoing authorizations
Our threat modeling lets the team think like an attacker and concentrate on the threats most likely to occur. It considers the STRIDE categories, including spoofing, tampering, denial of service (DoS), and elevation of privilege, along with brute-force attacks, using scenarios that target system entry points and data both at rest and in transit. We consider risk evaluation and threat modeling essential for a federal agency.

Complex software supply chains, the use of open-source components, and automated CI/CD pipelines all increase the risk of introducing vulnerable software into the IT stack.
Much of continuous vulnerability management consists of finding outdated, unpatched, or vulnerable components, such as libraries, plugins, or frameworks, that expose applications to known security flaws. We help build strategies for discovering unsupported or outdated software across the operating system (OS), web/application servers, databases, applications, APIs, and libraries. We also offer patch management tools and frameworks and provide continual testing and remediation.

In Summary
Our penetration testing offerings include testing external and internal networks, assessing vulnerabilities, exploiting confirmed vulnerabilities within the agreed rules of engagement, evaluating risks, conducting threat modeling and assessments, and implementing patch management strategies.

Authorization and Accreditation (A&A)
We have supported A&A in multiple federal agencies, both to obtain an initial Authority to Operate (ATO) and to manage and maintain the ongoing Plans of Action and Milestones (POA&Ms).
We ensure compliance with DISA Security Technical Implementation Guides (STIGs). We offer security architecture support, IA vulnerability assessments, threat and remediation reporting, and 100% compliance with IA human capital training and certification requirements (DoD Directive (DoDD) 8140.01 and DoD 8570.01-M).
Offerings
Our RMF implementation follows the NIST SP 800-37 steps: categorizing the system, selecting controls (baseline, tailored, and supplemental), implementing and assessing them, writing the System Security Plan (SSP), performing the risk assessment, and supporting the Authorizing Official (AO) in approving the system, rejecting it, or granting a temporary ATO based on the assessment and risk analysis.
RMF also requires ongoing monitoring of security controls (log reviews, vulnerability management, and periodic assessments) and updates to the risk assessment as new threats emerge. Our typical RMF process for a system takes 18 to 20 weeks, followed by ongoing monitoring.
For DoD projects, all artifacts and evidence are developed, maintained, and documented in DISA's Enterprise Mission Assurance Support Service (eMASS) and integrated into the ATO package, which is reviewed monthly for assessment and AO decision making.

Our teams evaluate and recommend FedRAMP- and FedRAMP+-compliant cloud applications and services for DoD and civilian enterprises. We proactively track and report the response to and resolution of detected incidents, together with IA metrics, including Federal Information Security Modernization Act (FISMA) reporting.

Our security experts write and maintain security plans for all systems and applications, drawing on Security Information and Event Management (SIEM) data, Open Web Application Security Project (OWASP) guidance, and the OWASP Application Security Verification Standard (ASVS).

We develop, track, update, mitigate, and resolve all Plans of Action and Milestones (POA&Ms), and submit STIG exceptions and risk acceptance requests as needed. Our team is intentional about keeping POA&M counts low and manageable.

Our expert teams have initiated, obtained, and maintained ATOs for customers of all sizes, from enterprise level down, starting from a wide range of compliance postures.

In Summary
Our Authorization and Accreditation (A&A) support has helped secure systems and applications in both defense and civilian agencies. Our projects at the Department of Defense, USDA, the Library of Congress, and other agencies reduce risk and strengthen the security posture of their systems.

Continuous Monitoring, Response & Remediation
Overview
We have proven experience recommending, implementing, and maintaining enterprise-level security assessment platforms, including Security Technical Implementation Guides (STIGs), Security Content Automation Protocol (SCAP) audits, and third-party tools.
Our government-approved Standard Operating Procedures provide continuous monitoring by human analysts supported by automated threat response tooling.
Offerings
We perform daily security log monitoring for resources in our Areas of Responsibility (AOR). Our team identifies possible intrusions and provides 24/7/365 Tier 3 security response support, addressing any outage or out-of-parameter condition within 15 minutes of occurrence.

We use advanced threat detection, attack fingerprinting, and automatic IP blocking to detect threats and shut them down as they occur.
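As an added example of the detect-and-block logic described above (not Aretum's tooling), the script below parses constructed sshd authentication log lines, flags a source IP the first time it accumulates a threshold of failed logins inside a sliding time window, and builds the nftables command a responder would run to add the offender to a blocklist set. The log lines use TEST-NET documentation addresses, and the `inet filter` table and `blocklist` set names are assumptions.

```python
"""Brute-force detection over sshd log lines with automatic block decisions.

Added example, not Aretum's code. SAMPLE_LOG is constructed (TEST-NET addresses);
the nftables table and set names in block_command() are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sshd output: one source hammering the host, one
# source with two failures far apart, and one legitimate key-based login.
SAMPLE_LOG = """\
Mar 10 09:15:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar 10 09:15:04 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar 10 09:15:09 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar 10 09:15:12 bastion sshd[2216]: Accepted publickey for ops from 192.0.2.10 port 40110 ssh2
Mar 10 09:15:15 bastion sshd[2219]: Failed password for invalid user oracle from 203.0.113.7 port 51544 ssh2
Mar 10 09:15:20 bastion sshd[2221]: Failed password for invalid user test from 203.0.113.7 port 51551 ssh2
Mar 10 09:16:02 bastion sshd[2230]: Failed password for bob from 198.51.100.4 port 60001 ssh2
Mar 10 09:40:11 bastion sshd[2260]: Failed password for bob from 198.51.100.4 port 60002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failure(line):
    """Return (timestamp, username, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only relative ordering matters for the window.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(log_text, threshold=5, window_seconds=120):
    """Flag each source IP once, the first time it reaches `threshold` failed
    logins inside any `window_seconds` span. Returns a list of alert dicts."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts, flagged = [], set()
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({
                "ip": ip,
                "failures": len(q),
                "first": q[0].strftime("%H:%M:%S"),
                "last": ts.strftime("%H:%M:%S"),
                "usernames": sorted(users[ip]),
            })
    return alerts


def block_command(ip):
    """argv for adding `ip` to an nftables set. Assumes a table `inet filter`
    with a set named `blocklist` already exists (assumption, not from the page)."""
    return ["nft", "add", "element", "inet", "filter", "blocklist", "{", ip, "}"]


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
        print(" ".join(block_command(alert["ip"])))
```

The one-alert-per-IP rule matters in practice: without it, every further failed attempt from a source already blocked would generate a duplicate alert and a duplicate block command, which is the kind of noise that buries real Tier 3 work.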

Our security engineers track and monitor all endpoints, maintain access control, and scan every connected device so that our customers' infrastructure remains secure.

In Summary
Our team provides comprehensive security policies and manages effective incident response. We recommend policies for continuous updating and monitoring, including daily review of all system and application logs for malicious activity through a Security Information and Event Management (SIEM) platform, endpoint monitoring, and user access control both at the firewall and through identity management.

