Continuous Monitoring

Transcription

1 Continuous Monitoring The Evolution of FISMA Compliance Tina Kuligowski

2 Overview Evolution of FISMA Compliance NIST Standards & Guidelines (SP r1, ) OMB Memorandums (M-11-33, M-10-28) DHS Federal Information Security Memorandums (FISM 11-02) The Deltas CM Tools & Technologies: Guidelines: SP Information Security Continuous Monitoring Automation Domains, Tools and Technologies (SCAP, NVD) CAESARS Framework & State s ipost CM Challenges The Organization of the SP The Limitations of CAESARS GAO Report: Limitations of ipost and Risk Scoring Program

3 Evolution of FISMA Compliance r1 Deltas C&A vs RMF Joint Task Force Organization-wide RM Strategy Risk Executive (function) [Tier 1] Information Security Architect [Tier 2] Information System Security Engineer [Tier 3] Risk Redefined OMB FISMA Reporting Instructions DHS Cyberscope

4 Initiation Traditional C&A Risk Management Framework Phase Task Subtask Step Task 1: Preparation. Information System Description 1.2 Information System Description Security Categorization Threat Identification Vulnerability Identification Security Control Identification Initial Risk Determination 2: Notification Notification Planning And Resources 3: SSP Analysis, Update, And Acceptance. Security Categorization Review System Security Plan Analysis System Security Plan Update System Security Plan Acceptance 1.1 Security Categorization 1.3 Information System Registration 2.1 Common Control Identification 2.2 Security Control Selection 3.1 Security Control Implementation 3.2 Security Control Documentation 2.3 Monitoring Strategy 2.4 Security Plan Approval

5 Continuous Monitoring Accreditation Certification Traditional C&A Risk Management Framework Phase Task Subtask Step Task 4: Security Documentation Supporting Materials Control Methods And Procedures 4.1 Assessment Preparation Assessment Security Assessment 4.2 Security Control Assessment 5: Security Certification Documentation 6: Accreditation Decision 7: Security Accreditation Documentation 8: Configuration Management 9: Control Monitoring 10: Status Reporting And Documentation RMF 6.6 RMF 6.7 Security Assessment Report 4.3 Security Assessment Report Findings And Recommendations 4.4 Remediation Actions System Security Plan Update POAM Preparation 5.1 Plan of Action and Milestones Accreditation Package Assembly 5.2 Security Authorization Package Final Risk Determination 5.3 Risk Determination Risk Acceptability 5.4 Risk Acceptance Security Accreditation Package Transmission System Security Plan Update Documentation Of Information System 6.1 Information System and Environment Changes Changes Security Impact Analysis Security Control Selection 2.3 Monitoring Strategy (sorta) Selected Security Control Assessment 6.2 Ongoing Security Control Assessments System Security Plan Update 6.4 Key Updates POAM Update 6.3 Ongoing Remediation Actions Status Reporting 6.5 Security Status Reporting Ongoing Risk Determination and Acceptance Information System Removal and Decommissioning

6 Joint Task Force Transformation Initiative ongoing effort to produce a unified information security framework for the federal government. SP Risk Management Department Committee Framework on DITSCAP/ SP r3 of Defense National NIACAP Security DIACAP Security Controls Systems SP Managing Information Security Risk DoD, ODNI, NSA(CNSS 1253), ISO/IEC Office (27001) of the National Director DCID 6/3 of C&A Institute Guidelines Collaboration of Johns Hopkins APL Among Public And National Standards and MITRE Intelligence Corporation (NVD) Private Sector Technology Booz Allen Hamilton Entities

7 Organization-wide RM Strategy/ New Roles Risk Executive (function) Information Security Architect Information System Security Engineer

8 OMB FISMA Reporting Instructions FAQ #9. Must the Department of Defense (DoD) and the Office of the Director of National Intelligence (ODNI) follow OMB policy and NIST guidelines? Answer: Yes, for non-national security systems DOD and ODNI are to incorporate OMB policy and NIST guidelines into their internal policies.. Note: NSA Uses CNSS1253, which looks very similar to a compilation of FIPS 199/200, references , and provides a very FDCC/USGCB-like baseline of configuration settings.

9 Clarifying DHS Cybersecurity Responsibilities (M-10-28) Critical Infrastructure Protection US-CERT Trusted Internet Connection Initiative Primary Responsibility for the Operational Aspects of Cybersecurity [FISMA Reporting] Instructions New FISMA Reporting Metrics Cyberscope

10 DHS FISM (aka OMB 11-33) FISMA Reporting Instructions FAQ #28. Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130? Answer: No. Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs.

11 FY2011 Reporting Metrics 13. Continuous Monitoring What percentage of data from the following potential data feeds are being monitored at appropriate frequencies and levels in the Agency: 13.1a.IDS/IPS 13.1b.AV/Anti- -Malware/Anti- -Spyware 13.1c.System Logs 13.1d.Application Logs 13.1e.Patch Status 13.1f.Vulnerability Scans 13.1g.DNS logging 13.1h.Configuration/Change Management system alerts 13.1i.Failed Logins for privileged accounts 13.1j. Physical security logs for access to restricted areas (e.g. data centers)

12 DHS Cyberscope Monthly Data Feeds to DHS 1. Inventory 2. Systems and Services 3. Hardware 4. Software 5. External Connections 6. Security Training 7. Identity Management and Access Government-wide benchmarking on security posture Agency-specific interviews

13 Risk Management OODA Loop Redefined

14 SP Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations Information security continuous monitoring (ISCM) is defined as: Maintaining Ongoing Awareness of Information Security, Vulnerabilities, and Threats Support Organizational Risk Management Decisions Begins With Leadership Defining A Comprehensive ISCM Strategy Encompassing technology processes procedures operating environments people

15 SP ISCM Criteria Risk Management Strategy: 1. How the organization plans to assess, respond to, and monitor risk 2. Oversight required to ensure effectiveness of RM strategy Program Management 1. Defined by how business processes are prioritized 2. Types of information needed to successfully execute those business processes Monitoring System Level Controls and Security Status Reporting 1. Security Alerts 2. Security Incidents 3. Identified Threat Activities

16 Risk Tolerance Enterprise Architecture Security Architecture Security Configurations Plans for Changes to Enterprise Architecture Available Threat Information Guidance:

17 The CM Process Define an ISCM Strategy Establish an ISCM Program Implement an ISCM Program Determining Appropriate Response Mitigating Risk Review and Update the Monitoring Program SP

18 Role of Automation in ISCM Consideration is given to ISCM tools that: Pull information from a variety of sources (Specifications, Mechanisms, Activities, Individuals) Use open specifications such as SCAP Offer interoperability with other products (help desk, inventory management, configuration management, and incident response solutions) Support compliance with applicable federal laws, regulations, standards, and guidelines Provide reporting with the ability to tailor output Allow for data consolidation into Security Information and Event Management (SIEM) tools and dashboard products. SP

19 Security Automation Domains Vulnerability & Patch Management Event & Incident Management Malware Detection Asset Management Configuration Management Network Management License Management Information Management Software Assurance SP

20 Automation Domain Tools and Technologies NIST Guidelines 1 - Vulnerability Management 2 - Patch Management Vulnerability scanners Patch management tools NIST SP Creating a Patch and Vulnerability Management Program 3 - Event Management NIST SP , Computer Security Log Management 4 - Incident Management 5 - Malware Detection 6 - Configuration Management Intrusion detection/ prevention systems and logging mechanisms Antivirus/ Malware detection mechanisms NIST SP , Guide IDPS NIST SP , Malware Incident Prevention and Handling SCAP, SEIM, Dashboards NIST SP r2 The Technical Specification for SCAP Version 1.2 SP

21 Automation Domain 7 - Asset Management 8 - Network Management 9 - License Management Tools and Technologies System configuration, network management, and license management tools Host discovery, inventory, change control, performance monitoring, and other network device management capabilities License management tools 10 - Information Management Data Loss Prevention (DLP) Tools: network analysis software, application firewalls, and intrusion detection and prevention systems SP

22 Software Assurance Technologies Security Automation Domain #11 Software Assurance Automation Protocol (SwAAP - measure and enumerate software weaknesses): CWE Common Weakness Enumeration Dictionary of weaknesses that can lead to exploitable vulnerabilities CWSS Common Weakness Scoring System Assigning risk scores to weaknesses CAPEC Common Attack Pattern Enumeration & Classification Catalog of attack patterns MAEC Malware Attribute Enumeration & Characterization Standardized language about malware, based on attributes such as behaviors and attack patterns SP

23 DHS Reporting Metrics 12. Software Assurance 12.1Provide the number of information systems, developed in-house or with commercial services, deployed in the past 12 months. 12.1a.Provide the number of information systems above (12.1) that were tested using automated source code testing tools. 12.1b.Provide the number of the information systems above(12.1a) where the tools generated output compliant with: 12.1b (1).Common Vulnerabilities and Exposures (CVE) 12.1b (2).Common Weakness Enumeration (CWE) 12.1b (3).Common Vulnerability Scoring System (CVSS) 12.1b (4).Open Vulnerability and Assessment Language (OVAL) Source code testing tools are defined as tools that review source code line by line to detect security vulnerabilities and provide guidance on how to correct problems identified.

24 Automation and Reference Data Sources Security Content Automation Protocol (SCAP) What Can Be Automated With SCAP How to Implement SCAP Partially Automated Controls Reference Data Sources National Vulnerability Database (NVD) Security Configuration Checklists SP

25 NVD Primary Resources 1. Vulnerability Search Engine 2. National Checklist Program 3. SCAP Compatible Tools 4. SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL) 5. Product Dictionary (CPE) 6. Impact Metrics (CVSS) 7. Common Weakness Enumeration (CWE) SCAP Program Scan NVD Data Feed SP

26 SCAP: What Can Be Automated? Vulnerability and Patch Scanners Authenticated Unauthenticated Baseline Configuration Scanners Federal Desktop Core Configuration (FDCC) United States Government Configuration Baseline (USGCB) SP

27 How to Implement SCAP with SCAP-validated Tools SP

28 and SCAP-expressed Checklists SP

29 Partially Automated Controls Open Checklist Interactive Language (OCIL) Define Questions (Boolean, Choice, Numeric, Or String) Define Possible Answers to a Question from Which User Can Choose Define Actions to be Taken Resulting from a User's Answer Enumerate Result Set Used in Conjunction with extensible Configuration Checklist Description Format (XCCDF) SP

30 Technologies for Aggregation and Management Dashboards Meaningful And Easily Understandable Format Analysis Provide Information Appropriate to Roles And Responsibilities Security Information and Event Management (SIEM), analysis of: Vulnerability Scanning Information, Performance Data, Network Monitoring, System Audit Record (Log) Information Audit Record Correlation And Analysis SP

31 IR 7756 CAESARS Framework

32 IR 7756

33 IR 7756

34 CM Documents IR 7756

35 Department of State s ipost Custom Application Continuously Monitors Uses Data from Various Monitoring Tools Holistic View Of Risk Leveraging Competitiveness Encourage Risk Reduction

36 ipost Development Stages Deploy Enterprise Monitoring Tools Aggregate Monitoring Data: ipost Establish Risk Scoring Program

37 Monitoring Tool Data Sources Component ID What is Scored Source Vulnerability VUL Vulnerabilities detected on a host Foundstone (McAfee) Patch PAT Patches required by a host SMS (System Center) Security SCM Failures of a host to use required security settings McAfee Policy Auditor Compliance Anti-Virus AVR Out of date anti-virus signature file SMS (System Center) Unapproved OS UOS Unapproved operating systems AD Cyber Security Awareness Training CSA Every user who has not passed the mandatory awareness training within the last 365 days DoS Training Database SOE Compliance SOE Incomplete/invalid installations of any product in SMS (System Center) the Standard Operating Environment (SOE) suite AD Computers ADC Computer account password ages exceeding AD threshold AD Users ADU User account password ages exceeding threshold AD (scores each user account, not each host) SMS Reporting SMS Incorrect functioning of the SMS client agent SMS (System Center) Vulnerability Reporting Security Compliance Reporting VUR Missed vulnerability scans Foundstone (McAfee) SCR Missed security compliance scans McAfee Policy Auditor

38

39 Risk Scoring

40 Remediation

41 CM Challenges The Organization of the SP Emerging CM Technologies SCAP OCIL The Limitations of CAESARS Department of State s ipost and Risk Scoring Program

42 18 Families 198 Controls Organization of Security Controls 892 Control Items (Parts/Enhancements)

43 Evident in USGCB

44 Mapping STIG to

45 Using Fishbone to Find Root Controls Plan, Engineer, & Prepare for Operations Operate, Monitor, & Improve Plan Prepare Operate & Check Improve Effectiveness Measure Requirements Definition PP Track Desired State PP Find Systemic Problems PP 11 Design/ Test/ AQ/ Infrastructure PP 7 Assign Scores to Delta PP 1 A Policy & Planning PP 8 Track Actual 5 PP 6 Value Proposition/ Operational Metric 10 ID Score Deviations PP Fix Issues by Priority PP Prep Staff PP Manage & Operate PP 3

46

47 The Limitations of CAESARS Lack of Interface Specifications Reliance on an Enterprise Service Bus Incomplete Communication Payload Specifications Lack of Specifications Describing Subsystem Capabilities Lack of a Multi-CM Instance Capability Lack of Multi-Subsystem Instance Capability CM Database Integration with Security Baseline Content Lack of Detail on the Required Asset Inventory Requirement for Risk Measurement

48 GAO Report on Scope of ipost Risk Scoring Program (1) Addresses windows hosts but not other IT assets on its major unclassified network (2) Covers a set of 10 scoring components that includes some, but not all, information system controls that are intended to reduce risk (3) State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment

49 Minimum Security Controls (FIP 200) Access Control Awareness and Training Audit and Accountability Security Assessment and Authorization Configuration Management Contingency Planning Identification and Authentication Incident Response Maintenance Media Protection Physical and Environmental Protection Planning Personnel Security Risk Assessment System and Services Acquisition System and Communications Protection System and Information Integrity Controls Monitored by ipost Security Compliance (AD Group check) Awareness Training Reporting Patching, SOE, Reporting(Inventory) AD Computers & Users Vulnerabilities Patching, Antivirus

50 Challenges with Implementation of ipost (1) Overcoming limitations and technical issues with data collection tools (2) Identifying and notifying individuals with responsibility for site-level security (3) Implementing configuration management for ipost (4) Adopting a strategy for continuous monitoring of controls (5) Managing stakeholder expectations for continuous monitoring activities

51 FITSI Objectives Review FISMA Compliance OMB Memorandums DHS FISMs NIST Standards & Guidelines Evolution via Deltas CM Tools & Technologies: Guidelines: SP Automation Domains, (SCAP, NVD) CAESARS Framework & State s ipost CM Challenges The Organization of SP The Limitations of CAESARS Your Organization s ISCM 1. Consistent Body if Knowledge 2. Training Baseline Overcome CM Challenges with Collective Contributions

52 Q&A Tina Kuligowski