Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities
1 Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities
Sean Barnum, September 2011
2 Overview
- What is SCAP?
- Why SCAP?
- How can SCAP be leveraged for the Common Criteria?
- A proposed approach for integrating SCAP into the domain of Common Criteria
4 Security Content Automation Protocol
A protocol leveraging a suite of seven preexisting open specifications that standardize the format and nomenclature by which security software communicates information about software flaws and security configurations.
Defines how these specifications are used in concert for the following activities:
- vulnerability and patch management
- secure configuration management
- policy compliance evaluation
- asset inventorying
- detecting system compromise
Motivating factors:
- Number and variety of systems to secure
- Need to respond quickly to new threats
- Lack of interoperability
- Complexity of guidance
- Number of security-related configuration settings
- Need to verify the security posture regularly
"SCAP was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise." (NIST SP )
5 SCAP Components

  Component  Full name                                               Role        Description
  ---------  ------------------------------------------------------  ----------  --------------------------------------------------------------------------------------
  CVE        Common Vulnerabilities & Exposures                      Naming      Standard nomenclature and dictionary of security-related software vulnerabilities
  CCE        Common Configuration Enumeration                        Naming      Standard nomenclature and dictionary of software configurations
  CPE        Common Platform Enumeration                             Naming      Standard nomenclature and dictionary for product naming
  XCCDF      Extensible Configuration Checklist Description Format   Expressing  Standard XML for specifying checklists and for reporting results of checklist evaluation
  OVAL       Open Vulnerability and Assessment Language              Assessing   Standard XML for system test procedures
  OCIL       Open Checklist Interactive Language                     Assessing   Standard XML for expressing questions to an end user
  CVSS       Common Vulnerability Scoring System                     Scoring     Standard for measuring the impact of vulnerabilities

6 Layering the Security Automation Standards [diagram; labels visible: Policy (What? Why?), Assess, OCIL, CCSS]
7 Putting it Together
Inventory Management
- Universal identifiers for software (CPE)
- Language for testing procedures for software presence (OVAL/OCIL)
Vulnerability Management
- Universal identifiers for vulnerabilities (CVE)
- Scoring system for vulnerabilities (CVSS)
- Assessment language for checking for vulnerabilities (OVAL)
Configuration Policy
- Universal identifiers for configurable controls (CCE)
- Language for testing procedures for configuration compliance (OVAL/OCIL)
- Language for organized configuration structuring and tailoring (XCCDF)
2011 The MITRE Corporation. All rights Reserved.
8 SCAP-enabled Tools are Available Today
- SCAP is not some vague, future promise
- Over 40 vendors have tools certified as SCAP compatible
- Large amounts of freely available content exist
- Widely deployed in U.S. Government enclaves using a variety of vendors since
9 Current SCAP-Validated Vendors [figure: vendor logos; logos are trademarked by their respective corporations]
List of validated vendors and products available at
Information current as of January 28, 2011
10 [diagram: standards map in the CYBEX context. Labels visible: CPE (Common Platform Enumeration), XCCDF (Extensible Configuration Checklist Description Format), CCE (Common Configuration Enumeration), OVAL (Open Vulnerability and Assessment Language), ARF (Assessment Result Format), CVSS (Common Vulnerability Scoring System), CVE (Common Vulnerabilities and Exposures), IODEF (Incident Object Description Exchange Format), CWSS (Common Weakness Scoring System), CWE (Common Weakness Enumeration), CAPEC (Common Attack Pattern Enumeration and Classification), CEE (Common Event Expression); groupings: Information Exchange Schema, Application Specific Extensions, Events, Incidents, & Heuristics, Weaknesses, Vulnerabilities, & State]
11 SCAP Security Automation Tools [diagram: the same standards map as slide 10, with the SCAP Use Case in place of the CYBEX context]
12 Status of ITU-T Recommendations

  x-series  Title                                                   ITU-T Status  Planned Determination
  --------  ------------------------------------------------------  ------------  ---------------------
  x.1500    Cybersecurity Information Exchange (CYBEX) Techniques   Final         Dec 2010
  x.1520    Common Vulnerabilities and Exposures                    Final         Dec 2010
  x.1521    Common Vulnerability Scoring System                     Final         Dec 2010
  x.cwe     Common Weakness Enumeration                             Final         Aug 2011
  x.oval    Open Vulnerability and Assessment Language              Draft         Aug 2011
  x.cce     Common Configuration Enumeration                        Draft         Aug 2011
  x.capec   Common Attack Pattern Enumeration and Classification    Draft         Feb 2012
  x.maec    Malware Attribute Enumeration and Classification        Draft         2012
  x.cwss    Common Weakness Scoring System                          Draft         2012
  x.cee     Common Event Expression                                 Draft         2012
  x.cpe     Common Platform Enumeration                             Draft         2012
  x.arf     Asset Reporting Format                                  Draft         2012
  x.xccdf   Extensible Configuration Checklist Description Format   Draft         2012

13 SCAP For Product Consumers (SP )
- Organizations should use security configuration checklists that are expressed using SCAP to improve and monitor their systems' security.
- Organizations should take advantage of SCAP to demonstrate compliance with high-level security requirements that originate from mandates, standards, and guidelines.
- Organizations should use SCAP for vulnerability measurement and scoring.
- Organizations should acquire and use SCAP-validated products.
14 SCAP For Product Vendors (SP )
Product Names
- Provide CPE names for all products
Configuration Controls
- Each security-relevant configuration control is assigned a CCE through a federated CCE creation process.
Secure Configuration Baselines
- Development of configuration checks to confirm that a system is running under the specified secure configuration.
- Use XCCDF and OVAL to allow for machine-interpretable content.
- Use CPE and CCE to allow for platform targeting and data correlation.
Security Advisories
- Incorporate CVEs in the initial vulnerability alert.
- Assign CVSS scores to vulnerabilities.
- Include OVAL Definitions as a standardized machine-interpretable check for the issue.
- Include CPE Names for affected software.
Support Automated System Integrations
- Develop systems that can be assessed
- Provide OVAL extensions for new platforms
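The vulnerability-management chain of slides 7 and 14 (CPE names in the software inventory, a CVE id and CVSS score in each advisory, CPE names of the affected software) worked through as an added Python example; this is not code from the presentation or from MITRE, and every host, CPE name, CVE id and advisory in it is a constructed placeholder. The CVSS v2 base-score arithmetic and the "omitted component means any" CPE 2.2 matching are the published ones.

```python
"""Correlate a CPE-named software inventory with CVE advisories scored in CVSS v2.

Constructed illustration, not MITRE's or NIST's code. The CVE ids, CPE names,
hosts and advisories below are invented placeholders.
"""
from dataclasses import dataclass

# CVSS v2 base-metric weights (Access Vector, Access Complexity, Authentication,
# Confidentiality/Integrity/Availability impact) from the CVSS v2 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score for a vector such as 'AV:N/AC:M/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    if impact == 0:  # f(Impact) = 0 when the vulnerability has no impact at all
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def cpe_components(name: str) -> list:
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:update:edition:language)
    into its seven components, padding omitted trailing components with ''."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name}")
    parts = name[len("cpe:/"):].lower().split(":")
    return (parts + [""] * 7)[:7]


def cpe_matches(target: str, installed: str) -> bool:
    """True if the installed product is an instance of the target name.
    An empty or omitted component in the target means 'any', so an advisory
    naming cpe:/a:example:widgetd:2.1 covers cpe:/a:example:widgetd:2.1:sp1."""
    return all(t == "" or t == i
               for t, i in zip(cpe_components(target), cpe_components(installed)))


@dataclass(frozen=True)
class Advisory:
    cve: str          # CVE identifier (placeholder, not a real CVE)
    cvss_vector: str  # CVSS v2 base vector published with the advisory
    affected: tuple   # CPE names of the affected products


# Constructed asset inventory: (host, installed CPE name) as an inventory tool reports it.
INVENTORY = [
    ("host-a", "cpe:/a:example:widgetd:2.1:sp1"),
    ("host-a", "cpe:/o:example:exampleos:5"),
    ("host-b", "cpe:/a:example:widgetd:3.0"),
]

# Constructed vendor advisories carrying the three SCAP pieces slide 14 asks for:
# a CVE id, a CVSS score (given here as the base vector) and the affected CPE names.
ADVISORIES = [
    Advisory("CVE-0000-0001", "AV:N/AC:L/Au:N/C:C/I:C/A:C", ("cpe:/a:example:widgetd:2.1",)),
    Advisory("CVE-0000-0002", "AV:N/AC:M/Au:N/C:P/I:P/A:P",
             ("cpe:/a:example:widgetd:2.1", "cpe:/a:example:widgetd:3.0")),
    Advisory("CVE-0000-0003", "AV:L/AC:H/Au:M/C:N/I:N/A:N", ("cpe:/o:example:exampleos:5",)),
]


def correlate(inventory, advisories) -> list:
    """Return (host, installed CPE, CVE, CVSS base score) for every advisory whose
    affected CPE names match an installed product, highest score first."""
    findings = []
    for host, installed in inventory:
        for adv in advisories:
            if any(cpe_matches(t, installed) for t in adv.affected):
                findings.append((host, installed, adv.cve, cvss2_base_score(adv.cvss_vector)))
    findings.sort(key=lambda f: (-f[3], f[0], f[2]))
    return findings


if __name__ == "__main__":
    for host, cpe, cve, score in correlate(INVENTORY, ADVISORIES):
        print(f"{score:4.1f}  {host:8}  {cve}  {cpe}")
```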
16 SANS: 20 Critical Security Controls (a.k.a. CAG)
- Transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through.
- Enabling agreement between those responsible for compliance and those responsible for security.
- The Top 20 Controls were developed by a consortium including: US NSA, US-CERT, US DoD, the US Department of Energy Nuclear Laboratories, US Department of State, industry experts
- Automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness.
- US Department of State iPost demonstrated more than 80% reduction in "measured" security risk
17 SANS: 20 Critical Security Controls (a.k.a. CAG)
Critical Controls Subject to Automated Collection, Measurement, and Validation:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
SCAP Enables Automation
18 SCAP Supports International Drivers
- SCAP and its targeted use cases are not just driven by US needs
- SCAP also supports numerous international drivers:
  - Commercial industry mandates such as the Payment Card Industry Data Security Standard (PCI-DSS) Requirement 6
  - ISO security process and practices standards such as the series
  - ITU security information structure and exchange recommendations such as the X.1000, X.1100, X.1200 & X.1500 series
  - In-development standards and mandates surrounding supply chain security
  - Etc.
19 It's Not Only About Discrete Specification and Assessment
Inventory Management
- Universal identifiers for software (CPE)
- Language for testing procedures for software presence (OVAL/OCIL)
Vulnerability Management
- Universal identifiers for vulnerabilities (CVE)
- Scoring system for vulnerabilities (CVSS)
Configuration Policy
- Universal identifiers for configurable controls (CCE)
- Language for testing procedures for configuration compliance (OVAL/OCIL)
- Language for organized configuration structuring and tailoring (XCCDF)
20 Continuous Monitoring
"Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." (NIST )
A result of numerous events coming together:
- SANS Top 20 Critical Controls (CAG)
- US OMB FISMA Reporting Memo (M-10-15)
- iPost: Implementing Continuous Risk Monitoring at the DoS
CM provides a foundation for many IA activities: IT Security Reporting, Vulnerability Management, Inventory Management, etc.
"Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and other agency management all need to have different levels of this information presented to them in ways that enable timely decision making. To do this, agencies need to automate security-related activities, to the extent possible, and acquire tools that correlate and analyze security-related information. Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools." (OMB memo M )
21 CAESARS & Standards
CAESARS: Continuous Asset Evaluation, Situational Awareness, and Risk Scoring - Reference Architecture
[diagram: CAESARS subsystems Sensors, Database, Analytics and Presentation, linked by Standardized Tasking and Standardized Results; standards labelled on the subsystems: CPE, CCE, CVE, CVSS, OVAL, XCCDF]
22 Comply to Connect: SCAP and TNC Integration
- Network Access Control (NAC) is seen as a key enabling technology for several of the SANS Top 20 Critical Security Controls.
- SCAP provides a set of standard data formats that can be used to describe desired system configurations.
- Trusted Network Connect (TNC) provides a standards-based NAC solution.
- SCAP and TNC can be used together to provide a complete standards-based approach.
23 Coordinated Security [diagram: IF-MAP Protocol linking a MAP to Asset Management System, Endpoint Security (via NAC), SIM/SEM, IPAM, Physical Security, ICS/SCADA Security, AAA, Routing, Server or IDS, Switching, Wireless, Firewalls, Cloud Security]
Copyright 2011 Trusted Computing Group. Other names and brands are properties of their respective owners.
24 Coordinated Security & NAC Together [diagram: Access Requestor (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP), Sensors, Flow Controllers]
25 TNC and SCAP Together [diagram: the TNC architecture of slide 24 (AR, PEP, PDP, MAP, Sensors, Flow Controllers) with three SCAP elements added: SCAP Client Software, SCAP Analysis Software, SCAP External Scanner]
27 SCAP Value for the Common Criteria
Inventory Management
- Evaluators: Clear understanding of 3rd party components in the TOE
- Consumers: Clear understanding of which systems are deployed and whether those systems are the same ones that were evaluated
Vulnerability Management
- Vendors: Ensure all TOE 3rd party components are patched before submitting for evaluation
- Evaluators: Test for known vulnerabilities in TOE 3rd party components
Configuration Policy
- Vendors: Secure configuration specification for products to be evaluated
- Evaluators: Ensure the product is being evaluated as intended
- Consumers: Secure configuration compliance to ensure the operational system is still the same as the one that was evaluated
28 Paralleling the TNC/SCAP Approach for CC Evaluated Products
- Common Criteria evaluated products are trusted to operate in the deployed environment
- Standard secure configuration baseline is defined as part of the CC evaluation
- Continuously monitor configuration state of deployed product
- If configuration changes from standard baseline (i.e. the product running is no longer the product that was evaluated), report an alert, revoke operation privileges for the product and/or remove it from the network
29 SCAP and NIAP Integration Overview
MITRE developed a white paper that describes the logical ways in which to integrate SCAP into NIAP.
- Shared paper with firewall protection profile group.
- Briefed the firewall protection profile group during RSA.
- Could be added to emerging profiles as they are ready.
Motivation:
- SANS Top 20
- Continuous Monitoring
- DHS Cyber Ecosystem
- Enable automated monitoring of products
- Faster, more accurate identification of issues
- Deliver actionable secure configuration guidance
Identified seven areas to utilize SCAP, aligned with relevant CAG controls
30 Seven Areas for Integration Identified
1. Standardized Product Names: Enables fast, accurate correlation across information sources.
2. Standardized configuration item identification: Enables fast, accurate correlation across information sources.
3. Enable automated secure configuration checking: Enables automated checking during NIAP evaluation.
4. Structured secure configuration guides: Enables automated checking for adherence to the policy.
5. Inventory/asset management support: End users can use the asset management tool of choice.
6. Vulnerability identification, disclosure, & response practices: Faster responses to security advisories by end users.
7. Patch checking: End users can use the patch management tool of choice.
31 Areas for Integration Aligned with SCAP (benefits as on slide 30)

  Area for integration                                               Aligned "SCAP For Product Vendors" area
  -----------------------------------------------------------------  ---------------------------------------
  1. Standardized Product Names                                      Product Names
  2. Standardized configuration item identification                  Configuration Controls
  3. Enable automated secure configuration checking                  Support Automated System Integrations
  4. Structured secure configuration guides                          Secure Configuration Baselines
  5. Inventory/asset management support                              Support Automated System Integrations
  6. Vulnerability identification, disclosure, & response practices  Security Advisories
  7. Patch checking                                                  Security Advisories
33
- SCAP covers a wide range of use cases, practices, standards and content
- Integrating it all in one big chunk would likely prove very challenging and make its practical application less likely
- We suggest a staged integration approach that starts out low-effort and builds capability in a tiered fashion
34 Staged Integration

  Area                                                             Tier 1: Utilize Standard Naming  Tier 2: Define Structured Guidance  Tier 3: Assess & Validate
  ---------------------------------------------------------------  -------------------------------  ----------------------------------  ---------------------------------------------
  Standardized Product Names                                       CPE, SWID*                       API for CPE
  Standardized Configuration Item Identification                   CCE                              API for CCE                         Specify OVAL construct for CCE
  Enable Automated Secure Configuration Checking;                                                   XCCDF, CPE, CCE                     XCCDF, CPE, CCE, OVAL Compliance Definitions
  Structured Secure Configuration Guides
  Inventory/Asset Management Support                                                                                                    OVAL Inventory Definitions
  Vulnerability Identification, Disclosure, and Response Practices  CPE, CVE, CVSS, SWID*                                               OVAL Vulnerability Definitions
  Patch Checking                                                   CPE, CVE, CVSS, SWID*                                                OVAL Inventory Definitions

*SWID (ISO/IEC ): the software identification tag standard is focused on authoritative software identification
35 Staged Integration
Tier 1: Utilize Standard Naming
- Low-effort integration of the most mature SCAP components.
- Enables correlation across information sources.
- Requires knowledge of CCE, CPE, CVE, and CVSS.
Tier 2: Define Structured Guidance & Enable Automation
- Structured guidance and published APIs.
- Foundation for automated system checking.
- Requires knowledge of XCCDF and exposure of APIs.
Tier 3: Assess and Validate
- Automated checking of system state (patched, configured securely, vulnerable, etc.).
- Requires knowledge of OVAL.
36 For More Information
More information on the standards:
- CVE: Vulnerabilities
- CCE: Configuration controls
- CPE: Platforms/applications
- OVAL: Checking language
- OCIL: Questionnaire language
- XCCDF: Structuring
- CVSS: Scores severity of vulnerabilities
- NVD: Resources for SCAP users
- Making Security Measurable: More resources on SCAP and beyond
37 Questions?
38 Optional Detail Slides
39 1. Standardized Product Names
Register a CPE Name for the product and its dependencies.
Vendor Actions:
- Register and maintain a CPE Name for the product
- Ensure that all dependent products have registered CPE Names
- Provide programmatic means to query the product for its CPE Name
- List CPE Names in product documentation
Validator Role:
- Verify CPE Name is listed in the Official CPE Dictionary
- Verify that the CPE API is documented and functioning properly
Benefit:
- Enables fast, accurate correlation across information sources
- Enables correlation of product and platform information for use in asset management, situational awareness, and continuous monitoring
40 2. Standardized configuration item identification
Assign a CCE to all security-relevant configuration controls in the product.
Vendor Actions:
- Identify all security-relevant configuration controls
- Assign CCE IDs to all security-relevant configuration controls
Validator Role:
- CCEs are listed for the product
- Product's Secure Configuration Guide includes CCE references
Benefit:
- Enables fast, accurate correlation across information sources
- Completes a first step toward supporting automated configuration checking
- Tool vendors understand what the configuration items are, and what to check for
41 3. Enable automated secure configuration checking
Instrument security-relevant configuration controls for automated configuration checking.
Vendor Actions:
- For each CCE in the product, provide a programmatic means to check and set the state of that value
- Identify the proper OVAL construct for checking the state of each CCE
Validator Role:
- Verify vendor listing of programmatic methods for all CCEs
Benefit:
- Enables automated checking during NIAP evaluation
- Provides foundation for automated secure configuration guides
- Product is instrumented for continuous monitoring
42 4. Structured secure configuration guides
Enable standardized automatic software configuration checking using CPE, OVAL and XCCDF.
Vendor Actions:
- Create an SCAP-expressed benchmark for the secure configuration of the product
Validator Role:
- Verify that the SCAP-expressed benchmark is available and valid
Benefit:
- Enables faster, more accurate checking for adherence to the policy
- End users can use the SCAP-validated tool of their choice to determine if the product is properly configured
- An evaluator can run automated verification of the secure configuration on all test systems
43 5. Inventory/asset management support
Enable standardized automatic software inventories using CPE and OVAL.
Vendor Actions:
- Publish an OVAL Definition for detecting the presence of the product
- Reference the CPE Name for the product in the OVAL Definition
Validator Role:
- Verify that an OVAL Inventory Definition has been published
Benefit:
- End users can use the SCAP-validated tool of their choice to determine if the product is present on their system
44 6. Vulnerability identification, disclosure and response practices
Enable standardized automatic software vulnerability checking using CPE, OVAL and CVE.
Vendor Actions:
- Include a CVE ID in all vulnerability alerts
- Include CPE Names for all affected products in all vulnerability alerts
- Provide a CVSS base score for all vulnerabilities
- Publish an OVAL Definition for detecting the presence of the vulnerability
Validator Role:
- Verify documented use of SCAP in flaw remediation practices
Benefit:
- Faster responses to security advisories by end users
- Vulnerabilities are identified, prioritized, and described in a standardized way
45 7. Patch checking
Enable standardized automatic software patch checking using CPE, OVAL and CVE.
Vendor Actions:
- Publish standardized patch checks as OVAL definitions
- Include the list of affected products by CPE Name in patch bulletins
- List all vulnerabilities addressed by their CVE ID
Validator Role:
- Verify that the documented vendor patch processes include OVAL, CPE, and CVE
Benefit:
- End users can use the SCAP-validated tool of their choice to determine if a patch is installed on their system, to help keep their system up to date
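Detail slides 40 to 42 (a CCE on each configuration control, an OVAL construct per CCE, an SCAP-expressed benchmark in XCCDF) worked through as an added Python example; this is not the presentation's or any vendor's code. The benchmark follows the XCCDF 1.2 element layout with placeholder rule ids, CCE numbers and CPE name, and the OVAL definitions it references are stood in for by a key/value table rather than an OVAL interpreter.

```python
"""Evaluate a minimal XCCDF 1.2 benchmark, whose rules carry CCE idents and reference
OVAL definitions, against a constructed system state.

Constructed illustration, not MITRE's, NIST's or any vendor's code. The benchmark
follows the XCCDF 1.2 element layout; the OVAL definitions it references are stood
in for by a small key/value table instead of a real OVAL engine.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed benchmark: the rule ids, CCE numbers and CPE name are placeholders.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_widgetd">
  <status>draft</status>
  <title>Example widgetd secure configuration</title>
  <version>1</version>
  <platform idref="cpe:/a:example:widgetd:2.1"/>
  <Rule id="xccdf_org.example_rule_tls_required" selected="true" severity="high">
    <title>Require TLS for client connections</title>
    <ident system="{CCE_SYSTEM}">CCE-00000-1</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="widgetd-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_debug_off" selected="true" severity="medium">
    <title>Disable the debug interface</title>
    <ident system="{CCE_SYSTEM}">CCE-00000-2</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="widgetd-oval.xml" name="oval:org.example:def:2"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_legacy_cipher" selected="false" severity="low">
    <title>Legacy rule, not selected in this benchmark</title>
    <ident system="{CCE_SYSTEM}">CCE-00000-3</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="widgetd-oval.xml" name="oval:org.example:def:3"/>
    </check>
  </Rule>
</Benchmark>"""

# Stand-in for the referenced OVAL definitions: definition id -> (setting, expected value).
OVAL_STAND_IN = {
    "oval:org.example:def:1": ("tls_required", "true"),
    "oval:org.example:def:2": ("debug_interface", "off"),
}

# Constructed system state, as a scanner would collect it from the product's configuration.
SYSTEM_STATE = {"tls_required": "true", "debug_interface": "on"}


def evaluate_benchmark(xml_text: str, oval_defs: dict, state: dict) -> list:
    """Return (rule id, CCE, result) per Rule, using the XCCDF result vocabulary."""
    ns = {"x": XCCDF_NS}
    results = []
    for rule in ET.fromstring(xml_text).findall("x:Rule", ns):
        ident = rule.find(f"x:ident[@system='{CCE_SYSTEM}']", ns)
        cce = ident.text if ident is not None else None
        if rule.get("selected", "true") != "true":
            results.append((rule.get("id"), cce, "notselected"))
            continue
        ref = rule.find("x:check/x:check-content-ref", ns)
        definition = oval_defs.get(ref.get("name")) if ref is not None else None
        if definition is None:  # no usable check content for this rule
            results.append((rule.get("id"), cce, "notchecked"))
            continue
        setting, expected = definition
        if setting not in state:
            result = "unknown"
        else:
            result = "pass" if state[setting] == expected else "fail"
        results.append((rule.get("id"), cce, result))
    return results


def render_test_result(results: list) -> str:
    """Render the results as a minimal XCCDF 1.2 TestResult with one rule-result each."""
    ET.register_namespace("", XCCDF_NS)
    tr = ET.Element(f"{{{XCCDF_NS}}}TestResult", id="xccdf_org.example_testresult_1")
    for rule_id, cce, result in results:
        rr = ET.SubElement(tr, f"{{{XCCDF_NS}}}rule-result", idref=rule_id)
        ET.SubElement(rr, f"{{{XCCDF_NS}}}result").text = result
        if cce:
            ET.SubElement(rr, f"{{{XCCDF_NS}}}ident", system=CCE_SYSTEM).text = cce
    return ET.tostring(tr, encoding="unicode")


if __name__ == "__main__":
    for rule_id, cce, result in evaluate_benchmark(BENCHMARK_XML, OVAL_STAND_IN, SYSTEM_STATE):
        print(f"{result:12} {cce}  {rule_id}")
```

Because each rule-result carries the CCE ident, the failing setting can be correlated with the vendor's configuration guide and with other tools' results by CCE rather than by tool-specific names.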
More informationSTIGs,, SCAP and Data Metrics
Defense Information Systems Agency A Combat Support Agency STIGs,, SCAP and Data Metrics Roger S. Greenwell, CISSP, CISA, CISM Technical Director / Capabilities Implementation Division DISA Field Security
More informationContinuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP
Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Vasileios A. Baousis (Ph.D) Network Applications Team Slide 1 Agenda Introduction Background - SCAP - Puppet &Mcollective
More informationCDM Hardware Asset Management (HWAM) Capability
CDM Hardware Asset Management (HWAM) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Table of Contents 1 PURPOSE AND SCOPE... 2 2 THREAT
More informationTotal Protection for Compliance: Unified IT Policy Auditing
Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.
More informationCONTINUOUS MONITORING
CONTINUOUS MONITORING Monitoring Strategy Part 2 of 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring (CM) and how
More informationPenetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015
For the Financial Industry in Singapore 31 July 2015 TABLE OF CONTENT 1. EXECUTIVE SUMMARY 3 2. INTRODUCTION 4 2.1 Audience 4 2.2 Purpose and Scope 4 2.3 Definitions 4 3. REQUIREMENTS 6 3.1 Overview 6
More informationSOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013
SOFTWARE ASSET MANAGEMENT Continuous Monitoring September 16, 2013 Tim McBride National Cybersecurity Center of Excellence timothy.mcbride@nist.gov David Waltermire Information Technology Laboratory david.waltermire@nist.gov
More informationAn Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance
An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance Presented by: John Banghart, Booz Allen Hamilton SCAP Validation Project Lead Thoughts on Current State
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationTwenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance Draft 1.0: February 23, 2009
Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance Draft 1.0: February 23, 2009 NOTICE to readers of this draft document: Criticisms and suggestions
More informationAutomating Attack Analysis Using Audit Data. Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009
Automating Attack Analysis Using Audit Data Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009 2 Introduction Audit logs are cumbersome and traditionally used after the fact for forensics analysis.
More informationQuestion(s): 4/17 Geneva, 16-25 September 2009 TEMPORARY DOCUMENT
INTERNATIONAL TELECOMMUNICATION UNION STUDY GROUP 17 TELECOMMUNICATION STANDARDIZATION SECTOR STUDY PERIOD 2009-2012 English only Original: English Question(s): 4/17 Geneva, 16-25 September 2009 Source:
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationMassively Scaled Security Solutions for Massively Scaled IT
Massively Scaled Security Solutions for Massively Scaled IT Michael Smith, SecTor 2009 Who is Michael Smith? 8 years active duty army Graduate of Russian basic course, Defense Language Institute, Monterey,
More informationGuide to Enterprise Patch Management Technologies
NIST Special Publication 800-40 Revision 3 Guide to Enterprise Patch Management Technologies Murugiah Souppaya Karen Scarfone C O M P U T E R S E C U R I T Y NIST Special Publication 800-40 Revision 3
More informationSecunia Vulnerability Intelligence Manager (VIM) 4.0
Secunia Vulnerability Intelligence Manager (VIM) 4.0 In depth Real-time vulnerability intelligence brought to you on time, every time, by Secunia s renowned research team Introduction Secunia is the world-leading
More informationHow To Get The Nist Report And Other Products For Free
National Institute of Standards and Technology (NIST) The Information Technology Lab Computer Security Division (893) Now What? What does NIST have for you to use and how do you get it? How do you contact
More informationTop 20 critical security controls
Top 20 critical security controls What it is These Top 20 Controls were agreed upon by a powerful consortium under the auspices of the Center for Strategic and International Studies. Members of the Consortium
More informationInformation Technology Risk Management
Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationThe Emergence of Security Business Intelligence: Risk
The Emergence of Security Business Intelligence: Risk Management through Deep Analytics & Automation Mike Curtis Vice President of Technology Strategy December, 2011 Introduction As an industry we are
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationNetwork Access Control (NAC) and Network Security Standards
Network Control (NAC) and Network Security Standards Copyright 2011 Trusted Computing Group Other names and brands are properties of their respective owners. Slide #1 Agenda Goals of NAC Standards What
More informationTowards security management in the cloud utilizing SECaaS
Towards security management in the cloud utilizing SECaaS JAN MÉSZÁROS University of Economics, Prague Department of Information Technologies W. Churchill Sq. 4, 130 67 Prague 3 CZECH REPUBLIC jan.meszaros@vse.cz
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationSecurity Control Standard
Department of the Interior Security Control Standard Risk Assessment January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information
More informationCDM Software Asset Management (SWAM) Capability
CDM Software Asset Management (SWAM) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Table of Contents 1 PURPOSE AND SCOPE... 2 2 THREAT
More informationBuilding a More Secure and Prosperous Texas through Expanded Cybersecurity
Building a More Secure and Prosperous Texas through Expanded Cybersecurity Bob Butler Chairman, Texas Cybersecurity, Education and Economic Development Council April 2013 About the Texas Cybersecurity
More informationQRadar SIEM 6.3 Datasheet
QRadar SIEM 6.3 Datasheet Overview Q1 Labs flagship solution QRadar SIEM is unrivaled in its ability to provide an organization centralized IT security command and control. The unique capabilities of QRadar
More informationWhite Paper. Understanding NIST 800 37 FISMA Requirements
White Paper Understanding NIST 800 37 FISMA Requirements Contents Overview... 3 I. The Role of NIST in FISMA Compliance... 3 II. NIST Risk Management Framework for FISMA... 4 III. Application Security
More informationCYBEX The Cybersecurity Information Exchange Framework (X.1500)
CYBEX The Framework (X.1500) Anthony Rutkowski Yaana Technologies, USA tony@yaanatech.com Damir Rajnovic FIRST, USA gaus@cisco.com Youki Kadobayashi NAIST, Japan youki-k@is.naist.jp Robert Martin MITRE,
More informationFederal IPv6 Working Group Innovative IPv6 Implementation with Least Cost Funding
Federal IPv6 Working Group Innovative IPv6 Implementation with Least Cost Funding John L Lee, CTO Co-Chair, IPv6 Address Planning Team, ACT-IAC, Federal IPv6 Task Force Internet Associates, LLC A Certified
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationThe Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole
The Future Is SECURITY THAT MAKES A DIFFERENCE Overview of the 20 Critical Controls Dr. Eric Cole Introduction Security is an evolution! Understanding the benefit and know how to implement the 20 critical
More informationTrusted Network Connect (TNC)
Trusted Network Connect (TNC) Open Standards for Integrity-based Network Access Control and Coordinated Network Security April 2011 Trusted Computing Group 3855 SW 153rd Drive, Beaverton, OR 97006 Tel
More informationIndependent Security Operations Oversight and Assessment. Captain Timothy Holland PM NGEN
Independent Security Operations Oversight and Assessment Captain Timothy Holland PM NGEN 23 June 2010 Independent Security Operations Oversight and Assessment Will Jordan NGEN Cyber Security 23 June 2010
More informationForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002
ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationSecurity Automation Workshop 2014 Minutes
Security Automation Workshop 2014 Minutes Disclaimers: The intent of this workshop was to gather together individuals from industry, standards bodies, and government to engage in an open and honest dialogue
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationReference Ontology for Cybersecurity Operational Information
The Computer Journal Advance Access published October c The British 8, 2014 Computer Society 2014. This is an Open Access article distributed under the terms of the Creative Commons Attribution License
More informationSECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK
SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK BACKGROUND The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines a comprehensive set of controls that is the basis
More informationHow To Buy Nitro Security
McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security
More informationD. Best Practices D.2. Administration The 6 th A
Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.2. Administration The 6 th A 1 of 26 The previous section described how to improve IT security through use of better development
More informationNetIQ FISMA Compliance & Risk Management Solutions
N E T I Q C O M P L I A N C E S E R I E S NetIQ FISMA Compliance & Risk Management Solutions The Federal Information Security Management Act (FISMA) requires federal agencies to create and implement a
More informationDoD Secure Configuration Management (SCM) Operational Use Cases
Defense Information Systems Agency A Combat Support Agency DoD Secure Configuration Management (SCM) Operational Use Cases DISA PEO-MA Computer Network Defense Enclave Security 26 September 2010 This brief
More informationEverything You Wanted to Know about DISA STIGs but were Afraid to Ask
Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,
More informationPCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance
More informationPragmatic Metrics for Building Security Dashboards
SESSION ID: GRC-W03 Pragmatic Metrics for Building Security Dashboards James Tarala Principal Consultant Enclave Security @isaudit Problem Statement What s measured improves. Peter Drucker In an era of
More informationPCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES
CONFIDENCE: SECURED WHITE PAPER PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE BENCHMARKS, STANDARDS, FRAMEWORKS
More informationThe Ontological Approach for SIEM Data Repository
The Ontological Approach for SIEM Data Repository Igor Kotenko, Olga Polubelova, and Igor Saenko Laboratory of Computer Science Problems, Saint-Petersburg Institute for Information and Automation of Russian
More informationSecunia Vulnerability Intelligence Manager
TECHNOLOGY AUDIT Secunia Vulnerability Intelligence Manager Secunia Reference Code: OI00070-076 Publication Date: July 2011 Author: Andy Kellett SUMMARY Catalyst Secunia Vulnerability Intelligence Manager
More informationUnderstanding How They Attack Your Weaknesses: CAPEC Sean Barnum MITRE
Understanding How They Attack Your Weaknesses: CAPEC Sean Barnum MITRE HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS). The Long-established Principal of Know Your Enemy One who
More informationAHS Flaw Remediation Standard
AGENCY OF HUMAN SERVICES AHS Flaw Remediation Standard Jack Green 10/14/2013 The purpose of this procedure is to facilitate the implementation of the Vermont Health Connect s security control requirements
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationTransformational Vulnerability Management Through Standards. Robert A. Martin MITRE Corporation
Transformational Vulnerability Management Through Standards Robert A. Martin MITRE Corporation The Department of Defense s new enterprise licenses for vulnerability assessment and remediation tools [1,2]
More informationIndependent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015
Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including
More information