Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities


Slide 1: Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities
Sean Barnum, September 2011

Slide 2: Overview
- What is SCAP?
- Why SCAP?
- How can SCAP be leveraged for the Common Criteria?
- A proposed approach for integrating SCAP into the domain of Common Criteria


Slide 4: Security Content Automation Protocol
A protocol leveraging a suite of seven preexisting open specifications that standardize the format and nomenclature by which security software communicates information about software flaws and security configurations.
Defines how these specifications are used in concert for the following activities:
- vulnerability and patch management
- secure configuration management
- policy compliance evaluation
- asset inventorying
- detecting system compromise
Motivating factors:
- Number and variety of systems to secure
- Need to respond quickly to new threats
- Lack of interoperability
- Complexity of guidance
- Number of security-related configuration settings
- Need to verify the security posture regularly
"SCAP was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise." (NIST SP)

Slide 5: SCAP Components
Naming:
- CVE, Common Vulnerabilities & Exposures: standard nomenclature and dictionary of security-related software vulnerabilities
- CCE, Common Configuration Enumeration: standard nomenclature and dictionary of software configurations
- CPE, Common Platform Enumeration: standard nomenclature and dictionary for product naming
Expressing:
- XCCDF, eXtensible Checklist Configuration Description Format: standard XML for specifying checklists and for reporting results of checklist evaluation
Assessing:
- OVAL, Open Vulnerability and Assessment Language: standard XML for system test procedures
- OCIL, Open Checklist Interactive Language: standard XML for expressing questions to an end user
Scoring:
- CVSS, Common Vulnerability Scoring System: standard for measuring the impact of vulnerabilities

Slide 6: Layering the Security Automation Standards (diagram; labels visible: Policy, What?, Why?, CCSS, Assess, OCIL)

Slide 7: Putting it Together
Inventory Management:
- Universal identifiers for software (CPE)
- Language for testing procedures for software presence (OVAL/OCIL)
Vulnerability Management:
- Universal identifiers for vulnerabilities (CVE)
- Scoring system for vulnerabilities (CVSS)
- Assessment language for checking for vulnerabilities (OVAL)
Configuration Policy:
- Universal identifiers for configurable controls (CCE)
- Language for testing procedures for configuration compliance (OVAL/OCIL)
- Language for organized configuration structuring and tailoring (XCCDF)
2011 The MITRE Corporation. All rights reserved.

Slide 8: SCAP-enabled Tools are Available Today
- SCAP is not some vague, future promise
- Over 40 vendors have tools certified as SCAP compatible
- Large amounts of freely available content exist
- Widely deployed in U.S. Government enclaves using a variety of vendors since

Slide 9: Current SCAP-Validated Vendors
List of validated vendors and products available at
Information current as of January 28, 2011. Logos are trademarked by their respective corporations.

Slide 10: (diagram of the security automation standards in the CYBEX context)
Diagram labels: Information Exchange Schema; CYBEX context; Application Specific Extensions; Events, Incidents, & Heuristics; Weaknesses, Vulnerabilities, & State.
Standards shown:
- CPE, Common Platform Enumeration
- XCCDF, eXtensible Configuration Checklist Description Format
- CCE, Common Configuration Enumeration
- OVAL, Open Vulnerability and Assessment Language
- ARF, Assessment Result Format
- CVSS, Common Vulnerability Scoring System
- CVE, Common Vulnerabilities and Exposures
- IODEF, Incident Object Description Exchange Format
- CWSS, Common Weakness Scoring System
- CWE, Common Weakness Enumeration
- CAPEC, Common Attack Pattern Enumeration and Classification
- CEE, Common Event Expression

Slide 11: SCAP Security Automation Tools (the same standards diagram as slide 10, with the label "SCAP Use Case" in place of "CYBEX context"; standards shown: CPE, XCCDF, CCE, OVAL, ARF, CVSS, CVE, IODEF, CWSS, CWE, CAPEC, CEE)

Slide 12: Status of ITU-T Recommendations
x-series | Title | ITU-T Status | Planned Determination
x.1500 | Cybersecurity Information Exchange (CYBEX) Techniques | Final | Dec 2010
x.1520 | Common Vulnerabilities and Exposures | Final | Dec 2010
x.1521 | Common Vulnerability Scoring System | Final | Dec 2010
x.cwe | Common Weakness Enumeration | Final | Aug 2011
x.oval | Open Vulnerability and Assessment Language | Draft | Aug 2011
x.cce | Common Configuration Enumeration | Draft | Aug 2011
x.capec | Common Attack Pattern Enumeration and Classification | Draft | Feb 2012
x.maec | Malware Attribute Enumeration and Classification | Draft | 2012
x.cwss | Common Weakness Scoring System | Draft | 2012
x.cee | Common Event Expression | Draft | 2012
x.cpe | Common Platform Enumeration | Draft | 2012
x.arf | Asset Reporting Format | Draft | 2012
x.xccdf | Extensible Configuration Checklist Description Format | Draft | 2012

Slide 13: SCAP For Product Consumers (SP )
- Organizations should use security configuration checklists that are expressed using SCAP to improve and monitor their systems' security.
- Organizations should take advantage of SCAP to demonstrate compliance with high-level security requirements that originate from mandates, standards, and guidelines.
- Organizations should use SCAP for vulnerability measurement and scoring.
- Organizations should acquire and use SCAP-validated products.

Slide 14: SCAP For Product Vendors (SP )
Product Names:
- Provide CPE names for all products
Configuration Controls:
- Each security-relevant configuration control is assigned a CCE through a federated CCE creation process.
Secure Configuration Baselines:
- Development of configuration checks to confirm that a system is running under the specified secure configuration.
- Use XCCDF and OVAL to allow for machine-interpretable content.
- Use CPE and CCE to allow for platform targeting and data correlation.
Security Advisories:
- Incorporate CVEs in the initial vulnerability alert.
- Assign CVSS scores to vulnerabilities.
- Include OVAL Definitions as a standardized machine-interpretable check for the issue.
- Include CPE Names for affected software.
Support Automated System Integrations:
- Develop systems that can be assessed
- Provide OVAL extensions for new platforms


Slide 16: SANS: 20 Critical Security Controls (a.k.a. CAG)
- Transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through.
- Enabling agreement between those responsible for compliance and those responsible for security.
- The Top 20 Controls were developed by a consortium including: US NSA, US-CERT, US DoD, the US Department of Energy Nuclear Laboratories, US Department of State, industry experts.
- Automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness.
- US Department of State iPost demonstrated more than 80% reduction in "measured" security risk.

Slide 17: SANS: 20 Critical Security Controls (a.k.a. CAG)
Critical Controls Subject to Automated Collection, Measurement, and Validation:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
SCAP Enables Automation

Slide 18: SCAP Supports International Drivers
- SCAP and its targeted use cases are not just driven by US needs
- SCAP also supports numerous international drivers as well:
  - Commercial industry mandates such as the Payment Card Industry Data Security Standard (PCI-DSS) Requirement 6
  - ISO security process and practices standards such as the series
  - ITU security information structure and exchange recommendations such as the X.1000, X.1100, X.1200 & X.1500 series
  - In-development standards and mandates surrounding supply chain security
  - Etc.

Slide 19: It's Not Only About Discrete Specification and Assessment
Inventory Management:
- Universal identifiers for software (CPE)
- Language for testing procedures for software presence (OVAL/OCIL)
Vulnerability Management:
- Universal identifiers for vulnerabilities (CVE)
- Scoring system for vulnerabilities (CVSS)
Configuration Policy:
- Universal identifiers for configurable controls (CCE)
- Language for testing procedures for configuration compliance (OVAL/OCIL)
- Language for organized configuration structuring and tailoring (XCCDF)

Slide 20: Continuous Monitoring
"Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." (NIST )
A result of numerous events coming together:
- SANS Top 20 Critical Controls (CAG)
- US OMB FISMA Reporting Memo (M-10-15)
- iPost: Implementing Continuous Risk Monitoring at the DoS
CM provides a foundation for many IA activities: IT Security Reporting, Vulnerability Management, Inventory Management, etc.
"Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and other agency management all need to have different levels of this information presented to them in ways that enable timely decision making. To do this, agencies need to automate security-related activities, to the extent possible, and acquire tools that correlate and analyze security-related information. Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools." (OMB memo M)

Slide 21: CAESARS & Standards
CAESARS: Continuous Asset Evaluation, Situational Awareness, and Risk Scoring - Reference Architecture (diagram). Components shown: Presentation, Analytics, Database, Sensors; flows labelled Standardized Results and Standardized Tasking; the components and flows are annotated with the standards they carry: CPE, CCE, CVE, CVSS, OVAL, XCCDF.

Slide 22: Comply to Connect: SCAP and TNC Integration
- Network Access Control (NAC) is seen as a key enabling technology for several of the SANS Top 20 Critical Security Controls.
- SCAP provides a set of standard data formats that can be used to describe desired system configurations.
- Trusted Network Connect (TNC) provides a standards-based NAC solution.
- SCAP and TNC can be used together to provide a complete standards-based approach.

Slide 23: Coordinated Security (diagram). Elements shown: Asset Management System, Endpoint Security (via NAC), SIM / SEM, MAP, IPAM, IF-MAP Protocol, Physical Security, ICS/SCADA Security, AAA, Routing, Server or IDS, Switching, Wireless, Firewalls, Cloud Security.
Copyright 2011 Trusted Computing Group. Other names and brands are properties of their respective owners.

Slide 24: Coordinated Security & NAC Together (diagram). Elements shown: Access Requestor (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP), Sensors, Flow Controllers.

Slide 25: TNC and SCAP Together (diagram). Elements shown: Access Requestor (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP), Sensors, Flow Controllers, SCAP Client Software, SCAP Analysis Software, SCAP External Scanner.


Slide 27: SCAP Value for the Common Criteria
Inventory Management:
- Evaluators: Clear understanding of 3rd-party components in the TOE
- Consumers: Clear understanding of which systems are deployed and whether those systems are the same ones that were evaluated
Vulnerability Management:
- Vendors: Ensure all TOE 3rd-party components are patched before submitting for evaluation
- Evaluators: Test for known vulnerabilities in TOE 3rd-party components
Configuration Policy:
- Vendors: Secure configuration specification for products to be evaluated
- Evaluators: Ensure the product is being evaluated as intended
- Consumers: Secure configuration compliance to ensure the operational system is still the same as the one that was evaluated

Slide 28: Paralleling the TNC/SCAP Approach for CC Evaluated Products
- Common Criteria evaluated products are trusted to operate in the deployed environment
- A standard secure configuration baseline is defined as part of the CC evaluation
- Continuously monitor the configuration state of the deployed product
- If the configuration changes from the standard baseline (i.e. the product running is no longer the product that was evaluated), report an alert, revoke operation privileges for the product and/or remove it from the network

Slide 29: SCAP and NIAP Integration Overview
MITRE developed a white paper that describes the logical ways in which to integrate SCAP into NIAP.
- Shared paper with firewall protection profile group.
- Briefed the firewall protection profile group during RSA.
- Could be added to emerging profiles as they are ready.
Motivation:
- SANS Top 20
- Continuous Monitoring
- DHS Cyber Ecosystem
- Enable automated monitoring of products
- Faster, more accurate identification of issues
- Deliver actionable secure configuration guidance
Identified seven areas to utilize SCAP, aligned with relevant CAG controls.

Slide 30: Seven Areas for Integration Identified
1. Standardized Product Names: enables fast, accurate correlation across information sources.
2. Standardized configuration item identification: enables fast, accurate correlation across information sources.
3. Enable automated secure configuration checking: enables automated checking during NIAP evaluation.
4. Structured secure configuration guides: enables automated checking for adherence to the policy.
5. Inventory/asset management support: end users can use the asset management tool of choice.
6. Vulnerability identification, disclosure, & response practices: faster responses to security advisories by end users.
7. Patch checking: end users can use the patch management tool of choice.

Slide 31: Areas for Integration Aligned with SCAP
Each area, its benefit, and the matching "SCAP For Product Vendors" activity:
1. Standardized Product Names (enables fast, accurate correlation across information sources) | Product Names
2. Standardized configuration item identification (enables fast, accurate correlation across information sources) | Configuration Controls
3. Enable automated secure configuration checking (enables automated checking during NIAP evaluation) | Support Automated System Integrations
4. Structured secure configuration guides (enables automated checking for adherence to the policy) | Secure Configuration Baselines
5. Inventory/asset management support (end users can use the asset management tool of choice) | Support Automated System Integrations
6. Vulnerability identification, disclosure, & response practices (faster responses to security advisories by end users) | Security Advisories
7. Patch checking (end users can use the patch management tool of choice) | Security Advisories


Slide 33:
- SCAP covers a wide range of use cases, practices, standards and content
- Integrating it all in one big chunk would likely prove very challenging and make its practical application less likely
- We suggest a staged integration approach that starts out low-effort and builds capability in a tiered fashion

Slide 34: Staged Integration
Tiers: Tier 1, Utilize Standard Naming; Tier 2, Define Structured Guidance; Tier 3, Assess & Validate.
- Standardized Product Names: Tier 1 CPE, SWID*; Tier 2 API for CPE
- Standardized Configuration Item Identification: Tier 1 CCE; Tier 2 API for CCE; Tier 3 Specify OVAL construct for CCE
- Enable Automated Secure Configuration Checking / Structured Secure Configuration Guides: Tier 2 XCCDF, CPE, CCE; Tier 3 XCCDF, CPE, CCE, OVAL Compliance Definitions
- Inventory/Asset Management Support: Tier 3 OVAL Inventory Definitions
- Vulnerability Identification, Disclosure, and Response Practices: Tier 1 CPE, CVE, CVSS, SWID*; Tier 3 OVAL Vulnerability Definitions
- Patch Checking: Tier 1 CPE, CVE, CVSS, SWID*; Tier 3 OVAL Inventory Definitions
*SWID (ISO/IEC ): the software identification tag standard is focused on authoritative software identification

Slide 35: Staged Integration
- Tier 1, Utilize Standard Naming: low-effort integration of the most mature SCAP components. Enables correlation across information sources. Requires knowledge of CCE, CPE, CVE, and CVSS.
- Tier 2, Define Structured Guidance & Enable Automation: structured guidance and published APIs. Foundation for automated system checking. Requires knowledge of XCCDF and exposure of APIs.
- Tier 3, Assess and Validate: automated checking of system state (patched, configured securely, vulnerable, etc.). Requires knowledge of OVAL.

Slide 36: For More Information
More information on the standards:
- CVE: vulnerabilities
- CCE: configuration controls
- CPE: platforms/applications
- OVAL: checking language
- OCIL: questionnaire language
- XCCDF: structuring
- CVSS: scores severity of vulnerabilities
- NVD: resources for SCAP users
- Making Security Measurable: more resources on SCAP and beyond

Slide 37: Questions?

Slide 38: Optional Detail Slides

Slide 39: 1. Standardized Product Names
Vendor Actions:
- Register and maintain a CPE Name for the product
- Ensure that all dependent products have registered CPE Names
- Provide programmatic means to query the product for its CPE Name
- List CPE Names in product documentation
Validator Role:
- Verify CPE Name is listed in the Official CPE Dictionary
- Verify that the CPE API is documented and functioning properly
Benefit:
- Register a CPE Name for the product and its dependencies.
- Enables fast, accurate correlation across information sources
- Enables correlation of product and platform information for use in asset management, situational awareness, and continuous monitoring.

Slide 40: 2. Standardized configuration item identification
Vendor Actions:
- Identify all security-relevant configuration controls
- Assign CCE IDs to all security-relevant configuration controls
Validator Role:
- CCEs are listed for the product
- Product's Secure Configuration Guide includes CCE references.
Benefit:
- Assign a CCE to all security-relevant configuration controls in the product.
- Enables fast, accurate correlation across information sources
- Completes a first step toward supporting automated configuration checking
- Tool vendors understand what the configuration items are, and what to check for

Slide 41: 3. Enable automated secure configuration checking
Instrument security-relevant configuration controls for automated configuration checking.
Vendor Actions:
- For each CCE in the product, provide a programmatic means to check and set the state of that value
- Identify the proper OVAL construct for checking the state of each CCE
Validator Role:
- Verify vendor listing of programmatic methods for all CCEs
Benefit:
- Enables automated checking during NIAP evaluation
- Provides foundation for automated secure configuration guides
- Product is instrumented for continuous monitoring

Slide 42: 4. Structured secure configuration guides
Enable standardized automatic software configuration checking using CPE, OVAL and XCCDF.
Vendor Actions:
- Create an SCAP-expressed benchmark for the secure configuration of the product
Validator Role:
- Verify that the SCAP-expressed benchmark is available and valid
Benefit:
- Enables faster, more accurate checking for adherence to the policy.
- End users can use the SCAP-validated tool of their choice to determine if the product is properly configured.
- An evaluator can run automated verification of the secure configuration on all test systems
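As an added illustration of how the pieces in areas 3 and 4 fit together (an XCCDF benchmark whose rules carry CCE idents and reference OVAL definitions, evaluated by an SCAP tool), here is an example that is not part of the original deck: it parses a constructed XCCDF 1.2 benchmark and a constructed OVAL results document, derives XCCDF rule results, scores them under the XCCDF default model and lists the failed CCEs for hand-off to remediation. All rule ids, the platform CPE name and the CCE numbers are constructed placeholders.

```python
"""Correlate an XCCDF benchmark with OVAL results into per-rule results keyed
by CCE. The benchmark, results and CCE ids below are constructed placeholders."""
import xml.etree.ElementTree as ET
from typing import Dict, List

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
OVAL_RES = "{http://oval.mitre.org/XMLSchema/oval-results-5}"
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_DEF_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed XCCDF 1.2 benchmark: rules carry placeholder CCE idents and are
# wired to OVAL definitions by id; the platform CPE names a fictitious OS.
BENCHMARK_XML = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example_benchmark_hardening">
  <platform idref="cpe:/o:example:secureos:1.0"/>
  <Rule id="xccdf_com.example_rule_min_password_length" selected="true" weight="10.0">
    <title>Minimum password length is at least 12</title>
    <ident system="http://cce.mitre.org">CCE-00000-0</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="secureos-oval.xml" name="oval:com.example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_com.example_rule_telnet_disabled" selected="true" weight="5.0">
    <title>Telnet service is disabled</title>
    <ident system="http://cce.mitre.org">CCE-00000-1</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="secureos-oval.xml" name="oval:com.example:def:2"/>
    </check>
  </Rule>
  <Rule id="xccdf_com.example_rule_login_banner" selected="false" weight="1.0">
    <title>Login banner configured (not selected in this profile)</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="secureos-oval.xml" name="oval:com.example:def:3"/>
    </check>
  </Rule>
</Benchmark>
"""

# Constructed OVAL results, as an OVAL interpreter would report them after
# evaluating the referenced definitions on one target system.
OVAL_RESULTS_XML = """<?xml version="1.0"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results><system><definitions>
    <definition definition_id="oval:com.example:def:1" version="1" result="true"/>
    <definition definition_id="oval:com.example:def:2" version="1" result="false"/>
  </definitions></system></results>
</oval_results>
"""

# Mapping of OVAL definition results onto XCCDF rule result values.
OVAL_TO_XCCDF = {"true": "pass", "false": "fail", "error": "error", "unknown": "unknown",
                 "not applicable": "notapplicable", "not evaluated": "notchecked"}


def parse_benchmark(xml_text: str):
    """Return (platform CPE names, rules); each rule records its CCE ident,
    OVAL definition id, weight and selection state."""
    root = ET.fromstring(xml_text)
    platforms = [p.get("idref") for p in root.findall(XCCDF + "platform")]
    rules = []
    for rule in root.iter(XCCDF + "Rule"):
        cce = next((i.text for i in rule.findall(XCCDF + "ident")
                    if i.get("system") == CCE_SYSTEM), None)
        oval_def = next((ref.get("name") for chk in rule.findall(XCCDF + "check")
                         if chk.get("system") == OVAL_DEF_SYSTEM
                         for ref in chk.findall(XCCDF + "check-content-ref")), None)
        rules.append({"id": rule.get("id"), "cce": cce, "oval_def": oval_def,
                      "weight": float(rule.get("weight", "1.0")),
                      "selected": rule.get("selected", "true") == "true"})
    return platforms, rules


def parse_oval_results(xml_text: str) -> Dict[str, str]:
    """Map OVAL definition id -> result ('true', 'false', 'error', ...)."""
    root = ET.fromstring(xml_text)
    return {d.get("definition_id"): d.get("result") for d in root.iter(OVAL_RES + "definition")}


def evaluate(benchmark_xml: str, oval_results_xml: str) -> List[dict]:
    """Attach an XCCDF result to every rule; unselected rules are never checked."""
    _, rules = parse_benchmark(benchmark_xml)
    oval = parse_oval_results(oval_results_xml)
    for r in rules:
        if not r["selected"]:
            r["result"] = "notselected"
        else:  # a definition absent from the results file was simply not evaluated
            r["result"] = OVAL_TO_XCCDF.get(oval.get(r["oval_def"], "not evaluated"), "unknown")
    return rules


def default_score(rules: List[dict]) -> float:
    """XCCDF default scoring model on a flat benchmark: pass scores 100, fail/error/unknown
    score 0, weighted by rule weight; notselected/notapplicable/notchecked/informational
    rules do not count."""
    counted = [r for r in rules if r["result"] not in
               {"notselected", "notapplicable", "notchecked", "informational"}]
    total = sum(r["weight"] for r in counted)
    return sum(100.0 * r["weight"] for r in counted if r["result"] == "pass") / total if total else 0.0


def failed_cces(rules: List[dict]) -> Dict[str, str]:
    """CCE ident -> rule id for each failed rule: the hand-off to remediation tooling."""
    return {r["cce"]: r["id"] for r in rules if r["result"] == "fail" and r["cce"]}
```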

Slide 43: 5. Inventory/asset management support
Vendor Actions:
- Publish an OVAL Definition for detecting the presence of the product
- Reference the CPE Name for the product in the OVAL Definition
Validator Role:
- Verify that an OVAL Inventory Definition has been published
Benefit:
- Enable standardized automatic software inventories using CPE and OVAL.
- End users can use the SCAP-validated tool of their choice to determine if the product is present on their system.

Slide 44: 6. Vulnerability identification, disclosure and response practices
Vendor Actions:
- Include a CVE ID in all vulnerability alerts
- Include CPE Names for all affected products in all vulnerability alerts
- Provide a CVSS base score for all vulnerabilities
- Publish an OVAL Definition for detecting the presence of the vulnerability
Validator Role:
- Verify documented use of SCAP in flaw remediation practices
Benefit:
- Enable standardized automatic software vulnerability checking using CPE, OVAL and CVE.
- Faster responses to security advisories by end users.
- Vulnerabilities are identified, prioritized, and described in a standardized way.
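Added example, not from the deck, serving areas 5 and 6: it shows what an end user gains when an advisory carries the CVE id, affected CPE Names and CVSS base score the vendor is asked to publish, namely triage of the advisory against a CPE-keyed asset inventory in a few lines. The CVSS v2 base equation and the CPE 2.2 wildcard-matching rule are the standard ones; the advisory, its CVE id, the OVAL definition id and the inventory are constructed placeholders.

```python
"""Triage a vendor advisory (CVE + CPE + CVSS v2) against a CPE-keyed asset
inventory. Advisory and inventory below are constructed placeholders."""
import math
from typing import Dict, List, Tuple

# CVSS v2 base metric weights from the CVSS v2 specification.
CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

# Constructed advisory in the shape area 6 asks vendors to publish. The CVE id
# and OVAL definition id are placeholders, not real identifiers.
ADVISORY = {
    "cve": "CVE-0000-00000",
    "cvss2_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "affected_cpes": ["cpe:/a:example:webapp:2.1", "cpe:/a:example:webapp:2.2"],
    "oval_definition": "oval:com.example:def:101",
}

# Constructed inventory: host -> CPE Names reported by an OVAL inventory scan.
INVENTORY = {
    "host-a": ["cpe:/o:example:secureos:1.0", "cpe:/a:example:webapp:2.1:sp1"],
    "host-b": ["cpe:/o:example:secureos:1.0", "cpe:/a:example:webapp:3.0"],
    "host-c": ["cpe:/a:example:webapp:2.2"],
}


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = {}
    for item in vector.split("/"):
        metric, value = item.split(":")
        m[metric] = CVSS2_WEIGHTS[metric][value]
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return math.floor(base * 10 + 0.5) / 10  # round half up to one decimal


def parse_cpe22(name: str) -> List[str]:
    """Split a CPE 2.2 URI into its seven components, padding omitted trailing ones."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name}")
    parts = name[len("cpe:/"):].split(":")
    if len(parts) > 7:
        raise ValueError(f"too many components: {name}")
    return parts + [""] * (7 - len(parts))


def cpe_matches(pattern: str, candidate: str) -> bool:
    """CPE 2.2 matching: an empty (or omitted) pattern component matches any value,
    so 'cpe:/a:example:webapp:2.1' covers every update/edition of version 2.1."""
    return all(p == "" or p.lower() == c.lower()
               for p, c in zip(parse_cpe22(pattern), parse_cpe22(candidate)))


def triage_advisory(advisory: dict, inventory: Dict[str, List[str]]) -> List[Tuple[str, str, float]]:
    """Return (host, matching installed CPE, CVSS base score) for every affected asset."""
    score = cvss2_base_score(advisory["cvss2_vector"])
    hits = []
    for host, installed_cpes in inventory.items():
        for installed in installed_cpes:
            if any(cpe_matches(affected, installed) for affected in advisory["affected_cpes"]):
                hits.append((host, installed, score))
    return sorted(hits)
```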

Slide 45: 7. Patch checking
Enable standardized automatic software patch checking using CPE, OVAL and CVE.
Vendor Actions:
- Publish standardized patch checks as OVAL definitions
- Include the list of affected products by CPE Name in patch bulletins
- List all vulnerabilities addressed by their CVE ID
Validator Role:
- Verify that the documented vendor patch processes include OVAL, CPE, and CVE.
Benefit:
- End users can use the SCAP-validated tool of their choice to determine if a patch is installed on their system, to help keep their system up to date


Automating Compliance with Security Content Automation Protocol Automating Compliance with Security Content Automation Protocol presented by: National Institute of Standards and Technology Agenda Information Security Current State Security Content Automation Protocol

More information

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

Orchestrated Security Network. Automated, Event Driven Network Security. Ralph Wanders Consulting Systems Engineer

Orchestrated Security Network. Automated, Event Driven Network Security. Ralph Wanders Consulting Systems Engineer Orchestrated Security Network Automated, Event Driven Network Security Ralph Wanders Consulting Systems Engineer Orchestrated Security Network! " TCG/ TNC Architecture! " IF-MAP! " Use cases of IF-MAP!

More information

Management (CSM) Capability

Management (CSM) Capability CDM Configuration Settings Management (CSM) Capability Department of Homeland Security National Cyber Security Division Federal Network Security Network & Infrastructure Security Table of Contents 1 PURPOSE

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Symantec Control Compliance Suite Standards Manager

Symantec Control Compliance Suite Standards Manager Symantec Control Compliance Suite Standards Manager Automate Security Configuration Assessments. Discover Rogue Networks & Assets. Harden the Data Center. Data Sheet: Security Management Control Compliance

More information

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE

More information

AUTOMATING THE 20 CRITICAL SECURITY CONTROLS

AUTOMATING THE 20 CRITICAL SECURITY CONTROLS AUTOMATING THE 20 CRITICAL SECURITY CONTROLS Wolfgang Kandek, CTO Qualys Session ID: Session Classification: SPO-T07 Intermediate 2012 the Year of Data Breaches 2013 continued in a similar Way Background

More information

White Paper: Consensus Audit Guidelines and Symantec RAS

White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with the Symantec Risk Automation Suite (RAS) White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with

More information

STIGs,, SCAP and Data Metrics

STIGs,, SCAP and Data Metrics Defense Information Systems Agency A Combat Support Agency STIGs,, SCAP and Data Metrics Roger S. Greenwell, CISSP, CISA, CISM Technical Director / Capabilities Implementation Division DISA Field Security

More information

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Vasileios A. Baousis (Ph.D) Network Applications Team Slide 1 Agenda Introduction Background - SCAP - Puppet &Mcollective

More information

CDM Hardware Asset Management (HWAM) Capability

CDM Hardware Asset Management (HWAM) Capability CDM Hardware Asset Management (HWAM) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Table of Contents 1 PURPOSE AND SCOPE... 2 2 THREAT

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

CONTINUOUS MONITORING

CONTINUOUS MONITORING CONTINUOUS MONITORING Monitoring Strategy Part 2 of 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring (CM) and how

More information

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015 For the Financial Industry in Singapore 31 July 2015 TABLE OF CONTENT 1. EXECUTIVE SUMMARY 3 2. INTRODUCTION 4 2.1 Audience 4 2.2 Purpose and Scope 4 2.3 Definitions 4 3. REQUIREMENTS 6 3.1 Overview 6

More information

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013 SOFTWARE ASSET MANAGEMENT Continuous Monitoring September 16, 2013 Tim McBride National Cybersecurity Center of Excellence timothy.mcbride@nist.gov David Waltermire Information Technology Laboratory david.waltermire@nist.gov

More information

An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance

An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance Presented by: John Banghart, Booz Allen Hamilton SCAP Validation Project Lead Thoughts on Current State

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance Draft 1.0: February 23, 2009

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance Draft 1.0: February 23, 2009 Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance Draft 1.0: February 23, 2009 NOTICE to readers of this draft document: Criticisms and suggestions

More information

Automating Attack Analysis Using Audit Data. Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009

Automating Attack Analysis Using Audit Data. Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009 Automating Attack Analysis Using Audit Data Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009 2 Introduction Audit logs are cumbersome and traditionally used after the fact for forensics analysis.

More information

Question(s): 4/17 Geneva, 16-25 September 2009 TEMPORARY DOCUMENT

Question(s): 4/17 Geneva, 16-25 September 2009 TEMPORARY DOCUMENT INTERNATIONAL TELECOMMUNICATION UNION STUDY GROUP 17 TELECOMMUNICATION STANDARDIZATION SECTOR STUDY PERIOD 2009-2012 English only Original: English Question(s): 4/17 Geneva, 16-25 September 2009 Source:

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

Massively Scaled Security Solutions for Massively Scaled IT

Massively Scaled Security Solutions for Massively Scaled IT Massively Scaled Security Solutions for Massively Scaled IT Michael Smith, SecTor 2009 Who is Michael Smith? 8 years active duty army Graduate of Russian basic course, Defense Language Institute, Monterey,

More information

Guide to Enterprise Patch Management Technologies

Guide to Enterprise Patch Management Technologies NIST Special Publication 800-40 Revision 3 Guide to Enterprise Patch Management Technologies Murugiah Souppaya Karen Scarfone C O M P U T E R S E C U R I T Y NIST Special Publication 800-40 Revision 3

More information

Secunia Vulnerability Intelligence Manager (VIM) 4.0

Secunia Vulnerability Intelligence Manager (VIM) 4.0 Secunia Vulnerability Intelligence Manager (VIM) 4.0 In depth Real-time vulnerability intelligence brought to you on time, every time, by Secunia s renowned research team Introduction Secunia is the world-leading

More information

How To Get The Nist Report And Other Products For Free

How To Get The Nist Report And Other Products For Free National Institute of Standards and Technology (NIST) The Information Technology Lab Computer Security Division (893) Now What? What does NIST have for you to use and how do you get it? How do you contact

More information

Top 20 critical security controls

Top 20 critical security controls Top 20 critical security controls What it is These Top 20 Controls were agreed upon by a powerful consortium under the auspices of the Center for Strategic and International Studies. Members of the Consortium

More information

Information Technology Risk Management

Information Technology Risk Management Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

The Emergence of Security Business Intelligence: Risk

The Emergence of Security Business Intelligence: Risk The Emergence of Security Business Intelligence: Risk Management through Deep Analytics & Automation Mike Curtis Vice President of Technology Strategy December, 2011 Introduction As an industry we are

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Network Access Control (NAC) and Network Security Standards

Network Access Control (NAC) and Network Security Standards Network Control (NAC) and Network Security Standards Copyright 2011 Trusted Computing Group Other names and brands are properties of their respective owners. Slide #1 Agenda Goals of NAC Standards What

More information

Towards security management in the cloud utilizing SECaaS

Towards security management in the cloud utilizing SECaaS Towards security management in the cloud utilizing SECaaS JAN MÉSZÁROS University of Economics, Prague Department of Information Technologies W. Churchill Sq. 4, 130 67 Prague 3 CZECH REPUBLIC jan.meszaros@vse.cz

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Risk Assessment January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information

More information

CDM Software Asset Management (SWAM) Capability

CDM Software Asset Management (SWAM) Capability CDM Software Asset Management (SWAM) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Table of Contents 1 PURPOSE AND SCOPE... 2 2 THREAT

More information

Building a More Secure and Prosperous Texas through Expanded Cybersecurity

Building a More Secure and Prosperous Texas through Expanded Cybersecurity Building a More Secure and Prosperous Texas through Expanded Cybersecurity Bob Butler Chairman, Texas Cybersecurity, Education and Economic Development Council April 2013 About the Texas Cybersecurity

More information

QRadar SIEM 6.3 Datasheet

QRadar SIEM 6.3 Datasheet QRadar SIEM 6.3 Datasheet Overview Q1 Labs flagship solution QRadar SIEM is unrivaled in its ability to provide an organization centralized IT security command and control. The unique capabilities of QRadar

More information

White Paper. Understanding NIST 800 37 FISMA Requirements

White Paper. Understanding NIST 800 37 FISMA Requirements White Paper Understanding NIST 800 37 FISMA Requirements Contents Overview... 3 I. The Role of NIST in FISMA Compliance... 3 II. NIST Risk Management Framework for FISMA... 4 III. Application Security

More information

CYBEX The Cybersecurity Information Exchange Framework (X.1500)

CYBEX The Cybersecurity Information Exchange Framework (X.1500) CYBEX The Framework (X.1500) Anthony Rutkowski Yaana Technologies, USA tony@yaanatech.com Damir Rajnovic FIRST, USA gaus@cisco.com Youki Kadobayashi NAIST, Japan youki-k@is.naist.jp Robert Martin MITRE,

More information

Federal IPv6 Working Group Innovative IPv6 Implementation with Least Cost Funding

Federal IPv6 Working Group Innovative IPv6 Implementation with Least Cost Funding Federal IPv6 Working Group Innovative IPv6 Implementation with Least Cost Funding John L Lee, CTO Co-Chair, IPv6 Address Planning Team, ACT-IAC, Federal IPv6 Task Force Internet Associates, LLC A Certified

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

The Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole

The Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole The Future Is SECURITY THAT MAKES A DIFFERENCE Overview of the 20 Critical Controls Dr. Eric Cole Introduction Security is an evolution! Understanding the benefit and know how to implement the 20 critical

More information

Trusted Network Connect (TNC)

Trusted Network Connect (TNC) Trusted Network Connect (TNC) Open Standards for Integrity-based Network Access Control and Coordinated Network Security April 2011 Trusted Computing Group 3855 SW 153rd Drive, Beaverton, OR 97006 Tel

More information

Independent Security Operations Oversight and Assessment. Captain Timothy Holland PM NGEN

Independent Security Operations Oversight and Assessment. Captain Timothy Holland PM NGEN Independent Security Operations Oversight and Assessment Captain Timothy Holland PM NGEN 23 June 2010 Independent Security Operations Oversight and Assessment Will Jordan NGEN Cyber Security 23 June 2010

More information

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002 ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Security Automation Workshop 2014 Minutes

Security Automation Workshop 2014 Minutes Security Automation Workshop 2014 Minutes Disclaimers: The intent of this workshop was to gather together individuals from industry, standards bodies, and government to engage in an open and honest dialogue

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Reference Ontology for Cybersecurity Operational Information

Reference Ontology for Cybersecurity Operational Information The Computer Journal Advance Access published October c The British 8, 2014 Computer Society 2014. This is an Open Access article distributed under the terms of the Creative Commons Attribution License

More information

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK BACKGROUND The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines a comprehensive set of controls that is the basis

More information

How To Buy Nitro Security

How To Buy Nitro Security McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

D. Best Practices D.2. Administration The 6 th A

D. Best Practices D.2. Administration The 6 th A Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.2. Administration The 6 th A 1 of 26 The previous section described how to improve IT security through use of better development

More information

NetIQ FISMA Compliance & Risk Management Solutions

NetIQ FISMA Compliance & Risk Management Solutions N E T I Q C O M P L I A N C E S E R I E S NetIQ FISMA Compliance & Risk Management Solutions The Federal Information Security Management Act (FISMA) requires federal agencies to create and implement a

More information

DoD Secure Configuration Management (SCM) Operational Use Cases

DoD Secure Configuration Management (SCM) Operational Use Cases Defense Information Systems Agency A Combat Support Agency DoD Secure Configuration Management (SCM) Operational Use Cases DISA PEO-MA Computer Network Defense Enclave Security 26 September 2010 This brief

More information

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,

More information

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance

More information

Pragmatic Metrics for Building Security Dashboards

Pragmatic Metrics for Building Security Dashboards SESSION ID: GRC-W03 Pragmatic Metrics for Building Security Dashboards James Tarala Principal Consultant Enclave Security @isaudit Problem Statement What s measured improves. Peter Drucker In an era of

More information

PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES

PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES CONFIDENCE: SECURED WHITE PAPER PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE BENCHMARKS, STANDARDS, FRAMEWORKS

More information

The Ontological Approach for SIEM Data Repository

The Ontological Approach for SIEM Data Repository The Ontological Approach for SIEM Data Repository Igor Kotenko, Olga Polubelova, and Igor Saenko Laboratory of Computer Science Problems, Saint-Petersburg Institute for Information and Automation of Russian

More information

Secunia Vulnerability Intelligence Manager

Secunia Vulnerability Intelligence Manager TECHNOLOGY AUDIT Secunia Vulnerability Intelligence Manager Secunia Reference Code: OI00070-076 Publication Date: July 2011 Author: Andy Kellett SUMMARY Catalyst Secunia Vulnerability Intelligence Manager

More information

Understanding How They Attack Your Weaknesses: CAPEC Sean Barnum MITRE

Understanding How They Attack Your Weaknesses: CAPEC Sean Barnum MITRE Understanding How They Attack Your Weaknesses: CAPEC Sean Barnum MITRE HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS). The Long-established Principal of Know Your Enemy One who

More information

AHS Flaw Remediation Standard

AHS Flaw Remediation Standard AGENCY OF HUMAN SERVICES AHS Flaw Remediation Standard Jack Green 10/14/2013 The purpose of this procedure is to facilitate the implementation of the Vermont Health Connect s security control requirements

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Transformational Vulnerability Management Through Standards. Robert A. Martin MITRE Corporation

Transformational Vulnerability Management Through Standards. Robert A. Martin MITRE Corporation Transformational Vulnerability Management Through Standards Robert A. Martin MITRE Corporation The Department of Defense s new enterprise licenses for vulnerability assessment and remediation tools [1,2]

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information