WHITE PAPER Continuous Diagnostics & Mitigation: CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
Table of Contents
What is CDM: Requirements, Mandates & Policy that drive adoption of Continuous Monitoring .... 3
Key components of CDM initiatives and respective challenges .... 4
Mapping CDM to present security processes, controls and technologies leveraging the RedSeal Solution .... 9
Why CDM Should Begin with RedSeal .... 10
Device Security: Baseline Security for Individual Devices .... 12
Network Security: Security for the End-to-End Network .... 12
Endpoint Security: Big Picture Risk .... 12
Visualization & Analytics .... 13
The Bigger Picture .... 13
About RedSeal Networks, Inc. .... 14
What is CDM: Requirements, Mandates & Policy that drive adoption of Continuous Monitoring

In today's budget- and resource-constrained government environment, where mission-critical functions depend on information technology, the ability to manage that technology to assure the confidentiality, integrity, and availability of information is itself mission-critical. When designing enterprise and security architecture, agencies work to securely meet the IT infrastructure needs of their governance structure, missions, and core business processes. Information security is a dynamic process that must be proactively managed to identify and respond to new vulnerabilities, evolving threats, and a constantly changing operational environment. The Risk Management Framework (RMF) developed by NIST describes a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Continuous network diagnostics is a critical part of that risk management process. In addition, an organization's overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk despite any changes that occur. Timely, relevant, and accurate information is vital, particularly when resources are limited and agencies must prioritize their efforts. Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Without a doubt, the practice of continuous monitoring has the potential to dramatically improve the security of federal systems, but only if federal IT managers commit themselves to it in a big way.
Figure 1: Continuous Diagnostics Life-cycle (stages shown: Install Tools/Sensors; Automated Vulnerability Search; Systems Scanned Every 72 Hours; Collect Results From the Agency & Departments; Analyze & Triage; Prioritize; Fix High Priority Vulnerabilities First; Progress Report via Dashboard)
The White House has demanded continuous monitoring since 2010, but many agencies did not have the resources or know-how to initiate such a program. As part of the FY13 Homeland Security Appropriations Bill, funding for cyber security had been requested and $202 MM had been allocated for DHS to assist other Federal agencies in enhancing their cybersecurity efforts. Under the new five-year project, DHS, which is responsible for protecting civilian networks, will shoulder the financial burden to finish activating continuous diagnostics government-wide. The Homeland Security Department is footing a potentially $6 billion bill to provide civilian agencies with the technology and expertise needed for near-real-time threat detection and cyber risk management. This new initiative (part of CDM), called continuous monitoring as a service, or CMaaS, will bundle sensors, risk-status displays and professional consulting services for agencies.

Key components of CDM initiatives and respective challenges

The principle of continuous diagnostics is simple enough. By assessing the state of essential information security controls across the enterprise on an ongoing basis, agencies can ensure that their cyber defenses are in place and up to date, and proactively manage risk. Automated tools can go a long way toward simplifying the collection and analysis of security data by providing security officials with near-real-time information on their security posture. Continuous diagnostics of computing and network assets requires up-to-date knowledge of the security posture of every workstation, server, and network device, including operating system and application versions and patches, vulnerabilities, and threat signatures and patterns. Information security managers will use the summary and detailed information to manage and report the security posture of their respective agencies.
While each agency is required to implement continuous diagnostics, they are not required to implement a one-size-fits-all solution. Each agency can implement the continuous diagnostics solution that best fits its own requirements and environment, as long as that solution provides the required monthly data to the DHS repository known as CyberScope. Defense and intelligence agencies will have to provide their required security data to the Defense Department and intelligence community versions of CyberScope.
CDM is composed of four pillars:

1. Real-time intelligence, context, and optimal risk posture

The goal is a Network Infrastructure Security Management system that continuously visualizes critical attack risk and non-compliance in complex enterprise security infrastructure. Fundamentally this is achieved by adding real-time asset discovery and vulnerability management, intelligence-driven response, and continuous feedback to meet changing federal requirements. Open interfaces and standard protocols help agencies integrate new and legacy systems at minimal cost. The system collects data from ongoing processes, correlates it against multiple contextual factors, takes action automatically where appropriate, and presents the remaining issues in priority order. The most important and most at-risk assets receive the most immediate and significant attention; prioritization is key.

2. Automated & scalable

Automated continuous diagnostics solutions enable agencies and enterprises to monitor IT controls effectively and in near real time. Manual processes, which depend on human effort at every step, will not deliver the depth of visibility and control IT departments need to support effective operations. Automated continuous diagnostics is a better approach that more efficiently and effectively:
a. Discovers risky assets in the IT infrastructure.
b. Validates actual changes to the IT infrastructure against planned change requests.
c. Identifies changes that occur without an approval.
d. Enforces policies that limit unauthorized access in the IT infrastructure.
e. Provides reports on IT infrastructure policies to highlight best practices and control violations.
Automation through technology is essential to achieve continuous diagnostics. Today's version of continuous diagnostics requires significant changes, primarily a reliance on automation and the integration of controls.
By adding the element of automation, periodic scanning, whether for patch-related vulnerabilities, configuration errors, logging failures, or IT access policy violations, becomes continuous, with the ability to show trends and improvements over time.
3. Move from static periodic accreditation to ongoing authorization

Transform the historically static and paper-based security control assessment and authorization process into an integral part of a dynamic enterprise-wide risk management process. This change delivers near-real-time awareness and assessment of information security risk and rapid response to support organizational risk management decisions. Most agencies have baseline capabilities in core processes such as antivirus updates and operating system and application patching assessment, along with SCAP-enabled products to evaluate FDCC/USGCB compliance. CDM, together with DHS's Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) Reference Architecture and its Framework Extension (FE), expands the focus of security efforts from point compliance to an ecosystem of dynamic resilience: detect, report, and take action in real time.

4. FISMA compliance via mission assurance

A strategic, well thought out continuous diagnostics program conserves government resources, delivers cyber situational awareness and reduces the chance of network disruption. Agencies collectively spend billions of dollars to manually monitor and report on information security programs. In the face of budget constraints and an ever-increasing threat, agencies need to turn to continuous diagnostics solutions to comply with FISMA. A comprehensive approach via CDM is needed to enable agencies to monitor their entire IT environment continuously, remediate the items that are out of compliance or vulnerable, and report in compliance with federal data call requirements. CDM is not a FISMA replacement. Continuous diagnostics will be the single most important support for C&A (certification and accreditation) by providing deeper information that can be baselined, analyzed and measured over time. That trending information will then become more important for compliance and for overall improvements in operations, security and risk posture.
Direct correlation of infrastructure performance translates to better FISMA scores. The goal is to provide network, security, and risk management teams with a firm understanding of where security is working, where investment is needed, and where the greatest cyber-attack risks lie. This understanding, or security intelligence, enables organizations to allocate resources where needed most, embed best practice into daily operations, and take prioritized action when needed.
Figure 2: RedSeal Leads the Continuous Diagnostics Life-cycle (the figure overlays the RedSeal Security Suite & Visual Analytics on the four pillars, Real Time Intelligence & Context, Automated & Scalable, Static to Ongoing Authorization, and Compliance via Mission Assurance, and on the life-cycle stages of Figure 1: Install Tools/Sensors, Automated Vulnerability Search, Systems Scanned Every 72 Hours, Collect Results From the Agency & Departments, Analyze & Triage, Prioritize, Fix High Priority Vulnerabilities First, Progress Report via Dashboard)

Based on yearly and quarterly FISMA scorecards and reports, agencies are struggling to comply within most of the critical control areas. So what are the impediments to an agency's success in implementing CDM? Changes to IT infrastructure driven by dynamic networks, and the exponential growth in the number and types of attacks, are out-pacing the ability to track changes across a heterogeneous IT infrastructure with manual processes and current paper-based systems. The idea behind continuous diagnostics is to know, in real time or near real time, the health of the organization's network. This empowers the Department of Homeland Security and agencies to address threats or potential threats sooner.
However, agencies have been hard pressed to identify solutions that meet the visibility, ease-of-use, real-time tracking, and reporting requirements. Instead, agencies have turned to teams of consultants to monitor and report on a plethora of heterogeneous systems a few times a year. To comply with FISMA in the face of resource constraints, federal agencies need continuous diagnostics solutions specifically designed to overcome current diagnostics challenges by enabling:
- The ability to establish a baseline inventory of networks and their associated IT assets
- Visibility across disparate systems (desktops, servers, network devices) through a single console
- Streamlined adoption with a solution that implements easily, requires minimal training, and generates tangible results immediately
- Automation of repeatable processes, which optimizes the use of IT and staff
- Vulnerability management reports in prioritized order for resolution
- SCAP interoperability for reporting (CyberScope)
In addition to the above, governance plays a role in every step of a successful CDM program for any agency.
Mapping CDM to present security processes, controls and technologies leveraging the RedSeal Solution

The initial phase of CDM focuses on four functional capabilities: management of hardware assets, management of software assets, configuration management, and vulnerability management, which are the baseline capabilities needed to protect data. An end-to-end logical model of the network with automated analytics is required to provide network, security, and risk management teams with an overview of the security posture, the gaps identified within the network, and the most serious gaps prioritized to be fixed first. With a firm understanding of where security is working, where investment is needed, and where their greatest attack risks lie, organizations can allocate resources where they are needed most, embed best practice into daily operations, and take prioritized action when needed. It suffices to say that the goal was never to mitigate every conceivable cyber risk, but rather to solidify protections against foreseeable threats while giving security experts the time and the timely intelligence needed to focus their energies on the unforeseeable. This approach, while not the ultimate objective, is one that is gaining increasing acceptance in the federal community. The remainder of this white paper outlines the thinking behind the critical controls and how RedSeal Networks is best suited to help organizations implement them. RedSeal is a Network Infrastructure Security Management system that continuously visualizes critical attack risk and non-compliance in complex enterprise security infrastructure.
Many of the most respected organizations in the world use RedSeal to build world-class operations that systematically reduce attack risk over time.
Why CDM Should Begin with RedSeal

Ever since OMB updated its FISMA guidance with continuous diagnostics requirements, federal government agencies have leaned heavily on the SANS methodology, which maps closely to the continuous monitoring controls in NIST Special Publication 800-53. Some federal organizations have chosen to follow the NIST 800-53 framework directly. In either case most of the controls, though not all, fall generally into the categories outlined by the SANS 20. There is broad acceptance of the SANS 20 as a focal point for federal organizations limited in resources, time, and money. The RedSeal solution supports more than half of the prioritized SANS 20 Critical Controls and is looked upon as a critical component for the success of current and future CDM phases. RedSeal provides the intelligence necessary to proactively improve defenses, maintain continuous compliance and mitigate real-world risks by identifying all the available pathways of access and the exposed vulnerabilities present across a network. The platform is focused on delivering continuous diagnostics, compliance automation, and risk measurement and control. It is security-driven rather than assessment-driven: as a continuous diagnostics offering focused on correlating IT, network and vulnerability data feeds, RedSeal identifies risk associated with security effectiveness, as opposed to more policy- and compliance-driven tools.

Figure 3: RedSeal mapping to SANS controls focused on CDM (the figure shows the RedSeal 6 Platform with Continuous Monitoring & Compliance Automation across the areas Access Management, Correlation, Configuration Assessment and Vulnerability Exposure, grouped under Protect, Visualize and Comply)
RedSeal supports the major vendor products (vulnerability scanners, SIEMs, GRC tools, etc.), allowing one to quickly and easily import network, security and vulnerability information into the tool. Once a user connects a device, RedSeal automatically builds out network maps, begins correlating this information with the configuration and vulnerability data, and builds it into a threat reference library. RedSeal is positioned to find and help eliminate gaps in one's security controls and, more importantly, to prioritize and measure the impact of those gaps so that users can balance security investments against the highest return on those investments. RedSeal also takes into account the underlying business value of enterprise and individual systems and assets, based on their importance to operations or their retention of sensitive data, allowing users to prioritize mitigation even more effectively. The network mapping function gives a visual representation of assets and of the interconnections that may exist based on the network and the various controls in the environment. The ability to conduct a reachability study for a given threat, and to determine where and how far that threat could propagate in an enterprise, is a valuable analysis tool: it provides an opportunity to mitigate a threat or vulnerability before the actual compromise or exploit. The correlation capability of the RedSeal product takes much of the noise out of the traditional vulnerability scan process by providing a real risk priority based on the entire environment. RedSeal is a necessary precursor to any agency or enterprise embarking on a Continuous Diagnostics program, as it gives a quick ROI and a network health check in terms of what to invest in, when to invest and where to invest. Given sequestration and budget constraints, leveraging RedSeal as an initial step in analyzing cyber posture will go a long way toward prioritizing investments and improving cyber security posture.
Specifically, the RedSeal solution can be divided into four focus areas: Device Security, Network Security, Endpoint Security, and Visualization & Analytics.

Figure 4: RedSeal Solution (four focus areas: Device Security, Network Security, Endpoint Security, Visualization & Analytics)
Device Security: Baseline Security for Individual Devices

RedSeal automatically analyzes individual device configurations for compliance with best practices. The system includes over 100 out-of-the-box configuration checks for firewalls, routers, load balancers, and wireless controllers. Examples of configuration checks include default password enabled, password not encrypted, IP redirects allowed, incorrect inverted netmask, missing NTP configuration, etc. Custom checks are also easily defined. Secure Device Configuration analysis reduces attack risk and automates audits for many of the largest networks in the world.

Network Security: Security for the End-to-End Network

Faced with an ever-expanding IP space, the exponential increase in the number of connected devices, distributed management environments and a changing threat landscape, securing a large-scale network requires an agile approach to network security. Continuous diagnostics of security controls and comprehensive cyber situational awareness are the building blocks of proactive network security. RedSeal uniquely supports continuous diagnostics and network security management initiatives, enriching cyber situational awareness with active network discovery to produce a common operational picture of the network infrastructure, including network devices, security zones and access policies, user-role-based wireless network security policies, perimeter defense, network topology and network segmentation.

Endpoint Security: Big Picture Risk

RedSeal determines the exposure of endpoints by analyzing the configurations of all network devices to work out, automatically, how they act together. First, it creates an accurate map of the network so you know how everything is connected. Then RedSeal identifies all potential access between every two points in the infrastructure. Click anywhere on the map and you'll instantly see what access is permitted to and from that point to every other point in your network.
RedSeal automatically identifies the group of devices that collectively enable access between any two points in your network, and even pinpoints the exact rules within individual devices that enable that access. With RedSeal, you can quickly isolate the root cause of risky or non-compliant access on your network. In the case of a change request, RedSeal identifies which devices (if any) are currently blocking the desired access and pinpoints the specific rules and ACLs that require change. The same data can provide the current and historical information required for incident response and forensic damage assessment. With this intelligence on how network devices interact with each other for different types of traffic, RedSeal can quickly analyze the exposure of vulnerabilities discovered by the scanners and prioritize them based on the potential feasibility, probability and severity of exploitation, giving users a clear, prioritized list of endpoint vulnerabilities to act upon.
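To make the three analyses described in the Device, Network and Endpoint sections concrete, the following script is an added example written for this page; it is not RedSeal code, and the paper does not describe RedSeal's internals. It parses a small, constructed set of device configurations written in a simplified IOS-like subset, runs a handful of the baseline checks the paper names (the exact semantics of each check are assumed), computes which devices and inbound ACL rules collectively permit a flow between two points, and ranks constructed scanner findings by whether an assumed internet-side address (203.0.113.50) can actually reach the vulnerable service. The device names, addresses, findings, CVSS values and the 0.2 residual weight are all assumptions; only inbound ACLs are modelled, and routing, NAT and stateful inspection are ignored.

```python
from collections import deque
from ipaddress import ip_address, ip_network
DEVICE_CONFIGS = {  # constructed, simplified IOS-like configs; not output of any real device
    "edge-fw": """enable password cisco
ip access-list extended OUTSIDE-IN
 permit tcp any 10.1.1.0 0.0.0.255 eq 443
interface Gi0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
interface Gi0/1
 ip address 10.1.1.1 255.255.255.0
 no ip redirects""",
    "core-rtr": """enable secret 5 $1$constructed$hash
ntp server 10.1.1.5
interface Gi0/0
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
interface Gi0/1
 ip address 10.2.5.1 255.255.255.0
 no ip redirects""",
}
SCAN_FINDINGS = [  # constructed scanner output: (host, proto, port, CVSS base, description)
    ("10.1.1.10", "tcp", 443, 9.8, "outdated TLS stack on web server"),
    ("10.2.5.20", "tcp", 22, 7.5, "unpatched ssh daemon"),
    ("10.1.1.20", "tcp", 3306, 8.0, "database listening without authentication"),
]

def parse_ace(t):
    """'permit|deny <proto> <src> <dst> [eq <port>]'; src/dst are 'any' or 'addr wildcard'."""
    def take(tok):  # a wildcard is a hostmask, which ip_network accepts as 'addr/hostmask'
        return (ip_network("0.0.0.0/0"), tok[1:]) if tok[0] == "any" else (ip_network(f"{tok[0]}/{tok[1]}"), tok[2:])
    src, rest = take(t[2:])
    dst, rest = take(rest)
    return (t[0], t[1], src, dst, int(rest[1]) if rest[:1] == ["eq"] else None)

def parse_config(name, text):
    dev = {"name": name, "acls": {}, "interfaces": [], "ntp": False, "plain_pw": []}
    acl = iface = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        t = line.split()
        if line.startswith("enable password"):  # 'enable secret' stores a hash; 'enable password' does not
            dev["plain_pw"].append(t[2])
        elif line.startswith("ntp server"):
            dev["ntp"] = True
        elif line.startswith("ip access-list"):
            acl, iface = dev["acls"].setdefault(t[3], []), None
        elif t[0] in ("permit", "deny") and acl is not None:
            acl.append(parse_ace(t))
        elif t[0] == "interface":
            iface, acl = {"name": t[1], "net": None, "acl_in": None, "redirects": True}, None
            dev["interfaces"].append(iface)
        elif iface and line.startswith("ip address"):
            iface["net"] = ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif iface and line.startswith("ip access-group"):
            iface["acl_in"] = t[2]  # only inbound ('in') ACLs are modelled
        elif iface and line == "no ip redirects":
            iface["redirects"] = False
    return dev

def baseline_checks(dev):  # a few of the per-device checks the paper names; semantics assumed
    f = []
    for pw in dev["plain_pw"]:
        f.append("password not encrypted")
        if pw.lower() in {"cisco", "admin", "password"}:
            f.append("default password enabled")
    if not dev["ntp"]:
        f.append("missing NTP configuration")
    return f + [f"IP redirects allowed on {i['name']}" for i in dev["interfaces"] if i["redirects"]]

def acl_permits(aces, proto, src, dst, port):
    for action, p, s, d, pt in aces:  # first match wins; unmatched traffic hits the implicit deny
        if p in ("ip", proto) and src in s and dst in d and pt in (None, port):
            return action == "permit"
    return False

def reachable(devices, proto, src_ip, dst_ip, port):
    """BFS over subnets: (device, ingress interface) hops that pass the flow, [] if same subnet, None if blocked."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    start = next((i["net"] for d in devices for i in d["interfaces"] if i["net"] is not None and src in i["net"]), None)
    queue, seen = deque([(start, [])] if start is not None else []), {start}
    while queue:
        net, path = queue.popleft()
        if dst in net:
            return path
        for d in devices:
            for i in (i for i in d["interfaces"] if i["net"] == net):
                acl = d["acls"].get(i["acl_in"])
                if acl is not None and not acl_permits(acl, proto, src, dst, port):
                    continue  # the inbound ACL on the ingress interface drops this flow
                for j in d["interfaces"]:
                    if j["net"] is not None and j["net"] not in seen:
                        seen.add(j["net"])
                        queue.append((j["net"], path + [(d["name"], i["name"])]))
    return None

def prioritize(devices, findings, source="203.0.113.50"):  # source: assumed internet-side address
    """Score = CVSS if the untrusted source can reach host:port, else CVSS * 0.2 (assumed residual weight)."""
    rows = []
    for host, proto, port, cvss, desc in findings:
        path = reachable(devices, proto, source, host, port)
        rows.append((cvss if path is not None else round(cvss * 0.2, 1), host, port, desc, path))
    return sorted(rows, key=lambda r: r[0], reverse=True)
```

Against the constructed data, `baseline_checks` flags the edge firewall for a plaintext default enable password, no NTP source and IP redirects left enabled on its outside interface, while the core router is clean. `reachable` returns the hop list that the paper calls "the group of devices that collectively enable access": the web server on 10.1.1.10:443 is reachable from outside through edge-fw's Gi0/0 because OUTSIDE-IN permits it, whereas the database on 10.1.1.20:3306 sits on the same subnet but is not reachable because no ACL entry matches that port. That difference, not the raw CVSS score, is what moves the 8.0 database finding below the 9.8 web finding and leaves the internal SSH finding last in `prioritize`.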
Visualization & Analytics

The RedSeal solution layers an entirely new metrics and performance assessment engine on top of the existing tools for analyzing every potential pathway of access to the network. To visually demonstrate how attackers could compromise the enterprise's networks and where exposures exist, RedSeal metrics include key risk indicators for attack risk (direct and stepping-stone), vulnerability exposure, and policy compliance, presented in a variety of customizable dashboards and ad-hoc reports, all available via a web interface. With much of risk assessment becoming vague and abstract, agencies need meaningful security metrics that clearly demonstrate how well their security infrastructure and staff are performing, to give them a more quantitative way of measuring success. Operators are buried in unquantified data produced by vulnerability scanners, IDS, SIEM, and DLP platforms. Better quantification, contextualization, and visualization of that information, layered on top of metrics, can make practical and dramatic changes to security operations.

The Bigger Picture

Having fully implemented the prioritized essential controls, agencies will be significantly closer to an effective, resilient cyber defense posture. Though it may be tempting to conclude that successful implementation and continuous diagnostics of the 20 controls is the final goal, implementing security controls should not be a compliance exercise. Instead, it should be part of a broader effort to advance an agency's operational mission by reducing overall risk. The security posture of today's network environments must adapt to the concept of post-prevention: sophisticated attacks such as APTs are forcing agencies to view ground zero as "when it happens" rather than "if it happens". An all-encompassing and continuous big picture of the network has become a necessity.
Instead of looking for malicious files, registry entries or configuration changes, continuous diagnostics systems must now look for network behavior patterns. By creating a common platform to quantitatively manage risk, leveraging existing third-party technologies, and turning disparate data streams into actionable intelligence, agencies can achieve not only full implementation of the prioritized Critical Controls, but move more quickly toward long-term risk management maturity. And that's precisely where RedSeal can help.
About RedSeal Networks, Inc.

RedSeal Networks is the leading provider of Network Infrastructure Security Management for cyber attack prevention. Using patented network visualization and predictive threat modeling, RedSeal provides the most complete picture of risk from cyber attacks. The RedSeal Platform delivers the industry's most powerful network security insights, illuminates network security dark space and enables enterprises to continuously monitor controls. The world's largest government and commercial organizations use RedSeal to prioritize vulnerability remediation efforts, dramatically cut compliance costs and optimize their security architectures. For further information regarding RedSeal Networks' award-winning government-specific solutions (e.g., for FISMA Compliance, Continuous Diagnostics), visit: http://www.redsealnetworks.com/solutions/federal/
RedSeal Networks, Inc., 2540 Mission College Blvd, Santa Clara, CA 95054. Tel (408) 641-2200, Toll Free (888) 845-8169, www.redsealnetworks.com. © 2013 RedSeal Networks, Inc. All rights reserved. RedSeal and the RedSeal logo are trademarks of RedSeal Networks, Inc.