Continuous Monitoring


Continuous Monitoring: The Evolution of FISMA Compliance
Tina Kuligowski, Tina.Kuligowski@Securible.com

Overview
Evolution of FISMA Compliance:
- NIST Standards & Guidelines (SP 800-37r1, SP 800-53)
- OMB Memorandums (M-11-33, M-10-28)
- DHS Federal Information Security Memorandums (FISM 11-02)
- The Deltas
CM Tools & Technologies:
- Guidelines: SP 800-137 Information Security Continuous Monitoring
- Automation Domains, Tools and Technologies (SCAP, NVD)
- CAESARS Framework & State's iPost
CM Challenges:
- The Organization of SP 800-53
- The Limitations of CAESARS
- GAO Report: Limitations of iPost and Risk Scoring Program

Evolution of FISMA Compliance: 800-37r1 Deltas
- C&A vs RMF
- Joint Task Force
- Organization-wide RM Strategy
- Risk Executive (function) [Tier 1]; Information Security Architect [Tier 2]; Information System Security Engineer [Tier 3]
- Risk Redefined
- OMB 11-33 FISMA Reporting Instructions
- DHS Cyberscope

Traditional C&A vs Risk Management Framework (two-slide table mapping the traditional C&A phases, tasks and subtasks to the SP 800-37r1 RMF steps and tasks; the entries recoverable from the slides are listed below)

Traditional C&A:
Phase 1 Initiation
  Task 1 Preparation: Information System Description; Security Categorization; Threat Identification; Vulnerability Identification; Security Control Identification; Initial Risk Determination
  Task 2 Notification: Notification; Planning and Resources
  Task 3 SSP Analysis, Update, and Acceptance: Security Categorization Review; System Security Plan Analysis; System Security Plan Update; System Security Plan Acceptance
Phase 2 Certification
  Task 4 Security Control Assessment: Documentation and Supporting Materials; Methods and Procedures; Security Assessment; Security Assessment Report
  Task 5 Security Certification Documentation: Findings and Recommendations; System Security Plan Update; POAM Preparation; Accreditation Package Assembly
Phase 3 Accreditation
  Task 6 Accreditation Decision: Final Risk Determination; Risk Acceptability
  Task 7 Security Accreditation Documentation: Security Accreditation Package Transmission; System Security Plan Update
Phase 4 Continuous Monitoring
  Task 8 Configuration Management: Documentation of Information System Changes; Security Impact Analysis
  Task 9 Control Monitoring: Security Control Selection; Selected Security Control Assessment
  Task 10 Status Reporting and Documentation: System Security Plan Update; POAM Update; Status Reporting

Risk Management Framework (SP 800-37r1) tasks the C&A activities are mapped to:
Step 1: 1.1 Security Categorization; 1.2 Information System Description; 1.3 Information System Registration
Step 2: 2.1 Common Control Identification; 2.2 Security Control Selection; 2.3 Monitoring Strategy (mapped from C&A Task 9 Security Control Selection, "sorta"); 2.4 Security Plan Approval
Step 3: 3.1 Security Control Implementation; 3.2 Security Control Documentation
Step 4: 4.1 Assessment Preparation; 4.2 Security Control Assessment; 4.3 Security Assessment Report; 4.4 Remediation Actions
Step 5: 5.1 Plan of Action and Milestones; 5.2 Security Authorization Package; 5.3 Risk Determination; 5.4 Risk Acceptance
Step 6: 6.1 Information System and Environment Changes; 6.2 Ongoing Security Control Assessments; 6.3 Ongoing Remediation Actions; 6.4 Key Updates; 6.5 Security Status Reporting; 6.6 Ongoing Risk Determination and Acceptance; 6.7 Information System Removal and Decommissioning

Joint Task Force Transformation Initiative: an ongoing effort to produce a unified information security framework for the federal government, a collaboration among public and private sector entities.
- Department of Defense: DITSCAP / NIACAP / DIACAP
- Office of the Director of National Intelligence: DCID 6/3 C&A Guidelines
- Committee on National Security Systems: CNSS 1253
- National Institute of Standards and Technology: SP 800-37 Risk Management Framework; SP 800-53r3 Security Controls; SP 800-39 Managing Information Security Risk
- Participants and sources drawn on: DoD, ODNI, NSA (CNSS 1253), ISO/IEC (27001), Johns Hopkins APL, MITRE Corporation (NVD), Booz Allen Hamilton

Organization-wide RM Strategy / New Roles: Risk Executive (function); Information Security Architect; Information System Security Engineer

OMB 11-33 FISMA Reporting Instructions, FAQ #9. Must the Department of Defense (DoD) and the Office of the Director of National Intelligence (ODNI) follow OMB policy and NIST guidelines? Answer: Yes, for non-national security systems DoD and ODNI are to incorporate OMB policy and NIST guidelines into their internal policies. Note: NSA uses CNSS 1253, which looks very similar to a compilation of FIPS 199/200, references 800-53, and provides a very FDCC/USGCB-like baseline of configuration settings.

Clarifying DHS Cybersecurity Responsibilities (M-10-28)
- Critical Infrastructure Protection
- US-CERT
- Trusted Internet Connection Initiative
- Primary Responsibility for the Operational Aspects of Cybersecurity
- [FISMA Reporting] Instructions
- New FISMA Reporting Metrics
- Cyberscope

DHS FISM 11-02 (aka OMB 11-33) FISMA Reporting Instructions FAQ #28. Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130? Answer: No. Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs.

FY2011 Reporting Metrics, 13. Continuous Monitoring
13.1. What percentage of data from the following potential data feeds are being monitored at appropriate frequencies and levels in the Agency:
13.1a. IDS/IPS
13.1b. AV/Anti-Malware/Anti-Spyware
13.1c. System Logs
13.1d. Application Logs
13.1e. Patch Status
13.1f. Vulnerability Scans
13.1g. DNS logging
13.1h. Configuration/Change Management system alerts
13.1i. Failed Logins for privileged accounts
13.1j. Physical security logs for access to restricted areas (e.g. data centers)

DHS Cyberscope: Monthly Data Feeds to DHS
1. Inventory
2. Systems and Services
3. Hardware
4. Software
5. External Connections
6. Security Training
7. Identity Management and Access
Also: government-wide benchmarking on security posture; agency-specific interviews.

Risk Management OODA Loop Redefined

SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. It begins with leadership defining a comprehensive ISCM strategy encompassing technology, processes, procedures, operating environments, and people.

SP 800-137 ISCM Criteria
Risk Management Strategy:
1. How the organization plans to assess, respond to, and monitor risk
2. Oversight required to ensure effectiveness of the RM strategy
Program Management:
1. Defined by how business processes are prioritized
2. Types of information needed to successfully execute those business processes
Monitoring System-Level Controls and Security Status Reporting:
1. Security Alerts
2. Security Incidents
3. Identified Threat Activities

Risk Tolerance; Enterprise Architecture; Security Architecture; Security Configurations; Plans for Changes to Enterprise Architecture; Available Threat Information. Guidance: SP 800-137

The CM Process (SP 800-137)
- Define an ISCM Strategy
- Establish an ISCM Program
- Implement an ISCM Program
- Determine the Appropriate Response
- Mitigate Risk
- Review and Update the Monitoring Program

Role of Automation in ISCM (SP 800-137): consideration is given to ISCM tools that:
- Pull information from a variety of sources (specifications, mechanisms, activities, individuals)
- Use open specifications such as SCAP
- Offer interoperability with other products (help desk, inventory management, configuration management, and incident response solutions)
- Support compliance with applicable federal laws, regulations, standards, and guidelines
- Provide reporting with the ability to tailor output
- Allow for data consolidation into Security Information and Event Management (SIEM) tools and dashboard products

Security Automation Domains (SP 800-137): Vulnerability & Patch Management; Event & Incident Management; Malware Detection; Asset Management; Configuration Management; Network Management; License Management; Information Management; Software Assurance

Automation Domains, Tools and Technologies, and NIST Guidelines (SP 800-137)
1 - Vulnerability Management / 2 - Patch Management: vulnerability scanners, patch management tools. NIST SP 800-40, Creating a Patch and Vulnerability Management Program
3 - Event Management / 4 - Incident Management: intrusion detection/prevention systems and logging mechanisms. NIST SP 800-92, Computer Security Log Management; NIST SP 800-94, Guide to IDPS
5 - Malware Detection: antivirus/malware detection mechanisms. NIST SP 800-83, Malware Incident Prevention and Handling
6 - Configuration Management: SCAP, SIEM, dashboards. NIST SP 800-126r2, The Technical Specification for SCAP Version 1.2
7 - Asset Management / 8 - Network Management / 9 - License Management: system configuration, network management, and license management tools; host discovery, inventory, change control, performance monitoring, and other network device management capabilities; license management tools
10 - Information Management: Data Loss Prevention (DLP) tools: network analysis software, application firewalls, and intrusion detection and prevention systems

Software Assurance Technologies: Security Automation Domain #11 (SP 800-137)
Software Assurance Automation Protocol (SwAAP - measure and enumerate software weaknesses):
- CWE, Common Weakness Enumeration: dictionary of weaknesses that can lead to exploitable vulnerabilities
- CWSS, Common Weakness Scoring System: assigning risk scores to weaknesses
- CAPEC, Common Attack Pattern Enumeration & Classification: catalog of attack patterns
- MAEC, Malware Attribute Enumeration & Characterization: standardized language about malware, based on attributes such as behaviors and attack patterns

DHS Reporting Metrics, 12. Software Assurance
12.1 Provide the number of information systems, developed in-house or with commercial services, deployed in the past 12 months.
12.1a. Provide the number of information systems above (12.1) that were tested using automated source code testing tools.
12.1b. Provide the number of the information systems above (12.1a) where the tools generated output compliant with:
12.1b(1). Common Vulnerabilities and Exposures (CVE)
12.1b(2). Common Weakness Enumeration (CWE)
12.1b(3). Common Vulnerability Scoring System (CVSS)
12.1b(4). Open Vulnerability and Assessment Language (OVAL)
Source code testing tools are defined as tools that review source code line by line to detect security vulnerabilities and provide guidance on how to correct problems identified.

Automation and Reference Data Sources (SP 800-137)
Security Content Automation Protocol (SCAP): What Can Be Automated With SCAP; How to Implement SCAP; Partially Automated Controls
Reference Data Sources: National Vulnerability Database (NVD); Security Configuration Checklists

NVD Primary Resources (SP 800-137)
1. Vulnerability Search Engine
2. National Checklist Program
3. SCAP Compatible Tools
4. SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
5. Product Dictionary (CPE)
6. Impact Metrics (CVSS)
7. Common Weakness Enumeration (CWE)
Diagram labels: SCAP Program / Scan / NVD Data Feed

SCAP: What Can Be Automated? (SP 800-137)
- Vulnerability and Patch Scanners: authenticated, unauthenticated
- Baseline Configuration Scanners: Federal Desktop Core Configuration (FDCC), United States Government Configuration Baseline (USGCB)
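An added example (not NIST or NVD code) of what an SCAP vulnerability scanner does with the NVD CPE, CVE and CVSS feeds listed above: parse CPE 2.3 names from a software inventory, match them to CVE records by vendor, product and version range, and rank the hits by CVSS score. The CVE IDs, vendors, products and inventory are constructed placeholders; an inventory entry with no version is reported rather than guessed.

```python
"""Match a CPE-named software inventory against CVE records the way an
SCAP vulnerability scanner uses the NVD CPE, CVE and CVSS data feeds.
Added example, not NIST/NVD code: records and inventory are constructed."""
from dataclasses import dataclass
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named components,
    honouring backslash escapes (a literal ':' in a value is '\\:')."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    parts, buf, esc = [], "", False
    for ch in cpe[len("cpe:2.3:"):]:
        if esc:
            buf, esc = buf + ch, False
        elif ch == "\\":
            esc = True
        elif ch == ":":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected 11 components, got {len(parts)}: {cpe}")
    return dict(zip(CPE_FIELDS, parts))

def version_key(v):
    """Numeric sort key: '1.9.0' < '1.10.0', which string order gets wrong."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

@dataclass(frozen=True)
class CveRecord:
    cve_id: str                 # placeholder IDs below, not real CVEs
    cvss: float                 # CVSS base score (NVD impact metrics)
    vendor: str
    product: str
    version_end_excluding: str  # affected when version < this value

def is_affected(c, rec):
    """True when parsed inventory entry c falls in the record's affected range."""
    if (c["vendor"], c["product"]) != (rec.vendor, rec.product):
        return False
    return version_key(c["version"]) < version_key(rec.version_end_excluding)

def scan(inventory, feed):
    """Return (hits, skipped): hits are (cpe, cve_id, cvss) highest CVSS
    first; skipped are entries whose version is ANY ('*') or NA ('-'),
    which cannot be matched safely and need an authenticated scan."""
    hits, skipped = [], []
    for cpe in inventory:
        f = parse_cpe23(cpe)
        if f["version"] in ("*", "-"):
            skipped.append(cpe)
            continue
        hits += [(cpe, r.cve_id, r.cvss) for r in feed if is_affected(f, r)]
    return sorted(hits, key=lambda h: (-h[2], h[1], h[0])), skipped
# Constructed sample feed and inventory (vendors, products, IDs made up).
FEED = [
    CveRecord("CVE-0000-0001", 9.8, "examplecorp", "widgetd", "2.4.1"),
    CveRecord("CVE-0000-0002", 5.3, "examplecorp", "widgetd", "2.6.0"),
    CveRecord("CVE-0000-0003", 7.5, "othervendor", "agent", "1.10.0"),
]
INVENTORY = [
    "cpe:2.3:a:examplecorp:widgetd:2.4.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:widgetd:2.5.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:othervendor:agent:1.9.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:othervendor:agent:*:*:*:*:*:*:*:*",
]
```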

How to Implement SCAP: with SCAP-validated tools and SCAP-expressed checklists (SP 800-137)

Partially Automated Controls: Open Checklist Interactive Language (OCIL) (SP 800-137)
- Define questions (Boolean, choice, numeric, or string)
- Define possible answers to a question from which the user can choose
- Define actions to be taken resulting from a user's answer
- Enumerate the result set
- Used in conjunction with the eXtensible Configuration Checklist Description Format (XCCDF)

Technologies for Aggregation and Management (SP 800-137)
- Dashboards: meaningful and easily understandable format; provide information appropriate to roles and responsibilities
- Analysis: Security Information and Event Management (SIEM), analysis of vulnerability scanning information, performance data, network monitoring, and system audit record (log) information; audit record correlation and analysis

IR 7756 CAESARS Framework


CM Documents IR 7756

Department of State's iPost: a custom application that continuously monitors, uses data from various monitoring tools, gives a holistic view of risk, and leverages competitiveness to encourage risk reduction.

iPost Development Stages: 1. Deploy enterprise monitoring tools; 2. Aggregate monitoring data (iPost); 3. Establish risk scoring program.

iPost Monitoring Tool Data Sources (component, ID, what is scored, source)
- Vulnerability (VUL): vulnerabilities detected on a host. Source: Foundstone (McAfee)
- Patch (PAT): patches required by a host. Source: SMS (System Center)
- Security Compliance (SCM): failures of a host to use required security settings. Source: McAfee Policy Auditor
- Anti-Virus (AVR): out-of-date anti-virus signature file. Source: SMS (System Center)
- Unapproved OS (UOS): unapproved operating systems. Source: AD
- Cyber Security Awareness Training (CSA): every user who has not passed the mandatory awareness training within the last 365 days. Source: DoS Training Database
- SOE Compliance (SOE): incomplete/invalid installations of any product in the Standard Operating Environment (SOE) suite. Source: SMS (System Center)
- AD Computers (ADC): computer account password ages exceeding threshold. Source: AD
- AD Users (ADU): user account password ages exceeding threshold (scores each user account, not each host). Source: AD
- SMS Reporting (SMS): incorrect functioning of the SMS client agent. Source: SMS (System Center)
- Vulnerability Reporting (VUR): missed vulnerability scans. Source: Foundstone (McAfee)
- Security Compliance Reporting (SCR): missed security compliance scans. Source: McAfee Policy Auditor
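One way to turn the component table above into per-host and per-site scores and a remediation order, as an added example that is not State's iPost code: only the component IDs come from the table; the point weights, hosts, user accounts, sites and findings are constructed assumptions.

```python
"""Risk-scoring aggregator modelled on the ipost component table above.
Added example, not State Department code: the weights, hosts, users and
findings are constructed assumptions; only the component IDs are the page's."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed points per finding for each component ID. Higher = more risk.
WEIGHTS = {
    "VUL": 10.0,  # each vulnerability detected on a host
    "PAT": 6.0,   # each patch required by a host
    "SCM": 4.0,   # each required security setting the host fails
    "AVR": 8.0,   # out-of-date anti-virus signature file
    "UOS": 15.0,  # unapproved operating system
    "SOE": 5.0,   # incomplete/invalid SOE product installation
    "ADC": 3.0,   # computer account password age over threshold
    "SMS": 5.0,   # SMS client agent not functioning correctly
    "VUR": 12.0,  # missed vulnerability scan: no data is itself a risk
    "SCR": 9.0,   # missed security compliance scan
    "ADU": 3.0,   # user account password age over threshold (per user)
    "CSA": 7.0,   # user has not passed awareness training in 365 days
}

@dataclass(frozen=True)
class Finding:
    subject: str    # host name, or user account for ADU/CSA
    site: str       # organisational unit the subject belongs to
    component: str  # component ID from the table
    count: int = 1  # number of items found (e.g. vulnerabilities)

def points(finding):
    """Weighted score for one finding; unknown IDs are rejected."""
    if finding.component not in WEIGHTS:
        raise ValueError(f"unknown component ID: {finding.component}")
    if finding.count < 0:
        raise ValueError("count must be non-negative")
    return WEIGHTS[finding.component] * finding.count

def totals_by(findings, key):
    """Sum points grouped by key(finding): per host/user or per site."""
    totals = defaultdict(float)
    for f in findings:
        totals[key(f)] += points(f)
    return dict(totals)

def rank_sites(findings):
    """Sites ordered lowest (best) to highest (worst) score, the ranking
    a dashboard would publish to encourage risk reduction."""
    sites = totals_by(findings, lambda f: f.site)
    return sorted(sites.items(), key=lambda kv: (kv[1], kv[0]))

def top_components(findings, site):
    """Component IDs driving one site's score, largest first: the order
    a remediation queue for that site would work through."""
    here = [f for f in findings if f.site == site]
    comps = totals_by(here, lambda f: f.component)
    return sorted(comps.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample data (not real hosts, users or findings).
SAMPLE = [
    Finding("ws-01", "site-a", "VUL", 3),
    Finding("ws-01", "site-a", "PAT", 2),
    Finding("ws-01", "site-a", "SCM"),
    Finding("ws-02", "site-a", "VUR"),
    Finding("ws-02", "site-a", "AVR"),
    Finding("srv-01", "site-b", "UOS"),
    Finding("jdoe", "site-b", "CSA"),
    Finding("jdoe", "site-b", "ADU"),
]
```

Note that the user-scoped components (ADU, CSA) are keyed on the account, so they accumulate against the user and the site rather than against any host, which is the distinction the table draws for ADU.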

Risk Scoring

Remediation

CM Challenges: The Organization of SP 800-53; Emerging CM Technologies (SCAP, OCIL); The Limitations of CAESARS; Department of State's iPost and Risk Scoring Program

Organization of Security Controls: 18 families, 198 controls, 892 control items (parts/enhancements)

Evident in USGCB

Mapping STIG to 800-53

Using Fishbone to Find Root Controls [diagram]. Phases: Plan, Engineer & Prepare for Operations (Plan; Prepare) and Operate, Monitor & Improve (Operate & Check; Improve). Activities shown: Policy & Planning; Requirements Definition; Design/Test/AQ/Infrastructure; Prep Staff; Manage & Operate; Track Desired State; Track Actual; Assign Scores to Delta; ID Score Deviations; Fix Issues by Priority; Find Systemic Problems; Measure Effectiveness; Value Proposition/Operational Metric.

The Limitations of CAESARS
- Lack of interface specifications
- Reliance on an enterprise service bus
- Incomplete communication payload specifications
- Lack of specifications describing subsystem capabilities
- Lack of a multi-CM-instance capability
- Lack of a multi-subsystem-instance capability
- CM database integration with security baseline content
- Lack of detail on the required asset inventory
- Requirement for risk measurement

GAO Report on Scope of iPost Risk Scoring Program
(1) Addresses Windows hosts but not other IT assets on its major unclassified network
(2) Covers a set of 10 scoring components that includes some, but not all, information system controls that are intended to reduce risk
(3) State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment

Minimum Security Controls (FIPS 200) vs Controls Monitored by iPost
FIPS 200 families: Access Control; Awareness and Training; Audit and Accountability; Security Assessment and Authorization; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Personnel Security; Risk Assessment; System and Services Acquisition; System and Communications Protection; System and Information Integrity
Controls monitored by iPost (in the order the slide lists them against the families): Security Compliance (AD Group check); Awareness Training; Reporting; Patching, SOE, Reporting (Inventory); AD Computers & Users; Vulnerabilities; Patching, Antivirus

Challenges with Implementation of iPost
(1) Overcoming limitations and technical issues with data collection tools
(2) Identifying and notifying individuals with responsibility for site-level security
(3) Implementing configuration management for iPost
(4) Adopting a strategy for continuous monitoring of controls
(5) Managing stakeholder expectations for continuous monitoring activities

FITSI Objectives Review
FISMA Compliance: OMB Memorandums; DHS FISMs; NIST Standards & Guidelines; Evolution via Deltas
CM Tools & Technologies: Guidelines: SP 800-137; Automation Domains (SCAP, NVD); CAESARS Framework & State's iPost
CM Challenges: The Organization of SP 800-53; The Limitations of CAESARS
Your Organization's ISCM: 1. Consistent Body of Knowledge; 2. Training Baseline; Overcome CM Challenges with Collective Contributions

Q&A: Tina Kuligowski, Tina.Kuligowski@Securible.com, TinaKuligowski@gmail.com, 571-229-0543