ForeScout CounterACT and Compliance
An independent assessment of how network access control maps to leading compliance mandates and helps automate GRC operations
June 2012

Overview
Information security has undergone a sea change in the past 10 years. Compliance mandates in the form of industry standards and Federal rules such as NERC, FFIEC, HIPAA/HITECH and PCI-DSS are the new norm. To stay in compliance, IT teams need to keep up with updates and changes to existing mandates while also being prepared for new ones. To maximize efficiency, manage risk and reduce potential violations due to compliance failure, organizations need security tools whose features support multiple specifications within and across different compliance frameworks.

To find the right tools, first map functionality to a specific section or requirement in the most critical internal or external compliance mandate. Then look across the other frameworks applicable to your business to see how many of them the same solution can satisfy. For example, security monitoring, configuration standards and event logging are called for in many guidelines, and a tool that provides real-time visibility and endpoint compliance capabilities, such as NAC, can support that requirement across multiple mandates. By distilling the core requirements and mapping them to specific objectives, organizations can find solutions that keep them on track for compliance while realizing additional benefits and savings.

Major Mandates
Many organizations find themselves subject to mandates they did not initially realize applied to them. For example, a higher education institution that provides student loans and operates a health care department may need to comply with PCI-DSS, HIPAA and GLBA.
While many of the compliance frameworks described in this paper are specific to the United States, most have counterparts in other countries; PCI-DSS, for example, applies to payment processing entities worldwide. HIPAA and privacy laws also reach entities outside the United States, with specific obligations depending on the origin or destination of the IT resources or sensitive data under management. The major mandates that most companies need to address are outlined below.

PCI-DSS
A set of security standards issued by the five major card brands and overseen by the PCI Security Standards Council. It applies to any entity that stores, processes or transmits cardholder data.

ISO 27002
An internationally accepted framework for implementing information security management systems. ISO 27002 supplies a list of security controls, their objectives and implementation guidance, spanning access control, endpoint compliance, event logging, incident response and more.

FFIEC
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that sets and oversees standards for the federal examination of financial institutions by agencies including the FDIC and NCUA.

HIPAA/HITECH
HIPAA is a healthcare mandate for the protection of health information, including electronic protected health information (ePHI). HITECH extended the obligation to safeguard health information and personally identifiable information (PII) to the business associates of covered entities.

GLBA/Privacy
Mandates privacy controls and safeguards for customer information and nonpublic personal information (NPI) managed by financial institutions. This can be extended to include the protection of PII under state and national privacy and breach notification laws.

NERC
Ensures the reliability of the North American power system, including by overseeing the Critical Infrastructure Protection (CIP) reliability standards. Entities involved with power systems must comply with them.

DISA STIGs
The Security Technical Implementation Guides (STIGs) are the configuration standards required for DoD systems. Many organizations outside the DoD have adopted the STIGs as part of their overall security program. The guidelines require port-based control (securing physical and logical network ports to prevent unauthorized access to the enclave), continuous endpoint compliance and an active Host Based Security System (HBSS).

NIST
Publishes Special Publications on a variety of cyber-security matters. Many government agencies must comply with NIST standards, and organizations outside the government have adopted them as part of their programs.

How Network Access Control (NAC) Works
NAC is technology used to assure trusted access to network resources. Using 802.1X or other security mechanisms, NAC identifies users and network-attached devices and enforces security policies based on the discovered network, identity and device attributes.
Beyond allowing, limiting or blocking device access to network resources and sensitive data, NAC also provides visibility, endpoint compliance and threat prevention capabilities. For example, NAC performs a health check before an entity is allowed to access network resources. If the entity lacks the proper configuration settings, the latest patches or active host-based security functions, the NAC solution can quarantine the device and support remediation so that the device is brought into compliance with a pre-defined corporate policy. NAC can also be used for auto-discovery, classification and policy assessment of devices, and to resolve endpoint issues and violations. Once a device is on the network, NAC continues to monitor it to ensure continuous compliance and can take action when unwanted behavior is detected. Like other tools, NAC platforms interface with an enterprise's network, security and identity infrastructure and can support compliance-relevant reporting.

Mapping CounterACT to Compliance
ForeScout CounterACT is a NAC platform that supports a number of critical security and protection functions across multiple compliance mandates. Many compliance mandates are not prescriptive about specific controls: they describe objectives and activities but leave the decision about which tool or solution to implement to the end-user organization. It is therefore important for each organization to assess the available solutions thoroughly and select those that address its needs while supporting an efficient compliance program that satisfies multiple mandate requirements. In other words, an effective security solution is a little like a compliance Swiss army knife for IT. More importantly, organizations should look at where security tools can enable or add efficiency to compliance enforcement, auditing and documentation processes.

The table below extracts the core security functions of ForeScout CounterACT for network access control into 9 areas and maps them across 8 mandates to illustrate how a NAC solution such as ForeScout CounterACT can address a large number of compliance processes and requirements. These are just a few examples of how NAC can support compliance programs. When reviewing the table, keep in mind that compliance is a holistic process: the fact that a specific task is not explicitly called out does not mean it is unnecessary or will not support the overall mission. For example, GLBA does not call out anti-malware by name, but it does require organizations to take appropriate precautions to protect NPI, and validating that anti-malware is active on devices supports NPI protection. Organizations that must adhere to mandates not listed below can still use the table as a baseline and do their own mapping using the core ForeScout CounterACT features and their own security and compliance requirements.

IANS: How NAC maps to leading compliance mandates
Table: ForeScout CounterACT function areas mapped to compliance mandates
Columns of the original table: PCI DSS v2; DISA STIGs; FFIEC; HIPAA/HITECH; NERC; ISO 27002; NIST SP 800-53 / SP 800-37; GLBA. Where a cell has the same text as an earlier row it is abbreviated with "as above". The GLBA column carried one entry per group of three rows in the original; it is shown in the row it most directly supports.

1. Network Access Control / Port Control
   PCI DSS v2: 1.3.1 Limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
   DISA STIGs: Enclave STIG V4R3, 2.9.1: The Enclave perimeter must block and/or secure all PPSs in accordance with the Vulnerability Assessments and the DoD PPS CAL.
   FFIEC: Security Controls Implementation (SCI), Network Access - Access Control.
   HIPAA/HITECH: 164.312(a)(1) Access Control.
   NERC: CIP-007-4 R2 Ports and Services: The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.
   ISO 27002: Section 11.4 Network access control.
   NIST: AC (Access Control family) and AC-3 Access Enforcement.
   GLBA: 314.3 Standards for safeguarding customer information, (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. (Cited once for rows 1-3 in the original.)

2. Endpoint Integrity / Compliance / Continuous Monitoring
   PCI DSS v2: 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
   DISA STIGs: See the DISA STIGs for individual operating systems. CounterACT can identify all network devices and classify known and unknown devices; it can also identify and remediate HBSS (Host Based Security System) issues dynamically.
   FFIEC: SCI, Access Control - Operating System Access.
   HIPAA/HITECH: 164.308(a)(5)(ii)(B) Protection from Malicious Software.
   NERC: CIP-002-4 R2 Critical Cyber Asset Identification: Using the list of Critical Assets developed pursuant to Requirement R1, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. The Responsible Entity shall update this list as necessary, and review it at least annually.
   ISO 27002: 11.5 Operating system access control.
   NIST: CA-7 Continuous Monitoring, CM-3 Configuration Change Control and CM-8 Information System Component Inventory.

3. Identification and removal of rogue WAPs
   PCI DSS v2: 11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
   DISA STIGs: General Wireless Policy STIG V1R6: Only authorized wireless systems used.
   FFIEC: FFIEC 10.11 Supplement Guidance: Controls; E-Banking booklet, Appendix E: Wireless Banking.
   HIPAA/HITECH: 45 CFR Parts 160 and 164: Data comprising PHI can be vulnerable to a breach in any of the commonly recognized data states, including data in motion (i.e., data that is moving through a network, including wireless transmission).
   NERC: CIP-005-3 R1 Electronic Security Perimeter: The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
   ISO 27002: 11.7 Mobile computing and teleworking.
   NIST: AC-18 Wireless Access.

4. Endpoint Security
   PCI DSS v2: 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). 6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
   DISA STIGs: See the DISA STIGs for individual operating systems.
   FFIEC: SCI, Access Control - Operating System Access.
   HIPAA/HITECH: 164.308(a)(5)(ii)(B) Protection from Malicious Software.
   NERC: CIP-007-3 R3 Security Patch Management: The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-3 Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s). CIP-007-3 R4 Malicious Software Prevention: The Responsible Entity shall use anti-virus software and other malicious software ("malware") prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
   ISO 27002: 11.5 Operating system access control.
   NIST: CM-2 Baseline Configuration and SI-3 Malicious Code Protection.

5. Mobile Security
   PCI DSS v2: 1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network.
   DISA STIGs: General Wireless Policy STIG V1R6: Only authorized wireless systems used.
   FFIEC: FFIEC 10.11 Supplement Guidance: Controls; E-Banking booklet, Appendix E: Wireless Banking.
   HIPAA/HITECH: 45 CFR Parts 160 and 164, data in motion including wireless transmission (as above).
   NERC: CIP-002-4 R2 Critical Cyber Asset Identification (as above).
   ISO 27002: 11.7 Mobile computing and teleworking.
   NIST: AC-19 Access Control for Mobile Devices.

6. Threat Remediation
   PCI DSS v2: 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
   DISA STIGs: Enclave STIG V4R3, 3.1.1 Host-based IDS (EN550: CAT III): The IAO will ensure the SA is responsible for initial response to real-time alarms and performance of retrospective analysis of reports.
   FFIEC: Information Security - Security Monitoring.
   HIPAA/HITECH: 164.308(a)(6)(ii) Response and Reporting (R): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
   NERC: CIP-007-4 R8 Cyber Vulnerability Assessment: The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following: R8.4 Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.
   ISO 27002: 12.6 Technical vulnerability management; Section 13 Information security incident management.
   NIST: SI-2 Flaw Remediation.
   GLBA: (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures. (Cited once for rows 4-6 in the original.)

7. Data Leakage
   PCI DSS v2: Requirement 10: Track and monitor all access to network resources and cardholder data.
   DISA STIGs: Enclave STIG V4R3, 3.1.2 Host-based Content Security Checking.
   FFIEC: SCI, Access Control - Operating System Access.
   HIPAA/HITECH: 164.308(a)(4) Information Access Management.
   NERC: CIP-003-4 R4 Information Protection: The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
   ISO 27002: 11.6 Application and information access control.
   NIST: PE-19 Information Leakage.
   GLBA: 314.3 Standards for safeguarding customer information, (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

8. Endpoint Intelligence
   PCI DSS v2: 2.2 Develop configuration standards for all system components (as above).
   DISA STIGs: See the DISA STIGs for individual operating systems.
   FFIEC: Information Security - Security Controls Implementation and Security Monitoring.
   HIPAA/HITECH: 164.308(a)(4) Information Access Management.
   NERC: CIP-002-4 R2 Critical Cyber Asset Identification (as above).
   ISO 27002: 11.5 Operating system access control.
   NIST: CA-7 Continuous Monitoring, CM-3 Configuration Change Control and CM-8 Information System Component Inventory.

9. Log Management Assurance
   PCI DSS v2: Requirement 10: Track and monitor all access to network resources and cardholder data.
   DISA STIGs: See the Network Infrastructure STIGs.
   FFIEC: Information Security - Security Controls Implementation and Security Monitoring.
   HIPAA/HITECH: 164.308(a)(1) Information System Activity Review and 164.312(b) Audit Controls.
   NERC: CIP-007-4 R5.1.2: The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days. CIP-007-4 R6 Security Status Monitoring: The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
   ISO 27002: 10.10 Monitoring.
   NIST: SI-4 Information System Monitoring.
   GLBA: (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.
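The pre-admission health check, quarantine with remediation, and continuous re-evaluation described under "How Network Access Control (NAC) Works", tied to a handful of the controls cited in the table above, as an added illustration written for this edit. It is not ForeScout CounterACT code and not part of the original paper. The posture fields, rule names, sample endpoints and the reference date are constructed assumptions; the mandate references attached to each rule are the ones the table cites for that function area.

```python
"""Illustrative NAC posture-check engine (added example, not ForeScout code).

Posture records are assumed to arrive as dicts from some inventory or agent;
the three sample endpoints at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

# Constructed reference date and the patch-age threshold from PCI DSS 6.1
# (critical security patches installed within one month of release).
TODAY = date(2012, 6, 1)
MAX_PATCH_AGE = timedelta(days=30)


@dataclass(frozen=True)
class Rule:
    name: str
    check: Callable[[Dict], bool]   # True when the endpoint satisfies the rule
    mandates: Tuple[str, ...]       # controls from the mapping table this rule evidences
    remediation: str                # "" means the failure cannot be remediated: block


RULES: List[Rule] = [
    # A device missing from the inventory is treated as rogue: blocked, not quarantined.
    Rule("known_device", lambda p: p["inventoried"],
         ("NIST SP 800-53 CM-8", "NERC CIP-002-4 R2"), ""),
    Rule("antivirus_active", lambda p: p["av_running"],
         ("PCI DSS 5.1", "HIPAA 164.308(a)(5)(ii)(B)", "NIST SP 800-53 SI-3", "NERC CIP-007-3 R4"),
         "start the endpoint anti-virus service and force a signature update"),
    Rule("critical_patches_current",
         lambda p: TODAY - p["last_critical_patch"] <= MAX_PATCH_AGE,
         ("PCI DSS 6.1", "NIST SP 800-53 SI-2", "NERC CIP-007-3 R3"),
         "push the outstanding critical patches through the patch-management system"),
    Rule("host_firewall_on_mobile",
         lambda p: (not p["mobile"]) or p["firewall_on"],
         ("PCI DSS 1.4", "NIST SP 800-53 AC-19", "ISO 27002 11.7"),
         "enable the host firewall profile for mobile/BYOD devices"),
]


@dataclass
class Decision:
    endpoint: str
    action: str = "allow"   # allow | quarantine | block
    violations: List[Tuple[str, Tuple[str, ...], str]] = field(default_factory=list)


def evaluate(endpoint: str, posture: Dict) -> Decision:
    """The health check a NAC runs before (and while) granting network access."""
    d = Decision(endpoint)
    for rule in RULES:
        if rule.check(posture):
            continue
        d.violations.append((rule.name, rule.mandates, rule.remediation))
        if not rule.remediation:
            # Unremediable failure (unknown device): deny outright, stop evaluating.
            d.action = "block"
            break
        d.action = "quarantine"   # remediable: isolate until the fix is applied
    return d


def monitor(endpoint: str, snapshots: List[Dict]) -> List[str]:
    """Continuous compliance: re-evaluate each posture snapshot after admission."""
    return [evaluate(endpoint, s).action for s in snapshots]


def audit_record(d: Decision) -> Dict:
    """Evidence row for compliance reporting: which cited controls each violation touches."""
    return {
        "endpoint": d.endpoint,
        "action": d.action,
        "controls_cited": sorted({m for _, mandates, _ in d.violations for m in mandates}),
        "remediation": [r for _, _, r in d.violations if r],
    }


# Constructed sample postures (not real customer or ForeScout data).
SAMPLES = {
    "laptop-01": {"inventoried": True, "av_running": True,
                  "last_critical_patch": TODAY - timedelta(days=10),
                  "mobile": True, "firewall_on": True},
    "laptop-02": {"inventoried": True, "av_running": False,
                  "last_critical_patch": TODAY - timedelta(days=45),
                  "mobile": True, "firewall_on": False},
    "unknown-mac": {"inventoried": False, "av_running": False,
                    "last_critical_patch": TODAY - timedelta(days=400),
                    "mobile": False, "firewall_on": False},
}

if __name__ == "__main__":
    for name, posture in SAMPLES.items():
        print(audit_record(evaluate(name, posture)))
```

The distinction between "block" and "quarantine" is the point of the rule ordering: an unknown device is denied before any posture rule is consulted, because its posture cannot be trusted, whereas a known device with a fixable gap is isolated and handed a remediation step. Running `monitor` over successive snapshots shows a device admitted, quarantined when its anti-virus stops, and readmitted once it is restored.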
When evaluating the value of a solution like ForeScout CounterACT, it is helpful to assess the tool not only for how it supports compliance with specific mandates, but also for how it can be used to meet the intent of various mandates, increase visibility and put controls into effect, improve overall network and device health, and yield operational efficiencies. In addition to the specific support for the compliance mandates listed above, the ForeScout CounterACT NAC solution provides the following benefits:

Fortify IAM for network access
Enable port control without requiring agents
Enforce guest management
Identify and eliminate rogue devices and WAPs
Provide device classification and inventory
Support application whitelisting and blacklisting
Identify and remediate endpoint compliance gaps
Enable mobile security and BYOD policy
Automate compliance reporting
Increase situational awareness and reduce the risk profile

Conclusion
Keeping up with compliance is the new norm for all companies and organizations; no vertical industry or company is exempt, and new rulings and mandates are introduced and evolve every year. To stay ahead of the compliance onslaught, IT organizations need to implement comprehensive programs that take into account the entire fabric of compliance rather than addressing mandates one at a time. To make this easier, organizations can deploy security tools whose features address compliance controls for multiple mandates or expedite compliance documentation and validation processes. ForeScout CounterACT is a network security tool that can be efficient and effective at addressing a large variety of compliance needs and automating a wide array of GRC processes.