SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

Similar documents
SOFTWARE ASSET MANAGEMENT

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group

Trusted Network Connect (TNC)

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

State of Oregon. State of Oregon 1

Software Asset Management (SWAM) Illustrative Process

Network Access Control (NAC) and Network Security Standards

Management (CSM) Capability

CDM Software Asset Management (SWAM) Capability

Manage Vulnerabilities (VULN) Capability Data Sheet

Certification Report

Ovation Security Center Data Sheet

Security Orchestration with IF-MAP

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Automated Firewall Change Management. Ensure continuous compliance and reduce risk with secure change management workflows

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector

Certification Report

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

Software Asset Management (SWAM) Capability Data Sheet

NERC CIP VERSION 5 COMPLIANCE

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

eguide: Designing a Continuous Response Architecture 5 Steps For Windows Server 2003 End of Life Success

Data Sheets RMS infinity

TNC Endpoint Compliance and Network Access Control Profiles

Security Issues in Cloud Computing

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

CDM Hardware Asset Management (HWAM) Capability

Software Asset Management (SWAM) Capability Description

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Network Security Guidelines. e-governance

Security Coordination with IF-MAP

THE TOP 4 CONTROLS.

Cyber Security for NERC CIP Version 5 Compliance

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

GoodData Corporation Security White Paper

Ovation Security Center Data Sheet

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

5 Steps to Advanced Threat Protection

FREQUENTLY ASKED QUESTIONS

SANS Institute First Five Quick Wins

Enterprise Energy Management with JouleX and Cisco EnergyWise

Patch Management Policy

Cisco Advanced Malware Protection for Endpoints

Patch and Vulnerability Management Program

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

Network Access Control in Virtual Environments. Technical Note

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds.

SOA REFERENCE ARCHITECTURE: SERVICE ORIENTED ARCHITECTURE

CA IT Client Manager Asset Inventory and Discovery

Symantec Control Compliance Suite Standards Manager

Certification Report

AHS Flaw Remediation Standard

vsphere Upgrade Update 1 ESXi 6.0 vcenter Server 6.0 EN

Vistara Lifecycle Management

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Trusted Network Connect (TNC)

Software Audits Three Ways to Cut the Cost and Pain of a Software Audit

Active Network Defense: Real time Network Situational Awareness and a Single Source of Integrated, Comprehensive Network Knowledge

Insightix Discovery & NAC. Lite Edition. Installation Guide. Version 3.0. May United States. International 945 Concord St.

Verve Security Center

Certification Report

Security Management. Keeping the IT Security Administrator Busy

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

A Look at the New Converged Data Center

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

Cisco Trust Anchor Technologies

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance

Sygate Secure Enterprise and Alcatel

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

Complete Patch Management

Comprehensive Device Management Platform comprising of Management Suites specialized in addressing different problem domains, extensively

20 Critical Security Controls

The Protection Mission a constant endeavor

SP A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Certification Report

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Microsoft s Compliance Framework for Online Services

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Security Compliance and Data Governance: Dual problems, single solution CON8015

Configuration Management in the Data Center

DIVISION OF INFORMATION SECURITY (DIS)

Information and Communication Technology. Patch Management Policy

Total Protection for Compliance: Unified IT Policy Auditing

Transcription:

SOFTWARE ASSET MANAGEMENT Continuous Monitoring September 16, 2013 Tim McBride National Cybersecurity Center of Excellence timothy.mcbride@nist.gov David Waltermire Information Technology Laboratory david.waltermire@nist.gov

The National Cybersecurity Center of Excellence (NCCoE) works with industry, academic and government experts to find practical solutions for businesses most pressing cybersecurity needs. The NCCoE collaborates to build open, standards-based, modular, end-to-end solutions that are broadly applicable, customizable to the needs of individual businesses, and help businesses more easily comply with applicable standards and regulations. This document describes a problem that is relevant to many industry sectors. NCCoE cybersecurity experts will address this challenge through collaboration with a community of interest including vendors of cybersecurity solutions. The solution will become an NCCoE Building Block : an approach that can be incorporated into multiple use cases. The solution proposed by this effort will not be the only one available in the fast-paced cybersecurity technology market. If you would like to propose an alternative architecture or know of products that might be applicable to this challenge, please contact us at conmon-nccoe@nist.gov. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 1. DESCRIPTION Goal Continuous monitoring includes, but is not limited to, the information technology (IT) security and operational practices of asset management, configuration management, and vulnerability management. This building block will demonstrate software asset management capability by focusing on accurate, timely data collection and secure exchange of software inventory data from computing devices. The software asset management functionality demonstrated by this building block may be used as part of a larger continuous monitoring capability supporting basic situational awareness of the software that is installed and in use on monitored devices. Background Many, if not all, of an organization s mission or business essential functions governance structure and core business processes are dependent upon information technology. It is critical that organizations deploy solutions based on sound architectural approaches that support operational and security needs to protect the confidentiality, integrity and availability of information. Identifying and responding to new vulnerabilities, evolving threats and an organization s constantly changing security and operational environment is a dynamic process that must be effectively and proactively managed. Continuous monitoring is defined as maintaining ongoing awareness to support organizational risk decisions 1. Maintaining awareness of the software assets that reside 1 NIST SP 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations Continuous Monitoring Building Block Software Asset Management 1

22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 on a network is critical to risk management and for defining the scope of authorization activities. Software asset management (SAM) also supports disciplined network operations, change control and configuration management practices. A continuous monitoring system is composed of many different capabilities that enable collection of security and operational data, analysis of real-time and historic data, and reporting of metrics in support of operational, risk-based decision making at many different contexts within an organization. To achieve this, a continuous monitoring system must provide awareness of threats and vulnerabilities, visibility into organizational assets, and support measurement of the effectiveness of deployed security controls Tools supporting SAM help maintain an inventory of software installed and used within the organization. This can be accomplished with a combination of system configuration, network management and license management tools, or with a special-purpose tool. SAM software tracks the life cycle of an organization s software assets and provides capabilities such as remote management of devices and other automated management functions. The implementation and effective use of SAM technologies is a key component required to assist organizations in automating the implementation, assessment and continuous monitoring of software-related security controls such as those found in NIST Special Publication (SP) 800-53 Revision 4, ISO/IEC 27001:2005 Annex A, and other community-specific control catalogs. Security Challenge In order to support organizational, risk-based decision making and automated action, it is necessary to have accurate, timely information about the current state of software installed, authorized and used on computing devices, also called endpoints, accessing organizational resources and supporting critical business functions. The automated collection and secure exchange of software inventory data enables automation of common business processes relating to authorizing the execution of software, and understanding of what patches and software updates are needed to ensure software vulnerabilities are minimized, and of what software configurations need to be applied to ensure compliance with organizational configuration policies. A variety of activities are required to successfully manage software throughout its life. New software is released by a publisher, installed by an organization or user, maintained by applying patches (e.g., hot fixes, service packs) and updated software versions, and finally is uninstalled or retired when it is no longer of use or when the product reaches end-of-life. Throughout this lifecycle, a number of business processes are performed to manage the software. Licenses are tracked and purchased as needed as part of a license management process; software media is acquired as part of a supply chain; software is updated to take advantage of new features as part of a change management process; and patches are applied to fix security and functional flaws as part of vulnerability and patch management processes. Continuous Monitoring Building Block Software Asset Management 2

62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 In many organizations, SAM processes are either manual or are supported by a collection of proprietary solutions. Often proprietary solutions are lacking in integration with other operational and security systems, aligned with specific product families, and provide different informational views into the software they manage. SAM, as envisioned in this building block, requires a standardized approach that provides an integrated view of software throughout its lifecycle. Such an approach must support the following capabilities: Authorization and verification of software installation media - The ability to verify that the media is from a trusted publisher and that the integrity of the installation media has been maintained Software execution whitelisting The execution environment verifies that the software to be executed is authorized for execution and that the executable file has not been tampered with Publication of installed software inventory When connected to an authorized network, a device s full or updated software inventory is securely reported to an external configuration management database of the whole organization s installed software Software inventory-based network access control Control access to network resources at the time of connect based on published installed software inventory. Access should be limited to network resources if software is outdated or patches are not installed based on digital policies When used together, these capabilities enable enterprise-wide management of what software is allowed to be installed and executed. The provided information will also provide software version information to support license, vulnerability and patch management needs. Finally, using reported software inventory, network access can be controlled, enabling the device to be connected to a remediation network so the appropriate changes can be made before allowing it full access to the operational network. The ability to support the intended business processes and the value obtained from automated collection and exchange of endpoint inventory data depends crucially on the trustworthiness of the SAM processes implemented in each endpoint. At the very least, SAM processes must not undermine the trustworthiness of an endpoint by becoming a new avenue for attack. Therefore, SAM endpoint processes must leverage the best trusted computing mechanisms (whether specifically identified with trusted computing or not) that are available on each particular platform. Since endpoints are highly variable in terms of available trusted computing mechanisms, and since trusted computing mechanisms should be increasing and improving all the time, it is neither practical nor desirable to establish a security threshold. Rather, the goal is for SAM processes to be flexible or configurable to take advantage of the best security features a platform has to offer. Continuous Monitoring Building Block Software Asset Management 3

103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 2. SECURITY CHARACTERISTICS Provide organizational visibility into endpoint device software inventory supporting security and operational, risk-based decision making Provide assurance that software installation media is authentic based on digital signatures and cryptographic hashes Identify vulnerabilities associated with software prior to installation and during the lifecycle of installed software Maintain a comprehensive, up-to-date view of the state of software installed on computing devices using an enterprise data store Uphold or improve the assurance of an endpoint s effective trusted computing base; endpoint SAM processes must not degrade endpoint security assurance 3. APPROACH This building block focuses on the demonstration of SAM capabilities, based on standardized data formats and transport protocols. The general approach will address the following challenges: Verifying the identity of the software publisher providing installation media Verifying that installation media is authentic and hasn t been tampered with Determining what software is installed and in use on a given endpoint device including legacy and end-of-life products By process of elimination, determining software that is installed on an endpoint device that was not deployed using authorized mechanisms Restricting execution of software that was not installed using authorized mechanisms Identifying the presence of software flaws in installed software The data format at the core of this solution is the software identification (SWID) tag, which is an XML-based data format containing a collection of information describing a unit of software. A SWID tag contains data elements that identify a specific unit of software and provides other data elements that enable categorization, identification and hashing of software components, references to related software and dependencies, and other data points. SWID tags can be associated with software installation media, installed software and software updates (e.g., service packs, patches, hotfixes). SWID tags associated with installation media enable the media to be identified, verified using hash algorithms, and the publisher of the media to be authenticated using XML digital signatures containing a certificate. SWID tags managed by software installers, responsible for managing the deployment of software and software updates to an endpoint, are organized in a secure storage location on the endpoint device. These tags enable the software to be identified, Continuous Monitoring Building Block Software Asset Management 4

140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 dependencies and related software to be referenced, the installation location to be defined, and executables and other supporting files that are part of the installation to be identified and hashed supporting footprint verification. The data pertaining to executable files can be used to verify them at runtime, which, in-part, supports whitelisting and blacklisting of application execution. Today SWID tags are available for some commercially available software. Through the development of this building block, additional SWID tagging support will be developed for additional commercial software. For software that currently supports SWID tagging, support for SWID tagging will be expanded as needed. Additionally, SWID tags can be developed and deployed for custom software developed by an organization, allowing this software to be managed using commodity software asset management tools. Thirdparty generation of SWID tags can be used to provide the data needed to manage legacy products that do not have associated SWID tags. Secure transport protocols are required to enable SWID tag data to be exchanged. The Trusted Network Connect (TNC) specifications provide the standards-based mechanisms to support the secure exchange of SWID tag information. The TNC standards enable accurate software inventory information to be made available to the enterprise. Using the TNC protocols, collected SWID tag data can be published to a data store managed by a policy server. This persisted information can be used to support configuration, vulnerability management, attack detection, network access control decision making, and other security automation tasks. The building block s SAM capabilities, based on SWID tags and TNC transport protocols, will: Allow installation media to be verified as authentic Enable software execution to be limited to authorized software based on organizational policies Demonstrate a standardized approach for securely collecting and exchanging software inventory data from networked endpoint devices, including those accessing a network remotely Enable use of authoritative, vendor-provided SWID tag information to drive business processes Make exchanged software inventory data available to operational and security systems where it can be evaluated against organizational policies supporting human-assisted and automated, risk-based decision making The solution must conform to the Trusted Computing Group (TCG) Trusted Network Connect (TNC) Endpoint Compliance Profile (ECP) 2. Data collection of SWID tag-based software inventories must occur based on software installation change events. 2 TCG TNC Endpoint Compliance Profile Version 1 (pre-release) Continuous Monitoring Building Block Software Asset Management 5

177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 Solutions addressing the building block will be developed in stages. Existing commercial software functionality we be used and additional development will be performed as needed. As each stage is completed it will be assessed against the original objective and this document will be revised to reflect any relevant changes to the original approach. Gaps in technology and standards will be identified and solutions to these gaps will be created if possible. At the completion of each stage a determination will be made as to whether or not it is feasible to continue. The building block will be developed in the following stages: Stage 0 Establish SWID Tag Environment Prepare an environment for deployment and management of SWID Tag Data. Development Approach Development at this stage will focus on demonstrating two capabilities for supported platforms: a managed SWID tag installation environment and installer support for deploying SWID tags. Management of Installed SWID Tags This capability will focus on establishing an environment on each endpoint platform for storage of installed SWID tag data. This environment is illustrated in Figure 1. During software installation, installers will deploy SWID tag information for the installed software to the SWID tag data store. This data store is typically the directory identified by the SWID tag specification. For platforms that do not have an identified location, alternate storage mechanisms will be used. In developing this capability, platform-specific security Figure 1 - Stage 0 Architecture mechanisms will be identified to protect the SWID data from tampering and unauthorized access. Techniques will be identified to maintain and verify the integrity of stored data and limit access to read and modify SWID tags to authorized processes and users. Installation environments will: Endpoint Installation Environment Filesystem SWID Tag Data Store Limit write and modify access to the stored SWID tag data to installation processes Limit read access to the stored SWID tag data to installation processes and processes that require access to SWID tag information Deployment of SWID Tag Data During Software Installation During software installation, the software installer is responsible for deployment of SWID tag information to the SWID tag data store. Development in this area will demonstrate that the appropriate capabilities are present in installers to manage the deployment and maintenance of SWID tags. Continuous Monitoring Building Block Software Asset Management 6

216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 Installers will: Deploy SWID tag data to the SWID tag data store for installed software and software deltas (e.g., patches, updates) Clean up any legacy SWID tag data for software that is uninstalled or upgraded during the installation process Outcomes Maintain an accurate accounting of installed software utilizing SWID tags Uphold or improve the assurance of an endpoint s effective trusted computing base; endpoint SAM processes must not degrade endpoint security assurance Stage 1 Publish Installed SWID Tag Data While SWID tag information in an endpoint s SWID tag data store is useful to capabilities implemented on the endpoint, being able to share this information with external capabilities enables the same information to be used in support of a variety of enterprise business, operational and security processes. Development Approach Prerequisite: Stage 0 Establish SWID Tag Environment During this stage, development will focus on Policy Server Endpoint using the standardized transports provided by Software Inventory Installation the TNC standards. By demonstrating Database Environment capabilities based on these standards, SWID Filesystem tag data can be used to communicate accurate SWID Tag SWID Data software inventory information across a secure Data Store channel for software installed on an endpoint. This exchange, depicted in Figure 2, will be between a SWID collector on the endpoint and Figure 2 - Stage 1 Architecture a policy server that will receive the published SWID tag data. Two modes of exchange must be supported: collector initiated publication of full or incremental SWID data and policy server initiated requests for specific SWID tag data. Regardless of the mode of exchange, the policy server will interact with the SWID collector on an endpoint device to access current and ongoing updates of SWID tag data. The policy server will maintain historic information for the software inventory of each endpoint it manages. Techniques will be identified to secure historic SWID tag data over the long-run. The SWID collector will: Support publication of SWID data based on the Endpoint Compliance Profile using the SWID Message and Attributes for IF-M specification which provides a standardized interface for messaging Continuous Monitoring Building Block Software Asset Management 7

254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 Support publishing of full and incremental, event-driven SWID data to a policy server The policy server will: Receive exchanged SWID data Store published SWID tag data for future retrieval, analysis, and possible automated or manual policy decision making and action Outcomes Provide organizational visibility into endpoint device software inventory supporting security and operational, risk-based decision making Enable identification of vulnerabilities associated with software throughout the lifecycle of installed software Maintain a comprehensive, up-to-date view of the state of software installed on endpoints using an enterprise data store Actively monitor software changes on one or more endpoints Enforce enterprise policies based on missing patches or the presence of unapproved software Stage 2 Media Verification Using SWID Tags Media tampering is a significant attack vector presenting challenges for both software publishers and consumers. One of the benefits of a SWID tag is that it can be used to authenticate the publisher and verify the integrity of installation media. This enables install-time verification of the software media providing greater software assurance at the point of install. Development Approach Prerequisite: Stage 0 Establish SWID Tag Environment Development of this capability augments installation by enabling verification of installation media using a media tag. A media tag is a variant of a SWID tag that is bundled with the software installation media. The media can be an optical disk (e.g., DVD, BluRay), a shared network resource or a downloadable installation package. A media tag contains information that identifies the installation media, the software revision to be installed, and a file manifest containing paths and cryptographic hashes for each component of the software media. This collection of information can be signed using the XMLDSig standard which supports use of x.509 certificates. Processing of installation media in this stage requires inclusion of the SWID media tag within the media. Installation environments will support: Verification of the XML digital signature, including validating the certificate included in the signature based on a collection of available trusted root certificates Continuous Monitoring Building Block Software Asset Management 8

292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 Verification of the installation media based on the file manifest and associated cryptographic hashes Outcomes Provide assurance that software installation media is authentic based on digital signatures and cryptographic hashes Verify the integrity of installation media as a precursor to software installation Enable the authorization of software installation based on the identification of the publisher and product Stage 3 Execution Authorization Using Installed SWID Data By establishing greater trust and verification around the distribution and installation of software, the threat of many potential attack vectors is reduced. Once a higher degree of assurance exists that software is installed through authorized channels, policies can be enforced to limit execution to only the software that has been installed through these channels. Development Approach Prerequisite: Stage 0 Establish SWID Tag Environment Developed solutions will utilize executable Endpoint information in a SWID tag to allow or restrict Installation access to execute a program based on an Environment organizationally defined whitelist or blacklist. To Filesystem support this, the execution environment will SWID Tag access installed SWID data, illustrated in Figure Data Store 3. These solutions will verify the integrity of the executable prior to execution using the cryptographic hash information associated with the executable in the SWID tag s package footprint. If this verification fails, then the execution will be prevented. Additional policies may be employed to restrict execution privileges for specific users based on available SWID tag data. These policy expressions will use normalized software identifiers and metadata attributes in the SWID tag. Outcomes SWID Data Figure 3 - Stage 3 Architecture Execution Environment Execution Authorization Capability Software execution is restricted to software installed through authorized channels Organizations can define software execution policies based on SWID tag data Policies are able to be defined and shared across multiple organizations, tools and processes Continuous Monitoring Building Block Software Asset Management 9

328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 Stage 4 Network-Based Policy Enforcement Based on SWID Information Controlling access to network resources enables organizations to ensure that the state of an endpoint is acceptable at the time of connection and on an ongoing basis. Detecting and evaluating the software inventory of a device is an important dimension of network access control decisions. Development Approach Prerequisite: Stage 1 Publish Installed SWID Data Demonstrated solutions will make use of a policy server to make network access control decisions. Using published information collected from the endpoint, supported by stage 1, the policy server will authorize a computing device s connection to the network. If its software inventory is found to be non-compliant, the endpoint will be segregated for remedies to be addressed or disconnected. Developed solutions will need to: Figure 4 - Stage 4 Architecture Establish TNC compliant infrastructure (e.g., policy decision point, policy enforcement point) Implement network access control based on configured software usage and patching policy Virtual local area network (VLAN) segregation of non-compliant hosts Patching on segmented VLAN Solutions will support the following workflow: 1. When connecting to a network, the endpoint will discover the policy enforcement point 2. The endpoint will publish full or updated software inventory using SWID data 3. If the published software inventory is determined not to be compliant, access will be rejected or limited according to policy. If the endpoint is compliant, it will be granted access to network resources Non-compliant endpoints will be handled according to the configured policy. If remedies can be applied the following workflow will be supported: 1. The endpoint will be relocated to a remediation VLAN 2. Patches will be downloaded and applied 3. Non-compliant software will be requested for removal 4. Once deficiencies are address, the endpoint will be re-verified and allowed access to the network Continuous Monitoring Building Block Software Asset Management 10

365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 Another supported variation will be to move the endpoint to a monitoring LAN with limited access if unapproved software is present. Outcomes Prevent endpoints from accessing network resources if installed software is not compliant with software whitelist/blacklist or patch policy Demonstrate support for a variety of mechanisms for remedy Other Possible Stages The demonstration stages defined in this document represent areas where standards and product capabilities exist or are supportive of the solution. Additional stages may be added that address other capabilities that can be enabled using these foundations. This may include dashboards that provide a network, enterprise, or organizational view of software inventory and software vulnerability information among other possibilities. Through collaboration, new areas for expansion will be identified and documented. 4. RELEVANT STANDARDS ISO/IEC 19770-2:2009, Information technology Software asset management Part 2: Software identification tag TCG TNC Endpoint Compliance Profile Version 1.0, Revision 9, 23 August 2013 TCG SWID Message and Attributes for IF-M Version 1.0, Revision 14, 23 August 2013 TCG TNC IF-IMC Version 1.3, Revision 18, 27 February 2013 TCG TNC IF-IMV Version 1.4, Revision 8, 23 August 2013 TCG TNC IF-T: Binding to TLS Version 2.0, Revision 7, 27 February 2013 TCG TNC IF-TNCCS: TLV Binding Version 2.0, Revision 16, 22 January 2010 TCG TNC IF-PEP: Protocol Bindings for RADIUS, Specification Version 1.1, February 2007 TCG PDP Server Discovery and Validation Version 1.0, Revision 9, 23 August 2013 Continuous Monitoring Building Block Software Asset Management 11

389 390 391 392 393 394 395 396 397 5. HIGH-LEVEL ARCHITECTURE The architecture for this building block, illustrated in Figure 5, depicts two distinct components: the policy server and the endpoint. The endpoint represents the computing device for which the software inventory is monitored. The policy server is the point of publication for software inventory data generated at the computing device. It is expected that multiple computing devices will interact with a single policy server. Organizations may choose to implement multiple policy servers responsible for maintaining software inventory data for a network, office, data center or other organizational scope. 398 399 400 401 402 Figure 5 - Building Block Architecture The diagram, illustrated in Figure 6, represents the TNC architecture that is used to transport software inventory data and to support network access control functionality supported by this building block. 403 404 Figure 6 - TNC Architecture Continuous Monitoring Building Block Software Asset Management 12

405 406 407 408 409 410 411 412 413 414 415 416 In this diagram the endpoint is the Access Requestor (AR) and the policy server is the Policy Decision Point (PDP). Access control is enforced by the Policy Enforcement Point (PEP) which is typically a network device (e.g., wireless access point, switch, firewall). 6. COMPONENT LIST Network infrastructure devices (e.g., routers, switches, firewalls) o Vendor provided o Either physical or virtualized Operating system virtualization cluster o Various operating system installations (e.g., Windows, OS X, Linux) o Virtualization hardware o Virtualization stack Application software Continuous Monitoring Building Block Software Asset Management 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information