An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance


An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance
Presented by: John Banghart, Booz Allen Hamilton, SCAP Validation Project Lead

Thoughts on Current State of Vulnerability and Configuration Management
- Automation and communication are normally limited to a single discipline: vulnerability, compliance, configuration, and asset management remain compartmentalized
- Automation and communication usually occur through proprietary methods; therefore data sharing, analysis, aggregation, etc. are typically only possible within a product line
- Increasing number of mandates means an increasing number of frameworks, standards, regulations, and guidelines; sometimes these documents conflict
- Relatively static number of security configurations
- Increasing number and complexity of vulnerabilities and threats

Agenda
- Overview of the Security Content Automation Protocol (SCAP)
- Overview of the SCAP Standards
- SCAP Validation Program
- SCAP Use Cases

A Definition of SCAP
SCAP is a suite of vulnerability management standards that together enable standardization and automation of vulnerability management, measurement, and technical policy compliance checking, along with enhanced product and database integration capabilities with machine-readable reporting.
(Diagram: SCAP components grouped as Languages and Enumerations.)

Security Content Automation Protocol (SCAP): Standardizing How We Communicate
- CVE, Common Vulnerability Enumeration: standard nomenclature and dictionary of security-related software flaws
- CCE, Common Configuration Enumeration: standard nomenclature and dictionary of software misconfigurations
- CPE, Common Platform Enumeration: standard nomenclature and dictionary for product naming
- XCCDF, eXtensible Checklist Configuration Description Format: standard XML for specifying checklists and for reporting results of checklist evaluation
- OVAL, Open Vulnerability and Assessment Language: standard XML for test procedures
- CVSS, Common Vulnerability Scoring System: standard for measuring the impact of vulnerabilities

Integrating IT and IT Security Through SCAP
(Diagram labels: Vulnerability Management, CVE, Misconfiguration, OVAL, CVSS, Asset Management, CPE, SCAP, CCE, Configuration Management, XCCDF, Compliance Management.)

Linking Configuration to Compliance

Keyed on SP 800-53 security controls (traceability to mandates):

  <Group id="ia-5" hidden="true">
    <title>Authenticator Management</title>
    <reference>ISO/IEC 17799: 11.5.2, 11.5.3</reference>
    <reference>NIST 800-26: 15.1.6, 15.1.7, 15.1.9, 15.1.10, 15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3</reference>
    <reference>GAO FISCAM: AC-3.2</reference>
    <reference>DoD 8500.2: IAKM-1, IATS-1</reference>
    <reference>DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference>
  </Group>

Rule giving the rationale for a security configuration (traceability to guidelines), tied to the control group through <requires>:

  <Rule id="minimum-password-length" selected="false" weight="10.0">
    <reference>CCE-100</reference>
    <reference>DISA STIG Section 5.4.1.3</reference>
    <reference>DISA Gold Disk ID 7082</reference>
    <reference>PDI IAIA-12B</reference>
    <reference>800-68 Section 6.1 - Table A-1.4</reference>
    <reference>NSA Chapter 4 - Table 1 Row 4</reference>
    <requires idref="ia-5"/>
    <!-- pointer to OVAL test procedure -->
  </Rule>


SCAP Enumerations and Benefits
- Enable faster, more accurate correlation
- Facilitate information exchange
  - Requirements: what do we need to check for?
  - Reporting: what did we find?
  - Roll-up: how do standard elements map to local needs?
- Allow increased automation
- Diverse tools can share input and output

Enumerated Entities in SCAP
- CVE - Vulnerabilities
- CCE - Configuration Settings
- CPE - Platforms

Common Vulnerability Enumeration (CVE)
Definition: CVE is a format to describe publicly known information security vulnerabilities and exposures. Using this format, new CVE IDs will be created, assigned, and referenced in content on an as-needed basis without a version change.
- 33,000 vulnerabilities (publicly accessible)
- Specification: http://cve.mitre.org
- Searchable Database: http://nvd.nist.gov
- XML Feeds: http://nvd.nist.gov

Common Configuration Enumeration (CCE)
Definition: CCE is a format to describe system configuration issues to facilitate correlation of configuration data across multiple information sources and tools.
- Specification: http://cce.mitre.org
- Schema Location: http://cce.mitre.org

Example CCE
Assigns standardized identifiers to configuration issues, allowing comparability and correlation.
- ID: CCE-3121-1
- Description: The "restrict guest access to application log" policy should be set correctly.
- Technical Mechanisms: (1) HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
- Parameter: enabled/disabled

Common Platform Enumeration (CPE)
Definition: CPE is a structured naming scheme for IT platforms (hardware, operating systems, and applications) for the purpose of identifying specific platform types.
- Specification: http://cpe.mitre.org
- Schema Location: http://cpe.mitre.org/specification/index.html
- Dictionary: http://nvd.nist.gov/cpe.cfm
- Mailing list: http://cpe.mitre.org/registration.html

CPE Name Format
cpe:/part:vendor:product:version:update:edition:language
- Uniform Resource Identifier (URI)
- Repeatable format: two people in different rooms will come up with the same name
- Name is built by using known information
- 7 (optional) components
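Working through the name format above (and the dictionary lookups on the next slide), as an added Python example that is not the presentation's code: a parser and builder for CPE 2.2 URIs, plus a match that treats unspecified components as wildcards. Lowercasing and percent-encoding of component values, and the sample names used in the tests, are conventions assumed here.

```python
"""Parse, build and match CPE 2.2 URI names of the form
cpe:/part:vendor:product:version:update:edition:language.

Added example, not the presentation's code. Lowercasing, percent-encoding of
component values and the sample names in the tests are conventions assumed here."""
from urllib.parse import quote, unquote

COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
PARTS = {"h": "hardware", "o": "operating system", "a": "application"}
PREFIX = "cpe:/"

def parse_cpe(name):
    """Split a CPE URI into its seven positional components. Trailing
    components may be omitted and an empty field means 'not specified';
    both come back as None."""
    if not name.startswith(PREFIX):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    raw = name[len(PREFIX):].split(":")
    if len(raw) > len(COMPONENTS):
        raise ValueError(f"more than {len(COMPONENTS)} components in {name!r}")
    raw += [""] * (len(COMPONENTS) - len(raw))  # pad omitted trailing fields
    parsed = {k: unquote(v) if v else None for k, v in zip(COMPONENTS, raw)}
    if parsed["part"] not in PARTS:
        raise ValueError(f"part must be one of {sorted(PARTS)}, got {parsed['part']!r}")
    return parsed

def is_valid_cpe(name):
    """True if `name` parses as a well-formed CPE 2.2 URI."""
    try:
        parse_cpe(name)
        return True
    except ValueError:
        return False

def build_cpe(**components):
    """Build a name from known information only: unknown components stay
    empty, trailing empties are dropped, and values are lowercased and
    percent-encoded so that two authors produce the same string."""
    unknown = set(components) - set(COMPONENTS)
    if unknown:
        raise ValueError(f"unknown CPE components: {sorted(unknown)}")
    enc = ["" if components.get(k) is None else quote(str(components[k]).lower(), safe="")
           for k in COMPONENTS]
    while enc and enc[-1] == "":
        enc.pop()
    return PREFIX + ":".join(enc)

def matches(pattern, name):
    """Does `name` fall under `pattern`? Components the pattern leaves
    unspecified match anything, so a dictionary entry for a product
    matches every version/update of that product."""
    p, n = parse_cpe(pattern), parse_cpe(name)
    return all(p[k] is None or p[k] == n[k] for k in COMPONENTS)
```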

Official CPE Dictionary
- Collection of known CPE Names
  - helps users determine which names exist
  - helps those creating new names
- Enough information to identify the platform
- Others can build more elaborate repositories based off the dictionary
- Hosted by NIST at: http://nvd.nist.gov/cpe.cfm

Security Data Without Enumerations
(Diagram labels: Web Sites, Guidance Documents, Alerts & Advisories; Assessment Tools, Management Tools, Reporting Tools.)
Data correlation and product integration is:
- Mostly manual
- Key word driven
- Costly
- Error prone
- Pair-wise between data sets
- Unscalable
Result: data is locked in proprietary repositories.

Security Data With Enumeration
(Diagram labels: Web Sites, Guidance Documents, Alerts & Advisories; Assessment Tools, Management Tools, Reporting Tools; common identifiers.)
- Community-agreed-upon tags
- Easily added to legacy repositories & tools
KEY: common identification enables correlation and product integration! Faster, more accurate, less expensive.

eXtensible Checklist Configuration Description Format (XCCDF)
Definition: XCCDF is an XML-based language for representing security checklists in a machine-readable form. An XCCDF document represents a structured collection of security checks.
Designed for three purposes:
- driving system security checking tools
- generating human-readable documents and reports
- scoring and tracking compliance
Specification: http://nvd.nist.gov/xccdf.cfm
Schema Location: http://nvd.nist.gov/xccdf.cfm

XCCDF Use Cases
(Diagram labels: Document, XCCDF, HTML, XML, Other tools, Compliance tools.)

XCCDF and Checking Engines
XCCDF does not specify platform-specific system rule checking logic. The Rule/check element contains information for driving a platform-specific checking engine.
(Diagram labels: XCCDF Benchmark; XCCDF Benchmark Compliance Tester; Tailoring values, Tests to perform; Test results; Target system; Platform-specific checking engine.)

Open Vulnerability Assessment Language (OVAL)
Definition: OVAL is an XML-based language used for communicating the details of vulnerabilities, patches, security configuration settings, and other machine states in a machine-readable form.
- Specification: http://oval.mitre.org
- Schema Location: http://oval.mitre.org/language/download/schema/version5.3/index.html

Structure of an OVAL Definition (diagram)

Common Vulnerability Scoring System (CVSS)
Definition: CVSS is a scoring system that provides an open framework for determining the impact of information technology vulnerabilities and a format for communicating vulnerability characteristics.
- Specification: http://csrc.nist.gov/publications/nistir/ir7435/nistir-7435.pdf
- SCAP CVSS Base Scores: http://nvd.nist.gov

Metrics and Scores

National Vulnerability Database CVSS calculator: http://nvd.nist.gov/cvss.cfm?calculator&version=2


SCAP Validation Program
- Provides product conformance testing for the Security Content Automation Protocol (SCAP) and the SCAP component standards
- National Voluntary Laboratory Accreditation Program
- Independent testing laboratories
- Reports validated by NIST
- http://nvd.nist.gov/validation.cfm (Validation Program)
- http://nvd.nist.gov/scapproducts.cfm (Validated Products)

SCAP Validation Capabilities

Currently being validated:
- FDCC Scanner
- Authenticated Vulnerability and Patch Scanner
- Authenticated Configuration Scanner
- Unauthenticated Vulnerability Scanner
- Mis-configuration Remediation
- Vulnerability Database
- Mis-configuration Database

Currently on list, not yet being validated:
- Intrusion Detection and Prevention Systems (IDPS)*
- Patch Remediation*
- Malware Tool*
- Asset Scanner*

SCAP Component Standards:
- Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org
- Common Configuration Enumeration (CCE): http://cce.mitre.org
- Common Platform Enumeration (CPE)*: http://cpe.mitre.org
- Common Vulnerability Scoring System (CVSS): http://www.first.org/cvss/index.html
- eXtensible Configuration Checklist Document Format (XCCDF): http://nvd.nist.gov/xccdf.cfm
- Open Vulnerability Assessment Language (OVAL): http://oval.mitre.org

* Not currently available for validation

19 SCAP Validated Products from 13 Vendors SCAP Validation Program was started February 2008

Reference Implementations
- NIST XCCDF interpreter: Java based; uses the MITRE OVAL interpreter for processing
- MITRE OVAL Interpreter: open source, BSD license


National Vulnerability Database
- NVD is the U.S. government repository of public vulnerability management information.
- It is designed to be based on and support vulnerability management standards (especially SCAP).
- It receives 69 million hits per year.
- Used by the Payment Card Industry, Federal Desktop Core Configuration, DHS, GSA Smartbuy, and security products.

NVD Program Areas
- Vulnerability Database: security-related software flaws; 33,000 vulnerabilities
- National Checklist Program: repository of low-level checklists for securing OSs and applications; 132 checklists
- Federal Desktop Core Configuration (FDCC) support
- Validation Program: product conformance to the Security Content Automation Protocol (SCAP)

National Checklist Program Hosted by the National Vulnerability Database

Computer Network Defense
Streamline and automate vulnerability and configuration management across the U.S. Department of Defense (DOD):
- Draft DOD CONOPS for SCAP
- SCAP-enable the NIST National Vulnerability Database (NVD)
- SCAP-enable the DISA Vulnerability Management System (VMS)
- Integrate NVD and VMS

Use Case: The Office of Secretary of Defense Computer Network Defense Data Pilot

NVD and DISA Vulnerability Management System Integration

Relationship between the Federal Desktop Core Configuration (FDCC) and SCAP
- FDCC: a set of configuration settings designed to secure Windows XP and Windows Vista (policy)
- SCAP: a method for representing configuration and/or vulnerability information in machine-readable format (technology)
- Together: FDCC represented in machine-readable format using SCAP (technology enabling policy)

FDCC XML Sample

  <Rule id="at.exepermissions" selected="false" weight="10.0">
    <title>at.exe Permissions</title>
    <description>Failure to properly configure ACL file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.</description>
    <reference>
      <dc:type>GPO</dc:type>
      <dc:source>Computer Configuration\Windows Settings\Security Settings\File System</dc:source>
    </reference>
    <requires idref="cm-6"/>                                   <!-- 800-53 reference -->
    <requires idref="ac-3"/>
    <ident system="http://cce.mitre.org">CCE-393</ident>       <!-- CCE -->
    <check system="http://oval.mitre.org/xmlschema/oval-definitions-5">   <!-- OVAL -->
      <check-content-ref href="fdcc-winxp-oval.xml" name="oval:gov.nist.fdcc.xp:def:129"/>
    </check>
  </Rule>
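Reading the traceability out of Rules like the one above and the minimum-password-length/ia-5 fragment from the "Linking Configuration to Compliance" slide, as an added Python example (not the presentation's or NIST's code): it maps each Rule to its CCE, its SP 800-53 control Groups and its OVAL check, then rolls OVAL results up to controls so compliance status falls out of the configuration checks. The Benchmark wrapper, the cm-6/ac-3 group titles and the oval:example:def:1 check id are assumptions; the rest follows the slides.

```python
"""Read configuration-to-compliance traceability out of XCCDF Rules and roll
OVAL results up to the SP 800-53 control Groups the Rules require.
Added example; the Benchmark wrapper, the cm-6/ac-3 titles and the
oval:example:def:1 check id are assumptions, the rest follows the slides."""
import xml.etree.ElementTree as ET

CCE_SYSTEM = "http://cce.mitre.org"

BENCHMARK = """<Benchmark>
  <Group id="ia-5" hidden="true"><title>Authenticator Management</title></Group>
  <Group id="cm-6" hidden="true"><title>Configuration Settings</title></Group>
  <Group id="ac-3" hidden="true"><title>Access Enforcement</title></Group>
  <Rule id="minimum-password-length" selected="false" weight="10.0">
    <requires idref="ia-5"/>
    <ident system="http://cce.mitre.org">CCE-100</ident>
    <check system="http://oval.mitre.org/xmlschema/oval-definitions-5">
      <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="at.exepermissions" selected="false" weight="10.0">
    <requires idref="cm-6"/>
    <requires idref="ac-3"/>
    <ident system="http://cce.mitre.org">CCE-393</ident>
    <check system="http://oval.mitre.org/xmlschema/oval-definitions-5">
      <check-content-ref href="fdcc-winxp-oval.xml" name="oval:gov.nist.fdcc.xp:def:129"/>
    </check>
  </Rule>
</Benchmark>"""

def rule_traceability(benchmark_xml=BENCHMARK):
    """Map each Rule id to its CCE, the control Groups it requires (with
    titles) and the OVAL definition that implements its check."""
    root = ET.fromstring(benchmark_xml)
    groups = {g.get("id"): g.findtext("title") for g in root.iter("Group")}
    rules = {}
    for rule in root.iter("Rule"):
        cces = [i.text for i in rule.findall("ident") if i.get("system") == CCE_SYSTEM]
        ref = rule.find("check/check-content-ref")
        rules[rule.get("id")] = {
            "cce": cces[0] if cces else None,
            "controls": {r.get("idref"): groups.get(r.get("idref")) for r in rule.findall("requires")},
            "oval_definition": ref.get("name") if ref is not None else None,
        }
    return rules

def control_status(oval_results, benchmark_xml=BENCHMARK):
    """Roll OVAL results ("true" = compliant, "false" = not) up to controls: fail
    if any requiring Rule failed, pass only if every one passed, else "unknown"."""
    verdicts = {}
    for rule in rule_traceability(benchmark_xml).values():
        for control in rule["controls"]:
            verdicts.setdefault(control, set()).add(oval_results.get(rule["oval_definition"]))
    return {c: "fail" if "false" in v else "pass" if v == {"true"} else "unknown"
            for c, v in verdicts.items()}
```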

Summary
- SCAP gives us a transparent, interoperable, repeatable, and ultimately automated way to assess security software flaws and misconfiguration in the enterprise
- Efficiencies gained through SCAP give our IT security teams additional cycles to address other important aspects of IT security
- By linking compliance to configuration, SCAP makes compliance reporting a byproduct of good security, allowing IT security teams to focus on securing the enterprise

Questions?
Presenter: John Banghart, SCAP Validation Project Lead
John.banghart@nist.gov
Banghart_john@bah.com
- SCAP Homepage: http://nvd.nist.gov/scap.cfm
- SCAP Validation Tools: http://nvd.nist.gov/scapproducts.cfm
- SCAP Validation Homepage: http://nvd.nist.gov/validation.cfm
- National Vulnerability Database: http://nvd.nist.gov