Automating Compliance with Security Content Automation Protocol

Automating Compliance with Security Content Automation Protocol presented by: National Institute of Standards and Technology

Agenda Information Security Current State Security Content Automation Protocol Introduction Current Stakeholders Use Cases Validation Program Background and Status Possible Future Directions for SCAP Summary

Current State Security Operations Governance Body Compliance Management Vulnerability Management Configuration Management Asset Management Audit Team OCIO Compliance Management Vulnerability Management Configuration Management Asset Management Standards Body Vulnerability + Threat Increased annual vulnerabilities Increased zero day attacks Decreased exploit timelines Continued mis-configuration Continued exfiltration Continued weak links Operations Team Product Provider Service Provider

What is SCAP? How Standardizing the format by which we communicate What Standardizing the information we communicate Protocol Content CVE OVAL CVSS http://nvd.nist.gov CPE SCAP XCCDF CCE 70 million hits per year 20 new vulnerabilities per day, over 6,000 per year Mis-configuration cross references Reconciles software flaws from US CERT and MITRE repositories Produces XML feed for NVD content

Convergent Evolution of Post-Compilation Software Maintenance 2008: NVD will become production-ready for SCAP version 1.0 2007: OMB mandates use of SCAP validated tools for assessing Federal Desktop Core Configuration (FDCC) 2007: NCP legacy checklists become available through NVD Web site 2007: NCP promotes SCAP as the preferred format for all new checklists 2006-07: Announcements that the following guidelines will be available in SCAP format: DISA Security Technical Implementation Guides (STIG) JTF-GNO Information Assurance Vulnerability Management (IAVM) alerts RedHat Security Guides 2006: NVD becomes reference data for SCAP 2006: SCAP reaches Beta formulation with publication of the NIST Draft Interagency Report (IR) 7343 2005: icat becomes NVD 2002: NCP established through Cyber Security R&D Act of 2002 1999: icat established 2008 2007 2006 2005 2004 2003 2002 NVD SCAP NCP

National Checklist Program Hosted at National Vulnerability Database Website

How SCAP Works Report Checklist XCCDF Platform CPE Misconfiguration CCE General Impact CVSS Software Flaw CVE General Impact CVSS Specific Impact CVSS Results Specific Impact CVSS Results Commercial Government Tools Test Procedures OVAL Patches OVAL

Linking Configuration to Compliance Keyed on SP800-53 <Group id="ia-5" hidden="true"> Security Controls <title>authenticator Management</title> <reference>iso/iec 17799: 11.5.2, 11.5.3</reference> <reference>nist 800-26: 15.1.6, 15.1.7, 15.1.9, 15.1.10, 15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3</reference> <reference>gao FISCAM: AC-3.2</reference> Traceability to Mandates <reference>dod 8500.2: IAKM-1, IATS-1</reference> <reference>dcid 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference> </Group> <Rule id="minimum-password-length" selected="false" weight="10.0"> <reference>cce-100</reference> <reference>disa STIG Section 5.4.1.3</reference> <reference>disa Gold Disk ID 7082</reference> <reference>pdi IAIA-12B</reference> <reference>800-68 Section 6.1 - Table A-1.4</reference> <reference>nsa Chapter 4 - Table 1 Row 4</reference> <requires idref="ia-5"/> [pointer to OVAL test procedure] </Rule> Rationale for security configuration Traceability to Guidelines

Federal Risk Management Framework SP 800-37 / SP 800-53A Monitor Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness SP 800-37 Authorize Information System Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation SP 800-53A Assess Security Controls Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements) Starting Point FIPS 199 / SP 800-60 Categorize Information System Define criticality /sensitivity of information system according to potential impact of loss SP 800-70 Implement Security Controls Implement security controls; apply security configuration settings FIPS 200 / SP 800-53 Select Security Controls Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate SP 800-53 / SP 800-30 Supplement Security Controls Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence SP 800-18 Document Security Controls Document in the security plan, the security requirements for the information system and the security controls planned or in place

Integrating IT and IT Security Through SCAP Common Vulnerability Enumeration Common Platform Enumeration Common Configuration Enumeration extensible Checklist Configuration Description Format Open Vulnerability and Assessment Language Common Vulnerability Scoring System Vulnerability Management CVE OVAL CVSS Misconfiguration Asset Management CPE SCAP CCE Configuration Management XCCDF Compliance Management

Agility in a Digital World Organization One Information System Business / Mission Information Flow Organization Two Information System System Security Plan Security Assessment Report Plan of Action and Milestones Security Information System Security Plan Security Assessment Report Plan of Action and Milestones Determining the risk to the first organization s operations and assets and the acceptability of such risk Determining the risk to the second organization s operations and assets and the acceptability of such risk The objective is to achieve visibility into prospective business/mission partners information security programs BEFORE critical/sensitive communications begin establishing levels of security due diligence and trust.

Stakeholder and Contributor Landscape: Industry Product Teams and Content Contributors Ai Metrix

Stakeholder and Contributor Landscape: Federal Agencies SCAP Infrastructure, Beta Tests, Use Cases, and Early Adopters DHS NSA OSD DOJ Army OMB IC DISA EPA NIST DOS

Use Case: The Office of Secretary of Defense Computer Network Defense Data Pilot CND Data Model Overview IP CPE Vuln Asset Config IDs Env Info HW SW net CPE CCE IP MAC EIN FQDN cert owner MAC location IP CPE location Category DHCP Event IP Vulnerability CVSS Remedy CCE CVE CPE MAC Event NAT Event IP CPE CVE CCE Sig Event CVE CPE CEE Event IP/MAC CPE CVE CCE CPE Event IP CPE Assessment Incident Threat IDs Technique Exploit Actor IP Actor Asset IP IP CPE CME CVE Vuln CME Exploit Vuln CME Anomaly Evnt CEE Flow Event IP Log Event CEE

Use Case: The Office of Management and Budget Federal Desktop Core Configuration OMB 31 July 2007 Memo to CIOs: Establishment of Windows XP and VISTA Virtual Machine and Procedures for Adopting the Federal Desktop Core Configurations As we noted in the June 1, 2007 follow-up policy memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations, a virtual machine would be established to provide agencies and information technology providers access to Windows XP and VISTA images. The National Institute of Standards and Technology (NIST), Microsoft, the Department of Defense, and the Department of Homeland Security have now established a website hosting the virtual machine images, which can be found at: http://csrc.nist.gov/fdcc. Your agency can now acquire information technology products that are self-asserted by information technology providers as compliant with the Windows XP & VISTA FDCC, and use NIST s Security Content Automation Protocol (S-CAP) to help evaluate providers self-assertions. Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations.

SCAP Validation Labs and Products Validated Products: 5 vendors 6 products 7 capabilities-based validations 2 standards-based validations Accredited Laboratories: Electronic Warfare Associates (EWA) Canada ICSA Labs - an independent division of Verizon Business Science Applications International Corporation (SAIC) ATSEC Information Security Corporation COACT Incorporated, CAFE Laboratory

SCAP Validation In-Progress and Potential

Where Can SCAP Go? Continue to reduce the boundary between written specifications and action Expand to implementation and remediation of vulnerabilities and security configurations Extend into additional security technologies (e.g., IDS/IPS, firewall) and into other IT technologies (e.g., asset and configuration management) We are open to additional use cases

Summary SCAP gives us a transparent, interoperable, repeatable, and ultimately automated way to assess security software flaws and misconfiguration in the enterprise Efficiencies gained through SCAP give our IT security teams additional cycles to address other important aspects of IT security By linking compliance to configuration, SCAP makes compliance reporting a byproduct of good security, allowing IT security teams to focus on securing the enterprise

More Information National Checklist Program National Vulnerability Database SCAP Checklists http://checklists.nist.gov http://nvd.nist.gov or http://scap.nist.gov SCAP Capable Products SCAP Events NIST FDCC Web Site http://fdcc.nist.gov FDCC SCAP Checklists FDCC Settings Virtual Machine Images Group Policy Objects NIST SCAP Mailing Lists Scap-update@nist.gov Scap-dev@nist.gov Scap-content@nist.gov

Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Steve Quinn Peter Mell (301) 975-6967 (301) 975-5572 stephen.quinn@nist.gov mell@nist.gov Karen Scarfone Murugiah Souppaya (301) 975-8136 (301) 975-4758 karen.scarfone@nist.gov murugiah.souppaya@nist.gov Matt Barrett Information and Feedback (301) 975-3390 Web: http://scap.nist.gov matthew.barrett@nist.gov Comments: scap-update@nist.gov

Additional Information

Current State: Compliance and Configuration Management FISMA HIPAA SOX DCID COMSEC 97 DoD ISO Vendor 3 rd Party SP 800-53 Title III??? DCID6/3 NSA Req DoD IA Controls 17799/ 27001 Compliance Management SP 800-68 Security Agency Guides NSA Guides DISA STIGS & Checklists??? Guide Guide Finite Set of Possible Known IT Risk Controls & Application Configuration Options Agency Tailoring Mgmt, Operational, Technical Risk Controls Windows XP SP1 SP2 Enterprise Mobile Stand Alone SSLF High Moderate Low Millions of settings to manage Configuration Management OS or Application Version/ Role Major Patch Level Environment Impact Rating or MAC /CONF

Current State: Vulnerability Trends 9,000 8,000 7,000 6,000 5,000 4,000 3,000 2,000 1,000 0 CERT/CC NVD OSVDB Symantec 2001 2002 2003 2004 2005 2006 A 20-50% increase over previous years Decreased timeline in exploit development Increased prevalence of zero day exploits Three of the SANS Top 20 Internet Security Attack Targets 2006 were categorized as configuration weaknesses. Many of the remaining 17 can be partially mitigated via proper configuration.

Security Content Automation Protocol (SCAP) Standardizing How We Communicate CVE Common Vulnerability Enumeration Standard nomenclature and dictionary of security related software flaws CCE Common Configuration Enumeration Standard nomenclature and dictionary of software misconfigurations CPE Common Platform Enumeration Standard nomenclature and dictionary for product naming XCCDF extensible Checklist Configuration Description Format Standard XML for specifying checklists and for reporting results of checklist evaluation OVAL Open Vulnerability and Assessment Language Standard XML for test procedures Cisco, Qualys, Symantec, Carnegie Mellon University CVSS Common Vulnerability Scoring System Standard for measuring the impact of vulnerabilities

Existing Federal Content Standardizing What We Communicate In response to NIST being named in the Cyber Security R&D Act of 2002 Encourages vendor development and maintenance of security guidance Currently hosts 114 separate guidance documents for over 141 IT products Translating this backlog of checklists into the Security Content Automating Protocol (SCAP) Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements, ThreatGuard, MITRE Corporation, G2, Verisign, Verizon Federal, Kyocera, Hewlett-Packard, ConfigureSoft, McAfee, etc. Over 70 million hits per year 29,000 vulnerabilities About 20 new vulnerabilities per day Mis-configuration cross references to: NIST SP 800-53 Security Controls (All 17 Families and 163 controls) DoD IA Controls DISA VMS Vulnerability IDs Gold Disk VIDs DISA VMS PDI IDs NSA References DCID ISO 17799 Reconciles software flaws from: US CERT Technical Alerts US CERT Vulnerability Alerts (CERTCC) MITRE OVAL Software Flaw Checks MITRE CVE Dictionary Produces XML feed for NVD content

SCAP Validation Program Capabilities Capability FDCC SCAP CVE CCE CPE XCCDF OVAL CVSS FDCC Scanner X X X X X X X X Authenticated Configuration Scanner X X X X X X Authenticated Vulnerability and Patch Scanner X X X X X Unauthenticated Vulnerability Scanner X X X X Intrusion Detection/Prevention Systems X X X X Patch Remediation X X X X Mic-Configuration Remediation X X X X Asset Management X X X Asset Database X X X Vulnerability Database X X X X Mis-Configuration Database X X X X Malware Tool X X X X NOTE: Xs indicate some degree of testing, but not necessarily all-inclusive testing, for the indicated standard NOTE: Grey font indicates capabilities that are not yet available for test

SCAP Value Feature Standardizes how computers communicate vulnerability information the protocol Standardizes what vulnerability information computers communicate the content Based on open standards Uses configuration and asset management standards Applicable to many different Risk Management Frameworks Assess, Monitor, Implement Detailed traceability to multiple security mandates and guidelines Keyed on NIST SP 800-53 security controls Benefit Enables interoperability for products and services of various manufacture Enables repeatability across products and services of various manufacture Reduces content-based variance in operational decisions and actions Harnesses the collective brain power of the masses for creation and evolution Adapts to a wide array of use cases Mobilizes asset inventory and configuration information for use in vulnerability and compliance management Reduces time, effort, and expense of risk management process Automates portions of compliance demonstration and reporting Reduces chance of misinterpretation between Inspector General/ auditors and operations teams Automates portions of FISMA compliance demonstration and reporting