Security Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities. Sean Barnum, sbarnum@mitre.org, September 2011
Overview
- What is SCAP?
- Why SCAP?
- How can SCAP be leveraged for the Common Criteria?
- A proposed approach for integrating SCAP into the domain of Common Criteria
Security Content Automation Protocol

A protocol leveraging a suite of seven pre-existing open specifications that standardize the format and nomenclature by which security software communicates information about software flaws and security configurations. It defines how these specifications are used in concert for the following activities:
- vulnerability and patch management
- secure configuration management
- policy compliance evaluation
- asset inventorying
- detecting system compromise

Motivating factors:
- Number and variety of systems to secure
- Need to respond quickly to new threats
- Lack of interoperability
- Complexity of guidance
- Number of security-related configuration settings
- Need to verify the security posture regularly

"SCAP was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise." (NIST SP 800-117)
SCAP Components

| Component | Full name | Role | Description |
|---|---|---|---|
| CVE | Common Vulnerabilities and Exposures | Naming | Standard nomenclature and dictionary of security-related software vulnerabilities |
| CCE | Common Configuration Enumeration | Naming | Standard nomenclature and dictionary of software configurations |
| CPE | Common Platform Enumeration | Naming | Standard nomenclature and dictionary for product naming |
| XCCDF | eXtensible Configuration Checklist Description Format | Expressing | Standard XML for specifying checklists and for reporting results of checklist evaluation |
| OVAL | Open Vulnerability and Assessment Language | Assessing | Standard XML for system test procedures |
| OCIL | Open Checklist Interactive Language | Assessing | Standard XML for expressing questions to an end user |
| CVSS | Common Vulnerability Scoring System | Scoring | Standard for measuring the impact of vulnerabilities |
Layering the Security Automation Standards (figure: the standards stacked in layers, from policy at the top, answering "what?" and "why?", down to assessment at the bottom; labels visible include CCSS, Assess and OCIL)
Putting it Together

Inventory Management
- Universal identifiers for software (CPE)
- Language for testing procedures for software presence (OVAL/OCIL)

Vulnerability Management
- Universal identifiers for vulnerabilities (CVE)
- Scoring system for vulnerabilities (CVSS)
- Assessment language for checking for vulnerabilities (OVAL)

Configuration Policy
- Universal identifiers for configurable controls (CCE)
- Language for testing procedures for configuration compliance (OVAL/OCIL)
- Language for organized configuration structuring and tailoring (XCCDF)

2011 The MITRE Corporation. All rights Reserved.
SCAP-enabled Tools are Available Today
- SCAP is not some vague, future promise
- Over 40 vendors have tools certified as SCAP compatible
- Large amounts of freely available content exist
- Widely deployed in U.S. Government enclaves using a variety of vendors since 2007
Current SCAP-Validated Vendors (slide shows vendor logos; logos are trademarked by their respective corporations)

The list of validated vendors and products is available at http://nvd.nist.gov/scapproducts.cfm. Information current as of January 28, 2011.
Making Security Measurable standards landscape (figure, shown twice: once in the CYBEX context and once for the "SCAP Security Automation Tools" use case). The figure groups the standards under "Weaknesses, Vulnerabilities, & State", "Events, Incidents, & Heuristics", "Information Exchange Schema" and "Application Specific Extensions". Standards shown:
- CPE: Common Platform Enumeration
- XCCDF: eXtensible Configuration Checklist Description Format
- CCE: Common Configuration Enumeration
- OVAL: Open Vulnerability and Assessment Language
- ARF: Assessment Result Format
- CVSS: Common Vulnerability Scoring System
- CVE: Common Vulnerabilities and Exposures
- IODEF: Incident Object Description Exchange Format
- CWSS: Common Weakness Scoring System
- CWE: Common Weakness Enumeration
- CAPEC: Common Attack Pattern Enumeration and Classification
- CEE: Common Event Expression
Status of ITU-T Recommendations

| X-series | Title | ITU-T Status | Planned Determination |
|---|---|---|---|
| X.1500 | Cybersecurity Information Exchange (CYBEX) Techniques | Final | Dec 2010 |
| X.1520 | Common Vulnerabilities and Exposures | Final | Dec 2010 |
| X.1521 | Common Vulnerability Scoring System | Final | Dec 2010 |
| X.cwe | Common Weakness Enumeration | Final | Aug 2011 |
| X.oval | Open Vulnerability and Assessment Language | Draft | Aug 2011 |
| X.cce | Common Configuration Enumeration | Draft | Aug 2011 |
| X.capec | Common Attack Pattern Enumeration and Classification | Draft | Feb 2012 |
| X.maec | Malware Attribute Enumeration and Classification | Draft | 2012 |
| X.cwss | Common Weakness Scoring System | Draft | 2012 |
| X.cee | Common Event Expression | Draft | 2012 |
| X.cpe | Common Platform Enumeration | Draft | 2012 |
| X.arf | Asset Reporting Format | Draft | 2012 |
| X.xccdf | Extensible Configuration Checklist Description Format | Draft | 2012 |
SCAP For Product Consumers (SP 800-117)
- Organizations should use security configuration checklists that are expressed using SCAP to improve and monitor their systems' security.
- Organizations should take advantage of SCAP to demonstrate compliance with high-level security requirements that originate from mandates, standards, and guidelines.
- Organizations should use SCAP for vulnerability measurement and scoring.
- Organizations should acquire and use SCAP-validated products.
SCAP For Product Vendors (SP 800-117)

Product Names
- Provide CPE names for all products

Configuration Controls
- Each security-relevant configuration control is assigned a CCE through a federated CCE creation process

Secure Configuration Baselines
- Develop configuration checks to confirm that a system is running under the specified secure configuration
- Use XCCDF and OVAL to allow for machine-interpretable content
- Use CPE and CCE to allow for platform targeting and data correlation

Security Advisories
- Incorporate CVEs in the initial vulnerability alert
- Assign CVSS scores to vulnerabilities
- Include OVAL Definitions as a standardized, machine-interpretable check for the issue
- Include CPE Names for affected software

Support Automated System Integrations
- Develop systems that can be assessed
- Provide OVAL extensions for new platforms
SANS: 20 Critical Security Controls (a.k.a. CAG)
- Goal: transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through, enabling agreement between those responsible for compliance and those responsible for security.
- The Top 20 Controls were developed by a consortium including the US NSA, US-CERT, US DoD, the US Department of Energy nuclear laboratories, the US Department of State, and industry experts.
- Automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness.
- The US Department of State's iPost demonstrated more than an 80% reduction in "measured" security risk.
http://www.sans.org/critical-security-controls/
SANS: 20 Critical Security Controls (a.k.a. CAG)

Critical Controls subject to automated collection, measurement, and validation (SCAP enables this automation):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
http://www.sans.org/critical-security-controls/
SCAP Supports International Drivers
- SCAP and its targeted use cases are not just driven by US needs; SCAP also supports numerous international drivers:
- Commercial industry mandates such as the Payment Card Industry Data Security Standard (PCI-DSS) Requirement 6
- ISO security process and practices standards such as the 27000 series
- ITU security information structure and exchange recommendations such as the X.1000, X.1100, X.1200 and X.1500 series
- In-development standards and mandates surrounding supply chain security
- Etc.
It's Not Only About Discrete Specification and Assessment

Inventory Management
- Universal identifiers for software (CPE)
- Language for testing procedures for software presence (OVAL/OCIL)

Vulnerability Management
- Universal identifiers for vulnerabilities (CVE)
- Scoring system for vulnerabilities (CVSS)

Configuration Policy
- Universal identifiers for configurable controls (CCE)
- Language for testing procedures for configuration compliance (OVAL/OCIL)
- Language for organized configuration structuring and tailoring (XCCDF)
Continuous Monitoring

"Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." (NIST SP 800-137)

A result of numerous events coming together:
- SANS Top 20 Critical Controls (CAG)
- US OMB FISMA Reporting Memo (M-10-15)
- iPost: Implementing Continuous Risk Monitoring at the DoS

Continuous monitoring provides a foundation for many IA activities: IT security reporting, vulnerability management, inventory management, etc.

"Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and other agency management all need to have different levels of this information presented to them in ways that enable timely decision making. To do this, agencies need to automate security-related activities, to the extent possible, and acquire tools that correlate and analyze security-related information. Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools." (OMB memo M-10-15)
CAESARS & Standards

CAESARS: Continuous Asset Evaluation, Situational Awareness, and Risk Scoring - Reference Architecture (figure: Sensor, Database/Analytics and Presentation subsystems; standardized tasking flows down and standardized results flow up, with each interface annotated by the SCAP components it carries: CPE, CCE, CVE, CVSS, OVAL, XCCDF)
http://www.dhs.gov/xlibrary/assets/fns-caesars.pdf
Comply to Connect: SCAP and TNC Integration
- Network Access Control (NAC) is seen as a key enabling technology for several of the SANS Top 20 Critical Security Controls.
- SCAP provides a set of standard data formats that can be used to describe desired system configurations.
- Trusted Network Connect (TNC) provides a standards-based NAC solution.
- SCAP and TNC can be used together to provide a complete standards-based approach.
Coordinated Security (figure: a Metadata Access Point (MAP) linked via the IF-MAP protocol to endpoint security (via NAC), SIM/SEM, asset management systems, IPAM, physical security, ICS/SCADA security, AAA, routing, switching, wireless, firewalls, servers or IDS, and cloud security)
Copyright 2011 Trusted Computing Group. Other names and brands are properties of their respective owners.

Coordinated Security & NAC Together (figure: the TNC architecture with its Access Requestor (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP), and sensors and flow controllers)

TNC and SCAP Together (figure: the same TNC architecture with three SCAP elements added: SCAP client software, SCAP analysis software, and an SCAP external scanner)
SCAP Value for the Common Criteria

Inventory Management
- Evaluators: clear understanding of 3rd-party components in the TOE
- Consumers: clear understanding of which systems are deployed and whether those systems are the same ones that were evaluated

Vulnerability Management
- Vendors: ensure all TOE 3rd-party components are patched before submitting for evaluation
- Evaluators: test for known vulnerabilities in TOE 3rd-party components

Configuration Policy
- Vendors: secure configuration specification for products to be evaluated
- Evaluators: ensure the product is being evaluated as intended
- Consumers: secure configuration compliance to ensure the operational system is still the same as the one that was evaluated
Paralleling the TNC/SCAP Approach for CC Evaluated Products
- Common Criteria evaluated products are trusted to operate in the deployed environment
- A standard secure configuration baseline is defined as part of the CC evaluation
- Continuously monitor the configuration state of the deployed product
- If the configuration changes from the standard baseline (i.e. the product running is no longer the product that was evaluated), report an alert, revoke operation privileges for the product and/or remove it from the network
SCAP and NIAP Integration Overview
- MITRE developed a white paper that describes the logical ways in which to integrate SCAP into NIAP.
  - Shared the paper with the firewall protection profile group.
  - Briefed the firewall protection profile group during RSA.
  - Could be added to emerging profiles as they are ready.
- Motivation: SANS Top 20, Continuous Monitoring, DHS Cyber Ecosystem
  - Enable automated monitoring of products
  - Faster, more accurate identification of issues
  - Deliver actionable secure configuration guidance
- Identified seven areas in which to utilize SCAP, aligned with the relevant CAG controls
Seven Areas for Integration Identified
1. Standardized product names: enables fast, accurate correlation across information sources.
2. Standardized configuration item identification: enables fast, accurate correlation across information sources.
3. Enable automated secure configuration checking: enables automated checking during NIAP evaluation.
4. Structured secure configuration guides: enables automated checking for adherence to the policy.
5. Inventory/asset management support: end users can use the asset management tool of their choice.
6. Vulnerability identification, disclosure, and response practices: faster responses to security advisories by end users.
7. Patch checking: end users can use the patch management tool of their choice.
Areas for Integration Aligned with SCAP

| Area for integration | Benefit | SCAP for Product Vendors (SP 800-117) area |
|---|---|---|
| 1. Standardized product names | Enables fast, accurate correlation across information sources | Product Names |
| 2. Standardized configuration item identification | Enables fast, accurate correlation across information sources | Configuration Controls |
| 3. Enable automated secure configuration checking | Enables automated checking during NIAP evaluation | Support Automated System Integrations |
| 4. Structured secure configuration guides | Enables automated checking for adherence to the policy | Secure Configuration Baselines |
| 5. Inventory/asset management support | End users can use the asset management tool of their choice | Support Automated System Integrations |
| 6. Vulnerability identification, disclosure, & response practices | Faster responses to security advisories by end users | Security Advisories |
| 7. Patch checking | End users can use the patch management tool of their choice | Security Advisories |
- SCAP covers a wide range of use cases, practices, standards and content
- Integrating it all in one big chunk would likely prove very challenging and make its practical application less likely
- We suggest a staged integration approach that starts out low-effort and builds capability in a tiered fashion
Staged Integration

| Area | Tier 1: Utilize Standard Naming | Tier 2: Define Structured Guidance | Tier 3: Assess & Validate |
|---|---|---|---|
| Standardized Product Names | CPE, SWID* | API for CPE | |
| Standardized Configuration Item Identification | CCE | | |
| Enable Automated Secure Configuration Checking | | API for CCE | Specify OVAL construct for CCE |
| Structured Secure Configuration Guides | | XCCDF, CPE, CCE | XCCDF, CPE, CCE, OVAL Compliance Definitions |
| Inventory/Asset Management Support | | | OVAL Inventory Definitions |
| Vulnerability Identification, Disclosure, and Response Practices | CPE, CVE, CVSS, SWID* | | OVAL Vulnerability Definitions |
| Patch Checking | CPE, CVE, CVSS, SWID* | | OVAL Inventory Definitions |

*SWID (ISO/IEC 19770-2): the software identification tag standard, focused on authoritative software identification
Staged Integration

Tier 1: Utilize Standard Naming
- Low-effort integration of the most mature SCAP components
- Enables correlation across information sources
- Requires knowledge of CCE, CPE, CVE, and CVSS

Tier 2: Define Structured Guidance & Enable Automation
- Structured guidance and published APIs
- Foundation for automated system checking
- Requires knowledge of XCCDF and exposure of APIs

Tier 3: Assess and Validate
- Automated checking of system state (patched, configured securely, vulnerable, etc.)
- Requires knowledge of OVAL
For More Information

More information on the standards:
- CVE (vulnerabilities): http://cve.mitre.org
- CCE (configuration controls): http://cce.mitre.org
- CPE (platforms/applications): http://cpe.mitre.org
- OVAL (checking language): http://oval.mitre.org
- OCIL (questionnaire language): http://scap.nist.gov/specifications/ocil
- XCCDF (structuring): http://nvd.nist.gov/xccdf.cfm
- CVSS (scores severity of vulnerabilities): http://www.first.org/cvss/
- NVD (resources for SCAP users): http://nvd.nist.gov/home.cfm
- Making Security Measurable (more resources on SCAP and beyond): http://measurablesecurity.mitre.org/
Questions?
Optional Detail Slides
1. Standardized Product Names

Register a CPE Name for the product and its dependencies.

Vendor Actions:
- Register and maintain a CPE Name for the product
- Ensure that all dependent products have registered CPE Names
- Provide a programmatic means to query the product for its CPE Name
- List CPE Names in the product documentation

Validator Role:
- Verify the CPE Name is listed in the Official CPE Dictionary
- Verify that the CPE API is documented and functioning properly

Benefit:
- Enables fast, accurate correlation across information sources
- Enables correlation of product and platform information for use in asset management, situational awareness, and continuous monitoring
2. Standardized Configuration Item Identification

Assign a CCE to all security-relevant configuration controls in the product.

Vendor Actions:
- Identify all security-relevant configuration controls
- Assign CCE IDs to all security-relevant configuration controls

Validator Role:
- Verify that CCEs are listed for the product
- Verify that the product's Secure Configuration Guide includes CCE references

Benefit:
- Enables fast, accurate correlation across information sources
- Completes a first step toward supporting automated configuration checking
- Tool vendors understand what the configuration items are and what to check for
3. Enable Automated Secure Configuration Checking

Instrument security-relevant configuration controls for automated configuration checking.

Vendor Actions:
- For each CCE in the product, provide a programmatic means to check and set the state of that value
- Identify the proper OVAL construct for checking the state of each CCE

Validator Role:
- Verify the vendor listing of programmatic methods for all CCEs

Benefit:
- Enables automated checking during NIAP evaluation
- Provides a foundation for automated secure configuration guides
- The product is instrumented for continuous monitoring
4. Structured Secure Configuration Guides

Enable standardized automatic software configuration checking using CPE, OVAL and XCCDF.

Vendor Actions:
- Create an SCAP-expressed benchmark for the secure configuration of the product

Validator Role:
- Verify that the SCAP-expressed benchmark is available and valid

Benefit:
- Enables faster, more accurate checking for adherence to the policy
- End users can use the SCAP-validated tool of their choice to determine whether the product is properly configured
- An evaluator can run automated verification of the secure configuration on all test systems
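The chain that areas 2 to 4 describe (a CCE per control, an OVAL construct that checks it, an XCCDF benchmark whose rules point at the OVAL definitions, scoped to a CPE platform) is easier to see in code than in prose. The following is an added example written for this page, not code from the original slides, from MITRE, or from any SCAP-validated tool. It embeds a constructed one-rule XCCDF 1.1 benchmark and a matching OVAL 5 definition, evaluates the OVAL textfilecontent54 test against an in-memory sshd_config (standing in for the real file system), and rolls the OVAL result up into the XCCDF rule result. Every identifier (CCE-0000-0, the oval:example:* ids, cpe:/o:example:linux:2) and the sshd_config text are placeholders. Only the one OVAL test type used here is implemented, which is enough for a single configuration check; a real checker supports the full OVAL test catalogue and CPE applicability logic.

```python
"""Minimal XCCDF + OVAL evaluation: an XCCDF rule (CCE ident, CPE platform)
references an OVAL definition; the OVAL test runs against a file and the
result becomes the rule's pass/fail. Added example; not code from the page,
MITRE or any SCAP tool. All ids and the sshd_config content are constructed
placeholders. Supports only textfilecontent54 pattern-match + subexpression."""
import re
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"
OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_IND = OVAL_DEF + "#independent"
NS = {"x": XCCDF, "o": OVAL_DEF, "ind": OVAL_IND}

BENCHMARK = f"""<Benchmark xmlns="{XCCDF}" id="example-sshd-benchmark">
  <platform idref="cpe:/o:example:linux:2"/>
  <Rule id="rule-sshd-no-root-login" selected="true">
    <ident system="http://cce.mitre.org">CCE-0000-0</ident>
    <check system="{OVAL_DEF}">
      <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
</Benchmark>"""

OVAL = rf"""<oval_definitions xmlns="{OVAL_DEF}" xmlns:ind="{OVAL_IND}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance">
      <criteria><criterion test_ref="oval:example:tst:1"/></criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:example:tst:1" version="1"
        check="all" check_existence="at_least_one_exists">
      <ind:object object_ref="oval:example:obj:1"/>
      <ind:state state_ref="oval:example:ste:1"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="oval:example:obj:1" version="1">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
      <ind:pattern operation="pattern match">^PermitRootLogin\s+(\S+)</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </objects>
  <states>
    <ind:textfilecontent54_state id="oval:example:ste:1" version="1">
      <ind:subexpression>no</ind:subexpression>
    </ind:textfilecontent54_state>
  </states>
</oval_definitions>"""


def evaluate_oval(oval_xml, files):
    """Return {definition id: 'true' | 'false'} for every definition.
    `files` maps a path to its content and stands in for the file system."""
    root = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in root.find("o:tests", NS)}
    objects = {o.get("id"): o for o in root.find("o:objects", NS)}
    states = {s.get("id"): s for s in root.find("o:states", NS)}

    def run_test(test_id):
        test = tests[test_id]
        obj = objects[test.find("ind:object", NS).get("object_ref")]
        state = states[test.find("ind:state", NS).get("state_ref")]
        content = files.get(obj.find("ind:filepath", NS).text)
        if content is None:                   # file absent: existence check fails
            return "false"
        pattern = obj.find("ind:pattern", NS).text  # one capture group = subexpression
        instance = int(obj.find("ind:instance", NS).text)
        matches = re.findall(pattern, content, re.MULTILINE)
        if len(matches) < instance:           # no Nth match: the item does not exist
            return "false"
        want = state.find("ind:subexpression", NS).text
        return "true" if matches[instance - 1] == want else "false"

    results = {}
    for d in root.find("o:definitions", NS):
        refs = [c.get("test_ref") for c in d.iter(f"{{{OVAL_DEF}}}criterion")]
        results[d.get("id")] = "true" if all(run_test(r) == "true" for r in refs) else "false"
    return results


def evaluate_benchmark(benchmark_xml, oval_xml, files, host_cpe):
    """Return {rule id: {'cce': ..., 'result': 'pass' | 'fail' | 'notapplicable'}}.
    Platform applicability is an exact CPE name comparison (a simplification)."""
    root = ET.fromstring(benchmark_xml)
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    rules = list(root.iter(f"{{{XCCDF}}}Rule"))
    if platforms and host_cpe not in platforms:
        return {r.get("id"): {"cce": r.find("x:ident", NS).text, "result": "notapplicable"}
                for r in rules}
    oval_results = evaluate_oval(oval_xml, files)
    out = {}
    for rule in rules:
        ref = rule.find("x:check/x:check-content-ref", NS).get("name")
        out[rule.get("id")] = {"cce": rule.find("x:ident", NS).text,
                               "result": "pass" if oval_results.get(ref) == "true" else "fail"}
    return out
```

Two things worth noticing: the CCE travels with the rule result, so a consumer can correlate a failing rule against any other source that references the same CCE, and a host whose CPE does not match the benchmark's platform gets "notapplicable" rather than a misleading pass or fail. Usage: `evaluate_benchmark(BENCHMARK, OVAL, {"/etc/ssh/sshd_config": "PermitRootLogin no\n"}, "cpe:/o:example:linux:2")`.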
5. Inventory/Asset Management Support

Enable standardized automatic software inventories using CPE and OVAL.

Vendor Actions:
- Publish an OVAL Definition for detecting the presence of the product
- Reference the CPE Name for the product in the OVAL Definition

Validator Role:
- Verify that an OVAL Inventory Definition has been published

Benefit:
- End users can use the SCAP-validated tool of their choice to determine whether the product is present on their system
6. Vulnerability Identification, Disclosure and Response Practices

Enable standardized automatic software vulnerability checking using CPE, OVAL and CVE.

Vendor Actions:
- Include a CVE ID in all vulnerability alerts
- Include CPE Names for all affected products in all vulnerability alerts
- Provide a CVSS base score for all vulnerabilities
- Publish an OVAL Definition for detecting the presence of the vulnerability

Validator Role:
- Verify documented use of SCAP in flaw remediation practices

Benefit:
- Faster responses to security advisories by end users
- Vulnerabilities are identified, prioritized, and described in a standardized way
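What the consumer side of area 6 (and of the "Security Advisories" and "Product Names" items under SCAP for Product Vendors) gains from CVE, CVSS and CPE in an advisory is shown by the following added example, written for this page and not taken from the slides, MITRE, FIRST or any vendor. It parses a CVSS v2 base vector into the base score using the published v2 equation (v2 is the CVSS version SCAP used in 2011), matches the advisory's affected CPE 2.2 names against a host inventory with CPE's "unspecified component matches anything" rule, and returns the hosts on which the advisory's OVAL definition should be run, ranked by score. The advisory, the inventory, the CVE id and all product names are constructed placeholders.

```python
"""Consume a vendor advisory the way an SCAP-aware tool would: score the CVSS v2
base vector and correlate affected CPE names against a host inventory.
Added example; not code from the page, MITRE, FIRST or any vendor. The
advisory, inventory and CVE id are constructed placeholders; the weights and
equation are the published CVSS v2 base score definition."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Confidentiality / Integrity / Availability impact


def cvss2_base_score(vector):
    """Base score for a v2 vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'.
    A malformed or incomplete vector raises (KeyError/ValueError) instead of
    being scored, so bad advisory data cannot silently become a low priority."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    if impact == 0:                          # f(Impact) = 0 when there is no impact
        return 0.0
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    # the spec rounds to one decimal; Decimal avoids Python's banker's rounding
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cpe_components(name):
    """Split a CPE 2.2 URI 'cpe:/part:vendor:product:version:update:edition:language'
    into its seven components, padding unspecified trailing ones with ''."""
    if not name.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: " + name)
    comps = name[len("cpe:/"):].split(":")
    return comps + [""] * (7 - len(comps))


def cpe_matches(affected, installed):
    """True when every component the advisory specifies equals the installed one.
    A component left unspecified in the affected name matches any value, so
    'cpe:/a:example:webapp' covers every version of that product."""
    return all(a in ("", i) for a, i in zip(cpe_components(affected), cpe_components(installed)))


ADVISORY = {                                  # constructed sample advisory
    "cve": "CVE-0000-0000",                   # placeholder, not a real CVE id
    "cvss_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "affected": ["cpe:/a:example:webapp:2.0", "cpe:/a:example:webapp:2.1"],
    "oval_definition": "oval:example:def:1",  # the vendor's OVAL check for this issue
}
INVENTORY = {                                 # constructed host -> installed CPE names
    "web01": ["cpe:/o:example:linux:2", "cpe:/a:example:webapp:2.1"],
    "web02": ["cpe:/o:example:linux:2", "cpe:/a:example:webapp:3.0"],
    "db01": ["cpe:/o:example:linux:2", "cpe:/a:example:dbms:9"],
}


def triage(advisory, inventory):
    """Return {host: base score} for every host running an affected product,
    i.e. the hosts on which the advisory's OVAL definition should be run."""
    score = cvss2_base_score(advisory["cvss_vector"])
    return {host: score for host, cpes in inventory.items()
            if any(cpe_matches(a, i) for a in advisory["affected"] for i in cpes)}
```

The point of the exercise is that none of the three steps needs vendor-specific parsing: the score comes from the vector alone, the affected set is matched purely on CPE names that the inventory tool already collects, and the OVAL definition id tells the scanner what to run next. Usage: `triage(ADVISORY, INVENTORY)` returns only web01 with the 7.5 score, because web02 runs an unaffected version and db01 a different product.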
7. Patch Checking

Enable standardized automatic software patch checking using CPE, OVAL and CVE.

Vendor Actions:
- Publish standardized patch checks as OVAL Definitions
- Include the list of affected products, by CPE Name, in patch bulletins
- List all vulnerabilities addressed, by their CVE ID

Validator Role:
- Verify that the documented vendor patch processes include OVAL, CPE, and CVE

Benefit:
- End users can use the SCAP-validated tool of their choice to determine whether a patch is installed on their system, helping to keep the system up to date