SESSION 706
Wednesday, November 4, 9:00am - 10:00am
Track: Framework Fusion
7 Steps to Secure Configuration Management
Ram Ramdattan, rdattan@yahoo.com

Session Description
Cyber-security threats are growing exponentially, and most large organizations are struggling to secure their critical IT infrastructures and reduce the business impact of cyber-threats. The Secure Configuration Management (SCM) standard from NIST represents a fundamental capability that enterprises need to build in order to mitigate cyber-threats. This session will explore the building blocks for this next evolution of configuration management, placing particular emphasis on the rationale, basic framework, process, tooling, and expected outcomes. (Experience Level: Intermediate)

Speaker Background
Ram Ramdattan is an acknowledged thought leader and strategist with a keen sense for the next game-changer and particular experience with practice development, IT consulting, delivery engagements, and alliances. Over the last fifteen years, Ram has enabled success at Fortune 500 organizations by focusing on business value and by leading initiatives in service strategy, cyber-compliance, asset and configuration management, change management, change controls, IT governance, and service automation.
Session 706
7 Steps to Secure Configuration Management
Ram Ramdattan, Sr. Industry Principal, Infosys Limited

"We cannot solve our problems with the same thinking we used when we created them" - Albert Einstein
Change-based outages are making big news
(Slide image: news headlines covering United, NYSE and Orange County outages, including WSJ coverage; major impact)

Data breaches* top the board's agenda (*partial list)
When - Where
Aug - Ashley Madison
June - OPM
Jan 15 - Morgan Stanley
Nov 14 - Sony Pictures
Oct - JPMC
Sep - The Home Depot
Sep - Google
Dec 13 - Target
Impacts and costs are significant
Average cost of a data breach is $3.8 million, representing a 23% increase since 2013 (Ponemon Institute, 2015 Global Cost of Data Breach Study)
Almost half the breaches last year came from unpatched IT assets (HP Cyber Risk Report, 2015)
An unplanned data center outage costs about $8,000/minute (Emerson and Ponemon Institute)

Key Observations
Cyber-security threats to IT Operations are evolving, affect every business and are increasingly sophisticated.
Reliance on the availability of technology systems for our everyday needs is higher than ever.
Now more than ever, changes to IT systems need to be managed securely and with predictable outcomes.
Problem Statement
How can IT Service Management elevate its presence to ensure greater systems security and availability?

IT Service Management at the core
Configuration Management
Change Management
Release Management
From the 20* Critical Security Controls
#: Critical Control - Rank
1: Inventory of Authorized and Unauthorized Devices - Very High
2: Inventory of Authorized and Unauthorized Software - Very High
3: Secure Configurations for Hardware and Software - Very High
10: Secure Configurations for Network Devices - High/Medium
*maintained by the Council on Cyber Security, NIST and SANS

Need to change the paradigm - From Here
(Slide diagram of the current change flow: Change Drivers, RFC, Approval / Review, Implement New Configurations, IT Systems; outcomes: sub-par comparison to baseline, potential for vulnerabilities, new vulnerabilities, system & org. impact)
Need to change the paradigm - To Here
(Slide diagram of the target change flow: Change Drivers, RFC, Approval / Review, Implement New Configurations, IT Systems, with continuous configuration monitoring; new vulnerabilities feed CM governance, which updates the configuration baseline)

NIST 800-128 leads to the meeting of the worlds
Secure Configuration Management is the management and control of secure configurations for an information system to enable security and facilitate the management of risk.
The Lifecycle
Planning: scope, asset classes, process, tools
Implementing: identifying & implementing configurations
Controlling: configuration changes
Monitoring: revisiting, tracking configurations
Monitor / Remediate

How does it work?
(Slide diagram: the SecCM product reads configuration from the environment over an automation protocol, consults a vulnerability repository, and separates authorized changes from unauthorized changes)
SecCM is complementary to SACM - 1
Service Asset and Configuration Management (SACM):
Passive state - effected post change
Directed towards recording and accuracy of configuration items
Focus on all service-centric configurations
Secure Configuration Management (SecCM):
Active state - effected during change
Directed towards maintaining CI baselines and remediation
Focus only on key security-relevant configurations

SecCM is complementary to SACM - 2
SACM:
Driven by general change management policy
Requires input from discovery tools
Standard tools for automation
SecCM:
Relies on change management policy that specifies restricted CIs
Requires input from vulnerability database
Requires specific protocol, configuration specification language and identifiers for automation
Companies with SecCM products*
(Slide image: vendor logos) *Based on SCAP v1.2 validation by NIST

Why is ITSM positioned to drive SecCM?
Knowledge of CIs, especially critical CIs
IT Business Service Management mindset
Ease of integration with existing Configuration Management system
Understanding of IT Change Management processes and standards
Able to deliver SecCM as a service
So where do we start?
(Slide graphic: steps 1 to 7)

Step 1a - Understand key components
Open Checklist Interactive Language (OCIL)
Common Vulnerabilities and Exposures (CVE)
Authenticated Configuration Scanner
Security Content Automation Protocol (SCAP)
NCP Checklists
Step 1b - Updates to Change Management
Roles: Change Requester, CI Owner
Today:
Change anything
Test, get approval, deploy
Deploy ok / deal with impact
Potential for new vulnerabilities
Tomorrow:
Restricted CIs in scope under Change Control policy
Determine what can change
Determine what cannot change
Certify & flag authenticated configurations

Step 2 - Initiate the Plan
People, Process, Tooling, Program
Step 3 - Updates to key Policies
IT Asset Management Policy
IT Change Management Policy
IT Configuration Management Policy
Information Security Management Policy

Step 4a - Prioritize Asset Classes
(Slide diagram of asset classes) Server+, OS, Middleware, Software, Network, LAN, WAN, Storage, Converged Hardware, EUC, Desktops, Laptops, Mobility
Step 4b - Identify / Align Asset Class - Configuration Owners
CI Types: Bridge, Concentrator, Firewall, Gateway, Hub
CI Roles: Primary Owner, Primary Delegate
CI Owners: ABC, DEF, GHI
Roles: Approved by, Managed by, Owned by, Reviewed by, Subscribed by, Supported by

Step 5 - Recommend baselines
CCE ID (Win7): CCE-9953-1
Policy Path: Computer Configuration\Administrative Templates\Network\Network Connections
Policy Setting (Win7): Prohibit installation and configuration of Network Bridge on your DNS domain network
Rationale: Enabled - to prevent the computer from forwarding internal traffic to other networks
Registry Setting: HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowNetBridge_NLA
Step 6 - Implement SecCM tooling
Select pilot
Iterate across asset classes
Update / adjust baselines
Roll out SecCM implementation
Activate change for restricted CIs
Communication and awareness

Step 7 - Manage SecCM as a Service
Define Service Levels
Request and Fulfillment
Service Transition & Operations
CSI (Continual Service Improvement)
Threat Intelligence & Awareness
Re-assess Baseline
Ongoing Reporting
Getting SecCM right takes effort and time
1 Define: list of Controlled Configuration Items (CCI) per CI type.
2 Compare current: compare the current configuration; update & integrate with current schema.
3 Deliberate: understand issues, risks and needs per asset class.
4 Interim: interim secure configuration for implementation.
5 Test: load into SCAP system and test.
6 Fix: update CIs based on test results.
7 Production: roll out secure configuration into production.
8 Sign Off: gather stakeholder alignment and formal sign-off for secure configuration.
Updated docs: attribute lists, business classes, CMS data model, CMS relationships, process & data model requirements.
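The compare-and-fix loop in steps 2 and 6 above, together with the authorized/unauthorized split on the "How does it work?" slide, as an added Python example. This is not code from the slides or from any SCAP-validated product: the baseline's first entry is the CCE-9953-1 registry value from Step 5 (with 0 assumed to be the value written when the policy is Enabled), and every other CI path, observed value and RFC identifier is constructed for the example.

```python
"""Added example (not from the slides or from any SCAP-validated product):
the "compare current secure configuration" step for restricted CIs.

A baseline of CCE-style entries is checked against a snapshot of the
observed configuration. Every deviation is classified as authorized
(an approved RFC for that restricted CI explains the observed value) or
unauthorized (needs remediation), and authorized deviations are folded
back into the baseline, as the CM-governance loop on the slides does.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class BaselineEntry:
    cce_id: str      # CCE identifier
    ci: str          # restricted configuration item (a registry value here)
    expected: Any    # value the secure baseline requires
    rationale: str


@dataclass(frozen=True)
class ApprovedChange:
    rfc: str         # change record id (constructed placeholder)
    ci: str          # restricted CI the RFC authorizes to change
    new_value: Any   # value the RFC approved


@dataclass(frozen=True)
class Finding:
    cce_id: str
    ci: str
    status: str      # "compliant" | "authorized" | "unauthorized" | "missing"
    expected: Any
    observed: Any
    rfc: Optional[str] = None


# NC_BRIDGE is the CCE-9953-1 setting from the slide; 0 is assumed to be the
# value written when the "Prohibit ... Network Bridge" policy is Enabled.
# The remaining CIs, all observed values and the RFC id are constructed.
NC_BRIDGE = r"HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowNetBridge_NLA"
AUDIT = r"HKLM\Software\Policies\Example\AuditLogging"       # constructed
LEGACY = r"HKLM\Software\Policies\Example\LegacyProtocol"    # constructed
MIN_TLS = r"HKLM\Software\Policies\Example\MinTlsVersion"    # constructed

BASELINE: List[BaselineEntry] = [
    BaselineEntry("CCE-9953-1", NC_BRIDGE, 0,
                  "Prevent the computer from forwarding internal traffic to other networks"),
    BaselineEntry("CCE-EXAMPLE-A", AUDIT, 1, "constructed: audit logging on"),
    BaselineEntry("CCE-EXAMPLE-B", LEGACY, 0, "constructed: legacy protocol off"),
    BaselineEntry("CCE-EXAMPLE-C", MIN_TLS, "1.2", "constructed: minimum TLS version"),
]

# Constructed snapshot, as a SecCM scanner might read it from one host.
OBSERVED: Dict[str, Any] = {
    NC_BRIDGE: 1,   # bridge allowed again: deviates, and no RFC covers it
    AUDIT: 1,       # matches the baseline
    LEGACY: 1,      # deviates, but the RFC below approved exactly this value
    # MIN_TLS absent: the scanner could not read the CI
}

APPROVED: List[ApprovedChange] = [
    ApprovedChange("RFC-0001 (placeholder)", LEGACY, 1),
]


def compare(baseline, observed, approved):
    """Classify each baseline CI against the observed snapshot."""
    approved_by_ci = {a.ci: a for a in approved}
    findings = []
    for entry in baseline:
        if entry.ci not in observed:
            findings.append(Finding(entry.cce_id, entry.ci, "missing", entry.expected, None))
            continue
        actual = observed[entry.ci]
        if actual == entry.expected:
            findings.append(Finding(entry.cce_id, entry.ci, "compliant", entry.expected, actual))
            continue
        rfc = approved_by_ci.get(entry.ci)
        # An RFC only authorizes the deviation if it approved this exact value
        if rfc is not None and rfc.new_value == actual:
            findings.append(Finding(entry.cce_id, entry.ci, "authorized", entry.expected, actual, rfc.rfc))
        else:
            findings.append(Finding(entry.cce_id, entry.ci, "unauthorized", entry.expected, actual))
    return findings


def remediation_plan(findings):
    """CIs to reset to the baseline value: unauthorized deviations and unreadable CIs."""
    return [(f.ci, f.expected) for f in findings if f.status in ("unauthorized", "missing")]


def refresh_baseline(baseline, findings):
    """CM governance step: an authorized deviation becomes the new baseline value."""
    new_values = {f.ci: f.observed for f in findings if f.status == "authorized"}
    return [BaselineEntry(e.cce_id, e.ci, new_values.get(e.ci, e.expected), e.rationale)
            for e in baseline]


if __name__ == "__main__":
    results = compare(BASELINE, OBSERVED, APPROVED)
    for f in results:
        print(f"{f.cce_id:14} {f.status:12} expected={f.expected!r} observed={f.observed!r}"
              + (f" via {f.rfc}" if f.rfc else ""))
    print("remediate:", remediation_plan(results))
```

The check only treats a deviation as authorized when an approved RFC names the restricted CI and the exact value observed; an RFC that approved some other value, or no RFC at all, leaves the CI on the remediation list, which is the "determine what can change / what cannot change" rule from Step 1b applied at monitoring time.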
References
http://voiceofoc.org/2015/06/it-system-outages-hit-multiple-county-departments/
http://www.wsj.com/articles/trading-halted-on-new-york-stock-exchange-1436372190
http://www.avaya.com/usa/about-avaya/newsroom/news-releases/2014/pr-140305/
http://www.foxbusiness.com/markets/2015/07/08/united-airlines-grounds-flights-due-to-system-issues/
http://www.emersonnetworkpower.com/documentation/en-us/brands/liebert/documents/white%20papers/2013_emerson_data_center_cost_downtime_sl-24680.pdf
https://nvd.nist.gov/scapproducts.cfm
http://scap.nist.gov/validation/index.html
https://web.nvd.nist.gov/view/ncp/repository

Q&A
Thank you for attending this session. Please don't forget to complete an evaluation form!