ARF, ARCAT, and Summary Results. Lt Col Joseph L. Wolfkiel

Similar documents

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

DoD Secure Configuration Management (SCM) Operational Use Cases

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

Closed loop endpoint compliance an innovative, standards based approach A case study - NMCI

Federal Desktop Core Configuration (FDCC)

How To Use A Policy Auditor (Macafee) To Check For Security Issues

An Enterprise Continuous Monitoring Technical Reference Architecture

Total Protection for Compliance: Unified IT Policy Auditing

Patch and Vulnerability Management Program

Qualys PC/SCAP Auditor

FDCC & SCAP Content Challenges. Kent Landfield Director, Risk and Compliance Security Research McAfee Labs

BMC Client Management - SCAP Implementation Statement. Version 12.0

Automating Compliance with Security Content Automation Protocol

How To Monitor Your Entire It Environment

Continuous Monitoring

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance

STIGs,, SCAP and Data Metrics

Analytics and Continuous monitoring Engine (ACE) for Enterprise Risk and Compliance Management

Automating Attack Analysis Using Audit Data. Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009

Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT)

SCAP Compliance Checker Version 3.1 for Windows February 12, 2012

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

IBM Endpoint Manager Product Introduction and Overview

SCAP for VoIP Automating Configuration Compliance. 6 th Annual IT Security Automation Conference

Manage Vulnerabilities (VULN) Capability Data Sheet

Mark S. Orndorff Director, Mission Assurance and NetOps

EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA

Security compliance automation with Red Hat Satellite

Secstate: Flexible Lockdown, Auditing, and Remediation

McAfee Vulnerability Manager 7.5.1

How To Protect A Network From Attack From A Hacker (Hbss)

Vulnerability Management

VSI Predict Able. We Focus on Your IT So You Can Focus on Your Business

Intro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

NAVAL POSTGRADUATE SCHOOL THESIS

A Comprehensive Cyber Compliance Model for Tactical Systems

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

GFI White Paper PCI-DSS compliance and GFI Software products

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release July 2015

Status Update. Jon Baker September 28, 2010

The Fundamental Difference Between SIEM & Log Management Solutions: State vs. Event Data

How To Manage Sourcefire From A Command Console

Symantec Control Compliance Suite Standards Manager

Oracle Database Security Myths

AGENDA. CNDSP Program CNDSP is a Team Sport. Protect Respond CNDSP Contacts Questions

The SIEM Evaluator s Guide

State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

Critical Security Controls

AppSentry Application and Database Security Auditing

IBM Tivoli Endpoint Manager for Security and Compliance

Concierge SIEM Reporting Overview

Avoiding the Top 5 Vulnerability Management Mistakes

eeye Digital Security Product Training

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER Agency Administrative Order Series. Secure Baseline Attachment

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect

Proactively Managing Servers with Dell KACE and Open Manage Essentials

Vulnerability Audit: Why a Vulnerability Scan Isn t Enough. White Paper

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise

McAfee Policy Auditor 6.0 software Product Guide for epolicy Orchestrator 4.6

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

FREQUENTLY ASKED QUESTIONS

Joint Information Environment Single Security Architecture (JIE SSA)

The Operating System Lock Down Solution for Linux

Enabling Security Operations with RSA envision. August, 2009

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

How To Get The Nist Report And Other Products For Free

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

Viewfinity Privilege Management Integration with Microsoft System Center Configuration Manager. By Dwain Kinghorn

Security Event Management. February 7, 2007 (Revision 5)

McAfee Policy Auditor software

Cyber Security RFP Template

CONTINUOUS MONITORING

Critical Controls for Cyber Security.

Endpoint Security Management

SUSE Linux Enterprise 12 Security Certifications

CHAPTER 67 INFORMATION SYSTEMS TECHNICIAN (IT) NAVPERS H CH-63

Improving Security Vulnerability and Configuration Management through a Service Oriented Architecture Approach

Intrusive vs. Non-Intrusive Vulnerability Scanning Technology

Consolidated Afloat Networks and Enterprise Services (CANES)

VMware vsphere 5.1 Advanced Administration

INCIDENT RESPONSE CHECKLIST

SourceFireNext-Generation IPS

RAVEN, Network Security and Health for the Enterprise

Consolidated Afloat Networks and Enterprise Services (CANES)

Transcription:

ARF, ARCAT, and Summary Results Lt Col Joseph L. Wolfkiel

Enterprise-Level Assessment and Reporting The Concept Assessment Results Format (ARF) Assessment Summary Results (ASR) The Assessment Results Consumer and Analysis Tool (ARCAT)

SCAP Interfaces & Data Exchange Scaled to an Enterprise Internet Passive Sensors SCAP Enterprise-Level Network Map and Compliance Report SCAP SCAP Content With Assessment & Reporting Policies Enterprise Backbone Networks Passive Sensors SCAP Component-Level Network Map and Compliance Report SCAP RISK Mgmt & SA SCAP Host-Based Agents Partial SCAP capability Host-BasedSCAP SCAP Assessment Tool Map/Vis SCAP Fusion SCAP Database Network Scanner SCAP C&A SIM SCAP capability in development No SCAP capability Campus Area Network Remediation Tool(s)

Federal DoD SCAP Interfaces - DoD/Federal Level Reporting DoD Component SCAP Reports FDCC STIG IAVA CTO INFOCON Vulnerability Malware Inventory Device OS Application Summary Results Mixed Results Granular Results SCAP XCCDF Results OVAL Results CPE Inventory Devices Grouped By: Operational Attributes Identifiers Network Configuration Enclave OVAL, XCCDF reporting provides: Software Flaws, Weak Settings, Policy Compliance Audit Reports ` Compliance Inventory Audit ` epo Audit Management `

OMB, DoD, Component Assessment Policies ARF, ASR, ARCAT, and Where They Fit Asset Mgmt Web Service T2 Asset Management ARF & ASR ARF/ASR-Based Federated Query T2 Asset Data Repository Tier 1 and other Tier 2 Data Consumers Tier 3 Base/Post/ Camp/Station Network Inventory, Config Summary, & Map (ARCAT or COTS Tool) ARF ARF ARF Host Compliance Asset Configuration Compliance Status HBSS Host Management Console Asset Compliance Manager (XCCDF) Module(s) Benchmarks Asset Compliance Assessment Rules HBSS Common Management Agent Asset Configuration Compliance Other HBSS Modules Asset Inventory Manager (CPE) SW Inventory Module(s) Dsicovery Rules Asset Configuration Remediation & Modification Host Host Passive Network Scanner (e.g., Trickler) Asset Asset Configuration Compliance Compliance Assessment Status Rules Module(s) FY09+ Modules Asset Asset Configuration Compliance Compliance Assessment Status Rules Module(s) FY09+ Modules Host HBSS Common Management Agent MANAGED HOST Asset Asset Configuration Configuration Remediation Compliance & Modification Module(s) HBSS Common Management Agent MANAGED HOST Asset Asset Configuration Configuration Remediation Compliance & Modification Module(s) UNMANAGED HOST Host Host Asset Asset Configuration Compliance Compliance Assessment Status Rules Module(s) FY09+ Modules Asset Asset Configuration Compliance Compliance Assessment Status Rules Module(s) FY09+ Modules Host Active Vulnerability SCAP Scanner (e.g., STAT, ISS, SCCVI MANAGED HOST HBSS Common Management Agent Asset Asset Configuration Configuration Remediation Compliance & Modification Module(s) MANAGED HOST HBSS Common Management Agent Asset Asset Configuration Configuration Remediation Compliance & Modification Module(s) UNMANAGED HOST Host Host Host MULTI-FNCTN DEVICE ROUTER PRINTER

Assessment Results Format The detailed, per-device assessment results language

ARF Functionality Packages information any SCAP validated tool must already produce OVAL Results XCCDF Results Adds network info, CPE inventory, Ops-Attributes CPE Inventory = findings reported against OS & applications Supports object re-use References instead of building stand-alone objects Has built-in replication support Action/Status tags Simplistic Supports comprehension and Cross-Domain Solution (CDS)

ARF Data Schema Top Level Concept A report consists of some number of report objects Each type of object is assigned a unique ID and can be referenced Intended to support paging 0 to many report objects/page

ARF Vision Reports - on a per-device basis of: Installed SW & HW Patches, vulnerabilities, settings Running services & processes Network infrastructure Organized by: Organization Network Physical area Building Enclave-Level CND Situational Awareness Per-device assessments Host Based Scanner Network Scanner Passive Device Characterization ARF ARF ARF ARF Aggregate Deconflict Correlate Remediation Control CND Data Store CNDSP Network & Device Situational Awareness Capability Logical Mapping Devices Shapes People Physical Mapping Automatically Shared with CERTs and C2 Chain Networks Organizations Circuits Operational Attribute Collection SIM Logical and physical context for alerts C&A Risk managed against a machinecheckable baseline Enclave System Administrator Existing TBD

Device Record The Key ARF Data Type The stuff from the DoD data modeling efforts We re pretty sure we need We re pretty sure we can get No hardware inventory (disk drive, µprocessor, memory, etc.) May re-look that before 1.0 release

Per Software Product Data (aka cpe-record)

Summary Results When you just want a single question answered

Summary Results Functionality Allows for Concise reports on single assessment checks CPE platform definitions For a CPE mask, how many devices have a matching CPE? CVEs Which devices have/don t have CVEs? CCE parameters How many/which devices have each parameter value? OVAL Definitions - How many/which devices resolve to true or false for each OVAL def? XCCDF Benchmarks Average benchmark score, max score, min score, pass/fail How many/which devices pass or fail each rule Patches - How many/which devices have resolved to true or false for each patch? Provides results either as Counts and (optionally) Lists per finding (true/false, pass/fail, not applicable, not checked, error) Lists can include: IP, Domain Name, Record Identifier Plus population data and scan data

Sample CPE Summary Report for cpe:/a:adobe:flash

Sample Arbitrary XCCDF Benchmark with 1 Rule, Listed by IP Address, Ungrouped

ARCAT When you have a bunch of ARFs and want to look at and evaluate them

Assessment Results Consumer & Analysis Tool (ARCAT) Status ARCAT development began in June 09 Reference implementation of standard for device data reporting - - Assessment Results Format (ARF) ARCAT is a generic ARF consumer (i.e. not a sensor, a sensor output data collection capability) Used for reporting compliance with FDCC, STIG, IAVA, and CTO Used for collecting inventories of devices and installed applications/os May serve as basis for multi-sensor network assessment data fusion capability Source code to be made available within DoD and can be shared across US Government

Vision ARCAT Spiral One 1) Consumer 2) Repository 3) GUI (to a very limited degree)

Provides ability to associate devices with operational/environmental information e.g. Where is it, who owns it, who defends it, what network is it on, how important is it, etc.. (see example above)

Shows device information collected from all sensors and any environmental information associated supports clickable drill down for any device

Shows device detail that can be packaged in standard ARF device inventory or compliance fields.

Combines installed software descriptions, plus any vulnerabilities, settings, patches, services, and open ports/protocols associated.

Shows compliance with any XCCDF checklist e.g. FDCC, STIG, IAVM, CTO

Supports search for common data elements reported in ARF.

Provides summarized roll-up for decision maker-level situational awareness.

Why ARCAT? Serves as reference implementation to ensure ARF provided by tools is valid Acts as development platform to do proof-of-concept for vendor discussions Allows for testing of bandwidth, processing, and implementation of new reporting capabilities Serves as surrogate network sensor central collection point pending commercial availability

When? Spiral 1 of ARCAT is complete and can be accessed by DoD personnel on DKO at the CND Architecture Web Site Has been distributed internal to DoD as development platform/sample implementation DISA VMS Navy NRL Others Can share with other organizations, but Not ready for deployment as finished product Not locked down in STIG d mode No promises on scalability or stability Will request memo documenting limited liability/terms of use

Lt Col Joe Wolfkiel e-mail: jlwolfkiel@nsa.gov phone: 410-854-5401 POC