FITSI-DC - Continuous Monitoring


  • 7/28/2019 FITSI-DC - Continuous Monitoring

    1/52

    Continuous Monitoring

    The Evolution of FISMA Compliance

    Tina Kuligowski

    [email protected]

    Overview

    Evolution of FISMA Compliance
      NIST Standards & Guidelines (SP 800-37r1, SP 800-53)
      OMB Memorandums (M-11-33, M-10-28)
      DHS Federal Information Security Memorandums (FISM 11-02)
      The Deltas
    CM Tools & Technologies
      Guidelines: SP 800-137, Information Security Continuous Monitoring
      Automation Domains, Tools and Technologies (SCAP, NVD)
      CAESARS Framework & State's iPost
    CM Challenges
      The Organization of SP 800-53
      The Limitations of CAESARS
      GAO Report: Limitations of iPost and the Risk Scoring Program

    Evolution of FISMA Compliance

    SP 800-37r1 Deltas: C&A vs RMF
      Joint Task Force
      Organization-wide RM Strategy
        Risk Executive (function) [Tier 1]
        Information Security Architect [Tier 2]
        Information System Security Engineer [Tier 3]
      Risk Redefined
    OMB M-11-33 FISMA Reporting Instructions
    DHS Cyberscope

    Traditional C&A (SP 800-37, 2004) vs. Risk Management Framework (SP 800-37r1)

    C&A Phase             | C&A Task                                 | C&A Subtask                                 | RMF Step / Task
    Initiation            | 1: Preparation                           | Information System Description              | 1.2 Information System Description
    Initiation            | 1: Preparation                           | Security Categorization                     | 1.1 Security Categorization
    Initiation            | 1: Preparation                           | (no C&A equivalent)                         | 1.3 Information System Registration
    Initiation            | 1: Preparation                           | Threat Identification                       | (no RMF equivalent)
    Initiation            | 1: Preparation                           | Vulnerability Identification                | (no RMF equivalent)
    Initiation            | 1: Preparation                           | Security Control Identification             | 2.1 Common Control Identification; 2.2 Security Control Selection; 2.3 Monitoring Strategy; 3.1 Security Control Implementation; 3.2 Security Control Documentation
    Initiation            | 1: Preparation                           | Initial Risk Determination                  | (no RMF equivalent)
    Initiation            | 2: Notification                          | Notification                                | (no RMF equivalent)
    Initiation            | 2: Notification                          | Planning and Resources                      | (no RMF equivalent)
    Initiation            | 3: SSP Analysis, Update, and Acceptance  | Security Categorization Review              | (no RMF equivalent)
    Initiation            | 3: SSP Analysis, Update, and Acceptance  | System Security Plan Analysis               | (no RMF equivalent)
    Initiation            | 3: SSP Analysis, Update, and Acceptance  | System Security Plan Update                 | (no RMF equivalent)
    Initiation            | 3: SSP Analysis, Update, and Acceptance  | System Security Plan Acceptance             | 2.4 Security Plan Approval
    Certification         | 4: Security Control Assessment           | Documentation and Supporting Materials      | 4.1 Assessment Preparation
    Certification         | 4: Security Control Assessment           | Methods and Procedures                      | 4.1 Assessment Preparation
    Certification         | 4: Security Control Assessment           | Security Assessment                         | 4.2 Security Control Assessment
    Certification         | 4: Security Control Assessment           | Security Assessment Report                  | 4.3 Security Assessment Report
    Certification         | 5: Security Certification Documentation  | Findings and Recommendations                | 4.4 Remediation Actions
    Certification         | 5: Security Certification Documentation  | System Security Plan Update                 | (no RMF equivalent)
    Certification         | 5: Security Certification Documentation  | POA&M Preparation                           | 5.1 Plan of Action and Milestones
    Certification         | 5: Security Certification Documentation  | Accreditation Package Assembly              | 5.2 Security Authorization Package
    Accreditation         | 6: Accreditation Decision                | Final Risk Determination                    | 5.3 Risk Determination
    Accreditation         | 6: Accreditation Decision                | Risk Acceptability                          | 5.4 Risk Acceptance
    Accreditation         | 7: Security Accreditation Documentation  | Security Accreditation Package Transmission | (no RMF equivalent)
    Accreditation         | 7: Security Accreditation Documentation  | System Security Plan Update                 | (no RMF equivalent)
    Continuous Monitoring | 8: Configuration Management              | Documentation of Information System Changes | 6.1 Information System and Environment Changes
    Continuous Monitoring | 8: Configuration Management              | Security Impact Analysis                    | 6.1 Information System and Environment Changes
    Continuous Monitoring | 9: Control Monitoring                    | Security Control Selection                  | 2.3 Monitoring Strategy (approximate match)
    Continuous Monitoring | 9: Control Monitoring                    | Selected Security Control Assessment        | 6.2 Ongoing Security Control Assessments
    Continuous Monitoring | 10: Status Reporting and Documentation   | System Security Plan Update                 | 6.4 Key Updates
    Continuous Monitoring | 10: Status Reporting and Documentation   | POA&M Update                                | 6.3 Ongoing Remediation Actions
    Continuous Monitoring | 10: Status Reporting and Documentation   | Status Reporting                            | 6.5 Security Status Reporting
    Continuous Monitoring | (RMF only)                               | (no C&A equivalent)                         | 6.6 Ongoing Risk Determination and Acceptance
    Continuous Monitoring | (RMF only)                               | (no C&A equivalent)                         | 6.7 Information System Removal and Decommissioning

    Joint Task Force Transformation Initiative

    An ongoing effort to produce a unified information security framework for the federal government.

    Participants: Department of Defense; Office of the Director of National Intelligence; Committee on National Security Systems; National Institute of Standards and Technology.

    Legacy C&A guidelines being unified: DITSCAP/DIACAP, NIACAP, DCID 6/3.

    Unified products: SP 800-37 Risk Management Framework; SP 800-53r3 Security Controls; SP 800-39 Managing Information Security Risk.

    Collaboration among public and private sector entities: DoD, ODNI, NSA (CNSSI 1253), ISO/IEC (27001), Johns Hopkins APL, MITRE Corporation (CVE, the vulnerability feed behind NVD), Booz Allen Hamilton.

    Organization-wide RM Strategy / New Roles

    Risk Executive (function)
    Information Security Architect
    Information System Security Engineer

    OMB M-11-33 FISMA Reporting Instructions

    FAQ #9. Must the Department of Defense (DoD) and the Office of the Director of National Intelligence (ODNI) follow OMB policy and NIST guidelines?

    Answer: Yes, for non-national security systems DoD and ODNI are to incorporate OMB policy and NIST guidelines into their internal policies.

    Note: NSA uses CNSSI 1253, which looks very similar to a compilation of FIPS 199/200, references SP 800-53, and provides a very FDCC/USGCB-like baseline of configuration settings.

    Clarifying DHS Cybersecurity Responsibilities (OMB M-10-28)

    Critical Infrastructure Protection (US-CERT)
    Trusted Internet Connection Initiative
    Primary Responsibility for the Operational Aspects of Cybersecurity
    FISMA Reporting Instructions
    New FISMA Reporting Metrics
    Cyberscope

    DHS FISM 11-02 (issued alongside OMB M-11-33) FISMA Reporting Instructions

    FAQ #28. Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130?

    Answer: No. Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs.

    FY2011 Reporting Metrics

    13. Continuous Monitoring
    13.1. What percentage of data from the following potential data feeds are being monitored at appropriate frequencies and levels in the Agency:
      13.1a. IDS/IPS
      13.1b. AV/Anti-Malware/Anti-Spyware
      13.1c. System Logs
      13.1d. Application Logs
      13.1e. Patch Status
      13.1f. Vulnerability Scans
      13.1g. DNS logging
      13.1h. Configuration/Change Management system alerts
      13.1i. Failed Logins for privileged accounts
      13.1j. Physical security logs for access to restricted areas (e.g. data centers)

    DHS Cyberscope

    Monthly Data Feeds to DHS:
      1. Inventory
      2. Systems and Services
      3. Hardware
      4. Software
      5. External Connections
      6. Security Training
      7. Identity Management and Access
    Government-wide benchmarking on security posture
    Agency-specific interviews

    Risk Management Redefined: OODA Loop (SP 800-137)

    SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

    Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

    ISCM begins with leadership defining a comprehensive ISCM strategy encompassing:
      technology
      processes
      procedures
      operating environments
      people

    ISCM Criteria (SP 800-137)

    Risk Management Strategy:
      1. How the organization plans to assess, respond to, and monitor risk
      2. Oversight required to ensure effectiveness of the RM strategy
    Program Management:
      1. Defined by how business processes are prioritized
      2. Types of information needed to successfully execute those business processes
    Monitoring System-Level Controls and Security Status Reporting:
      1. Security Alerts
      2. Security Incidents
      3. Identified Threat Activities

    Guidance: SP 800-137

    Risk Tolerance
    Enterprise Architecture
    Security Architecture
    Security Configurations
    Plans for Changes to Enterprise Architecture
    Available Threat Information

    The CM Process (SP 800-137)

    Define an ISCM Strategy
    Establish an ISCM Program
    Implement an ISCM Program
    Determine the Appropriate Response
    Mitigate Risk
    Review and Update the Monitoring Program

    Role of Automation in ISCM (SP 800-137)

    Consideration is given to ISCM tools that:
      Pull information from a variety of sources (specifications, mechanisms, activities, individuals)
      Use open specifications such as SCAP
      Offer interoperability with other products (help desk, inventory management, configuration management, and incident response solutions)
      Support compliance with applicable federal laws, regulations, standards, and guidelines
      Provide reporting with the ability to tailor output
      Allow for data consolidation into Security Information and Event Management (SIEM) tools and dashboard products

    Security Automation Domains (SP 800-137)

    Vulnerability & Patch Management
    Event & Incident Management
    Malware Detection
    Asset Management
    Configuration Management
    Network Management
    License Management
    Information Management
    Software Assurance

    Automation Domains: Tools, Technologies and NIST Guidelines (SP 800-137)

    Domain                       | Tools and Technologies                                                                                                              | NIST Guidelines
    1 - Vulnerability Management | Vulnerability scanners                                                                                                              | NIST SP 800-40, Creating a Patch and Vulnerability Management Program
    2 - Patch Management         | Patch management tools                                                                                                              | NIST SP 800-40, Creating a Patch and Vulnerability Management Program
    3 - Event Management         | Intrusion detection/prevention systems and logging mechanisms                                                                       | NIST SP 800-92, Guide to Computer Security Log Management
    4 - Incident Management      | Intrusion detection/prevention systems and logging mechanisms                                                                       | NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
    5 - Malware Detection        | Antivirus/malware detection mechanisms                                                                                              | NIST SP 800-83, Guide to Malware Incident Prevention and Handling
    6 - Configuration Management | SCAP, SIEM, dashboards                                                                                                              | NIST SP 800-126r2, The Technical Specification for SCAP Version 1.2
    7 - Asset Management         | System configuration, network management, and license management tools                                                             |
    8 - Network Management       | Host discovery, inventory, change control, performance monitoring, and other network device management capabilities                 |
    9 - License Management       | License management tools                                                                                                            |
    10 - Information Management  | Data Loss Prevention (DLP) tools: network analysis software, application firewalls, and intrusion detection and prevention systems  |
    11 - Software Assurance      | See next slide                                                                                                                      |

    Software Assurance Technologies: Security Automation Domain #11

    Software Assurance Automation Protocol (SwAAP): measure and enumerate software weaknesses
      CWE, Common Weakness Enumeration: dictionary of weaknesses that can lead to exploitable vulnerabilities
      CWSS, Common Weakness Scoring System: assigning risk scores to weaknesses
      CAPEC, Common Attack Pattern Enumeration & Classification: catalog of attack patterns
      MAEC, Malware Attribute Enumeration & Characterization: standardized language about malware, based on attributes such as behaviors and attack patterns
    SP 800-137

    DHS Reporting Metrics

    12. Software Assurance
    12.1. Provide the number of information systems, developed in-house or with commercial services, deployed in the past 12 months.
      12.1a. Provide the number of information systems above (12.1) that were tested using automated source code testing tools.
      12.1b. Provide the number of the information systems above (12.1a) where the tools generated output compliant with:
        12.1b(1). Common Vulnerabilities and Exposures (CVE)
        12.1b(2). Common Weakness Enumeration (CWE)
        12.1b(3). Common Vulnerability Scoring System (CVSS)
        12.1b(4). Open Vulnerability and Assessment Language (OVAL)

    Source code testing tools are defined as tools that review source code line by line to detect security vulnerabilities and provide guidance on how to correct problems identified.

    Automation and Reference Data Sources (SP 800-137)

    Security Content Automation Protocol (SCAP)
      What Can Be Automated With SCAP
      How to Implement SCAP
      Partially Automated Controls
    Reference Data Sources
      National Vulnerability Database (NVD)
      Security Configuration Checklists

    SCAP Program: NVD Primary Resources

    1. Vulnerability Search Engine
    2. National Checklist Program
    3. SCAP Compatible Tools
    4. SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
    5. Product Dictionary (CPE)
    6. Impact Metrics (CVSS)
    7. Common Weakness Enumeration (CWE)

    NVD Data Feed -> Scan
    SP 800-137

    Tool vendor links shown on the slide:
      http://www.netiq.com/
      http://www.symantec.com/business/control-compliance-suite
      http://www.telos.com/
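The "Impact Metrics (CVSS)" an SCAP scanner pulls from the NVD feed are CVSS base scores, and the CVSS v2 base vector is what lets a monitoring program turn a list of CVE hits into a prioritized queue. The block below is an added example, not code from the slides, from NIST or from any of the vendors linked above: it implements the published CVSS v2 base equation (the weights and the 1.176 impact factor are the specification's own constants), applies NVD's v2 severity bands, and ranks a constructed set of scanner findings. The host names, the `VULN-*` identifiers and the vectors in `SAMPLE_FINDINGS` are made up for the example.

```python
import re

# CVSS v2 base-metric weights and equation, as published in the CVSS v2 guide.
# Nothing here comes from the slides; the sample findings below are constructed.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}

VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$"
)


def parse_vector(vector):
    """Split a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into its six metrics."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal the way NVD publishes it."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[v["C"]])
                         * (1 - IMPACT_WEIGHT[v["I"]])
                         * (1 - IMPACT_WEIGHT[v["A"]]))
    exploitability = (20 * ACCESS_VECTOR[v["AV"]]
                         * ACCESS_COMPLEXITY[v["AC"]]
                         * AUTHENTICATION[v["Au"]])
    # f(Impact): a vector with no confidentiality/integrity/availability impact scores 0
    # no matter how exploitable it is.
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1) + 0.0


def severity(score):
    """NVD's CVSS v2 severity bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Constructed scanner output: (host, vulnerability id, CVSS v2 vector as carried in the NVD feed).
SAMPLE_FINDINGS = [
    ("web01", "VULN-A", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),   # remote, unauthenticated, full compromise
    ("web01", "VULN-B", "AV:N/AC:L/Au:N/C:P/I:N/A:N"),   # remote information disclosure
    ("db01",  "VULN-C", "AV:N/AC:M/Au:N/C:P/I:P/A:P"),   # the classic client-side bug profile
    ("db01",  "VULN-D", "AV:L/AC:L/Au:N/C:N/I:N/A:N"),   # no impact at all
]


def prioritize(findings):
    """Rank findings by base score, highest first; equal scores keep scanner order."""
    scored = []
    for host, vid, vector in findings:
        score = base_score(vector)
        scored.append((host, vid, score, severity(score)))
    return sorted(scored, key=lambda f: -f[2])


if __name__ == "__main__":
    for host, vid, score, sev in prioritize(SAMPLE_FINDINGS):
        print("%-6s %-7s %4.1f %s" % (host, vid, score, sev))
```

Two things worth noticing when you wire this into a scoring program: the base score has no environmental term, so two hosts with the same CVE get the same number regardless of where they sit (the GAO's later criticism of iPost, covered below, is about exactly that), and `f_impact` means a finding with `C:N/I:N/A:N` sorts to the bottom even if it is trivially exploitable.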
    SCAP: What Can Be Automated?

    Vulnerability and Patch Scanners
      Authenticated
      Unauthenticated
    Baseline Configuration Scanners
      Federal Desktop Core Configuration (FDCC)
      United States Government Configuration Baseline (USGCB)
    SP 800-137

    How to Implement SCAP: with SCAP-validated Tools and SCAP-expressed Checklists
    SP 800-137

    Partially Automated Controls

    Open Checklist Interactive Language (OCIL)
      Define questions (Boolean, choice, numeric, or string)
      Define possible answers to a question from which the user can choose
      Define actions to be taken resulting from a user's answer
      Enumerate the result set
    Used in conjunction with the eXtensible Configuration Checklist Description Format (XCCDF)
    SP 800-137
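What an SCAP-validated tool hands back after running an SCAP-expressed checklist is an XCCDF result document (for OpenSCAP, the file written by `oscap xccdf eval --results`), and the difference between a fully automated control and a partially automated one is visible right there: a rule whose `check` points at OVAL content gets a real pass/fail, while a rule whose `check` points at an OCIL questionnaire comes back `notchecked` until a person answers it. The block below is an added example, not code from the slides, from NIST or from any SCAP tool: it parses a constructed XCCDF 1.2 result document (the benchmark, rule ids, the `CCE-EXAMPLE-0001` identifier, the target name and the results are all made up), separates failures from rules that still need a human answer, and computes a compliance percentage over the rules that were actually evaluated. The choice to count `error` and `unknown` against compliance is this example's, not something the slides specify.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"   # automated check content
OCIL_SYSTEM = "http://scap.nist.gov/schema/ocil/2"                   # questionnaire (manual) check content

PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}   # tool errors count against compliance, not as free passes

# Constructed XCCDF 1.2 result document: rule ids, the CCE-style identifier, the target
# name and every result are made up for this example.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Rule id="xccdf_org.example_rule_min_pw_len" severity="medium">
    <title>Minimum password length is 12</title>
    <ident system="http://cce.mitre.org">CCE-EXAMPLE-0001</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:1"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_audit_enabled" severity="high">
    <title>Audit logging service enabled</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:2"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_dc_visitor_log" severity="low">
    <title>Visitor log kept at data center entrance</title>
    <check system="http://scap.nist.gov/schema/ocil/2">
      <check-content-ref href="demo-ocil.xml" name="ocil:org.example:questionnaire:1"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_ipv6_disabled" severity="low">
    <title>IPv6 disabled where unused</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:3"/></check>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_demo">
    <target>host01.example.test</target>
    <rule-result idref="xccdf_org.example_rule_min_pw_len"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_enabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_dc_visitor_log"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_ipv6_disabled"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def load_rules(root):
    """Index every Rule (at any Group depth) by id with what is needed to interpret its result."""
    rules = {}
    for rule in root.iter(XCCDF + "Rule"):
        check = rule.find(XCCDF + "check")
        ident = rule.find(XCCDF + "ident")
        rules[rule.get("id")] = {
            "title": rule.findtext(XCCDF + "title", ""),
            "severity": rule.get("severity", "unknown"),
            "check_system": check.get("system") if check is not None else None,
            "ident": ident.text if ident is not None else None,
        }
    return rules


def summarize(xml_text):
    """Turn one TestResult into failures to fix, OCIL rules to answer, and a compliance figure."""
    root = ET.fromstring(xml_text)
    rules = load_rules(root)
    test_result = root.find(XCCDF + "TestResult")
    counts, failures, manual = Counter(), [], []
    for rr in test_result.findall(XCCDF + "rule-result"):
        rule_id = rr.get("idref")
        outcome = rr.findtext(XCCDF + "result")
        rule = rules.get(rule_id, {})
        counts[outcome] += 1
        if outcome in FAILING:
            failures.append({"id": rule_id, "severity": rule.get("severity"),
                             "title": rule.get("title"), "ident": rule.get("ident")})
        elif rule.get("check_system") == OCIL_SYSTEM and outcome not in PASSING:
            manual.append(rule_id)   # questionnaire never ran: this control is only partially automated
    passed = sum(counts[r] for r in PASSING)
    failed = sum(counts[r] for r in FAILING)
    compliance = round(100.0 * passed / (passed + failed), 1) if passed + failed else None
    order = {"high": 0, "medium": 1, "low": 2}
    failures.sort(key=lambda f: order.get(f["severity"], 3))   # worst first for the remediation queue
    return {"target": test_result.findtext(XCCDF + "target"), "counts": dict(counts),
            "failures": failures, "manual": manual, "compliance_pct": compliance}


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(s["target"], s["compliance_pct"], s["counts"])
    for f in s["failures"]:
        print("FAIL", f["severity"], f["ident"], f["title"])
    print("needs manual answer:", s["manual"])
```

The `notapplicable` rule is excluded from the denominator on purpose; folding it into either side would let a checklist written for a different platform inflate or deflate the score. The `manual` list is the set to feed to an OCIL questionnaire run (or a human) before the compliance number is reported upward.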

    Technologies for Aggregation and Analysis

    Management Dashboards
      Meaningful and easily understandable format
      Provide information appropriate to roles and responsibilities
    Security Information and Event Management (SIEM), analysis of:
      Vulnerability scanning information
      Performance data
      Network monitoring
      System audit record (log) information
    Audit record correlation and analysis
    SP 800-137
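"Audit record correlation and analysis" is the piece of the SIEM that turns the raw feed from metric 13.1i (failed logins for privileged accounts) into something a dashboard can show. The block below is an added example and not code from the slides or from any SIEM product: it parses constructed OpenSSH syslog lines (the hosts, accounts, addresses and timestamps are made up), counts failed logins per privileged account and source inside a sliding window, and raises a second, more interesting alert when a success from the same source follows a run of failures. The privileged-account list, the threshold of three failures and the five-minute window are assumptions a site would replace with its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Site-specific assumptions for the example: which accounts count as privileged,
# how many failures inside the window trigger an alert, and how long the window is.
PRIVILEGED = {"root", "oracle", "backupadmin"}
THRESHOLD = 3
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

# Constructed auth log: three root failures then a root success from one source,
# one failure for a nonexistent account, and a normal user who mistyped once.
SAMPLE_LOG = """\
Jun  1 10:00:01 web01 sshd[4101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jun  1 10:00:09 web01 sshd[4102]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jun  1 10:00:15 web01 sshd[4103]: Failed password for invalid user guest from 198.51.100.2 port 40000 ssh2
Jun  1 10:00:31 web01 sshd[4104]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun  1 10:00:40 web01 sshd[4105]: Accepted password for root from 203.0.113.7 port 51003 ssh2
Jun  1 10:22:03 web01 sshd[4150]: Failed password for alice from 192.0.2.9 port 47000 ssh2
Jun  1 10:22:10 web01 sshd[4151]: Accepted password for alice from 192.0.2.9 port 47001 ssh2
"""


def parse(log_text, year=2011):
    """Yield (timestamp, host, outcome, user, src) for every sshd password line; syslog has no year."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["outcome"], m["user"], m["src"]


def detect(log_text):
    """Correlate failures and successes per (user, source) and return the alerts in time order."""
    alerts = []
    failures = defaultdict(list)          # (user, src) -> timestamps of recent failures
    for ts, host, outcome, user, src in sorted(parse(log_text)):
        key = (user, src)
        recent = [t for t in failures[key] if ts - t <= WINDOW]
        if outcome == "Failed":
            recent.append(ts)
            failures[key] = recent
            if user in PRIVILEGED and len(recent) == THRESHOLD:   # fire once, at the threshold
                alerts.append({"rule": "privileged-bruteforce", "host": host, "user": user,
                               "src": src, "failures": len(recent), "at": ts.isoformat()})
        else:
            if user in PRIVILEGED and recent:
                alerts.append({"rule": "privileged-success-after-failures", "host": host,
                               "user": user, "src": src, "failures": len(recent),
                               "at": ts.isoformat()})
            failures[key] = []            # a success closes the episode either way
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["at"], a["rule"], a["user"], "from", a["src"], "after", a["failures"], "failures")
```

Keying on (account, source) rather than on the account alone is deliberate: a single privileged account being probed from many addresses and one address walking through many accounts are different attacks, and the second alert type is the one worth paging on, because three failures followed by a success is what a guessed or sprayed password looks like in the log.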

    CAESARS Framework (NIST IR 7756)

    CM Documents (NIST IR 7756)

    Department of State's iPost

    Custom application that continuously monitors
    Uses data from various monitoring tools
    Holistic view of risk
    Leveraging competitiveness
    Encourage risk reduction

    iPost Development Stages

    Deploy Enterprise Monitoring Tools
    Aggregate Monitoring Data: iPost
    Establish Risk Scoring Program

    Monitoring Tool Data Sources

    Component                            | ID  | What is Scored                                                                              | Source
    Vulnerability                        | VUL | Vulnerabilities detected on a host                                                          | Foundstone (McAfee)
    Patch                                | PAT | Patches required by a host                                                                  | SMS (System Center)
    Security Compliance                  | SCM | Failures of a host to use required security settings                                        | McAfee Policy Auditor
    Anti-Virus                           | AVR | Out-of-date anti-virus signature file                                                       | SMS (System Center)
    Unapproved OS                        | UOS | Unapproved operating systems                                                                | AD
    Cyber Security Awareness Training    | CSA | Every user who has not passed the mandatory awareness training within the last 365 days     | DoS Training Database
    SOE Compliance                       | SOE | Incomplete/invalid installations of any product in the Standard Operating Environment suite | SMS (System Center)
    AD Computers                         | ADC | Computer account password ages exceeding threshold                                          | AD
    AD Users                             | ADU | User account password ages exceeding threshold (scores each user account, not each host)    | AD
    SMS Reporting                        | SMS | Incorrect functioning of the SMS client agent                                               | SMS (System Center)
    Vulnerability Reporting              | VUR | Missed vulnerability scans                                                                  | Foundstone (McAfee)
    Security Compliance Reporting        | SCR | Missed security compliance scans                                                            | McAfee Policy Auditor

    Risk Scoring

    Remediation
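The scoring and remediation slides are images, but the data-source table above is enough to show how a program of this shape is built: each component contributes points per host from its own tool's output, hosts roll up to sites, and sites are ranked against each other, which is what "leveraging competitiveness" means in practice. The block below is an added example, not iPost's code and not a description of State's actual formula, which the slides do not give: the point values, the patch-aging rule, the signature-age and password-age thresholds and the per-host data are all assumptions made for the example. It covers the VUL, PAT, SCM, AVR and ADC components from the table; the ADC check shows the one genuinely fiddly part, converting the Windows FILETIME that AD stores in `pwdLastSet`.

```python
from datetime import datetime, timedelta, timezone

# Point values are assumptions for this example; the slides do not give iPost's weights.
VULN_POINTS = {"high": 10.0, "medium": 4.0, "low": 1.0}   # VUL: per detected vulnerability
PATCH_POINTS = 3.0        # PAT: per missing patch ...
PATCH_AGING_DAYS = 30     # ... plus one extra point per 30 days the patch has been outstanding
SETTING_POINTS = 1.0      # SCM: per failed required security setting
AV_STALE_POINTS = 5.0     # AVR: flat penalty if the signature file is older than AV_MAX_AGE
AV_MAX_AGE = timedelta(days=7)
ADC_STALE_POINTS = 5.0    # ADC: flat penalty if the computer account password is older than ADC_MAX_AGE
ADC_MAX_AGE = timedelta(days=90)

NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)      # fixed "scan date" so the example is reproducible
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; used here only to construct realistic sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Constructed per-host data in the shape the tools in the table would report it.
HOSTS = [
    {"site": "BERLIN", "host": "ber-ws-01", "vulns": ["high", "medium"],
     "missing_patch_age_days": [45, 10], "failed_settings": 2,
     "av_signature_date": NOW - timedelta(days=2),
     "pwd_last_set": datetime_to_filetime(NOW - timedelta(days=30))},
    {"site": "BERLIN", "host": "ber-ws-02", "vulns": [],
     "missing_patch_age_days": [], "failed_settings": 0,
     "av_signature_date": NOW - timedelta(days=20),          # stale signatures
     "pwd_last_set": datetime_to_filetime(NOW - timedelta(days=200))},   # machine account never rotated
    {"site": "ROME", "host": "rom-ws-01", "vulns": ["low"],
     "missing_patch_age_days": [95], "failed_settings": 1,
     "av_signature_date": NOW - timedelta(days=1),
     "pwd_last_set": datetime_to_filetime(NOW - timedelta(days=10))},
]


def score_host(h, now=NOW):
    """Return (total, per-component breakdown) for one host; higher means more risk."""
    breakdown = {
        "VUL": sum(VULN_POINTS[s] for s in h["vulns"]),
        "PAT": sum(PATCH_POINTS + age // PATCH_AGING_DAYS for age in h["missing_patch_age_days"]),
        "SCM": SETTING_POINTS * h["failed_settings"],
        "AVR": AV_STALE_POINTS if now - h["av_signature_date"] > AV_MAX_AGE else 0.0,
        "ADC": ADC_STALE_POINTS if now - filetime_to_datetime(h["pwd_last_set"]) > ADC_MAX_AGE else 0.0,
    }
    return sum(breakdown.values()), breakdown


def rank_sites(hosts):
    """Roll host scores up to sites and rank them, lowest average risk first (the competitive view)."""
    sites = {}
    for h in hosts:
        total, _ = score_host(h)
        s = sites.setdefault(h["site"], {"site": h["site"], "hosts": 0, "total": 0.0})
        s["hosts"] += 1
        s["total"] += total
    for s in sites.values():
        s["average"] = round(s["total"] / s["hosts"], 1)
    return sorted(sites.values(), key=lambda s: s["average"])


if __name__ == "__main__":
    for h in HOSTS:
        total, breakdown = score_host(h)
        print("%-7s %-10s %5.1f %s" % (h["site"], h["host"], total, breakdown))
    for rank, s in enumerate(rank_sites(HOSTS), 1):
        print(rank, s["site"], "hosts=%d total=%.1f avg=%.1f" % (s["hosts"], s["total"], s["average"]))
```

Ranking by average rather than total keeps a large site from losing simply for being large. Note also what this model does not contain: nothing in it reflects threat, impact or likelihood specific to the environment, which is the third finding of the GAO report summarized later in the deck. The points are additive proxies for "things that should have been fixed", which is useful for driving remediation and not the same thing as a risk measurement.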

    CM Challenges

    The Organization of SP 800-53
    Emerging CM Technologies
      SCAP
      OCIL
    The Limitations of CAESARS
    Department of State's iPost and Risk Scoring Program

    Organization of Security Controls

    18 Families
    198 Controls
    892 Control Items (Parts/Enhancements)

    Evident in USGCB

    Mapping STIG to 800-53

    Using Fishbone to Find Root Controls

    [Figure: fishbone diagram with eleven numbered nodes. The spine reads "Plan, Engineer, & Prepare for Operations" on the left and "Operate, Monitor, & Improve" on the right, under the phase headings Prepare, Operate & Check, Improve Effectiveness, and Measure. Bone labels: Policy & Planning; Requirements Definition; Design/Test/AQ/Infrastructure; Plan; Prep Staff; Value Proposition/Operational Metric; Track Desired State; Track Actual; ID/Score Deviations; Assign Scores to Delta; Find Systemic Problems; Fix Issues by Priority; Manage & Operate. The assignment of numbers to bones is not recoverable from the extraction.]

    The Limitations of CAESARS

    Lack of Interface Specifications
    Reliance on an Enterprise Service Bus
    Incomplete Communication Payload Specifications
    Lack of Specifications Describing Subsystem Capabilities
    Lack of a Multi-CM Instance Capability
    Lack of a Multi-Subsystem Instance Capability
    CM Database Integration with Security Baseline Content
    Lack of Detail on the Required Asset Inventory
    Requirement for Risk Measurement

    GAO Report on Scope of iPost Risk Scoring Program

    (1) Addresses Windows hosts but not other IT assets on its major unclassified network
    (2) Covers a set of 10 scoring components that includes some, but not all, information system controls that are intended to reduce risk
    (3) State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment

    Minimum Security Controls (FIPS 200) vs. Controls Monitored by iPost

    FIPS 200 Control Family                   | Monitored by iPost
    Access Control                            | Security Compliance (AD group check)
    Awareness and Training                    | Awareness Training
    Audit and Accountability                  | Reporting
    Security Assessment and Authorization     | (not monitored)
    Configuration Management                  | Patching, SOE, Reporting (Inventory)
    Contingency Planning                      | (not monitored)
    Identification and Authentication         | AD Computers & Users
    Incident Response                         | (not monitored)
    Maintenance                               | (not monitored)
    Media Protection                          | (not monitored)
    Physical and Environmental Protection     | (not monitored)
    Planning                                  | (not monitored)
    Personnel Security                        | (not monitored)
    Risk Assessment                           | Vulnerabilities
    System and Services Acquisition           | (not monitored)
    System and Communications Protection      | (not monitored)
    System and Information Integrity          | Patching, Antivirus

    Challenges with Implementation of iPost

    (1) Overcoming limitations and technical issues with data collection tools
    (2) Identifying and notifying individuals with responsibility for site-level security
    (3) Implementing configuration management for iPost
    (4) Adopting a strategy for continuous monitoring of controls
    (5) Managing stakeholder expectations for continuous monitoring activities

    Review

    FISMA Compliance
      OMB Memorandums
      DHS FISMs
      NIST Standards & Guidelines
      Evolution via Deltas
    CM Tools & Technologies
      Guidelines: SP 800-137
      Automation Domains (SCAP, NVD)
      CAESARS Framework & State's iPost
    CM Challenges
      The Organization of SP 800-53
      The Limitations of CAESARS
      Your Organization's ISCM

    FITSI Objectives
      1. Consistent Body of Knowledge
      2. Training Baseline
    Overcome CM Challenges with Collective Contributions

    Q&A

    Tina Kuligowski

    [email protected]

    [email protected]

    571-229-0543
