Information System Continuous Monitoring (ISCM) FITSP-A Module 7

  • Slide 1
  • Information System Continuous Monitoring (ISCM) FITSP-A Module 7
  • Slide 3
  • Leadership: "Continuous monitoring is the backbone of true security." - Vivek Kundra, Federal CIO
  • Slide 4
  • FITSP-A Exam Module Objectives
      - Audit and Accountability: Manage controls in a system that facilitate the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, and investigation of the system.
      - Security Assessments and Authorization: Supervise processes that facilitate the monitoring of information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
      - System and Communication Protection: Oversee processes that monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
      - System and Information Integrity: Direct mechanisms that monitor information system security alerts and advisories and take appropriate actions in response.
  • Slide 5
  • Continuous Monitoring Overview
      - Section A: Continuous Monitoring Trends: RMF Step 6 Monitor Security Controls; Redefining Risk Management; DHS CM Reporting Metrics; Cyberscope
      - Section B: CM Guidelines, SP 800-137: ISCM Fundamentals; Organization-wide Approach; Elements of an Organization-wide CM Program; Continuous Monitoring Process
      - Section C: Automation: Automation Domains; SCAP & OCIL; Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS)
      - Section D: CM Implementation
  • Slide 6
  • CONTINUOUS MONITORING TRENDS Section A
  • Slide 7
  • RMF Step 6: Monitor Security Controls
      - Information System and Environment Changes
      - Ongoing Security Control Assessments
      - Ongoing Remediation Actions
      - Key Updates
      - Security Status Reporting
      - Ongoing Risk Determination and Acceptance
      - Information System Removal and Decommissioning
  • Slide 11
  • Risk Management Redefined: OODA Loop
  • Slide 12
  • DHS Cyberscope: Monthly Data Feeds to DHS
      1. Inventory
      2. Systems and Services
      3. Hardware
      4. Software
      5. External Connections
      6. Security Training
      7. Identity Management and Access
      - Government-wide benchmarking on security posture
      - Agency-specific interviews
  • Slide 13
  • DHS FY12 Reporting Metrics 1. Continuous Monitoring
  • Slide 14
  • Knowledge Check
      - Name the components of the new risk management model.
      - Name the reporting tool that automates agency FISMA reporting directly to DHS.
      - What 3 Continuous Monitoring metrics will DHS expect agencies to report for FY2012?
  • Slide 15
  • THE CM GUIDELINES SP 800-137 Section B
  • Slide 16
  • NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
      - Information security continuous monitoring (ISCM) is defined as: maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
      - Ongoing monitoring of information security across an organization begins with leadership defining a comprehensive ISCM strategy encompassing: technology, processes, procedures, operating environments, and people.
  • Slide 17
  • ISCM Fundamentals
      1. Define the ISCM strategy
      2. Establish an ISCM program
      3. Implement the ISCM program
      4. Analyze and report findings
      5. Respond to findings
      6. Review and update the ISCM strategy and program
  • Slide 18
  • Automated/Manual Data Feeds (Security-related Information, POAMs, SARs)
      - Risk Management Strategy:
          1. How the organization plans to assess, respond to, and monitor risk
          2. Oversight required to ensure effectiveness of the RM strategy
      - Program Management:
          1. Defined by how business processes are prioritized
          2. Types of information needed to successfully execute those business processes
      - Monitoring System-Level Controls and Security Status Reporting:
          1. Security Alerts
          2. Security Incidents
          3. Identified Threat Activities
      - ISCM Criteria
  • Slide 19
  • The CM Process
      1. Define an ISCM Strategy
      2. Establish an ISCM Program
      3. Implement an ISCM Program
      4. Determine the Appropriate Response
      5. Mitigate Risk
      6. Review and Update the Monitoring Program
  • Slide 21
  • Interrelationships to the CM Process
      - Risk Tolerance
      - Enterprise Architecture
      - Security Architecture
      - Security Configurations
      - Plans for Changes to Enterprise Architecture
      - Available Threat Information
  • Slide 22
  • AUTOMATION Section C
  • Slide 23
  • Role of Automation in ISCM (SP 800-137): consideration is given to ISCM tools that:
      - Pull information from a variety of sources (specifications, mechanisms, activities, individuals)
      - Use open specifications such as SCAP
      - Offer interoperability with other products (help desk, inventory management, configuration management, and incident response solutions)
      - Support compliance with applicable federal laws, regulations, standards, and guidelines
      - Provide reporting with the ability to tailor output
      - Allow for data consolidation into Security Information and Event Management (SIEM) tools and dashboard products
  • Slide 24
  • Security Automation Domains (SP 800-137)
      - Vulnerability & Patch Management
      - Event & Incident Management
      - Malware Detection
      - Asset Management
      - Configuration Management
      - Network Management
      - License Management
      - Information Management
      - Software Assurance
  • Slide 27
  • Software Assurance Technologies: Security Automation Domain #11 (SP 800-137)
      - Software Assurance Automation Protocol (SwAAP): measure and enumerate software weaknesses
  • Slide 28
  • Knowledge Check
      - What is the document that provides guidelines for developing a CM program?
      - What is the first step in the CM Process?
      - Name the automation specification that is a dictionary of weaknesses that can lead to exploitable vulnerabilities.
      - Data within the domains is captured, correlated, analyzed, and reported to present the security status of the organization that is represented by the domains monitored.
  • Slide 29
  • Automation and Reference Data Sources
      - Security Content Automation Protocol (SCAP): What Can Be Automated With SCAP; How to Implement SCAP; Partially Automated Controls
      - Reference Data Sources: National Vulnerability Database (NVD); Security Configuration Checklists
  • Slide 30
  • SCAP Program: NVD Primary Resources
      1. Vulnerability Search Engine
      2. National Checklist Program
      3. SCAP Compatible Tools
      4. SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
      5. Product Dictionary (CPE)
      6. Impact Metrics (CVSS)
      7. Common Weakness Enumeration (CWE)
      - NVD Data Feed Scan
  • Slide 31
  • SCAP: What Can Be Automated?
      - Vulnerability and Patch Scanners: Authenticated; Unauthenticated
      - Baseline Configuration Scanners: Federal Desktop Core Configuration (FDCC); United States Government Configuration Baseline (USGCB)
  • Slide 32
  • How to Implement SCAP with SCAP-validated Tools
  • Slide 33
  • and SCAP-expressed Checklists
  • Slide 34
  • Partially Automated Controls: Open Checklist Interactive Language (OCIL)
      - Define questions (Boolean, choice, numeric, or string)
      - Define possible answers to a question from which the user can choose
      - Define actions to be taken resulting from a user's answer
      - Enumerate the result set
      - Used in conjunction with the eXtensible Configuration Checklist Description Format (XCCDF)
  • Slide 35
  • Technologies for Aggregation and Analysis
      - Management Dashboards: meaningful and easily understandable format; provide information appropriate to roles and responsibilities
      - Security Information and Event Management (SIEM), analysis of: vulnerability scanning information, performance data, network monitoring, system audit record (log) information
      - Audit Record Correlation and Analysis
  • Slide 36
  • CAESARS Framework
  • Slide 38
  • IR 7756
  • Slide 39
  • CM Documents
  • Slide 40
  • Knowledge Check
      - Name the set of specifications used to standardize the communication of software flaws and security configurations.
      - What is the name of the U.S. government repository of standards-based vulnerability management data represented using the SCAP specifications?
      - Name an ISCM reference model that provides a foundation for a continuous monitoring reference model that aims to enable organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.
  • Slide 41
  • CM IMPLEMENTATION Section D
  • Slide 44
  • Monitoring Tool Data Sources
      | Component | ID | What is Scored | Source |
      |---|---|---|---|
      | Vulnerability | VUL | Vulnerabilities detected on a host | Foundstone (McAfee) |
      | Patch | PAT | Patches required by a host | SMS (System Center) |
      | Security Compliance | SCM | Failures of a host to use required security settings | McAfee Policy Auditor |
      | Anti-Virus | AVR | Out-of-date anti-virus signature file | SMS (System Center) |
      | Unapproved OS | UOS | Unapproved operating systems | AD |
      | Cyber Security Awareness Training | CSA | Every user who has not passed the mandatory awareness training within the last 365 days | DoS Training Database |
      | SOE Compliance | SOE | Incomplete/invalid installations of any product in the Standard Operating Environment (SOE) suite | SMS (System Center) |
      | AD Computers | ADC | Computer account password ages exceeding threshold | AD |
      | AD Users | ADU | User account password ages exceeding threshold (scores each user account, not each host) | AD |
      | SMS Reporting | SMS | Incorrect functioning of the SMS client agent | SMS (System Center) |
      | Vulnerability Reporting | VUR | Missed vulnerability scans | Foundstone (McAfee) |
      | Security Compliance Reporting | SCR | Missed security compliance scans | McAfee Policy Auditor |
  • Slide 45
  • Risk Scoring
  • Slide 46
  • Remediation
  • Slide 47
  • CM Challenges
      - The Organization of SP 800-53
      - Emerging CM Technologies: SCAP; OCIL
      - The Limitations of CAESARS
      - Department of State's iPost and Risk Scoring Program
  • Slide 48
  • CM DISCUSSION (Optional Section)
  • Slide 49
  • Organization of Security Controls
      - 18 Families (Appendix J adds 8 more control families)
      - 198 → 228 Controls
      - 892 → 1110 Control Items (Parts/Enhancements)
  • Slide 50
  • Control Catalog Redundancies Evident in USGCB
  • Slide 51
  • DoD Solution: Mapping STIG to 800-53
  • Slide 52
  • DoS Solution: Using Fishbone to Find Root Controls
  • Slide 53
  • DoS Solution: Proposed Structure of Security Control Catalog
  • Slide 54
  • The Limitations of CAESARS
      - Lack of Interface Specifications
      - Reliance on an Enterprise Service Bus
      - Incomplete Communication Payload Specifications
      - Lack of Specifications Describing Subsystem Capabilities
      - Lack of a Multi-CM Instance Capability
      - Lack of a Multi-Subsystem Instance Capability
      - CM Database Integration with Security Baseline Content
      - Lack of Detail on the Required Asset Inventory
      - Requirement for Risk Measurement
  • Slide 55
  • GAO Report on Scope of iPost Risk Scoring Program
      - Addresses Windows hosts but not other IT assets on its major unclassified network
      - Covers a set of 10 scoring components that includes some, but not all, information system controls that are intended to reduce risk
      - State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment
  • Slide 56
  • Minimum Security Controls (FIPS 200) vs. Controls Monitored by iPost
      | Minimum Security Controls (FIPS 200) | Controls Monitored by iPost |
      |---|---|
      | Access Control | Security Compliance (AD Group check) |
      | Awareness and Training | Awareness Training |
      | Audit and Accountability | Reporting |
      | Security Assessment and Authorization | |
      | Configuration Management | Patching, SOE, Reporting (Inventory) |
      | Contingency Planning | |
      | Identification and Authentication | AD Computers & Users |
      | Incident Response | |
      | Maintenance | |
      | Media Protection | |
      | Physical and Environmental Protection | |
      | Planning | |
      | Personnel Security | |
      | Risk Assessment | Vulnerabilities |
      | System and Services Acquisition | |
      | System and Communications Protection | |
      | System and Information Integrity | Patching, Antivirus |
  • Slide 57
  • Challenges with Implementation of iPost
      - Overcoming limitations and technical issues with data collection tools
      - Identifying and notifying individuals with responsibility for site-level security
      - Implementing configuration management for iPost
      - Adopting a strategy for continuous monitoring of controls
      - Managing stakeholder expectations for continuous monitoring activities
  • Slide 58
  • Continuous Monitoring Key Concepts & Vocabulary
      - Role in the RMF Process: RMF Step 6 Monitor Security Controls
      - Characteristics of Continuous Monitoring: organization-wide approach
      - Elements of an Organization-wide CM Program
      - Continuous Monitoring Process
      - Role of Automation
      - Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS)
  • Slide 64
  • Questions?