FITSP-A Module 7: Information System Continuous Monitoring (ISCM)
Slide 3: Leadership
"Continuous monitoring is the backbone of true security." - Vivek Kundra, Federal CIO
Slide 4: FITSP-A Exam Module Objectives
- Audit and Accountability: Manage controls in a system that facilitate the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, and investigation of the system.
- Security Assessments and Authorization: Supervise processes that facilitate the monitoring of information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
- System and Communication Protection: Oversee processes that monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- System and Information Integrity: Direct mechanisms that monitor information system security alerts and advisories and take appropriate actions in response.
Slide 5: Continuous Monitoring Overview
- Section A: Continuous Monitoring Trends
  - RMF Step 6: Monitor Security Controls
  - Redefining Risk Management
  - DHS CM Reporting Metrics
  - Cyberscope
- Section B: CM Guidelines, SP 800-137
  - ISCM Fundamentals
  - Organization-wide Approach
  - Elements of an Organization-wide CM Program
  - Continuous Monitoring Process
- Section C: Automation
  - Automation Domains
  - SCAP and OCIL
  - Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS)
- Section D: CM Implementation
Slide 6: Section A: Continuous Monitoring Trends
Slide 7: RMF Step 6: Monitor Security Controls
- Information System and Environment Changes
- Ongoing Security Control Assessments
- Ongoing Remediation Actions
- Key Updates
- Security Status Reporting
- Ongoing Risk Determination and Acceptance
- Information System Removal and Decommissioning
Slide 11: Risk Management Redefined: OODA Loop
Slide 12: DHS Cyberscope
- Monthly data feeds to DHS:
  1. Inventory
  2. Systems and Services
  3. Hardware
  4. Software
  5. External Connections
  6. Security Training
  7. Identity Management and Access
- Government-wide benchmarking on security posture
- Agency-specific interviews
Knowledge Check
- Name the components of the new risk management model.
- Name the reporting tool that automates agency FISMA reporting directly to DHS.
- What three Continuous Monitoring metrics will DHS expect agencies to report for FY2012?
Slide 15: Section B: The CM Guidelines, SP 800-137
Slide 16: NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
- Information security continuous monitoring (ISCM) is defined as: maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
- Ongoing monitoring of information security across an organization begins with leadership defining a comprehensive ISCM strategy encompassing:
  - technology
  - processes
  - procedures
  - operating environments
  - people
Slide 17: ISCM Fundamentals
- Define the ISCM strategy
- Establish an ISCM program
- Implement the ISCM program
- Analyze and report findings
- Respond to findings
- Review and update the ISCM strategy and program
Slide 18
- Automated/Manual Data Feeds (security-related information, POA&Ms, SARs)
- Risk Management Strategy:
  1. How the organization plans to assess, respond to, and monitor risk
  2. Oversight required to ensure effectiveness of the RM strategy
- Program Management:
  1. Defined by how business processes are prioritized
  2. Types of information needed to successfully execute those business processes
- Monitoring System-Level Controls and Security Status Reporting:
  1. Security Alerts
  2. Security Incidents
  3. Identified Threat Activities
- ISCM Criteria
Slide 19: The CM Process
- Define an ISCM Strategy
- Establish an ISCM Program
- Implement an ISCM Program
- Determining Appropriate Response
- Mitigating Risk
- Review and Update the Monitoring Program
Slide 21: Interrelationships to the CM Process
- Risk Tolerance
- Enterprise Architecture
- Security Architecture
- Security Configurations
- Plans for Changes to Enterprise Architecture
- Available Threat Information
Slide 22: Section C: Automation
Slide 23: Role of Automation in ISCM
Consideration is given to ISCM tools that:
- Pull information from a variety of sources (specifications, mechanisms, activities, individuals)
- Use open specifications such as SCAP
- Offer interoperability with other products (help desk, inventory management, configuration management, and incident response solutions)
- Support compliance with applicable federal laws, regulations, standards, and guidelines
- Provide reporting with the ability to tailor output
- Allow for data consolidation into Security Information and Event Management (SIEM) tools and dashboard products
(Source: SP 800-137)
Knowledge Check
- What is the document that provides guidelines for developing a CM program?
- What is the first step in the CM Process?
- Name an automation specification that is a dictionary of weaknesses that can lead to exploitable vulnerabilities.
- Data within the domains is captured, correlated, analyzed, and reported to present the security status of the organization that is represented by the domains monitored.
Slide 29: Automation and Reference Data Sources
- Security Content Automation Protocol (SCAP)
  - What Can Be Automated With SCAP
  - How to Implement SCAP
  - Partially Automated Controls
- Reference Data Sources
  - National Vulnerability Database (NVD)
  - Security Configuration Checklists
Slide 30: SCAP Program
NVD Primary Resources:
1. Vulnerability Search Engine
2. National Checklist Program
3. SCAP Compatible Tools
4. SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
5. Product Dictionary (CPE)
6. Impact Metrics (CVSS)
7. Common Weakness Enumeration (CWE)
(Figure: NVD Data Feed Scan)
Slide 31: SCAP: What Can Be Automated?
- Vulnerability and Patch Scanners
  - Authenticated
  - Unauthenticated
- Baseline Configuration Scanners
  - Federal Desktop Core Configuration (FDCC)
  - United States Government Configuration Baseline (USGCB)
Slides 32-33: How to Implement SCAP
- with SCAP-validated Tools
- and SCAP-expressed Checklists
Slide 34: Partially Automated Controls
Open Checklist Interactive Language (OCIL):
- Define questions (boolean, choice, numeric, or string)
- Define possible answers to a question from which the user can choose
- Define actions to be taken resulting from a user's answer
- Enumerate the result set
- Used in conjunction with the eXtensible Configuration Checklist Description Format (XCCDF)
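The following is an added example, not code from the module and not the OCIL XML schema itself; it models the building blocks the slide lists in plain Python so the flow is visible: typed questions, the answers a user may choose, test actions that map an answer either to a result or to the next question, and the enumerated OCIL result values (PASS, FAIL, ERROR, UNKNOWN, NOT_APPLICABLE, NOT_TESTED). The questionnaire, which checks the awareness-training condition that Section D's data-source table scores, and the interview answers are constructed.

```python
"""Partially automated control check modelled on OCIL's building blocks.

Added example: not the FITSP-A module's code and not OCIL's XML format.
The question kinds, action semantics and result values follow OCIL's
concepts; the Python structures and the sample questionnaire are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# OCIL's enumerated result values.
PASS, FAIL, ERROR, UNKNOWN, NOT_APPLICABLE, NOT_TESTED = (
    "PASS", "FAIL", "ERROR", "UNKNOWN", "NOT_APPLICABLE", "NOT_TESTED")
RESULT_VALUES = {PASS, FAIL, ERROR, UNKNOWN, NOT_APPLICABLE, NOT_TESTED}


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    kind: str                        # "boolean", "choice", "numeric" or "string"
    choices: Tuple[str, ...] = ()    # allowed answers for kind == "choice"


@dataclass(frozen=True)
class TestAction:
    """Asks one question; on_answer returns a result value or the id of the
    next test action to run (OCIL's when_true/when_choice/when_range idea)."""
    aid: str
    question: Question
    on_answer: Callable[[object], str]


def _valid(q: Question, answer) -> bool:
    """Type-check an answer against the question's declared kind."""
    if q.kind == "boolean":
        return isinstance(answer, bool)
    if q.kind == "choice":
        return answer in q.choices
    if q.kind == "numeric":
        return isinstance(answer, (int, float)) and not isinstance(answer, bool)
    if q.kind == "string":
        return isinstance(answer, str)
    return False


def evaluate(actions: Dict[str, TestAction], start: str,
             answers: Dict[str, object]) -> Tuple[str, List[Tuple[str, object]]]:
    """Walk the questionnaire from `start`; return (result, answered trail).
    A missing answer yields NOT_TESTED, an ill-typed answer yields ERROR."""
    trail: List[Tuple[str, object]] = []
    aid = start
    while True:
        act = actions[aid]
        q = act.question
        if q.qid not in answers:
            return NOT_TESTED, trail
        ans = answers[q.qid]
        if not _valid(q, ans):
            return ERROR, trail
        trail.append((q.qid, ans))
        nxt = act.on_answer(ans)
        if nxt in RESULT_VALUES:
            return nxt, trail
        aid = nxt


# Constructed questionnaire: has this user completed mandatory awareness
# training within the last 365 days?  (The 365-day window is the one the
# module's iPost data-source table describes.)
Q_ROLE = Question("q_role", "What is the user's role?", "choice",
                  ("employee", "contractor", "service_account"))
Q_DAYS = Question("q_days", "Days since the user last completed awareness training", "numeric")
Q_RECORDED = Question("q_recorded", "Is the completion recorded in the training database?", "boolean")

ACTIONS = {
    "a_role": TestAction("a_role", Q_ROLE,
                         lambda a: NOT_APPLICABLE if a == "service_account" else "a_days"),
    "a_days": TestAction("a_days", Q_DAYS,
                         lambda a: FAIL if a > 365 else "a_recorded"),
    "a_recorded": TestAction("a_recorded", Q_RECORDED,
                             lambda a: PASS if a else UNKNOWN),
}


def enumerate_results(answer_sets) -> Dict[str, int]:
    """Result set across many respondents: a count per OCIL result value."""
    counts = {v: 0 for v in sorted(RESULT_VALUES)}
    for answers in answer_sets:
        result, _ = evaluate(ACTIONS, "a_role", answers)
        counts[result] += 1
    return counts


# Constructed interview answers, one dict per user.
SAMPLE_ANSWERS = [
    {"q_role": "employee", "q_days": 120, "q_recorded": True},    # PASS
    {"q_role": "employee", "q_days": 400},                         # FAIL
    {"q_role": "contractor", "q_days": 30, "q_recorded": False},   # UNKNOWN
    {"q_role": "service_account"},                                 # NOT_APPLICABLE
    {"q_role": "employee"},                                        # NOT_TESTED
    {"q_role": "employee", "q_days": "soon"},                      # ERROR
]

if __name__ == "__main__":
    for answers in SAMPLE_ANSWERS:
        print(evaluate(ACTIONS, "a_role", answers))
    print(enumerate_results(SAMPLE_ANSWERS))
```

The distinction between NOT_TESTED, UNKNOWN and ERROR is what makes a questionnaire result usable next to SCAP scan results in an XCCDF report: an unanswered question is not a failed control, but it is not evidence of compliance either.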
Slide 35: Technologies for Aggregation and Analysis
- Management Dashboards
  - Meaningful and easily understandable format
  - Provide information appropriate to roles and responsibilities
- Security Information and Event Management (SIEM), analysis of:
  - Vulnerability scanning information
  - Performance data
  - Network monitoring
  - System audit record (log) information
- Audit Record Correlation and Analysis
Slide 36: CAESARS Framework
Slide 38: IR 7756
Slide 39: CM Documents
Slide 40: Knowledge Check
- Name the set of specifications used to standardize the communication of software flaws and security configurations.
- What is the name of the U.S. government repository of standards-based vulnerability management data represented using the SCAP specifications?
- Name an ISCM reference model that provides a foundation for a continuous monitoring reference model that aims to enable organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.
Slide 41: Section D: CM Implementation
Slide 44: Monitoring Tool Data Sources

Component                        | ID  | What is Scored                                                                                  | Source
---------------------------------|-----|-------------------------------------------------------------------------------------------------|-----------------------
Vulnerability                    | VUL | Vulnerabilities detected on a host                                                              | Foundstone (McAfee)
Patch                            | PAT | Patches required by a host                                                                      | SMS (System Center)
Security Compliance              | SCM | Failures of a host to use required security settings                                            | McAfee Policy Auditor
Anti-Virus                       | AVR | Out-of-date anti-virus signature file                                                           | SMS (System Center)
Unapproved OS                    | UOS | Unapproved operating systems                                                                    | AD
Cyber Security Awareness Training| CSA | Every user who has not passed the mandatory awareness training within the last 365 days         | DoS Training Database
SOE Compliance                   | SOE | Incomplete/invalid installations of any product in the Standard Operating Environment (SOE) suite | SMS (System Center)
AD Computers                     | ADC | Computer account password ages exceeding threshold                                              | AD
AD Users                         | ADU | User account password ages exceeding threshold (scores each user account, not each host)        | AD
SMS Reporting                    | SMS | Incorrect functioning of the SMS client agent                                                   | SMS (System Center)
Vulnerability Reporting          | VUR | Missed vulnerability scans                                                                      | Foundstone (McAfee)
Security Compliance Reporting    | SCR | Missed security compliance scans                                                                | McAfee Policy Auditor
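To show how findings from the sources in the table become a score a site owner can act on, here is an added example; it is not the module's code and not the Department of State's iPost implementation. It uses the component ids from the table (VUL, PAT, SCM, AVR, UOS, ADC, VUR, SCR), rolls per-finding points up to a host score and then to a site score, and treats a stale or absent scan as a missed scan, which is what the two "Reporting" components exist to catch. The points per finding, the scan window, the password-age threshold, the evaluation date, the hosts and the findings are all constructed assumptions; the module gives no iPost weights.

```python
"""Host and site risk-score roll-up modelled on the module's data-source table.

Added example, not the module's code and not iPost.  Component ids match the
table; POINTS, thresholds, AS_OF, hosts and findings are constructed.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Hypothetical points per finding (the module does not give iPost's weights).
POINTS = {
    "VUL": {"Critical": 10.0, "High": 6.0, "Medium": 3.0, "Low": 1.0},  # per vulnerability
    "PAT": 4.0,   # per required patch not applied
    "SCM": 2.0,   # per required security setting not in effect
    "AVR": 3.0,   # per day the anti-virus signature file is out of date
    "UOS": 15.0,  # flat: unapproved operating system
    "ADC": 0.5,   # per day the computer account password exceeds the threshold
    "VUR": 20.0,  # flat: missed vulnerability scan
    "SCR": 20.0,  # flat: missed security compliance scan
}
SCAN_WINDOW_DAYS = 30        # a scan older than this is "missed"
PASSWORD_MAX_AGE_DAYS = 90   # ADC threshold
AS_OF = date(2024, 1, 31)    # constructed evaluation date

# Constructed findings as the scanners / SMS / policy auditor would report them.
FINDINGS: List[Tuple[str, str, dict]] = [
    ("ws01", "VUL", {"severity": "High"}),
    ("ws01", "VUL", {"severity": "Medium"}),
    ("ws01", "PAT", {"patch": "patch-A"}),
    ("ws02", "UOS", {"os": "unsupported-os"}),
    ("ws02", "SCM", {"setting": "screen-lock"}),
    ("ws02", "SCM", {"setting": "audit-policy"}),
    ("srv01", "AVR", {"signature_date": date(2024, 1, 20)}),
]
# Last successful scan per host and reporting component (None = never scanned).
LAST_SCAN = {
    "ws01": {"VUR": date(2024, 1, 25), "SCR": date(2024, 1, 25)},
    "ws02": {"VUR": date(2023, 12, 1), "SCR": date(2024, 1, 10)},
    "srv01": {"VUR": date(2024, 1, 28), "SCR": None},
}
# AD computer-account password last-set dates and site membership.
AD_COMPUTERS = {"ws01": date(2023, 12, 15), "ws02": date(2023, 9, 1), "srv01": date(2024, 1, 2)}
SITES = {"ws01": "HQ", "ws02": "HQ", "srv01": "Embassy-X"}


def component_scores(host: str) -> Dict[str, float]:
    """Points per component for one host, from all sources."""
    scores: Dict[str, float] = defaultdict(float)
    for h, comp, detail in FINDINGS:
        if h != host:
            continue
        if comp == "VUL":
            scores[comp] += POINTS["VUL"][detail["severity"]]
        elif comp == "AVR":
            stale_days = max(0, (AS_OF - detail["signature_date"]).days)
            scores[comp] += POINTS["AVR"] * stale_days
        else:
            scores[comp] += POINTS[comp]
    # Reporting components: a scan older than the window, or never run, is missed.
    for comp in ("VUR", "SCR"):
        last = LAST_SCAN.get(host, {}).get(comp)
        if last is None or (AS_OF - last).days > SCAN_WINDOW_DAYS:
            scores[comp] += POINTS[comp]
    # ADC: only the days beyond the threshold are penalised.
    excess = (AS_OF - AD_COMPUTERS[host]).days - PASSWORD_MAX_AGE_DAYS
    if excess > 0:
        scores["ADC"] += POINTS["ADC"] * excess
    return dict(scores)


def host_score(host: str) -> float:
    return sum(component_scores(host).values())


def site_scores() -> Dict[str, float]:
    """Roll host scores up to the site that owns each host."""
    totals: Dict[str, float] = defaultdict(float)
    for host, site in SITES.items():
        totals[site] += host_score(host)
    return dict(totals)


def ranked_hosts() -> List[Tuple[str, float]]:
    """Hosts ordered worst-first, the usual dashboard view."""
    return sorted(((h, host_score(h)) for h in SITES), key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    for host, score in ranked_hosts():
        print(f"{host:<6} {score:>6.1f}  {component_scores(host)}")
    print(site_scores())
```

Because the weights here are arbitrary, the same objection the GAO raised against iPost later in this module applies: a score like this orders remediation work, but it only measures risk if the points are derived from threat, impact and likelihood for the environment rather than chosen for convenience.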
Slide 45: Risk Scoring
Slide 46: Remediation
Slide 47: CM Challenges
- The organization of SP 800-53
- Emerging CM technologies: SCAP, OCIL
- The limitations of CAESARS
- The Department of State's iPost and Risk Scoring Program
Slide 48: Optional Section: CM Discussion
Slide 49: Organization of Security Controls
- 18 families (Appendix J adds 8 more control families)
- 198 / 228 controls
- 892 / 1110 control items (parts/enhancements)
Slide 50: Control Catalog Redundancies Evident in USGCB
Slide 51: DoD Solution: Mapping STIGs to 800-53
Slide 52: DoS Solution: Using a Fishbone Diagram to Find Root Controls
Slide 53: DoS Solution: Proposed Structure of the Security Control Catalog
Slide 54: The Limitations of CAESARS
- Lack of interface specifications
- Reliance on an enterprise service bus
- Incomplete communication payload specifications
- Lack of specifications describing subsystem capabilities
- Lack of a multi-CM-instance capability
- Lack of a multi-subsystem-instance capability
- CM database integration with security baseline content
- Lack of detail on the required asset inventory
- Requirement for risk measurement
Slide 55: GAO Report on Scope of iPost Risk Scoring Program
- Addresses Windows hosts but not other IT assets on its major unclassified network
- Covers a set of 10 scoring components that includes some, but not all, information system controls that are intended to reduce risk
- State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment
Slide 56

Minimum Security Controls (FIPS 200)   | Controls Monitored by iPost
---------------------------------------|------------------------------------------
Access Control                         | Security Compliance (AD group check)
Awareness and Training                 | Awareness Training
Audit and Accountability               | Reporting
Security Assessment and Authorization  | (none)
Configuration Management               | Patching, SOE, Reporting (Inventory)
Contingency Planning                   | (none)
Identification and Authentication      | AD Computers & Users
Incident Response                      | (none)
Maintenance                            | (none)
Media Protection                       | (none)
Physical and Environmental Protection  | (none)
Planning                               | (none)
Personnel Security                     | (none)
Risk Assessment                        | Vulnerabilities
System and Services Acquisition        | (none)
System and Communications Protection   | (none)
System and Information Integrity       | Patching, Antivirus
Slide 57: Challenges with Implementation of iPost
- Overcoming limitations and technical issues with data collection tools
- Identifying and notifying individuals with responsibility for site-level security
- Implementing configuration management for iPost
- Adopting a strategy for continuous monitoring of controls
- Managing stakeholder expectations for continuous monitoring activities
Slide 58: Continuous Monitoring Key Concepts & Vocabulary
- Role in the RMF process: RMF Step 6, Monitor Security Controls
- Characteristics of continuous monitoring: organization-wide approach
- Elements of an organization-wide CM program
- Continuous monitoring process
- Role of automation
- Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS)