Continuous Monitoring (ISCM)

fanaticalpumaMechanics

Nov 5, 2013

Information System Continuous Monitoring (ISCM)

FITSP-M

Module 7

“Continuous monitoring is the backbone of true security.”

- Vivek Kundra, Federal CIO


Leadership

FITSP-M Exam Module Objectives


Audit and Accountability

Manage controls in a system that facilitate the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, and investigation of the system

Security Assessments and Authorization

Supervise processes that facilitate the monitoring of information system security controls on an ongoing basis to ensure the continued effectiveness of the controls

System and Communication Protection

Oversee processes that monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems

System and Information Integrity

Direct mechanisms that monitor information system security alerts and advisories and take appropriate actions in response


Continuous Monitoring Overview

Section A: Continuous Monitoring Trends

RMF Step 6

Monitor Security Controls

Redefining Risk Management

DHS CM Reporting Metrics

Cyberscope

Section B: CM Guidelines, SP 800-137

ISCM Fundamentals

Organization-wide Approach

Elements of Organization-wide CM Program

Continuous Monitoring Process

Section C: Automation

Automation Domains

SCAP & OCIL

Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS)

Section D: CM Implementation

CONTINUOUS MONITORING
TRENDS

Section A

RMF Step 6

Monitor Security Controls


Information System And Environment Changes


Ongoing Security Control Assessments


Ongoing Remediation Actions


Key Updates


Security Status Reporting


Ongoing Risk Determination And Acceptance


Information System Removal And Decommissioning

Risk Management Redefined

OODA Loop

DHS Cyberscope

Monthly Data Feeds to DHS

1. Inventory
2. Systems and Services
3. Hardware
4. Software
5. External Connections
6. Security Training
7. Identity Management and Access

Government-wide benchmarking on security posture

Agency-specific interviews

DHS FY12 Reporting Metrics

1. Continuous Monitoring

Knowledge Check

Name the components of the new risk management model.

Name the reporting tool which automates Agency FISMA reporting directly to the DHS.

What 3 Continuous Monitoring metrics will DHS expect agencies to report for FY2012?

THE CM GUIDELINES

SP 800-137

Section B

NIST SP 800-137

Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Information security continuous monitoring (ISCM) is defined as:


Maintaining Ongoing Awareness of Information Security, Vulnerabilities, and Threats

Support Organizational Risk Management Decisions

Begins With Leadership Defining A Comprehensive ISCM Strategy Encompassing technology, processes, procedures, operating environments, and people

ISCM Fundamentals


Define the ISCM strategy


Establish an ISCM program


Implement the ISCM program


Analyze and Report findings


Respond to findings


Review and Update ISCM strategy and program


Risk Management Strategy:

1. How the organization plans to assess, respond to, and monitor risk
2. Oversight required to ensure effectiveness of RM strategy

Program Management

1. Defined by how business processes are prioritized
2. Types of information needed to successfully execute those business processes

Monitoring System Level Controls and Security Status Reporting

1. Security Alerts
2. Security Incidents
3. Identified Threat Activities

ISCM Criteria

The CM Process


Define an ISCM Strategy


Establish an ISCM Program


Implement an ISCM Program


Determining Appropriate Response


Mitigating Risk


Review and Update the Monitoring Program


Interrelationships to the CM Process

Risk Tolerance

Enterprise Architecture

Security Architecture

Security Configurations

Plans for Changes to Enterprise Architecture

Available Threat Information

AUTOMATION

Section C

Role of Automation in ISCM


Consideration is given to ISCM tools that:


Pull information from a variety of sources (Specifications,
Mechanisms, Activities, Individuals)


Use open specifications such as SCAP


Offer interoperability with other products (help desk, inventory
management, configuration management, and incident response
solutions)


Support compliance with applicable federal laws, regulations,
standards, and guidelines


Provide reporting with the ability to tailor output


Allow for data consolidation into Security Information and Event
Management (SIEM) tools and dashboard products.

SP 800-137

Security Automation Domains

Vulnerability & Patch Management

Event & Incident Management

Malware Detection

Asset Management

Configuration Management

Network Management

License Management

Information Management

Software Assurance

SP 800-137

Automation Domain / Tools and Technologies / NIST Guidelines

1. Vulnerability Management: Vulnerability scanners. NIST SP 800-40, Creating a Patch and Vulnerability Management Program
2. Patch Management: Patch management tools
3. Event Management: Intrusion detection/prevention systems and logging mechanisms. NIST SP 800-92, Computer Security Log Management
4. Incident Management: NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
5. Malware Detection: Antivirus/malware detection mechanisms. NIST SP 800-83, Malware Incident Prevention and Handling
6. Configuration Management: SCAP, SIEM, dashboards. NIST SP 800-126r2, The Technical Specification for SCAP Version 1.2

SP 800-137

Automation Domain / Tools and Technologies

7. Asset Management: System configuration, network management, and license management tools
8. Network Management: Host discovery, inventory, change control, performance monitoring, and other network device management capabilities
9. License Management: License management tools
10. Information Management: Data Loss Prevention (DLP) tools: network analysis software, application firewalls, and intrusion detection and prevention systems

SP 800-137

Software Assurance Technologies

Security Automation Domain #11

Software Assurance Automation Protocol (SwAAP - measure and enumerate software weaknesses):

CWE - Common Weakness Enumeration: Dictionary of weaknesses that can lead to exploitable vulnerabilities

CWSS - Common Weakness Scoring System: Assigning risk scores to weaknesses

CAPEC - Common Attack Pattern Enumeration & Classification: Catalog of attack patterns

MAEC - Malware Attribute Enumeration & Characterization: Standardized language about malware, based on attributes such as behaviors and attack patterns

SP 800-137

Knowledge Check

What is the document that provides guidelines for developing a CM program?

What is the first step in the CM Process?

Name an automation specification which is a dictionary of weaknesses that can lead to exploitable vulnerabilities.

What is defined as an information security area that includes a grouping of tools, technologies, and data?

Data within the domains is captured, correlated, analyzed, and reported to present the security status of the organization that is represented by the domains monitored.



Automation and Reference Data
Sources


Security Content Automation Protocol (SCAP)


What Can Be Automated With SCAP


How to Implement SCAP


Partially Automated Controls


Reference Data Sources


National Vulnerability Database (NVD)


Security Configuration Checklists

SCAP Program

NVD Primary Resources

1. Vulnerability Search Engine
2. National Checklist Program
3. SCAP Compatible Tools
4. SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
5. Product Dictionary (CPE)
6. Impact Metrics (CVSS)
7. Common Weakness Enumeration (CWE)

(Diagram: NVD -> Data Feed -> Scan)

SCAP: What Can Be Automated?


Vulnerability and Patch Scanners


Authenticated


Unauthenticated


Baseline Configuration Scanners


Federal Desktop Core Configuration (FDCC)


United States Government Configuration Baseline (USGCB)

How to Implement SCAP with SCAP-validated Tools

… and SCAP-expressed Checklists

Partially Automated Controls


Open Checklist Interactive Language (OCIL)


Define Questions (Boolean, Choice, Numeric, Or String)


Define Possible Answers to a Question from Which User Can
Choose


Define Actions to be Taken Resulting from a User's Answer


Enumerate Result Set


Used in Conjunction with eXtensible Configuration Checklist Description Format (XCCDF)
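The OCIL bullets above describe a questionnaire model for controls that cannot be checked by a scanner alone: typed questions (Boolean, choice, numeric, string), a set of allowed answers, an action that follows from each answer, and an enumerable set of results. The Python below is an added illustration of that model written for this page; it is not the OCIL XML schema and not code from SP 800-137 or the deck. The questionnaire content (a manual check of the 365-day awareness-training rule), the result names, and the "<=365"-style comparison keys for numeric answers are constructed for the example.

```python
"""Simplified OCIL-style questionnaire evaluator (illustrative model, not the OCIL XML schema)."""
import operator
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Final results a questionnaire can produce (names constructed for this example).
PASS, FAIL, NOT_APPLICABLE, ERROR = "PASS", "FAIL", "NOT_APPLICABLE", "ERROR"


@dataclass
class Question:
    qid: str
    text: str
    qtype: str                                   # "boolean" | "choice" | "numeric" | "string"
    choices: List[str] = field(default_factory=list)   # allowed answers for "choice" questions
    # Action taken for an answer: another question id or a final result.
    # For numeric questions the keys are comparisons such as "<=365" or ">365" (assumed syntax).
    actions: Dict[str, str] = field(default_factory=dict)
    default: Optional[str] = None                # action when no key matches the answer


_OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq, "<": operator.lt, ">": operator.gt}


def normalise(q: Question, answer) -> object:
    """Check the answer against the question's declared type; raise if it does not fit."""
    if q.qtype == "boolean":
        if not isinstance(answer, bool):
            raise TypeError(f"{q.qid}: expected True/False")
        return "true" if answer else "false"
    if q.qtype == "choice":
        if answer not in q.choices:
            raise ValueError(f"{q.qid}: {answer!r} is not one of {q.choices}")
        return answer
    if q.qtype == "numeric":
        return float(answer)                     # ValueError/TypeError if not numeric
    if q.qtype == "string":
        return str(answer).strip()
    raise ValueError(f"{q.qid}: unknown question type {q.qtype!r}")


def next_step(q: Question, value) -> Optional[str]:
    """Pick the action for a normalised answer (first matching comparison for numeric questions)."""
    if q.qtype == "numeric":
        for key, target in q.actions.items():
            m = re.fullmatch(r"(<=|>=|==|<|>)\s*(-?\d+(?:\.\d+)?)", key.strip())
            if m is None:
                raise ValueError(f"{q.qid}: bad numeric action key {key!r}")
            if _OPS[m.group(1)](value, float(m.group(2))):
                return target
        return q.default
    return q.actions.get(value, q.default)


@dataclass
class Outcome:
    result: str
    trail: List[Tuple[str, object]]              # (question id, normalised answer) in order asked


def evaluate(questions: Dict[str, Question], start: str, answers: Dict[str, object]) -> Outcome:
    """Walk the questionnaire from `start`, following the action chosen by each answer."""
    trail, seen, current = [], set(), start
    while current in questions:
        if current in seen:                      # malformed questionnaire (cycle): report, do not loop
            return Outcome(ERROR, trail)
        seen.add(current)
        q = questions[current]
        if current not in answers:               # unanswered question: report rather than guess
            return Outcome(ERROR, trail)
        try:
            value = normalise(q, answers[current])
        except (TypeError, ValueError):
            return Outcome(ERROR, trail)
        trail.append((current, value))
        nxt = next_step(q, value)
        if nxt is None:
            return Outcome(ERROR, trail)
        current = nxt
    return Outcome(current, trail)               # `current` is now a final result, not a question


def result_set(questions: Dict[str, Question]) -> List[str]:
    """Enumerate every final result the questionnaire can reach."""
    results = set()
    for q in questions.values():
        for target in list(q.actions.values()) + ([q.default] if q.default else []):
            if target not in questions:
                results.add(target)
    return sorted(results)


# Constructed questionnaire: manual check of the "training within the last 365 days" rule.
TRAINING_QUESTIONNAIRE = {
    "q1": Question("q1", "Does the organization have a documented awareness training requirement?",
                   "boolean", actions={"true": "q2", "false": FAIL}),
    "q2": Question("q2", "How many days ago did this user last pass the training?",
                   "numeric", actions={"<=365": "q3", ">365": FAIL}),
    "q3": Question("q3", "Which training format was used?", "choice",
                   choices=["online", "classroom", "exempt"],
                   actions={"online": "q4", "classroom": "q4", "exempt": NOT_APPLICABLE}),
    "q4": Question("q4", "Enter the training record identifier (blank if none).", "string",
                   actions={"": FAIL}, default=PASS),
}

if __name__ == "__main__":
    answers = {"q1": True, "q2": 120, "q3": "online", "q4": "TR-PLACEHOLDER-001"}
    print(evaluate(TRAINING_QUESTIONNAIRE, "q1", answers))
    print("possible results:", result_set(TRAINING_QUESTIONNAIRE))
```

The point to notice is that a wrong type, a missing answer or an unmatched answer produces ERROR rather than a pass, so a questionnaire result can be consolidated into the same pass/fail reporting as automated XCCDF checks without an unanswered question silently counting as compliant.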


Technologies for Aggregation and Analysis


Management Dashboards


Meaningful And Easily Understandable Format


Provide Information Appropriate to Roles And Responsibilities


Security Information and Event Management (SIEM),
analysis of:


Vulnerability Scanning Information,


Performance Data,


Network Monitoring,


System Audit Record (Log) Information


Audit Record Correlation And Analysis


CAESARS Framework (NIST IR 7756)

CM Documents

Knowledge Check


Name the set of specifications used to standardize the communication of software flaws and security configurations.

What is the name of the U.S. government repository of standards-based vulnerability management data represented using the SCAP specifications?

What is the name of the program designed to test the ability of products to use the features and functionality available through SCAP and its component standards?

Name an ISCM reference model that provides a foundation for a continuous monitoring reference model that aims to enable organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.




CM IMPLEMENTATION

Section D

Monitoring Tool Data Sources

Component (ID): What is Scored. Source

Vulnerability (VUL): Vulnerabilities detected on a host. Source: Foundstone (McAfee)

Patch (PAT): Patches required by a host. Source: SMS (System Center)

Security Compliance (SCM): Failures of a host to use required security settings. Source: McAfee Policy Auditor

Anti-Virus (AVR): Out of date anti-virus signature file. Source: SMS (System Center)

Unapproved OS (UOS): Unapproved operating systems. Source: AD

Cyber Security Awareness Training (CSA): Every user who has not passed the mandatory awareness training within the last 365 days. Source: DoS Training Database

SOE Compliance (SOE): Incomplete/invalid installations of any product in the Standard Operating Environment (SOE) suite. Source: SMS (System Center)

AD Computers (ADC): Computer account password ages exceeding threshold. Source: AD

AD Users (ADU): User account password ages exceeding threshold (scores each user account, not each host). Source: AD

SMS Reporting (SMS): Incorrect functioning of the SMS client agent. Source: SMS (System Center)

Vulnerability Reporting (VUR): Missed vulnerability scans. Source: Foundstone (McAfee)

Security Compliance Reporting (SCR): Missed security compliance scans. Source: McAfee Policy Auditor

Risk Scoring

Remediation
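The data-source table lists what each iPost component scores and the Risk Scoring and Remediation slides name the next two steps, but the deck gives no arithmetic. The Python below is an added example written for this page, not the Department of State's iPost code and not code from the deck: it applies a subset of those component checks to constructed host and user records, totals the points per site, and ranks findings so the highest-scoring ones are fixed first. The 365-day training window and the component IDs come from the table; the per-component weights, the 60-day password-age threshold, the 7-day signature-age threshold, the approved-OS list and the "sum of CVSS scores" rule for VUL are assumptions.

```python
"""Illustrative iPost-style risk scoring over constructed monitoring data.
Component IDs follow the deck's data-source table; weights, thresholds and the
aggregation rule are assumptions made for this example, not iPost's."""
from collections import defaultdict
from datetime import date

AS_OF = date(2013, 11, 5)                  # constructed reference date (the deck's date)
TRAINING_MAX_AGE_DAYS = 365                # from the CSA row of the table
PASSWORD_MAX_AGE_DAYS = 60                 # assumed threshold for ADC and ADU
AV_SIGNATURE_MAX_AGE_DAYS = 7              # assumed threshold for AVR
APPROVED_OS = {"Windows 7", "Windows Server 2008 R2"}   # assumed approved list for UOS

# Assumed points per finding; the real iPost weighting is not on the page.
WEIGHTS = {"PAT": 3.0, "SCM": 1.0, "AVR": 6.0, "UOS": 10.0, "CSA": 5.0, "ADC": 4.0, "ADU": 4.0}


def age_days(d: date) -> int:
    """Days elapsed between a recorded date and the reference date."""
    return (AS_OF - d).days


def score_vulnerabilities(cvss_scores) -> float:
    """VUL: assumed rule of one point per CVSS base-score point, summed over the host."""
    return float(sum(cvss_scores))


def score_host(host: dict) -> dict:
    """Return {component_id: points} for one host record built from the constructed feeds."""
    s = defaultdict(float)
    s["VUL"] += score_vulnerabilities(host.get("cvss", []))
    s["PAT"] += WEIGHTS["PAT"] * len(host.get("missing_patches", []))
    s["SCM"] += WEIGHTS["SCM"] * len(host.get("failed_settings", []))
    if age_days(host["av_signature_date"]) > AV_SIGNATURE_MAX_AGE_DAYS:
        s["AVR"] += WEIGHTS["AVR"]
    if host["os"] not in APPROVED_OS:
        s["UOS"] += WEIGHTS["UOS"]
    if age_days(host["computer_password_set"]) > PASSWORD_MAX_AGE_DAYS:
        s["ADC"] += WEIGHTS["ADC"]
    return dict(s)


def score_user(user: dict) -> dict:
    """CSA and ADU are scored per user account, not per host (as the table notes for ADU)."""
    s = {}
    passed = user.get("training_passed")
    if passed is None or age_days(passed) > TRAINING_MAX_AGE_DAYS:
        s["CSA"] = WEIGHTS["CSA"]
    if age_days(user["password_set"]) > PASSWORD_MAX_AGE_DAYS:
        s["ADU"] = WEIGHTS["ADU"]
    return s


def site_report(hosts, users):
    """Total points per site, plus every non-zero finding ranked for remediation."""
    by_site = defaultdict(float)
    findings = []
    for h in hosts:
        comp = score_host(h)
        by_site[h["site"]] += sum(comp.values())
        findings += [(pts, h["site"], h["name"], cid) for cid, pts in comp.items() if pts]
    for u in users:
        comp = score_user(u)
        by_site[u["site"]] += sum(comp.values())
        findings += [(pts, u["site"], u["name"], cid) for cid, pts in comp.items() if pts]
    findings.sort(key=lambda f: (-f[0], f[1], f[2], f[3]))   # highest points first
    return dict(by_site), findings


# Constructed sample records (not real hosts, users or patch identifiers).
HOSTS = [
    {"name": "ws-101", "site": "HQ", "os": "Windows 7", "cvss": [7.5, 4.5],
     "missing_patches": ["KB-PLACEHOLDER-1"], "failed_settings": [],
     "av_signature_date": date(2013, 11, 4), "computer_password_set": date(2013, 10, 20)},
    {"name": "ws-202", "site": "Post-A", "os": "Windows XP", "cvss": [],
     "missing_patches": [], "failed_settings": ["AuditPolicy", "Firewall"],
     "av_signature_date": date(2013, 10, 1), "computer_password_set": date(2013, 6, 1)},
]
USERS = [
    {"name": "alice", "site": "HQ", "training_passed": date(2013, 1, 15), "password_set": date(2013, 10, 1)},
    {"name": "bob", "site": "Post-A", "training_passed": date(2012, 9, 1), "password_set": date(2013, 7, 1)},
]

if __name__ == "__main__":
    sites, ranked = site_report(HOSTS, USERS)
    for site, total in sorted(sites.items(), key=lambda kv: -kv[1]):
        print(f"{site:8s} {total:6.1f}")
    for pts, site, name, cid in ranked:
        print(f"{pts:5.1f}  {site:8s} {name:8s} {cid}")
```

Scoring per user account for CSA and ADU, and per host for the rest, is what lets the same feed be rolled up to a site total for the dashboard and also drive a remediation queue: the ranked list is the "fix issues by priority" step, and the site totals are what a GAO-style review would ask to see tied back to threat, impact and likelihood.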

CM Challenges


The Organization of the SP 800-53


Emerging CM Technologies


SCAP


OCIL


The Limitations of CAESARS


Department of State’s iPost and Risk Scoring Program


CM DISCUSSION

Section Optional

Organization of Security Controls

18 Families

198 Controls

892 Control Items (Parts/Enhancements)

Control Catalog Redundancies Evident in USGCB

DoD Solution: Mapping STIG to 800-53

DoS Solution: Using Fishbone to Find Root Controls

(Figure: fishbone diagram for "Using Fishbone to Find Root Controls". Phases: Plan, Engineer, & Prepare for Operations (Prepare) and Operate, Monitor, & Improve (Operate & Check; Improve; Effectiveness Measure). Labelled steps: Policy & Planning; Requirements Definition; Design/Test/AQ/Infrastructure; Plan, Prep, Staff; Value Proposition/Operational Metric; Track Desired State; Track Actual; ID Score Deviations; Assign Scores to Delta; Find Systemic Problems; Fix Issues by Priority; Manage & Operate.)

DoS Solution: Proposed Structure of Security Control Catalog

The Limitations of CAESARS


Lack of Interface Specifications


Reliance on an Enterprise Service Bus


Incomplete Communication Payload Specifications


Lack of Specifications Describing Subsystem
Capabilities


Lack of a Multi-CM Instance Capability

Lack of Multi-Subsystem Instance Capability


CM Database Integration with Security Baseline Content


Lack of Detail on the Required Asset Inventory


Requirement for Risk Measurement

GAO Report on Scope of iPost Risk Scoring Program

Addresses Windows hosts but not other IT assets on its major unclassified network

Covers a set of 10 scoring components that includes some, but not all, information system controls that are intended to reduce risk

State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment


Minimum Security Controls (FIPS 200): Controls Monitored by iPost

Access Control: Security Compliance (AD Group check)

Awareness and Training: Awareness Training

Audit and Accountability: Reporting

Security Assessment and Authorization: (none)

Configuration Management: Patching, SOE, Reporting (Inventory)

Contingency Planning: (none)

Identification and Authentication: AD Computers & Users

Incident Response: (none)

Maintenance: (none)

Media Protection: (none)

Physical and Environmental Protection: (none)

Planning: (none)

Personnel Security: (none)

Risk Assessment: Vulnerabilities

System and Services Acquisition: (none)

System and Communications Protection: (none)

System and Information Integrity: Patching, Antivirus

Challenges with Implementation of iPost

Overcoming limitations and technical issues with data collection tools

Identifying and notifying individuals with responsibility for site-level security

Implementing configuration management for iPost

Adopting a strategy for continuous monitoring of controls

Managing stakeholder expectations for continuous monitoring activities

Continuous Monitoring

Key Concepts & Vocabulary

Role in the RMF Process

RMF Step 6

Monitor Security Controls

Characteristics of Continuous Monitoring

Organization-wide approach

Elements of Organization-wide CM Program

Continuous Monitoring Process

Role of Automation

Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS)

Questions?