US Government repository of publicly available ... - ISSA Baltimore

Nov 5, 2013

Security Automation


May 26th, 2010

Security Automation: the challenge

“Tower of Babel”
- Too much proprietary, incompatible information
- Costly
- Error prone
- Difficult to scale

Inefficient
- Resources spent on “security hygiene”:
  - Vulnerability management
  - Configuration management
  - Patch management
  - Compliance management

(Slide diagram; box labels: Web Sites, Guidance Documents, Assessment Tools, Management Tools, Alerts & Advisories, Reporting Tools)

Security Automation: the solution

Standardization:
- Same Object, Same Name
- Reporting

Automation:
- Efficiency
- Accuracy
- Resources re-tasked to harder problems:
  - Incident response
  - Infrastructure enhancement

(Slide diagram; box labels: Web Sites, Assessment Tools, Management Tools, Alerts & Advisories, Reporting Tools, Guidance Documents)

What are we achieving with Security Automation?

Minimize Effort
- Reducing the time and effort of manual assessment and remediation
- Providing a more comprehensive assessment of system state

Increase Standardization and Interoperability
- Enabling fast and accurate correlation within the enterprise and across organizations/agencies; Reporting
- Shortening decision cycles by rapidly communicating:
  - Requirements (What/How to check)
  - Results (What was found)
- Allowing diverse tool suites and repositories to share data
- Fostering shared situational awareness by enabling and facilitating data sharing, analysis, and aggregation

What are we achieving with Security Automation and Standardization?

Standard data, economy of scale, and reuse
- Standardized security content can be developed once and used by many
- Common definitions for vulnerabilities, software, and policy statements

Speed
- Rapidly identify vulnerabilities and improperly configured systems and communicate the degree of associated risk
- Zero day malware detection

Security Content Automation Protocol (SCAP)

- SCAP is a suite of specifications that together enable standardization and automation of vulnerability management, measurement, and technical policy compliance checking, along with enhanced product and database integration capabilities with machine-readable reporting.
- In other words, “the plumbing”

Security Content Automation Protocol (SCAP)

Languages (means of providing instructions)
- Community developed
- Machine readable XML
- Representing security checklists
- Detecting machine state
- Reporting

Enumerations (convention for identifying and naming)
- Community developed
- Product names
- Vulnerabilities
- Configuration settings

Metrics (risk scoring framework)
- Community developed
- Transparent
- Metrics: Base, Temporal, Environmental

Notional Security Data Model

(Slide diagram; box labels as extracted: Business Systems; Vulnerability Checks; Infrastructure; Fixes; Assets; Event Language; Patterns; Sharable Policy; System Characteristics; Standard Names & Reference Conventions; Controls; Policy; Reporting Layer and Data Interface; Weaknesses; Threats; Lessons Learned; Attack Patterns; Technical Alerts & Signatures; Bulletins and Advisories; Situational Awareness; Continuous Monitoring; Automated Compliance Mgmt)

Specifications-Based Security Automation

(Slide diagram, the same layout with specifications filled in; box labels as extracted: Reportable IT Systems; OVAL; OCIL; Inventoried, Trusted Connections; OVRL; Assets; Event Language; Patterns; XCCDF; System Characteristics; Controls; Policy; Reporting Layer and Data Interface (TBD, e.g. XBRL, etc); Signatures; CAPEC; Technical Bulletins; Bulletins and Advisories; Situational Awareness; Continuous Monitoring; Automated Compliance Mgmt; CRE; CEE; CERE; CCE; CVE; CRE; CCI; CCSS; CPE; several boxes marked TBD)

Security Automation Partners and Resources

Partners
- US Government
  - National Institute of Standards and Technology (NIST)
  - National Security Agency (NSA)
  - Department of Homeland Security (DHS)
  - Defense Information Systems Agency (DISA)
- Foreign Government
  - Japan - JVN/IPA - Japan Vulnerability Notes / Information Technology Promotion Agency
  - Spain - INTECO - Instituto Nacional de Tecnologías de la Comunicación
- Private Sector
  - Apple, Microsoft, Red Hat, Sun Microsystems
  - Security product vendors

National Vulnerability Database

- NVD is the U.S. government repository of public vulnerability management information.
- Provides standardized reference for software vulnerabilities.
- Over 39,000 CVE entries with the NVD Analysis Team evaluating over 6,000 vulnerabilities a year
- Product dictionary containing 18,000 unique product names
- Used by government, industry and academia
- Machine-readable data feeds
- Spanish and Japanese language translation
- http://nvd.nist.gov


National Checklist Program

U.S. Government repository of publicly available security checklists
- Eases compliance management
- Checklists cover 178 products
- SCAP content
- Checklist contributors include
  - Government organizations
  - Vendors
  - Non-profit organizations
- Part 39 of the Federal Acquisition Regulation (FAR)
- http://checklists.nist.gov

Content Tools

eSCAPe
- Creation of new and/or customized configuration policies
  - Puts the power of SCAP into the hands of existing staff; reduces cost/barrier of entry
  - Government wide, department level, or agency specific
- Quickly generate specific assessment criteria for vulnerabilities or presence of malware
  - Pushed out to SCAP enabled products

Content Validation
- Ensures all content published to NCP is formatted correctly
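Two things happen to SCAP checklist content in practice: it is checked for structural correctness before publication (the "Content Validation" bullet above), and the machine-readable results a scanner writes back are read by reporting tools. The following is an added example, not the NIST validation tool's code and not code from the presentation: it parses a constructed XCCDF 1.1 benchmark, flags two common structural defects (a duplicate Rule id and a Profile selection that names no Rule or Group), and summarizes the rule-result outcomes in an embedded TestResult. Only the XCCDF 1.1 namespace and element names are real; the benchmark and its ids are constructed sample data.

```python
"""Structural checks and a result summary for XCCDF content (added example).

The benchmark below is constructed sample data; the XCCDF 1.1 namespace
and element names are the real ones.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"


def q(name: str) -> str:
    """Qualify an element name with the XCCDF namespace."""
    return "{%s}%s" % (XCCDF_NS, name)


# Constructed sample: one duplicate Rule id and one dangling Profile select
SAMPLE_XCCDF = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <status>draft</status>
  <title>Constructed sample benchmark</title>
  <Profile id="baseline">
    <title>Baseline</title>
    <select idref="rule-ssh-protocol" selected="true"/>
    <select idref="rule-missing" selected="true"/>
  </Profile>
  <Group id="group-ssh">
    <title>SSH daemon</title>
    <Rule id="rule-ssh-protocol" severity="high">
      <title>SSH protocol version 2 only</title>
    </Rule>
    <Rule id="rule-ssh-protocol" severity="low">
      <title>Accidental duplicate of the rule above</title>
    </Rule>
  </Group>
  <TestResult id="result-host-a">
    <rule-result idref="rule-ssh-protocol"><result>fail</result></rule-result>
    <rule-result idref="rule-banner"><result>pass</result></rule-result>
    <rule-result idref="rule-legacy"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def check_benchmark(xml_text: str) -> list:
    """Return a list of problem descriptions (empty when the content is clean):
    malformed XML, duplicate Rule ids, Profile selections naming no Rule or Group."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    rule_ids = set()
    for rule in root.iter(q("Rule")):
        rid = rule.get("id")
        if rid in rule_ids:
            problems.append("duplicate Rule id: %s" % rid)
        rule_ids.add(rid)
    # A Profile may select either a Rule or a Group, so both id sets are valid targets
    selectable = rule_ids | {g.get("id") for g in root.iter(q("Group"))}
    for profile in root.iter(q("Profile")):
        for sel in profile.findall(q("select")):
            if sel.get("idref") not in selectable:
                problems.append("Profile %s selects unknown item: %s"
                                % (profile.get("id"), sel.get("idref")))
    return problems


def summarize_results(xml_text: str) -> dict:
    """Count rule-result outcomes and list the rule ids that failed."""
    root = ET.fromstring(xml_text)
    counts = {}
    failed = []
    for rr in root.iter(q("rule-result")):
        outcome = rr.findtext(q("result"), default="unknown")
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome == "fail":
            failed.append(rr.get("idref"))
    return {"counts": counts, "failed": failed}


if __name__ == "__main__":
    for problem in check_benchmark(SAMPLE_XCCDF):
        print("PROBLEM:", problem)
    print(summarize_results(SAMPLE_XCCDF))
```

The checks here are deliberately the ones a schema validator does not catch: a duplicate id is still well-formed XML, and an unresolved select idref is only a logical error, yet both make a checklist behave differently from what its author intended when a SCAP-enabled product applies the profile.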

SCAP Validation Program

- Provides product conformance testing for Security Content Automation Protocol (SCAP)
- National Voluntary Laboratory Accreditation Program
- Independent testing laboratories
- Reports validated by NIST
- http://scap.nist.gov/validation.cfm (Validation Program)
- http://scap.nist.gov/scapproducts.cfm (Validated Products)

NIST SCAP Product Validation Program
http://nvd.nist.gov/scapproducts.cfm

Looking Ahead

- Remediation capabilities
  - Rapidly deploy corrective action
  - Shutting down services, locking out accounts, etc…
- Network Event Management
  - Event Management Automation Protocol (EMAP)

Conclusion

Security Automation:
- Improves efficiency
- Promotes interoperability of data and security tools
- Enables standardized reporting across multiple views
- Provides enhanced situational awareness