SCM - AFCEA South Central Pennsylvania Chapter

Nov 5, 2013

Enclave Security: Secure Configuration Management (SCM)

David Hoon
DISA PEO-MA
SCM PMO

http://www.disa.mil/scm

UNCLASSIFIED

The information provided in this briefing is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government.

Agenda

- SCM Introduction
- SCM Lifecycle
- SCM Objectives
- SCM Community Model
- Current Capability Framework
- Governance Model
- Capability Program Map
- NSA SCM R&D Focused Efforts
- SCM Programs
  - CMRS
  - DPMS
  - IAVM

Introduction

Security-focused Configuration Management (SecCM) is defined as:
"the management and control of configurations for information systems to enable security and facilitate the management of information security risk." (NIST SP 800-128)

PROGRAM OBJECTIVES:
- The DoD SCM Program is the integration and optimization of enterprise IA applications, tools, and data standards to support automated processes for risk management and near-real-time awareness.
- Enable Information System Monitoring as part of DoD's Continuous Monitoring Strategy, supporting the initial data sets of assets, system configurations, and vulnerabilities (FISMA reporting requirements).

PROGRAM CAPABILITIES:
- Leverage inherent SCM capabilities used within CC/S/As
- Provide pervasive enterprise capabilities and interfaced automated capabilities based on common data standards to enhance and accelerate CC/S/As' ability to:
  - Identify assets
  - Check system configuration compliance against policies and standards
  - Search for potential vulnerabilities
  - Act on known vulnerabilities for known risk posture for systems/networks
  - Report status & share information with those that need to know

Configure assets securely; maintain secure configurations; provide continuous situational awareness to the right people.

Why SCM?

The Enterprise Today:
- Difficult to maintain secure configurations: high level of effort, diminished return on investment
- Disparate IA tool sets: proprietary capabilities, disconnected and stand-alone configurations
- Manual reporting: resource intensive, slow, and limits trusted situational awareness

The Future Enterprise:
- Automated, end-to-end security compliance process
- Standardized and validated toolsets connected throughout the enterprise
- Continuous reporting to improve data integrity and validity

SCM Lifecycle



SCM Program Objectives

The SCM Program implements published standards, using validated tools, and employs standardized interfaces to realize essential Secure Configuration capabilities.

- Standards: Secure Configuration Automation Protocol (SCAP). A NIST-developed, industry-adopted set of standards supporting interoperability and automated data exchange. Extended to include standard data formats for reporting asset and summary information.
- Tools: Commercial-off-the-Shelf (COTS) and Government-off-the-Shelf (GOTS) tools validated as conforming to SCAP standards.
- Interfaces: Leverage SCAP and emerging standards (Asset Report Format (ARF) / ARF Summary Report (ASR)) to distribute asset data by defining data input and output formats for SCAP-validated tools.
- Capabilities: Content/Policy development; Asset Inventory/Discovery; Security State Analysis/Risk Assessment; and Risk Mitigation

SCM OV-1

Near-Term SCM Capability Framework



Automated STIGs

Automated STIG & IAVM Benchmarks (with OVAL) available:
- Windows XP
- Windows Vista
- Windows 2003 Domain Controller & Member Server
- Windows 2008 Domain Controller & Member Server
- Windows 7
- Windows 2008R2
- Red Hat 5
- Solaris 9 (x86 and sparc)
- Solaris 10 (x86 and sparc)
- HP-UX 11.23
- HP-UX 11.31
- AIX 5.3
- AIX 6.1
- Windows IAVM 2009, 2010, 2011, 2012 * PKI restricted
- IE8
- IE9

http://iase.disa.mil/stigs/scap/index.html

ESSG / CCWG / OWG

SCM (CSIP, IAVM, Continuous Monitoring, Risk Scoring, C&A, Mission Assurance)

TWGs: Network Scanning; Network Mapping; Continuous Monitoring; Risk Scoring; Policy and Remediation

Enterprise Acquisition Approval; Enterprise Capability Release Board; SCM CCB; Program CCB

SCM Capability Map

SCM Program Overlay

SCM R&D FOCUS AREAS (FY13 - FY17)

- SCM in Mobile Environment: Develop SCM capabilities for mobile and wireless devices.
  - Mobile Device Manager
  - Dynamic Policy Generation (supports BYOD)
  - Mobile Application Store
- Automated Remediation: Develop remediation policies allowing centralized control and decentralized execution of remediation.
  - COTS Remediation Tools
  - Remediation Standard
  - Group Policy Fixes
  - Policy-Driven Automated Course-of-Action (ACoA)
- Collect Configuration Data from Human Sensors: Develop automated capabilities to collect IT asset and configuration relevant data from human sensors (i.e., Open Checklist Interactive Language/OCIL, part of the SCAP protocol suite).
  - Certification and Accreditation
  - Non-Automated STIG Checks
  - Training
  - CCRI (Command Cyber Readiness Inspection) / CSIP (Cyber Security Inspection Process)
- SCM in a Virtualized Environment: Develop SCM capabilities for non-persistent and persistent IT virtualization environments.
  - Hypervisor
  - Virtual Desktop Environment
  - Streaming Application Server


SCM in Mobility PROGRESS & Way Forward

FY12
- Completed Combined Baseline Criteria for Mobile Device Manager (MDM)
- MDM Tool Qualitative Market Analysis
- Policy and Configuration Guidance Market Analysis
- CONOP for SCM in Mobile Environment
- MDM Security Capability Assessment
- MDM-SCAP Middleware Application

FY13
- Market Analysis of MDM / MAS
- COTS Tool Evaluation and Testing (MDM/MAS)
- Standards development for mobile assessment (OVAL)
- Standards-based compliance scanning of mobile devices
- Integration with TNC concepts
- Dynamic Policy Generation (Supports BYOD)
- Integration of MDM with Continuous Monitoring Solution


Automated Remediation PROGRESS & Way Forward

FY12
- Work with NIST on Remediation standard development (CRE & ERI)
- Work with SPAWAR on the development of the SPAWAR Remediation Tool

FY13
- Aggregated automated remediation requirements
- Automated Remediation CONOP
- Market Analysis and evaluation of Remediation COTS tools
- Support further refinement of Remediation standards
- Create Remediation content to support automated remediation
- Refine STIG and IAVM automated remediation approach
- Integrate Remediation Content into DISA Digital Policy Management System
- Remediation Event Management capability
- Support Proof of Concept of Automated Remediation course of action


Automated human sensor PROGRESS & Way Forward
SCAP Protocol: OCIL (Open Checklist Interactive Language)

FY12
- OCIL Content for Windows 7
- Lessons Learned for OCIL reference implementation
- Input to OCIL 2.0 standard
- Pilot with Telos tool using OCIL

FY13
- Market Analysis of current COTS tools that leverage the OCIL data standard
- CONOP for OCIL to support C&A, STIG Compliance, Training, and CSIP Use Cases
- Draft requirements for Enterprise OCIL solution
- Create OCIL content to support identified use cases
- Provide input to OCIL 3.0 standard
- Pilot for using OCIL for C&A
- Pilot for using OCIL for CCRI/CSIP
- Pilot for using OCIL for STIG Compliance


SCM in Virtualization PROGRESS & Way Forward

FY12
- Collaborate with DISA and CYBERCOMMAND to derive test cases for evaluating security of virtual environments
- Procure and Establish Virtualization Pilot Lab
- Configure NSA IT Efficiencies Environment in Lab
- Install current DISA SCM Tools in Lab
- Execute test cases to determine security gaps with current DISA tools
- Recommend approaches to resolve security gaps

FY13
- Complete Virtualization Pilot
  - Final SCM Use Case Execution
  - Gap Analysis Report
  - Recommendations Paper for DISA
- Hypervisor Scanning Capability
  - STIG/SRG
  - Market Analysis of Tools
  - SCAP content
  - Standards updates (ARF/ASR)
  - Operational Prototype in Lab
- Non-Persistent Desktop Scanning Capability
  - Approach to scanning non-persistent desktops/templates
  - Market Analysis of Tools
  - Operational Prototype in Lab

SCM Programs

- ACAS
- CMRS/PRSM
- DPMS
- IAVM Service
- VMS STIG Maintenance
- Patch Repository
- Severity Scoring
- eMASS
- ENMLDS
- HBSS
- Policy Auditor
- OAM
- APS
- ACCM
- Remediation Manager
- VMS

CMRS Technology Stack

CMRS Enterprise End State

DPMS System View




What is Digital Policy Management Service?

- Author validated Machine-readable Content
  - Search for and Modify/Copy already created content
- Content Distribute Capability (Machine-to-Machine (M2M), Versioning)
  - Based on signatures; Marines get Marines-signed content, Navy gets Navy-signed content, everyone gets Authoritative content
- Collaboration
  - Content Sharing / Learning (e.g., Patch testing reciprocity)
  - Army can share custom content with Navy; Navy can share custom content with Marines; CYBERCOM can share content with everyone




Authoritative Sources of Content

Authoritative sources need to create as well as validate content created by other sources (Army, Navy, etc.). Content validated/signed by the respective Authoritative source should be scored differently in the Enterprise Risk Scoring (ERS) capability.

Types of Content:
- SCAP Content
  - STIG (CCE) (FSO)
  - IAVM (FSO & CYBERCOM)
  - Malware (MAEC) (CYBERCOM)
  - Custom HIPS, AV & other remediation (CYBERCOM)

IAVM System Overview

- Automates USCYBERCOM vulnerability scoring and policy generation processes
- Includes CVSS-compliant scoring engine
- Provides real-time interfaces with Symantec DeepSight, NVD, and VMS
- Supports SCAP standards including CVE, CVSS, and CPE

System is live! June 2012

IAVM System CONOPS

IAVM System Capabilities

Primary System Capabilities
- PKI authentication & access control
- Symantec DeepSight web service data feeds for real-time vulnerability info
- Vulnerability analyst workspace/dashboard
- Pre-populated IAVM template and workflow
- SCAP-compliant CVSS vulnerability scoring engine
- Web-based pre-coord collaboration area to capture and track feedback
- Enhanced search - ability to search across current and historical IAVMs using multiple parameters

QUESTIONS

SCM PMO
disa.meade.peo-ma.list.scm-pmo@mail.mil
www.disa.mil/scm