Agency Security Update Service (ASUS) Mike Bolger KSC CIO
ASUS Data Collection The ASUS Project collects Enterprise IT Security Data: »Patch Management – 80,000+ devices »Software Inventory – 80,000+ devices »Federal Desktop Core Configuration (FDCC) – 60,000+ devices »Network Vulnerability – 120,000+ devices »Network Inventory – 120,000+ devices Data is stored in IT Security Enterprise Data Warehouse (ITSEC-EDW) »Provides centralized “one-stop-shop” for IT Security Data 2 9/20/2015
Continuous Monitoring / Reporting 3 Example Data
Continuous Monitoring / Reporting 4 Interactive website provides searchable reports List of Vulnerabilities By Center Or Security Plan Drill down to a list of Workstation/server with vulnerabilities
Continuous Monitoring The Agency is focusing on expanded Continuous Monitoring in alignment to proposed FISMA changes »ASUS Team is currently providing Continuous Monitoring for: Patch Management Software Inventory Network Inventory Network Vulnerabilities »Developing automated methods to Continuously Monitor NIST Controls (IT System Security Plans) 5 9/20/2015
IT Security Risk-Based Reporting Continuous Monitoring will feed NASA IT Security Risk Score »Provide overall Risk score for a Security Plan, Center and the Agency »Helps focus workforce to problem areas »Puts focus on reducing risk, not just meeting metrics 6
Collaboration with other NASA projects ASUS Project is working to add IT Security Data Sources »Incident data from the NASA SOC »Antivirus data from ODIN »DHCP data from IPAM »Application data from Agency Data Center Consolidation (ADCC) The ASUS Project is a preventative tool in NASA’s IT Security arsenal 7 9/20/2015
Agency is moving to a new Patch Management Solution »Reached the potential of the PatchLink product »Selected product »Benefits: More robust Agent Scalable to meet NASA’s complex architecture Follows OVAL standards Provides additional functionality o “Agent on a USB Stick” o Network Inventory to locate machines missing an Agent Appliance – reduces costs and maintenance for the Agency Patch Management Solution 8 9/20/2015
Agency Data Center Consolidation (ADCC) Collaborating with the Agency Data Center Consolidation (ADCC) Project »OMB has come out with the “Federal Data Center Consolidation Initiative” »Goal is to reduce overall costs and energy consumption »ADCC is preparing to deploy an Inventory and Application Mapping tool in all NASA Data Centers –Application Mapping = tells us what is required to move a “service” (i.e. Tech Doc) »ASUS team will be providing the technical expertise to coordinate the deployment of the automated tool across the Agency 9 9/20/2015