Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP)
John M. Gilligan, www.gilligangroupinc.com
May 2009


Problem
Today's state: CIOs of large enterprises cannot
– See their IT assets; they don't know what they have
– Tell which systems comply with policy, which makes reporting and enforcement impossible
– Change configurations quickly in reaction to changing threats or vendor updates
IT organizations cannot effectively manage complex environments

Root Cause
Today's enterprise IT capabilities are:
– Complex
– Dynamic
– Vulnerable
– Fragmented in their use of automated management
Processes and tools are immature

CIOs are concerned about enterprise IT management
– Cost of poorly managed IT is growing rapidly
– Cyber attacks are exploiting weak enterprise management
  – The weakest link becomes the enterprise "Achilles heel"
  – Cyber exploitation is now a national security issue
– High quality IT support requires effective enterprise management
SCAP enables effective enterprise IT management and security

Goal: Well-Managed Enterprise
– Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know whether this is so or not
– Integrated and automated enterprise management tools increase operational effectiveness and security without increased cost

Solution Elements
– Governance
– Technology
– Discipline

Governance
– Define management and security policies and properties to be implemented in enterprise IT environments
– Accelerate evolution to a disciplined environment
  – Federal Desktop Core Configuration (FDCC): establishes initial configuration discipline
  – 20 Critical Controls for Effective Cyber Defense (Consensus Audit Guidelines): counter the most significant threats with measurable controls
  – NIST Special Publication (Information Security: Recommended Security Controls for Federal Information Systems): establish comprehensive, disciplined management and security policies and controls

Technology
– Use tools that are Security Content Automation Protocol (SCAP)-enabled
– Automate management of configuration, asset inventory, and security properties
  – Continuously assess, report, and enforce endpoint compliance
  – React quickly to changing situations (e.g., vendor patches, new configurations, revised policy)
– Achieve cross-vendor integration and interoperability
SCAP enables tool integration and interoperability for disciplined enterprise IT management

Discipline
Verify compliance with enterprise IT policies:
– Continuously verify the effectiveness of controls by leveraging automation and trend metrics
– Also employ metrics for operational effectiveness and cost
– Use auditors and red teams to independently validate discipline
– Ensure visible accountability for those who violate policies

Leveraging SCAP for Enterprise IT Management

Current SCAP Standards
Standards: CVE, CVSS, OVAL, CCE, CPE, XCCDF
IT management functions covered: software vulnerability management, configuration management, compliance management, asset management
SCAP supports foundational IT management functions

Specific SCAP Standards
  CVE (Common Vulnerabilities and Exposures): identifies vulnerabilities
  CVSS (Common Vulnerability Scoring System): scores vulnerability severity
  OVAL (Open Vulnerability and Assessment Language): criteria to check for the presence of vulnerabilities, configurations, and assets
  CCE (Common Configuration Enumeration): identifies configuration controls
  CPE (Common Platform Enumeration): identifies packages and platforms
  XCCDF (Extensible Configuration Checklist Description Format): language to express configuration guidance for both automatic and manual vetting
IT management functions covered: software vulnerability management, configuration management, compliance management, asset management
SCAP enables enterprise-wide, cross-vendor interoperability and aggregation of data produced by separate tools

Mature Standards Illustrate Possibilities
– Common Vulnerabilities and Exposures (CVE): industry standard for identifying vulnerabilities
  – 36,000+ vulnerabilities agreed upon over the last 10 years
  – 245 products, 138 organizations, 25 countries
– Common Vulnerability Scoring System (CVSS): the Payment Card Industry (PCI) uses CVSS scores to judge the compliance of organizations that process card payments
Industry has adopted SCAP standards for individual needs

SCAP Gaining Momentum
– Federal Desktop Core Configuration (FDCC/SCAP)
  – Ken Heitkamp (ex-Deputy CIO, AF): "FDCC with SCAP not only establishes standard configurations for hardware suppliers, it also addresses security for those that develop software"
– Open Vulnerability and Assessment Language (OVAL)
  – McAfee: "The ability to…describe vulnerabilities on a system and exchange that information between tools is doing a great deal to improve [vendor] offerings"
– NIST issues SCAP content for FISMA compliance
  – Steve Quinn (NIST): "[SCAP is] an automated approach to help agencies make the jump from security policies and mandates to secure systems."

Product Interoperability
The problem
– Different vendor products give different answers
– CIOs can't integrate across vendors
The solution
– The SCAP standard OVAL was introduced to enable integration
– Red Hat adopted OVAL and found it increased the value of their advisories to customers
– Other vendors have followed (e.g., Symantec)
OVAL provides the "glue" for SCAP-compliant tools, leading to interoperability
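The Technology, Specific SCAP Standards and Product Interoperability slides all turn on one mechanism: because every tool labels its checks with the same SCAP identifiers, results from different vendors can be merged and compared, and a disagreement between tools becomes visible instead of being hidden inside one product's report. The following is an added example, not code from the presentation or from any SCAP tool, that parses XCCDF 1.2 TestResult documents and merges them by CCE identifier. The two sample documents are constructed for the example; the hostnames, rule ids and CCE numbers in them are placeholders and not real CCE entries, and the rule that a disagreement keeps the worse answer is a design choice of the example rather than anything XCCDF prescribes.

```python
"""Merge XCCDF TestResult output from different SCAP tools by CCE identifier."""
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
CCE_SYSTEM = "http://cce.mitre.org"                  # ident/@system used for CCE ids
NS = {"x": XCCDF_NS}

COMPLIANT = {"pass", "fixed"}
NONCOMPLIANT = {"fail", "error", "unknown"}
# notapplicable, notchecked, notselected and informational are left out of the rate.
# Rank used when two tools disagree: keep the worse answer until a person resolves it.
RANK = {"fail": 0, "error": 1, "unknown": 2, "notchecked": 3, "informational": 4,
        "notapplicable": 5, "notselected": 6, "fixed": 7, "pass": 8}

# Constructed sample documents (not real scanner output). Hostnames, rule ids and
# CCE numbers are placeholders chosen for the example, not real CCE entries.
TOOL_A = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.toola_testresult_1">
  <target>ws-0001.example.test</target>
  <rule-result idref="xccdf_org.toola_rule_min_pw_len"><result>pass</result>
    <ident system="{CCE_SYSTEM}">CCE-10001-1</ident></rule-result>
  <rule-result idref="xccdf_org.toola_rule_fw_enabled"><result>fail</result>
    <ident system="{CCE_SYSTEM}">CCE-10002-2</ident></rule-result>
  <rule-result idref="xccdf_org.toola_rule_guest_off"><result>notapplicable</result>
    <ident system="{CCE_SYSTEM}">CCE-10003-3</ident></rule-result>
</TestResult>"""

# A second vendor's tool: its own rule ids, the same CCE idents, one disagreement.
TOOL_B = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_com.toolb_testresult_7">
  <target>ws-0001.example.test</target>
  <rule-result idref="xccdf_com.toolb_rule_417"><result>pass</result>
    <ident system="{CCE_SYSTEM}">CCE-10001-1</ident></rule-result>
  <rule-result idref="xccdf_com.toolb_rule_418"><result>pass</result>
    <ident system="{CCE_SYSTEM}">CCE-10002-2</ident></rule-result>
</TestResult>"""

# The same second tool reporting on another host.
TOOL_B_HOST2 = TOOL_B.replace("ws-0001", "ws-0002")


def parse_testresult(xml_text):
    """Return (target, {cce_id: result}) for the rule-results that carry a CCE ident.

    Keying on the CCE identifier instead of the tool's own rule idref is what
    makes one vendor's results comparable with another's.
    """
    root = ET.fromstring(xml_text)
    target = root.findtext("x:target", namespaces=NS)
    results = {}
    for rr in root.findall("x:rule-result", NS):
        result = rr.findtext("x:result", namespaces=NS)
        for ident in rr.findall("x:ident", NS):
            if ident.get("system") == CCE_SYSTEM:
                results[ident.text.strip()] = result
    return target, results


def aggregate(documents):
    """Merge TestResults from any number of tools into merged[host][cce] = result.

    Also returns the (host, cce, {answers}) triples where two tools disagreed; the
    merged view keeps the worse answer so a disagreement never hides a failure.
    """
    merged = defaultdict(dict)
    conflicts = []
    for doc in documents:
        host, results = parse_testresult(doc)
        for cce, result in results.items():
            prev = merged[host].get(cce)
            if prev is not None and prev != result:
                conflicts.append((host, cce, {prev, result}))
                result = min(prev, result, key=lambda r: RANK.get(r, 2))
            merged[host][cce] = result
    return dict(merged), conflicts


def compliance_rate(results):
    """Percent of applicable checks that are compliant, from a {cce: result} map."""
    scored = [r for r in results.values() if r in COMPLIANT or r in NONCOMPLIANT]
    if not scored:
        return 0.0
    return round(100.0 * sum(r in COMPLIANT for r in scored) / len(scored), 1)


def enterprise_rate(merged):
    """Compliance rate over every host's applicable checks together (a trend metric)."""
    combined = {f"{h}:{c}": r for h, res in merged.items() for c, r in res.items()}
    return compliance_rate(combined)


def failing_hosts(merged):
    """Invert the view: for each CCE, the hosts that fail it (drives prioritized fixes)."""
    out = defaultdict(list)
    for host in sorted(merged):
        for cce, result in merged[host].items():
            if result in NONCOMPLIANT:
                out[cce].append(host)
    return dict(out)


if __name__ == "__main__":
    merged, conflicts = aggregate([TOOL_A, TOOL_B, TOOL_B_HOST2])
    for host, results in sorted(merged.items()):
        print(f"{host}: {compliance_rate(results)}% compliant")
    print(f"enterprise: {enterprise_rate(merged)}% compliant")
    print("failing hosts by CCE:", failing_hosts(merged))
    for host, cce, answers in conflicts:
        print(f"tools disagree on {cce} for {host}: {sorted(answers)}")
```

Run stand-alone it reports per-host and enterprise compliance, the hosts failing each CCE, and the one check on which the two tools disagree. Without a shared identifier the two reports could only be matched by hand, which is the "different answers, can't integrate" problem the slide describes; with CCE as the key the disagreement is a finding in its own right.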

Enterprise IT Management Using SCAP
– DoD Computer Network Defense (CND) data sharing pilot demonstrating enterprise management using SCAP
  – SCAP shows which systems are vulnerable; enables rapid, prioritized response (e.g., rush patching); provides follow-up reporting
  – Tony Sager (NSA): "We do it all now with SCAP-compatible tools."
– Organizations are beginning to see SCAP benefits for other enterprise applications

Leadership is needed now
Shape technology to serve the public interest

Recommended Actions
How the Federal government can provide leadership:
1. Require SCAP-validated tools
2. Educate IT staff in how SCAP can be used for enterprise IT management
3. Deploy SCAP-validated tools; evolve to automated enterprise IT management
4. Share lessons learned with IT managers and vendors
  – More use cases, not just security
  – More transparent integration

SCAP can transform individual tools into integrated parts of an Enterprise IT Management Capability
(Diagram: layers labeled Capabilities, Tools, SCAP)

Enterprise IT Management Roadmap
(Chart: capability plotted against cost)

Contact Information
John M. Gilligan
www.gilligangroupinc.com

Strategic Roadmap
Capabilities along the roadmap:
– Controlled configuration for Windows
– Controlled configuration for major operating systems and applications
– Standardized application white and black listing
– Adaptive configurations based on threat
– Faster vulnerability impact/patch level assessment
– Standardized remediation, configuration control
Stages (chart axis): Today → OVAL adoption → More secure, more automated → Real-time management → More secure, automated, real time