2 Paul Green – President and Founder of G2, Inc. – We are trusted security advisors to the Federal Government and Fortune 500. – We are recognized as having subject matter expertise in the implementation of security compliance monitoring software.

3 Our Clients

4 Still True in 2006: “Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known.” – Gartner Group, May 6, 2002

5 Let’s Address Two Questions. 1. What is Security Automation (XCCDF/OVAL)? 2. How can security automation improve the system security configuration lifecycle?

6 What is Security Automation?

7 Conceptual Analogy

8 Conceptual Analogy: Outsource vs. In-House

9 Conceptual Analogy: Outsource vs. In-House. In-house: a.) Troubleshoot/Analyze – conduct testing (Is there a problem? Cause of error condition? Is this check reporting correctly?) b.) Document/Report Findings c.) Recommendations d.) Remediate

10 Conceptual Analogy: Outsource vs. In-House vs. Standardize & Automate. In-house: a.) Troubleshoot/Analyze – conduct testing (Is there a problem? Cause of error condition? Is this check reporting correctly?) b.) Document/Report Findings c.) Recommendations d.) Remediate. Standardize & Automate: a.) Troubleshoot/Analyze (Is there a problem? Cause of error condition? Is this check reporting correctly?) – with more DATA available to answer each question.

11 Conceptual Analogy: Before / After. Before: Error Report – Problem: Air Pressure Loss. After: Diagnosis Accuracy: All Sensors Reporting – Expected Cost: $25.00 – Diagnosis: Replace Gas Cap.

12 XML Made Simple (the car-care analogy): XCCDF – eXtensible Car Care Description Format; OVAL – Open Vehicle Assessment Language. The XML example on the slide lost its tags in extraction; it described a 1997 Ford Contour with the required conditions “Gas Cap = On”, “Oil Level = Full”, … on the XCCDF side, and the procedure for checking them (“Side of Car”, “Turn”, “Hood”, …) on the OVAL side.

13 XCCDF & OVAL Made Simple: XCCDF – eXtensible Configuration Checklist Description Format; OVAL – Open Vulnerability and Assessment Language. The XML on the slide lost its tags in extraction; it showed (1) an XCCDF document for NIST SP 800-68, dated 04/22/06, platform Windows XP, with rules such as “Password >= 8” and “FIPS Compliant”, …, and (2) the OVAL definitions those rules reference, carrying the values actually checked (8, …, 1.0.12.4).

14 The Connected Path: 800-53 Security Control → 800-68 Security Guidance → NVD-produced 800-68 in XML format → COTS tool ingest → API call → Result

15 The Connected Path, followed through for one control (800-53 Security Control → 800-68 Security Guidance → NVD-produced 800-68 in XML format → COTS tool ingest → API call → Result):
– 800-53 security control: AC-7, Unsuccessful Login Attempts
– 800-68 security guidance: AC-7: Account Lockout Duration; AC-7: Account Lockout Threshold
– 800-68 in XML (as shown on the slide): HKEY_LOCAL_MACHINE, Software\Microsoft\Windows, AccountLockoutDuration, 5*
– COTS tool ingest binds the parameters of its check: lpHKey = “HKEY_LOCAL_MACHINE”, Path = “Software\Microsoft\Windows\”, sKey = “AccountLockoutDuration”, Value = “5”, Op = “>”
– API call (the slide’s pseudocode, with the comparison made against the value read back rather than against the key name, and in the direction Op names):
    actual = RegQueryValue(lpHKey, Path, sKey);
    if (Op == ">") return (actual > Value) ? 1 : 0;
– Result: 1 (the setting satisfies the guidance) or 0 (it does not)
Note that the registry location is illustrative: account lockout duration and threshold are Local Security Policy (SAM/LSA) settings read through NetUserModalsGet, not values under HKLM\Software\Microsoft\Windows, which is why OVAL checks them with its lockoutpolicy test rather than a registry test.
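The rule-to-check linkage the two Connected Path slides describe, as an added example that is not part of the presentation or of NIST’s SP 800-68 content: a constructed XCCDF 1.1 benchmark whose Rules point at constructed OVAL 5 definitions, and a small Python evaluator that follows Rule → check-content-ref → definition → criteria → test → state and scores each rule pass/fail against a stand-in for the collected system state. The benchmark id, rule ids, the CCE placeholder, the oval:org.example ids, the 900-second lockout threshold and the SYSTEM dictionary are all assumptions; a real tool fills SYSTEM by calling the Windows API (NetUserModalsGet for password and lockout policy) rather than reading a dictionary.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
WIN_NS = OVAL_NS + "#windows"

# Constructed benchmark: the "what" (policy statements), one Rule per setting.
XCCDF_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-winxp">
  <status date="2006-04-22">draft</status><title>Constructed Windows XP benchmark</title>
  <Rule id="min-password-length" selected="true">
    <title>Minimum password length is at least 8</title>
    <ident system="http://cce.mitre.org">CCE-0000-0</ident>
    <check system="{OVAL_NS}"><check-content-ref href="oval.xml" name="oval:org.example:def:1"/></check>
  </Rule>
  <Rule id="lockout-duration" selected="true">
    <title>AC-7: account lockout duration is at least 15 minutes (assumed threshold)</title>
    <check system="{OVAL_NS}"><check-content-ref href="oval.xml" name="oval:org.example:def:2"/></check>
  </Rule>
</Benchmark>"""

# Constructed OVAL content: the "how" (definition -> test -> object + state).
OVAL_XML = f"""<oval_definitions xmlns="{OVAL_NS}" xmlns:win="{WIN_NS}">
  <definitions>
    <definition id="oval:org.example:def:1" version="1" class="compliance">
      <metadata><title>min_passwd_len &gt;= 8</title><description/></metadata>
      <criteria operator="AND"><criterion test_ref="oval:org.example:tst:1"/></criteria>
    </definition>
    <definition id="oval:org.example:def:2" version="1" class="compliance">
      <metadata><title>lockout_duration &gt;= 900 s</title><description/></metadata>
      <criteria operator="AND"><criterion test_ref="oval:org.example:tst:2"/></criteria>
    </definition>
  </definitions>
  <tests>
    <win:passwordpolicy_test id="oval:org.example:tst:1" version="1" check="all" comment="pw len">
      <win:object object_ref="oval:org.example:obj:1"/><win:state state_ref="oval:org.example:ste:1"/>
    </win:passwordpolicy_test>
    <win:lockoutpolicy_test id="oval:org.example:tst:2" version="1" check="all" comment="lockout">
      <win:object object_ref="oval:org.example:obj:2"/><win:state state_ref="oval:org.example:ste:2"/>
    </win:lockoutpolicy_test>
  </tests>
  <objects>
    <win:passwordpolicy_object id="oval:org.example:obj:1" version="1"/>
    <win:lockoutpolicy_object id="oval:org.example:obj:2" version="1"/>
  </objects>
  <states>
    <win:passwordpolicy_state id="oval:org.example:ste:1" version="1">
      <win:min_passwd_len datatype="int" operation="greater than or equal">8</win:min_passwd_len>
    </win:passwordpolicy_state>
    <win:lockoutpolicy_state id="oval:org.example:ste:2" version="1">
      <win:lockout_duration datatype="int" operation="greater than or equal">900</win:lockout_duration>
    </win:lockoutpolicy_state>
  </states>
</oval_definitions>"""

# Constructed stand-in for what a tool collects from the host (a real tool would
# call NetUserModalsGet for these two policies). Lockout duration is in seconds.
SYSTEM = {"passwordpolicy": {"min_passwd_len": 6},
          "lockoutpolicy": {"lockout_duration": 1800}}

OPS = {"equals": lambda a, b: a == b, "not equal": lambda a, b: a != b,
       "greater than": lambda a, b: a > b, "greater than or equal": lambda a, b: a >= b,
       "less than": lambda a, b: a < b, "less than or equal": lambda a, b: a <= b}

def _local(tag):                  # "{ns}name" -> "name"
    return tag.rsplit("}", 1)[-1]

def _by_id(root, section):        # id -> element for <definitions>, <tests>, <states>
    return {e.get("id"): e for e in root.find(f"{{{OVAL_NS}}}{section}")}

def state_matches(state, collected):
    """Every entity in the OVAL state must hold against the collected item."""
    for entity in state:
        name, op = _local(entity.tag), OPS[entity.get("operation", "equals")]
        want = int(entity.text) if entity.get("datatype") == "int" else entity.text
        if name not in collected or not op(collected[name], want):
            return False
    return True

def evaluate_test(test, states, system):
    kind = _local(test.tag)[: -len("_test")]            # e.g. "passwordpolicy"
    collected = system.get(kind)
    if collected is None:
        return "unknown"                                 # item was not collected
    refs = [c.get("state_ref") for c in test if _local(c.tag) == "state"]
    return "true" if all(state_matches(states[r], collected) for r in refs) else "false"

def evaluate_criteria(node, tests, states, system):
    """OVAL criteria tree: AND/OR over criterion results, negate honoured."""
    results = []
    for child in node:
        tag = _local(child.tag)
        if tag == "criteria":
            r = evaluate_criteria(child, tests, states, system)
        elif tag == "criterion":
            r = evaluate_test(tests[child.get("test_ref")], states, system)
        else:
            continue
        if child.get("negate") == "true" and r != "unknown":
            r = "false" if r == "true" else "true"
        results.append(r)
    if node.get("operator", "AND") == "AND":
        return "false" if "false" in results else ("true" if all(r == "true" for r in results) else "unknown")
    return "true" if "true" in results else ("false" if all(r == "false" for r in results) else "unknown")

def evaluate_benchmark(xccdf_xml, oval_xml, system):
    """Rule -> check-content-ref -> OVAL definition; returns {rule_id: xccdf result}."""
    bench, oval = ET.fromstring(xccdf_xml), ET.fromstring(oval_xml)
    defs, tests, states = (_by_id(oval, s) for s in ("definitions", "tests", "states"))
    results = {}
    for rule in bench.iter(f"{{{XCCDF_NS}}}Rule"):
        ref = rule.find(f"{{{XCCDF_NS}}}check/{{{XCCDF_NS}}}check-content-ref")
        criteria = defs[ref.get("name")].find(f"{{{OVAL_NS}}}criteria")
        r = evaluate_criteria(criteria, tests, states, system)
        results[rule.get("id")] = {"true": "pass", "false": "fail"}.get(r, "unknown")
    return results
```

Calling evaluate_benchmark(XCCDF_XML, OVAL_XML, SYSTEM) gives min-password-length: fail (6 < 8) and lockout-duration: pass (1800 >= 900). Two design points matter in practice: the OVAL result vocabulary (true/false/unknown) is distinct from the XCCDF one (pass/fail/unknown) and the mapping happens at the rule, and an item the collector could not read is reported as unknown rather than silently as pass, which is the failure mode that produces a clean-looking but meaningless compliance report.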

16 Security specifications for platforms and applications (for each OS/application): – Vulnerabilities: list of all known vulnerabilities – Required configurations: secure configuration guidance – Necessary security tools. The required technical security controls are expressed as a low-level checking specification.

17 How Does This Change the Lifecycle?

18 What Are My SSCL Goals? – To facilitate easy-to-manage, consistent server compliance monitoring – Evolve server security strategy from reactive to proactive – Reduce attack surface and minimize operational risk – Near-real-time, verifiable server compliance documentation. These products will automate and change the way we validate and test our high-level requirements.

19 The System Security Configuration Lifecycle (SSCL): Adopt & Adapt → Develop & Deploy → Compliance & Correction → Review & Revise (and back to Adopt & Adapt)

20 Adopt & Adapt: Review existing industry and government configuration checklists and standards (CIS, NIST, NSA, vendors, etc.) – Checklists are often prose documents or spreadsheets and are not machine readable; these files are difficult to manage, AND nearly impossible to compare side by side.

21 Adopt & Adapt: Customize the standard/checklist based on compatibility and risk assessment – These are often conglomerations of various checklists, creating N “custom” baselines; when we account for operational issues we end up with N^N variations. In the end, how does your “custom” implementation compare to the original standards?

22 Adopt & Adapt (NSAP): We now have a framework that provides traceability between our customized checklists and high-level requirements (e.g. SP 800-53, the DoD 8500 series). Educate our clients that a machine-readable format for checklists allows us to spend less time on document management and more time focused on other activities in the lifecycle.

23 Develop & Deploy: – Develop configuration scripts (addressing all standard OSs and builds) based on the standards/checklists from Adopt & Adapt – Customize the standard/checklist based on compatibility and risk assessment – Incorporate the standards/checklists into the automated auditing toolset

24 Develop & Deploy (NSAP): – A large number of man-hours can now be saved by using tools that accept the machine-readable XCCDF format and import the policies directly into the security tools – We can now convert the organization’s current custom checklists into standardized XML format (XCCDF/OVAL) – We want to create build scripts that interpret standardized XML inputs – Learn how to express “customer specific checks” that may not be included in CCE

25 Compliance & Correction: – Analyze output from each of the scanning tools; in certain cases this includes manual cross-referencing of findings – Report and communicate results: in many cases this process is still paper-based, and the results produce thousands of pages of information – Remediate (initial cycles will produce large amounts of remediation)

26 Compliance & Correction (NSAP): – A machine-readable format supports seamless integration with XCCDF-compatible tools – Using CCE, we now also have a common reference that allows us to map configuration results between different security tools – We can develop scripts to compare the standardized XML output from each of the scanning tools – Now we begin the decision process of determining and implementing the appropriate remediation path; this can include the analysis of compensating controls
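The cross-tool comparison this slide calls for, as an added example that is not part of the presentation: two constructed XCCDF 1.1 TestResult documents stand in for the output of two different scanners, each using its own rule ids but copying the CCE ident into every rule-result it can, and a script joins them on the CCE id to find where the tools disagree, which settings only one tool covered, and which results carry no CCE ident and so cannot be cross-mapped at all. The tool names, rule ids and CCE-style identifiers are placeholders, not real CCE entries.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
CCE = "http://cce.mitre.org"

# Constructed output from "tool A": tool-specific rule ids, CCE ident as the common
# reference (placeholder ids, not real CCE entries). The last result has no CCE ident.
TOOL_A = f"""<TestResult xmlns="{XCCDF_NS}" id="toolA-winxp-2006-04-22">
  <rule-result idref="a-pw-min-len"><result>fail</result><ident system="{CCE}">CCE-0001-0</ident></rule-result>
  <rule-result idref="a-lockout-duration"><result>pass</result><ident system="{CCE}">CCE-0002-0</ident></rule-result>
  <rule-result idref="a-audit-logon"><result>pass</result><ident system="{CCE}">CCE-0003-0</ident></rule-result>
  <rule-result idref="a-site-banner"><result>pass</result></rule-result>
</TestResult>"""

# Constructed output from "tool B": different rule ids, overlapping CCE ids.
TOOL_B = f"""<TestResult xmlns="{XCCDF_NS}" id="toolB-winxp-2006-04-22">
  <rule-result idref="B.1.7"><result>fail</result><ident system="{CCE}">CCE-0001-0</ident></rule-result>
  <rule-result idref="B.2.3"><result>fail</result><ident system="{CCE}">CCE-0002-0</ident></rule-result>
  <rule-result idref="B.4.1"><result>notapplicable</result><ident system="{CCE}">CCE-0004-0</ident></rule-result>
</TestResult>"""

def results_by_cce(xml_text):
    """Map CCE id -> (tool rule id, result) for every rule-result carrying a CCE ident.
    Results without one are tool-local checks and are returned separately."""
    root = ET.fromstring(xml_text)
    mapped, unmapped = {}, []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.findtext(f"{{{XCCDF_NS}}}result", default="").strip()
        idents = [i.text.strip() for i in rr.findall(f"{{{XCCDF_NS}}}ident")
                  if i.get("system") == CCE]
        if not idents:
            unmapped.append((rr.get("idref"), result))
            continue
        for cce in idents:                  # a rule may carry more than one ident
            mapped[cce] = (rr.get("idref"), result)
    return mapped, unmapped

def compare(a_xml, b_xml):
    """Join two TestResults on CCE id: agree / disagree / only_a / only_b / unmapped."""
    a, a_unmapped = results_by_cce(a_xml)
    b, b_unmapped = results_by_cce(b_xml)
    report = {"agree": [], "disagree": [], "only_a": [], "only_b": [],
              "unmapped_a": a_unmapped, "unmapped_b": b_unmapped}
    for cce in sorted(a.keys() | b.keys()):
        if cce in a and cce in b:
            (ra_id, ra), (rb_id, rb) = a[cce], b[cce]
            report["agree" if ra == rb else "disagree"].append((cce, ra_id, ra, rb_id, rb))
        elif cce in a:
            report["only_a"].append((cce,) + a[cce])
        else:
            report["only_b"].append((cce,) + b[cce])
    return report

def format_report(report):
    """One line per item that needs a human decision; agreements are omitted."""
    lines = [f"DISAGREE {cce}: A[{ra_id}]={ra} B[{rb_id}]={rb} -> verify by hand"
             for cce, ra_id, ra, rb_id, rb in report["disagree"]]
    lines += [f"ONLY-A   {cce}: [{rid}]={r}" for cce, rid, r in report["only_a"]]
    lines += [f"ONLY-B   {cce}: [{rid}]={r}" for cce, rid, r in report["only_b"]]
    lines += [f"NO-CCE   A[{rid}]={r} (cannot be cross-mapped)" for rid, r in report["unmapped_a"]]
    lines += [f"NO-CCE   B[{rid}]={r} (cannot be cross-mapped)" for rid, r in report["unmapped_b"]]
    return "\n".join(lines)
```

Running format_report(compare(TOOL_A, TOOL_B)) lists CCE-0002-0 as a disagreement (tool A pass, tool B fail), CCE-0003-0 and CCE-0004-0 as covered by only one tool, and the site banner check as un-mappable. The disagreement is the case worth automating for: two scanners looking at the same setting and reaching different conclusions is exactly the “is this check reporting correctly?” question from the analogy slides, and the CCE join surfaces it without anyone cross-referencing rule names by hand.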

27 What’s Available Today? NIST Windows XP Configuration Guide (SP 800-68), http://csrc.nist.gov/itsec/download_WinXP.html – Policy statements represented in XCCDF – Configuration checks represented in OVAL – Covers: registry settings, file permission checks, password policies, account lockout policies, audit policies – Download at: http://checklists.nist.gov/NIST-800-68-WinXPPro-XML-Alpha-rev1.zip

28 So Why Should You Care? The adoption of this process will provide the first-ever hard linkage between a high-level guidance document and specific security configuration settings. This could be the beginning of a process of connecting the dots between regulations and security settings.
