Presentation is loading. Please wait.

Presentation is loading. Please wait.

Standardizing and Automating Security Operations Presented by: National Institute of Standards and Technology.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Standardizing and Automating Security Operations Presented by: National Institute of Standards and Technology."— Presentation transcript:

1 Standardizing and Automating Security Operations Presented by: National Institute of Standards and Technology

2 Agenda Security Operations Today Information Security Automation Program Security Content Automation Protocol The Future of Vulnerability Management Next Steps

3 Management-level Security Controls Operational-level Security Controls Technical-level Security Controls FISMA Legislation High Level, Generalized, Information Security Requirements Federal Information Processing Standards FIPS 199: Information System Security Categorization FIPS 200: Minimum Information Security Requirements Information System Security Configuration Settings NIST, NSA, DISA, Vendors, Third Parties (e.g., CIS) Checklists and Implementation Guidance 30,000 FT 15,000 FT 5,000 FT Hands On FISMA Compliance Model

4 Finite Set of Possible Known IT Risk Controls & Application Configuration Options FISMA Configuration Management and Compliance HIPAASOXGLBINTELCOMSEC ‘97DoDISOVendor SP 800-53??? DCIDNSA Req DoD IA Controls 17799/ 27001 GuideSP 800-68 DISA STIGS & Checklists 3 rd Party Guide??? NSA Guides ??? Agency Tailoring Mgmt, Operational, Technical Risk Controls Windows XP SP1 SP2 Enterprise Mobile Stand Alone SSLF High Moderate Low OS or Application Version/ Role Major Patch Level EnvironmentImpact Rating or MAC/CONF Millions of Settings to manage across the Agency This Top-Down Schema Needs to be Managed from the Bottom-Up

5 Vulnerability Trends A 20-50% increase over previous years Decreased timeline in exploit development coupled with a decreased patch development timeline (highly variable across vendors) Three of the SANS Top 20 Internet Security Attack Targets 2006 were categorized as “configuration weaknesses.” Many of the remaining 20 can be partially mitigated via proper configuration. Increased prevalence of zero day exploits

6 State of the Vulnerability Management Industry Product functionality is becoming more hearty as vendors acknowledge connections between security operations and a wide variety of IT systems (e.g., asset management, change/configuration management) Some vendors understand the value of bringing together vulnerability management data across multiple vendors Vendors driving differentiation through: enumeration, evaluation, content, measurement, and reporting Hinders information sharing and automation Reduces reproducibility across vendors Drives broad differences in prioritization and remediation

7 Security Operations Landscape Manual platform-level configuration management across the enterprise is unwieldy at best A large amount of time is being spent by security operations personnel demonstrating compliance to a wide variety of laws and mandates using a configuration that’s fairly unchanging Increasing number of laws and mandates Increasing number of vulnerabilities per annum A vulnerability management industry which seeks differentiation through enumeration, evaluation, content, measurement, and reporting

8 Key Milestone NIST,DISA,NSA Security Automation Conference September 2006 300+ attendees Keynote addresses by: Richard Hale, DISA CIAO Dennis Heretick, DOJ CISO Tony Sager, NSA’s Vulnerability Analysis and Operations Group Chief

9 Information Security Automation Program  The ISAP is an Interagency & Interdepartmental initiative.  Becoming formalized through an MOA recognizing the need to:  Create and manage the evolution of a standards-based methodology for automating the implementation, monitoring, and adjustment of information system security.  Identify and reduce the number of known vulnerabilities and misconfigurations in government computing infrastructures over a shorter period of time.  Re-focus the vulnerability management industry on differentiation through product function.  Encourage innovation in the global market place.

10 Security Content Automation Protocol (SCAP) Standardizing our Enumeration, Evaluation, Measuring, and Reporting CVE Common Vulnerabilities and Exposures Standard nomenclature and dictionary of security related software flaws CCE Common Configuration Enumeration Standard nomenclature and dictionary of software misconfigurations CPE Common Platform Enumeration Standard nomenclature and dictionary for product naming XCCDF eXtensible Checklist Configuration Description Format Standard XML for specifying checklists and for reporting results of checklist evaluation OVAL Open Vulnerability Assessment Language Standard XML for testing procedures CVSS Common Vulnerability Scoring System Standard for measuring the impact of vulnerabilities Cisco, Qualys, Symantec, Carnegie Mellon University

11 Asset Management Vulnerability Management Configuration Management Integrating IT and IT Security Through SCAP Misconfiguration CVE CPE XCCDF CCE SCAP OVAL CVSS

12 Existing Federal Products Standardizing our Content 2.5 million hits per month 20 new vulnerabilities per day Cross references all publicly available U.S. Government vulnerability resources FISMA Security Controls (All 17 Families and 163 controls for reporting reasons) DoD IA Controls DISA VMS Vulnerability IDs Gold Disk VIDs DISA VMS PDI IDs NSA References DCID ISO 17799 Produces XML feed for NVD content In response to NIST being named in the Cyber Security R&D Act of 2002 Encourages vendor development and maintenance of security guidance Currently hosts 112 separate guidance documents for over 125 IT products Translating this backlog of checklists into the Security Content Automating Protocol (SCAP) Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements, ThreatGuard, MITRE Corporation, G2, Verisign, Verizon Federal, Kyocera, Hewlett- Packard, ConfigureSoft, McAfee, etc.

13 Security Content Automation Protocol (SCAP) EnumerationEvaluationMeasuringReportingContent CVE ●● CCE ●● CPE ●● XCCDF ●●● OVAL ●● CVSS ●●

14 The Future of Vulnerability Management Operations National Vulnerability Database Intelligence Feeds Organization Guidelines (e.g., STIG) Vulnerability Alerts (e.g., IAVA) NIST Checklist Program Configuration Misconfiguration Software Flaws Standardized Checklist Standardized Test Procedures Standardized Measurement and Reporting Change Control Process Metrics and Compliance Process Compliance and Audit Report Metrics Report Standardized Change List Standardized Change Procedures Standardized Measurement and Reporting Organization Vendor NIST XCCDFOVALCVSS XCCDF CVE, CCE, CPE, XCCDF, OVAL, CVSS XCCDFOVRLCVSS XCCDF

15 Key Milestone OMB Windows Security Configuration Memo – 22 March 2007 M-07-11: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf)http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf Acknowledges the role of NIST, DoD, and DISA in baselining security configurations for Windows XP and Vista, and directs departments and agencies to adopt the Vista security configuration Acknowledges that we are ahead of the Vista OS deployment and encourages use of a “very small number of secure configurations” Acknowledges that adoption increases security, increases network performance, and lowers operating costs Mandates adoption of these security configurations by 1 February 2008, and requests draft implementation plans by 1 May 2007 Corresponding OMB Memo to CIOs: Requires, “Implementing and automating enforcement of these configurations;” Excerpt from SANS FLASH Announcement: “The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money. The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now. Alan [Alan Paller, Director of Research, SANS Institute] PS. SANS hasn't issued a FLASH announcement in more than two years. [In other words,] this White House action matters.”

16 Next Steps Vendors Continue adoption of all SCAP standards – be a keystone product Continue using the content of NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists Put SCAP technologies on your roadmap and budget accordingly Service Providers Continue using the content of NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists Prepare to help the operations community reconcile multiple mandates into XCCDF checklists Position yourself to integrate SCAP compliant products Put SCAP and vulnerability management automation on your services roadmap and budget accordingly Operations Community Interact with your vendors and service providers about SCAP, ask about their SCAP plans, ask about their SCAP readiness Begin using the phrasing like “SCAP compliant” in your acquisition language Put SCAP and vulnerability management automation on your roadmap and budget accordingly

17 DHS Providing funding NSA Providing resources Applying the technology DISA Providing resources, Integrating into Host Based System Security (HBSS) and Enterprise Security Solutions OSD Incorporating into Computer Network Defense (CND) Data Strategy DOJ Incorporating into FISMA Cyber Security Assessment and Management (CSAM) tool Army Integrating Asset & Vulnerability Tracking Resource (AVTR) with DoD and SCAP content, Contributing patch dictionary DOS Incorporating into security posture by mapping SCAP to certification and accreditation process Stakeholder and Contributor Landscape: Federal Agencies

18 Stakeholder and Contributor Landscape: Industry FFRDC, Supporter and Maintainer of 4 standards Incorporating SCAP into their products Provides SCAP-Compliant tools Provides Nessus (widely government-used) tool becoming SCAP compliant Point solution provider Provides SCAP content Point solution provider Provides SCAP content Ai Metrix Provides a SCAP-Compliant tool

19 More Information Security Content Automation Protocol (SCAP) SCAP Beta Web Site / Repository Deployed on October 20 th Beta SCAP Files Available: Windows Vista Misconfigurations DISA/NSA/NIST, Microsoft, Air Force policies Windows XP Misconfigurations/Software flaws NIST FISMA and DISA policies (SP 800-68 / Gold Disk) Windows Server 2003 Misconfigurations/Software flaws Microsoft and NIST FISMA policies Red Hat Enterprise Linux Misconfigurations/Software flaws Microsoft Office 2007 Internet Explorer 7 Symantec AV Beta SCAP Files Coming Soon: Windows 2000 McAfee AV Lotus Notes Domino Server http://nvd.nist.gov/scap.cfm National Vulnerability Database (NVD)http://nvd.nist.gov National Checklist Programhttp://checklists.nist.gov

20 Upcoming Events 11 June 2007 Defense Network Centric Operations 2007 Mid-Late Summer Security Automation Workshop Vendor demonstrations Federal operations use cases

21 National Institute of Standards & Technology Information Technology Laboratory Computer Security Division Questions

22 Additional – Application of SCAP

23 XML Made Simple XCCDF - eXtensible Car Care Description Format OVAL – Open Vehicle Assessment Language 1997 Ford Contour Gas Cap = On <> Oil Level = Full <> Side of Car <> Turn <> Hood <> … <> Error Report Problem: Air Pressure Loss Diagnosis Accuracy: All Sensors Reporting Expected Cost: $25.00 Diagnosis: Replace Gas Cap

24 XML Made Simple XCCDF - eXtensible Checklist Configuration Description Format OVAL – Open Vulnerability Assessment Language NIST SP 800-68 04/22/06 1 2 Windows XP Password >= 8 <> FIPS Compliant <> … <> 8 … <> 1.0.12.4 Standardized Checklist Standardized Test Procedures Standardized Measurement and Reporting

25 Application to Automated Compliance The Connected Path Result 800-53 Security Control 800-68 Security Guidance ISAP Produced Security Guidance in XML Format COTS Tool Ingest API Call

26 Result AC-7 Unsuccessful Login Attempts AC-7: Account Lockout Duration AC-7: Account Lockout Threshold - HKEY_LOCAL_MACHINE Software\Microsoft\Windows AccountLockoutDuration - 5* lpHKey = “HKEY_LOCAL_MACHINE” Path = “Software\Microsoft\Windows\” Value = “5” sKey = “AccountLockoutDuration” Op = “>“ 800-53 Security Control DoD IA Control 800-68 Security Guidance DISA STIG/Checklist NSA Guide ISAP Produced Security Guidance in XML Format COTS Tool Ingest API Call RegQueryValue (lpHKey, path, value, sKey, Value, Op); If (Op == ‘>” ) if ((sKey < Value ) return (1); else return (0); Application to Automated Compliance The Connected Path

Download ppt "Standardizing and Automating Security Operations Presented by: National Institute of Standards and Technology."

Similar presentations

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.
FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009.

FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009.
BENEFITS OF SUCCESSFUL IT MODERNIZATION

BENEFITS OF SUCCESSFUL IT MODERNIZATION
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.

Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.

Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Paul Green –President and Founder of G2, Inc –We are trusted security advisors to the Federal Government and Fortune 500. –We are recognized as having.

Paul Green –President and Founder of G2, Inc –We are trusted security advisors to the Federal Government and Fortune 500. –We are recognized as having.
Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA www.gilligangroupinc.com March 10, 2009.

Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA March 10, 2009.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC Ed Bellis VP, CISO Orbitz Worldwide
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
NSA/DISA/NIST Security Content Automation Program Vulnerability Compliance & Measurement Stephen Quinn & Peter Mell Computer Security Division NIST.

NSA/DISA/NIST Security Content Automation Program Vulnerability Compliance & Measurement Stephen Quinn & Peter Mell Computer Security Division NIST.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Peter Mell and Stephen Quinn Computer Security Division NIST

Peter Mell and Stephen Quinn Computer Security Division NIST
1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev. 12-16-11)

1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev )
FDCC 1 August 2007 Update Matt Barrett National Institute of Standards and Technology.

FDCC 1 August 2007 Update Matt Barrett National Institute of Standards and Technology.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
Trusted Internet Connections. Background Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact.

Trusted Internet Connections. Background Pervasive and sustained cyber attacks against the United States continue to pose a potentially devastating impact.

Similar presentations

Ads by Google