Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan www.gilligangroupinc.com May, 2009.

Published byElijah Leonard Richardson Modified over 9 years ago

Similar presentations

Presentation on theme: "Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan www.gilligangroupinc.com May, 2009."— Presentation transcript:

1 Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan www.gilligangroupinc.com May, 2009

2 Problem Today’s state—CIOs of large enterprises cannot: See their IT assets—they don’t know what they have Tell which systems comply with policy Makes reporting, enforcement impossible Change configurations quickly in reaction to changing threats or vendor updates 2 IT organizations cannot effectively manage complex environments

3 Root Cause Today’s enterprise IT capabilities are: Complex Dynamic Vulnerable Fragmented in use of automated management 3 Processes and tools are immature

4 CIOs are concerned about enterprise IT management Cost of poorly managed IT is growing rapidly Cyber attacks are exploiting weak enterprise management – Weakest link becomes enterprise “Achilles Heel” – Cyber exploitation now a National Security issue High quality IT support requires effective enterprise management 4 SCAP enables effective enterprise IT management and security

5 Goal—Well-Managed Enterprise Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so Integrated and automated enterprise management tools increase operational effectiveness and security without increased cost 5

6 Solution Elements Governance Technology Discipline 6

7 Governance Define management and security policies and properties to be implemented in enterprise IT environments Accelerate evolution to a disciplined environment –Federal Desktop Core Configuration (FDCC)--Establishes initial configuration discipline –20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines—Counter most significant threats with measurable controls –NIST Special Publication 800-53 (Information Security; Recommended Security Controls for Federal Information Systems)—Establish comprehensive disciplined management and security policies and controls 7

8 Technology Use tools that are Security Content Automation Protocol (SCAP)-enabled Automate management of configuration, asset management, and security properties –Continuously assess, report, enforce endpoint compliance –React quickly to changing situations (e.g., vendor patches, new configurations, revised policy) Achieve cross-vendor integration, interoperability 8 SCAP enables tool integration and interoperability for disciplined enterprise IT management

9 Discipline Verify compliance with enterprise IT policies: Continuously verify effectiveness of controls by leveraging automation and trend metrics Also employ metrics for operational effectiveness and cost Use Auditors and Red Teams to independently validate discipline Ensure visible accountability for those who violate policies 9

10 Leveraging SCAP for Enterprise IT Management 10

11 Current SCAP Standards 11 CVE CVSS OVAL CCE CPE XCCDF Software vulnerability management Configuration management Compliance management Asset management SCAP supports foundational IT management functions

12 Specific SCAP Standards 12 CVE CVSS OVAL CCE CPE XCCDF Software vulnerability management Configuration management Compliance management Asset management Identifies vulnerabilities Scores vulnerability severity Criteria to check presence of vulnerabilities, configurations, assets Identifies configuration controls Language to express configuration guidance for both automatic and manual vetting Identifies packages and platforms SCAP enables enterprise-wide, cross-vendor interoperability and aggregation of data produced by separate tools

13 Mature Standards Illustrate Possibilities Common Vulnerabilities and Exposures (CVE): industry standard for identifying vulnerabilities –36,000+ vulnerabilities agreed upon over the last 10 years –245 products, 138 organizations, 25 countries Common Vulnerability Scoring System (CVSS): Payment Card Industry (PCI) uses to judge compliance of organizations that process card payments 13 Industry has adopted SCAP standards for individual needs

14 SCAP Gaining Momentum Federal Desktop Core Configuration (FDCC/SCAP) –Ken Heitkamp (ex-Deputy CIO AF): “FDCC with SCAP not only establishes standard configurations for hardware suppliers, it also addresses security for those that develop software” Open Vulnerability Assessment Language (OVAL) –McAfee: “The ability to…describe vulnerabilities on a system and exchange that information between tools is doing a great deal to improve [vendor] offerings” NIST issues SCAP content for FISMA compliance –Steve Quinn (NIST): “[SCAP is] an automated approach to help agencies make the jump from security policies and mandates to secure systems.” 14

15 Product Interoperability The Problem Different vendor products give different answers CIOs can’t integrate across vendors The Solution SCAP standard ‘OVAL’ introduced to enable integration Red Hat adopted OVAL; found it increased value of their advisories to customers Other vendors have followed (e.g., Symantec) 15 OVAL provides the “glue” for SCAP-compliant tools leading to interoperability

16 Enterprise IT Management Using SCAP DoD Computer Network Defense (CND) data sharing pilot demonstrating enterprise management using SCAP –SCAP shows which systems are vulnerable; enables rapid, prioritized response (e.g., rush patching); provides follow-up reporting –Tony Sager (NSA): “We do it all now with SCAP- compatible tools.” Organizations beginning to see SCAP benefits for other enterprise applications 16

17 Leadership is needed now 17 Shape technology to serve the public interest

18 Recommended Actions How Federal government can provide leadership: 1.Require SCAP-validated tools 2.Educate IT staff in how SCAP can be used for enterprise IT management 3.Deploy SCAP-validated tools; evolve to automated enterprise IT management 4.Share lessons learned with IT managers and vendors – More use cases—not just security – More transparent integration 18

19 SCAP can transform individual tools into integrated parts of an Enterprise IT Management Capability 19 Capabilities Tools SCAP

20 Enterprise IT Management Roadmap 20 Capability Cost

21 Contact Information 21 John M. Gilligan jgilligan@gilligangroupinc.com 703-503-3232 www.gilligangroupinc.com

22 Strategic Roadmap Controlled configuration for Windows Controlled configuration for major operating systems and applications Standardized application white and black listing Adaptive configurations based on threat Faster vulnerability impact/patch level assessment Standardized remediation, configuration control Today 2010 2011 OVAL adoption 2012 22 More secure, more automated Real-time management More secure, automated, real time

Download ppt "Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan www.gilligangroupinc.com May, 2009."

Similar presentations

Trusted Computing in Government Networks May 16, 2007 Richard C. (Dick) Schaeffer, Jr. Information Assurance Director National Security Agency.

Trusted Computing in Government Networks May 16, 2007 Richard C. (Dick) Schaeffer, Jr. Information Assurance Director National Security Agency.
Windows Server Deployment and Management With System Center.

Windows Server Deployment and Management With System Center.
Current impacts of cloud migration on broadband network operations and businesses David Sterling Partner, i 3 m 3 Solutions.

Current impacts of cloud migration on broadband network operations and businesses David Sterling Partner, i 3 m 3 Solutions.
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.

Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
Paul Green –President and Founder of G2, Inc –We are trusted security advisors to the Federal Government and Fortune 500. –We are recognized as having.

Paul Green –President and Founder of G2, Inc –We are trusted security advisors to the Federal Government and Fortune 500. –We are recognized as having.
Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA www.gilligangroupinc.com March 10, 2009.

Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA March 10, 2009.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Www.mobilevce.com © 2005 Mobile VCE Securing the Future: Device & Service Security Stephen Hope, FT R&D UK Ltd on behalf of Nigel Jefferies, Vodafone Chair.

© 2005 Mobile VCE Securing the Future: Device & Service Security Stephen Hope, FT R&D UK Ltd on behalf of Nigel Jefferies, Vodafone Chair.
Lumension: Because Hope is no Strategy Andreas Müller Regional Sales Manager D/A/CH.

Lumension: Because Hope is no Strategy Andreas Müller Regional Sales Manager D/A/CH.
Security Controls – What Works

Security Controls – What Works
NSA/DISA/NIST Security Content Automation Program Vulnerability Compliance & Measurement Stephen Quinn & Peter Mell Computer Security Division NIST.

NSA/DISA/NIST Security Content Automation Program Vulnerability Compliance & Measurement Stephen Quinn & Peter Mell Computer Security Division NIST.
Federal Student Aid Technical Architecture Initiatives Sandy England

Federal Student Aid Technical Architecture Initiatives Sandy England
1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev. 12-16-11)

1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev )
Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.

Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.
Boost your network security with NETASQ Vulnerability Manager.

Boost your network security with NETASQ Vulnerability Manager.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Solving the CIO’s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense John M. Gilligan www.gilligangroupinc.com National Summit on.

Solving the CIO’s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense John M. Gilligan National Summit on.
SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.

SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.
Information System Continuous Monitoring (ISCM)

Information System Continuous Monitoring (ISCM)
Demonstrating IT Relevance to Business Aligning IT and Business Goals with On Demand Automation Solutions Robert LeBlanc General Manager Tivoli Software.

Demonstrating IT Relevance to Business Aligning IT and Business Goals with On Demand Automation Solutions Robert LeBlanc General Manager Tivoli Software.

Similar presentations

Ads by Google