Upload
others
View
9
Download
0
Embed Size (px)
Citation preview
Supporting Secure S ft O tiSoftware Operations
Robert A. Martin
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Sean BarnumMay 2011
Report Documentation Page Form ApprovedOMB No. 0704-0188
Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.
1. REPORT DATE MAY 2011 2. REPORT TYPE
3. DATES COVERED 00-00-2011 to 00-00-2011
4. TITLE AND SUBTITLE Supporting Secure Software Operations
5a. CONTRACT NUMBER
5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
6. AUTHOR(S) 5d. PROJECT NUMBER
5e. TASK NUMBER
5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) MITRE Corporation,202 Burlington Road,Bedford,MA,01730-1420
8. PERFORMING ORGANIZATIONREPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)
11. SPONSOR/MONITOR’S REPORT NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited
13. SUPPLEMENTARY NOTES Presented at the 23rd Systems and Software Technology Conference (SSTC), 16-19 May 2011, Salt LakeCity, UT. Sponsored in part by the USAF. U.S. Government or Federal Rights License
14. ABSTRACT
15. SUBJECT TERMS
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as
Report (SAR)
18. NUMBEROF PAGES
32
19a. NAME OFRESPONSIBLE PERSON
a. REPORT unclassified
b. ABSTRACT unclassified
c. THIS PAGE unclassified
Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18
Agenda
8:00-8:45am Software Security Knowledge about Applications Weaknesses
9:00-9:45am Software Security Knowledge about Attack Patterns Against ApplicationsApplicationsTraining in Software Security
10:15-11:00am Software Security Practicey11:15-12:00am Supporting Capabilities
Assurance CasesSecure Development & Secure Operations
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Secure Software Operations■ Where secure development use cases required foundational
knowledge and ways to package it and understand it within a static context, Secure Software Operations requires situational
& i t t ti f f d ti l k l d ithiawareness & interpretation of foundational knowledge within a dynamic context
■ Considering that secure operations is a key element of overall software assurance we need ways to:software assurance we need ways to:– Bridge the secure development and secure operations domains– Improve the analysis, characterization, collection, discovery &
knowledge sharing of malwareknowledge sharing of malware– Combine elements of the ecosystem as practical applications to
support secure software operations■ This portion of the tutorial will focus on resources/efforts■ This portion of the tutorial will focus on resources/efforts
focused at addressing these three needs
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED3
Secure Software Operations
■Bridge the secure development and secure Cyber Observable eXpression
(C bOX)p
operations domains■ Improve the analysis,
characterization collection
(CybOX)
Malware Attribute Enumeration characterization, collection, discovery & knowledge sharing of malwareC bi l t f th
a a e bu e u e a o& Characterization (MAEC)
■Combine elements of the ecosystem as practical applications to support secure software operations
Security Content Automation Protocol (SCAP) and other
Automation Protocolssoftware operations
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED4
Bridge the secure development and secure operations domains
Cyber Observable eXpression (CybOX)
The topic and content covered in this presentation was published as an article in the Sep/Oct 2010 issue of CrossTalk: The Journal of Defense Software Engineering
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Sep/Oct 2010 issue of CrossTalk: The Journal of Defense Software Engineering
Attack Patterns Bridge Secure Development and Operationsand Operations
Attack Patterns
Secure Development Secure Operations
Attack Patterns
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Secure Operations Knowledge Offers Unique Value to Secure Development■ Using attack patterns makes it possible for the secure
development domain to leverage significant value from secure operations knowledge, enabling them to:
Unique Value to Secure Development
– Understand the real-world frequency and success of various types of attacks.
– Identify and prioritize relevant attack patterns.y p p– Identify and prioritize the most critical weaknesses to avoid.– Identify new patterns and variations of attack.
■ Attack patterns enable those in the secure operations
Secure Development Knowledge Offers Unique Value to Secure Operations■ Attack patterns enable those in the secure operations
domain to provide appropriate context to the massive amounts of data analyzed to help answer the foundational secure operations questions.
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
p q
So, this all sounds great but how do we map these high-level attack
tt b t ti t th lpattern abstractions to the low-level operational world?
Cyber ObservablesThe Secret Sauce for Bridging the Abstract to the Concrete
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Cyber Observables Overview■ The Cyber Observables construct is intended to capture
and characterize events or properties that are observable in the operational domain.
■ These observable events or properties can be used to adorn the appropriate portions of the attack patterns in order to tie the logical pattern constructs to real-world evidence of their occurrence or presence.
■ This construct has the potential for being the most important bridge between the two domains, as it enables th li t f th l l l t i fthe alignment of the low-level aggregate mapping of observables that occurs in the operations domain to the higher-level abstractions of attacker methodology, motivation, and capability that exist in the developmentmotivation, and capability that exist in the development domain.
■ By capturing them in a structured fashion, the intent is to enable future potential for detailed automatable mapping
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
enable future potential for detailed automatable mapping and analysis heuristics.
A Brief History of Cyber Observables
■ September 2009: Concept introduced to CAPEC in Version 1.4 as future envisioned adornment to the structured Attack E ti FlExecution Flow
■ June 2010: Broader relevance to MSM recognized leading to CAPEC, MAEC & CEE teams collaborating to define one common structure to serve the common needscommon structure to serve the common needs
■ August 2010: Discussed with US-CERT at GFIRST 2010■ December 2010: Cyber Observables schema draft v0.4
completed■ December 2010: Discussions with Mandiant for
collaboration and alignment between Cyber Observables d M di t O IOCand Mandiant OpenIOC
■ January 2011: Discussed & briefed with MITRE CSOC■ February 2011: Discussed & briefed with NIST – EMAP and
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
US-CERT who also have a need for this construct and had begun to work on parallel solutions
Simplified Overview of Current Schema
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
---------------------- ~ observables:Me:asure -
-------------------~ __ ?_~_:_~-~~~~~~~~-~-~-~~-~---:-
-;:~~i~~-~-~-~~~ ~~~~~~iii. :J
r obse,yable"MeasureTw-;---------------------------------------------
-r_ ~~~~~-~~~~-~-=-:~-=-~=-~-~~~ ~~~~~~ -_$
I" """"" """"""""" """"""" ~
- ~~~~==~':~~l_e_s..:_~::'?~ifl!i~~-~ lobse-;::b~:~nType-------------- -~
E)iilttributes
I I I I I
~- ~ -~~:::r.'-:~~l;:;.~~:t?.~~~~i~~~~ -~ I L __________ _
1 .. 00
L----------------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~;~b~~;~;bi;;:E~~~-~-Obf~;~~~~~ lM
- ~-~~~~;~~~~~~~~~~~~~~~~~~e-c~h~n~~~~~ ~
·-~=-a-1 observables:Observable $ ~ ..... -a 0 .. 00
MITRE
observables:Oescription +
1..oo observables:Observables +
Generated by XMLSpy wWN.altova.com
■ Detect malicious activity from attack patterns
Cyber Observable Broader Use Cases■ Detect malicious activity from attack patterns■ Empower & guide incident management■ Identify new attack patterns■ Prioritize existing attack patterns based on tactical reality
■ Potential ability to analyze data from all types of tools and y y ypall vendors
■ Improved sharing among all cyber observable stakeholders■ Ability to metatag cyber observables for implicit sharing■ Ability to metatag cyber observables for implicit sharing
controls■ Enable automated signature rule generation
Enable new levels of meta analysis on operational cyber■ Enable new levels of meta-analysis on operational cyber observables
■ Potential ability to automatically apply mitigations specified in attack patterns
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
in attack patterns■ Etc….
Improve the analysis characterizationImprove the analysis, characterization, collection, discovery & knowledge sharing of malwaresharing of malwareMalware Attribute Enumeration & Characterization (MAEC)& Characterization (MAEC)
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Malware Attribute Enumeration and Characterization (MAEC)
■ Language for sharing
Characterization (MAEC)
structured information about malware – Grammar (Schema)– Vocabulary
(Enumerations)– Collection Format (Bundle)
ThreatsDetection
■ Focus on attributes and behaviors
■ Enable correlation,
Vulnerabilities
ResponsePlatforms ,integration, and automation
pPlatforms
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDPage 14
MAEC Use Cases■ Operational
Tool
■ Analysis– Help Guide Analysis Process– Standardized Tool Output
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
– Standardized Tool Output– Malware Repositories
Page 15
Tool
MAEC Overview
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDPage 16
High-level
Mid-level
Low-level
Semantics
MITRE
Mechanisms • • • . . • • • •
Behaviors • • . . . •
Abstracted
Actions
e.g. Persistence
e.g. Malicious Binary Instantiation
•••••• e.g. Create File: xyz.dll •••••• •••
• •• ••••• .........
Implementation Models
Dynamic Malware Analysis MAEC
■ Demonstrate the ability to■ Demonstrate the ability to generate MAEC XML descriptions from dynamic analysis toolsanalysis tools
■ Developed proof-of-concept translators for:
CW Sandbox (Sunbelt)– CW Sandbox (Sunbelt)– ASAT (MITRE)– Anubis– ThreatExpert
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDPage 17
Test Case: CWSandbox Output -> MAEC
Raw CWSandbox Output
Python XSD
Bindings MAEC XML
MAEC
Bindings•MAEC Actions•MAEC Objects•MAEC Behaviors
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDPage 18
MAEC XSD
Collaboration
R l t d M ki S it M bl Eff t■ Related Making Security Measurable Efforts– There is significant overlap between MAEC, CAPEC, and CEE in
describing observed actions, objects, and states.A h ’ ki d l i h ti– As such, we’re working on developing a common schematic structure of observables for use in these efforts:
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDPage 19
MAEC Community: Discussion List
■ Request to join: http://maec.mitre.org/community/discussionlist.html
■ Archives available
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDPage 20
MAEC Community: MAEC Development Group on Handshake
■ MITRE hosts a social
Group on Handshake
■ MITRE hosts a social networking collaboration environment: https://handshake.mitre.org
■ Supplement to mailing list to facilitate collaborative schema development
■ Malware Ontologies SIG Subgroup
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDPage 21
Combine elements of the ecosystem asCombine elements of the ecosystem as practical applications to support secure software operationssoftware operationsSecurity Content Automation Protocol (SCAP) and other Automation Protocolsand other Automation Protocols
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Remembering the Acronyms• CPE (Platforms)What IT systems do I have in my enterprise?
• CVE (Vulnerabilities)What vulnerabilities do I need to worry about?
• CVSS (Scoring System)What vulnerabilities do I need to worry about • CVSS (Scoring System)yRIGHT NOW?
• CCE (Configurations)How can I configure my systems more securely?
• XCCDF (Configuration Checklists)How do I define a policy of secure fi ti ? XCCDF (Configuration Checklists)configurations?
• OVAL (Assessment Language)How can I be sure my systems conform to policy?
• OCIL (Interactive Language)How can I be sure the operation of my systems conforms to policy?conforms to policy?
• CWE (Weaknesses)What weaknesses in my software could be exploited?
• CAPEC (Attack Patterns)What attacks can exploit which weaknesses?
• CEE (Events)What should be logged, and how?
• ARF (Results)How can I aggregate assessment results?
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
• MAEC (Malware Attributes)How can we recognize malware?
Standardization Efforts leveraged by theSecurity Content Automation Protocol (SCAP)
• CPE (Platforms)What IT systems do I have in my enterprise?
• CVE (Vulnerabilities)What vulnerabilities do I need to worry about?
• CVSS (Scoring System)What vulnerabilities do I need to worry about • CVSS (Scoring System)yRIGHT NOW?
• CCE (Configurations)How can I configure my systems more securely?
• XCCDF (Configuration Checklists)How do I define a policy of secure fi ti ? XCCDF (Configuration Checklists)configurations?
• OVAL (Assessment Language)How can I be sure my systems conform to policy?
• OCIL (Interactive Language)How can I be sure the operation of my systems conforms to policy?conforms to policy?
• CWE (Weaknesses)What weaknesses in my software could be exploited?
• CAPEC (Attack Patterns)What attacks can exploit which weaknesses?
• CEE (Events)What should be logged, and how?
• ARF (Results)How can I aggregate assessment results?
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
• MAEC (Malware Attributes)How can we recognize malware?
SCAP – FDCC and USGCB
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
M-07-18
MEMORANDUM
FROM:
SUBJECI':
lbeOilice "Implemelll.l1ioo Sys!CmS," which and/or plans to cooillguratiOM by
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON. D.C. 20503
June 1, 2007
M-08-22
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE 0 ° \1ANA GE MENT AND BUDGET
W ASHING TON . 0 C 205-i}J
August I I. 2008
l\1.EMORANDUM FOR THE CHIEF INFORMAT ION OFFICERS
FROM: Karen s. Evan~:i."V.,LQ(Wv 1-J Admini~trator qltt E-Government and Information Technology
Su BJECT: Guidance on the Federal Desktop Core Configuration (FDCC)
In March 2007. OMB Memorandum M~7- l l announced the ''Implementation ofConunonly Accepled Security Configurations for Windows Operating Systems." directing agencies witll Windows XP " ' deployed and/or plan to u pgrade to the Vista " ' operating system to adopt tlle Federal Desktop Core Configuration (FDCC) security oonfiguratiOil< developed by tlle National Institute of Standards and Technology (NIST). tlle Department of Defense (DoD) aJld tlle Department of Homeland Security (DHS).
On June 20.2008, NIST published lhe updated Federal Desktop Core Configuration Major Version 1.0 senings release. Relative to the pre.,•ious version ofFOCC which was originally posted in July 2007. 40 settings have changed . Changes were derived from public conunent during the April and May 2008 public comment periods, aJ>alysis of the March 31 ,2008, Agency FDCC reports and subject matter expert.ise. FDCC Major Version 1.0 settings are a\•a.ilable at hnp://nvd.nist.gov/fdccldownload fdcc.cfm .
•'ederal Desktop Core Conll2urat1on Major Version I Jl
FDCC Major Version 1.0 is based on Microsoft Windows XP Service Pack (SP) 2 and Microsoft Windows Vista SP I. Although Security Content Automation Protocol (SCAP) Content has been engineered so that it will also operate 0 11 Windowi XP SP3. near-term \Vi11dows XP patch checking will be oriented toward Windows XP SP2. It is understood that many managed e.~vironments lhroughout lhe Federal government implement service packs shortly after their release. \\'bile ne.u-tenn Windows XP checking is based on Windows XP/SP2. we do not anticipate "''Y signifiCant measurement issues for Windows XP/SP3. KIST is currently working witlliT product vendors 10 develop additional SCAP Content based on lhe FDCC settings for olher platforms and appl ications.
To coincide with tbe release of fDCC Major Version 1.0. 11ew SCAP Conte.lt has also been made available. This SCAP Content is inclusive of the 40 FDCC settings changes. At !his time. lhe FDCC is comprised of settings located at http://fdcc.nisa.gov that CaJl be checked using the updated SCAP Content and SCAP-validated tools wilh FDCC Scanning capability as specified on the NIST website at http://n, ·d.nist .gov/scapproducts.cfm. Not all FDCC settings can be checked using autonu.ted scanning tools. NIST is coordinating the refinement of SCAP Content
NVDC>Ontai fW:
29632 eyE VL!In...-.bi!itin 150~
132~
2 150 U S CERT VYin Nqt§
31 7 1~
1)666 V uln« "'!le Prqdur!J
.._.. upcQot.d: 02/20/ 08 CVf:Publi~tion,..t•:
1 8 vulner.t>MOII!:I / d ..,.
ConfigurationGuidance
Knowledge Repositories SCAP-Based FDCC Guidance
Operations Security Management Processes
FDCC C li T lConfiguration
GuidanceAnalysis
FDCC Compliant Tools
Operational Enterprise Networks
E i IT
Enterprise IT Asset Management
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
CentralizedReporting
Enterprise ITChange Management
ConfigurationGuidance
Knowledge Repositories SCAP-Based FDCC Reporting
IRSDOE DHS WH
ARMY AIRNAVY DISA IC
IRS COMMERCEDOE DHS WH
FORCE
LABOR DOJEDUCATION HUD HHS
DOT TREASURYVA INTERIOR DOS
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDCentralized Reporting
VulnerabilityAlert
ConfigurationGuidance
AssetDefinition
Knowledge Repositories
ThreatAlert
IncidentReport
CPE/OVAL XCCDF/OVAL/CCE/CCSS
CVE/CWE/OVAL/CVSS/CWSS
CAIF/IDMEF/IODEF/CVE/CWE/OVAL/CPE/MAEC/CCSS/CWSS/
CVE/CWE/CVSS/CPE/CWSS/CCE/CCSS CVSS/CWSS OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARFCPE/CWSS/CAPEC/MAEC
AssetInventory
ConfigurationGuidanceAnalysis
VulnerabilityAnalysis
ThreatAnalysis
IntrusionDetection
IncidentManagement
CCE/CCSS/OVAL/ARF/
CVE/CWE/CVSS/ARF/
CVE/CWE/CVSS/ARF/CCE/CCSS/
CVE/CWE/CVSS/ARF/.CCE/OVAL/CCSS
CPE/OVAL/
OVAL/XCCDF/CCE/CCSS/CPE/ARF SCAP
Assessment
System &Software
AssuranceGuidance/
Operations Security Management Processes
OVAL/ARF/XCCDF/CPE
CCE/CCSS/ARF/CWSS/OVAL/CPE/XCCDF
CCE/CCSS/OVAL/CWSS/XCCDF/CPE/CAPEC/MAEC
/XCCDF/CPE/CAPEC/CWSS/MAEC/CEE
ARFCPE/ARF SCAP
Assessment of System
Development,Integration, &Sustainment
Activitiesand
Certification &
Requirements
CWE/CAPEC/SBVR/CWSS/MAEC
Operational Enterprise Networks
Certification &Accreditation
CWE/CAPEC/CWSS/MAEC/OVAL/OCIL/XCCDF/CCE/CPE/ARF/SAFES/SACM
CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/CPE/CAPEC/MAEC/CWSS/CEE/ARF
CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/CPE/CAPEC/MAEC/CWSS/CEE/ARF
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Centralized ReportingEnterprise ITChange Management
Development & SustainmentSecurity ManagementProcesses Enterprise IT Asset Management
TrustManagement
IdentityManagement
Other Automation Protocols Can Capture the Government Use Cases…■ Enterprise System Information Protocol (ESIP)
– For reporting of asset inventory information. Common Platform Enumeration (CPE), etc.
■ Threat Analysis Automation Protocol (TAAP)– For reporting and sharing structured threat information. Malware
Attribute Enumeration & Characterization (MAEC), Common Attack Pattern Enumeration & Classification (CAPEC), Common Platform Enumeration (CPE), Common Weakness Enumeration (CWE), Open Vulnerability and Assessment Language (OVAL), Common Configuration Enumeration (CCE), and Common Vulnerabilities and g ( ),Exposures (CVE).
■ Event Management Automation Protocol (EMAP)– For reporting of security events. Common Event Expression (CEE),For reporting of security events. Common Event Expression (CEE),
Malware Attribute Enumeration & Characterization (MAEC), and Common Attack Pattern Enumeration & Classification (CAPEC).
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Other Automation Protocols Can Capture the Government Use Cases…(concluded)
■ Incident Tracking and Assessment Protocol (ITAP)– For tracking, reporting, managing and sharing incident information. Open
Vulnerability and Assessment Language (OVAL), Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS), Malware Attribute Enumeration & Characterization (MAEC), Common Attack Pattern Enumeration & Classification (CAPEC), Common Weakness Enumeration (CWE), Common Event Expression (CEE), Incident Object Description Exchange Format (IODEF), National Information Exchange Model (NIEM), and Cybersecurity Information Exchange Format (CYBEX).
■ Enterprise Remediation Automation Protocol (ERAP)■ Enterprise Remediation Automation Protocol (ERAP)– For automated remediation of mis-configuration & missing patches. Common
Remediation Enumeration (CRE), Extended Remediation Information (ERI), Open Vulnerability and Assessment Language (OVAL), Common Platform p y g g ( )Enumeration (CPE), and Common Configuration Enumeration (CCE).
■ Enterprise Compliance Automation Protocol (ECAP)– For reporting configuration compliance. Asset Reporting Format (ARF), Open
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
p g g p p g ( ), pChecklist Reporting Language (OCRL), etc.
VulnerabilityAlert
ConfigurationGuidance
AssetDefinition
Knowledge Repositories
ThreatAlert
IncidentReport
CPE/OVAL XCCDF/OVAL/CCE/CCSS
CVE/CWE/OVAL/CVSS/CWSS
CAIF/IDMEF/IODEF/CVE/CWE/OVAL/CPE/MAEC/CCSS/CWSS/
CVE/CWE/CVSS/CPE/CWSS/CCE/CCSS CVSS/CWSS OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARFCPE/CWSS/CAPEC/MAEC
AssetInventory
ConfigurationGuidanceAnalysis
VulnerabilityAnalysis
ThreatAnalysis
IntrusionDetection
IncidentManagement
CCE/CCSS/OVAL/ARF/
CVE/CWE/CVSS/ARF/
CVE/CWE/CVSS/ARF/CCE/CCSS/
CVE/CWE/CVSS/ARF/.CCE/OVAL/CCSS
CPE/OVAL/
OVAL/XCCDF/CCE/CCSS/CPE/ARF SCAP EMAPESIP ITAPTAAP
Assessment
System &Software
AssuranceGuidance/
Operations Security Management Processes
OVAL/ARF/XCCDF/CPE
CCE/CCSS/ARF/CWSS/OVAL/CPE/XCCDF
CCE/CCSS/OVAL/CWSS/XCCDF/CPE/CAPEC/MAEC
/XCCDF/CPE/CAPEC/CWSS/MAEC/CEE
ARFCPE/ARF SCAP EMAPESIP ITAPTAAP
Assessment of System
Development,Integration, &Sustainment
Activitiesand
Certification &
Requirements
CWE/CAPEC/SBVR/CWSS/MAEC
Operational Enterprise Networks
Certification &Accreditation
CWE/CAPEC/CWSS/MAEC/OVAL/OCIL/XCCDF/CCE/CPE/ARF/SAFES/SACM
SwAAPCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/CPE/CAPEC/MAEC/CWSS/CEE/ARF
CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/CPE/CAPEC/MAEC/CWSS/CEE/ARF
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
Centralized ReportingEnterprise ITChange Management
Development & SustainmentSecurity ManagementProcesses Enterprise IT Asset Management
TrustManagement
IdentityManagement
ERAP ECAP
[makingsecuritymeasurable.mitre.org]
© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED
... MITRE. In oolabora!Jon with II"W"'menl. induslty, and academocsta<&f1olclon.ll lm!>n>v"'l tho meuun~bll)y a(
HCUnly through onumeraUng ba ..... MCUrity data. p!OY!d.ng standardized r.nuuiiU .. u means far acx:untloly IXlftV11Unaling tha onfomlatDn, and onccunoglng tho shomg a( tho or4onnallan w;th UIOrl by dowlopng repoa1tot1U
Tho-~and inruab'IGII listed here llava ,.,.., """""pta or ccmpolble approacheS to MITRE's Together al cl thoaa lllo<1a ore helpong lo m ... MQJnly moro meosu'llble by defining tho conoopbs thai nood to be moasu-ed. p!OY!dong lor higl1 fodohly axnmuruc:atDna abo.A tho ~MBSUromenls, and p!OY!d.ng "" sharing altho mNSUr&tMrlta and the delinlionl cl w'lallo .,.. ....
Making Security Measurable
http:/ /msm.mltre.org/
.. ,..... •.curttr ~*taN ... ma'*'-n tD thl foftowi"Q ......
· ~t:tu:yMen:~gllf"ee't • AssatSea.loty~e!'t
Common Wnerablhbel and Expoluret. tcvall) • ootr.tren
~yM:MntifMJ
C ~JE Common Weakneu Enumetr.lon ICWE"') • bsl ol ~'\ire :J' ............ typOS
CAPEC C<>rnmonAIIad<PenomE"""'...-anoCiefll1leal""'fCAPEC'• > • ~ ol OClf'M"'Cln anack pallema
:•:C Common ~Enumera!Jon fCPE""l- common ptattorm -llfotn
Cont«lo< '"""'"" Securl!y ICIS! Con!enou! Secu<''Y MeltiCO DeftnUJono ·set ol stardard rrecncs and data dehnlbons 11'\81 can be UWd aaoss organtZIIUOfW to collea and W\llyze data on seo.rity process pertcrrr.ance and outc:cmes
Tvr.'!nly MOIIItre!O!tlnt Conttoll and Met<'lct lOr Ett~ C't!MN' Oelenee n1 Ccnli'IUoUSFISMACompUnce • t\loentykey ICIIonsorsecur.ty '"cOflltt'b" ftal otgltiza!IJns muat taU to bfoc:k 01 mitigate knOwn and taa~ expected ottacl<s
SANS Too Twenty· SANS/fBI consensus hi of lh8 Twenly ~ <:nticllllnlamel Securiry ~lklies lhtt uses CVE-10510 ~ty lhe ISSues
M ,EC Mhn A.'1rblte Erunlraton anc1 Charlcwtzauon CMAEC r.l • --- JtandatdiNd language kw atlribule--DUed malWate Chltacten2alon
8encf'ltr.attc~-resourceskw aeabng ~~ &1t'UCIUtlCI. and eutomatat»t secumy gudance
OVAllnterpt!tflr- tree 10e11 tor COilecbng Information rcr teltf'IQ. ~out OVAL DeMiionl and ptesent.ng tHUits ot lhe tHis
Brd'lrr.-tt Edtcw"" - tree toolllal Erilanon MCS ~· cnta)Cn and eckbng or bBnchmitf1t docUments wrllen 10 XCCOf an;J OVAL
ftecon!tr.endatfon lr8CkefN • f.tee IOQI thlf faclilates lhe develoc:w'r.entol autornl., ...,., ... -Ex-Cot!ftgur!!!o? ~~~ Oe!crc!C""' F<otmM IXCCOfl · spooJicotJan language tcrun.tomo e_...,ol 58<Utty ctoedllsts. bef'clvM!I<s anoconfig..atJon~
CMn ChedchstlnranM:tNe l.nlu80! IOCILl • 51an0afdlzed LaroJage for expr~t~slng ana evauatng non-aJtcmatec:J seaxt1y c::tl8dt5
C9mr!>n V....,_;y Sa!t!ng Sy!:!m ICVSSl • _......,.,. flat<lOIWO)'I """'"'"""'..-tyondhllpS<Io<t•mno...-gencyanoprlotltyolreoponoe
Pok:y Languaoe lor Assellfrlent Rewtts Repot!nq fPlAAAl -18ngu8Qt tor r~ IT asset tssesttr«''l r85l.ltJ rrom 10011. dal8basH. and octer products
Aues.sment Rnultl FOI'I"Nt fAAft · open language IIOr uc:hlnglng p8f-Oe\ltoe assessment rewtts data between essessrreol tools. nset 4a:abases.. end Olhef ptOdJCU NIIT'8fl8Q6 asset nkltma1lon
AJ5es.5menl Sumrr!l'f Results tASRl -lenguage fof ·~ tf.mmartled &SStitmenl ftiUitl data
(J..IXL (JI/IoJ..fleoool!o!y·""""""''~(JI/IoJ..\IIAnentblhl)'. •t#••••••r Complinoe. lnvencory, and Palef'l Oeftnttionl
Natsonll \Unetabd"Y Database (NVQ) • u.s. >Mnetabil!y ~se tlese<l on eve II"'M integrates al ~kfy evaubte vulnerlbtl!ty resources and ref«ences
NIST Seouri!'t Contant~ l'!p!oool !SCAPI · secuntyconlenllor llkJIOml~ I8Chnlcal ccntrot COI"''¥llance actM!Iet., ..unerabllty d'ledang, and _ .............. Red Hat ReooatO!')' • OVAL Patc:n Dtinuons mtresponcbng to Red Hat Etra!a sewrlty advoK~MS
Nationol er-1101 P!o(nm Ropo!i!O!'I • U.S. _.,...,.,. reposllotyot ptdcly IValabfe MOJnty c::l'ledcbts."bMc:hnaaks
CeMif lot lntemec Sec:ur ty {CIS! Bendmatks-be~pntCIICe secuity conllguraoono ac:cepted tor""""*""" wort FISMA, Ole ISO Slall<lanl, CLB, SOot. HIPM, Wid FIRPA. end Olhlt regulatory Nql.llf8r'IW!tllot 1'\kltmiiltian 18CUI'ity
OISA ~ Tadvlicol lrrp!eme!!a!!on GU<!et ISTICSI· U,S. Delonoe lnfcrno81Jcn SyatemaAgenc¥1 (OISA) STICS era cxonl~ """""'"'tor 000 Wonnalion assurance and llriotma'Jon assur~tie<l d~ and syr.:lems.
Common FratflewotU tot Vtlnlf'lbii•N D-tdoture and Resoottt! fCVRFl • stat'ldaR:I
lonnat to< "'f'OM9 end """"1111 "'"""""""Y -....tJon '""""9 """''*' 0tg8110:allons
F-.. Des-<10!! Ccro Cot!'g!.!!t!on IFOCCl · OMB.,._aewtiy conllgurao.cn to< Mlctooolt 1._.111<1a 11110 XPopentllt'q i)"tem-
....,.0<1 States ()o.ootmo""'Con!!c!..n!t.M BM..,. I!JSCCBl · 58<Uttyc:on!guta!lon
.......... "" ll - de!>b)'ed """"' teoeral _..,...
Vlow Uho current collection of org~~nlutlono, octlvltln, and lnltl.Uveo.
Tm YltDSIIIIIa "IOIUdb"J'T>-e Uf .. R( Ccrpc:nJ!ton Cl 2010~ YlR[ ~ CY( ard()/AL .. ,......_, ~ .-.:1 b MaJtn; Soa.r~Me_,.,~ 1cJVCt. <X:£.CW(. CP£. CAP'£C, CU MAEC ~ Ealor Mel Ailaomf"Widllbc:lr> l'ldter 81W ~of~ JliTR£ ~. AIJotrw\fKIIRIWb ... tne~oflf'ler~WCMTW'II Ccwaclia; ~~MintO!ll
P. L..- Upct.lllod: Seplaorller 02. 2010