Developing a Continuous Monitoring Action Plan

An InformationWeek Government Webcast Sponsored by

DESCRIPTION

At the direction of OMB and NIST, security and IT pros in federal government must develop plans to implement "continuous monitoring," the practice of using IT security controls to constantly monitor and manage the security status of their information systems and networks. The transition from static security to continuous monitoring requires a new approach to IT security, and IT teams must devise a strategy and roadmap to be successful. In this editorial Webcast, cybersecurity experts discuss the tools and processes involved in moving from a traditional security environment to one designed around continuous monitoring. This Webcast will help government IT pros:

• Understand the objectives of continuous monitoring, such as reduced threat exposure through real-time risk assessment and response.
• Identify the steps involved, including determining the security impact of changes to IT systems and producing assessment reports.
• Assess system requirements in areas such as malware detection and event and incident management.
• Determine the need for upgrades and investment in new technologies.


Page 1: Developing a Continuous Monitoring Action Plan

Developing a Continuous Monitoring Action Plan

An InformationWeek Government Webcast Sponsored by

Page 2: Developing a Continuous Monitoring Action Plan

Webcast Logistics

Page 3: Developing a Continuous Monitoring Action Plan

Welcome!

John Foley

Editor

InformationWeek Government

Page 4: Developing a Continuous Monitoring Action Plan

Today’s Presenters

John Streufert
Deputy Chief Information Officer, Information Assurance
United States Department of State

Steve Johnston, CISSP, ITIL
Lead Federal Systems Engineer
Tripwire, Inc.

Page 5: Developing a Continuous Monitoring Action Plan

What Is Continuous Monitoring?

“Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

>>NIST SP 800-137

Page 6: Developing a Continuous Monitoring Action Plan

Building It Into The IT Budget

“What makes us more secure is real-time security monitoring--continuous monitoring--and acting on data. That's why agencies are directed as part of the FY 2012 budgeting process to make sure that their budget reflects presidential priority in terms of investing in tools, not in paperwork reports.”

>>Federal CIO Vivek Kundra, June 2010

Page 7: Developing a Continuous Monitoring Action Plan

Continuous Monitoring Domains (NIST)

Page 8: Developing a Continuous Monitoring Action Plan

CIA Invests In RedSeal Systems

"Continuous monitoring technologies will enable the U.S. intelligence community to effectively operate the complex, dynamic network defenses that protect critical information and systems.”

>>William Strecker, CTO, In-Q-Tel

Page 9: Developing a Continuous Monitoring Action Plan

FISMA 2.0: A Continuous Monitoring Case Study

John Streufert ([email protected])
Deputy Chief Information Officer for Information Security, US Department of State

February 14, 2011

Page 10: Developing a Continuous Monitoring Action Plan

Nature of Attacks

80% of attacks leverage known vulnerabilities and configuration management setting weaknesses

Page 11: Developing a Continuous Monitoring Action Plan

Threats Increasing

Tickets by year:

Year   Tickets
2008   2,104
2009   3,085
2010   7,998

[Pie charts: ticket breakdown by type for 2008 and 2010. Categories: Malicious Code, Unauthorized Access, Denial of Service, Improper Use, Scans/Probes/Attempted Access, Investigation. The slice percentages (labels include 51%, 39%, 9%, 5%, 2%, 1% and 84%) cannot be reliably mapped to categories from this extraction.]

Page 12: Developing a Continuous Monitoring Action Plan

Case Study:
1) Scan every 36-72 hours
2) Find & Fix Top Issues Daily
3) Personal results graded
4) Hold managers responsible

Page 13: Developing a Continuous Monitoring Action Plan

How: 1. Narrow Aim

CAG ID / Consensus Audit Guideline / NIST 800-53 controls / US-CERT report [11 months before Feb 09]

1  Inventory of authorized and unauthorized hardware
   NIST 800-53: CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9
   US-CERT report: +6%

2  Inventory of authorized and unauthorized software
   NIST 800-53: CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7
   US-CERT report: +22%

5  Boundary Defense
   NIST 800-53: AC-17, RA-5, SC-7, SI-4
   US-CERT report: +7%

9  Controlled access based on need to know
   NIST 800-53: AC-1, AC-2, AC-3, AC-6, AC-13
   US-CERT report: 1%

12 Anti-malware defenses
   NIST 800-53: AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, CM-5, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8
   US-CERT report: +60%

Page 14: Developing a Continuous Monitoring Action Plan

2. Bad Things by Numbers: Littering vs. Chemical Dumping

L.A. hotel pays a $200,000 fine because an employee dumps pool chemicals into a drain; fumes fill a subway station and several people become ill (March 23, 2010)

Page 15: Developing a Continuous Monitoring Action Plan

Cube and Divide by 100

Page 16: Developing a Continuous Monitoring Action Plan

3. Calculate Grades A+ to F-

Page 17: Developing a Continuous Monitoring Action Plan

4. Focus on Worst First
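The four steps above (score each finding by cubing and dividing by 100, grade from A+ to F-, then fix the worst first) together with the flat 40-point charge the deck describes later for a critical patch, as an added Python example. This is not code from the deck or from the State Department's system. It assumes the value being cubed is the CVSS base score (the slides say only "cube and divide by 100", and elsewhere that 10 points equals one major vulnerability per machine, which is exactly what CVSS 10 yields); the grade ladder, the points-per-grade-step width, the host names and the vulnerability identifiers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Vulnerability:
    vuln_id: str                               # constructed placeholder identifier
    cvss: float                                # CVSS base score, 0.0 to 10.0 (assumed input)
    escalated_points: Optional[float] = None   # flat charge override, e.g. 40 points


@dataclass
class Host:
    name: str
    site: str
    vulns: List[Vulnerability] = field(default_factory=list)


def vuln_points(v: Vulnerability) -> float:
    """Step 2, 'cube and divide by 100': CVSS 10 -> 10 points, CVSS 5 -> 1.25 points.
    An escalated charge replaces the computed value (the deck's 'call a problem 40x worse')."""
    if v.escalated_points is not None:
        return v.escalated_points
    return v.cvss ** 3 / 100.0


def host_points(host: Host) -> float:
    return sum(vuln_points(v) for v in host.vulns)


# Constructed grade ladder: every POINTS_PER_STEP points of average risk per host
# drops one grade step, from A+ down to F-. The deck gives no thresholds.
GRADE_LADDER = ["A+", "A", "A-", "B+", "B", "B-", "C+", "C",
                "C-", "D+", "D", "D-", "F", "F-"]
POINTS_PER_STEP = 2.0


def grade(avg_points_per_host: float) -> str:
    """Step 3: letter grade from average risk points per machine."""
    step = int(avg_points_per_host // POINTS_PER_STEP)
    return GRADE_LADDER[min(step, len(GRADE_LADDER) - 1)]


def site_report(hosts: List[Host]) -> Dict[str, Tuple[float, str]]:
    """Average points per host and grade for each site, so a site is not
    penalised merely for having more machines."""
    by_site: Dict[str, List[float]] = {}
    for h in hosts:
        by_site.setdefault(h.site, []).append(host_points(h))
    return {site: (sum(p) / len(p), grade(sum(p) / len(p)))
            for site, p in by_site.items()}


def worst_first(hosts: List[Host]) -> List[Tuple[str, float]]:
    """Step 4: order hosts so the highest-risk machines are fixed first."""
    return sorted(((h.name, host_points(h)) for h in hosts),
                  key=lambda item: item[1], reverse=True)


# Constructed sample fleet (names and identifiers are placeholders).
SAMPLE_HOSTS = [
    Host("ws-01", "domestic", [Vulnerability("VULN-A", 10.0),
                               Vulnerability("VULN-B", 5.0)]),
    Host("ws-02", "domestic", [Vulnerability("VULN-C", 4.0)]),
    Host("srv-01", "foreign", [Vulnerability("VULN-D", 7.5),
                               # missing critical patch, charged a flat 40 points
                               Vulnerability("PATCH-X", 9.3, escalated_points=40.0)]),
    Host("srv-02", "foreign", []),
]


if __name__ == "__main__":
    for site, (avg, letter) in site_report(SAMPLE_HOSTS).items():
        print(f"{site:10s} avg {avg:7.3f} points/host  grade {letter}")
    print("worst first:", worst_first(SAMPLE_HOSTS))
```

Cubing makes a single CVSS 10 finding worth 64 times a CVSS 2.5 finding, which is why the grade is driven by the few worst items rather than by counts of trivia; the escalated charge shows how one policy decision (a 40-point patch) can move a whole site from the A range into the D range and to the top of the worst-first list.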

Page 18: Developing a Continuous Monitoring Action Plan

Results: First 12 Months

[Chart: risk score for Personal Computers and Servers from 6/1/2008 to 8/25/2009 (y-axis 0 to 1,200), Domestic Sites vs. Foreign Sites, showing an 89% reduction for one series and a 90% reduction for the other.]

Page 19: Developing a Continuous Monitoring Action Plan

Risk Scoring in 2nd Year

Page 20: Developing a Continuous Monitoring Action Plan

Operation Aurora Attack

[Chart: MS10-018 patch coverage, percentage of applicable hosts reporting and patched, by date from 2 Apr to 16 Apr 2010 (y-axis 0% to 100%).]

Risk scoring moves State Dept from 20 - 85% patched in six (6) days: April 3 – 9, 2010

Call a Problem 40x Worse

Page 21: Developing a Continuous Monitoring Action Plan

[Chart: MS10-042 – August 2010, percent of applicable devices patched by date (y-axis 0% to 100%). Series: Expected Value (based on all reporting machines); Lower Bound (assumes all non-reporting machines are non-compliant).]

Efficiency is Repeatable & Sustained

When charging 40 points: 0 - 84% in seven (7) days; 0 - 93% in 30 days

Page 22: Developing a Continuous Monitoring Action Plan

[Chart residue: the values 13, 25, 36, 60, 93 and 133 survive, but their labels and axes are not recoverable from this extraction.]

Page 23: Developing a Continuous Monitoring Action Plan

1/3 of Remaining Risk Removed

[Chart: risk points for Domestic and Foreign sites, plotted from 7/15/2009 to 7/14/2010 at two-week intervals (y-axis 0 to 200). Year 2: PC’s/Servers.]

Page 24: Developing a Continuous Monitoring Action Plan

[Chart: risk points over time from 4/1/2010 to 10/1/2010 (y-axis 0 to 200) for Domestic and Overseas sites, each with a polynomial trend line. Y-axis: Risk Points, where 10 Points = 1 major Vulnerability per machine. Year 2: PC’s/Servers.]

Page 25: Developing a Continuous Monitoring Action Plan

Benefit of Continuous Attention

[Chart: risk points over time from 5/17/2009 to 8/10/2010 (y-axis 0 to 900). Series: Steady or Decreases; Increases; Projected; Polynomial (Projected). Y-axis: Risk Points, where 10 points = 1 major vulnerability. Annotations: "If corrective action stopped, how quickly would risk accumulate?"; "More Risk Measured"; "Risk Problems Fixed".]

Page 26: Developing a Continuous Monitoring Action Plan

Lessons Learned

• When continuous monitoring augments snapshots required by FISMA:
  – Mobilizing to lower risk is feasible & fast (11 mo)
  – Changes in 24 time zones with no direct contact
  – Cost: 15 FTE above technical management base
• This approach leverages the wider workforce
• Security culture gains are grounded in fairness, commitment and personal accountability for improvement

Page 27: Developing a Continuous Monitoring Action Plan

Next Steps

Page 28: Developing a Continuous Monitoring Action Plan

A 20-year-old commercial said:

“The quality goes in, before the name goes on”

Page 29: Developing a Continuous Monitoring Action Plan


Should we position our best solutions before or after accidents?

Cofferdam unit departing Wild West in Port Fourchon on the Chouest 280 workship named Joe Griffin 05 May 2010 -- Photo from BP.com

Page 30: Developing a Continuous Monitoring Action Plan

RISK


Threat

Vulnerabilities

Impact

Page 31: Developing a Continuous Monitoring Action Plan

Continuous C&A Pilots

Priority sequence: quick wins vs. long term:

a. Inventory of Authorized Assets (CAG 1/2)
b. Configuration and Vulnerability Monitoring (CAG 3/4/10/12/13)
c. SCAP Content (automated & non-automated testing)
d. Boundary Defense (CAG 5/14)
e. Situational Awareness and Threat Analysis
f. Applications (CAG 7)
g. Access Controls (CAG 6/8/9/11)
h. Data Loss Protection (CAG 15)

Page 32: Developing a Continuous Monitoring Action Plan


Page 33: Developing a Continuous Monitoring Action Plan

Conclusions

• Risk Scoring and Continuous Monitoring are scalable to large, complex public and private sector organizations
• Higher ROI for continuous monitoring of technical controls as a substitute for paper reports
• Summarized risk estimates could be fed to enterprise-level reporting

Page 34: Developing a Continuous Monitoring Action Plan

Continuous Monitoring: Best Practices

Steve Johnston, CISSP, ITIL, Lead Federal Systems Engineer
Tripwire, Inc.

Page 35: Developing a Continuous Monitoring Action Plan

Spirit of Continuous Monitoring

• Enables dynamic security to respond to evolving threats
• Provides details of your information systems
• Make risk-based decisions
• Take control and remain in control of your infrastructure
• Provides continuous input to the C&A process
• Moves the focus back to security

Page 36: Developing a Continuous Monitoring Action Plan

1 Categorize Assets
2 Determine Risk Threshold
3 Establish Monitoring Frequency
4 Provide Detailed Reporting

Page 37: Developing a Continuous Monitoring Action Plan

IT SECURITY & COMPLIANCE AUTOMATION

Categorize Assets

Categorize logically and by criticality
• Is it a critical asset?
• Is it a medical system?
• High, moderate or low severity?
• What kind of missions and programs do they support?

Benefits to Categorization
• Easier to make risk-based decisions
• Homepage and Reporting views
• Risks are easier to determine knowing the mission the asset supports

Page 38: Developing a Continuous Monitoring Action Plan

Determine Risk Threshold

Intelligent information to make risk-based decisions: configuration data and log data, correlated together.

Set appropriate thresholds to policies and weights to control checks.

Example of Policy Thresholds:
• < 50%: Not operational
• < 75%: System should go through preplanning
• < 90%: Operational

Test and control weights need to be set; weights affect the risk scoring. Example:
• HIGH – Administrator set blank password
• LOW – Users are part of a remote desktop group
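The weighted control checks and policy thresholds on this slide, as an added Python example that is neither Tripwire's code nor the deck's own. Compliance is computed as the share of total check weight that passes, and the status bands follow the slide's thresholds read as upper bounds (below 50%, below 75%, below 90%); the slide does not state what applies at 90% and above, so the example assumes the top band simply continues. The numeric weights (HIGH=10, MEDIUM=5, LOW=1), the check names and their pass/fail results are constructed. Going one step beyond the slide, it also shows how reweighting a single check moves the same system across a threshold, which is why the weights deserve as much care as the thresholds.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

# Constructed numeric weights for the severity labels used on the slide.
WEIGHTS = {"HIGH": 10.0, "MEDIUM": 5.0, "LOW": 1.0}

# Policy thresholds from the slide, read as upper bounds. TOP_BAND is an
# assumption: the slide lists nothing at or above 90%, so the last band is kept.
THRESHOLDS = [
    (50.0, "Not operational"),
    (75.0, "System should go through preplanning"),
    (90.0, "Operational"),
]
TOP_BAND = "Operational"


@dataclass(frozen=True)
class Check:
    name: str
    severity: str   # key into WEIGHTS
    passed: bool


def compliance_pct(checks: List[Check]) -> float:
    """Weighted compliance: share of total check weight that passes (0-100)."""
    total = sum(WEIGHTS[c.severity] for c in checks)
    if total == 0:
        raise ValueError("no weighted checks to score")
    passed = sum(WEIGHTS[c.severity] for c in checks if c.passed)
    return 100.0 * passed / total


def operational_status(pct: float) -> str:
    """Map a compliance percentage onto the slide's policy bands."""
    for upper, status in THRESHOLDS:
        if pct < upper:
            return status
    return TOP_BAND


def assess(checks: List[Check]) -> Tuple[float, str]:
    pct = compliance_pct(checks)
    return pct, operational_status(pct)


def reweight(checks: List[Check], name: str, severity: str) -> List[Check]:
    """Return a copy of the check list with one check's severity changed."""
    return [replace(c, severity=severity) if c.name == name else c for c in checks]


# Constructed sample results for one system; the two failing checks are the
# slide's own examples of a HIGH and a LOW weighted control.
SAMPLE_CHECKS = [
    Check("Administrator account has blank password", "HIGH", passed=False),
    Check("Users are members of the Remote Desktop Users group", "LOW", passed=False),
    Check("Security audit logging enabled", "HIGH", passed=True),
    Check("Host firewall enabled", "HIGH", passed=True),
    Check("Screen saver lock enforced", "LOW", passed=True),
]


if __name__ == "__main__":
    pct, status = assess(SAMPLE_CHECKS)
    print(f"as weighted:           {pct:5.1f}%  -> {status}")
    # Demoting the blank-password check to LOW masks the most serious finding.
    pct2, status2 = assess(reweight(SAMPLE_CHECKS,
                                    "Administrator account has blank password", "LOW"))
    print(f"blank password as LOW: {pct2:5.1f}%  -> {status2}")
```

With the slide's weighting the system scores 65.6% and lands in the preplanning band; with the blank-password check demoted to LOW the identical findings score 91.3% and the system reads as operational. A review of the weights is therefore part of reviewing the threshold policy, not separate from it.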

Page 39: Developing a Continuous Monitoring Action Plan

Determine Monitoring Frequency

Determine frequency by function and risk associated with each system and security control:
• System level frequency
• Security Control level frequency
• Application level frequency

Page 40: Developing a Continuous Monitoring Action Plan

Example Continuous Monitoring Frequency

Frequency / Device or Control

Near Real-Time: Mission critical controls; External facing devices; Events from critical systems; DB stored procedures; Mission X Systems
Periodic: Hypervisor controls; Internal network devices; Directory Services; DB Schema; etc.
Daily / Weekly: Full systems; Application data controls; New installs, patches, hot fixes; Event and Log Review

Page 41: Developing a Continuous Monitoring Action Plan

Provide Detailed Reports

Respond and provide feedback to the Authorizing Official or representative: Incident Response, Security Alerts, Certification & Accreditation.

Use the intelligent data feeds to make accurate risk-based decisions.

Page 42: Developing a Continuous Monitoring Action Plan

Example Feedback to the Authorizing Official

Respond on Critical Control and Change Information

Page 43: Developing a Continuous Monitoring Action Plan

Example Feedback to the Authorizing Official

Provide actionable data: What and Where. Respond to Critical Events.

Page 44: Developing a Continuous Monitoring Action Plan

1 Categorize Assets
2 Determine Risk Threshold
3 Establish Monitoring Frequency
4 Provide Feedback to Authorizing Official

Page 45: Developing a Continuous Monitoring Action Plan


About Tripwire

Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 5,500 customers in more than 87 countries rely on Tripwire’s integrated solutions. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively prove continuous compliance, mitigate risk, and achieve operational control through Visibility, Intelligence and Automation.

Learn more at www.tripwire.com

Page 46: Developing a Continuous Monitoring Action Plan

Q&A Session

Please Submit Your Question Now

Page 47: Developing a Continuous Monitoring Action Plan

To View This or Other Events On-Demand Please Visit:

http://www.netseminar.com

For more information please visit:

http://www.tripwire.com

Resources

Page 48: Developing a Continuous Monitoring Action Plan

www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5440
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980

THANK YOU!