Information System Continuous Monitoring (ISCM) FITSP-M Module 7.


“Continuous monitoring is the backbone of true security.”

– Vivek Kundra, Federal CIO

Leadership

FITSP-M Exam Module Objectives

– Audit and Accountability: Manage controls in a system that facilitate the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, and investigation of the system

– Security Assessments and Authorization: Supervise processes that facilitate the monitoring of information system security controls on an ongoing basis to ensure the continued effectiveness of the controls

– System and Communication Protection: Oversee processes that monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems

– System and Information Integrity: Direct mechanisms that monitor information system security alerts and advisories and take appropriate actions in response

Continuous Monitoring Overview

Section A: Continuous Monitoring Trends
– RMF Step 6 – Monitor Security Controls
– Redefining Risk Management
– DHS CM Reporting Metrics
– Cyberscope

Section B: CM Guidelines, SP 800-137
– ISCM Fundamentals
– Organization-wide Approach
– Elements of Organization-wide CM Program
– Continuous Monitoring Process

Section C: Automation
– Automation Domains
– SCAP & OCIL
– Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS)

Section D: CM Implementation

CONTINUOUS MONITORING TRENDS

Section A

RMF Step 6 – Monitor Security Controls

– Information System and Environment Changes
– Ongoing Security Control Assessments
– Ongoing Remediation Actions
– Key Updates
– Security Status Reporting
– Ongoing Risk Determination and Acceptance
– Information System Removal and Decommissioning

Risk Management Redefined

OODA Loop

DHS Cyberscope Monthly Data Feeds to DHS

1. Inventory

2. Systems and Services

3. Hardware

4. Software

5. External Connections

6. Security Training

7. Identity Management and Access

Government-wide benchmarking on security posture

Agency-specific interviews

DHS FY12 Reporting Metrics

1. Continuous Monitoring

Knowledge Check

Name the components of the new risk management model.

Name the reporting tool that automates Agency FISMA reporting directly to DHS.

What 3 Continuous Monitoring metrics will DHS expect agencies to report for FY2012?

THE CM GUIDELINES: SP 800-137

Section B

NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Information security continuous monitoring (ISCM) is defined as:

– Maintaining Ongoing Awareness of Information Security, Vulnerabilities, and Threats
– Support Organizational Risk Management Decisions
– Begins With Leadership Defining A Comprehensive ISCM Strategy Encompassing:
  • technology
  • processes
  • procedures
  • operating environments
  • people

ISCM Fundamentals

1. Define the ISCM strategy
2. Establish an ISCM program
3. Implement the ISCM program
4. Analyze and report findings
5. Respond to findings
6. Review and update ISCM strategy and program

TIER 1 – Organization

TIER 2 – Mission/Business Processes

TIER 3 – Information Systems

[Figure: automated/manual data feeds (security-related information, POAMs, SARs) flow between the three tiers, each tier with its own data and tools]

Tier 1 – Risk Management Strategy:
1. How the organization plans to assess, respond to, and monitor risk
2. Oversight required to ensure effectiveness of RM strategy

Tier 2 – Program Management:
1. Defined by how business processes are prioritized
2. Types of information needed to successfully execute those business processes

Tier 3 – Monitoring System-Level Controls and Security Status Reporting:
1. Security Alerts
2. Security Incidents
3. Identified Threat Activities

ISCM Criteria

The CM Process

1. Define an ISCM Strategy
2. Establish an ISCM Program
3. Implement an ISCM Program
4. Determine Appropriate Response
5. Mitigate Risk
6. Review and Update the Monitoring Program

Interrelationships to the CM Process

• Risk Tolerance
• Enterprise Architecture
• Security Architecture
• Security Configurations
• Plans for Changes to Enterprise Architecture
• Available Threat Information

AUTOMATION

Section C

Role of Automation in ISCM

Consideration is given to ISCM tools that:

– Pull information from a variety of sources (specifications, mechanisms, activities, individuals)
– Use open specifications such as SCAP
– Offer interoperability with other products (help desk, inventory management, configuration management, and incident response solutions)
– Support compliance with applicable federal laws, regulations, standards, and guidelines
– Provide reporting with the ability to tailor output
– Allow for data consolidation into Security Information and Event Management (SIEM) tools and dashboard products

SP 800-137

Security Automation Domains

– Vulnerability & Patch Management
– Event & Incident Management
– Malware Detection
– Asset Management
– Configuration Management
– Network Management
– License Management
– Information Management
– Software Assurance

SP 800-137

Automation Domain | Tools and Technologies | NIST Guidelines

1 - Vulnerability Management | Vulnerability scanners | NIST SP 800-40, Creating a Patch and Vulnerability Management Program
2 - Patch Management | Patch management tools | NIST SP 800-40, Creating a Patch and Vulnerability Management Program
3 - Event Management | Intrusion detection/prevention systems and logging mechanisms | NIST SP 800-92, Computer Security Log Management
4 - Incident Management | Intrusion detection/prevention systems and logging mechanisms | NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
5 - Malware Detection | Antivirus/malware detection mechanisms | NIST SP 800-83, Malware Incident Prevention and Handling
6 - Configuration Management | SCAP, SIEM, dashboards | NIST SP 800-126r2, The Technical Specification for SCAP Version 1.2
7 - Asset Management | System configuration, network management, and license management tools |
8 - Network Management | Host discovery, inventory, change control, performance monitoring, and other network device management capabilities |
9 - License Management | License management tools |
10 - Information Management | Data Loss Prevention (DLP) tools: network analysis software, application firewalls, and intrusion detection and prevention systems |

SP 800-137

Software Assurance Technologies: Security Automation Domain #11

Software Assurance Automation Protocol (SwAAP – measure and enumerate software weaknesses):

CWE | Common Weakness Enumeration | Dictionary of weaknesses that can lead to exploitable vulnerabilities
CWSS | Common Weakness Scoring System | Assigning risk scores to weaknesses
CAPEC | Common Attack Pattern Enumeration & Classification | Catalog of attack patterns
MAEC | Malware Attribute Enumeration & Characterization | Standardized language about malware, based on attributes such as behaviors and attack patterns

SP 800-137

Knowledge Check

What is the document that provides guidelines for developing a CM program?

What is the first step in the CM Process?

Name an automation specification which is a dictionary of weaknesses that can lead to exploitable vulnerabilities.

What is defined as an information security area that includes a grouping of tools, technologies, and data? Data within the domains is captured, correlated, analyzed, and reported to present the security status of the organization that is represented by the domains monitored.

Automation and Reference Data Sources

Security Content Automation Protocol (SCAP)
– What Can Be Automated With SCAP
– How to Implement SCAP
– Partially Automated Controls

Reference Data Sources
– National Vulnerability Database (NVD)
– Security Configuration Checklists

SCAP Program

NVD Primary Resources:
1. Vulnerability Search Engine
2. National Checklist Program
3. SCAP Compatible Tools
4. SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
5. Product Dictionary (CPE)
6. Impact Metrics (CVSS)
7. Common Weakness Enumeration (CWE)

[Figure: NVD data feed supplying the scan]

SCAP: What Can Be Automated?

Vulnerability and Patch Scanners
– Authenticated
– Unauthenticated

Baseline Configuration Scanners
– Federal Desktop Core Configuration (FDCC)
– United States Government Configuration Baseline (USGCB)

How to Implement SCAP: with SCAP-validated Tools … and SCAP-expressed Checklists

Partially Automated Controls

Open Checklist Interactive Language (OCIL)
– Define questions (Boolean, choice, numeric, or string)
– Define possible answers to a question from which the user can choose
– Define actions to be taken resulting from a user's answer
– Enumerate result set

Used in conjunction with the eXtensible Configuration Checklist Description Format (XCCDF)
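As an added example (not part of the module and not the OCIL XML schema itself), the following Python models the OCIL building blocks listed above: test actions with Boolean, choice, numeric and string questions, the answers a user may give, an action per answer that is either an OCIL result or a reference to another test action, and the OCIL result set. The questionnaire content, the chain-depth limit and the simplified AND precedence are constructed assumptions.

```python
import re

# Result values OCIL defines for a test action or questionnaire.
RESULTS = ("PASS", "FAIL", "ERROR", "UNKNOWN", "NOT_TESTED", "NOT_APPLICABLE")

# Constructed questionnaire built from OCIL's concepts: each test action has a
# question of one of the four types, the answers the user may give, and the
# action for an answer (an OCIL result or a reference to another test action).
ACTIONS = {
    "ta-1": {"type": "boolean", "on": {True: "ta-2", False: "FAIL"}},
    "ta-2": {"type": "choice", "choices": ["Posted on intranet", "Not distributed"],
             "on": {"Posted on intranet": "PASS", "Not distributed": "FAIL"}},
    "ta-3": {"type": "numeric", "ranges": [((0, 90), "PASS"), ((91, None), "FAIL")]},
    "ta-4": {"type": "string", "patterns": [(r"^BKP-\d{4}$", "PASS"), (r".*", "FAIL")]},
}

def evaluate(action_id, answers, depth=0):
    """Resolve one test action: no recorded answer gives NOT_TESTED, an answer
    outside the defined set gives ERROR, a reference to another action is followed."""
    if depth > 10:          # guard against a loop of action references
        return "ERROR"
    act = ACTIONS[action_id]
    if action_id not in answers:
        return "NOT_TESTED"
    ans, outcome = answers[action_id], None
    if act["type"] == "boolean" and isinstance(ans, bool):
        outcome = act["on"][ans]
    elif act["type"] == "choice" and ans in act["choices"]:
        outcome = act["on"][ans]
    elif act["type"] == "numeric" and isinstance(ans, (int, float)):
        for (lo, hi), res in act["ranges"]:
            if lo <= ans and (hi is None or ans <= hi):
                outcome = res
                break
    elif act["type"] == "string" and isinstance(ans, str):
        for pat, res in act["patterns"]:
            if re.search(pat, ans):
                outcome = res
                break
    if outcome is None:
        return "ERROR"
    return outcome if outcome in RESULTS else evaluate(outcome, answers, depth + 1)

def questionnaire(action_ids, answers):
    """Combine action results with AND, using a simplified precedence: FAIL, then
    ERROR, UNKNOWN, NOT_TESTED, then PASS (only all-NOT_APPLICABLE stays N/A)."""
    got = {evaluate(a, answers) for a in action_ids}
    for r in ("FAIL", "ERROR", "UNKNOWN", "NOT_TESTED"):
        if r in got:
            return r
    return "NOT_APPLICABLE" if got == {"NOT_APPLICABLE"} else "PASS"
```

The questionnaire result is what an XCCDF benchmark would consume for the rule that references this OCIL check.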

Technologies for Aggregation and Analysis

Management Dashboards
– Meaningful and easily understandable format
– Provide information appropriate to roles and responsibilities

Security Information and Event Management (SIEM), analysis of:
– Vulnerability scanning information
– Performance data
– Network monitoring
– System audit record (log) information
– Audit record correlation and analysis

CAESARS Framework

IR 7756

CM Documents

Knowledge Check

Name the set of specifications used to standardize the communication of software flaws and security configurations.

What is the name of the U.S. government repository of standards-based vulnerability management data represented using the SCAP specifications?

What is the name of the program designed to test the ability of products to use the features and functionality available through SCAP and its component standards?

Name an ISCM reference model that provides a foundation for a continuous monitoring reference model that aims to enable organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.

CM IMPLEMENTATION

Section D

Monitoring Tool Data Sources

Component | ID | What is Scored | Source
Vulnerability | VUL | Vulnerabilities detected on a host | Foundstone (McAfee)
Patch | PAT | Patches required by a host | SMS (System Center)
Security Compliance | SCM | Failures of a host to use required security settings | McAfee Policy Auditor
Anti-Virus | AVR | Out of date anti-virus signature file | SMS (System Center)
Unapproved OS | UOS | Unapproved operating systems | AD
Cyber Security Awareness Training | CSA | Every user who has not passed the mandatory awareness training within the last 365 days | DoS Training Database
SOE Compliance | SOE | Incomplete/invalid installations of any product in the Standard Operating Environment (SOE) suite | SMS (System Center)
AD Computers | ADC | Computer account password ages exceeding threshold | AD
AD Users | ADU | User account password ages exceeding threshold (scores each user account, not each host) | AD
SMS Reporting | SMS | Incorrect functioning of the SMS client agent | SMS (System Center)
Vulnerability Reporting | VUR | Missed vulnerability scans | Foundstone (McAfee)
Security Compliance Reporting | SCR | Missed security compliance scans | McAfee Policy Auditor

Risk Scoring

Remediation
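As an added example (not the Department of State's iPost code), the following Python scores constructed observations against the twelve components in the data-source table above, following the steps of the fishbone diagram later in this module: track desired state, track actual, identify and score deviations, and fix issues by priority. The point weights, the password-age thresholds and the sample observations are assumptions; the 365-day awareness-training window and the per-user scoring of ADU come from the table.

```python
from collections import defaultdict
# Points per deviation, keyed by the table's component IDs (constructed weights).
WEIGHTS = {"VUL": 10, "PAT": 3, "SCM": 1, "AVR": 6, "UOS": 5, "SOE": 4,
           "SMS": 5, "VUR": 8, "SCR": 8, "ADC": 2, "ADU": 2, "CSA": 2}
# Desired state for the age-based components, in days: the 365-day CSA window is
# from the table, the password-age thresholds are constructed assumptions.
MAX_AGE_DAYS = {"ADC": 60, "ADU": 60, "CSA": 365}
# Components scored per user account rather than per host.
PER_USER = {"ADU", "CSA"}

# Constructed observations: (component, subject, value). For age-based components
# the value is the observed age in days; for the others it is a severity 1-4.
OBSERVED = [
    ("VUL", "host-a", 4), ("PAT", "host-a", 2), ("AVR", "host-a", 1),
    ("VUR", "host-b", 1), ("UOS", "host-b", 1), ("ADC", "host-b", 95),
    ("ADC", "host-c", 30), ("SCM", "host-c", 1),
    ("ADU", "jdoe", 130), ("CSA", "jdoe", 400), ("CSA", "asmith", 200),
]

def deviation(component, value):
    """Compare an observation with the desired state; 0 means compliant. Age-based
    components deviate by days over threshold, the others by their severity."""
    if component in MAX_AGE_DAYS:
        return max(0, value - MAX_AGE_DAYS[component])
    return value

def score(component, value):
    """Points for one deviation. Age-based components earn the weight plus one
    point per 30 days over threshold, so stale items keep growing until fixed."""
    dev = deviation(component, value)
    if dev == 0:
        return 0
    if component in MAX_AGE_DAYS:
        return WEIGHTS[component] + dev // 30
    return WEIGHTS[component] * dev

def score_site(observed):
    """Aggregate points per host, per user and per component, plus a site total."""
    hosts, users, comps = defaultdict(int), defaultdict(int), defaultdict(int)
    for comp, subject, value in observed:
        pts = score(comp, value)
        (users if comp in PER_USER else hosts)[subject] += pts
        comps[comp] += pts
    total = sum(hosts.values()) + sum(users.values())
    return {"hosts": dict(hosts), "users": dict(users), "components": dict(comps), "total": total}

def fix_order(observed):
    """Deviations sorted highest score first, for the 'Fix Issues by Priority' step."""
    scored = [(score(c, v), c, s) for c, s, v in observed if score(c, v) > 0]
    return sorted(scored, reverse=True)
```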

CM Challenges

The Organization of SP 800-53

Emerging CM Technologies
– SCAP
– OCIL

The Limitations of CAESARS

Department of State's iPost and Risk Scoring Program

CM DISCUSSION (Optional Section)

Organization of Security Controls

18 Families, 198 Controls, 892 Control Items (Parts/Enhancements)

Control Catalog Redundancies Evident in USGCB

DoD Solution: Mapping STIG to 800-53

DoS Solution: Using Fishbone to Find Root Controls

[Figure: DoS fishbone diagram of the CM lifecycle. "Plan, Engineer, & Prepare for Operations" side: Requirements Definition; Design/Test/AQ/Infrastructure Plan; Prep Staff; Policy & Planning; Value Proposition/Operational Metric. "Operate, Monitor, & Improve" side: Track Desired State; Track Actual; ID Score Deviations; Assign Scores to Delta; Fix Issues by Priority; Find Systemic Problems; Manage & Operate. Phases along the spine: Prepare; Operate & Check; Improve Effectiveness; Measure.]

DoS Solution: Proposed

Structure of Security Control Catalog

The Limitations of CAESARS

– Lack of Interface Specifications
– Reliance on an Enterprise Service Bus
– Incomplete Communication Payload Specifications
– Lack of Specifications Describing Subsystem Capabilities
– Lack of a Multi-CM Instance Capability
– Lack of Multi-Subsystem Instance Capability
– CM Database Integration with Security Baseline Content
– Lack of Detail on the Required Asset Inventory
– Requirement for Risk Measurement

GAO Report on Scope of iPost Risk Scoring Program

Addresses windows hosts but not other IT assets on its major unclassified network

Covers a set of 10 scoring components that includes some, but not all, information system controls that are intended to reduce risk

State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment

Minimum Security Controls (FIPS 200) | Controls Monitored by iPost
Access Control | Security Compliance (AD Group check)
Awareness and Training | Awareness Training
Audit and Accountability | Reporting
Security Assessment and Authorization | (none listed)
Configuration Management | Patching, SOE, Reporting (Inventory)
Contingency Planning | (none listed)
Identification and Authentication | AD Computers & Users
Incident Response | (none listed)
Maintenance | (none listed)
Media Protection | (none listed)
Physical and Environmental Protection | (none listed)
Planning | (none listed)
Personnel Security | (none listed)
Risk Assessment | Vulnerabilities
System and Services Acquisition | (none listed)
System and Communications Protection | (none listed)
System and Information Integrity | Patching, Antivirus

Challenges with Implementation of iPost

Overcoming limitations and technical issues with data collection tools

Identifying and notifying individuals with responsibility for site-level security

Implementing configuration management for iPost

Adopting a strategy for continuous monitoring of controls

Managing stakeholder expectations for continuous monitoring activities

Continuous Monitoring Key Concepts & Vocabulary

– Role in the RMF Process: RMF Step 6 – Monitor Security Controls
– Characteristics of Continuous Monitoring: organization-wide approach
– Elements of Organization-wide CM Program
– Continuous Monitoring Process
– Role of Automation
– Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS)

Questions?