1 / 23

Continuous Monitoring: Diagnostics & Mitigation

Continuous Monitoring: Diagnostics & Mitigation. j ohn.streufert@hq.dhs.gov October 24, 2012. OBSTACLE. CXOs are accountable for IT security BUT . directly supervise only a small part of the systems actually in use. Nature of Attacks.

heman
Download Presentation

Continuous Monitoring: Diagnostics & Mitigation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Continuous Monitoring: Diagnostics & Mitigation john.streufert@hq.dhs.gov October 24, 2012

  2. OBSTACLE CXOs are accountable for IT security BUT . directly supervise only a small part of the systems actually in use.

  3. Nature of Attacks 80% of attacks leverage known vulnerabilities and configuration management setting weaknesses

  4. LOWERING RISK ACHIEVED BY: • Correcting for “tunnel vision” seen in physiological studies of pilots • Using math and statistics to accelerate corrective action • Adapting market economics to daily risk calculation/priorities • Automated patch distribution

  5. WHILE NOT CHANGING: • Structure of departments or agencies • Decentralized technology management • Structure of security program RATHER: • Focus on Return on Investment (ROI) • Integrate cyber security, operations, and top to bottom work force decisions

  6. “Attack Readiness” . • What time is spent on • Faster action = lower potential risk

  7. Organizations, Major Systems Contractor Performance

  8. AddressingInformation Overload List Dominant Percentages of Risk

  9. Results First 12 Months Personal Computers and Servers

  10. 1/3 of Remaining Risk Removed [Year 2: PC’s/Servers]

  11. . when charging 40 points 0- 84% in seven (7) days 0 - 93% in 30 days

  12. Case Study Results • 89% reduction in risk after 12 months • personal computers & servers • Mobilizing to patch worst IT security risks first • Mitigation across 24 time zones • Patch coverage 84% in 7 days; 93% in 30 days • Outcome: • Timely, targeted, prioritized information • Actionable • Increased return on investment compared to an earlier implementation of FISMA

  13. Lessons Learned • When continuous monitoring augments snapshots required by FISMA: • Mobilizing to lower risk is feasible & fast (11 mo) • Changes in 24 time zones with no direct contact • Cost: 15 FTE above technical management base • This approach leverages the wider workforce • Security culture gains are grounded in fairness, commitment and personal accountability for improvement

  14. Development Phase

  15. Federal CIO and CISO Cyber Goals • Protect information assets of the US gov’t • Availability, integrity and confidentiality • Lower operational risk and exploitation of • national security systems • .gov networks, major systems & cloud services • Increase situational awareness of cyber status • Improve ROI of federal cyber investments • Fulfill FISMA mandates

  16. 20 Critical Controls • Inventory of Authorized and Unauthorized Devices • Inventory of Authorized and Unauthorized Software • Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers • Continuous Vulnerability Assessment and Remediation • Malware Defenses • Application Software Security • Wireless Device Control • Data Recovery Capability (validated manually) • Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually) • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches • Limitation and Control of Network Ports, Protocols, and Services • Controlled Use of Administrative Privileges • Boundary Defense • Maintenance, Monitoring, and Analysis of Security Audit Logs • Controlled Access Based on the Need to Know • Account Monitoring and Control • Data Loss Prevention • Incident Response Capability (validated manually) • Secure Network Engineering (validated manually) • Penetration Tests and Red Team Exercises (validated manually)

  17. Continuous Diagnosis and Mitigation (CDM)“Full Operational Capability” (FOC) / Desired State: • Minimum Time to FOC for CDM: 3 years; • CDM Covers 80-100% of 800-53 controls; • Smaller attack surface/“risk” for .gov systems; • Weaknesses are found and fixed much faster; • Replaces much 800-53 assessment work ($440M) • And most of the POA&M process ($1.05 B) • Risk scores reflect: threat, vulnerability and impact • Used to make clear, informed risk-acceptance decisions • Economies reduce total cost yet improve security.

  18. Selection of First Year Priorities • Implement CMWG focus areas for controls • NSA and CMWG collaboration put in pilots • Complete baseline survey of highest D/A risks • Award task orders for sensors and services tailored to agency needs and risk profile • Connect initial controls to dashboard • HW/SW asset management/white listing; vulnerability; configuration settings; anti-malware

  19. Use of DHS Appropriated Funds • Strategic Sourcing to buy • Sensors (where missing) • A Federal Dashboard • Services to operate the sensors and dashboard in the D/As • Labor to mentor and train D/As to use the dashboard to reduce risk efficiently • Processes to support CMWG (continuous C&A)

  20. Stakeholder Consultation • DHS and CMWG will consult on program direction and reflect stakeholder concerns of: • CIO Council/ISIMC, ISPAB • NSS, EOP, NIST, NSA • D/As and components • Industry • FFRDCs • Others

  21. cdm.fns@hq.dhs.gov Cloud $440 M/yr

  22. Change to “plan for events” and “respond to events”. 19 18, 8 P3 P3/4 P3 P3/4 12, 15 P3/4 m P2 l n k j o P3 14, 16, 20 p i P2 h a b g P1 9 6,7 are assets: They require all the other capabilities applied to them. For an application, it’s HW, SW etc. must be managed, inside a boundary, configured and relatively free of vulnerabilities. One delta would be the extra analysis SW needs pre-operations. 1 e c P2 d P1 2,5 P2 P2 4 13, 17 P1 3, 10, 11 P1

More Related