
Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP)

John M. Gilligan

www.gilligangroupinc.com

May, 2009


Problem

Today’s state—CIOs of large enterprises cannot:

  • See their IT assets—they don’t know what they have

  • Tell which systems comply with policy

    • Makes reporting, enforcement impossible

  • Change configurations quickly in reaction to changing threats or vendor updates

IT organizations cannot effectively manage complex environments


Root Cause

Today’s enterprise IT capabilities are:

  • Complex

  • Dynamic

  • Vulnerable

  • Fragmented in use of automated management

Processes and tools are immature


CIOs are concerned about enterprise IT management

  • Cost of poorly managed IT is growing rapidly

  • Cyber attacks are exploiting weak enterprise management

    • Weakest link becomes enterprise “Achilles Heel”

    • Cyber exploitation now a National Security issue

  • High quality IT support requires effective enterprise management

SCAP enables effective enterprise IT management and security


Goal—Well-Managed Enterprise

  • Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so

  • Integrated and automated enterprise management tools increase operational effectiveness and security without increased cost


Solution Elements

  • Governance

  • Technology

  • Discipline


Governance

  • Define management and security policies and properties to be implemented in enterprise IT environments

  • Accelerate evolution to a disciplined environment

    • Federal Desktop Core Configuration (FDCC)--Establishes initial configuration discipline

    • 20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines—Counter most significant threats with measurable controls

    • NIST Special Publication 800-53 (Information Security; Recommended Security Controls for Federal Information Systems)—Establish comprehensive disciplined management and security policies and controls


Technology

  • Use tools that are Security Content Automation Protocol (SCAP)-enabled

    • Automate management of configuration, asset management, and security properties

      • Continuously assess, report, enforce endpoint compliance

      • React quickly to changing situations (e.g., vendor patches, new configurations, revised policy)

    • Achieve cross-vendor integration, interoperability

SCAP enables tool integration and interoperability for disciplined enterprise IT management


Discipline

Verify compliance with enterprise IT policies:

  • Continuously verify effectiveness of controls by leveraging automation and trend metrics

    • Also employ metrics for operational effectiveness and cost

  • Use Auditors and Red Teams to independently validate discipline

  • Ensure visible accountability for those who violate policies



Current SCAP Standards

[Diagram: the six SCAP standards (CVE, CVSS, OVAL, CPE, CCE, XCCDF) arranged across four management functions]

  • Software vulnerability management

  • Asset management

  • Configuration management

  • Compliance management

SCAP supports foundational IT management functions


Specific SCAP Standards

  • CVE: Identifies vulnerabilities

  • CVSS: Scores vulnerability severity

  • OVAL: Criteria to check presence of vulnerabilities, configurations, assets

  • CPE: Identifies packages and platforms

  • CCE: Identifies configuration controls

  • XCCDF: Language to express configuration guidance for both automatic and manual vetting

Management functions shown in the diagram: software vulnerability management, asset management, configuration management, compliance management

SCAP enables enterprise-wide, cross-vendor interoperability and aggregation of data produced by separate tools


Mature Standards Illustrate Possibilities

  • Common Vulnerabilities and Exposures (CVE): industry standard for identifying vulnerabilities

    • 36,000+ vulnerabilities agreed upon over the last 10 years

    • 245 products, 138 organizations, 25 countries

  • Common Vulnerability Scoring System (CVSS): used by the Payment Card Industry (PCI) to judge compliance of organizations that process card payments

Industry has adopted SCAP standards for individual needs


SCAP Gaining Momentum

  • Federal Desktop Core Configuration (FDCC/SCAP)

    • Ken Heitkamp (ex-Deputy CIO AF): “FDCC with SCAP not only establishes standard configurations for hardware suppliers, it also addresses security for those that develop software”

  • Open Vulnerability Assessment Language (OVAL)

    • McAfee: “The ability to…describe vulnerabilities on a system and exchange that information between tools is doing a great deal to improve [vendor] offerings”

  • NIST issues SCAP content for FISMA compliance

    • Steve Quinn (NIST): “[SCAP is] an automated approach to help agencies make the jump from security policies and mandates to secure systems.”


Product Interoperability

The Problem

  • Different vendor products give different answers

  • CIOs can’t integrate across vendors

The Solution

  • SCAP standard ‘OVAL’ introduced to enable integration

    • Red Hat adopted OVAL; found it increased value of their advisories to customers

    • Other vendors have followed (e.g., Symantec)

OVAL provides the “glue” for SCAP-compliant tools leading to interoperability


Enterprise IT Management Using SCAP

  • DoD Computer Network Defense (CND) data sharing pilot demonstrating enterprise management using SCAP

    • SCAP shows which systems are vulnerable; enables rapid, prioritized response (e.g., rush patching); provides follow-up reporting

    • Tony Sager (NSA): “We do it all now with SCAP-compatible tools.”

  • Organizations beginning to see SCAP benefits for other enterprise applications


Leadership is needed now

Shape technology to serve the public interest


Recommended Actions

How Federal government can provide leadership:

  • Require SCAP-validated tools

  • Educate IT staff in how SCAP can be used for enterprise IT management

  • Deploy SCAP-validated tools; evolve to automated enterprise IT management

  • Share lessons learned with IT managers and vendors

    • More use cases—not just security

    • More transparent integration


SCAP can transform individual tools into integrated parts of an Enterprise IT Management Capability


Enterprise IT Management Roadmap

[Chart with axes labeled Capability and Cost]


Contact Information

John M. Gilligan

[email protected]

703-503-3232

www.gilligangroupinc.com


Strategic Roadmap

More secure, more automated

  • Controlled configuration for Windows

  • Controlled configuration for major operating systems and applications

  • Standardized application white and black listing

  • Adaptive configurations based on threat

  • Faster vulnerability impact/patch level assessment

  • Standardized remediation, configuration control

Timeline markers shown in the chart: Today, 2010, 2010, 2011, 2012

Chart labels: OVAL adoption; Real-time management; More secure, automated, real time

