standardizing and automating security operations l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Standardizing and Automating Security Operations PowerPoint Presentation
Download Presentation
Standardizing and Automating Security Operations

Loading in 2 Seconds...

play fullscreen
1 / 26

Standardizing and Automating Security Operations - PowerPoint PPT Presentation


  • 341 Views
  • Uploaded on

Standardizing and Automating Security Operations Presented by: National Institute of Standards and Technology Agenda Security Operations Today Information Security Automation Program Security Content Automation Protocol The Future of Vulnerability Management Next Steps 30,000 FT

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Standardizing and Automating Security Operations' - jaden


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
standardizing and automating security operations

Standardizing and Automating Security Operations

Presented by:

National Institute of Standards and Technology

agenda
Agenda
  • Security Operations Today
  • Information Security Automation Program
  • Security Content Automation Protocol
  • The Future of Vulnerability Management
  • Next Steps
slide3

30,000 FT

FISMA Legislation

High Level, Generalized, Information Security Requirements

15,000 FT

Federal Information Processing Standards

FIPS 199: Information System Security Categorization

FIPS 200: Minimum Information Security Requirements

Management-level Security Controls

Technical-level

Security Controls

Operational-level Security Controls

5,000 FT

Hands On

FISMA Compliance Model

Information System Security Configuration Settings

NIST, NSA, DISA, Vendors, Third Parties (e.g., CIS) Checklists and Implementation Guidance

configuration management and compliance
Configuration Management and Compliance

This Top-Down Schema Needs to be Managed from the Bottom-Up

FISMA

HIPAA

SOX

GLB

INTEL

COMSEC ‘97

DoD

ISO

Vendor

3rd Party

SP 800-53

???

???

???

DCID

NSA Req

DoD

IA Controls

17799/

27001

SP 800-68

???

NSA

Guides

DISA STIGS

& Checklists

???

Guide

Guide

Finite Set of Possible Known IT Risk Controls & Application Configuration Options

Agency Tailoring

Mgmt, Operational, Technical

Risk Controls

Millions of Settings to manage across the Agency

High

Enterprise

Mobile

Moderate

SP1

Stand Alone

Low

XP

Windows

SSLF

SP2

OS or Application

Version/ Role

Major Patch Level

Environment

Impact Rating or MAC/CONF

vulnerability trends
Vulnerability Trends

A 20-50% increase over previous years

  • Decreased timeline in exploit development coupled with a decreased patch development timeline (highly variable across vendors)
  • Three of the SANS Top 20 Internet Security Attack Targets 2006 were categorized as “configuration weaknesses.” Many of the remaining 20 can be partially mitigated via proper configuration.
  • Increased prevalence of zero day exploits
state of the vulnerability management industry
State of the Vulnerability Management Industry
  • Product functionality is becoming more hearty as vendors acknowledge connections between security operations and a wide variety of IT systems (e.g., asset management, change/configuration management)
  • Some vendors understand the value of bringing together vulnerability management data across multiple vendors
  • Vendors driving differentiation through:
    • enumeration,
    • evaluation,
    • content,
    • measurement, and
    • reporting
  • Hinders information sharing and automation
  • Reduces reproducibility across vendors
  • Drives broad differences in prioritization and remediation
security operations landscape
Security Operations Landscape
  • Manual platform-level configuration management across the enterprise is unwieldy at best
  • A large amount of time is being spent by security operations personnel demonstrating compliance to a wide variety of laws and mandates using a configuration that’s fairly unchanging
  • Increasing number of laws and mandates
  • Increasing number of vulnerabilities per annum
  • A vulnerability management industry which seeks differentiation through enumeration, evaluation, content, measurement, and reporting
key milestone
Key Milestone
  • NIST,DISA,NSA Security Automation Conference
    • September 2006
    • 300+ attendees
    • Keynote addresses by:
      • Richard Hale, DISA CIAO
      • Dennis Heretick, DOJ CISO
      • Tony Sager, NSA’s Vulnerability Analysis and Operations Group Chief
information security automation program
Information Security Automation Program
  • The ISAP is an Interagency & Interdepartmental initiative.
  • Becoming formalized through an MOA recognizing the need to:
    • Create and manage the evolution of a standards-based methodology for automating the implementation, monitoring, and adjustment of information system security.
    • Identify and reduce the number of known vulnerabilities and misconfigurations in government computing infrastructures over a shorter period of time.
    • Re-focus the vulnerability management industry on differentiation through product function.
    • Encourage innovation in the global market place.
slide10
Security Content Automation Protocol (SCAP)Standardizing our Enumeration, Evaluation, Measuring, and Reporting

Cisco, Qualys, Symantec, Carnegie Mellon University

integrating it and it security through scap

Vulnerability Management

Asset

Management

Configuration

Management

Integrating IT and IT Security Through SCAP

CVE

Misconfiguration

OVAL

CVSS

SCAP

XCCDF

CCE

CPE

existing federal products standardizing our content
2.5 million hits per month

20 new vulnerabilities per day

Cross references all publicly available U.S. Government vulnerability resources

FISMA Security Controls (All 17 Families and 163 controls for reporting reasons)

DoD IA Controls

DISA VMS Vulnerability IDs

Gold Disk VIDs

DISA VMS PDI IDs

NSA References

DCID

ISO 17799

Produces XML feed for NVD content

In response to NIST being named in the Cyber Security R&D Act of 2002

Encourages vendor development and maintenance of security guidance

Currently hosts 112 separate guidance documents for over 125 IT products

Translating this backlog of checklists into the Security Content Automating Protocol (SCAP)

Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements, ThreatGuard, MITRE Corporation, G2, Verisign, Verizon Federal, Kyocera, Hewlett-Packard, ConfigureSoft, McAfee, etc.

Existing Federal ProductsStandardizing our Content
the future of vulnerability management operations

Standardized

Checklist

Standardized

Test

Procedures

Standardized

Measurement

and Reporting

XCCDF

OVAL

CVSS

XCCDF

Compliance

and Audit

Report

Change

Control

Process

Metrics and

Compliance

Process

CVE, CCE,

CPE, XCCDF,

OVAL, CVSS

Metrics

Report

Standardized

Change List

Standardized

Change

Procedures

Standardized

Measurement

and Reporting

XCCDF

OVRL

CVSS

XCCDF

The Future of Vulnerability Management Operations

Configuration

Organization

Guidelines

(e.g., STIG)

NIST

Checklist

Program

Misconfiguration

Software Flaws

National

Vulnerability

Database

Intelligence

Feeds

Vulnerability

Alerts

(e.g., IAVA)

key milestone15
Key Milestone

OMB Windows Security Configuration Memo – 22 March 2007

M-07-11: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf)

    • Acknowledges the role of NIST, DoD, and DISA in baselining security configurations for Windows XP and Vista, and directs departments and agencies to adopt the Vista security configuration
    • Acknowledges that we are ahead of the Vista OS deployment and encourages use of a “very small number of secure configurations”
    • Acknowledges that adoption increases security, increases network performance, and lowers operating costs
    • Mandates adoption of these security configurations by 1 February 2008, and requests draft implementation plans by 1 May 2007
  • Corresponding OMB Memo to CIOs: Requires, “Implementing and automating enforcement of these configurations;”

Excerpt from SANS FLASH Announcement:

“The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money. The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.

                              Alan [Alan Paller, Director of Research, SANS Institute]

PS. SANS hasn't issued a FLASH announcement in more than two years. [In other words,] this White House action matters.”

next steps
Next Steps

Vendors

  • Continue adoption of all SCAP standards – be a keystone product
  • Continue using the content of NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists
  • Put SCAP technologies on your roadmap and budget accordingly

Service Providers

  • Continue using the content of NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists
  • Prepare to help the operations community reconcile multiple mandates into XCCDF checklists
  • Position yourself to integrate SCAP compliant products
  • Put SCAP and vulnerability management automation on your services roadmap and budget accordingly

Operations Community

  • Interact with your vendors and service providers about SCAP, ask about their SCAP plans, ask about their SCAP readiness
  • Begin using the phrasing like “SCAP compliant” in your acquisition language
  • Put SCAP and vulnerability management automation on your roadmap and budget accordingly
upcoming events
Upcoming Events
  • 11 June 2007 Defense Network Centric Operations 2007
  • Mid-Late Summer Security Automation Workshop
    • Vendor demonstrations
    • Federal operations use cases
questions
Questions

National Institute of Standards & Technology

Information Technology Laboratory

Computer Security Division

xml made simple

Error Report

Problem:

Air Pressure Loss

Diagnosis Accuracy:

All Sensors Reporting

Diagnosis:

Replace Gas Cap

Expected Cost:

$25.00

XML Made Simple

XCCDF - eXtensible Car Care Description Format

OVAL – Open Vehicle Assessment Language

<Car>

<Description>

<Year> 1997 </Year>

<Make> Ford </Make>

<Model> Contour </Model>

<Maintenance>

<Check1> Gas Cap = On <>

<Check2>Oil Level = Full <>

</Maintenance>

</Description>

</Car>

<Checks>

<Check1>

<Location> Side of Car <>

<Procedure> Turn <>

</Check1>

<Check2>

<Location> Hood <>

</Procedure> … <>

</Check2>

</Checks>

xml made simple24
XML Made Simple

XCCDF - eXtensible Checklist Configuration Description Format

OVAL – Open Vulnerability Assessment Language

Standardized

Checklist

Standardized

Test

Procedures

<Document ID> NIST SP 800-68

<Date> 04/22/06 </Date>

<Version> 1 </Version>

<Revision> 2 </Revision>

<Platform> Windows XP

<Check1> Password >= 8 <>

<Check2> FIPS Compliant <>

</Maintenance>

</Description>

</Car>

<Checks>

<Check1>

<Registry Check> … <>

<Value> 8 </Value>

</Check1>

<Check2>

<File Version> … <>

<Value> 1.0.12.4 </Value>

</Check2>

</Checks>

Standardized

Measurement

and Reporting

application to automated compliance the connected path
Application to Automated ComplianceThe Connected Path

Result

800-53 Security Control

800-68 Security Guidance

API Call

ISAP Produced Security Guidance in XML Format

COTS Tool Ingest

application to automated compliance the connected path26
Application to Automated ComplianceThe Connected Path

Result

800-53 Security Control

DoD IA Control

RegQueryValue (lpHKey, path, value, sKey, Value, Op);

If (Op == ‘>” )

if ((sKey < Value )

return (1); else

return (0);

AC-7 Unsuccessful Login Attempts

800-68 Security Guidance

DISA STIG/Checklist

NSA Guide

AC-7: Account Lockout Duration

AC-7: Account Lockout Threshold

API Call

ISAP Produced Security Guidance in XML Format

lpHKey = “HKEY_LOCAL_MACHINE”

Path = “Software\Microsoft\Windows\”

Value = “5”

sKey = “AccountLockoutDuration”

Op = “>“

- <registry_test id="wrt-9999" comment=“Account Lockout Duration Set to 5" check="at least 5">

- <object>

  <hive>HKEY_LOCAL_MACHINE</hive>

  <key>Software\Microsoft\Windows</key>

  <name>AccountLockoutDuration</name>

  </object>

- <data operation="AND">

  <value operator=“greater than">5*</value>

COTS Tool Ingest