Download presentation: Standardizing and Automating Security Operations, presented by the National Institute of Standards and Technology

File: 556f86b26ab9c2f4def049633196ac26.ppt

  • Number of slides: 26

Standardizing and Automating Security Operations
Presented by: National Institute of Standards and Technology

Agenda
  • Security Operations Today
  • Information Security Automation Program
  • Security Content Automation Protocol
  • The Future of Vulnerability Management
  • Next Steps

FISMA Compliance Model (layered diagram, top to bottom)
  • 30,000 ft: FISMA legislation. High-level, generalized information security requirements.
  • 15,000 ft: Federal Information Processing Standards. FIPS 199: Information System Security Categorization; FIPS 200: Minimum Information Security Requirements. Management-level, operational-level and technical-level security controls.
  • Hands on: information system security configuration settings. Checklists and implementation guidance from NIST, NSA, DISA, vendors and third parties (e.g., CIS).

Configuration Management and Compliance
This top-down schema needs to be managed from the bottom up.
Diagram: mandates and the guidance derived from them
  • FISMA -> SP 800-53
  • HIPAA, SOX, GLB -> ???
  • INTEL -> DCID
  • COMSEC '97 -> NSA requirements -> NSA Guides
  • DoD -> DoD IA Controls -> DISA STIGs & Checklists
  • ISO -> 17799/27001 -> ???
  • SP 800-68, vendor guides, third-party guides
All of these draw on a finite set of possible known IT risk controls and application configuration options. Agency tailoring then selects management, operational and technical risk controls along four axes:
  • Windows OS or application (e.g., XP)
  • Version/role: SP1, SP2, major patch level
  • Environment: Enterprise, Mobile, Stand Alone, SSLF
  • Impact rating (High, Moderate, Low) or MAC/CONF
Result: millions of settings to manage across the agency.

Vulnerability Trends
A 20-50% increase over previous years
  • Decreased timeline in exploit development, coupled with a decreased patch development timeline (highly variable across vendors)
  • Three of the SANS Top 20 Internet Security Attack Targets 2006 were categorized as "configuration weaknesses." Many of the remaining targets can be partially mitigated via proper configuration.
  • Increased prevalence of zero-day exploits

State of the Vulnerability Management Industry
  • Product functionality is becoming more robust as vendors acknowledge connections between security operations and a wide variety of IT systems (e.g., asset management, change/configuration management)
  • Some vendors understand the value of bringing together vulnerability management data across multiple vendors
  • Vendors are driving differentiation through enumeration, evaluation, content, measurement, and reporting. This:
      - hinders information sharing and automation
      - reduces reproducibility across vendors
      - drives broad differences in prioritization and remediation

Security Operations Landscape
  • Manual platform-level configuration management across the enterprise is unwieldy at best
  • A large amount of time is being spent by security operations personnel demonstrating compliance with a wide variety of laws and mandates using a configuration that is fairly unchanging
  • Increasing number of laws and mandates
  • Increasing number of vulnerabilities per annum
  • A vulnerability management industry which seeks differentiation through enumeration, evaluation, content, measurement, and reporting

Key Milestone
  • NIST, DISA, NSA Security Automation Conference
      - September 2006
      - 300+ attendees
      - Keynote addresses by: Richard Hale, DISA CIAO; Dennis Heretick, DOJ CISO; Tony Sager, Chief of NSA's Vulnerability Analysis and Operations Group

Information Security Automation Program
  • The ISAP is an interagency and interdepartmental initiative.
  • Becoming formalized through an MOA recognizing the need to:
      - Create and manage the evolution of a standards-based methodology for automating the implementation, monitoring, and adjustment of information system security.
      - Identify and reduce the number of known vulnerabilities and misconfigurations in government computing infrastructures over a shorter period of time.
      - Re-focus the vulnerability management industry on differentiation through product function.
      - Encourage innovation in the global marketplace.

Security Content Automation Protocol (SCAP)
Standardizing our Enumeration, Evaluation, Measuring, and Reporting
  • CVE, Common Vulnerabilities and Exposures: standard nomenclature and dictionary of security-related software flaws
  • CCE, Common Configuration Enumeration: standard nomenclature and dictionary of software misconfigurations
  • CPE, Common Platform Enumeration: standard nomenclature and dictionary for product naming
  • XCCDF, eXtensible Checklist Configuration Description Format: standard XML for specifying checklists and for reporting results of checklist evaluation
  • OVAL, Open Vulnerability Assessment Language: standard XML for testing procedures
  • CVSS, Common Vulnerability Scoring System: standard for measuring the impact of vulnerabilities
Organizations also shown on the slide: Cisco, Qualys, Symantec, Carnegie Mellon University

Integrating IT and IT Security Through SCAP (diagram)
SCAP sits at the centre of four IT functions, each served by a subset of the standards:
  • Vulnerability Management: CVE, OVAL, CVSS
  • Misconfiguration: CCE, OVAL, XCCDF
  • Asset Management: CPE
  • Configuration Management: CCE, XCCDF

Existing Federal Products: Standardizing our Content
NIST Checklist Program
  • In response to NIST being named in the Cyber Security R&D Act of 2002
  • Encourages vendor development and maintenance of security guidance
  • Currently hosts 112 separate guidance documents for over 125 IT products
  • Translating this backlog of checklists into the Security Content Automation Protocol (SCAP)
  • Participating organizations: DISA, NIST, Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple, Microsoft, Citadel
National Vulnerability Database
  • 2.5 million hits per month
  • 20 new vulnerabilities per day
  • Cross-references all publicly available U.S. Government vulnerability resources: FISMA security controls (all 17 families and 163 controls, for reporting reasons), DoD IA Controls, DISA VMS Vulnerability IDs, Gold Disk VIDs, DISA VMS PDI IDs, NSA references, DCID, ISO 17799
  • Produces XML feed for NVD content

Security Content Automation Protocol (SCAP)
Matrix of SCAP components against the functions Enumeration, Evaluation, Measuring, Reporting and Content. The column positions of the marks did not survive extraction; only the number of functions each component is marked against is recoverable:
  • CVE: 2
  • CCE: 2
  • CPE: 2
  • XCCDF: 1
  • OVAL: 1
  • CVSS: 3

The Future of Vulnerability Management Operations (diagram)
Inputs:
  • Organization configuration guidelines (e.g., STIG) -> Standardized Checklist (XCCDF), via the NIST Checklist Program
  • Vulnerability alerts (e.g., IAVA) and intelligence feeds -> Standardized Change List (XCCDF), from the organization, the vendor or NIST
  • National Vulnerability Database: CVE, CCE, CPE, XCCDF, OVAL, CVSS
Processing:
  • Standardized Test Procedures (OVAL), covering misconfigurations and software flaws
  • Standardized Change Procedures (OVAL)
Outputs:
  • Standardized Measurement and Reporting (CVSS, XCCDF) -> Compliance and Audit Report, Change Control Process, Metrics and Compliance Process
  • Metrics and report database

Key Milestone
OMB Windows Security Configuration Memo, 22 March 2007
M-07-11: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf)
  • Acknowledges the role of NIST, DoD, and DISA in baselining security configurations for Windows XP and Vista, and directs departments and agencies to adopt the Vista security configuration
  • Acknowledges that we are ahead of the Vista OS deployment and encourages use of a "very small number of secure configurations"
  • Acknowledges that adoption increases security, increases network performance, and lowers operating costs
  • Mandates adoption of these security configurations by 1 February 2008, and requests draft implementation plans by 1 May 2007
  • Corresponding OMB memo to CIOs requires "Implementing and automating enforcement of these configurations;"
Excerpt from SANS FLASH Announcement:
"The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money. The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now. Alan [Alan Paller, Director of Research, SANS Institute] PS. SANS hasn't issued a FLASH announcement in more than two years. [In other words,] this White House action matters."

Next Steps
Vendors
  • Continue adoption of all SCAP standards; be a keystone product
  • Continue using the content of the NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists
  • Put SCAP technologies on your roadmap and budget accordingly
Service Providers
  • Continue using the content of the NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists
  • Prepare to help the operations community reconcile multiple mandates into XCCDF checklists
  • Position yourself to integrate SCAP-compliant products
  • Put SCAP and vulnerability management automation on your services roadmap and budget accordingly
Operations Community
  • Interact with your vendors and service providers about SCAP: ask about their SCAP plans and their SCAP readiness
  • Begin using phrasing like "SCAP compliant" in your acquisition language
  • Put SCAP and vulnerability management automation on your roadmap and budget accordingly

Stakeholder and Contributor Landscape: Federal Agencies
  • DHS: providing funding
  • NSA: providing resources; applying the technology
  • DISA: providing resources; integrating into Host Based System Security (HBSS) and Enterprise Security Solutions
  • OSD: incorporating into Computer Network Defense (CND) Data Strategy
  • DOJ: incorporating into the FISMA Cyber Security Assessment and Management (CSAM) tool
  • Army: integrating Asset & Vulnerability Tracking Resource (AVTR) with DoD and SCAP content; contributing patch dictionary
  • DOS: incorporating into security posture by mapping SCAP to the certification and accreditation process

Stakeholder and Contributor Landscape: Industry
(Contributors were shown as logos; only the role captions survive.)
  • FFRDC, supporter and maintainer of 4 standards
  • Incorporating SCAP into their products
  • Provides SCAP-compliant tools
  • Provides Nessus (widely government-used) tool, becoming SCAP compliant
  • Point solution provider
  • Provides SCAP content
  • AiMetrix: provides a SCAP-compliant tool

More Information
Security Content Automation Protocol (SCAP): http://nvd.nist.gov/scap.cfm
  • SCAP Beta Web Site / Repository deployed on October 20th
  • Beta SCAP files available:
      - Windows Vista: misconfigurations; DISA/NIST, Microsoft, Air Force policies
      - Windows XP: misconfigurations/software flaws; NIST FISMA and DISA policies (SP 800-68 / Gold Disk)
      - Windows Server 2003: misconfigurations/software flaws; Microsoft and NIST FISMA policies
      - Red Hat Enterprise Linux: misconfigurations/software flaws
      - Microsoft Office 2007
      - Internet Explorer 7
      - Symantec AV
  • Beta SCAP files coming soon: Windows 2000, McAfee AV, Lotus Notes Domino Server
National Vulnerability Database (NVD): http://nvd.nist.gov
National Checklist Program: http://checklists.nist.gov

Upcoming Events
  • 11 June 2007: Defense Network Centric Operations 2007
  • Mid-to-late summer: Security Automation Workshop
      - Vendor demonstrations
      - Federal operations use cases

Questions
National Institute of Standards & Technology, Information Technology Laboratory, Computer Security Division

Additional: Application of SCAP

XML Made Simple (car analogy)
XCCDF, read here as "eXtensible Car Description Format", describes the thing being checked:
  <Car><Description><Year>1997</Year> Ford Contour
  Gas Cap = On
  Oil Level = Full
OVAL, read here as "Open Vehicle Assessment Language", lists the test procedures: Side of Car, Turn, Hood, ...
Error Report:
  Problem: Air Pressure Loss
  Diagnosis Accuracy: All Sensors Reporting
  Diagnosis: Replace Gas Cap
  Expected Cost: $25.00

XML Made Simple
Standardized Checklist: XCCDF, eXtensible Checklist Configuration Description Format
  <Document> NIST SP 800-68, 04/22/06
  Rule 1: Windows XP Password >= 8
  Rule 2: FIPS Compliant
Standardized Test Procedures: OVAL, Open Vulnerability Assessment Language
  ... 8 ... (test definitions the rules reference), version 1.0.12.4
Standardized Measurement and Reporting: results of the XCCDF checklist evaluation

Application to Automated Compliance: The Connected Path (overview)
800-53 Security Control -> 800-68 Security Guidance -> ISAP-produced security guidance in XML format -> COTS tool ingest -> API call -> Result

Application to Automated Compliance: The Connected Path (worked example)
  • 800-53 security control: AC-7, Unsuccessful Login Attempts (also mapped to a DoD IA Control)
  • 800-68 security guidance (with DISA STIG/Checklist and NSA Guide): AC-7: Account Lockout Duration; AC-7: Account Lockout Threshold
  • ISAP-produced security guidance in XML format: hive HKEY_LOCAL_MACHINE, path Software\Microsoft\Windows, value AccountLockoutDuration, expected 5* (the path is schematic; the slide does not give the real storage location of the lockout policy)
  • COTS tool ingest, API call (pseudocode as shown on the slide):
        lpHKey = "HKEY_LOCAL_MACHINE"
        Path   = "Software\Microsoft\Windows"
        Value  = "5"
        sKey   = "AccountLockoutDuration"
        Op     = ">"
        RegQueryValue(lpHKey, Path, Value, sKey, Value, Op);
        if (Op == ">")
            if (sKey < Value) return (1);
            else              return (0);
  • Result: reported back against the 800-53 control
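To show the connected path end to end in runnable form, the following is an added example in Python; it is not code from the NIST deck. It reads a constructed XCCDF-like guidance document whose rules carry their SP 800-53 control and SP 800-68 source, evaluates each OVAL-like registry test against a constructed host snapshot, and rolls the results up per control, which is what the "XML Made Simple" checklist slide and the AC-7 connected-path slides describe. The XML layout, the registry paths and value names, and the thresholds are assumptions for illustration (the real lockout policy does not live under that key), and the operator semantics (a rule passes when actual <op> expected holds) are also an assumption, since the slide's pseudocode leaves them ambiguous.

```python
"""Added example (not from the NIST deck): SP 800-53 control -> SP 800-68
guidance as XCCDF/OVAL-like XML -> tool evaluation against a host snapshot ->
per-control report. XML layout, registry paths and thresholds are constructed."""
import operator
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed guidance document. Each Rule records the 800-53 control it
# satisfies, the guidance it came from, and one registry test (hive, key
# path, value name, operator, expected value). Not the real XCCDF schema.
GUIDANCE_XML = r"""
<Benchmark id="nist-sp800-68-xp" version="1.0">
  <Rule id="lockout-duration" control="AC-7" source="SP 800-68"
        title="Account Lockout Duration (minutes)">
    <RegistryTest hive="HKEY_LOCAL_MACHINE" path="Software\Microsoft\Windows"
                  name="AccountLockoutDuration" op="ge" value="15"/>
  </Rule>
  <Rule id="lockout-threshold" control="AC-7" source="SP 800-68"
        title="Account Lockout Threshold (failed attempts)">
    <RegistryTest hive="HKEY_LOCAL_MACHINE" path="Software\Microsoft\Windows"
                  name="AccountLockoutThreshold" op="le" value="5"/>
  </Rule>
  <Rule id="min-password-length" control="IA-5" source="SP 800-68"
        title="Minimum Password Length">
    <RegistryTest hive="HKEY_LOCAL_MACHINE" path="Software\Microsoft\Windows"
                  name="MinimumPasswordLength" op="ge" value="8"/>
  </Rule>
  <Rule id="fips-compliant" control="IA-7" source="SP 800-68"
        title="Use FIPS compliant algorithms">
    <RegistryTest hive="HKEY_LOCAL_MACHINE" path="Software\Microsoft\Windows"
                  name="FipsAlgorithmPolicy" op="eq" value="1"/>
  </Rule>
</Benchmark>
"""

# Constructed host snapshot, as a scanner would capture it:
# (hive, key path, value name) -> data. FipsAlgorithmPolicy is deliberately
# missing to show how an absent setting is reported.
KEY = r"Software\Microsoft\Windows"
CAPTURED_REGISTRY = {
    ("HKEY_LOCAL_MACHINE", KEY, "AccountLockoutDuration"): 30,
    ("HKEY_LOCAL_MACHINE", KEY, "AccountLockoutThreshold"): 10,
    ("HKEY_LOCAL_MACHINE", KEY, "MinimumPasswordLength"): 8,
}

# Operators are spelled out in the XML so their meaning is unambiguous:
# a rule passes when  actual <op> expected  holds (an assumption here).
OPERATORS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
             "ge": operator.ge, "lt": operator.lt, "le": operator.le}


@dataclass(frozen=True)
class RuleResult:
    rule_id: str
    control: str    # SP 800-53 control the rule maps to (e.g. AC-7)
    source: str     # guidance the setting came from (e.g. SP 800-68)
    actual: object  # value found on the host, or None if absent
    result: str     # "pass", "fail" or "unknown"


def evaluate_benchmark(xml_text, registry):
    """Run every Rule's RegistryTest against the captured registry."""
    results = []
    for rule in ET.fromstring(xml_text.strip()).iter("Rule"):
        test = rule.find("RegistryTest")
        key = (test.get("hive"), test.get("path"), test.get("name"))
        op, expected = test.get("op"), int(test.get("value"))
        if op not in OPERATORS:
            raise ValueError(f"rule {rule.get('id')}: unsupported operator {op!r}")
        actual = registry.get(key)
        if actual is None:
            # Absent setting: neither a pass nor a fail. Surface it so an
            # auditor looks at the host instead of trusting a silent default.
            result = "unknown"
        else:
            result = "pass" if OPERATORS[op](actual, expected) else "fail"
        results.append(RuleResult(rule.get("id"), rule.get("control"),
                                  rule.get("source"), actual, result))
    return results


def rollup_by_control(results):
    """One status per 800-53 control: fail if any rule fails, else unknown
    if any rule could not be checked, else pass."""
    status = {}
    for r in results:
        current = status.get(r.control, "pass")
        if "fail" in (r.result, current):
            status[r.control] = "fail"
        elif "unknown" in (r.result, current):
            status[r.control] = "unknown"
        else:
            status[r.control] = "pass"
    return status


def results_to_xml(results):
    """Emit an XCCDF-TestResult-like report (constructed layout)."""
    root = ET.Element("TestResult")
    for r in results:
        el = ET.SubElement(root, "rule-result", idref=r.rule_id, control=r.control)
        ET.SubElement(el, "result").text = r.result
        ET.SubElement(el, "actual").text = "" if r.actual is None else str(r.actual)
    return ET.tostring(root, encoding="unicode")
```

Running `evaluate_benchmark(GUIDANCE_XML, CAPTURED_REGISTRY)` and then `rollup_by_control` reports AC-7 as failing (the lockout threshold of 10 attempts exceeds the expected 5, even though the lockout duration passes), IA-5 as passing and IA-7 as unknown because the host snapshot has no FIPS setting at all. The point of the "unknown" state is the one a practitioner cares about: a missing value must never be collapsed into a pass or a fail by the tool, because either silently misstates the control's status in the compliance report.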