Post on 03-Apr-2018
7/28/2019 FITSI-DC - Continuous Monitoring
1/52
Continuous Monitoring
The Evolution of FISMA Compliance
Tina Kuligowski
Tina.Kuligowski@Securible.com
2/52
Overview
Evolution of FISMA Compliance
  NIST Standards & Guidelines (SP 800-37r1, 800-53)
  OMB Memorandums (M-11-33, M-10-28)
  DHS Federal Information Security Memorandums (FISM 11-02)
  The Deltas
CM Tools & Technologies:
  Guidelines: SP 800-137 Information Security Continuous Monitoring
  Automation Domains, Tools and Technologies (SCAP, NVD)
  CAESARS Framework & State's iPost
CM Challenges
  The Organization of the SP 800-53
  The Limitations of CAESARS
  GAO Report: Limitations of iPost and Risk Scoring Program
3/52
Evolution of FISMA Compliance
800-37 r1 Deltas: C&A vs RMF
Joint Task Force
Organization-wide RM Strategy
  Risk Executive (function) [Tier 1]
  Information Security Architect [Tier 2]
  Information System Security Engineer [Tier 3]
Risk Redefined
OMB 11-33 FISMA Reporting Instructions
DHS Cyberscope
4/52
Traditional C&A -> Risk Management Framework (RMF)
(Phase / Task / Subtask on the left; the RMF step and task it maps to on the right)

Phase: Initiation
  Task 1: Preparation
    Information System Description      -> 1.2 Information System Description
    Security Categorization             -> 1.1 Security Categorization
                                        -> 1.3 Information System Registration
    Threat Identification               ->
    Vulnerability Identification        ->
    Security Control Identification     -> 2.1 Common Control Identification
                                           2.2 Security Control Selection
                                           3.1 Security Control Implementation
                                           3.2 Security Control Documentation
                                           2.3 Monitoring Strategy
    Initial Risk Determination          ->
  Task 2: Notification
    Notification                        ->
    Planning And Resources              ->
  Task 3: SSP Analysis, Update, And Acceptance
    Security Categorization Review      ->
    System Security Plan Analysis       ->
    System Security Plan Update         ->
    System Security Plan Acceptance     -> 2.4 Security Plan Approval
5/52
Traditional C&A -> Risk Management Framework (RMF), continued

Phase: Certification
  Task 4: Security Control Assessment
    Documentation Supporting Materials  ->
    Methods And Procedures              -> 4.1 Assessment Preparation
    Security Assessment                 -> 4.2 Security Control Assessment
    Security Assessment Report          -> 4.3 Security Assessment Report
  Task 5: Security Certification Documentation
    Findings And Recommendations        -> 4.4 Remediation Actions
    System Security Plan Update         ->
    POAM Preparation                    -> 5.1 Plan of Action and Milestones
    Accreditation Package Assembly      -> 5.2 Security Authorization Package
Phase: Accreditation
  Task 6: Accreditation Decision
    Final Risk Determination            -> 5.3 Risk Determination
    Risk Acceptability                  -> 5.4 Risk Acceptance
  Task 7: Security Accreditation Documentation
    Security Accreditation Package Transmission ->
    System Security Plan Update         ->
Phase: Continuous Monitoring
  Task 8: Configuration Management
    Documentation Of Information System Changes -> 6.1 Information System and Environment Changes
    Security Impact Analysis            ->
  Task 9: Control Monitoring
    Security Control Selection          -> 2.3 Monitoring Strategy (sorta)
    Selected Security Control Assessment -> 6.2 Ongoing Security Control Assessments
  Task 10: Status Reporting And Documentation
    System Security Plan Update         -> 6.4 Key Updates
    POAM Update                         -> 6.3 Ongoing Remediation Actions
    Status Reporting                    -> 6.5 Security Status Reporting
                                        -> RMF 6.6 Ongoing Risk Determination and Acceptance
                                        -> RMF 6.7 Information System Removal and Decommissioning
6/52
Joint Task Force Transformation Initiative
Ongoing effort to produce a unified information security framework for the federal government.
Members:
  Department of Defense
  Office of the Director of National Intelligence
  Committee on National Security Systems
  National Institute of Standards and Technology
C&A Guidelines being unified: DITSCAP/DIACAP, NIACAP, DCID 6/3
Unified products:
  SP 800-37 Risk Management Framework
  SP 800-53r3 Security Controls
  SP 800-39 Managing Information Security Risk
Collaboration Among Public And Private Sector Entities:
  DoD, ODNI, NSA (CNSS 1253), ISO/IEC (27001)
  Johns Hopkins APL
  MITRE Corporation (NVD)
  Booz Allen Hamilton
7/52
Organization-wide RM Strategy / New Roles
Risk Executive (function)
Information Security Architect
Information System Security Engineer
8/52
OMB 11-33 FISMA Reporting Instructions
FAQ #9. Must the Department of Defense (DoD) and the Office of the Director of National Intelligence (ODNI) follow OMB policy and NIST guidelines?
Answer: Yes, for non-national security systems DOD and ODNI are to incorporate OMB policy and NIST guidelines into their internal policies.
Note: NSA uses CNSS 1253, which looks very similar to a compilation of FIPS 199/200, references 800-53, and provides a very FDCC/USGCB-like baseline of configuration settings.
9/52
Clarifying DHS Cybersecurity Responsibilities (M-10-28)
Critical Infrastructure Protection
US-CERT
Trusted Internet Connection Initiative
Primary Responsibility for the Operational Aspects of Cybersecurity
[FISMA Reporting] Instructions
New FISMA Reporting Metrics
Cyberscope
10/52
DHS FISM 11-02 (aka OMB 11-33) FISMA Reporting Instructions
FAQ #28. Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130?
Answer: No. Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs.
11/52
FY2011 Reporting Metrics
13. Continuous Monitoring
13.1. What percentage of data from the following potential data feeds are being monitored at appropriate frequencies and levels in the Agency:
13.1a. IDS/IPS
13.1b. AV/Anti-Malware/Anti-Spyware
13.1c. System Logs
13.1d. Application Logs
13.1e. Patch Status
13.1f. Vulnerability Scans
13.1g. DNS logging
13.1h. Configuration/Change Management system alerts
13.1i. Failed Logins for privileged accounts
13.1j. Physical security logs for access to restricted areas (e.g. datacenters)
12/52
DHS Cyberscope
Monthly Data Feeds to DHS:
1. Inventory
2. Systems and Services
3. Hardware
4. Software
5. External Connections
6. Security Training
7. Identity Management and Access
Government-wide benchmarking on security posture
Agency-specific interviews
13/52
Risk Management Redefined: OODA Loop
SP 800-137
14/52
SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
Information security continuous monitoring (ISCM) is defined as:
  Maintaining Ongoing Awareness of Information Security, Vulnerabilities, and Threats
  Support Organizational Risk Management Decisions
Begins With Leadership Defining A Comprehensive ISCM Strategy Encompassing:
  technology
  processes
  procedures
  operating environments
  people
15/52
ISCM Criteria (SP 800-137)
Risk Management Strategy:
1. How the organization plans to assess, respond to, and monitor risk
2. Oversight required to ensure effectiveness of RM strategy
Program Management:
1. Defined by how business processes are prioritized
2. Types of information needed to successfully execute those business processes
Monitoring System Level Controls and Security Status Reporting:
1. Security Alerts
2. Security Incidents
3. Identified Threat Activities
16/52
Guidance: 800-137
Risk Tolerance
Enterprise Architecture
Security Architecture
Security Configurations
Plans for Changes to Enterprise Architecture
Available Threat Information
17/52
The CM Process
Define an ISCM Strategy
Establish an ISCM Program
Implement an ISCM Program
Determining Appropriate Response
Mitigating Risk
Review and Update the Monitoring Program
SP 800-137
18/52
Role of Automation in ISCM
Consideration is given to ISCM tools that:
  Pull information from a variety of sources (Specifications, Mechanisms, Activities, Individuals)
  Use open specifications such as SCAP
  Offer interoperability with other products (help desk, inventory management, configuration management, and incident response solutions)
  Support compliance with applicable federal laws, regulations, standards, and guidelines
  Provide reporting with the ability to tailor output
  Allow for data consolidation into Security Information and Event Management (SIEM) tools and dashboard products.
SP 800-137
19/52
Security Automation Domains
Vulnerability & Patch Management
Event & Incident Management
Malware Detection
Asset Management
Configuration Management
Network Management
License Management
Information Management
Software Assurance
SP 800-137
20/52
Automation Domain | Tools and Technologies | NIST Guidelines
1 - Vulnerability Management | Vulnerability scanners | NIST SP 800-40, Creating a Patch and Vulnerability Management Program
2 - Patch Management | Patch management tools | NIST SP 800-40, Creating a Patch and Vulnerability Management Program
3 - Event Management | Intrusion detection/prevention systems and logging mechanisms | NIST SP 800-92, Computer Security Log Management
4 - Incident Management | Intrusion detection/prevention systems and logging mechanisms | NIST SP 800-94, Guide to IDPS
5 - Malware Detection | Antivirus/Malware detection mechanisms | NIST SP 800-83, Malware Incident Prevention and Handling
6 - Configuration Management | SCAP, SIEM, Dashboards | NIST SP 800-126r2, The Technical Specification for SCAP Version 1.2
SP 800-137
21/52
Automation Domain | Tools and Technologies
7 - Asset Management | System configuration, network management, and license management tools
8 - Network Management | Host discovery, inventory, change control, performance monitoring, and other network device management capabilities
9 - License Management | License management tools
10 - Information Management | Data Loss Prevention (DLP) tools: network analysis software, application firewalls, and intrusion detection and prevention systems
SP 800-137
22/52
Software Assurance Technologies: Security Automation Domain #11
Software Assurance Automation Protocol (SwAAP - measure and enumerate software weaknesses):
CWE, Common Weakness Enumeration: Dictionary of weaknesses that can lead to exploitable vulnerabilities
CWSS, Common Weakness Scoring System: Assigning risk scores to weaknesses
CAPEC, Common Attack Pattern Enumeration & Classification: Catalog of attack patterns
MAEC, Malware Attribute Enumeration & Characterization: Standardized language about malware, based on attributes such as behaviors and attack patterns
SP 800-137
23/52
DHS Reporting Metrics
12. Software Assurance
12.1 Provide the number of information systems, developed in-house or with commercial services, deployed in the past 12 months.
12.1a. Provide the number of information systems above (12.1) that were tested using automated source code testing tools.
12.1b. Provide the number of the information systems above (12.1a) where the tools generated output compliant with:
12.1b (1). Common Vulnerabilities and Exposures (CVE)
12.1b (2). Common Weakness Enumeration (CWE)
12.1b (3). Common Vulnerability Scoring System (CVSS)
12.1b (4). Open Vulnerability and Assessment Language (OVAL)
Source code testing tools are defined as tools that review source code line by line to detect security vulnerabilities and provide guidance on how to correct problems identified.
24/52
Automation and Reference Data Sources
Security Content Automation Protocol (SCAP)
  What Can Be Automated With SCAP
  How to Implement SCAP
  Partially Automated Controls
Reference Data Sources
  National Vulnerability Database (NVD)
  Security Configuration Checklists
SP 800-137
25/52
SCAP Program
NVD Primary Resources:
1. Vulnerability Search Engine
2. National Checklist Program
3. SCAP Compatible Tools
4. SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
5. Product Dictionary (CPE)
6. Impact Metrics (CVSS)
7. Common Weakness Enumeration (CWE)
[Diagram labels: NVD, Data Feed, Scan]
SP 800-137
http://www.netiq.com/
http://www.symantec.com/business/control-compliance-suite
http://www.telos.com/
26/52
SCAP: What Can Be Automated?
Vulnerability and Patch Scanners
  Authenticated
  Unauthenticated
Baseline Configuration Scanners
  Federal Desktop Core Configuration (FDCC)
  United States Government Configuration Baseline (USGCB)
SP 800-137
27/52
How to Implement SCAP with SCAP-validated Tools
SP 800-137
28/52
and SCAP-expressed Checklists
SP 800-137
29/52
Partially Automated Controls
Open Checklist Interactive Language (OCIL)
  Define Questions (Boolean, Choice, Numeric, Or String)
  Define Possible Answers to a Question from Which User Can Choose
  Define Actions to be Taken Resulting from a User's Answer
  Enumerate Result Set
Used in Conjunction with eXtensible Configuration Checklist Description Format (XCCDF)
SP 800-137
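An added example, not from the slides or from the OCIL specification: a minimal evaluator for the OCIL model listed above (typed questions, allowed answers, per-answer actions, and an enumerated result set) for a control that cannot be checked by an automated scan. The questionnaire content, the Question class and the "min"/"ok"/"low" keys used for numeric questions are constructed for this example; the result names follow OCIL's result enumeration.

```python
from dataclasses import dataclass, field

RESULTS = ("PASS", "FAIL", "ERROR", "UNKNOWN", "NOT_TESTED", "NOT_APPLICABLE")  # OCIL results

@dataclass
class Question:
    qid: str
    text: str
    kind: str                     # "boolean", "choice", "numeric" or "string"
    choices: tuple = ()           # allowed answers for a "choice" question
    # Constructed convention: answer -> result name or next question id; numeric uses min/ok/low.
    actions: dict = field(default_factory=dict)

def normalize(q, raw):
    """Validate a raw answer against the question type; ValueError if invalid."""
    if q.kind == "boolean":
        val = raw.strip().lower()
        if val not in ("yes", "no"):
            raise ValueError(f"{q.qid}: expected yes/no")
        return val
    if q.kind == "choice":
        if raw not in q.choices:
            raise ValueError(f"{q.qid}: answer must be one of {q.choices}")
        return raw
    if q.kind == "numeric":
        return float(raw)         # raises ValueError on non-numeric input
    return raw                    # free-text string

def evaluate(questions, answers, start):
    """Walk the questionnaire from `start`, following each answer's action until an
    OCIL result is reached; unanswered -> NOT_TESTED, invalid answer -> ERROR."""
    qid = start
    while True:
        q = questions[qid]
        if qid not in answers:
            return "NOT_TESTED"
        try:
            ans = normalize(q, answers[qid])
        except ValueError:
            return "ERROR"
        if q.kind == "numeric":
            action = q.actions["ok"] if ans >= q.actions["min"] else q.actions["low"]
        else:
            action = q.actions.get(ans, "UNKNOWN")
        if action in RESULTS:
            return action
        qid = action              # otherwise the action names the next question

# Constructed questionnaire for a partially automated control: whether the
# mandatory awareness-training requirement is met for a system's users.
QUESTIONS = {
    "q1": Question("q1", "Is the system in scope for awareness training?", "boolean",
                   actions={"no": "NOT_APPLICABLE", "yes": "q2"}),
    "q2": Question("q2", "How are training completions tracked?", "choice",
                   choices=("training database", "not tracked"),
                   actions={"training database": "q3", "not tracked": "FAIL"}),
    "q3": Question("q3", "Percent of users trained in the last 365 days?", "numeric",
                   actions={"min": 100.0, "ok": "PASS", "low": "FAIL"}),
}
```

An XCCDF rule that references such a questionnaire would carry the returned result alongside its automated OVAL checks.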
30/52
Technologies for Aggregation and Analysis
Management Dashboards
  Meaningful And Easily Understandable Format
  Provide Information Appropriate to Roles And Responsibilities
Security Information and Event Management (SIEM), analysis of:
  Vulnerability Scanning Information
  Performance Data
  Network Monitoring
  System Audit Record (Log) Information
  Audit Record Correlation And Analysis
SP 800-137
31/52
CAESARS Framework (IR 7756)
32/52
IR 7756
33/52
IR 7756
34/52
CM Documents
IR 7756
35/52
Department of State's iPost
Custom Application Continuously Monitors
Uses Data from Various Monitoring Tools
Holistic View Of Risk
Leveraging Competitiveness
Encourage Risk Reduction
36/52
iPost Development Stages
Deploy Enterprise Monitoring Tools
Aggregate Monitoring Data: iPost
Establish Risk Scoring Program
37/52
Monitoring Tool Data Sources
Component | ID | What is Scored | Source
Vulnerability | VUL | Vulnerabilities detected on a host | Foundstone (McAfee)
Patch | PAT | Patches required by a host | SMS (System Center)
Security Compliance | SCM | Failures of a host to use required security settings | McAfee Policy Auditor
Anti-Virus | AVR | Out of date anti-virus signature file | SMS (System Center)
Unapproved OS | UOS | Unapproved operating systems | AD
Cyber Security Awareness Training | CSA | Every user who has not passed the mandatory awareness training within the last 365 days | DoS Training Database
SOE Compliance | SOE | Incomplete/invalid installations of any product in the Standard Operating Environment (SOE) suite | SMS (System Center)
AD Computers | ADC | Computer account password ages exceeding threshold | AD
AD Users | ADU | User account password ages exceeding threshold (scores each user account, not each host) | AD
SMS Reporting | SMS | Incorrect functioning of the SMS client agent | SMS (System Center)
Vulnerability Reporting | VUR | Missed vulnerability scans | Foundstone (McAfee)
Security Compliance Reporting | SCR | Missed security compliance scans | McAfee Policy Auditor
38/52
39/52
Risk Scoring
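An added example, not the slides' code and not the Department of State's iPost implementation: an iPost-style risk scoring aggregator over the component feeds from the "Monitoring Tool Data Sources" slide, rolling per-host points up to a site total so a site can see which component drives its score. The point values, the password-age threshold, the per-day ADC counting and the host records are constructed assumptions; only the component IDs and what each one scores come from the slide.

```python
from collections import defaultdict

# Constructed, illustrative point values keyed by the slide's component IDs;
# State's actual iPost weights are not given on the slides.
WEIGHTS = {
    "VUL": {"high": 10, "medium": 5, "low": 1},  # per detected vulnerability, by severity
    "PAT": 3,    # per patch required but missing
    "SCM": 2,    # per required security setting the host fails
    "AVR": 6,    # anti-virus signature file out of date
    "UOS": 20,   # unapproved operating system
    "ADC": 1,    # per day a computer account password is past the threshold
    "VUR": 8,    # missed vulnerability scan
    "SCR": 8,    # missed security compliance scan
}
PASSWORD_AGE_THRESHOLD_DAYS = 60  # assumed ADC threshold

def score_host(host):
    """Return (total, per-component points) for one host record."""
    s = {}
    s["VUL"] = sum(WEIGHTS["VUL"][sev] for sev in host.get("vulns", []))
    s["PAT"] = WEIGHTS["PAT"] * len(host.get("missing_patches", []))
    s["SCM"] = WEIGHTS["SCM"] * len(host.get("failed_settings", []))
    s["AVR"] = WEIGHTS["AVR"] if host.get("av_sig_stale") else 0
    s["UOS"] = 0 if host.get("os_approved", True) else WEIGHTS["UOS"]
    over = max(0, host.get("pw_age_days", 0) - PASSWORD_AGE_THRESHOLD_DAYS)
    s["ADC"] = WEIGHTS["ADC"] * over
    s["VUR"] = WEIGHTS["VUR"] if host.get("vuln_scan_missed") else 0
    s["SCR"] = WEIGHTS["SCR"] if host.get("compliance_scan_missed") else 0
    return sum(s.values()), s

def score_site(hosts):
    """Aggregate host scores into a site total plus per-component totals, so a
    site can see which component contributes most of its risk."""
    total, by_component = 0, defaultdict(int)
    for h in hosts:
        t, parts = score_host(h)
        total += t
        for k, v in parts.items():
            by_component[k] += v
    return total, dict(by_component)

def worst_component(by_component):
    """Name the component contributing the most points, i.e. the remediation
    that would lower the site score fastest under these weights."""
    return max(by_component, key=by_component.get)

# Constructed sample feed for one site (two hosts).
SAMPLE_HOSTS = [
    {"name": "ws-01", "vulns": ["high", "low"], "missing_patches": ["patch-1"],
     "failed_settings": [], "av_sig_stale": False, "os_approved": True,
     "pw_age_days": 70, "vuln_scan_missed": False, "compliance_scan_missed": False},
    {"name": "ws-02", "vulns": [], "missing_patches": [], "failed_settings": ["a", "b"],
     "av_sig_stale": True, "os_approved": False, "pw_age_days": 10,
     "vuln_scan_missed": True, "compliance_scan_missed": False},
]

if __name__ == "__main__":
    site_total, parts = score_site(SAMPLE_HOSTS)
    print(site_total, parts, worst_component(parts))
```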
40/52
Remediation
41/52
CM Challenges
The Organization of the SP 800-53
Emerging CM Technologies
  SCAP
  OCIL
The Limitations of CAESARS
Department of State's iPost and Risk Scoring Program
42/52
Organization of Security Controls
18 Families
198 Controls
892 Control Items (Parts/Enhancements)
43/52
Evident in USGCB
44/52
Mapping STIG to 800-53
45/52
Using Fishbone to Find Root Controls
[Fishbone diagram; only the labels are recoverable from the slide:]
Spine: Plan, Engineer, & Prepare for Operations -> Operate, Monitor, & Improve
Phases: Prepare; Operate & Check; Improve Effectiveness; Measure
Numbered activities: Find Systemic Problems (1), Fix Issues by Priority (2), Manage & Operate (3), ID Score Deviations (4), Requirements Definition (11); the remaining numbers 5-10 cannot be matched to their labels in the extraction
Other branch labels: Policy & Planning, Assign Scores to Delta, Track Desired State, Track Actual, Design/Test/AQ/Infrastructure, Plan, Prep Staff, Value Proposition/Operational Metric (branches are tagged "PP" on the slide)
46/52
47/52
The Limitations of CAESARS
Lack of Interface Specifications
Reliance on an Enterprise Service Bus
Incomplete Communication Payload Specifications
Lack of Specifications Describing Subsystem Capabilities
Lack of a Multi-CM Instance Capability
Lack of Multi-Subsystem Instance Capability
CM Database Integration with Security Baseline Content
Lack of Detail on the Required Asset Inventory
Requirement for Risk Measurement
48/52
GAO Report on Scope of iPost Risk Scoring Program
(1) Addresses Windows hosts but not other IT assets on its major unclassified network
(2) Covers a set of 10 scoring components that includes some, but not all, information system controls that are intended to reduce risk
(3) State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment
49/52
Minimum Security Controls (FIPS 200) | Controls Monitored by iPost
Access Control | Security Compliance (AD Group check)
Awareness and Training | Awareness Training
Audit and Accountability | Reporting
Security Assessment and Authorization |
Configuration Management | Patching, SOE, Reporting (Inventory)
Contingency Planning |
Identification and Authentication | AD Computers & Users
Incident Response |
Maintenance |
Media Protection |
Physical and Environmental Protection |
Planning |
Personnel Security |
Risk Assessment | Vulnerabilities
System and Services Acquisition |
System and Communications Protection |
System and Information Integrity | Patching, Antivirus
50/52
Challenges with Implementation of iPost
(1) Overcoming limitations and technical issues with data collection tools
(2) Identifying and notifying individuals with responsibility for site-level security
(3) Implementing configuration management for iPost
(4) Adopting a strategy for continuous monitoring of controls
(5) Managing stakeholder expectations for continuous monitoring activities
51/52
Review
FISMA Compliance
  OMB Memorandums
  DHS FISMs
  NIST Standards & Guidelines
  Evolution via Deltas
CM Tools & Technologies:
  Guidelines: SP 800-137
  Automation Domains (SCAP, NVD)
  CAESARS Framework & State's iPost
CM Challenges
  The Organization of SP 800-53
  The Limitations of CAESARS
  Your Organization's ISCM
FITSI Objectives
1. Consistent Body of Knowledge
2. Training Baseline
Overcome CM Challenges with Collective Contributions
52/52
Q&A
Tina Kuligowski
Tina.Kuligowski@Securible.com
TinaKuligowski@gmail.com
571-229-0543