290 likes | 704 Vues
Standardizing and Automating Security Operations Presented by: National Institute of Standards and Technology Agenda Security Operations Today Information Security Automation Program Security Content Automation Protocol The Future of Vulnerability Management Next Steps 30,000 FT
E N D
Standardizing and Automating Security Operations Presented by: National Institute of Standards and Technology
Agenda • Security Operations Today • Information Security Automation Program • Security Content Automation Protocol • The Future of Vulnerability Management • Next Steps
30,000 FT FISMA Legislation High Level, Generalized, Information Security Requirements 15,000 FT Federal Information Processing Standards FIPS 199: Information System Security Categorization FIPS 200: Minimum Information Security Requirements Management-level Security Controls Technical-level Security Controls Operational-level Security Controls 5,000 FT Hands On FISMA Compliance Model Information System Security Configuration Settings NIST, NSA, DISA, Vendors, Third Parties (e.g., CIS) Checklists and Implementation Guidance
Configuration Management and Compliance This Top-Down Schema Needs to be Managed from the Bottom-Up FISMA HIPAA SOX GLB INTEL COMSEC ‘97 DoD ISO Vendor 3rd Party SP 800-53 ??? ??? ??? DCID NSA Req DoD IA Controls 17799/ 27001 SP 800-68 ??? NSA Guides DISA STIGS & Checklists ??? Guide Guide Finite Set of Possible Known IT Risk Controls & Application Configuration Options Agency Tailoring Mgmt, Operational, Technical Risk Controls Millions of Settings to manage across the Agency High Enterprise Mobile Moderate SP1 Stand Alone Low XP Windows SSLF SP2 OS or Application Version/ Role Major Patch Level Environment Impact Rating or MAC/CONF
Vulnerability Trends A 20-50% increase over previous years • Decreased timeline in exploit development coupled with a decreased patch development timeline (highly variable across vendors) • Three of the SANS Top 20 Internet Security Attack Targets 2006 were categorized as “configuration weaknesses.” Many of the remaining 20 can be partially mitigated via proper configuration. • Increased prevalence of zero day exploits
State of the Vulnerability Management Industry • Product functionality is becoming more hearty as vendors acknowledge connections between security operations and a wide variety of IT systems (e.g., asset management, change/configuration management) • Some vendors understand the value of bringing together vulnerability management data across multiple vendors • Vendors driving differentiation through: • enumeration, • evaluation, • content, • measurement, and • reporting • Hinders information sharing and automation • Reduces reproducibility across vendors • Drives broad differences in prioritization and remediation
Security Operations Landscape • Manual platform-level configuration management across the enterprise is unwieldy at best • A large amount of time is being spent by security operations personnel demonstrating compliance to a wide variety of laws and mandates using a configuration that’s fairly unchanging • Increasing number of laws and mandates • Increasing number of vulnerabilities per annum • A vulnerability management industry which seeks differentiation through enumeration, evaluation, content, measurement, and reporting
Key Milestone • NIST,DISA,NSA Security Automation Conference • September 2006 • 300+ attendees • Keynote addresses by: • Richard Hale, DISA CIAO • Dennis Heretick, DOJ CISO • Tony Sager, NSA’s Vulnerability Analysis and Operations Group Chief
Information Security Automation Program • The ISAP is an Interagency & Interdepartmental initiative. • Becoming formalized through an MOA recognizing the need to: • Create and manage the evolution of a standards-based methodology for automating the implementation, monitoring, and adjustment of information system security. • Identify and reduce the number of known vulnerabilities and misconfigurations in government computing infrastructures over a shorter period of time. • Re-focus the vulnerability management industry on differentiation through product function. • Encourage innovation in the global market place.
Security Content Automation Protocol (SCAP)Standardizing our Enumeration, Evaluation, Measuring, and Reporting Cisco, Qualys, Symantec, Carnegie Mellon University
Vulnerability Management Asset Management Configuration Management Integrating IT and IT Security Through SCAP CVE Misconfiguration OVAL CVSS SCAP XCCDF CCE CPE
2.5 million hits per month 20 new vulnerabilities per day Cross references all publicly available U.S. Government vulnerability resources FISMA Security Controls (All 17 Families and 163 controls for reporting reasons) DoD IA Controls DISA VMS Vulnerability IDs Gold Disk VIDs DISA VMS PDI IDs NSA References DCID ISO 17799 Produces XML feed for NVD content In response to NIST being named in the Cyber Security R&D Act of 2002 Encourages vendor development and maintenance of security guidance Currently hosts 112 separate guidance documents for over 125 IT products Translating this backlog of checklists into the Security Content Automating Protocol (SCAP) Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements, ThreatGuard, MITRE Corporation, G2, Verisign, Verizon Federal, Kyocera, Hewlett-Packard, ConfigureSoft, McAfee, etc. Existing Federal ProductsStandardizing our Content
Standardized Checklist Standardized Test Procedures Standardized Measurement and Reporting XCCDF OVAL CVSS XCCDF Compliance and Audit Report Change Control Process Metrics and Compliance Process CVE, CCE, CPE, XCCDF, OVAL, CVSS Metrics Report Standardized Change List Standardized Change Procedures Standardized Measurement and Reporting XCCDF OVRL CVSS XCCDF The Future of Vulnerability Management Operations Configuration Organization Guidelines (e.g., STIG) NIST Checklist Program Misconfiguration Software Flaws National Vulnerability Database Intelligence Feeds Vulnerability Alerts (e.g., IAVA)
Key Milestone OMB Windows Security Configuration Memo – 22 March 2007 M-07-11: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf) • Acknowledges the role of NIST, DoD, and DISA in baselining security configurations for Windows XP and Vista, and directs departments and agencies to adopt the Vista security configuration • Acknowledges that we are ahead of the Vista OS deployment and encourages use of a “very small number of secure configurations” • Acknowledges that adoption increases security, increases network performance, and lowers operating costs • Mandates adoption of these security configurations by 1 February 2008, and requests draft implementation plans by 1 May 2007 • Corresponding OMB Memo to CIOs: Requires, “Implementing and automating enforcement of these configurations;” Excerpt from SANS FLASH Announcement: “The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money. The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now. Alan [Alan Paller, Director of Research, SANS Institute] PS. SANS hasn't issued a FLASH announcement in more than two years. [In other words,] this White House action matters.”
Next Steps Vendors • Continue adoption of all SCAP standards – be a keystone product • Continue using the content of NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists • Put SCAP technologies on your roadmap and budget accordingly Service Providers • Continue using the content of NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists • Prepare to help the operations community reconcile multiple mandates into XCCDF checklists • Position yourself to integrate SCAP compliant products • Put SCAP and vulnerability management automation on your services roadmap and budget accordingly Operations Community • Interact with your vendors and service providers about SCAP, ask about their SCAP plans, ask about their SCAP readiness • Begin using the phrasing like “SCAP compliant” in your acquisition language • Put SCAP and vulnerability management automation on your roadmap and budget accordingly
Upcoming Events • 11 June 2007 Defense Network Centric Operations 2007 • Mid-Late Summer Security Automation Workshop • Vendor demonstrations • Federal operations use cases
Questions National Institute of Standards & Technology Information Technology Laboratory Computer Security Division
Error Report Problem: Air Pressure Loss Diagnosis Accuracy: All Sensors Reporting Diagnosis: Replace Gas Cap Expected Cost: $25.00 XML Made Simple XCCDF - eXtensible Car Care Description Format OVAL – Open Vehicle Assessment Language <Car> <Description> <Year> 1997 </Year> <Make> Ford </Make> <Model> Contour </Model> <Maintenance> <Check1> Gas Cap = On <> <Check2>Oil Level = Full <> </Maintenance> </Description> </Car> <Checks> <Check1> <Location> Side of Car <> <Procedure> Turn <> </Check1> <Check2> <Location> Hood <> </Procedure> … <> </Check2> </Checks>
XML Made Simple XCCDF - eXtensible Checklist Configuration Description Format OVAL – Open Vulnerability Assessment Language Standardized Checklist Standardized Test Procedures <Document ID> NIST SP 800-68 <Date> 04/22/06 </Date> <Version> 1 </Version> <Revision> 2 </Revision> <Platform> Windows XP <Check1> Password >= 8 <> <Check2> FIPS Compliant <> </Maintenance> </Description> </Car> <Checks> <Check1> <Registry Check> … <> <Value> 8 </Value> </Check1> <Check2> <File Version> … <> <Value> 1.0.12.4 </Value> </Check2> </Checks> Standardized Measurement and Reporting
Application to Automated ComplianceThe Connected Path Result 800-53 Security Control 800-68 Security Guidance API Call ISAP Produced Security Guidance in XML Format COTS Tool Ingest
Application to Automated ComplianceThe Connected Path Result 800-53 Security Control DoD IA Control RegQueryValue (lpHKey, path, value, sKey, Value, Op); If (Op == ‘>” ) if ((sKey < Value ) return (1); else return (0); AC-7 Unsuccessful Login Attempts 800-68 Security Guidance DISA STIG/Checklist NSA Guide AC-7: Account Lockout Duration AC-7: Account Lockout Threshold API Call ISAP Produced Security Guidance in XML Format lpHKey = “HKEY_LOCAL_MACHINE” Path = “Software\Microsoft\Windows\” Value = “5” sKey = “AccountLockoutDuration” Op = “>“ - <registry_test id="wrt-9999" comment=“Account Lockout Duration Set to 5" check="at least 5"> - <object> <hive>HKEY_LOCAL_MACHINE</hive> <key>Software\Microsoft\Windows</key> <name>AccountLockoutDuration</name> </object> - <data operation="AND"> <value operator=“greater than">5*</value> COTS Tool Ingest