Continuous Monitoring
Proprietary Information of SecureInfo® Corporation © 2011 All Rights Reserved
Agenda
• Current State of Continuous Monitoring
• Continuous Monitoring Defined
• FedRAMP Status
• Continuous Monitoring Solutions
• Top 10 Lessons Learned
FISMA Continuous Monitoring Today
1. “Annual” systems inventory
2. “Annual” testing
3. C&A every “three” years
4. Weaknesses “Quarterly”
5. Train “once a year” (awareness)
Continuous Monitoring Tomorrow
1. “Daily” awareness training
2. Inventory improvements
3. Daily not “Annual” testing
4. C&A technical controls x 72
5. “Daily” weakness updates
6. Configuration Management
7. Incident Reporting
Strong Demand for Ideas
Continuous Monitoring / RMF Webinar
Dr. Ron Ross, NIST
Senior Computer Scientist at NIST
Principal Architect, Risk Management Framework
Dr. Ross leads the FISMA implementation project which includes the
development of security standards and guidelines.
Matt Coose, DHS
Director of FNS (Federal Network Security)
Mr. Coose leads the Federal Network Security organization within NCSD
and works across the federal government to improve the cyber security
posture of federal systems and networks.
Robert C. West, DHS
Chief Information Security Officer
Mr. West was selected as the first CISO of the Department of Homeland
Security and continues to lead the Department’s information security
organization and programs.
– SecureInfo sponsored and moderated
– 400+ attendees from public/private sector
– Closed all available seats in less than a month
Continuous Monitoring Defined
Source: NIST 800-137 IPD
Continuous Monitoring Domains
• All controls are NOT required
• Define your own frequencies for monitoring controls
• 800-137 provides guidance on controls by domain
Continuous Monitoring Simplified
Assessment Data, Compliance Data and Asset Data feed a Rules Engine that correlates the data to standards (NIST 800-53, or your own). Results are presented as Scorecards & Reports with drill down, and as a My Tasks view. Scoring is by requirement: if 5 out of 10 requirements are compliant, your score is 50%.
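The pipeline on this slide, worked through as an added example (this is not SecureInfo's product code): three feeds joined on a common asset key, a rule table that maps each check to a NIST 800-53 control ID (CM-6, CM-8, RA-5, SI-2 and SI-3, the controls this deck recommends for Low-impact cloud systems), and the requirement-count scoring rule from the slide. Host names, feed records and the scan-age and signature-age thresholds are constructed assumptions.

```python
"""Added example: a minimal continuous-monitoring rules engine.

Three feeds (asset, compliance, assessment data), each keyed by a common
asset key, are correlated by a rule table that maps every check to a
control ID.  Output: a per-control scorecard, an overall score, and a
task list of failing items.  All data and thresholds are constructed.
"""
from dataclasses import dataclass

MAX_SCAN_AGE_DAYS = 30   # assumed RA-5 scan frequency
MAX_SIG_AGE_DAYS = 7     # assumed SI-3 signature freshness

# --- Constructed sample feeds (hypothetical hosts, not real systems) ----
ASSETS = {                      # system of record for inventory (CM-8)
    "web01":  {"owner": "app-team"},
    "db01":   {"owner": "data-team"},
    "jump01": {"owner": "ops"},
}
DISCOVERED = {"web01", "db01", "jump01", "rogue07"}   # hosts seen by the scanner
COMPLIANCE = {                  # configuration-check results (CM-6)
    "web01":  {"failed_checks": []},
    "db01":   {"failed_checks": ["ssh-permit-root-login"]},
    "jump01": {"failed_checks": []},
}
ASSESSMENT = {                  # scan / patch / anti-malware status
    "web01":  {"last_scan_days": 3,  "high_vulns": 0, "missing_patches": 0, "sig_age_days": 1},
    "db01":   {"last_scan_days": 40, "high_vulns": 2, "missing_patches": 5, "sig_age_days": 2},
    "jump01": {"last_scan_days": 5,  "high_vulns": 0, "missing_patches": 1, "sig_age_days": 20},
}

# --- Rule table: (control, requirement, predicate over one host's records) --
# Swap this table for another standard's control IDs ("NIST 800-53 or your own").
# A predicate receives None when a feed has no record for the host; that is
# treated as a failure rather than silently skipping the host.
RULES = [
    ("CM-6", "no failed configuration checks",
     lambda c, a: c is not None and not c["failed_checks"]),
    ("RA-5", f"scanned within {MAX_SCAN_AGE_DAYS} days",
     lambda c, a: a is not None and a["last_scan_days"] <= MAX_SCAN_AGE_DAYS),
    ("SI-2", "no missing patches or high-severity findings",
     lambda c, a: a is not None and a["missing_patches"] == 0 and a["high_vulns"] == 0),
    ("SI-3", f"anti-malware signatures newer than {MAX_SIG_AGE_DAYS} days",
     lambda c, a: a is not None and a["sig_age_days"] <= MAX_SIG_AGE_DAYS),
]


@dataclass
class Finding:
    control: str
    asset: str
    passed: bool
    detail: str


def evaluate(assets, discovered, compliance, assessment, rules=RULES):
    """Correlate the feeds and return one Finding per (control, asset) requirement."""
    findings = []
    # CM-8: every discovered host must exist in the system of record.
    for host in sorted(discovered):
        known = host in assets
        findings.append(Finding("CM-8", host, known,
                                "in inventory" if known else "discovered host not in inventory"))
    # Remaining rules run per inventoried host, joined on the common asset key.
    for host in sorted(assets):
        c, a = compliance.get(host), assessment.get(host)
        for control, requirement, pred in rules:
            findings.append(Finding(control, host, bool(pred(c, a)), requirement))
    return findings


def scorecard(findings):
    """Per-control (passed, total, percent) plus the overall percent."""
    per_control = {}
    for f in findings:
        p, t = per_control.get(f.control, (0, 0))
        per_control[f.control] = (p + f.passed, t + 1)
    card = {k: (p, t, round(100.0 * p / t, 1)) for k, (p, t) in per_control.items()}
    passed = sum(f.passed for f in findings)
    overall = round(100.0 * passed / len(findings), 1) if findings else 0.0
    return card, overall


def tasks(findings):
    """'My Tasks': one line per failing requirement, for drill-down."""
    return [f"{f.control} {f.asset}: fails '{f.detail}'" for f in findings if not f.passed]


if __name__ == "__main__":
    fs = evaluate(ASSETS, DISCOVERED, COMPLIANCE, ASSESSMENT)
    card, overall = scorecard(fs)
    for control, (p, t, pct) in sorted(card.items()):
        print(f"{control}: {p}/{t} compliant ({pct}%)")
    print(f"overall: {overall}%")
    print("\n".join(tasks(fs)))
```

With the sample feeds, 10 of 16 requirements pass (62.5% overall), and the task list names the rogue host, the failed configuration check, the stale scan and the patch and signature gaps. A host that is in inventory but absent from a feed fails every rule that needs that feed, which is the behaviour you want when a data source goes quiet.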
FedRAMP
A government-wide initiative to provide Federal Agencies joint authorizations and continuous security monitoring services for outsourced systems …
• Unified government-wide risk management
• Agencies would leverage FedRAMP authorizations
FedRAMP provides: Authorization, Continuous Monitoring, Federal Security Requirements …
Source: FedRAMP Exec Briefing
Recommendations to FedRAMP
• Low impact cloud systems (116-control baseline): recommended controls to be represented via Continuous Monitoring are:
1. CM-6 Configuration Settings
2. CM-8 Information System Component Inventory
3. RA-5 Vulnerability Scanning
4. SI-2 Flaw Remediation
5. SI-3 Malicious Code Protection
• Moderate impact cloud systems (297-control baseline): recommended controls to be represented via Continuous Monitoring are:
1. AU-2 Auditable Events
2. CM-6 Configuration Settings
3. CM-8 Information System Component Inventory
4. IR-5 Incident Monitoring
5. IR-6 Incident Reporting
6. RA-5 Vulnerability Scanning
7. SI-2 Flaw Remediation
8. SI-3 Malicious Code Protection
9. SC-7 Boundary Protection
CAESARS
Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture Report
iPOST
• Remedy
• CiscoWorks
• HP OpenView
• Tavve PreView
• Microsoft SMS
• Niksun NetOmni
• Tenable Security Center
• NetIQ AppManager & SecurityManager
In Commercial Sector: Microsoft
Source: Global Foundation Services Information Security Management in the Cloud
Top 10 Lessons Learned
1. Identify a pilot group/department that represents a good cross section of your organization
2. Validate systems of record for your data sources
3. Verify data accuracy and “cleanliness” for analysis and reporting purposes
4. Develop questionnaires that are consumable in less than 15 minutes
5. Identify common keys for your data source linkages
Top 10 Lessons Learned Continued
6. Use Web Services and common data formats as much as possible (reduce batch jobs)
7. Define your key performance indicators & report metrics that are trackable automatically
8. Baseline pilot and enterprise deployments & track variances in parallel
9. Request review from peers at other organizations & form an internal steering committee of key stakeholders
10. Have a backup plan to generate the data manually should an issue arise with your automated system
Questions
Contact Information
Yong-Gon Chon
SVP & Chief Technology Officer
SecureInfo Corporation
703-245-9753 work
703-981-2624 mobile
703-245-8442 fax
www.secureinfo.com