Automating Crosswalk between
SP 800, 20 Critical Controls, and Australian
Government DSD’s 35 Mitigating Strategies
Ahmed Abdel-Aziz and Robert Sorensen
February, 2012
SANS Technology Institute
M.Sc. in Information Security Engineering
SANS Technology Institute - Candidate for Master of Science Degree
1
1
Objective
Provide guidance that GIAC Enterprises can use to
be in compliance with the most recognized
information security frameworks…
• NIST SP 800 Documents
• SANS’ Consensus Audit Guidelines (CAG)
• Australian Government Defence Signals Directorate’s
(DSD) top 35 Strategies
…while looking for opportunities to automate
controls and provide information back to
management in a meaningful format.
SP 800, 20 Critical Controls, and
DSD’s 35 Mitigating Strategies
•
Federal Information Security Management Act (FISMA) – authorized by Title III
of E-Government Act of 2002.
•
National Institute of Standards and Technology (NIST) tasked to develop,
document, and implement security standards (FISMA Implementation Project)
•
•
Special Publication (SP) 800-53
•
Federal Information Process Standard (FIPS) 200
SANS’, US defense base, federal agencies, and private organizations defined
most critical controls to protect information and information systems.
•
•
Consensus Audit Guidelines – 20 Critical controls
Australian Government Defence Signals Directorate
•
DSD’s Top 35 Mitigating Strategies
SP 800, 20 Critical Controls, and
DSD’s 35 Mitigating Strategies
The SANS’ 20 Critical Controls are meant to reinforce and prioritize
some of the most important elements of the guidelines, standards,
and requirements put forth in other US government documentation,
such as NIST Special Publication 800-53 .
These guidelines do not conflict with such recommendations. In
fact, the guidelines set forth are a proper subset of the
recommendations of NIST SP 800-53, designed so that organizations
can focus on a specific set of actions associated with current threats
and computer attacks they face every day.
The DSD’s 35 Mitigating Strategies focus on individual tasks
organizations can undertake to improve their security stance. They
are a focused subset of the 20 Critical Controls.
APT-Focused Security Strategy
Risk-Based Approach
•
Initially implement subset of 20 Critical Controls to address
GIAC Enterprises’ highest risks first (APT-related risks)
•
“Offense informs defense” concept suggests that 4
controls are best geared to address APT-related risks
•
•
•
•
Controlled Access based on the Need-to-Know (Control 15)
Continuous Vulnerability Assessment and Remediation (Control 4)
Malware Defenses (Control 5)
Data Loss Prevention (DLP) (Control 17)
Automation Approach: Controls 15 & 17
(Focus on the Data)
Sensitive
Regulatory Data
Sensitive
Corporate Data
Credit card data
Privacy data (PII)
Health care information
Intellectual property
Control Data-at-Rest
Financial information
Trade secrets
Control Data-in-Motion
Control Data-in-Use
Automation Approach: Controls 15 & 17
(Automating Data Classification and Policy Definition)
+
Business
Managers
Step 2
Create DLP Policy &
check for feasibility
DLP
Admin
End
Users
Step 1
Identify files &
set business rules

Step 3
DLP Policy is routed
for approval
Step 4
Approved
DLP
policy
Policy applied across the organization
Automation Approach: Controls 15 & 17
(Automating the Control of Data-in-Motion)
Process to Reach Automation (Data-in-Motion)
?
RISK
DISCOVER
(Data-in-Motion)
EDUCATE
(Data-in-Motion)
ENFORCE
(Data-in-Motion)
Risk Across: web protocols,
e-mails, IM, generic TCP/IP
protocols
Users Just-in-Time
Encryption, Blocking,
etc.
(Monitor Only)
Understand Risk
TIME
(Monitor & Educate)
Reduce Risk
(Automate Action)
Automation Approach: Controls 15 & 17
(Automating the Control of Data-at-Rest)
SharePoint
Business
Users
Apply DRM
Databases
Encrypt
NAS/SAN
Data Loss
Prevention (DLP
Risk Remediation
Manager (RRM)
Delete / Shred
Change Permissions
File
Servers
File Activity
Tools
GRC
Systems
Policy Exception
Endpoints
Discover Sensitive Data
Manage Remediation
Workflow
Apply
Controls
Automation Approach: Controls 4 & 5
(Prevention and Mitigation of APTs/Understanding the Attack Vector)
Automation Approach: Controls 4 & 5
(Risk Assessment/Continuous Monitoring)
Risk Assessment
Vulnerability Scanning
Automation Approach: Controls 4 & 5
(Automating Continuous Vulnerability Assessment and Remediation)
Automation Approach: Controls 4 & 5
(Automating Continuous Monitoring of Malware
and Malware Callbacks)
Reducing risk of data loss through malware infections
•Implement basic and necessary malware protection – HIPS, AV,
AntiSpam, etc.
•Train and educate users concerning social engineering tactics.
•Use of advanced technology – Virtual inspection of executable
malware in real-time to identify and block command and control
communications.
Recommended Action Plan
1)
2)
3)
4)
5)
6)
Conduct gap assessment to compare GIAC Enterprises’s
current security stance to detailed critical controls
Implement “quick win” critical controls to address gaps
Implement controls numbers 4 & 5 using previous
automation approaches
Implement controls numbers 15 & 17 using previous
automation approaches
Analyze and understand how remaining controls (beyond
quck wins, and controls 4, 5, 15, 17) can be deployed
Plan for deployment, over the longer term, of the
“advanced controls”, giving priority to controls 4, 5, 15, 17