Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Automating Compliance with Security Content Automation

advertisement 
Automating Compliance with
Security Content Automation Protocol
presented by:
National Institute of Standards and Technology
Agenda
 
 
 
 
 
 
 
Information Security Current State
Security Content Automation Protocol Introduction
Current Stakeholders
Use Cases
Validation Program Background and Status
Possible Future Directions for SCAP
Summary
Current State Security Operations
Governance Body
• Compliance Management
• Vulnerability Management
• Configuration Management
• Asset Management
OCIO
Audit Team
• Compliance Management
• Vulnerability Management
• Configuration Management
• Asset Management
Vulnerability + Threat
• Increased annual vulnerabilities
• Increased zero day attacks
• Decreased exploit timelines
• Continued mis-configuration
• Continued exfiltration
• Continued weak links
Operations
Team
Product
Provider
Service
Provider
Standards
Body
What is SCAP?
How
What
Standardizing the format by which we
communicate
Protocol
Standardizing the information we
communicate
Content
CVE
OVAL
CVSS
CPE
SCAP
http://nvd.nist.gov
CCE
XCCDF
•  70 million hits per year
•  20 new vulnerabilities per day, over 6,000 per year
•  Mis-configuration cross references
•  Reconciles software flaws from US CERT and
MITRE repositories
•  Produces XML feed for NVD content
Convergent Evolution of Post-Compilation Software Maintenance
2008: NVD will become production-ready for SCAP
version 1.0
2007: OMB mandates use of SCAP validated tools for
assessing Federal Desktop Core Configuration
(FDCC)
2007: NCP legacy checklists become available
through NVD Web site
2007: NCP promotes SCAP as the preferred format
for all new checklists
2006-07: Announcements that the following
guidelines will be available in SCAP format:
DISA Security Technical Implementation Guides
(STIG)
JTF-GNO Information Assurance Vulnerability
Management (IAVM) alerts
RedHat Security Guides
2006: NVD becomes reference data for SCAP
2006: SCAP reaches Beta formulation with
publication of the NIST Draft Interagency
Report (IR) 7343
2005: iCAT becomes NVD
2002: NCP established through Cyber Security R&D
Act of 2002
1999: iCAT established
…
2008
2007
2006
2005
2004
SCAP
2003
NCP
2002
…
NVD
National Checklist Program Hosted at National
Vulnerability Database Website
How SCAP Works
Report
Checklist
XCCDF
Platform
CPE
Misconfiguration CCE
Specific Impact CVSS
Results
General Impact CVSS
Software
SoftwareFlaw
Flaw
CVE
Specific Impact CVSS
Results
General Impact CVSS
Commercial
Government
Tools
Test Procedures OVAL
Patches
OVAL
Linking Configuration to Compliance
Keyed on SP800-53
Security Controls
<Group id="IA-5" hidden="true">
<title>Authenticator Management</title>
<reference>ISO/IEC 17799: 11.5.2, 11.5.3</reference>
<reference>NIST 800-26: 15.1.6, 15.1.7, 15.1.9, 15.1.10,
15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3</reference>
<reference>GAO FISCAM: AC-3.2</reference>
<reference>DOD 8500.2: IAKM-1, IATS-1</reference>
<reference>DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference>
</Group>
Traceability to Mandates
<Rule id="minimum-password-length" selected="false"
weight="10.0">
<reference>CCE-100</reference>
<reference>DISA STIG Section 5.4.1.3</reference>
<reference>DISA Gold Disk ID 7082</reference>
<reference>PDI IAIA-12B</reference>
Traceability to Guidelines
<reference>800-68 Section 6.1 - Table A-1.4</reference>
<reference>NSA Chapter 4 - Table 1 Row 4</reference>
<requires idref="IA-5"/>
[pointer to OVAL test procedure] Rationale for security
</Rule>
configuration
Federal Risk Management Framework
Starting Point
FIPS 199 / SP 800-60
SP 800-37 / SP 800-53A
Monitor
Security Controls
Continuously track changes to the information
system that may affect security controls and
reassess control effectiveness
Categorize
Information System
Define criticality /sensitivity of
information system according to
potential impact of loss
FIPS 200 / SP 800-53
Select
Security
Controls
Select baseline (minimum) security controls to
protect the information system; apply tailoring
guidance as appropriate
SP 800-37
SP 800-53 / SP 800-30
Authorize
Supplement
Information System
Security Controls
Determine risk to agency operations, agency
assets, or individuals and, if acceptable,
authorize information system operation
Use risk assessment results to supplement the
tailored security control baseline as needed to
ensure adequate security and due diligence
SP 800-53A
Assess
Security Controls
Determine security control effectiveness (i.e.,
controls implemented correctly, operating as
intended, meeting security requirements)
SP 800-70
Implement
Security Controls
Implement security controls; apply
security configuration settings
SP 800-18
Document
Security Controls
Document in the security plan, the security
requirements for the information system and
the security controls planned or in place
Integrating IT and IT Security Through SCAP
Vulnerability Management
Common Vulnerability Enumeration
Common Platform Enumeration
Common Configuration Enumeration
eXtensible Checklist Configuration Description Format
Open Vulnerability and Assessment Language
Common Vulnerability Scoring System
CVE
Misconfiguration
OVAL
CVSS
Asset
Management
CPE
SCAP
CCE
XCCDF
Compliance Management
Configuration
Management
Agility in a Digital World
Organization One
Information
System
Organization Two
Business / Mission
Information Flow
System Security Plan
Security Assessment Report
Information
System
System Security Plan
Security Information
Security Assessment Report
Plan of Action and Milestones
Plan of Action and Milestones
Determining the risk to the first
organization’s operations and assets and
the acceptability of such risk
Determining the risk to the second
organization’s operations and assets and
the acceptability of such risk
The objective is to achieve visibility into prospective business/mission partners information
security programs BEFORE critical/sensitive communications begin…establishing levels of
security due diligence and trust.
Stakeholder and Contributor Landscape: Industry
Product Teams and Content Contributors
Ai Metrix
Stakeholder and Contributor Landscape: Federal Agencies
SCAP Infrastructure, Beta Tests, Use Cases, and Early Adopters
DHS
OMB
NSA
IC
OSD
DISA
DOJ
EPA
Army
NIST
DOS
Use Case: The Office of Secretary of Defense
Computer
Network
Data Pilot
CND Data
ModelDefense
Overview
Asset
Config
IP
CPE
Vuln
HW SW net
CPE CCE
CVSS
Remedy
CCE
Env Info
IP
CPE
location
IP MAC cert owner
EIN FQDN MAC location
Threat
Vulnerability
Category
IDs
CVE
CPE
CVE CCE CPE
IDs
Technique
IP
CPE
CVE
CCE
Event
DHCP Event NAT Event
IP
MAC
IP
Anomaly Evnt Flow Event
CEE
IP
Sig Event
CVE
Vuln CME
IP
CPE
CME
CVE
IP
CPE
CPE
Log Event
CEE
CEE
Event
IP/MAC
CPE
Incident
Event
Assessment
Actor
Exploit
Asset
Exploit
IP
Vuln CME
Actor
Use Case: The Office of Management and Budget
Federal Desktop Core Configuration
OMB 31 July 2007 Memo to CIOs: Establishment of Windows XP and VISTA Virtual
Machine and Procedures for Adopting the Federal Desktop Core Configurations
“As we noted in the June 1, 2007 follow-up policy memorandum
M-07-18, “Ensuring New Acquisitions Include Common Security
Configurations,” a virtual machine would be established “to
provide agencies and information technology providers’ access
to Windows XP and VISTA images.” The National Institute of
Standards and Technology (NIST), Microsoft, the Department of
Defense, and the Department of Homeland Security have now
established a website hosting the virtual machine images, which can
be found at: http://csrc.nist.gov/fdcc.”
“Your agency can now acquire information technology products that
are self-asserted by information technology providers as compliant
with the Windows XP & VISTA FDCC, and use NIST’s Security
Content Automation Protocol (S-CAP) to help evaluate
providers’ self-assertions. Information technology providers
must use S-CAP validated tools, as they become available, to
certify their products do not alter these configurations, and
agencies must use these tools when monitoring use of these
configurations.”
SCAP Validation Labs and Products
Validated Products:
• 5 vendors
• 6 products
• 7 capabilities-based validations
• 2 standards-based validations
Accredited Laboratories:
• Electronic Warfare Associates
(EWA) Canada
• ICSA Labs - an independent
division of Verizon Business
• Science Applications
International Corporation (SAIC)
• ATSEC Information Security
Corporation
• COACT Incorporated, CAFE
Laboratory
SCAP Validation In-Progress and Potential
Where Can SCAP Go?
 
 
 
Continue to reduce the boundary between written specifications
and action
Expand to implementation and remediation of vulnerabilities and
security configurations
Extend into additional security technologies (e.g., IDS/IPS,
firewall) and into other IT technologies (e.g., asset and
configuration management)
We are open to additional use cases
Summary
 
 
 
SCAP gives us a transparent, interoperable, repeatable,
and ultimately automated way to assess security software
flaws and misconfiguration in the enterprise
Efficiencies gained through SCAP give our IT security
teams additional cycles to address other important aspects
of IT security
By linking compliance to configuration, SCAP makes
compliance reporting a byproduct of good security,
allowing IT security teams to focus on securing the
enterprise
More Information
National Checklist Program
http://checklists.nist.gov
National Vulnerability Database
http://nvd.nist.gov or http://scap.nist.gov
• 
SCAP Checklists
• 
SCAP Capable Products
• 
SCAP Events
NIST FDCC Web Site
• 
FDCC SCAP Checklists
• 
FDCC Settings
• 
Virtual Machine Images
• 
Group Policy Objects
NIST SCAP Mailing Lists
http://fdcc.nist.gov
Scap-update@nist.gov
Scap-dev@nist.gov
Scap-content@nist.gov
Contact Information
100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930
Steve Quinn
Peter Mell
(301) 975-6967
(301) 975-5572
stephen.quinn@nist.gov
mell@nist.gov
Karen Scarfone
(301) 975-8136
karen.scarfone@nist.gov
Matt Barrett
(301) 975-3390
matthew.barrett@nist.gov
Murugiah Souppaya
(301) 975-4758
murugiah.souppaya@nist.gov
Information and Feedback
Web: http://scap.nist.gov
Comments: scap-update@nist.gov
Additional Information
Current State: Compliance and Configuration Management
FISMA
HIPAA
SOX
DCID
COMSEC ‘97
DoD
ISO
SP 800-53
Title III
???
DCID6/3
NSA Req
DoD
IA Controls
17799/
27001
SP 800-68
Security
Agency
Guides
NSA
Guides
DISA STIGS
& Checklists
???
Vendor
3rd Party
Compliance
Management
Guide
Guide
Finite Set of Possible Known IT Risk Controls & Application Configuration Options
Agency Tailoring
Mgmt, Operational, Technical
Risk Controls
SP1
Windows
OS or
Application
XP
Version/
Role
SP2
Major Patch
Level
Enterprise
Mobile
Stand Alone
High
Moderate
Low
SSLF
Environment
Impact Rating
or MAC
/CONF
Millions of
settings to
manage
Configuration
Management
Current State: Vulnerability Trends
9,000
8,000
7,000
6,000
5,000
4,000
CERT/CC
NVD
OSVDB
Symantec
3,000
2,000
1,000
A 20-50%
increase over
previous years
0
2001
2002
2003
2004
2005
2006
• Decreased timeline in exploit development
• Increased prevalence of zero day exploits
• Three of the SANS Top 20 Internet Security Attack Targets 2006 were
categorized as “configuration weaknesses.” Many of the remaining 17 can be
partially mitigated via proper configuration.
Security Content Automation Protocol (SCAP)
Standardizing How We Communicate
Cisco, Qualys,
Symantec, Carnegie
Mellon University
CVE
Common
Vulnerability
Enumeration
Standard nomenclature and
dictionary of security related
software flaws
CCE
Common
Configuration
Enumeration
Standard nomenclature and
dictionary of software
misconfigurations
CPE
Common Platform
Enumeration
Standard nomenclature and
dictionary for product naming
XCCDF
eXtensible Checklist
Configuration
Description Format
Standard XML for specifying
checklists and for reporting
results of checklist evaluation
OVAL
Open Vulnerability
and Assessment
Language
Standard XML for test
procedures
CVSS
Common
Vulnerability Scoring
System
Standard for measuring the
impact of vulnerabilities
Existing Federal Content
Standardizing What We Communicate
 
 
 
 
 
 
 
In response to NIST being named in the
Cyber Security R&D Act of 2002
Encourages vendor development and
maintenance of security guidance
Currently hosts 114 separate guidance
documents for over 141 IT products
Translating this backlog of checklists into the
Security Content Automating Protocol
(SCAP)
Participating organizations: DISA, NSA,
NIST, Hewlett-Packard, CIS, ITAA, Oracle,
Sun, Apple, Microsoft, Citadel, LJK, Secure
Elements, ThreatGuard, MITRE Corporation,
G2, Verisign, Verizon Federal, Kyocera,
Hewlett-Packard, ConfigureSoft, McAfee,
etc.
 
 
 
 
Over 70 million hits per year
29,000 vulnerabilities
About 20 new vulnerabilities per day
Mis-configuration cross references to:
 
NIST SP 800-53 Security Controls (All
17 Families and 163 controls)
 
DoD IA Controls
 
DISA VMS Vulnerability IDs
 
Gold Disk VIDs
 
DISA VMS PDI IDs
 
NSA References
 
DCID
 
ISO 17799
Reconciles software flaws from:
 
US CERT Technical Alerts
 
US CERT Vulnerability Alerts
(CERTCC)
 
MITRE OVAL Software Flaw Checks
 
MITRE CVE Dictionary
Produces XML feed for NVD content
SCAP Validation Program Capabilities
Capability FDCC SCAP CVE CCE CPE XCCDF OVAL CVSS
FDCC Scanner
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Authenticated Configuration Scanner
X
Authenticated Vulnerability and Patch Scanner
X
X
X
Unauthenticated Vulnerability Scanner
X
X
X
X
Intrusion Detection/Prevention Systems
X
X
X
X
Patch Remediation
X
X
X
X
Mic-Configuration Remediation
X
X
X
Asset Management
X
X
X
Asset Database
X
X
X
Vulnerability Database
X
X
X
Mis-Configuration Database
X
X
X
Malware Tool
X
X
X
X
X
X
X
NOTE: Xs indicate some degree of testing, but not necessarily all-inclusive testing, for the indicated standard
NOTE: Grey font indicates capabilities that are not yet available for test
SCAP Value
Feature
Standardizes how computers communicate
vulnerability information – the protocol
Standardizes what vulnerability information
computers communicate – the content
Based on open standards
Uses configuration and asset management
standards
Applicable to many different Risk
Management Frameworks – Assess, Monitor,
Implement
Detailed traceability to multiple security
mandates and guidelines
Keyed on NIST SP 800-53 security controls
Benefit
Enables interoperability for products and services of various
manufacture
 
Enables repeatability across products and services of various
manufacture
 Reduces content-based variance in operational decisions and
actions
 
Harnesses the collective brain power of the masses for creation and
evolution
 Adapts to a wide array of use cases
 
Mobilizes asset inventory and configuration information for use in
vulnerability and compliance management
 
Reduces time, effort, and expense of risk management process
 
Automates portions of compliance demonstration and reporting
 Reduces chance of misinterpretation between Inspector General/
auditors and operations teams
 
Automates portions of FISMA compliance demonstration and
reporting
 
Related documents
a print entry form (Word).
a print entry form (Word).
PowerPoint Slides from this Seminar
PowerPoint Slides from this Seminar
PowerPoint Presentation - Japanese Workers and the Struggle for
PowerPoint Presentation - Japanese Workers and the Struggle for
7_Monitoring Controls
7_Monitoring Controls
Risk is the net negative impact of the exercise of a vulnerability
Risk is the net negative impact of the exercise of a vulnerability
Click to a copy of college transition suggested readings.
Click to a copy of college transition suggested readings.
recruitment-student-1
recruitment-student-1
Risk Likelihood, Risk Impact, and Risk Level Definitions
Risk Likelihood, Risk Impact, and Risk Level Definitions
Printable NIST information
Printable NIST information
Download
advertisement