FITSI-DC - Continuous Monitoring
Overview

Evolution of FISMA Compliance
  NIST Standards & Guidelines (SP 800-37r1, SP 800-53)
  OMB Memorandums (M-11-33, M-10-28)
  DHS Federal Information Security Memorandums (FISM 11-02)
  The Deltas

CM Challenges
  The Organization of SP 800-53
  The Limitations of CAESARS
  GAO Report: Limitations of iPost and Risk Scoring Program
Traditional C&A phases mapped to Risk Management Framework (SP 800-37r1) steps and tasks

Initiation phase
  Traditional C&A, Subtask 1 (Preparation): Information System Description; Security Categorization; Threat Identification; Vulnerability Identification; Security Control Identification
  RMF tasks: 1.1 Security Categorization; 1.2 Information System Description; 1.3 Information System Registration; 2.1 Common Control Identification; 2.2 Security Control Selection; 3.1 Security Control Implementation; 3.2 Security Control Documentation

  Traditional C&A, Subtask 3 (SSP Analysis, Update, and Acceptance): Security Categorization Review; System Security Plan Analysis; System Security Plan Update; System Security Plan Acceptance
  RMF task: 2.4 Security Plan Approval

Certification phase
  Traditional C&A subtasks: Documentation and Supporting Materials; Methods and Procedures; Security Assessment; Security Assessment Report; Findings and Recommendations; System Security Plan Update; POAM Preparation
  RMF tasks: 4.1 Assessment Preparation; 4.2 Security Control Assessment; 4.3 Security Assessment Report; 4.4 Remediation Actions; 5.1 Plan of Action and Milestones

Accreditation phase
  Traditional C&A subtasks: Accreditation Package Assembly; Final Risk Determination; Risk Acceptability; Security Accreditation Package Transmission; System Security Plan Update
  RMF tasks: 5.2 Security Authorization Package; 5.3 Risk Determination; 5.4 Risk Acceptance

Continuous Monitoring phase
  Traditional C&A subtasks: Documentation of Information System Changes; Security Impact Analysis; Security Control Selection; Selected Security Control Assessment; System Security Plan Update; POAM Update; Status Reporting
  RMF tasks: 6.1 Information System and Environment Changes; 2.3 Monitoring Strategy (sorta); 6.2 Ongoing Security Control Assessments; 6.3 Ongoing Remediation Actions; 6.4 Key Updates
Diagram: standards bodies and documents behind the RMF
  NIST (National Institute of Standards and Technology): SP 800-37 Risk Management Framework; SP 800-53r3 Security Controls; SP 800-39 Managing Information Security Risk
  Committee on National Security Systems (CNSS 1253)
  Department of Defense: DITSCAP / NIACAP; DIACAP
  Office of the Director of National Intelligence: DCID 6/3 C&A Guidelines
  NSA
  ISO/IEC 27001
  Collaboration among public and private sector entities: Johns Hopkins APL; MITRE Corporation (NVD); Booz Allen Hamilton
DHS Cyberscope

Monthly Data Feeds to DHS
  1. Inventory
  2. Systems and Services
  3. Hardware
  4. Software
  5. External Connections
  6. Security Training
  7. Identity Management and Access
Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

ISCM begins with leadership defining a comprehensive ISCM strategy encompassing technology, processes, procedures, operating environments, and people.

SP 800-137
ISCM Criteria

Risk Management Strategy
  1. How the organization plans to assess, respond to, and monitor risk
  2. Oversight required to ensure effectiveness of the RM strategy

Program Management
  1. Defined by how business processes are prioritized
  2. Types of information needed to successfully execute those business processes

Monitoring System-Level Controls and Security Status Reporting
  1. Security alerts
  2. Security incidents
  3. Identified threat activities

Guidance: SP 800-137

  Risk tolerance
  Enterprise architecture
  Security architecture
  Security configurations
  Plans for changes to the enterprise architecture
  Available threat information
The CM Process
  1. Define an ISCM strategy
  2. Establish an ISCM program
  3. Implement an ISCM program
  4. Determine the appropriate response
  5. Mitigate risk
  6. Review and update the monitoring program
Automation Domains: Tools and Technologies, and NIST Guidelines
  1 - Vulnerability Management: vulnerability scanners | NIST SP 800-40, Creating a Patch and Vulnerability Management Program
  2 - Patch Management: patch management tools | NIST SP 800-40
  3 - Event Management: intrusion detection/prevention systems and logging mechanisms | NIST SP 800-92, Guide to Computer Security Log Management; NIST SP 800-94, Guide to IDPS
  4 - Incident Management
  5 - Malware Detection: antivirus / malware detection mechanisms | NIST SP 800-83, Guide to Malware Incident Prevention and Handling
  6 - Configuration Management: SCAP, SIEM, dashboards | NIST SP 800-126r2, The Technical Specification for SCAP Version 1.2

Tools and Technologies
  System configuration, network management, and license management tools
  Host discovery, inventory, change control, performance monitoring, and other network device management capabilities
  License management tools
  Data Loss Prevention (DLP) tools: network analysis software, application firewalls, and intrusion detection and prevention systems

Software Assurance Automation Protocol (SwAAP: measure and enumerate software weaknesses)
  CWE - Common Weakness Enumeration: dictionary of weaknesses that can lead to exploitable vulnerabilities
  CWSS - Common Weakness Scoring System: assigning risk scores to weaknesses
  CAPEC - Common Attack Pattern Enumeration & Classification: catalog of attack patterns
  MAEC - Malware Attribute Enumeration & Characterization: standardized language about malware, based on attributes such as behaviors and attack patterns
SCAP Program (diagram): Scan -> NVD -> Data Feed
IR 7756
CAESARS Framework
CM Documents
Diagram: Department of State iPost data flow
  Data sources:
    AD (Active Directory): AD Users (ADU); SOE ADC
    SMS (System Center): SMS Reporting
    Foundstone (McAfee): Vulnerability Reporting (VUR)
    McAfee Policy Auditor: Security Compliance Reporting (SCR)
  -> Risk Scoring -> Remediation
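The SCAP program slide (Scan -> NVD -> Data Feed) and the iPost diagram (scanner and compliance reports feeding risk scoring, then remediation) describe the same pipeline: correlate what the scanners found against an authoritative vulnerability feed, turn it into a score per host, and surface the deviations that need action. The following Python is an added example of that pipeline, not code from the deck, from NIST, or from the Department of State iPost program. The feed excerpt (shaped like the NVD JSON 1.1 data feed, with placeholder CVE identifiers that use an impossible year), the scan findings, the escalation weighting, the stand-in score for unknown CVEs and the reporting threshold are all constructed assumptions for illustration; iPost's actual formula is not reproduced here.

```python
"""Correlate scan findings with an NVD-style data feed and score hosts.

Added example for the SCAP / NVD data-feed and iPost risk-scoring slides.
Feed excerpt, findings, weights and threshold are constructed, not real.
"""
import json
from datetime import date, datetime

# Constructed excerpt shaped like the NVD JSON 1.1 feed. The CVE ids use
# year 0000 so they cannot collide with real entries; scores are made up.
NVD_FEED_JSON = json.dumps({
    "CVE_Items": [
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8}}}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 5.3}}}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5}}}},
    ]
})

# Constructed scanner findings: (host, CVE id, date the finding was first seen).
SCAN_FINDINGS = [
    ("web01", "CVE-0000-0001", "2011-01-01"),
    ("web01", "CVE-0000-0002", "2011-02-10"),
    ("db01",  "CVE-0000-0003", "2011-01-20"),
    ("db01",  "CVE-0000-9999", "2011-02-15"),  # deliberately absent from the feed
]

REMEDIATION_PERIOD_DAYS = 30   # assumed SLA: score escalates every 30 days unfixed
UNKNOWN_BASE_SCORE = 5.0       # assumed stand-in when the feed has no score
HOST_THRESHOLD = 20.0          # assumed reporting threshold per host


def load_feed(feed_json):
    """Map CVE id -> CVSS v3 base score from an NVD-1.1-shaped feed."""
    scores = {}
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        metric = item.get("impact", {}).get("baseMetricV3")
        if metric:  # entries without a v3 score are left out, not defaulted
            scores[cve_id] = float(metric["cvssV3"]["baseScore"])
    return scores


def score_finding(base_score, days_open):
    """Escalate the base score once per full remediation period the finding
    has stayed open (hypothetical weighting, not the iPost formula)."""
    return base_score * (1 + days_open // REMEDIATION_PERIOD_DAYS)


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(value, date):
        return value
    return datetime.strptime(value, "%Y-%m-%d").date()


def score_hosts(feed, findings, as_of):
    """Return {host: {"score": float, "unknown": [CVE ids missing from feed]}}."""
    as_of = _as_date(as_of)
    hosts = {}
    for host, cve_id, first_seen in findings:
        entry = hosts.setdefault(host, {"score": 0.0, "unknown": []})
        days_open = (as_of - _as_date(first_seen)).days
        base = feed.get(cve_id)
        if base is None:                 # unscorable finding: record it, do not hide it
            entry["unknown"].append(cve_id)
            base = UNKNOWN_BASE_SCORE
        entry["score"] += score_finding(base, days_open)
    for entry in hosts.values():
        entry["score"] = round(entry["score"], 1)
    return hosts


def deviations(host_scores, threshold=HOST_THRESHOLD):
    """Hosts needing attention: over threshold, or carrying findings the feed
    could not score (a data-quality gap, not a clean bill of health)."""
    flagged = []
    for host in sorted(host_scores):
        entry = host_scores[host]
        if entry["score"] > threshold:
            flagged.append((host, "score %.1f above %.1f" % (entry["score"], threshold)))
        if entry["unknown"]:
            flagged.append((host, "unscored: " + ", ".join(entry["unknown"])))
    return flagged


if __name__ == "__main__":
    scores = score_hosts(load_feed(NVD_FEED_JSON), SCAN_FINDINGS, "2011-03-01")
    for host, entry in sorted(scores.items()):
        print(host, entry)
    for host, reason in deviations(scores):
        print("DEVIATION", host, reason)
```

Two design points carry over to any real scoring program. A finding the feed cannot score is reported as a deviation in its own right rather than silently dropped, because a gap in the authoritative data is exactly the kind of thing the GAO review of iPost flagged as limiting what the scores can claim. And the escalation with age means the same CVSS score weighs more the longer it is left open, so the remediation list is ordered by what has been ignored, not only by severity.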
CM Challenges
  The Organization of SP 800-53
  Emerging CM Technologies: SCAP, OCIL
  The Limitations of CAESARS
  Department of State's iPost and Risk Scoring Program
  Evident in USGCB
Figure (process flow; only the step labels survived extraction): Prepare; Effectiveness Measure; Requirements Definition; Assign Scores to Delta; Track Actual; Value Proposition / Operational Metric; ID Score Deviations; Prep Staff
Minimum Security Controls (FIPS 200)
  Access Control
  Awareness and Training
  Audit and Accountability
  Security Assessment and Authorization
  Configuration Management
  Contingency Planning
  Identification and Authentication
  Incident Response
  Maintenance
  Media Protection
  Physical and Environmental Protection
  Planning
  Personnel Security
  Risk Assessment
  System and Services Acquisition
  System and Communications Protection
  System and Information Integrity

Controls Monitored by iPost
  Security Compliance (AD group check)
  Awareness Training Reporting
  Vulnerabilities
  Patching
  Antivirus
CM Challenges
  The Organization of SP 800-53
  The Limitations of CAESARS
  Your Organization's ISCM
Q&A