For Official Use Only
AWARE Scoring Agency-Wide Adaptive Risk Enumeration
FITSC 2018
Department of Homeland Security, CDM PMO
November 7, 2018
Generic Risk Scoring Concept
Source: https://arch.idmanagement.gov/
Background
• iPost (Department of State)
• Security Posture Dashboard Reporting (SPDR) (Department of Justice)
• Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) (Department of Homeland Security)
• CDM Dashboard risk scoring currently utilizes Archer's out-of-the-box scoring
Base Metric [Vulnerability]
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.
CVSS Value    Scaled CVSS Value
10.0          10.0
9.0           7.29
8.0           5.12
7.0           3.43
6.0           2.16
5.0           1.25
4.0           0.64
3.0           0.27
2.0           0.08
1.0           0.01
(Each scaled value is the CVSS value cubed and divided by 100, so the scaling strongly favors the highest-severity findings: a 9.0 keeps 7.29 points, a 5.0 only 1.25.)

Scaled Base CVSS [Vulnerability] x Age [Decay] x Weight [Threat, Impact] x Tolerance [Grace Period] = AWARE Score
Scoring Factors
Aging (Control Decay)
• Developed in iPost
• Extended in SPDR with policy variables (n days to double)
• Kept in AWARE to encourage timely remediation of vulnerabilities
• Measured from the publication date of the Common Vulnerabilities and Exposures (CVE) entry
• Current default is 90 days to double the score for base CVEs
Source: https://arch.idmanagement.gov/
Current Aging Facts
• Vulnerabilities are all aged logarithmically
• FVAs are aged more aggressively than non-FVAs
• Configuration settings are not aged
• Unapproved hardware is not aged
• Future scoring areas may or may not use aging, which is part of the general AWARE formula:
  Score = Base Score * Aging Factor * Weighting Factor * (Impact Factor)
General Principles of Risk Aging
Opportunity Risk: If there is risk at all, it usually gets worse over time simply because an adversary has more time to exploit it. In certain cases, other factors (see later slide) may come into play that arrest or even reverse this increase.
Bounded Risk: As risk increases, there remains a bound (saturation point) beyond which the amount of increased risk is no longer accepted as credible or useful.
Stages of Aging: External events may occur during aging that justify or require changing the way a risk is aged.
Weight [Impact]
Two independent factors proposed for AWARE
Federal Vulnerability Action (FVA)
• Weight factor on a CVE due to a heightened threat level for that CVE
• Commercial threat tool identifies critical ratings
High Value Factor (HVF)
• Weight factor that occurs on endpoints in FISMA systems with a Federal Information Processing Standards 199 (FIPS 199) impact of “High”
Allowable Tolerance [Grace period]
Intended to give agencies a number of days to test and deploy patches and/or mitigate vulnerabilities before the agency's federal score is impacted.
Begins when the vulnerability is added to the Agency Dashboard.
Scores are not shown on the Federal Dashboard while within the allowable tolerance period.

Actual Score (With): all metrics used, including the Allowable Tolerance metric. Considered to be the baseline federal score.
Anticipated Score (Without): all metrics used except the Allowable Tolerance metric. Provides an indication of what the scores would be if they were not shielded by Allowable Tolerance periods.
AWARE Scoring Summary
Weight Metric (all scoring areas): High Value Factor 1.5; FVA Factor 2.0

Scoring Area | Description | Shown on Federal Dashboard
VUL | Base Metric: scaled CVSS base score. Age Metric: logarithmic aging, doubles in 90 days (7 days default for FVAs). Weight Metric: High Value Factor (if applicable, in addition to 2.0 for FVAs). Allowable Tolerance Period: 30 days (7 days for FVAs as default). | Yes
CSM | Base Metric (STIG): [.72, .36, .12] for [CAT I, CAT II, CAT III]. Age Metric: 1. Weight Metric: High Value Factor, if applicable. Allowable Tolerance: 30 days. | Yes
UAH | Base Metric: 10. Age Metric: 1. Weight Metric: none. Allowable Tolerance: 7 days. | Yes
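The following calculator ties the general formula (scaled base x aging x weight, gated by the allowable tolerance period) to the per-area parameters in the summary table and produces both the Actual (with tolerance) and Anticipated (without tolerance) figures. It is an added example, not code from the DHS CDM dashboard or Archer. The constants (1.5 HVF, 2.0 FVA, STIG bases, 90/7-day doubling, 30/7-day tolerance) are taken from the slides; the exact logarithmic curve, the inclusive grace-period boundary, the optional saturation cap and the sample findings are assumptions made for the example.

```python
"""AWARE-style score calculator (added example, not DHS CDM dashboard code).

Constants come from the deck's summary table; the logarithmic aging curve,
the inclusive tolerance boundary and the optional saturation cap are
assumptions.
"""
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Weight factors from the "AWARE Scoring Summary" slide
HIGH_VALUE_FACTOR = 1.5   # endpoints in FIPS 199 "High" FISMA systems
FVA_FACTOR = 2.0          # CVEs under a Federal Vulnerability Action
# CSM base metric by STIG severity; UAH base metric for unapproved hardware
STIG_BASE = {"CAT I": 0.72, "CAT II": 0.36, "CAT III": 0.12}
UAH_BASE = 10.0


@dataclass
class Finding:
    area: str                             # "VUL", "CSM" or "UAH"
    dashboard_added: date                 # starts the allowable-tolerance clock
    cvss: float = 0.0                     # VUL only
    cve_published: Optional[date] = None  # VUL only; aging is measured from here
    stig_cat: str = ""                    # CSM only: "CAT I" / "CAT II" / "CAT III"
    fva: bool = False                     # VUL only
    high_value: bool = False              # applies to VUL and CSM


def scaled_cvss(cvss: float) -> float:
    """Scaled base metric; reproduces the deck's table (9.0 -> 7.29, 8.0 -> 5.12): CVSS^3 / 100."""
    return round(cvss ** 3 / 100.0, 2)


def aging_factor(age_days: int, days_to_double: int, max_factor: Optional[float] = None) -> float:
    """Logarithmic aging that doubles the score after `days_to_double` days.

    ASSUMPTION: the deck only says "logarithmic, doubles in 90 days"; the curve
    1 + log2(1 + age/d) is chosen here because it meets both and keeps growing
    slowly afterwards. `max_factor` is an optional saturation point for the
    deck's "Bounded Risk" principle (the cap value is also an assumption).
    """
    if age_days <= 0:
        return 1.0
    factor = 1.0 + math.log2(1.0 + age_days / days_to_double)
    if max_factor is not None:
        factor = min(factor, max_factor)
    return factor


def score(f: Finding, today: date) -> dict:
    """Return the anticipated (without tolerance) and actual (with tolerance) score."""
    if f.area == "VUL":
        if f.cve_published is None:
            raise ValueError("VUL findings need a CVE publication date")
        base = scaled_cvss(f.cvss)
        age = aging_factor((today - f.cve_published).days, 7 if f.fva else 90)
        weight = (FVA_FACTOR if f.fva else 1.0) * (HIGH_VALUE_FACTOR if f.high_value else 1.0)
        tolerance_days = 7 if f.fva else 30
    elif f.area == "CSM":
        base = STIG_BASE[f.stig_cat]
        age = 1.0                                   # configuration settings are not aged
        weight = HIGH_VALUE_FACTOR if f.high_value else 1.0
        tolerance_days = 30
    elif f.area == "UAH":
        base, age, weight, tolerance_days = UAH_BASE, 1.0, 1.0, 7   # not aged, not weighted
    else:
        raise ValueError(f"unknown scoring area {f.area!r}")

    anticipated = round(base * age * weight, 2)
    # ASSUMPTION: the grace period includes its last day.
    in_tolerance = (today - f.dashboard_added).days <= tolerance_days
    actual = 0.0 if in_tolerance else anticipated   # shielded scores are not shown federally
    return {"anticipated": anticipated, "actual": actual, "in_tolerance": in_tolerance}


def dashboard_totals(findings, today: date):
    """Agency totals as the Federal Dashboard sees them (actual) and unshielded (anticipated)."""
    actual = round(sum(score(f, today)["actual"] for f in findings), 2)
    anticipated = round(sum(score(f, today)["anticipated"] for f in findings), 2)
    return actual, anticipated


# Constructed sample findings for one agency, evaluated as of 2018-11-07
TODAY = date(2018, 11, 7)
SAMPLE = [
    Finding("VUL", dashboard_added=date(2018, 10, 20), cvss=9.0,
            cve_published=date(2018, 8, 9), high_value=True),   # CVE 90 days old, still in grace
    Finding("VUL", dashboard_added=date(2018, 10, 25), cvss=8.0,
            cve_published=date(2018, 10, 31), fva=True),         # FVA: 7-day doubling, 7-day grace
    Finding("CSM", dashboard_added=date(2018, 9, 1), stig_cat="CAT I", high_value=True),
    Finding("UAH", dashboard_added=date(2018, 11, 1)),           # 6 days in, still in grace
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.area, score(f, TODAY))
    print("actual / anticipated:", dashboard_totals(SAMPLE, TODAY))
```

Running the sample shows why the two figures are reported side by side: the high-value 9.0 CVE already carries 21.87 anticipated points (7.29 x 2.0 aging x 1.5 HVF) but contributes 0 to the actual federal score because it is 18 days into its 30-day grace period, whereas the FVA CVE is past its 7-day grace and lands at 20.48 (5.12 x 2.0 x 2.0) on both.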
Mission Operations
CDM Operational Requirements ~ Capability Areas

Capability Area | Capability Set | Mission Operations Capability Functionality
What is on the network? (Phase 1) | Manage Assets | Hardware Inventory; Software Inventory; Configuration Settings; Vulnerabilities/Anti-virus
Who is on the network? (Phase 2) | Manage Accounts for People and Services | Trust in People Granted Access; Security Related Behavior; Credentials & Authentication; Privilege and Account Access
What is happening on the network? (Phase 3) | Manage Events | Network/Physical Access Control (deferred to Phase 3); Prepare for Incidents and Contingencies; Respond to Incidents and Contingencies; Ongoing Assessment
What is happening on the network? (Phase 3) | Manage Security Lifecycle / Design and Build in Security | Requirements, Policy and Planning; Quality Management; Supply Chain Risk Management (SCRM)
What is happening on the network? (Phase 3) | Manage Security Lifecycle / Operate, Monitor and Improve | Operational Security; Generic Audit/Monitoring; Ongoing Authorization
How is data protected? (Phase 4) | Manage Data Protection | Manage Data Protection
Benchmark Quality Ratings
• Binary scoring (met/unmet), compliance checks (pass/fail), or control measurement (e.g., 80%) lack context and are difficult to translate into the overall risk picture.
• Benchmarking assists mission owners and operators with:
  • Gaining an independent perspective on performance across groups
  • Clearly identifying specific areas of need (triggering assessments and control testing)
  • Validating assumptions
  • Prioritizing improvement opportunities
  • Setting performance expectations
  • Monitoring performance and managing change
How will you use AWARE scoring?
Improving Risk Posture
The traditional view holds that even a modest investment in security raises the bar for all attackers.
[Figure: Attack Surface. Source: Original content]
Managing Relative Performance
Outcomes
• Transparency & improvement
• Improved situational awareness
• Comparison between similar peers
• Social and group pressure
• Results Sharing
• Comparisons over time
Impacts
• Reduced attack surface
• Hierarchical pressure
• Better / faster risk decisions
• Measurable control