Continuous Monitoring: Getting Past Complexity & Reducing Risk
Presented by Bryce G. Schroeder
November 2013
About the Speaker
Bryce Schroeder, Sr. Director of Systems Engineering
Bryce leads the global presales engineering team at Tripwire. He has over 29 years of IT architectural and security expertise solving enterprise challenges. Bryce joined Tripwire from NetApp, where he led a team of architects and systems engineers in enterprise cloud infrastructure solutions. Prior to NetApp, Bryce served in senior leadership roles at Symantec, Sun Microsystems and Tektronix. Previous to that he held system administration and hardware and software design roles.
• $150M+ annual sales
• 400+ employees
• Profitable
• 7000+ customers in 96 countries
Remain small enough to be nimble and innovative; large enough to be the long-term leader in the SVM market.
Tripwire Evolution
• 1997: Tripwire File System Monitoring
• 2005: Tripwire Enterprise, integrated change audit for servers, network devices, databases and Active Directory
• 2007: Configuration Assessment, the industry's largest library of security, regulatory and operational policies
• 2010: Log and Security Event Management, an integrated log and event management solution
• 2011: Thoma Bravo acquires Tripwire, accelerating Tripwire's "Creating Real Confidence" vision
• 2013: Tripwire acquires nCircle, delivering the industry's most complete set of foundational security controls for the enterprise: SCM, VA, FIM, LM
Cyber Security is Evolving
• 10 million cyber attacks daily at the Department of Energy
• 100K's: attack surface and amount of data is increasing
• 400%+ increase in cyber attacks since 2006
• 100 foreign intelligence organizations trying to hack into our military's digital networks
• 80% of attacks leverage known vulnerabilities and configuration setting weaknesses
Regulations Requiring Continuous Monitoring (CM)
• NIST SP 800-137: defines base requirements for CM
• NIST SP 800-53: describes automated inspection items (controls) for security; aids an automated Security Configuration Management strategy
• NERC / FERC CIP: requirements for Federal Energy Critical Infrastructure Protection
• ISO / IEC 27001: framework for continuous process improvement in information security
• FISMA / FISMA 2: includes CM for configuration management and control of components, impact analysis of changes to systems, and ongoing assessment of security controls
Compliance ≠ Security
Security requires adaptive defenses:
• Visibility across the entire infrastructure, not silos of data
• Precursors of a compromise are in the network but not visible
• Accurate data to assess risk
• Intelligent information, not more data
• Security automation to minimize effort and expedite response
• Align monitoring and effort with risk and the changing threat landscape
Spirit of Continuous Monitoring
• Enables dynamic security to respond to evolving threats
• Provides details of your information systems
• Make risk-based decisions
• Take control and remain in control of your infrastructure
• Provides continuous input and situational awareness
• Moves the focus back to Security
Achieving a Compliant State… Periodically
[Chart: Compliance vs. Time. Labels: "Compliant State", "Periodic audits required to reassess", "Change is occurring", "RISK: change never stops"]
Achieve & Maintain a Compliant State… Continuously
[Chart: Compliance vs. Time. Labels: "Compliant State", "Continuous Compliance", "Assess & achieve desired state", "Maintain that state"]
Continuous Monitoring & Risk Management Framework
[Diagram: NIST Risk Management Framework (SP 800-37) cycle. Start: Categorize Information System; Select Security Controls; Implement Security Controls; Assess Security Controls; Authorize Information System; Monitor Security State (SP 800-137)]
• Aligned with RMF (NIST 800-37) and CM requirements (NIST SP 800-137)
Front-End Security / Back-End Security
[Same RMF diagram, annotated with "Front-End Security" and "Back-End Security"]
Our focus for today
[Same RMF diagram]
Step 1: Categorize Information Systems
Goal: Prioritize and Document Systems
• Document the role / purpose of each system; tie back to a specific project, mission or business objective
• Rank systems according to risk
• Document system ownership and applicable policies (agency and individuals)
• Security authorization and authorization termination dates
Step 3: Implement Security Controls
Goal: Create Defensible Control Capabilities
• Establish and document operational requirements, standards and guidelines
• Align to common controls and standards as applicable
• Align controls with the system risk categorization from Step 1
• Establish segregated approval workflows and detective controls
• Implement Security Configuration Management
• Remember "Defense in Depth"
Step 4: Assess Security Controls
Goal: Ensure Effectiveness of Security Controls
• Validate that controls are in place, effective, and operating as expected
• Assess security controls continuously
• Reduce and act upon configuration drift
• Identify and address variance
• Leverage scoring and thresholds to drive your response and re-planning activities
Step 6: Monitor Security Controls (Continuous Monitoring)
Goal: Adaptive Security in Changing Conditions
• Continuous monitoring of systems, devices and applications: configuration, security state, system state, modifications to the surrounding environment
• Evaluation of context: changes in risks, threat landscape, mission objectives, vulnerabilities, etc.
• Provide the AO (Authorizing Official) with actionable info and context for decisions
• Drive prioritized remediation actions
Continuous Monitoring
• Step 1: Prioritize
• Step 2: Determine Risk Threshold
• Step 3: Determine Monitoring Frequency
• Step 4: Detailed Reporting
Prioritize
• Act on priorities from the Categorize Assets step
• Monitor and alert based on the relative value of assets: High, Moderate, Low impact; DMZ, Mission X, Processing, etc.; categorize logically and by criticality
Benefits of categorization:
• Easier to make risk-based decisions
• Risks are easier to determine knowing the mission the asset supports
• Enables rapid triage during incident response
Determine Risk Threshold
• Identify and apply your scoring methods: OCTAVE, CAESARS, iPOST, iRAMP, etc.
• Map thresholds to policies and assign weights to control checks
Example of policy thresholds:
• <50%: Do Not Operate
• <80%: System should go through preplanning
• >80%: Operational
Assign weights for control test items; weights affect the risk scoring. Example:
• HIGH: Administrator set to blank or default password
• LOW: Users are part of a remote desktop group
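The weighted control scoring and policy thresholds described on this slide, as an added example (not code from the presentation or from Tripwire's products); the numeric weights, the check names other than the two on the slide, and the treatment of exactly 80% are assumptions:

```python
from dataclasses import dataclass

# Assumed numeric weights for the severity labels on the slide (HIGH/LOW);
# MEDIUM is added here for a fuller example.
WEIGHTS = {"HIGH": 10, "MEDIUM": 5, "LOW": 1}

@dataclass(frozen=True)
class CheckResult:
    name: str       # what the control check verifies
    severity: str   # HIGH / MEDIUM / LOW
    passed: bool    # True if the system meets the check

def risk_score(results):
    """Percentage of total check weight earned by passing checks (0-100)."""
    total = sum(WEIGHTS[r.severity] for r in results)
    if total == 0:
        return 100.0  # nothing assessed: report as fully compliant
    earned = sum(WEIGHTS[r.severity] for r in results if r.passed)
    return round(100.0 * earned / total, 1)

def policy_action(score):
    """Map a score to the slide's thresholds (exactly 80% treated as Operational)."""
    if score < 50:
        return "Do Not Operate"
    if score < 80:
        return "Preplanning Required"
    return "Operational"

def assess(results):
    """Score a system and list the failed HIGH checks that drove the result."""
    score = risk_score(results)
    failed_high = sorted(r.name for r in results
                         if r.severity == "HIGH" and not r.passed)
    return {"score": score, "action": policy_action(score),
            "failed_high": failed_high}

# Constructed sample results for one system (not real scan data); the two
# failed checks are the HIGH and LOW examples named on the slide.
SAMPLE = [
    CheckResult("Administrator password is not blank or default", "HIGH", False),
    CheckResult("No users in the remote desktop group", "LOW", False),
    CheckResult("Audit logging enabled", "HIGH", True),
    CheckResult("Password complexity enforced", "MEDIUM", True),
    CheckResult("Guest account disabled", "MEDIUM", True),
]

if __name__ == "__main__":
    print(assess(SAMPLE))  # score 64.5 -> Preplanning Required
```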
Determine Monitoring Frequency
• Start with your policy
• Determine frequency of monitoring: system level frequency, security control level frequency, application level frequency
• Determine the frequency by function and risk associated with each system and security control
How Often?
Source: NIST SP 800-92
Provide Detailed Reports
• Respond and provide feedback to the Authorizing Official or representative: incident response, security alerts, Certification & Accreditation
• Use the intelligent data feeds to make accurate risk-based decisions
• Create a feedback loop to adapt and improve security and risk posture
Benefits of This Approach
• Leverages automation to reduce time and effort for audit and oversight
• Provides assurance that controls are implemented properly and stay that way
• Enables accountability for proper results
• Provides objective data for gap analysis, remediation planning, and budget priorities
• Enables benchmarking across entities
Don’t Forget The Cloud
• The Cloud Security Alliance and NIST SP 800-114 call for concerted continuous monitoring of the cloud
• Monitor and evaluate the chain of dependency in the cloud
• Align cloud infrastructure with the risk model for physical infrastructure
• Ensure you understand your Cloud Service Provider’s (CSP) security capabilities and responsibilities vs. your own
• Ensure regular review of reports, policies, and incidents
Continuous Monitoring Does Not Replace Regulations
• Continuous monitoring augments/enhances Compliance & Audit (C&A), but doesn’t replace it
• Many aspects still require human intervention and analysis: policy analysis, integrated risk assessments, non-technical controls, process review
What and How Should I Measure?
Leverage existing work:
• CAESARS (Continuous Asset Evaluation, Situational Awareness, and Risk Scoring): www.dhs.gov/xlibrary/assets/fns-caesars.pdf
• iPOST: guidance on the Continuous Monitoring and Risk Scoring model used in the Department of State: www.cio.ca.gov/OIS/Government/events/documents/Scoring_Guide.doc
Other Metrics Examples
Configuration quality:
• % of configurations compliant with target security standards (risk-aligned), i.e. >95% in High; >75% in Medium
• Number of unauthorized changes with security impact (by area)
• Patch compliance by target area based on risk level, i.e. % of systems patched within 72 hours for High; within 1 week for Medium
Control effectiveness:
• % of incidents detected by an automated control
• % of incidents resulting in loss
• Mean time to discover security incidents
• % of changes that follow the change process
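The patch-compliance and configuration-quality metrics above, computed over constructed records as an added example (not code from the presentation or from Tripwire); the record layouts and the treatment of systems still inside their patch window are assumptions:

```python
from datetime import datetime, timedelta

# Risk-tier patch deadlines from the slide: High within 72 hours, Medium within 1 week.
PATCH_SLA = {"High": timedelta(hours=72), "Medium": timedelta(weeks=1)}
# Risk-aligned configuration compliance targets from the slide (strict ">").
CONFIG_TARGET = {"High": 95.0, "Medium": 75.0}

def _pct(hits, total):
    """Percentage rounded to one decimal; an empty tier reports 100%."""
    return round(100.0 * hits / total, 1) if total else 100.0

def patch_compliance(records, now):
    """% of systems per tier patched within SLA.  record = (tier, released,
    patched_at or None); an unpatched system is compliant only while its
    window is still open at `now` (assumption)."""
    per_tier = {}
    for tier, released, patched_at in records:
        deadline = released + PATCH_SLA[tier]
        finished = patched_at if patched_at is not None else now
        hits, total = per_tier.get(tier, (0, 0))
        per_tier[tier] = (hits + (finished <= deadline), total + 1)
    return {t: _pct(h, n) for t, (h, n) in per_tier.items()}

def config_compliance(checks):
    """Per tier: (% compliant, beats the tier target?).  check = (tier, compliant_bool)."""
    per_tier = {}
    for tier, compliant in checks:
        hits, total = per_tier.get(tier, (0, 0))
        per_tier[tier] = (hits + compliant, total + 1)
    return {t: (_pct(h, n), _pct(h, n) > CONFIG_TARGET[t])
            for t, (h, n) in per_tier.items()}

# Constructed sample data (not real inventory): all patches released at T0.
NOW = datetime(2013, 11, 20, 12, 0)
T0 = datetime(2013, 11, 10, 0, 0)
PATCHES = [
    ("High", T0, T0 + timedelta(hours=48)),   # within 72h
    ("High", T0, T0 + timedelta(hours=96)),   # late
    ("High", T0, None),                       # unpatched, deadline passed
    ("Medium", T0, T0 + timedelta(days=5)),   # within 1 week
    ("Medium", T0, None),                     # unpatched, deadline passed
]
# 19/20 High checks pass (exactly 95%, not above target); 8/10 Medium pass.
CONFIGS = ([("High", True)] * 19 + [("High", False)]
           + [("Medium", True)] * 8 + [("Medium", False)] * 2)

if __name__ == "__main__":
    print(patch_compliance(PATCHES, NOW), config_compliance(CONFIGS))
```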
Report On Status & Progress vs. Goals
Focus At A Higher Level
Points To Remember
• Continuous Monitoring is not a “checkbox activity”
• Continuous Monitoring is an integral part of effective Security and Risk Management
• Continuous Monitoring is adaptable to enable you to focus on the highest risk first
Where Do Organizations Fail?
• “Boil the ocean” approaches
• No “Tone at the Top”
• Ineffective metrics
• Lack of automation
Technology Can Help - Preventive Controls
• Create and communicate policies and procedures
• Reduce privileged access
• Malware detection and prevention
• Establish and enforce system hardening standards
Technology Can Help - Detective Controls
• Security Configuration Management
• Vulnerability Management
• Database Activity Monitoring
• File Integrity Monitoring
• Log Monitoring
Recommended Steps For Implementing Continuous Monitoring
1. Anchor to a specific risk framework or approach: NIST 800-37, Factor Analysis of Information Risk (FAIR), CAESARS
2. Develop and use risk ranking / scoring methods
3. Prioritize projects, actions, and investments to bias toward areas of highest risk and impact
4. Establish Key Risk Indicators (KRIs) and Key Risk Objectives (KROs) to measure progress
5. Define monitoring and alerting frequency and thresholds based on risk
6. Continuously re-evaluate status and progress, communicate results, and refine your approach
THANK YOU!
tripwire.com | @TripwireInc
www.tripwire.com/state-of-security