Continuous Monitoring: Getting Past Complexity & Reducing Risk

Continuous Monitoring: Getting Past Complexity & Reducing Risk Presented by Bryce G. Schroeder

Description

This presentation on Continuous Monitoring was created by Bryce Schroeder, who leads the global presales engineering team at Tripwire. He has over 29 years of IT architectural and security expertise solving enterprise challenges. Bryce joined Tripwire from NetApp, where he led a team of architects and systems engineers in enterprise cloud infrastructure solutions. Numerous articles on Continuous Monitoring can be found here: http://www.tripwire.com/state-of-security/tag/continuous-diagnostics-and-mitigation/

Transcript of Continuous Monitoring: Getting Past Complexity & Reducing Risk

Page 1: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Continuous Monitoring: Getting Past Complexity & Reducing Risk
Presented by Bryce G. Schroeder

Page 2: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Continuous Monitoring: Getting Past Complexity & Reducing Risk
Presented by Bryce G. Schroeder

November 2013

Page 3: Continuous Monitoring: Getting Past Complexity & Reducing Risk

About the Speaker

Bryce Schroeder, Sr. Director of Systems Engineering

Bryce leads the global presales engineering team at Tripwire. He has over 29 years of IT architectural and security expertise solving enterprise challenges. Bryce joined Tripwire from NetApp, where he led a team of architects and systems engineers in enterprise cloud infrastructure solutions. Prior to NetApp, Bryce served in senior leadership roles at Symantec, Sun Microsystems and Tektronix. Previous to that he held system admin and hardware and software design roles.


Page 4: Continuous Monitoring: Getting Past Complexity & Reducing Risk

• $150M+ annual sales
• 400+ employees
• Profitable
• 7000+ customers in 96 countries

Remain small enough to be nimble and innovative; large enough to be the long-term leader in the SVM market

Page 5: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Tripwire Evolution

• 1997: Tripwire File System Monitoring
• 2005: Tripwire Enterprise, integrated change audit for servers, network devices, databases & Active Directory
• 2007: Configuration Assessment, the industry’s largest library of security, regulatory and operational policies
• 2010: Log and Security Event Management, an integrated log and event management solution
• 2011: Thoma Bravo acquires Tripwire, accelerating Tripwire’s “Creating Real Confidence” vision
• 2013: Tripwire acquires nCircle, delivering the industry’s most complete set of foundational security controls for the enterprise: SCM, VA, FIM, LM

Page 6: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Cyber Security is Evolving

• 10 million: cyber attacks daily at the Department of Energy
• 100K’s: attack surface and amount of data is increasing
• 400%+: increase of cyber attacks since 2006
• 100: foreign intelligence organizations trying to hack into our military’s digital networks
• 80%: attacks leveraging known vulnerabilities & configuration setting weaknesses

Page 7: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Regulations Requiring Continuous Monitoring (CM)

NIST SP 800-137
• Defines base requirements for CM

NIST SP 800-53
• Describes automated inspection items (controls) for security
• Aids automated Security Configuration Management strategy

NERC / FERC CIP
• Requirements for Federal Energy Critical Infrastructure Protection

ISO / IEC 27001
• Framework for continuous process improvement in information security

FISMA / FISMA 2
• Includes CM for configuration management and control of components; impact analysis of changes to systems, and ongoing assessment of security controls

Page 8: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Compliance ≠ Security

Security Requires Adaptive Defenses
• Visibility across the entire infrastructure, not silos of data
• Precursors of a compromise are in the network but not visible
• Accurate data to assess risk
• Intelligent information, not more data
• Security automation to minimize effort and expedite response
• Align monitoring and effort with risk and the changing threat landscape

Page 9: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Spirit of Continuous Monitoring

• Enables dynamic security to respond to evolving threats
• Provides details of your information systems
• Make risk-based decisions
• Take control and remain in control of your infrastructure
• Provides continuous input and situational awareness
• Moves the focus back to Security

Page 10: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Achieving a Compliant State… Periodically

• Periodic audits required to reassess
• Risk: change never stops
• Change is occurring

[Chart: Compliance (y-axis) vs. Time (x-axis), showing the compliant state reached only periodically while change keeps occurring]

Page 11: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Achieve & Maintain a Compliant State… Continuously

Continuous Compliance
• Assess & achieve desired state
• Maintain that state

[Chart: Compliance (y-axis) vs. Time (x-axis), showing the compliant state maintained continuously]

Page 12: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Continuous Monitoring & Risk Management Framework

• Aligned with RMF (NIST 800-37) and CM requirements (NIST SP 800-137)

[Diagram: NIST Risk Management Framework (SP 800-37) cycle. Start at Categorize Information System, then Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Information System, and Monitor Security State (SP 800-137), which feeds back into the cycle]

Page 13: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Front-End Security / Back-End Security

[Diagram: the NIST Risk Management Framework (SP 800-37) cycle (Categorize Information System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Information System, Monitor Security State per SP 800-137), annotated with Front-End Security and Back-End Security]

Page 14: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Our focus for today

[Diagram: the NIST Risk Management Framework (SP 800-37) cycle (Categorize Information System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Information System, Monitor Security State per SP 800-137), highlighting the steps covered in this talk]

Page 15: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Categorize Information Systems (Step 1)

Goal: Prioritize and Document Systems
• Document the role / purpose of each system
• Tie back to specific project, mission, business objective
• Rank systems according to risk
• Document system ownership and applicable policies
• Agency and individuals
• Security authorization and authorization termination dates

Page 16: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Implement Security Controls (Step 3)

Goal: Create Defensible Control Capabilities
• Establish & document operational requirements, standards, guidelines
• Align to common controls and standards as applicable
• Align controls with system risk categorization from Step 1
• Establish segregated approval workflows and detective controls
• Implement Security Configuration Management
• Remember “Defense in Depth”

Page 17: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Assess Security Controls (Step 4)

Goal: Ensure Effectiveness of Security Controls
• Validate that controls are in place, effective, and operating as expected
• Assess security controls continuously
• Reduce and act upon configuration drift
• Identify and address variance
• Leverage scoring and thresholds to drive your response and re-planning activities

Page 18: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Monitor Security Controls: Continuous Monitoring (Step 6)

Goal: Adaptive Security in Changing Conditions
• Continuous monitoring of systems, devices and applications: configuration, security state, system state, modifications to the surrounding environment
• Evaluation of context: changes in risks, threat landscape, mission objectives, vulnerabilities, etc.
• Provide the AO (Authorizing Official) with actionable info and context for decisions
• Drive prioritized remediation actions

Page 19: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Continuous Monitoring & Risk Management Framework

• Aligned with RMF (NIST 800-37) and CM requirements (NIST SP 800-137)

[Diagram: NIST Risk Management Framework (SP 800-37) cycle. Start at Categorize Information System, then Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Information System, and Monitor Security State (SP 800-137), which feeds back into the cycle]

Page 20: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Continuous Monitoring

• Step 1: Prioritize
• Step 2: Determine Risk Threshold
• Step 3: Determine Monitoring Frequency
• Step 4: Detailed Reporting

Page 21: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Prioritize (Step 1)

Act on priorities from the Categorize Assets step
• Monitor and alert based on the relative value of assets
• High, Moderate, Low impact
• DMZ, Mission X, Processing, etc.
• Categorize logically and by criticality

Benefits of Categorization
• Easier to make risk-based decisions
• Risks are easier to determine knowing the mission the asset supports
• Enables rapid triage during incident response

Page 22: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Determine Risk Threshold (Step 2)

• Identify and apply your scoring methods: OCTAVE, CAESARS, iPOST, iRAMP, etc.
• Map thresholds to policies and assign weights to control checks

Example of Policy Thresholds
• <50%: Do Not Operate
• <80%: System should go through preplanning
• >80%: Operational

Assign weights for control test items; the weights affect the risk scoring. Example:
• HIGH: Administrator set to blank or default password
• LOW: Users are part of a remote desktop group
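The weighted scoring and threshold mapping described on this slide, worked through as an added example. This code is not from the presentation or from any Tripwire product: the numeric weights per severity, the sample check results and all function names are constructed here. It shows why weighting matters: two servers each fail exactly one check, but failing the HIGH-weighted check drops one of them below the "Do Not Operate" threshold while the other stays operational.

```python
"""Weighted control-check scoring against policy thresholds (added example).

The slide gives only HIGH/LOW examples and the <50% / <80% / >80% thresholds;
the numeric weights, the sample checks and the helper names are assumptions.
"""
from dataclasses import dataclass

# Assumed weight per severity (the slide does not give numbers).
SEVERITY_WEIGHT = {"HIGH": 10, "MEDIUM": 4, "LOW": 1}


@dataclass(frozen=True)
class CheckResult:
    name: str
    severity: str  # HIGH / MEDIUM / LOW
    passed: bool


def compliance_score(results):
    """Weighted percentage of passed checks, so a failed HIGH item costs
    ten times more than a failed LOW item under the weights above."""
    total = sum(SEVERITY_WEIGHT[r.severity] for r in results)
    if total == 0:
        raise ValueError("no checks to score")
    passed = sum(SEVERITY_WEIGHT[r.severity] for r in results if r.passed)
    return round(100.0 * passed / total, 1)


def policy_decision(score):
    """Map a score to the slide's policy thresholds.
    The slide leaves exactly 80% undefined; treating it as 'preplanning'
    is an assumption of this example."""
    if score < 50:
        return "Do Not Operate"
    if score <= 80:
        return "System should go through preplanning"
    return "Operational"


def score_asset(results):
    """Return (score, decision) for one asset's check results."""
    score = compliance_score(results)
    return score, policy_decision(score)


# Constructed sample data: the same checks on two servers, one failure each.
SERVER_A = [
    CheckResult("Administrator account has blank or default password", "HIGH", False),
    CheckResult("Users are members of the Remote Desktop Users group", "LOW", True),
    CheckResult("Audit logging enabled", "MEDIUM", True),
    CheckResult("Unused services disabled", "MEDIUM", True),
]
SERVER_B = [
    CheckResult("Administrator account has blank or default password", "HIGH", True),
    CheckResult("Users are members of the Remote Desktop Users group", "LOW", False),
    CheckResult("Audit logging enabled", "MEDIUM", True),
    CheckResult("Unused services disabled", "MEDIUM", True),
]

if __name__ == "__main__":
    for label, results in (("server-a", SERVER_A), ("server-b", SERVER_B)):
        score, decision = score_asset(results)
        print(f"{label}: {score}% -> {decision}")
```

With the weights above the total is 19 points; server-a keeps 9 of them (47.4%, Do Not Operate) and server-b keeps 18 (94.7%, Operational). The weights and the handling of the exact 80% boundary are policy decisions to be written down alongside the thresholds, since they decide which assets get flagged.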

Page 23: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Determine Monitoring Frequency (Step 3)

Start with your policy
• Determine the frequency of monitoring
• System-level frequency
• Security control-level frequency
• Application-level frequency

Determine the frequency by function and risk associated with each system and security control

Page 24: Continuous Monitoring: Getting Past Complexity & Reducing Risk


How Often?

Source: NIST SP 800-92

Page 25: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Provide Detailed Reports (Step 4)

Respond and provide feedback to the Authorizing Official or representative
• Incident Response
• Security Alerts
• Certification & Accreditation

Use the intelligent data feeds to make accurate risk-based decisions
Create a feedback loop to adapt and improve security and risk posture

Page 26: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Benefits of This Approach

• Leverages automation to reduce time & effort for audit and oversight
• Provides assurance that controls are implemented properly and stay that way
• Enables accountability for proper results
• Provides objective data for gap analysis, remediation planning, and budget priorities
• Enables benchmarking across entities

Page 27: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Don’t Forget The Cloud

• The Cloud Security Alliance and NIST SP 800-114 call for concerted continuous monitoring of the cloud
• Monitor and evaluate the chain of dependency in the cloud
• Align cloud infrastructure with the risk model for physical infrastructure
• Ensure you understand your Cloud Service Provider’s (CSP) security capabilities and responsibilities vs. your own
• Ensure regular review of reports, policies, and incidents

Page 28: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Continuous Monitoring Does Not Replace Regulations

• Continuous monitoring augments/enhances Compliance & Audit (C&A), but doesn’t replace it
• Many aspects still require human intervention and analysis:
  • Policy analysis
  • Integrated risk assessments
  • Non-technical controls
  • Process review

Page 29: Continuous Monitoring: Getting Past Complexity & Reducing Risk

What and How Should I Measure?

Leverage existing work
• CAESARS (Continuous Asset Evaluation, Situational Awareness, and Risk Scoring): www.dhs.gov/xlibrary/assets/fns-caesars.pdf
• iPOST: guidance on the Continuous Monitoring and Risk Scoring model used in the Department of State: www.cio.ca.gov/OIS/Government/events/documents/Scoring_Guide.doc

Page 30: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Other Metrics Examples

Configuration Quality:
• % of configurations compliant with target security standards (risk-aligned), i.e. >95% in High; >75% in Medium
• Number of unauthorized changes with security impact (by area)
• Patch compliance by target area based on risk level, i.e. % of systems patched within 72 hours for High; within 1 week for Medium

Control effectiveness:
• % of incidents detected by an automated control
• % of incidents resulting in loss
• Mean time to discover security incidents
• % of changes that follow the change process
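The two configuration-quality metrics on this slide (risk-aligned configuration compliance and patch compliance within a per-level time window), computed over a constructed inventory as an added example. The code is not from the presentation or from any product: the record layout, the "Low" targets (the slide gives none), the reference time and the function names are all assumptions. The patch metric only counts patches whose window has already closed, so a High patch released yesterday is neither a pass nor a failure yet; that edge case is the part most reports get wrong.

```python
"""Risk-aligned configuration and patch compliance metrics (added example).

Targets from the slide: config compliance >95% in High, >75% in Medium;
patched within 72 hours for High, within 1 week for Medium. The Low
targets, the inventory records and the helper names are constructed here.
"""
from datetime import datetime, timedelta

CONFIG_TARGET = {"High": 95.0, "Medium": 75.0, "Low": 50.0}          # Low is assumed
PATCH_SLA = {"High": timedelta(hours=72),
             "Medium": timedelta(weeks=1),
             "Low": timedelta(weeks=4)}                               # Low is assumed


def config_compliance(assets):
    """Per impact level: % of assets fully compliant and whether the target is beaten."""
    report = {}
    for level, target in CONFIG_TARGET.items():
        group = [a for a in assets if a["impact"] == level]
        if not group:
            continue
        compliant = sum(1 for a in group if a["config_compliant"])
        pct = round(100.0 * compliant / len(group), 1)
        report[level] = {"percent": pct, "target": target, "met": pct > target}
    return report


def patch_compliance(patches, now):
    """Per impact level: % of patches applied inside that level's window.
    Only patches whose window has closed by `now` are counted; still-open
    ones are pending, not failures. Late or missing patches are listed."""
    report = {}
    for level, sla in PATCH_SLA.items():
        due = [p for p in patches if p["impact"] == level and p["released"] + sla <= now]
        if not due:
            continue
        on_time = [p for p in due
                   if p["applied"] is not None and p["applied"] - p["released"] <= sla]
        overdue = [p["asset"] for p in due if p not in on_time]
        report[level] = {"percent": round(100.0 * len(on_time) / len(due), 1),
                         "overdue": overdue}
    return report


# Constructed sample inventory (hostnames and dates are made up).
NOW = datetime(2013, 11, 20, 12, 0)
ASSETS = [
    {"asset": "srv-01", "impact": "High", "config_compliant": True},
    {"asset": "srv-02", "impact": "High", "config_compliant": True},
    {"asset": "srv-03", "impact": "High", "config_compliant": False},
    {"asset": "db-01", "impact": "Medium", "config_compliant": True},
    {"asset": "db-02", "impact": "Medium", "config_compliant": True},
    {"asset": "web-01", "impact": "Medium", "config_compliant": False},
    {"asset": "lab-01", "impact": "Low", "config_compliant": True},
]
PATCHES = [
    {"asset": "srv-01", "impact": "High", "released": datetime(2013, 11, 10), "applied": datetime(2013, 11, 11)},
    {"asset": "srv-02", "impact": "High", "released": datetime(2013, 11, 10), "applied": datetime(2013, 11, 14)},
    {"asset": "srv-03", "impact": "High", "released": datetime(2013, 11, 19), "applied": None},   # window still open
    {"asset": "db-01", "impact": "Medium", "released": datetime(2013, 11, 1), "applied": datetime(2013, 11, 5)},
    {"asset": "db-02", "impact": "Medium", "released": datetime(2013, 11, 1), "applied": None},
    {"asset": "web-01", "impact": "Medium", "released": datetime(2013, 11, 1), "applied": datetime(2013, 11, 6)},
    {"asset": "lab-01", "impact": "Low", "released": datetime(2013, 10, 1), "applied": datetime(2013, 11, 1)},
]

if __name__ == "__main__":
    for level, row in config_compliance(ASSETS).items():
        print(f"config {level}: {row['percent']}% (target >{row['target']}%) met={row['met']}")
    for level, row in patch_compliance(PATCHES, NOW).items():
        print(f"patch  {level}: {row['percent']}% on time, overdue={row['overdue']}")
```

On this data High configuration compliance is 66.7% against a >95% target and High patch compliance is 50% (srv-02 took 96 hours), while srv-03 is excluded from the patch figure because its 72-hour window has not closed. Reporting pending items separately from failures keeps the metric honest in both directions.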

Page 31: Continuous Monitoring: Getting Past Complexity & Reducing Risk


Report On Status & Progress vs. Goals

Page 32: Continuous Monitoring: Getting Past Complexity & Reducing Risk


Focus At A Higher Level

Page 33: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Points To Remember

• Continuous Monitoring is not a “checkbox activity”
• Continuous Monitoring is an integral part of effective Security and Risk Management
• Continuous Monitoring is adaptable to enable you to focus on the highest risk first

Page 34: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Where Do Organizations Fail?

• “Boil the ocean” approaches
• No “Tone at the Top”
• Ineffective metrics
• Lack of automation

Page 35: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Technology Can Help: Preventive Controls

• Create & communicate policies and procedures
• Reduce privileged access
• Malware detection and prevention
• Establish & enforce system hardening standards

Page 36: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Technology Can Help: Detective Controls

• Security Configuration Management
• Vulnerability Management
• Database Activity Monitoring
• File Integrity Monitoring
• Log Monitoring

Page 37: Continuous Monitoring: Getting Past Complexity & Reducing Risk

Recommended Steps For Implementing Continuous Monitoring

1. Anchor to a specific risk framework or approach: NIST 800-37, Factor Analysis of Information Risk (FAIR), CAESARS
2. Develop and use risk ranking / scoring methods
3. Prioritize projects, actions, and investments to bias toward areas of highest risk and impact
4. Establish Key Risk Indicators (KRIs) and Key Risk Objectives (KROs) to measure progress
5. Define monitoring & alerting frequency and thresholds based on risk
6. Continuously re-evaluate status & progress, communicate results, and refine your approach

Page 38: Continuous Monitoring: Getting Past Complexity & Reducing Risk

tripwire.com | @TripwireInc

THANK YOU!

www.tripwire.com/state-of-security
@TripwireInc