Enclave Security: Secure Configuration Management (SCM)

David Hoon
DISA PEO-MA
SCM PMO
http://www.disa.mil/scm

Unclassified


The information provided in this briefing is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government.


Agenda

• SCM Introduction
• SCM Lifecycle
• SCM Objectives
• SCM Community Model
• Current Capability Framework
• Governance Model
• Capability Program Map
• NSA SCM R&D Focused Efforts
• SCM Programs
  – CMRS
  – DPMS
  – IAVM


Introduction

Security-focused Configuration Management (SecCM) is defined as: “the management and control of configurations for information systems to enable security and facilitate the management of information security risk.” (NIST SP 800-128)

PROGRAM OBJECTIVES:

• The DoD SCM Program is the integration and optimization of enterprise IA applications, tools, and data standards to support automated processes used to support risk management and near-real time awareness.
• Enable Information System Monitoring as part of DoD’s Continuous Monitoring Strategy – supporting the initial data sets of assets, system configurations, and vulnerabilities (FISMA reporting requirements).

PROGRAM CAPABILITIES:

• Leverage inherent SCM capabilities used within CC/S/As
• Provide pervasive enterprise capabilities and interfaced automated capabilities based on common data standards to enhance and accelerate CC/S/As ability to:
  – Identify assets
  – Check system configuration compliance against policies and standards
  – Search for potential vulnerabilities
  – Act on known vulnerabilities for known risk posture for system/networks
  – Report status & share information with those that need to know

Configure assets securely; Maintain secure Configurations; Provide continuous situational awareness to the right people


Why SCM?

The Enterprise Today:

• Difficult to maintain secure configurations: high level of effort, diminished return on investment
• Disparate IA tool sets: proprietary capabilities, disconnected and stand-alone configurations
• Manual reporting: resource intensive, slow, and limits trusted situational awareness

The Future Enterprise:

• Automated, end-to-end security compliance process
• Standardized and validated toolsets connected throughout the enterprise
• Continuous reporting to improve data integrity and validity


SCM Lifecycle


SCM Program Objectives

• The SCM Program implements published standards, uses validated tools, and employs standardized interfaces to realize essential Secure Configuration capabilities.

• Standards: Secure Configuration Automation Protocol (SCAP). A NIST-developed, industry-adopted set of standards supporting interoperability and automated data exchange. Extended to include standard data formats for reporting asset and summary information.

• Tools: Commercial-off-the-Shelf (COTS) and Government-off-the-Shelf (GOTS) tools validated as conforming to SCAP standards.

• Interfaces: Leverage SCAP and emerging standards (Asset Report Format (ARF) / ARF Summary Report (ASR)) to distribute asset data by defining data input and output formats for SCAP-validated tools

• Capabilities: Content/Policy development; Asset Inventory/Discovery; Security State Analysis/Risk Assessment; and Risk Mitigation


SCM OV-1


Near-Term SCM Capability Framework


Automated STIGs

Automated STIG & IAVM Benchmarks (with OVAL) available:

• Windows XP
• Windows Vista
• Windows 2003 Domain Controller & Member Server
• Windows 2008 Domain Controller & Member Server
• Windows 7
• Windows 2008R2
• Red Hat 5
• Solaris 9 (x86 and sparc)
• Solaris 10 (x86 and sparc)
• HP-UX 11.23
• HP-UX 11.31
• AIX 5.3
• AIX 6.1
• Windows IAVM 2009, 2010, 2011, 2012 * PKI restricted
• IE8
• IE9

http://iase.disa.mil/stigs/scap/index.html


SCM Governance Model

[Organization chart. Boxes: ESSG; CCWG; OWG – SCM (CSIP, IAVM, Continuous Monitoring, Risk Scoring, C&A, Mission Assurance); TWG Network Scanning; TWG Network Mapping; TWG Continuous Monitoring; TWG Risk Scoring; TWG Policy and Remediation; Enterprise Acquisition Approval; Enterprise Capability Release Board; SCM CCB; Program CCB]


SCM Capability Map


SCM Program Overlay


SCM R&D FOCUS AREAS (FY13 - FY17)

SCM in Mobile Environment: Develop SCM capabilities for mobile and wireless devices.

• Mobile Device Manager
• Dynamic Policy Generation (supports BYOD)
• Mobile Application Store

Automated Remediation: Develop remediation policies allowing centralized control and decentralized execution of remediation

• COTS Remediation Tools
• Remediation Standard
• Group Policy Fixes
• Policy-Driven Automated Course-of-Action (ACoA)

Collect Configuration Data from Human Sensors: Develop automated capabilities to collect IT asset and configuration relevant data from human sensors (i.e., Open Checklist Interactive Language/OCIL, part of the SCAP protocol suite)

• Certification and Accreditation
• Non-Automated STIG Checks
• Training
• CCRI (Command Cyber Readiness Inspection) / CSIP (Cyber Security Inspection Process)

SCM in a Virtualized Environment: Develop SCM capabilities for non-persistent and persistent IT virtualization environments

• Hypervisor
• Virtual Desktop Environment
• Streaming Application Server


SCM in Mobility PROGRESS & Way Forward

• FY12
  – Completed Combined Baseline Criteria for Mobile Device Manager (MDM)
  – MDM Tool Qualitative Market Analysis
  – Policy and Configuration Guidance Market Analysis
  – CONOP for SCM in Mobile Environment
  – MDM Security Capability Assessment
  – MDM-SCAP Middleware Application

• FY13
  – Market Analysis of MDM / MAS
  – COTS Tool Evaluation and Testing (MDM/MAS)
  – Standards development for mobile assessment (OVAL)
  – Standards-based compliance scanning of mobile devices
  – Integration with TNC concepts
  – Dynamic Policy Generation (Supports BYOD)
  – Integration of MDM with Continuous Monitoring Solution


Automated Remediation PROGRESS & Way Forward

• FY12
  – Work with NIST on Remediation standard development (CRE & ERI)
  – Work with SPAWAR on the development of the SPAWAR Remediation Tool

• FY13
  – Aggregated automated remediation requirements
  – Automated Remediation CONOP
  – Market Analysis and evaluation of Remediation COTS tools
  – Support further refinement of Remediation standards
  – Create Remediation content to support automated remediation
  – Refine STIG and IAVM automated remediation approach
  – Integrate Remediation Content into DISA Digital Policy Management System
  – Remediation Event Management capability
  – Support Proof of Concept of Automated Remediation course of action


Automated human sensor PROGRESS & Way Forward

SCAP Protocol: OCIL (Open Checklist Interactive Language)

• FY12
  – OCIL Content for Windows 7
  – Lessons Learned for OCIL reference implementation
  – Input to OCIL 2.0 standard
  – Pilot with Telos tool using OCIL

• FY13
  – Market Analysis of current COTS tools that leverage the OCIL data standard
  – CONOP for OCIL to support C&A, STIG Compliance, Training, and CSIP Use Cases
  – Draft requirements for Enterprise OCIL solution
  – Create OCIL content to support identified use cases
  – Provide input to OCIL 3.0 standard
  – Pilot for using OCIL for C&A
  – Pilot for using OCIL for CCRI/CSIP
  – Pilot for using OCIL STIG Compliance


SCM in Virtualization PROGRESS & Way Forward

• FY12
  – Collaborate with DISA and CYBERCOMMAND to derive test cases for evaluating security of virtual environments
  – Procure and Establish Virtualization Pilot Lab
  – Configure NSA IT Efficiencies Environment in Lab
  – Install current DISA SCM Tools in Lab
  – Execute test cases to determine security gaps with current DISA tools
  – Recommend approaches to resolve security gaps

• FY13
  – Complete Virtualization Pilot
    – Final SCM Use Case Execution
    – Gap Analysis Report
    – Recommendations Paper for DISA
  – Hypervisor Scanning Capability
    – STIG/SRG
    – Market Analysis of Tools
    – SCAP content
    – Standards updates (ARF/ASR)
    – Operational Prototype in Lab
  – Non-Persistent Desktop Scanning Capability
    – Approach to scanning non-persistent desktops/templates
    – Market Analysis of Tools
    – Operational Prototype in Lab


SCM Programs

• ACAS
• CMRS/PRSM
• DPMS
  – IAVM Service
  – VMS STIG Maintenance
  – Patch Repository
  – Severity Scoring
• eMASS
• ENMLDS
• HBSS
  – Policy Auditor
  – OAM
  – APS
  – ACCM
• Remediation Manager
• VMS


CMRS Technology Stack


CMRS Enterprise – End State


DPMS System View


What is Digital Policy Management Service?

• Author validated Machine-readable Content
• Search for and Modify/Copy already created content
• Content Distribution Capability (Machine-to-Machine (M2M), Versioning)
  – Based on signatures: Marines get Marines-signed content, Navy gets Navy-signed content, everyone gets Authoritative content
• Collaboration
• Content Sharing / Learning (e.g., Patch testing reciprocity)
  – Army can share custom content with Navy; Navy can share custom content with Marines; CYBERCOM can share content with everyone
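
The signature-based distribution rule on this slide, sketched as an added example that is not part of the original briefing and is not DPMS code: a component receives content signed by itself plus content signed by the authoritative source, and any package whose signature does not verify is dropped. HMAC-SHA256 with constructed keys stands in for the PKI signatures a real service would use; the package names, keys, and function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC is a stand-in for PKI signatures; signer
# names follow the slide, key values and package names are made up.
SIGNER_KEYS = {
    "AUTHORITATIVE": b"demo-key-authoritative",
    "MARINES": b"demo-key-marines",
    "NAVY": b"demo-key-navy",
}

def make_package(name, signer, content):
    """Build a content package signed with the signer's demo key."""
    sig = hmac.new(SIGNER_KEYS[signer], content, hashlib.sha256).hexdigest()
    return {"name": name, "signer": signer, "content": content, "sig": sig}

def verify(pkg):
    """True only if the signer is known and the tag matches the content."""
    key = SIGNER_KEYS.get(pkg["signer"])
    if key is None:
        return False
    expected = hmac.new(key, pkg["content"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg["sig"])

def content_for(component, repository):
    """Names of verified packages a component receives: its own signed
    content plus everything signed by the authoritative source."""
    wanted = {component, "AUTHORITATIVE"}
    return [p["name"] for p in repository
            if p["signer"] in wanted and verify(p)]

def build_demo_repository():
    """Constructed sample repository, including one tampered package."""
    repo = [
        make_package("win7-stig-benchmark", "AUTHORITATIVE", b"<Benchmark id='win7'/>"),
        make_package("usmc-custom-check", "MARINES", b"<definition id='usmc-1'/>"),
        make_package("navy-custom-check", "NAVY", b"<definition id='navy-1'/>"),
    ]
    # Content altered after signing, so verification must fail.
    tampered = make_package("navy-patched-check", "NAVY", b"<definition id='navy-2'/>")
    tampered["content"] = b"<definition id='navy-2' altered='true'/>"
    repo.append(tampered)
    return repo

if __name__ == "__main__":
    repo = build_demo_repository()
    for component in ("MARINES", "NAVY", "ARMY"):
        print(component, content_for(component, repo))
```

A component with no signed content of its own (ARMY in the demo run) still receives the authoritative package, and the tampered Navy package is withheld from everyone.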


Authoritative Sources of Content

Authoritative sources need to create content as well as validate content created by other sources (Army, Navy, etc.). Content validated/signed by the respective Authoritative source should be scored differently in the Enterprise Risk Scoring (ERS) capability.

• Types of Content:
  – SCAP Content
  – STIG (CCE) (FSO)
  – IAVM (FSO & CYBERCOM)
  – Malware (MAEC) (CYBERCOM)
  – Custom HIPS, AV & other remediation (CYBERCOM)


IAVM System Overview

• Automates USCYBERCOM vulnerability scoring and policy generation processes

• Includes CVSS-compliant scoring engine

• Provides real-time interfaces with Symantec DeepSight, NVD, and VMS

• Supports SCAP standards including CVE, CVSS, and CPE

System is live! June 2012


IAVM System CONOPS


IAVM System Capabilities

Primary System Capabilities

PKI authentication & access control

Symantec DeepSight web service data feeds for real-time vulnerability info

Vulnerability analyst workspace/dashboard

Pre-populated IAVM template and workflow

SCAP-compliant CVSS vulnerability scoring engine

Web-based pre-coord collaboration area to capture and track feedback

Enhanced search - ability to search across current and historical IAVMs using multiple parameters


QUESTIONS

SCM [email protected]

www.disa.mil/scm
