Standardizing and Automating Security Operations - PowerPoint PPT Presentation

About This Presentation

Title: Standardizing and Automating Security Operations

Description: High Level, Generalized, Information Security Requirements ... FIPS 199: Information System ... Becoming formalized through an MOA recognizing the need to: ... – PowerPoint PPT presentation

Slides: 27
Provided by: nvdN
Learn more at: https://csrc.nist.gov

Transcript and Presenter's Notes

1
Standardizing and Automating Security Operations
  • Presented by
  • National Institute of Standards and Technology

2
Agenda
  • Security Operations Today
  • Information Security Automation Program
  • Security Content Automation Protocol
  • The Future of Vulnerability Management
  • Next Steps

3
FISMA Compliance Model
(Diagram; text recovered from it:) Information System Security Configuration Settings, with checklists and implementation guidance from NIST, NSA, DISA, vendors, and third parties (e.g., CIS)
4
Configuration Management and Compliance
This top-down schema needs to be managed from the bottom up.
(Diagram; layers recovered from it, top to bottom:)
  • Laws and mandates: FISMA, HIPAA, SOX, GLB, INTEL, COMSEC 97, DoD, ISO, vendor, 3rd party
  • Control catalogs: SP 800-53, DCID, NSA requirements, DoD IA Controls, ISO 17799/27001 (several cells on the slide were marked "???", i.e., no catalog identified for that mandate)
  • Guides and checklists: SP 800-68, DISA STIGs/checklists, NSA guides (again with "???" where no guide exists)
  • Finite set of possible known IT risk controls
  • Application configuration options
  • Agency tailoring of management, operational, and technical risk controls
  • Result: millions of settings to manage across the agency, varying by OS or application (e.g., Windows XP), version/role (Enterprise, Mobile, Stand Alone, SSLF), major patch level (SP1, SP2), environment, and impact rating (High/Moderate/Low) or MAC/CONF
5
Vulnerability Trends
A 20-50% increase in reported vulnerabilities over previous years
  • Shorter exploit-development timelines, coupled with shorter patch-development timelines (highly variable across vendors)
  • Three of the SANS Top 20 Internet Security Attack Targets 2006 were categorized as configuration weaknesses; many of the remaining targets can be partially mitigated via proper configuration
  • Increased prevalence of zero-day exploits

6
State of the Vulnerability Management Industry
  • Product functionality is becoming more robust as vendors acknowledge the connections between security operations and a wide variety of IT systems (e.g., asset management, change/configuration management)
  • Some vendors understand the value of bringing together vulnerability management data across multiple vendors
  • Vendors are driving differentiation through
    • enumeration,
    • evaluation,
    • content,
    • measurement, and
    • reporting
  Differentiating on these building blocks rather than on product function
    • hinders information sharing and automation,
    • reduces reproducibility across vendors, and
    • drives broad differences in prioritization and remediation
7
Security Operations Landscape
  • Manual platform-level configuration management across the enterprise is unwieldy at best
  • Security operations personnel spend a large amount of time demonstrating compliance with a wide variety of laws and mandates using a configuration that's fairly unchanging
  • Increasing number of laws and mandates
  • Increasing number of vulnerabilities per annum
  • A vulnerability management industry that seeks differentiation through enumeration, evaluation, content, measurement, and reporting

8
Key Milestone
  • NIST, DISA, NSA Security Automation Conference, September 2006
  • 300 attendees
  • Keynote addresses by
    • Richard Hale, DISA CIAO
    • Dennis Heretick, DOJ CISO
    • Tony Sager, Chief of NSA's Vulnerability Analysis and Operations Group

9
Information Security Automation Program
  • The ISAP is an interagency, interdepartmental initiative.
  • Becoming formalized through an MOA (memorandum of agreement) recognizing the need to:
    • Create and manage the evolution of a standards-based methodology for automating the implementation, monitoring, and adjustment of information system security.
    • Identify and reduce the number of known vulnerabilities and misconfigurations in government computing infrastructures over a shorter period of time.
    • Re-focus the vulnerability management industry on differentiation through product function.
    • Encourage innovation in the global marketplace.

10
Security Content Automation Protocol (SCAP): Standardizing our Enumeration, Evaluation, Measuring, and Reporting
  • CVE (Common Vulnerabilities and Exposures): standard nomenclature and dictionary of security-related software flaws
  • CCE (Common Configuration Enumeration): standard nomenclature and dictionary of software misconfigurations
  • CPE (Common Platform Enumeration): standard nomenclature and dictionary for product naming
  • XCCDF (eXtensible Checklist Configuration Description Format): standard XML for specifying checklists and for reporting results of checklist evaluation
  • OVAL (Open Vulnerability Assessment Language): standard XML for testing procedures
  • CVSS (Common Vulnerability Scoring System): standard for measuring the impact of vulnerabilities
Organizations named on the slide alongside the components: Cisco, Qualys, Symantec, Carnegie Mellon University
11
Integrating IT and IT Security Through SCAP
(Diagram: SCAP at the center, linked to CVE, CCE, CPE, XCCDF, OVAL, CVSS, and misconfiguration data.)
12
Existing Federal Products: Standardizing our Content

National Vulnerability Database (NVD)
  • 2.5 million hits per month
  • 20 new vulnerabilities per day
  • Cross-references all publicly available U.S. Government vulnerability resources:
    • FISMA Security Controls (all 17 families and 163 controls, for reporting purposes)
    • DoD IA Controls
    • DISA VMS Vulnerability IDs
    • Gold Disk VIDs
    • DISA VMS PDI IDs
    • NSA References
    • DCID
    • ISO 17799
  • Produces an XML feed of NVD content

National Checklist Program
  • Created in response to NIST being named in the Cyber Security R&D Act of 2002
  • Encourages vendor development and maintenance of security guidance
  • Currently hosts 112 separate guidance documents for over 125 IT products
  • Translating this backlog of checklists into the Security Content Automation Protocol (SCAP)
  • Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements, ThreatGuard, MITRE Corporation, G2, Verisign, Verizon Federal, Kyocera, ConfigureSoft, McAfee, etc.

13
Security Content Automation Protocol (SCAP)
Coverage matrix (columns: Enumeration, Evaluation, Measuring, Reporting, Content). The check marks did not survive extraction, so only how many of the five functions each component was marked for is recoverable:
  CVE    2 functions
  CCE    2 functions
  CPE    2 functions
  XCCDF  3 functions
  OVAL   2 functions
  CVSS   2 functions
14
The Future of Vulnerability Management Operations
(Diagram; text recovered from it:)
  • Configuration content: organization guidelines (e.g., STIG) and the NIST Checklist Program
  • Misconfigurations and software flaws: National Vulnerability Database
  • Intelligence feeds: vulnerability alerts (e.g., IAVA)
  • Sources feeding operations: organization, vendor, NIST
15
Key Milestone
  • OMB Windows Security Configuration Memo, 22 March 2007
  • M-07-11, "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems" (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf)
  • Acknowledges the role of NIST, DoD, and DISA in baselining security configurations for Windows XP and Vista, and directs departments and agencies to adopt the Vista security configuration
  • Acknowledges that this baselining work is ahead of Vista OS deployment and encourages use of a very small number of secure configurations
  • Acknowledges that adoption increases security, increases network performance, and lowers operating costs
  • Mandates adoption of these security configurations by 1 February 2008 and requests draft implementation plans by 1 May 2007
  • A corresponding OMB memo to CIOs requires implementing and automating enforcement of these configurations

Excerpt from the SANS FLASH announcement:

  "The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money. The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now."
  Alan Paller, Director of Research, SANS Institute
  "P.S. SANS hasn't issued a FLASH announcement in more than two years. In other words, this White House action matters."
16
Next Steps
  • Vendors
    • Continue adoption of all SCAP standards; be a keystone product
    • Continue using the content of the NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists
    • Put SCAP technologies on your roadmap and budget accordingly
  • Service Providers
    • Continue using the content of the NIST Checklist Program and National Vulnerability Database when authoring XCCDF checklists
    • Prepare to help the operations community reconcile multiple mandates into XCCDF checklists
    • Position yourself to integrate SCAP-compliant products
    • Put SCAP and vulnerability management automation on your services roadmap and budget accordingly
  • Operations Community
    • Interact with your vendors and service providers about SCAP: ask about their SCAP plans and their SCAP readiness
    • Begin using phrasing like "SCAP compliant" in your acquisition language
    • Put SCAP and vulnerability management automation on your roadmap and budget accordingly

17
Stakeholder and Contributor Landscape: Federal Agencies
  • DHS: providing funding
  • NSA: providing resources; applying the technology
  • DISA: providing resources; integrating into Host Based System Security (HBSS) and enterprise security solutions
  • OSD: incorporating into the Computer Network Defense (CND) Data Strategy
  • DOJ: incorporating into the FISMA Cyber Security Assessment and Management (CSAM) tool
  • Army: integrating the Asset Vulnerability Tracking Resource (AVTR) with DoD and SCAP content; contributing a patch dictionary
  • DOS: incorporating into security posture by mapping SCAP to the certification and accreditation process
18
Stakeholder and Contributor Landscape: Industry
(Organizations were shown as logos on the slide; only the role text, and the names Nessus and Ai Metrix, survived extraction.)
  • FFRDC; supporter and maintainer of 4 of the standards
  • Incorporating SCAP into their products
  • Provides SCAP-compliant tools
  • Provides SCAP-compliant tools
  • Provides the Nessus tool (widely used in government), which is becoming SCAP compliant
  • Point solution provider; provides SCAP content
  • Point solution provider; provides SCAP content
  • Ai Metrix: provides a SCAP-compliant tool
  • Provides a SCAP-compliant tool
19
More Information
Security Content Automation Protocol (SCAP): http://nvd.nist.gov/scap.cfm
  • SCAP beta web site / repository deployed on October 20th
  • Beta SCAP files available:
    • Windows Vista misconfigurations (DISA/NSA/NIST, Microsoft, Air Force policies)
    • Windows XP misconfigurations/software flaws (NIST FISMA and DISA policies: SP 800-68 / Gold Disk)
    • Windows Server 2003 misconfigurations/software flaws (Microsoft and NIST FISMA policies)
    • Red Hat Enterprise Linux misconfigurations/software flaws
    • Microsoft Office 2007
    • Internet Explorer 7
    • Symantec AV
  • Beta SCAP files coming soon: Windows 2000, McAfee AV, Lotus Notes Domino Server
National Vulnerability Database (NVD): http://nvd.nist.gov
National Checklist Program: http://checklists.nist.gov
20
Upcoming Events
  • 11 June 2007: Defense Network Centric Operations 2007
  • Mid-to-late summer: Security Automation Workshop
    • Vendor demonstrations
    • Federal operations use cases

21
Questions
National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division
22
Additional Application of SCAP
23
XML Made Simple
XCCDF - eXtensible Car Care Description Format
OVAL - Open Vehicle Assessment Language
(The car analogy on the slide, with the XML reconstructed from the flattened transcript:)

  <Car>
    <Description>
      <Year>1997</Year>
      <Make>Ford</Make>
      <Model>Contour</Model>
      <Maintenance>
        <Check1>Gas Cap On</Check1>
        <Check2>Oil Level Full</Check2>
      </Maintenance>
    </Description>
  </Car>

  <Checks>
    <Check1>
      <Location>Side of Car</Location>
      <Procedure>Turn</Procedure>
    </Check1>
    <Check2>
      <Location>Hood</Location>
      <Procedure></Procedure> <!-- procedure text not preserved in the transcript -->
    </Check2>
  </Checks>
24
XML Made Simple
XCCDF - eXtensible Checklist Configuration Description Format
OVAL - Open Vulnerability Assessment Language

Standardized Checklist (XCCDF):

  <Document>
    <ID>NIST SP 800-68</ID>
    <Date>04/22/06</Date>
    <Version>1</Version>
    <Revision>2</Revision>
    <Platform>Windows XP</Platform>
    <Check1>Password &gt; 8</Check1>
    <Check2>FIPS Compliant</Check2>
  </Document>

Standardized Test Procedures (OVAL):

  <Checks>
    <Check1>
      <RegistryCheck/>
      <Value>8</Value>
    </Check1>
    <Check2>
      <FileVersion/>
      <Value>1.0.12.4</Value>
    </Check2>
  </Checks>

Standardized Measurement and Reporting
25
Application to Automated Compliance: The Connected Path
(Diagram; stages in order:)
  800-53 Security Control → 800-68 Security Guidance → ISAP-produced security guidance in XML format → COTS tool ingest → API call → Result
26
Application to Automated Compliance: The Connected Path

800-53 Security Control / DoD IA Control:
  AC-7 Unsuccessful Login Attempts

800-68 Security Guidance / DISA STIG/Checklist / NSA Guide:
  AC-7 Account Lockout Duration
  AC-7 Account Lockout Threshold

ISAP-produced security guidance in XML format (the OVAL registry test on the slide):

  <registry_test id="wrt-9999" comment="Account Lockout Duration Set to 5" check="at least 5">
    <object>
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>Software\Microsoft\Windows</key>
      <name>AccountLockoutDuration</name>
    </object>
    <data operation="AND">
      <value operator="greater than">5</value>
    </data>
  </registry_test>

COTS tool ingest, then API call (the slide's pseudocode, with the argument values it lists; the comparison is written in the direction Op names):

  RegQueryValue(lpHKey, path, value, sKey, Value, Op)
    lpHKey = HKEY_LOCAL_MACHINE
    path   = Software\Microsoft\Windows\
    sKey   = AccountLockoutDuration
    Value  = 5
    Op     = >
    If (Op = ">") then if (sKey > Value) return 1 else return 0

Result
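Slides 24 and 26 show the two halves of the connected path, a checklist that names a control and a test procedure that a tool evaluates, but not the glue between them. The following is an added example, not NIST or ISAP code, that runs that glue end to end: a constructed, simplified XCCDF-like checklist whose rules point at OVAL-like tests (the slide's registry_test plus a file-version test in the spirit of slide 24), evaluated against a constructed host snapshot standing in for RegQueryValue and GetFileVersionInfo so it runs offline. Real OVAL uses namespaces, separate state objects and a richer schema; the SC-13 mapping for the crypto-module rule, the crypto.dll path and the hardened snapshot are assumptions for illustration. Two caveats a content author should take from it: the slide's test comment says "at least 5" while its operator reads "greater than", so the operator vocabulary is spelled out here to keep the two from disagreeing, and the lockout duration is not really a plain value under HKLM\Software\Microsoft\Windows (it lives in the SAM's account policy, reachable via net accounts or secedit), so the slide's registry path is illustrative rather than a test you could ship.

```python
"""Mini XCCDF/OVAL-style evaluator for the 'connected path' on slides 24 and 26.

Added example, not NIST or ISAP code. The XML is a constructed, simplified
subset of the slide's OVAL registry_test plus a file-version test; the
registry snapshot and file-version table are constructed data standing in
for the Windows API calls so the example runs offline.
"""
import xml.etree.ElementTree as ET

# Constructed XCCDF-like checklist: each rule cites a control and an OVAL test id.
# AC-7 is the mapping from the slide; SC-13 for the crypto-module rule is an assumption.
CHECKLIST_XML = """
<Benchmark id="sp800-68-excerpt">
  <Rule id="lockout-duration" control="AC-7" test="wrt-9999"/>
  <Rule id="crypto-module-version" control="SC-13" test="fvt-0001"/>
</Benchmark>
"""

# Constructed OVAL-like tests. The slide says "at least 5" but uses the operator
# "greater than"; here the operator is spelled out so comment and test agree.
OVAL_XML = """
<Tests>
  <registry_test id="wrt-9999" comment="Account Lockout Duration set to at least 5">
    <object>
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>Software\\Microsoft\\Windows</key>
      <name>AccountLockoutDuration</name>
    </object>
    <data operation="AND">
      <value operator="greater than or equal">5</value>
    </data>
  </registry_test>
  <fileversion_test id="fvt-0001" comment="Crypto module at required version">
    <object><path>C:\\Program Files\\Example\\crypto.dll</path></object>
    <data operation="AND">
      <value operator="greater than or equal">1.0.12.4</value>
    </data>
  </fileversion_test>
</Tests>
"""

# Constructed host snapshot: what the API calls would return on a real system.
REGISTRY_SNAPSHOT = {
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows", "AccountLockoutDuration"): "3",
}
FILE_VERSIONS = {r"C:\Program Files\Example\crypto.dll": "1.0.12.10"}

# Explicit operator vocabulary, so "at least" and "greater than" cannot be confused.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "greater than": lambda actual, expected: actual > expected,
    "greater than or equal": lambda actual, expected: actual >= expected,
    "less than": lambda actual, expected: actual < expected,
}


def version_tuple(text):
    """'1.0.12.10' -> (1, 0, 12, 10); a plain string compare would rank it below 1.0.12.4."""
    return tuple(int(part) for part in text.split("."))


def lookup(test, registry, files):
    """Resolve the test's <object> against the host snapshot; None if it is absent."""
    obj = test.find("object")
    if test.tag == "registry_test":
        key = (obj.findtext("hive"), obj.findtext("key"), obj.findtext("name"))
        return registry.get(key)
    return files.get(obj.findtext("path"))


def evaluate_test(test, registry, files):
    """Return 'true', 'false' or 'error' (object missing), like OVAL result values."""
    actual = lookup(test, registry, files)
    if actual is None:
        return "error"          # absent object is not a pass and not a fail
    convert = version_tuple if test.tag == "fileversion_test" else int
    data = test.find("data")
    verdicts = [OPERATORS[v.get("operator")](convert(actual), convert(v.text))
                for v in data.findall("value")]
    combine = all if data.get("operation", "AND") == "AND" else any
    return "true" if combine(verdicts) else "false"


def evaluate_checklist(checklist_xml, oval_xml, registry, files):
    """Run each checklist rule's OVAL test; report pass/fail/error per rule and control."""
    tests = {t.get("id"): t for t in ET.fromstring(oval_xml.strip())}
    report = {}
    for rule in ET.fromstring(checklist_xml.strip()).findall("Rule"):
        outcome = evaluate_test(tests[rule.get("test")], registry, files)
        report[rule.get("id")] = {
            "control": rule.get("control"),
            "result": {"true": "pass", "false": "fail"}.get(outcome, "error"),
        }
    return report


if __name__ == "__main__":
    report = evaluate_checklist(CHECKLIST_XML, OVAL_XML, REGISTRY_SNAPSHOT, FILE_VERSIONS)
    for rule_id, r in report.items():
        print(f"{r['control']:6} {rule_id:24} {r['result']}")
```

With the snapshot above the AC-7 rule fails (3 is not at least 5) and the crypto-module rule passes; remove the registry value and the lockout rule reports error rather than pass, which is the distinction a compliance report has to preserve. The version test is where naive content breaks: compared as strings, "1.0.12.10" sorts below "1.0.12.4" and a current host would be reported non-compliant, so version data is parsed into integer tuples before the operator is applied.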