continuous monitoring: diagnostics & mitigation [email protected] october 24, 2012
TRANSCRIPT
2
CXOs are accountable for IT security
BUT.
directly supervise onlya small part of the
systems actually in use.OBS
TACL
E
3
Nature of Attacks
80% of attacks leverage known vulnerabilities and
configuration management setting weaknesses
4
LOWERING RISK ACHIEVED BY:• Correcting for “tunnel vision” seen
in physiological studies of pilots
• Using math and statistics to accelerate corrective action
• Adapting market economics to daily risk calculation/priorities
• Automated patch distribution
5
WHILE NOT CHANGING:• Structure of departments or agencies• Decentralized technology management • Structure of security program
RATHER: Focus on Return on Investment (ROI) Integrate cyber security, operations, and top
to bottom work force decisions
6
“Attack Readiness” .
• What time is spent on• Faster action =
lower potential risk
7
Organizations, Major SystemsContractor Performance
8
AddressingInformation Overload
List Dominant Percentages of Risk
9
Results First 12 Months
0.0
200.0
400.0
600.0
800.0
1,000.0
1,200.0
6/1/2008 7/21/2008 9/9/2008 10/29/2008 12/18/2008 2/6/2009 3/28/2009 5/17/2009 7/6/2009 8/25/2009
Domestic Sites
Foreign Sites
89% Reduction
90% Reduction
Personal Computers and Servers
10
1/3 of Remaining Risk Removed
7/15/2
009
7/31/2
009
8/16/2
009
9/1/2
009
9/17/2
009
10/3/2
009
10/19/2
009
11/4/2
009
11/20/2
009
12/6/2
009
12/22/2
009
1/7/2
010
1/23/2
010
2/8/2
010
2/24/2
010
3/12/2
010
3/28/2
010
4/13/2
010
4/29/2
010
5/15/2
010
5/31/2
010
6/16/2
010
7/2/2
0100
20
40
60
80
100
120
140
160
180
200
DomesticForeign
[Year 2: PC’s/Servers]
11
4/1/2010 5/1/2010 6/1/2010 7/1/2010 8/1/2010 8/31/2010 10/1/20100
20
40
60
80
100
120
140
160
180
200
DomesticPolynomial (Domestic)OverseasPolynomial (Overseas)
Time
Risk
Poi
nts
whe
re 1
0 Po
ints
= 1
maj
or V
ulne
rabi
lity
per
mac
hine [Year 2: PC’s/Servers]
12
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
MS10-042 – August 2010Percent of applicable devices patched
Expected Value (Based on all reporting machines)
Lower Bound (Assumes all non-reporting machines are non-compliant)
Efficiency is Repeatable & Sustained
.
when charging 40 points0 - 84% in seven (7) days0 - 93% in 30 days
13
Case Study Results• 89% reduction in risk after 12 months
– personal computers & servers• Mobilizing to patch worst IT security risks first
– Mitigation across 24 time zones – Patch coverage 84% in 7 days; 93% in 30 days
• Outcome: – Timely, targeted, prioritized information– Actionable– Increased return on investment compared to an
earlier implementation of FISMA
14
Lessons Learned• When continuous monitoring augments
snapshots required by FISMA:– Mobilizing to lower risk is feasible & fast (11 mo)– Changes in 24 time zones with no direct contact– Cost: 15 FTE above technical management base
• This approach leverages the wider workforce• Security culture gains are grounded in
fairness, commitment and personal accountability for improvement
Development Phase
Federal CIO and CISO Cyber Goals
• Protect information assets of the US gov’t– Availability, integrity and confidentiality
• Lower operational risk and exploitation of– national security systems
– .gov networks, major systems & cloud services• Increase situational awareness of cyber status• Improve ROI of federal cyber investments • Fulfill FISMA mandates
20 C
ritica
l Con
trol
s1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Laptops,
Workstations, and Servers 4. Continuous Vulnerability Assessment and Remediation5. Malware Defenses 6. Application Software Security 7. Wireless Device Control 8. Data Recovery Capability (validated manually)9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually) 10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 11. Limitation and Control of Network Ports, Protocols, and Services 12. Controlled Use of Administrative Privileges 13. Boundary Defense 14. Maintenance, Monitoring, and Analysis of Security Audit Logs 15. Controlled Access Based on the Need to Know 16. Account Monitoring and Control 17. Data Loss Prevention 18. Incident Response Capability (validated manually)19. Secure Network Engineering (validated manually)20. Penetration Tests and Red Team Exercises (validated manually)
Continuous Diagnosis and Mitigation (CDM)“Full Operational Capability” (FOC) / Desired State:
• Minimum Time to FOC for CDM: 3 years;• CDM Covers 80-100% of 800-53 controls;• Smaller attack surface/“risk” for .gov systems;• Weaknesses are found and fixed much faster;• Replaces much 800-53 assessment work ($440M)
– And most of the POA&M process ($1.05 B)
• Risk scores reflect: threat, vulnerability and impact – Used to make clear, informed risk-acceptance decisions
• Economies reduce total cost yet improve security.
Selection of First Year Priorities
• Implement CMWG focus areas for controls– NSA and CMWG collaboration put in pilots– Complete baseline survey of highest D/A risks
• Award task orders for sensors and services tailored to agency needs and risk profile
• Connect initial controls to dashboard– HW/SW asset management/white listing;
vulnerability; configuration settings; anti-malware
Use of DHS Appropriated Funds
• Strategic Sourcing to buy– Sensors (where missing)– A Federal Dashboard– Services to operate the sensors and dashboard in
the D/As• Labor to mentor and train D/As to use the
dashboard to reduce risk efficiently• Processes to support CMWG (continuous C&A)
Stakeholder Consultation
• DHS and CMWG will consult on program direction and reflect stakeholder concerns of:– CIO Council/ISIMC, ISPAB– NSS, EOP, NIST, NSA– D/As and components– Industry– FFRDCs– Others
22
Continuous Monitoring (CM) Contract Element
Beneficiary for FY13 Networks & COTS CM
Software ($202M)
Tools /Services as options for internal
use
Use diagnostic standards
but may or may not purchase
1. DashboardDHS pays for all government
Department and Agencies Security reporting
to Cyber Scope
Can Purchase off of federal contract:•.mil, Defense Industrial Base;• others who use federal $;• plus State, local gov’t
Cloud Service providers for direct support of government dedicated cloud clients with
cost embedded.CSP ‘s could buy dashboard.
2. Continuous Monitoring Tool Bundles
(Multiple Award)
DHS Pays for initial .gov Agencies
& Departments who choose diagnostic capabilities
Can Purchase off of federal contract:•.mil, Defense Industrial Base;• others who use federal $;• plus State, local gov’t
Cloud Service Providers offer direct support of government dedicated cloud clients with
cyber testing cost embedded.CSP ‘s could buy tools.
3. Continuous Monitoring as a Service (CMaaS)
DHS pays for initial .gov Agencies & Department who
may choose a diagnostic service provider
Department & Agencies (or others) pay for custom systems CM using internal C&A report money (diagnostics and feeds to Cyber Scope)
Department & Agency custom systems using
internal funds.CSP ‘s could buy CMaaS for use as 3rd party Assessors.
4. Continuous monitoring data integration
DHS pays to prepare .gov diagnostic reports &
CyberScope feeds
Department & Agencies (or others) pay Using DHS
published standards using internal funds
Using DHS published standards using internal
funds
$440
M/y
r
Cloud
1
2,5
3, 10, 114
9
18, 8
Change to “plan for events” and “respond to events”.
12, 15
13, 17
14, 16, 20
19
6,7 are assets:They require all the other capabilities applied to them. For an application, it’s HW, SW etc. must be managed, inside a boundary, configured and relatively free of vulnerabilities.
One delta would be the extra analysis SW needs
pre-operations.
a
bcde
i
h
g
jk
l mn
o
p
P1
P1
P1
P1P2
P2
P2
P2
P2
P3
P3
P3
P3/4
P3/4
P3/4