Developing a Continuous Monitoring Action Plan
DESCRIPTION
At the direction of OMB and NIST, security and IT pros in federal government must develop plans to implement "continuous monitoring," the practice of using IT security controls to constantly monitor and manage the security status of their information systems and networks. The transition from static security to continuous monitoring requires a new approach to IT security, and IT teams must devise a strategy and roadmap to be successful. In this editorial Webcast, cybersecurity experts discuss the tools and processes involved in moving from a traditional security environment to one designed around continuous monitoring. This Webcast will help government IT pros:
• Understand the objectives of continuous monitoring, such as reduced threat exposure through real-time risk assessment and response.
• Identify the steps involved, including determining the security impact of changes to IT systems and producing assessment reports.
• Assess system requirements in areas such as malware detection and event and incident management.
• Determine the need for upgrades and investment in new technologies.
TRANSCRIPT
![Page 1: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/1.jpg)
Developing a Continuous Monitoring Action Plan
An InformationWeek Government Webcast Sponsored by
![Page 2: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/2.jpg)
Webcast Logistics
![Page 3: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/3.jpg)
Welcome!
John Foley
Editor
InformationWeek Government
![Page 4: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/4.jpg)
Today’s Presenters
John Streufert
Deputy Chief Information Officer, Information Assurance
United States Department of State
Steve Johnston, CISSP, ITIL
Lead Federal Systems Engineer
Tripwire, Inc.
![Page 5: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/5.jpg)
What Is Continuous Monitoring?
“Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
>>NIST SP 800-137
![Page 6: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/6.jpg)
Building It Into The IT Budget
“What makes us more secure is real-time security monitoring--continuous monitoring--and acting on data. That's why agencies are directed as part of the FY 2012 budgeting process to make sure that their budget reflects presidential priority in terms of investing in tools, not in paperwork reports.”
>>Federal CIO Vivek Kundra, June 2010
![Page 7: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/7.jpg)
Continuous Monitoring Domains (NIST)
![Page 8: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/8.jpg)
CIA Invests In RedSeal Systems
"Continuous monitoring technologies will enable the U.S. intelligence community to effectively operate the complex, dynamic network defenses that protect critical information and systems.”
>>William Strecker, CTO, In-Q-Tel
![Page 9: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/9.jpg)
FISMA 2.0: A Continuous Monitoring Case Study
John Streufert ( [email protected] )
Deputy Chief Information Officer for Information Security, US Department of State
February 14, 2011
![Page 10: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/10.jpg)
Nature of Attacks
80% of attacks leverage known vulnerabilities and configuration management setting weaknesses.
![Page 11: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/11.jpg)
Tickets by Type: Threats Increasing
| Year | Tickets |
|---|---|
| 2008 | 2,104 |
| 2009 | 3,085 |
| 2010 | 7,998 |
[Pie charts for 2008 and 2010 break the tickets down by type: Malicious Code, Unauthorized Access, Denial of Service, Improper Use, Scans/Probes/Attempted Access, Investigation.]
![Page 12: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/12.jpg)
Case Study:
1) Scan every 36-72 hours
2) Find & fix top issues daily
3) Personal results graded
4) Hold managers responsible
![Page 13: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/13.jpg)
How: 1. Narrow Aim
| CAG ID | Consensus Audit Guideline | NIST 800-53 | US-CERT Report |
|---|---|---|---|
| 1 | Inventory of authorized and unauthorized hardware | CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9 | + 6 % |
| 2 | Inventory of authorized and unauthorized software | CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7 | + 22 % |
| 5 | Boundary Defense | AC-17, RA-5, SC-7, SI-4 | + 7 % |
| 9 | Controlled access based on need to know | AC-1, AC-2, AC-3, AC-6, AC-13 | 1 % |
| 12 | Anti-malware defenses | AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, CM-5, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8 | + 60% |
[US-CERT Report figures: 11 months before Feb 09]
![Page 14: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/14.jpg)
2. Bad Things by Numbers: Littering vs. Chemical Dumping
L.A. hotel pays a $200,000 fine because an employee dumps pool chemicals into a drain; fumes fill a subway station and several people become ill (March 23, 2010).
![Page 15: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/15.jpg)
Cube and Divide by 100
![Page 16: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/16.jpg)
3. Calculate Grades A+ to F-
![Page 17: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/17.jpg)
4. Focus on Worst First
![Page 18: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/18.jpg)
Results: First 12 Months (Personal Computers and Servers)
[Chart: risk score (0 to 1,200) by date, 6/1/2008 through 8/25/2009, for Domestic Sites and Foreign Sites; reductions of 89% and 90% shown.]
![Page 19: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/19.jpg)
Risk Scoring in 2nd Year
![Page 20: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/20.jpg)
Operation Aurora Attack
[Chart: MS10-018 patch coverage, % of applicable hosts reporting & patched, by date, 2-Apr through 16-Apr 2010.]
Risk scoring moves State Dept from 20 - 85% patched in six (6) days: April 3 – 9, 2010
Call a Problem 40x Worse
![Page 21: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/21.jpg)
[Chart: MS10-042 – August 2010, percent of applicable devices patched. Series: Expected Value (based on all reporting machines); Lower Bound (assumes all non-reporting machines are non-compliant).]
Efficiency is Repeatable & Sustained
When charging 40 points: 0 - 84% in seven (7) days; 0 - 93% in 30 days
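The scoring rules from these slides (cube the CVSS score and divide by 100 so that 10 points equals one major vulnerability per machine, charge a flagged problem 40 points, grade the result, work the worst hosts first, and report patch coverage as an expected value beside a lower bound) worked through as an added Python example; this is not State Department code, and the grade cut-offs, the flat 40-point charge, and the host and finding names are assumptions.

```python
"""iPost-style host risk scoring as described in the State Department slides:
cube the CVSS score and divide by 100, charge a flagged problem 40 points,
grade the result, and work the worst hosts first. Names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    ident: str             # constructed label, not a real CVE id
    cvss: float            # CVSS base score, 0.0-10.0
    flagged: bool = False  # "call a problem 40x worse", e.g. a missing priority patch


@dataclass
class Host:
    name: str
    findings: list = field(default_factory=list)


FLAGGED_CHARGE = 40.0  # slide: "when charging 40 points" (assumed flat, per finding)


def finding_points(f: Finding) -> float:
    """Cube and divide by 100: CVSS 10 -> 10 points, so 10 points = 1 major
    vulnerability per machine. A flagged finding is charged 40 points instead."""
    return FLAGGED_CHARGE if f.flagged else f.cvss ** 3 / 100.0


def host_points(h: Host) -> float:
    return round(sum(finding_points(f) for f in h.findings), 2)


# Grade cut-offs are an assumption; the slides show A+ to F- but not the scale.
GRADE_SCALE = [(0, "A+"), (5, "A"), (10, "B"), (20, "C"), (40, "D"), (80, "F"), (160, "F-")]


def grade(points: float) -> str:
    """Letter grade: the last cut-off the host's points reach."""
    letter = GRADE_SCALE[0][1]
    for floor, g in GRADE_SCALE:
        if points >= floor:
            letter = g
    return letter


def worst_first(hosts):
    """Focus on worst first: hosts ordered by risk points, highest first."""
    return sorted(hosts, key=host_points, reverse=True)


def patch_coverage(reporting_patched: int, reporting: int, applicable: int):
    """Expected value (reporting hosts only) and lower bound (non-reporting hosts
    counted as unpatched), as on the MS10-042 chart. Returns two percentages."""
    expected = round(100.0 * reporting_patched / reporting, 1) if reporting else 0.0
    lower = round(100.0 * reporting_patched / applicable, 1) if applicable else 0.0
    return expected, lower


# Constructed sample inventory: one flagged finding lifts srv-dc-07 from A+ to D.
SAMPLE_HOSTS = [
    Host("ws-paris-01", [Finding("VULN-0001", 10.0), Finding("VULN-0002", 5.0)]),
    Host("srv-dc-07", [Finding("VULN-0003", 7.5, flagged=True)]),
    Host("ws-dc-12", [Finding("VULN-0004", 4.3)]),
]

if __name__ == "__main__":
    for h in worst_first(SAMPLE_HOSTS):
        print(f"{h.name:12s} {host_points(h):7.2f} pts  grade {grade(host_points(h))}")
    print("coverage (expected %, lower bound %):", patch_coverage(840, 1000, 1200))
```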
![Page 22: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/22.jpg)
![Page 23: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/23.jpg)
1/3 of Remaining Risk Removed
[Chart: risk points (0-200) for Domestic and Foreign sites by date, 7/15/2009 through 7/14/2010.]
[Year 2: PC’s/Servers]
![Page 24: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/24.jpg)
[Chart: Risk Points (0-200) over Time, 4/1/2010 through 10/1/2010, where 10 points = 1 major vulnerability per machine. Series: Domestic, Polynomial (Domestic), Overseas, Polynomial (Overseas).]
[Year 2: PC’s/Servers]
![Page 25: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/25.jpg)
Benefit of Continuous Attention
[Chart: Risk Points (0-900), where 10 points = 1 major vulnerability, 5/17/2009 through 8/10/2010. Series: Steady or Decreases, Increases, Projected, Polynomial (Projected). Annotations: More Risk Measured; Risk Problems Fixed.]
If corrective action stopped, how quickly would risk accumulate?
![Page 26: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/26.jpg)
Lessons Learned
• When continuous monitoring augments snapshots required by FISMA:
  – Mobilizing to lower risk is feasible & fast (11 mo)
  – Changes in 24 time zones with no direct contact
  – Cost: 15 FTE above technical management base
• This approach leverages the wider workforce
• Security culture gains are grounded in fairness, commitment and personal accountability for improvement
![Page 27: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/27.jpg)
Next Steps
![Page 28: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/28.jpg)
A 20-year-old commercial said:
“The quality goes in, before the name goes on”
![Page 29: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/29.jpg)
Should we position our best solutions before or after accidents?
Cofferdam unit departing Wild West in Port Fourchon on the Chouest 280 workship named Joe Griffin, 05 May 2010 -- Photo from BP.com
![Page 30: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/30.jpg)
RISK: Threat, Vulnerabilities, Impact
![Page 31: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/31.jpg)
Continuous C&A Pilots
Priority sequence: quick wins vs. long term:
a. Inventory of Authorized Assets (CAG 1/2)
b. Configuration and Vulnerability Monitoring (CAG 3/4/10/12/13)
c. SCAP Content (automated & non-automated testing)
d. Boundary Defense (CAG 5/14)
e. Situational Awareness and Threat Analysis
f. Applications (CAG 7)
g. Access Controls (CAG 6/8/9/11)
h. Data Loss Protection (CAG 15)
![Page 32: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/32.jpg)
![Page 33: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/33.jpg)
Conclusions
• Risk scoring and continuous monitoring are scalable to large, complex public and private sector organizations
• Higher ROI for continuous monitoring of technical controls as a substitute for paper reports
• Summarized risk estimates could be fed to enterprise-level reporting
![Page 34: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/34.jpg)
Continuous Monitoring: Best Practices
Steve Johnston, CISSP, ITIL, Lead Federal Systems Engineer
Tripwire, Inc.
![Page 35: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/35.jpg)
Spirit of Continuous Monitoring
• Enables dynamic security to respond to evolving threats
• Provides details of your information systems
• Make risk-based decisions
• Take control and remain in control of your infrastructure
• Provides continuous input to the C&A process
• Moves the focus back to security
![Page 36: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/36.jpg)
1. Categorize Assets
2. Determine Risk Threshold
3. Establish Monitoring Frequency
4. Provide Detailed Reporting
![Page 37: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/37.jpg)
IT SECURITY & COMPLIANCE AUTOMATION
Categorize Assets
Categorize logically and by criticality
• Is it a critical asset?
• Is it a medical system?
• High, moderate or low severity?
• What kind of missions and programs do they support?
Benefits to Categorization
• Easier to make risk-based decisions
• Homepage and reporting views
• Risks are easier to determine knowing the mission the asset supports
![Page 38: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/38.jpg)
Determine Risk Threshold
Intelligent information to make risk-based decisions
Configuration data and log data, correlated together
Set appropriate thresholds to policies and weights to control checks
Example of Policy Thresholds
• <50%: Do not operate
• <75%: System should go through preplanning
• <90%: Operational
Test and control weights need to be set; weights affect the risk scoring
Example:
• HIGH – Administrator set blank password
• LOW – Users are part of a remote desktop group
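The policy-threshold idea from this slide worked through as an added Python example (not Tripwire's code): weighted control checks produce a pass percentage that is compared against the <50% and <75% thresholds. The numeric HIGH/LOW weights, the treatment of 75% and above as operational, the check names and the sample results are assumptions.

```python
"""Weighted control-check scoring against policy thresholds, in the style of
the risk-threshold slide: each check carries a weight, the weighted pass rate
is compared with the thresholds, and the result is an operational decision."""

# Weight values are an assumption; the slide names the levels, not the numbers.
WEIGHTS = {"HIGH": 10, "LOW": 1}


def policy_decision(score_pct: float) -> str:
    """Slide thresholds: below 50% do not operate, below 75% preplan.
    Treating 75% and above as operational is an assumption."""
    if score_pct < 50.0:
        return "do not operate"
    if score_pct < 75.0:
        return "preplanning required"
    return "operational"


def weighted_score(results) -> float:
    """results: list of (check_name, severity, passed). Returns weighted pass %."""
    total = sum(WEIGHTS[sev] for _, sev, _ in results)
    passed = sum(WEIGHTS[sev] for _, sev, ok in results if ok)
    return round(100.0 * passed / total, 1) if total else 0.0


def failing_checks(results):
    """Failed checks, highest weight first: the order in which fixes move the score."""
    return sorted(((name, sev) for name, sev, ok in results if not ok),
                  key=lambda r: -WEIGHTS[r[1]])


def with_fixed(results, name):
    """Re-score after remediating one check (marks it as passed)."""
    return [(n, s, True if n == name else ok) for n, s, ok in results]


# Constructed sample: the two weighted checks named on the slide plus filler checks.
SAMPLE_RESULTS = [
    ("Administrator account has blank password", "HIGH", False),
    ("Users are members of remote desktop group", "LOW", False),
    ("Audit logging enabled", "HIGH", True),
    ("Screen saver lock configured", "LOW", True),
    ("Guest account disabled", "LOW", True),
]

if __name__ == "__main__":
    score = weighted_score(SAMPLE_RESULTS)
    print(f"score {score}% -> {policy_decision(score)}")
    for name, sev in failing_checks(SAMPLE_RESULTS):
        after = weighted_score(with_fixed(SAMPLE_RESULTS, name))
        print(f"  fix [{sev}] {name}: {after}% -> {policy_decision(after)}")
```

Fixing the single HIGH-weight check moves the system from preplanning to operational, while fixing the LOW-weight check alone does not; that is the effect the weights are meant to have.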
![Page 39: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/39.jpg)
Determine Monitoring Frequency
Determine frequency by function and risk associated with each system and security control
• System level frequency
• Security control level frequency
• Application level frequency
![Page 40: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/40.jpg)
Example Continuous Monitoring Frequency
| Frequency | Device / Control |
|---|---|
| Near Real-Time | Mission critical controls; External facing devices; Events from critical systems; DB stored procedures; Mission X systems |
| Periodic | Hypervisor controls; Internal network devices; Directory services; DB schema; etc… |
| Daily / Weekly | Full systems; Application data controls; New installs, patches, hot fixes; Event and log review |
![Page 41: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/41.jpg)
Provide Detailed Reports
Respond and provide feedback to the Authorizing Official or representative:
• Incident Response
• Security Alerts
• Certification & Accreditation
Use the intelligent data feeds to make accurate risk-based decisions
![Page 42: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/42.jpg)
Example Feedback to the Authorizing Official
Respond on critical control and change information
![Page 43: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/43.jpg)
Example Feedback to the Authorizing Official
Provide actionable data: what and where
Respond to critical events
![Page 44: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/44.jpg)
1. Categorize Assets
2. Determine Risk Threshold
3. Establish Monitoring Frequency
4. Provide Feedback to Authorizing Official
![Page 45: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/45.jpg)
About Tripwire
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 5,500 customers in more than 87 countries rely on Tripwire’s integrated solutions. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively prove continuous compliance, mitigate risk, and achieve operational control through Visibility, Intelligence and Automation.
Learn more at www.tripwire.com
![Page 46: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/46.jpg)
Q&A Session
Please Submit Your Question Now
![Page 47: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/47.jpg)
To View This or Other Events On-Demand Please Visit:
http://www.netseminar.com
For more information please visit:
http://www.tripwire.com
Resources
![Page 48: Developing a Continuous Monitoring Action Plan](https://reader036.vdocuments.mx/reader036/viewer/2022062706/5575ca71d8b42a312a8b5152/html5/thumbnails/48.jpg)
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5440
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980
THANK YOU!