This presentation on Continuous Monitoring was created by Bryce Schroeder, who leads Tripwire's global presales engineering team.
He has over 29 years of IT architectural and security expertise solving Enterprise challenges. Bryce joined Tripwire from NetApp where he led a team of Architects and Systems Engineering in enterprise Cloud infrastructure solutions.
Numerous articles on Continuous Monitoring can be found here:
http://www.tripwire.com/state-of-security/tag/continuous-diagnostics-and-mitigation/
3. Sr. Director of Systems Engineering
Bryce leads the global presales engineering team at Tripwire. He has over 29 years of IT architectural and security expertise solving Enterprise challenges. Bryce joined Tripwire from NetApp where he led a team of Architects and Systems Engineering in enterprise Cloud infrastructure solutions. Prior to NetApp, Bryce served in senior leadership roles at Symantec, Sun Microsystems and Tektronix. Previous to that he held system admin and hardware and software design roles.
bschroeder@tripwire.com
5. Timeline
1997: Tripwire File System Monitoring
2005: Tripwire Enterprise, integrated change audit for servers, network devices, databases & Active Directory
2007: Configuration Assessment, the industry’s largest library of security, regulatory and operational policies
2010: Log and Security Event Management, an integrated log and event management solution
2011: Thoma Bravo acquires Tripwire, accelerating Tripwire’s "Creating Real Confidence" vision
2013: Tripwire acquires nCircle, delivering the industry’s most complete set of foundational security controls for the enterprise: SCM, VA, FIM, LM
6. Threat landscape
100: Foreign Intelligence organizations trying to hack into our military’s digital networks
10 Million: Cyber attacks daily at the Department of Energy
100K’s: Attack surface and amount of data is increasing
400%+: Increase of cyber attacks since 2006
80%: Attacks leveraging known vulnerabilities & configuration setting weaknesses
7. NIST SP 800-137
• Defines base requirements for CM
NIST SP 800-53
• Describes automated inspection items (controls) for security
• Aids automated Security Configuration Management strategy
NERC / FERC CIP
• Requirements for Federal Energy Critical Infrastructure Protection
ISO / IEC 27001
• Framework for continuous process improvement in information security
FISMA / FISMA 2
• Includes CM for configuration management and control of components; impact analysis of changes to systems, and ongoing assessment of security controls
12. • Aligned with RMF (NIST 800-37) and CM requirements (NIST SP 800-137)
NIST Risk Management Framework (SP 800-37) cycle: Categorize Information System → Select Security Controls → Implement Security Controls → Assess Security Controls → Authorize Information System → Monitor Security State (the SP 800-137 continuous monitoring cycle starts here), then back to Categorize.
21. Prioritize
Act on priorities from the Categorize Assets step
• Monitor and alert based on relative value of Assets
• High, Moderate, Low impact
• DMZ, Mission X, Processing, etc…
• Categorize logically and by criticality
Benefits of Categorization
• Easier to make risk-based decisions
• Risks are easier to determine knowing the mission the asset supports
• Enables rapid triage during incident response
22. Determine Risk Threshold
• Identify and apply your scoring methods: OCTAVE, CAESARS, iPOST, iRAMP, etc.
• Map thresholds to policies and assign weights to control checks
Example of Policy Thresholds
• <50%: Do Not Operate
• <80%: System should go through preplanning
• >80%: Operational
Assign weights for control test items; weights affect the risk scoring. Example:
• HIGH: Administrator set to blank or default password
• LOW: Users are part of a remote desktop group
30. Configuration Quality:
• % of configurations compliant with target security standards (risk-aligned), e.g. >95% in High; >75% in Medium
• number of unauthorized changes with security impact (by area)
• patch compliance by target area based on risk level, e.g. % of systems patched within 72 hours for High; within 1 week for Medium
Control effectiveness:
• % of incidents detected by an automated control
• % of incidents resulting in loss
• mean time to discover security incidents
• % of changes that follow change process
And of course, I recently completed this chart and a detailed sub-control mapping across our blended product line. What I like about this chart is the NSA rankings and how they rank with the first four CSC as well. This is impactful. When the NSA, SANS, and mappings to both NIST and ISO support working on the first four CSC to get you significantly down the road to improved cybersecurity, and it aligns with 2013 FISMA metrics, it’s not a bad place to start.
Another approach is what we call ‘Traditional Configuration Assessment,’ which can bring you up to compliance rapidly. But if changes happen afterwards, you have no visibility or control of those changes, and it is only when you run another scan that you get back into compliance. Even the highest performing organizations do these ‘mega-scans’ once a month at best! The low frequency of assessing IT configurations opens the door to risk and potential security breaches.
When you’re looking for a continuous monitoring solution – you need to consider a solution that enables 4 very specific capabilities.
Is it a critical asset? Medical system?
You need intelligent information to make risk-based decisions.
You cannot “turn on” continuous monitoring or real-time monitoring on everything. So you need to choose the frequency.
You need to feed that information to your authorizing official
• Support the business
• Be controllable: if you can't influence it, why report on it?
• Be quantitative
• Be easy to collect and analyze: if it takes 3 weeks to gather data you report on monthly, something is wrong
• Too hard to gather & interpret
• Reporting too often
• Subject to trending
• Metrics must be changeable: things you report on will change, and your targets will change
So those are some of the things that are going right. But let's take a look at what isn't going as well. In organizations that are stuck or stall, here are some of the things that tend to slow them down.

The first is the use of what I referred to as a "boil the ocean" approach. In other words, trying to do too much across too broad a landscape of your business. Rather than trying to solve every risk problem in the organization, pick one or two key areas that relate to one or two key business processes, and start there. Remember, non-technical executives tend to think of things in terms of revenue, costs, customer satisfaction, fulfillment, or other key processes in the business. Figure out what the most important process is, what the biggest risk is that's facing that particular area, then identify what you can do from an IT risk perspective to mitigate that risk. If you're successful, those early wins can make it a lot easier to move on to future phases of your projects.

Another problem I've seen is when the discussion goes too granular or too geeky very quickly. Executives have short attention spans, so keep it high level and get to the point quickly.

Closely related to this is when there is no buy-in from other parts of the organization. This can be very frustrating because it often looks like a superhero in the IT organization trying to take on the rest of the organization and force them to adopt a risk-oriented focus. If you don't have buy-in, you're not ready to start executing. The most effective place to get support is as high in the organization as you can manage. I mentioned tone at the top before. If you're trying to embark on a risk management project to get risk management adopted across your organization, make sure you have an executive sponsor. This is generally either the CEO or someone reporting to the CEO in your organization.

We've talked a bit about this one already, but I've also seen ineffective metrics, or a complete lack of metrics, stall risk management efforts. I'll get to that in a minute.

Finally, as I mentioned before, too many organizations are focused on cost as the primary focus of their risk management and security programs. This has got to change.
Explain the roles and responsibilities that individuals in IT security, IT and the business organization have in implementing continuous monitoring.
• Investigating and adopting a repeatable framework: FAIR, OCTAVE, OVAL, CAESARS, ISO, etc.
• Applying risk ranking/scoring methods
• Engaging cross-functional “steering committees” to examine various risks: Strategic & Operational, Information Security, Financial, Employment Practices, Intellectual Property, Physical, Legal, Regulatory, etc.
• Prioritizing projects, actions, and investments to bias toward areas of highest risk and impact
• Establishing Key Risk Indicators (KRIs) and Key Risk Objectives (KROs) to measure progress