agency security update service (asus) mike bolger ksc cio
TRANSCRIPT
![Page 1: Agency Security Update Service (ASUS) Mike Bolger KSC CIO](https://reader035.vdocuments.us/reader035/viewer/2022072116/56649e665503460f94b61398/html5/thumbnails/1.jpg)
Agency Security Update Service (ASUS)
Mike BolgerKSC CIO
![Page 2: Agency Security Update Service (ASUS) Mike Bolger KSC CIO](https://reader035.vdocuments.us/reader035/viewer/2022072116/56649e665503460f94b61398/html5/thumbnails/2.jpg)
ASUS Data Collection
The ASUS Project collects Enterprise IT Security Data:» Patch Management – 80,000+ devices» Software Inventory – 80,000+ devices» Federal Desktop Core Configuration (FDCC) – 60,000+
devices» Network Vulnerability – 120,000+ devices» Network Inventory – 120,000+ devices
Data is stored in IT Security Enterprise Data Warehouse (ITSEC-EDW)» Provides centralized “one-stop-shop” for IT Security
Data
204/19/23
![Page 3: Agency Security Update Service (ASUS) Mike Bolger KSC CIO](https://reader035.vdocuments.us/reader035/viewer/2022072116/56649e665503460f94b61398/html5/thumbnails/3.jpg)
Continuous Monitoring / Reporting
3
Example Data
![Page 4: Agency Security Update Service (ASUS) Mike Bolger KSC CIO](https://reader035.vdocuments.us/reader035/viewer/2022072116/56649e665503460f94b61398/html5/thumbnails/4.jpg)
Continuous Monitoring / Reporting
4
Interactive website provides searchable reports
List ofVulnerabilitiesBy CenterOr SecurityPlan
Drill down to a list of Workstation/server withvulnerabilities
![Page 5: Agency Security Update Service (ASUS) Mike Bolger KSC CIO](https://reader035.vdocuments.us/reader035/viewer/2022072116/56649e665503460f94b61398/html5/thumbnails/5.jpg)
Continuous Monitoring
The Agency is focusing on expanded Continuous Monitoring in alignment to proposed FISMA changes» ASUS Team is currently providing Continuous
Monitoring for:• Patch Management• Software Inventory• Network Inventory• Network Vulnerabilities
» Developing automated methods to Continuously Monitor NIST 800-53 Controls (IT System Security Plans)
504/19/23
![Page 6: Agency Security Update Service (ASUS) Mike Bolger KSC CIO](https://reader035.vdocuments.us/reader035/viewer/2022072116/56649e665503460f94b61398/html5/thumbnails/6.jpg)
IT Security Risk-Based Reporting
Continuous Monitoring will feed NASA IT Security Risk Score» Provide overall Risk score for a Security Plan, Center
and the Agency» Helps focus workforce to problem areas» Puts focus on reducing risk, not just meeting metrics
6
Metric Reporting
Tells us that there IS avulnerability
Risk Based Reporting
Tells us how avulnerability couldAFFECT us if it was
exploited
![Page 7: Agency Security Update Service (ASUS) Mike Bolger KSC CIO](https://reader035.vdocuments.us/reader035/viewer/2022072116/56649e665503460f94b61398/html5/thumbnails/7.jpg)
Collaboration with other NASA projects
ASUS Project is working to add IT Security Data Sources» Incident data from the NASA SOC» Antivirus data from ODIN» DHCP data from IPAM» Application data from Agency Data Center Consolidation
(ADCC)
The ASUS Project is a preventative tool in NASA’s IT Security arsenal
704/19/23
![Page 8: Agency Security Update Service (ASUS) Mike Bolger KSC CIO](https://reader035.vdocuments.us/reader035/viewer/2022072116/56649e665503460f94b61398/html5/thumbnails/8.jpg)
Agency is moving to a new Patch Management Solution» Reached the potential of the PatchLink product» Selected product» Benefits:
• More robust Agent• Scalable to meet NASA’s complex architecture• Follows OVAL standards• Provides additional functionality
o “Agent on a USB Stick”o Network Inventory to locate machines missing an Agent
• Appliance – reduces costs and maintenance for the Agency
Patch Management Solution
804/19/23
![Page 9: Agency Security Update Service (ASUS) Mike Bolger KSC CIO](https://reader035.vdocuments.us/reader035/viewer/2022072116/56649e665503460f94b61398/html5/thumbnails/9.jpg)
Agency Data Center Consolidation (ADCC)
Collaborating with the Agency Data Center Consolidation (ADCC) Project» OMB has come out with the “Federal Data Center
Consolidation Initiative”» Goal is to reduce overall costs and energy consumption» ADCC is preparing to deploy an Inventory and
Application Mapping tool in all NASA Data Centers– Application Mapping = tells us what is required to move a
“service” (i.e. Tech Doc)
» ASUS team will be providing the technical expertise to coordinate the deployment of the automated tool across the Agency
904/19/23