Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP)
Posted 12-Feb-2017
John M. Gilligan
May, 2009
Problem

Today's state: CIOs of large enterprises cannot:
• See their IT assets (they don't know what they have)
• Tell which systems comply with policy
  – Makes reporting and enforcement impossible
• Change configurations quickly in reaction to changing threats or vendor updates

IT organizations cannot effectively manage complex environments
Root Cause

Today's enterprise IT capabilities are:
• Complex
• Dynamic
• Vulnerable
• Fragmented in their use of automated management

Processes and tools are immature
CIOs are concerned about enterprise IT management

• Cost of poorly managed IT is growing rapidly
• Cyber attacks are exploiting weak enterprise management
  – Weakest link becomes the enterprise "Achilles heel"
  – Cyber exploitation is now a national security issue
• High quality IT support requires effective enterprise management

SCAP enables effective enterprise IT management and security
Goal: Well-Managed Enterprise

• Every device in an enterprise is known, actively managed, and configured as securely as necessary, all the time, and the right people know whether this is so
• Integrated and automated enterprise management tools increase operational effectiveness and security without increased cost
Solution Elements

• Governance
• Technology
• Discipline
Governance

• Define management and security policies and properties to be implemented in enterprise IT environments
• Accelerate evolution to a disciplined environment:
  – Federal Desktop Core Configuration (FDCC): establishes initial configuration discipline
  – 20 Critical Controls for Effective Cyber Defense (Consensus Audit Guidelines): counter the most significant threats with measurable controls
  – NIST Special Publication 800-53 (Information Security: Recommended Security Controls for Federal Information Systems): establish comprehensive, disciplined management and security policies and controls
Technology

• Use tools that are Security Content Automation Protocol (SCAP)-enabled
• Automate management of configuration, asset management, and security properties
  – Continuously assess, report, and enforce endpoint compliance
  – React quickly to changing situations (e.g., vendor patches, new configurations, revised policy)
• Achieve cross-vendor integration and interoperability

SCAP enables tool integration and interoperability for disciplined enterprise IT management
Discipline

Verify compliance with enterprise IT policies:
• Continuously verify effectiveness of controls by leveraging automation and trend metrics
• Also employ metrics for operational effectiveness and cost
• Use auditors and red teams to independently validate discipline
• Ensure visible accountability for those who violate policies
Leveraging SCAP for Enterprise IT Management
Current SCAP Standards

The slide's diagram maps the six SCAP standards (CVE, CVSS, OVAL, CCE, CPE, XCCDF) onto four foundational IT management functions:
• Software vulnerability management
• Configuration management
• Compliance management
• Asset management

SCAP supports foundational IT management functions

Specific SCAP Standards

• CVE (Common Vulnerabilities and Exposures): identifies vulnerabilities
• CVSS (Common Vulnerability Scoring System): scores vulnerability severity
• OVAL (Open Vulnerability and Assessment Language): criteria to check the presence of vulnerabilities, configurations, and assets
• CCE (Common Configuration Enumeration): identifies configuration controls
• XCCDF (Extensible Configuration Checklist Description Format): language to express configuration guidance for both automatic and manual vetting
• CPE (Common Platform Enumeration): identifies packages and platforms

SCAP enables enterprise-wide, cross-vendor interoperability and aggregation of data produced by separate tools
Mature Standards Illustrate Possibilities

• Common Vulnerabilities and Exposures (CVE): industry standard for identifying vulnerabilities
  – 36,000+ vulnerabilities agreed upon over the last 10 years
  – 245 products, 138 organizations, 25 countries
• Common Vulnerability Scoring System (CVSS): the Payment Card Industry (PCI) uses it to judge compliance of organizations that process card payments

Industry has adopted SCAP standards for individual needs
SCAP Gaining Momentum

• Federal Desktop Core Configuration (FDCC/SCAP)
  – Ken Heitkamp (ex-Deputy CIO AF): "FDCC with SCAP not only establishes standard configurations for hardware suppliers, it also addresses security for those that develop software"
• Open Vulnerability and Assessment Language (OVAL)
  – McAfee: "The ability to…describe vulnerabilities on a system and exchange that information between tools is doing a great deal to improve [vendor] offerings"
• NIST issues SCAP content for FISMA compliance
  – Steve Quinn (NIST): "[SCAP is] an automated approach to help agencies make the jump from security policies and mandates to secure systems."
Product Interoperability

The Problem
• Different vendor products give different answers
• CIOs can't integrate across vendors

The Solution
• The SCAP standard OVAL was introduced to enable integration
• Red Hat adopted OVAL and found it increased the value of their advisories to customers
• Other vendors have followed (e.g., Symantec)

OVAL provides the "glue" for SCAP-compliant tools, leading to interoperability
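What "glue" means in practice is that two tools report against the same OVAL definition identifiers, so their results can be merged and evaluated against one XCCDF benchmark without vendor-specific translation. The block below is an added example (not code from the slides or from any SCAP product): it parses a constructed XCCDF 1.1 benchmark with a hypothetical profile and hypothetical rule and OVAL definition ids, merges constructed per-host results from two hypothetical scanners, maps OVAL results to XCCDF rule results, and computes a weighted compliance score (a simplification of XCCDF's flat scoring model).

```python
"""XCCDF benchmark evaluation over OVAL results from two tools
(added example; benchmark, ids and scanner output are constructed)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.1}"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed benchmark: ids and titles are illustrative, not real NIST content.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <Profile id="baseline">
    <select idref="rule-screen-lock" selected="true"/>
    <select idref="rule-guest-account" selected="false"/>
  </Profile>
  <Rule id="rule-screen-lock" selected="true" weight="10">
    <title>Screen lock must engage within 15 minutes</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="checks.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-guest-account" selected="true" weight="5">
    <title>Guest account must be disabled</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="checks.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
  <Rule id="rule-password-length" selected="true" weight="10">
    <title>Minimum password length 12</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="checks.xml" name="oval:example:def:3"/>
    </check>
  </Rule>
</Benchmark>
"""

# Constructed OVAL results from two hypothetical scanners: host -> definition id -> OVAL result.
SCANNER_A = {"host-1": {"oval:example:def:1": "true", "oval:example:def:3": "false"}}
SCANNER_B = {"host-2": {"oval:example:def:1": "true", "oval:example:def:2": "true",
                        "oval:example:def:3": "true"}}

# OVAL definition result -> XCCDF rule result vocabulary.
OVAL_TO_XCCDF = {"true": "pass", "false": "fail", "error": "error", "unknown": "unknown"}


def load_rules(xml_text):
    """Return (profiles, rules): profile id -> {rule id: selected}, and a rule list."""
    root = ET.fromstring(xml_text)
    profiles = {}
    for prof in root.findall(f"{XCCDF_NS}Profile"):
        profiles[prof.get("id")] = {s.get("idref"): s.get("selected") == "true"
                                    for s in prof.findall(f"{XCCDF_NS}select")}
    rules = []
    for rule in root.findall(f"{XCCDF_NS}Rule"):
        check = rule.find(f"{XCCDF_NS}check")
        ref = check.find(f"{XCCDF_NS}check-content-ref") if check is not None else None
        oval_id = ref.get("name") if (ref is not None and check.get("system") == OVAL_SYSTEM) else None
        rules.append({"id": rule.get("id"),
                      "selected": rule.get("selected", "true") == "true",  # XCCDF default: selected
                      "weight": float(rule.get("weight", "1.0")),          # XCCDF default weight
                      "oval_id": oval_id})
    return profiles, rules


def evaluate(xml_text, profile_id, host_results):
    """Rule results for one host: profile selections override the rule's own
    'selected' flag; rules without an OVAL check, or whose definition no tool
    evaluated, are reported as 'notchecked' rather than silently passed."""
    profiles, rules = load_rules(xml_text)
    overrides = profiles.get(profile_id, {})
    results = {}
    for rule in rules:
        if not overrides.get(rule["id"], rule["selected"]):
            results[rule["id"]] = "notselected"
        elif rule["oval_id"] is None:
            results[rule["id"]] = "notchecked"
        else:
            results[rule["id"]] = OVAL_TO_XCCDF.get(host_results.get(rule["oval_id"]), "notchecked")
    return results


def score(xml_text, rule_results):
    """Weighted percentage of pass among rules that yielded pass or fail."""
    _, rules = load_rules(xml_text)
    weights = {r["id"]: r["weight"] for r in rules}
    scored = [(rid, res) for rid, res in rule_results.items() if res in ("pass", "fail")]
    total = sum(weights[rid] for rid, _ in scored)
    if total == 0:
        return 0.0
    return 100.0 * sum(weights[rid] for rid, res in scored if res == "pass") / total


def enterprise_report(xml_text, profile_id, *scanner_outputs):
    """Merge per-host OVAL results from several tools (later tools win on
    conflicts) and evaluate every host against the same profile."""
    merged = {}
    for output in scanner_outputs:
        for host, defs in output.items():
            merged.setdefault(host, {}).update(defs)
    return {host: evaluate(xml_text, profile_id, defs) for host, defs in merged.items()}


if __name__ == "__main__":
    report = enterprise_report(BENCHMARK_XML, "baseline", SCANNER_A, SCANNER_B)
    for host, res in report.items():
        print(host, res, f"score={score(BENCHMARK_XML, res):.1f}")
```

The merge is only sound because both scanners key their results by the shared OVAL definition id; a tool that reported "screen lock: OK" in its own vocabulary would have to be hand-mapped first, which is exactly the integration problem the slide describes.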
Enterprise IT Management Using SCAP

• DoD Computer Network Defense (CND) data sharing pilot demonstrating enterprise management using SCAP
  – SCAP shows which systems are vulnerable; enables rapid, prioritized response (e.g., rush patching); provides follow-up reporting
  – Tony Sager (NSA): "We do it all now with SCAP-compatible tools."
• Organizations are beginning to see SCAP benefits for other enterprise applications
Leadership is needed now

Shape technology to serve the public interest
Recommended Actions

How the Federal government can provide leadership:
1. Require SCAP-validated tools
2. Educate IT staff in how SCAP can be used for enterprise IT management
3. Deploy SCAP-validated tools; evolve to automated enterprise IT management
4. Share lessons learned with IT managers and vendors
  – More use cases, not just security
  – More transparent integration
SCAP can transform individual tools into integrated parts of an Enterprise IT Management Capability

(Diagram; labels: Capabilities, Tools)
Enterprise IT Management Roadmap

(Chart; axes: Capability, Cost)
Contact Information

John M. Gilligan
jgilligan@gilligangroupinc.com
703-503-3232
www.gilligangroupinc.com
Strategic Roadmap

• Controlled configuration for Windows
• Controlled configuration for major operating systems and applications
• Standardized application white and black listing
• Adaptive configurations based on threat
• Faster vulnerability impact/patch level assessment
• Standardized remediation, configuration control

Timeline labels on the slide: Today, 2010, 2010, 2011, OVAL adoption, 2012

Trend labels on the slide: More secure, more automated; Real-time management; More secure, automated, real time