correlating security data using scap standards presentations/streufert_scap.pdfcorrelating security...
TRANSCRIPT
![Page 1: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/1.jpg)
1
Correlating Security Data
Using SCAP Standards
Panel Discussion:
Department Of State
&
Environmental Protection Agency
John Streufert, CISO Department of State
![Page 2: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/2.jpg)
2
Panel Members
Mary Stone Holland, Director, Office of Computer Security, Bureau of Diplomatic Security, DoS
Dr. George Moore, Chief Computer Scientist, Office of Information Assurance, Bureau of Information Resource Management, DoS
Marian Cody, CISO,Environmental Protection Agency
Paul Green, President & CEO, G2
Moderator: Calvin Reimer, Chief, Evaluation and Verification Division, Office of Computer Security, DoS
![Page 3: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/3.jpg)
3
Eight Strategies to Becoming
Best of Class Using SCAP Data
John Streufert
Chief Information Security Officer
US Department of State
September 19, 2007
![Page 4: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/4.jpg)
4
Why?
• Correlation of IT Security Data Yields
Fast Results – SCAP is the best tool yet
100%
25%
Risk
Months
1 2 3 4 5 6 7 8 9
USAID
![Page 5: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/5.jpg)
5
How?
1. Respond to the unique data needs of each customer
2. Build a support structure to help ISSO’s solve their problems
3. Use weighted percentages as incentives to correct the worst
problems first
4. Provide letter grades to assessable business units
5. Structure the “pre-game” warm up
6. Use bureaucratic jujitsu – focus on those with the most to lose
7. Organize public competitions for continuous improvement
8. Structure continuous improvement efforts in 90 day increments
![Page 6: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/6.jpg)
6
1. Respond to the unique data needs of each customer
• ISSO’s and system owners need highly detailed summaries of specific vulnerabilities SCAP can provide, but
• Ambassadors and Assistant Secretaries want to know their relative risk in comparison to the rest of the organization
Conclusion:
• Individual vulnerabilities need to be presented to the owner
• The relative risk needs to be aggregated and presented to highermanagement.
Reference: The One to One Field Book: The Complete Toolkit for Implementing a 1 to 1 Marketing Program, Don Peppers and Martha Rogers, Ph.D Currency-Doubleday Press (1999)
![Page 7: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/7.jpg)
7
2. Build a support structure to help ISSO’s solve
their problems
• When individual technicians see the a specific problem, the fastest overall change comes from showing them a way to fix it themselves. (SCAP Baseline Feature)
• The best experience USAID had was a scanning tool that had an automated link between a specific vulnerability and self-help for a solution.
![Page 8: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/8.jpg)
8
3. Use weighted percentages as an incentive to
correct the worst problems first
IT Security managers find a “target rich”environment of problems to fix.
USAID and State are structuring the use of SCAP scanning tools to highlight data on the worst problems first
Tweaking of SCAP uses weighted percentages and other math to lift up high risks and diminish lower risks
![Page 9: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/9.jpg)
9
4. Provide letter grades to assessable business
units
• The leadership of federal organizations
have come to associate status of IT
Security with letter grades and stoplight
charts used in the President’s
Management Agenda
• If SCAP data can be summarized, entire
business units can get continuous
feedback on their progress
![Page 10: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/10.jpg)
10
5. Structure a “pre-game” warm up
• ISSO’s are your customers -- angering them is counterproductive.
• False positives occur, and improperly assigned devices found in scanning take on-site technicians to sort out.
• Give time for the learning curve to work
• Do not share grades outside the immediate organization for at least six months.
![Page 11: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/11.jpg)
11
6. Use bureaucratic jujitsu – focus on those
with the most to lose
Throw the weight of the organization into the IT security problem
• Send the grades to the senior manager– Send a copy to the technical team
• “Sell” the change to the leaders by noting how IT security attacks can disrupt, damage and diminish the budgets of the primary mission
• At early phases, do not escalate problems until all local attempts to support improvement are tried
![Page 12: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/12.jpg)
12
7. Organize public competitions for continuous
improvement
• All best of class organizations promote
and reward leaders based on results
• “Good IT Security Culture” recognizes
leaders and “publicly encourages” those
who are lagging
• After six months compare all
organizations head to head
![Page 13: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/13.jpg)
13
8. Structure continuous improvement
efforts in 90 day increments
• Over several years this approach works has worked best:– Visualize the top 50 problems
– Select the top 5 with highest benefit to lower risk
– Organize teams to pursue those initiatives with a 90 day check point
– Reset the playing field for the next game
– Set aside some resources for long term improvements and training
![Page 14: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/14.jpg)
14
Standards Based SecurityThe EPA Story
Marian Cody
Chief Information Security Officer,
U.S. Environmental Protection Agency
Building a Culture of Compliance
![Page 15: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/15.jpg)
15
Challenges to Building a Culture Challenges to Building a Culture
of Compliance of Compliance
• Lots of standards
• Lots of IT devices
• Lots of organizations
• Lots of miles between physical locations
• Lots of different management styles
• Lots of compliance reporting
Management with limited understanding of
security control specifics
![Page 16: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/16.jpg)
16
EPAEPA’’s Strategys Strategy
Create an integrated suite of automated Create an integrated suite of automated
security solutions based on federal security solutions based on federal
(SCAP) standards.(SCAP) standards.
� Implemented at the hardware/software level
but viewable at the enterprise level
� Supported by PERFORMANCE Reporting
� Geared to MANAGEMENT
� Based on REAL data
� Reflecting REAL operational status
� Using REPEATABLE processes
![Page 17: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/17.jpg)
17
How Did We Do It?How Did We Do It?
• Selected an automated Compliance Tool
• Tested it ourselves to make sure it worked
• Began deployment amid great resistance
• Found success in two offices – within days their compliance issues were solved – which was shared with their peers
• Provided time and training to ease into the system – about 9 months
• Communicated first at the staff level
• Added Management Level Quarterly Scorecards
Red Yellow Green
![Page 18: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/18.jpg)
18
Explicit Scoring & PublishingExplicit Scoring & Publishing
• 90% + = Green
• 75-89% = Yellow
• >75% = Red
• Allowing success in
the face of operational realities
• Enhancing
communication despite technical complexity
• Fostering healthy
competition
![Page 19: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/19.jpg)
19
Did It Work?Did It Work?
NetWare/NDS Score
0
10
20
30
40
50
60
70
80
90
100
2001
q3
2002
Jan
2002
May
2002
q4
2003
q1
2003
q2
2003
q3
2003
q4
2004
q1
2004
q2
2004
q3
2004
q4
2005
q1
2005
q2
2005
q3
2005
q4
2006
q1
![Page 20: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/20.jpg)
20
Building a Culture of Building a Culture of
ComplianceCompliance• Automated Standards-
Based (SCAP) Tools:
– Regular and reliable
security checking
– Built on repeatable
processes
– Standard metrics
– Remediation information
– Results useful to
technicians and management alike
• Giving Management
– Regular, understandable
communications
– Greater understanding of risks
– Real data upon which to
make management
decisions
– Ability to provide technical
direction
![Page 21: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/21.jpg)
21
WhatWhat’’s Next? s Next?
• Expanding the scope of management
reporting to capture results from other
security management tools – e.g., patch
management, vulnerability scanning, and
anti-virus monitoring
• Interfacing test results into ASSERT
for Agency security reporting
• Converting to SCAP compliant tools
![Page 22: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/22.jpg)
22
Standards Based Security
the Department of State Story� History of Compliance Management at
DoS
� Bringing Agency-unique issues in to
focus
� Circumstances leading to SCAP
adoption
� Areas under repair
� On the horizon
MH
![Page 23: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/23.jpg)
23
Increased Accountability is Critical
to Improving IT Security
• The Honorable Karen Evans, noted
speaker here, shared the following with
Congress: “…agency program officials
must engage and be held accountable for
ensuring that the systems that support
their programs and operations are
secure.”
MH
![Page 24: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/24.jpg)
24
Department of State – Challenges &
Success of Compliance
Management
� Customized security configuration documents were comprehensive but hard to implement globally
� DS built a custom compliance scanning tool to validate settings and security
MH
![Page 25: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/25.jpg)
25
Bringing Agency-unique security
issues in to focus
� Global nature of our networks makes it important to standardize and an oversight challenge
� System Administration by local personnel makes it more important to “lock down” the configuration
� Roles & Responsibilities agreement to balance security responsibility among Security Oversight bureau and the CIO’s Information Assurance office
MH
![Page 26: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/26.jpg)
26
Circumstances Leading To
SCAP Adoption
� New Technology Arriving Faster Than We Can Produce Word Documents
� Realignment of Resource Use
� Updated Commercial Compliance & Vulnerability Scanning Tools
� SCAP Facilitates Network Security Perspective From Multiple Tools
MH
![Page 27: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/27.jpg)
27
Diversity of Data Sources� Inventory Sources
� Vulnerability Scanners
� Certification Information
� Patch & AntiVirus Status
� Each of these have different models and don’t store / report information the same way
� Need to identify “systems of systems”, groups of individual IT resources that have value together
GM
![Page 28: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/28.jpg)
28
Steps in Progress
� Advanced Security Scoring Method That Helps Prioritize Response And Ensures That Risk Is Measured & Reported Fairly
� Need For ‘Common Remediation Enumeration’ – What Repeatable Fixes Will Provide Measurable Results
� Security-enabled Console To Enable System Owners / Managers To Track Progress
� Migrating To FDCC-compliant Checklists
GM
![Page 29: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/29.jpg)
29
Transition To Better
Situational Awareness
Get Good Risk Info to the Right Managers to
Enable Remediation and Tracking
Contextual Analysis
Workflow Management
Database of Record
Vulnerability Scanning
Compliance Scanning
Intrusion Detection Systems
AntiVirus Monitoring
Active Directory Info
Patch Deployment Monitoring
Network Behavior Anomaly
On-Site Assessments
PG
![Page 30: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/30.jpg)
30
Transition To Better
Situational Awareness
Get Good Risk Info to the Right Managers to
Enable Remediation and Tracking
PG
![Page 31: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/31.jpg)
31
On the horizon
� Normalizing Inventory And Linking To Business Value� Facilitates Compliance Reporting
� Enables Continuous Monitoring Of Authorized Systems
� Helps Prioritize Incident Response
� Reconciling OVAL With 800-53 Based Assessments� After a SCAP-based scan is done, how much of
my review is complete?
PG
![Page 32: Correlating Security Data Using SCAP Standards presentations/streufert_scap.pdfCorrelating Security Data Using SCAP Standards Panel Discussion: ... Martha Rogers, Ph.D Currency-Doubleday](https://reader030.vdocuments.us/reader030/viewer/2022040523/5e86821f535cac742a1084c7/html5/thumbnails/32.jpg)
32
ContactsJohn Streufert, Chief Information Security Officer, Department of
State - [email protected]
Marian Cody, Chief Information Security Officer, Environmental Protection Agency - [email protected]
Mary Sue Holland, Director, Office of Computer Security, Bureau of Diplomatic Security, DoS - [email protected]
Dr. George Moore, Chief Computer Scientist, Office of Information Assurance, Bureau of Information Resource Management, DoS– [email protected]
Calvin Reimer, Chief, Evaluation and Verification Division, Office of Computer Security, DoS – [email protected]
Paul Green, President & CEO, G2 – [email protected]