Security by Design - stackArmor

MEETING SECURITY AND COMPLIANCE REQUIREMENTS USING AWS SERVICES

Security by Design, Session 2: Continuous Monitoring and Management (CM)

Proprietary and confidential information of stackArmor

About Jack Heyman

➢ Has worked with many Federal agencies, Fortune 500 companies and Accounting/Consulting firms.

➢ Teaches IT related courses on a nationwide basis.

➢ Teaches CDM to most Federal agencies on behalf of Booz Allen Hamilton.

➢ Holds several certifications such as CISA, CAP, CIPP, CGFM, and CPA.

➢ Previously worked at PricewaterhouseCoopers for approximately 6 years.

➢ Loves to travel and interact with people from all over the world.

➢ Spent time volunteering to help those in need.

Why do you care about CDM?

• CDM is a best practice developed by experts in security and IT systems management over a period of many years.

• There are great lessons, practices and technologies that can be leveraged by security-focused organizations without having to re-invent the wheel.

• CDM is a great reference implementation and benchmark source to help Executive Management understand the need for continuous security monitoring and investment.

Introduction to CDM

• Established by the Department of Homeland Security (DHS).

• In conjunction with OMB, NIST, and others.

• Will address aspects of other requirements (e.g. FISMA, Privacy laws, etc.).

• Better management of vulnerabilities, coordination of issues across agencies, as well as cost savings.

CDM Requirements

• New devices need to be identified within 72 hours.

• Weaknesses need to be identified and remediated within specified timelines.

• All agencies need to report up to DHS.

• DHS needs to be able to send communications and other correspondence to the 'subordinate' agencies.

• All agencies (Executive branch), States, and other affected entities need to know their hardware and software, and be able to report on them in a timely manner.

The CDM Tech Stack

• There are 5 tools to be deployed as part of complying with CDM:

◦ ForeScout

◦ BigFix

◦ RES

◦ Splunk

◦ Dashboard (RSA Archer)

ForeScout Overview

✓ Manages inventory.

✓ Works with many technologies.

✓ Can identify, alert, restrict, disable and more for endpoints on the network.

✓ Can even locate non-IP addressable endpoints on the network.

ForeScout Challenges

✓ All internal IP addresses need to be configured.

✓ Assets must be categorized correctly (e.g. Windows, etc.), including the various segments and organizational units.

✓ Specific ports need to be open or listening in order for ForeScout to report correctly (e.g. ports 135, 139, 445).

✓ Assets that are unassigned or unclassified.

✓ Firewalls must also not block the BigFix reporting.

✓ Syslog communication.

BigFix Overview

✓ Applies patches and updates globally based on technology type.

✓ Works with many technologies.

✓ Subscribe to various checklists (e.g. CIS, USGCB, STIG, etc.) and ensure your endpoints are compliant with those respective checklists.

BigFix Challenges

✓ Can accommodate secure LDAP (port 636 must be open for this to work properly).

✓ Specific ports must be open (e.g. 52311, bi-directional) or else BigFix won't work properly.

✓ There are additional ports that should be open as well, such as 52312, 52314, and 52315 (Web Reports, Security and Compliance, and Inventory).

✓ Firewalls must also not block the BigFix reporting.

✓ Assigning Master operators to the same endpoints will likely result in errors (e.g. one operator running a Fixlet and the other operator running an opposing Fixlet).

✓ Editing the Masthead (access to the URL where software is downloaded from).

✓ Access to the database (DBA rights may be different from the BigFix endpoints).

✓ Audit data is retained only for 10 days by default.

✓ Syslog communication.

Splunk Overview

✓ Homogenizes and anonymizes data for consistent reporting (e.g. individual Agency to DHS).

✓ Identify only those audit events needed for reporting purposes.

✓ Like Google, but for searching data anywhere on the network.

✓ Works with other technologies such as Nessus.

Splunk Challenges

✓ Access to and configuration of the forwarders (the hardware items that forward data to the Splunk indexer) for analysis.

✓ Incomplete data may have been configured to be sent to the syslog servers.

✓ Other access configurations such as:

✓ Removing the use of LDAP.

✓ Limiting the number of jobs.

✓ Changing ports.

✓ Enabling SSL and/or email security.

✓ Specific ports must be open (e.g. 8443, 8089, 8191, and 9996) or else Splunk won't work properly:

✓ 8443 – Splunk search page (port used for user login)

✓ 8089 – used by the search engine (used by the search head against the indexer - 9996)

✓ 8191 – used to store lookups for populating events with fields pulled from the Key Value (KV) store

✓ 9996/7 – used by the data gathering component to the indexer
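The port lists on the ForeScout, BigFix and Splunk challenge slides are exactly what breaks silently when a firewall ruleset is changed. The following Python script is an added example, not part of the stackArmor deck or of any vendor's tooling: it probes each required TCP port from the monitoring host and reports the ones that fail, so a closed port is caught before the Archer dashboard goes stale. The hostnames are assumptions the caller supplies, and the script bundles all of one tool's ports under a single host, which a deployment with separate search heads and indexers would split up.

```python
"""Port-reachability check for the CDM tool stack.

Added example, not stackArmor's or any vendor's code. The port numbers come
from the deck's challenge slides; which host each port should be tested
against (search head, indexer, BigFix root server, ForeScout appliance) is
an assumption the caller supplies.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Ports the deck says must be open, per tool, with the role the deck gives them.
REQUIRED_PORTS: Dict[str, Dict[int, str]] = {
    "splunk": {
        8443: "search page (user login)",
        8089: "search head -> indexer management port",
        8191: "KV store lookups",
        9996: "forwarder -> indexer",
        9997: "forwarder -> indexer",
    },
    "bigfix": {
        52311: "root server / relay, bi-directional",
        52312: "Web Reports",
        52314: "Security and Compliance",
        52315: "Inventory",
        636: "secure LDAP",
    },
    "forescout": {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"},
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a full TCP connect to host:port succeeds within the timeout.

    A refused and a filtered (dropped) port both come back False; only the
    former fails fast, so keep the timeout short when sweeping many hosts.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to whether it is reachable on host."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def check_tool(tool: str, host: str, timeout: float = 2.0) -> Dict[int, bool]:
    """Check every port the deck lists for one tool against the given host."""
    return check_ports(host, REQUIRED_PORTS[tool], timeout)


def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that failed the check, sorted, ready for an alert or a ticket."""
    return sorted(port for port, ok in results.items() if not ok)


def open_local_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on 127.0.0.1 so the check can be exercised
    offline; returns the socket (close it when done) and its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: one port we know is listening and port 1, a low
    # port that is normally closed on any host.
    srv, live_port = open_local_listener()
    try:
        results = check_ports("127.0.0.1", [live_port, 1])
    finally:
        srv.close()
    print("reachable:", results)
    print("missing  :", missing_ports(results))
    # Against a real deployment (hostname is an assumption):
    # print(missing_ports(check_tool("splunk", "splunk-indexer.example.internal")))
```

Run it as-is to see the offline demonstration against a local listener; in practice, point `check_tool` at the real hosts and schedule it, since a non-empty `missing_ports` result answers the later Archer questions about closed ports without waiting for a month-end report.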

RSA Archer Overview

✓ Reporting tool based on all data ingested by Splunk.

✓ Run filters, queries and other analysis to identify in real-time any issues that may have arisen.

✓ Facilitates preventive, detective, and corrective controls.


RSA Archer Questions

General

➢ How can I see a report of all devices grouped by operating system, technology, etc.?

➢ Can I see a pie chart of the various operating systems?

➢ Can I sort by Windows 2008 R2?

➢ Can I see the location of my hardware devices?

➢ What were the changes to my inventory since last month?

➢ Can I get a report of all Nessus vulnerabilities by technology and location?

➢ Which of my systems are FISMA reportable?


RSA Archer Questions

Forescout

➢ Is there a report to show me all unassigned hardware from Forescout?

➢ How about a report of all unclassified hardware from Forescout?

➢ Is there a report showing which hardware appliances are currently without BigFix installed?

➢ Can I see a report of all new hardware devices added in the last month?

➢ Were there any hardware devices that had their firewall rulesets changed to block ForeScout reporting?

➢ Are there any IP addresses that have not been assigned or configured?

➢ Is there a report showing which servers have had specific ports closed?

➢ What are the assets that are non-IP addressable assets that are tracked by Forescout but not BigFix?
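Several of the Archer questions above are inventory deltas: what changed since last month, which devices are new, which are unassigned or unclassified, which lack BigFix. The following Python script is an added example, not stackArmor's, ForeScout's or RSA Archer's code: it diffs two constructed inventory snapshots to answer those questions and also applies the CDM requirement from the earlier slide, flagging new devices that are still unclassified more than 72 hours after they were first seen. The record layout (id, ip, os, first_seen, bigfix) is an assumption; a real ForeScout or Archer export uses its own field names.

```python
"""Inventory delta and CDM 72-hour check.

Added example, not stackArmor's, ForeScout's or RSA Archer's code. The record
layout is an assumption and the snapshots below are constructed sample data.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed sample snapshots, not real agency data.
LAST_MONTH: List[Dict] = [
    {"id": "host-001", "ip": "10.0.1.10", "os": "Windows 2008 R2", "first_seen": "2020-06-01T08:00:00Z", "bigfix": True},
    {"id": "host-002", "ip": "10.0.1.11", "os": "RHEL 7", "first_seen": "2020-06-02T08:00:00Z", "bigfix": True},
    {"id": "host-003", "ip": "10.0.1.12", "os": "Windows 10", "first_seen": "2020-06-03T08:00:00Z", "bigfix": False},
    {"id": "printer-01", "ip": "10.0.2.5", "os": "Printer", "first_seen": "2020-05-20T08:00:00Z", "bigfix": False},
]
THIS_MONTH: List[Dict] = [
    {"id": "host-001", "ip": "10.0.1.10", "os": "Windows 2008 R2", "first_seen": "2020-06-01T08:00:00Z", "bigfix": True},
    {"id": "host-002", "ip": "10.0.1.11", "os": "RHEL 8", "first_seen": "2020-06-02T08:00:00Z", "bigfix": True},  # OS upgraded
    {"id": "printer-01", "ip": "10.0.2.5", "os": "Printer", "first_seen": "2020-05-20T08:00:00Z", "bigfix": False},
    {"id": "host-004", "ip": "10.0.1.20", "os": "Windows 2008 R2", "first_seen": "2020-07-24T10:00:00Z", "bigfix": True},  # new, classified
    {"id": "unknown-01", "ip": "10.0.3.7", "os": "", "first_seen": "2020-07-15T09:00:00Z", "bigfix": False},  # new, unclassified for 10 days
    {"id": "unknown-02", "ip": "10.0.3.8", "os": "", "first_seen": "2020-07-24T20:00:00Z", "bigfix": False},  # new, unclassified, 16 hours old
]

TRACKED_FIELDS = ("ip", "os", "bigfix")   # a change in any of these counts as "changed"
CDM_WINDOW = timedelta(hours=72)           # from the CDM Requirements slide


def parse_ts(s: str) -> datetime:
    """Parse the snapshot's UTC timestamps (format is an assumption)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def diff_inventory(old: Iterable[Dict], new: Iterable[Dict]) -> Dict[str, List[str]]:
    """Answer 'what changed since last month?': added, removed and changed ids."""
    old_by_id = {d["id"]: d for d in old}
    new_by_id = {d["id"]: d for d in new}
    added = sorted(set(new_by_id) - set(old_by_id))
    removed = sorted(set(old_by_id) - set(new_by_id))
    changed = sorted(
        i for i in set(old_by_id) & set(new_by_id)
        if any(old_by_id[i].get(f) != new_by_id[i].get(f) for f in TRACKED_FIELDS)
    )
    return {"added": added, "removed": removed, "changed": changed}


def overdue_unclassified(devices: Iterable[Dict], now: datetime, window: timedelta = CDM_WINDOW) -> List[str]:
    """Devices with no classification (empty os) first seen longer ago than the CDM window."""
    return sorted(d["id"] for d in devices
                  if not d.get("os") and now - parse_ts(d["first_seen"]) > window)


def missing_bigfix(devices: Iterable[Dict]) -> List[str]:
    """Answer 'which hardware is currently without BigFix installed?'."""
    return sorted(d["id"] for d in devices if not d.get("bigfix"))


def count_by_os(devices: Iterable[Dict]) -> Dict[str, int]:
    """Answer 'all devices grouped by operating system' (the pie-chart question)."""
    return dict(Counter(d.get("os") or "unclassified" for d in devices))


if __name__ == "__main__":
    now = parse_ts("2020-07-25T12:00:00Z")  # constructed report date
    print("delta:", diff_inventory(LAST_MONTH, THIS_MONTH))
    print("overdue unclassified (>72h):", overdue_unclassified(THIS_MONTH, now))
    print("without BigFix:", missing_bigfix(THIS_MONTH))
    print("by OS:", count_by_os(THIS_MONTH))
```

The 72-hour check is deliberately computed from `first_seen` rather than from the report date, so a device that sat unclassified for weeks is flagged even if the monthly report happens to run the day it was finally classified in a later snapshot.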


RSA Archer Questions

BigFix

➢ How about a report that shows which applications have out of date patches?

➢ Is there a report showing which servers have had specific ports closed?

➢ Have there been any modifications to the Masthead within the BigFix installation?

➢ Have there been any new users created, deleted or modified with regard to the SQL database used for BigFix?

➢ Has auditing exceeded the 10 day setting and is now being overwritten?


RSA Archer Questions

Splunk

➢ Have there been any new forwarders configured in the last month?

➢ Have the threshold limitations for ingesting data changed in the last month?

➢ Were any new configurations deployed within the Splunk architecture (e.g. forwarders, indexers, index clusters)?

➢ Have the parameters concerning Splunk buckets changed or was data removed from the buckets?

➢ Was SSL disabled on the Splunk indexer?

➢ Have any of the Splunk ports been closed in the last month?

Learn more at www.stackArmor.com

Thank you

www.stackArmor.com

[email protected]

Security By Design: https://www.stackArmor.com/SecurityByDesign