Standardizing and Automating Security Operations

Presented by: National Institute of Standards and Technology

   • Security Operations Today
   • Information Security Automation Program
   • Security Content Automation Protocol
   • The Future of Vulnerability Management
   • Next Steps
FISMA Compliance Model

30,000 FT   FISMA Legislation
            High-level, generalized information security requirements

15,000 FT   Federal Information Processing Standards
            FIPS 199: Information System Security Categorization
            FIPS 200: Minimum Information Security Requirements

5,000 FT    Management-level, Technical-level, and Operational-level Security Controls

Hands On    Information System Security Configuration Settings
            NIST, NSA, DISA, Vendors, Third Parties (e.g., CIS) Checklists and Implementation Guidance
Configuration Management and Compliance
This top-down schema needs to be managed from the bottom up.

Mandate        Controls                 Guidance
FISMA          SP 800-53                SP 800-68
HIPAA          ???                      (none listed)
SOX            ???                      (none listed)
GLB            ???                      (none listed)
INTEL          DCID                     ???
COMSEC ‘97     NSA Req                  NSA Guides
DoD            DoD IA Controls          DISA STIGs & Checklists
ISO            17799/27001              ???
Vendor         (none listed)            Guide
3rd Party      (none listed)            Guide

A finite set of possible known IT risk controls and application configuration options.

Agency Tailoring: Management, Operational, and Technical Risk Controls
   OS or Application           e.g., Windows
   Version/Role                e.g., XP
   Major Patch Level
   Environment                 Enterprise, Mobile, Stand Alone, SSLF
   Impact Rating or MAC/CONF   High, Moderate, Low

Result: millions of settings to manage across the Agency.
Vulnerability Trends

[Chart: vulnerabilities per year, 2001 through 2006, y-axis from 1,000 to 4,000; source: Symantec. A 20-50% increase over previous years.]

   • Decreased timeline in exploit development coupled with a decreased patch
     development timeline (highly variable across vendors)
   • Three of the SANS Top 20 Internet Security Attack Targets 2006 were categorized
     as “configuration weaknesses.” Many of the remaining 20 can be partially
     mitigated via proper configuration.
   • Increased prevalence of zero-day exploits
State of the Vulnerability Management Industry
   • Product functionality is becoming more robust as vendors
     acknowledge connections between security operations and a
     wide variety of IT systems (e.g., asset management,
     change/configuration management)
   • Some vendors understand the value of bringing together
     vulnerability management data across multiple vendors
   • Vendors are driving differentiation through enumeration, evaluation,
     content, measurement, and reporting, which:
       - Hinders information sharing and automation
       - Reduces reproducibility across vendors
       - Drives broad differences in prioritization and remediation
Security Operations Landscape
   • Manual platform-level configuration management across the
     enterprise is unwieldy at best
   • A large amount of time is being spent by security operations
     personnel demonstrating compliance with a wide variety of laws and
     mandates using a configuration that is fairly unchanging
   • Increasing number of laws and mandates
   • Increasing number of vulnerabilities per annum
   • A vulnerability management industry which seeks differentiation
     through enumeration, evaluation, content, measurement, and
     reporting
Key Milestone
   • NIST, DISA, NSA Security Automation Conference
       - September 2006
       - 300+ attendees
       - Keynote addresses by:
           Richard Hale, DISA CIAO
           Dennis Heretick, DOJ CISO
           Tony Sager, NSA’s Vulnerability Analysis and Operations Group Chief
Information Security Automation Program

   • The ISAP is an interagency and interdepartmental initiative.
   • It is becoming formalized through an MOA recognizing the need to:
       - Create and manage the evolution of a standards-based methodology for
         automating the implementation, monitoring, and adjustment of information
         system security.
       - Identify and reduce the number of known vulnerabilities and
         misconfigurations in government computing infrastructures over a shorter
         period of time.
       - Re-focus the vulnerability management industry on differentiation through
         product function.
       - Encourage innovation in the global marketplace.
Security Content Automation Protocol (SCAP)
Standardizing our Enumeration, Evaluation, Measuring, and Reporting

   CVE     Common Vulnerabilities and Exposures
           Standard nomenclature and dictionary of security-related software flaws
   CCE     Common Configuration Enumeration
           Standard nomenclature and dictionary of software misconfigurations
   CPE     Common Platform Enumeration
           Standard nomenclature and dictionary for product naming
   XCCDF   eXtensible Checklist Configuration Description Format
           Standard XML for specifying checklists and for reporting results of checklist evaluation
   OVAL    Open Vulnerability and Assessment Language
           Standard XML for testing procedures
   CVSS    Common Vulnerability Scoring System
           Standard for measuring the impact of vulnerabilities
           (Cisco, Qualys, Symantec, Carnegie Mellon University)
Integrating IT and IT Security Through SCAP

   Vulnerability Management:  CVE (software flaws) and CCE (misconfigurations)
   Asset Management:          CPE
   Configuration Management:  CCE
Existing Federal Products
Standardizing our Content

National Checklist Program
   • Established in response to NIST being named in the Cyber Security R&D Act of 2002
   • Encourages vendor development and maintenance of security guidance
   • Currently hosts 112 separate guidance documents for over 125 IT products
   • Translating this backlog of checklists into the Security Content Automation Protocol (SCAP)
   • Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS, ITAA,
     Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements, ThreatGuard,
     MITRE Corporation, G2, Verisign, Verizon Federal, Kyocera, Hewlett-Packard,
     ConfigureSoft, McAfee, etc.

National Vulnerability Database
   • 2.5 million hits per month
   • 20 new vulnerabilities per day
   • Cross references all publicly available U.S. Government vulnerability
       - FISMA Security Controls (all 17 families and 163 controls, for reporting reasons)
       - DoD IA Controls
       - DISA VMS Vulnerability IDs
       - Gold Disk VIDs
       - DISA VMS PDI IDs
       - NSA References
       - ISO 17799
   • Produces XML feed for NVD content
Security Content Automation Protocol (SCAP)

           Enumeration   Evaluation   Measuring   Reporting   Content
   CVE         ●                                                ●
   CCE         ●                                                ●
   CPE         ●                                                ●
   XCCDF                     ●                       ●          ●
   OVAL                      ●                                  ●
   CVSS                                   ●                     ●
The Future of Vulnerability Management Operations

Inputs:
   • Organization Guidelines (e.g., STIG)
   • Vulnerability Alerts (e.g., IAVA)
   • National Feeds (CVE, CCE, CPE, XCCDF, OVAL, CVSS) covering misconfigurations and software flaws

Program (compliance) path:
   Organization Guidelines → XCCDF → Standardized Test Procedures (OVAL)
   → Standardized Measurement and Reporting (CVSS) → Compliance and Audit Report
   → Metrics and Compliance Process

Change Control path:
   Vulnerability Alerts → Change List (XCCDF) → Standardized Change Procedures (OVRL)
   → Standardized Measurement and Reporting (CVSS, XCCDF) → Metrics Report
   → Metrics and Compliance Process
Key Milestone
   • OMB Windows Security Configuration Memo – 22 March 2007
   • M-07-11: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
       - Acknowledges the role of NIST, DoD, and DISA in baselining security configurations for Windows XP and Vista, and
         directs departments and agencies to adopt the Vista security configuration
       - Acknowledges that we are ahead of the Vista OS deployment and encourages use of a “very small number of
         secure configurations”
       - Acknowledges that adoption increases security, increases network performance, and lowers operating costs
       - Mandates adoption of these security configurations by 1 February 2008, and requests draft implementation plans by
         1 May 2007
   • Corresponding OMB Memo to CIOs: Requires “Implementing and automating enforcement of these
Excerpt from SANS FLASH Announcement:

“The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money. The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.

Alan [Alan Paller, Director of Research, SANS Institute]

PS. SANS hasn't issued a FLASH announcement in more than two years. [In other words,] this White House action matters.”
Next Steps
   Vendors
      • Continue adoption of all SCAP standards – be a keystone product
      • Continue using the content of the NIST Checklist Program and National Vulnerability
        Database when authoring XCCDF checklists
      • Put SCAP technologies on your roadmap and budget accordingly
   Service Providers
      • Continue using the content of the NIST Checklist Program and National Vulnerability
        Database when authoring XCCDF checklists
      • Prepare to help the operations community reconcile multiple mandates into XCCDF
      • Position yourself to integrate SCAP-compliant products
      • Put SCAP and vulnerability management automation on your services roadmap and
        budget accordingly
   Operations Community
      • Interact with your vendors and service providers about SCAP; ask about their SCAP
        plans and their SCAP readiness
      • Begin using phrasing like “SCAP compliant” in your acquisition language
      • Put SCAP and vulnerability management automation on your roadmap and budget
Stakeholder and Contributor Landscape: Federal Agencies

   NSA    Providing funding; providing resources; applying the technology
   DISA   Providing resources; integrating into Host Based System Security (HBSS) and Enterprise Security Solutions
   OSD    Incorporating into Computer Network Defense (CND) Data Strategy
   DOJ    Incorporating into FISMA Cyber Security Assessment and Management (CSAM) tool
   Army   Integrating Asset & Vulnerability Tracking Resource (AVTR) with DoD and SCAP content; contributing patch dictionary
   DOS    Incorporating into security posture by mapping SCAP to certification and accreditation process
Stakeholder and Contributor Landscape: Industry
[Contributor company logos; only the name Ai Metrix survived extraction]

   • FFRDC, supporter and maintainer of 4 standards
   • Incorporating SCAP into their products
   • Provides SCAP-compliant tools
   • Provides SCAP-compliant tools
   • Provides Nessus (widely government-used) tool, becoming SCAP compliant
   • Point solution provider; provides SCAP content
   • Point solution provider; provides SCAP content
   • Ai Metrix: provides a SCAP-compliant tool
   • Provides a SCAP-compliant tool
More Information
   • Security Content Automation Protocol (SCAP)
       - SCAP Beta Web Site / Repository, deployed on October 20
       - Beta SCAP files available:
           Windows Vista: DISA/NSA/NIST, Microsoft, Air Force policies
           Windows XP: misconfigurations/software flaws; NIST FISMA and DISA policies (SP 800-68 / Gold Disk)
           Windows Server 2003: misconfigurations/software flaws; Microsoft and NIST FISMA policies
           Red Hat Enterprise Linux: misconfigurations/software flaws
           Microsoft Office 2007
           Internet Explorer 7
           Symantec AV
       - Beta SCAP files coming soon:
           Windows 2000
           McAfee AV
           Lotus Notes Domino Server
   • National Vulnerability Database (NVD)
   • National Checklist Program
Upcoming Events

   • 11 June 2007: Defense Network Centric Operations 2007
   • Mid-Late Summer: Security Automation Workshop
       - Vendor demonstrations
       - Federal operations use cases

    National Institute of Standards & Technology
         Information Technology Laboratory
             Computer Security Division
Additional – Application of SCAP
XML Made Simple

XCCDF - eXtensible Car Care Description Format:

   <Car>
     <Description>
       <Year> 1997 </Year>
       <Make> Ford </Make>
       <Model> Contour </Model>
       <Maintenance>
         <Check1> Gas Cap = On </Check1>
         <Check2> Oil Level = Full </Check2>
       </Maintenance>
     </Description>
   </Car>

OVAL – Open Vehicle Assessment Language:

   <Checks>
     <Check1>
       <Location> Side of Car </Location>
       <Procedure> Turn </Procedure>
     </Check1>
     <Check2>
       <Location> Hood </Location>
       <Procedure> … </Procedure>
     </Check2>
   </Checks>

Error Report:
   Problem: Air Pressure Loss
   Diagnosis Accuracy: All Sensors Reporting
   Replace Gas Cap
   Expected Cost:
XML Made Simple

Checklist: XCCDF - eXtensible Checklist Configuration Description Format

   <Checklist>
     <Description>
       <Document ID> NIST SP 800-68 </Document ID>
       <Date> 04/22/06 </Date>
       <Version> 1 </Version>
       <Revision> 2 </Revision>
       <Platform> Windows XP </Platform>
       <Maintenance>
         <Check1> Password >= 8 </Check1>
         <Check2> FIPS Compliant </Check2>
       </Maintenance>
     </Description>
   </Checklist>

Standardized Procedures: OVAL – Open Vulnerability Assessment Language

   <Checks>
     <Check1>
       <Registry Check> … </Registry Check>
       <Value> 8 </Value>
     </Check1>
     <Check2>
       <File Version> … </File Version>
       <Value> </Value>
     </Check2>
   </Checks>

Standardized Measurement and Reporting
Application to Automated Compliance
The Connected Path

   800-53 Security Control
      → 800-68 Security Guidance
      → ISAP Produced Security Guidance in XML Format
      → COTS Tool Ingest
      → API Call
      → Result
Application to Automated Compliance
The Connected Path

800-53 Security Control / DoD IA Control:
   AC-7 Unsuccessful Login Attempts

800-68 Security Guidance / DISA STIG/Checklist / NSA Guide:
   AC-7: Account Lockout Duration
   AC-7: Account Lockout Threshold

ISAP Produced Security Guidance in XML Format:
   <registry_test id="wrt-9999" comment="Account Lockout Duration Set to 5" check="at least 5">
     <object>
       <data operation="AND">
         <value operator="greater than">5</value>
       </data>
     </object>
   </registry_test>

COTS Tool Ingest (values extracted from the XML):
   lpHKey = "HKEY_LOCAL_MACHINE"
   Path   = "Software\Microsoft\Windows\"
   Value  = "5"
   sKey   = "AccountLockoutDuration"
   Op     = ">"

API Call (pseudocode as shown on the slide):
   RegQueryValue(lpHKey, path, value, sKey, Value, Op);
   if (Op == ">")
       if (sKey < Value)
           return (1);
       else
           return (0);

Result
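As an added example (not code from the NIST slides), this Python script works the evaluation step of the connected path above and the "Password >= 8" check from the XML Made Simple slide: a simplified OVAL-style registry_test is parsed, compared against a constructed registry snapshot standing in for the RegQueryValue call, and rolled up into an XCCDF-style per-control result. The element and attribute names, the wrt-8888 test, the IA-5 mapping and the snapshot values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed OVAL-like content modelled on the slides' AC-7 "Account Lockout
# Duration set to 5" registry_test and the "Password >= 8" registry check.
# Element and attribute names are simplified assumptions, not the real OVAL schema.
OVAL_XML = """
<oval_definitions>
  <registry_test id="wrt-9999" comment="Account Lockout Duration Set to 5" check="at least 5">
    <object hive="HKEY_LOCAL_MACHINE" key="Software\\Microsoft\\Windows\\" name="AccountLockoutDuration"/>
    <data operation="AND"><value operator="greater than or equal">5</value></data>
  </registry_test>
  <registry_test id="wrt-8888" comment="Minimum Password Length at least 8" check="at least 8">
    <object hive="HKEY_LOCAL_MACHINE" key="Software\\Microsoft\\Windows\\" name="MinimumPasswordLength"/>
    <data operation="AND"><value operator="greater than or equal">8</value><value operator="less than or equal">14</value></data>
  </registry_test>
</oval_definitions>
"""

# Constructed registry snapshot standing in for the slide's RegQueryValue call.
REGISTRY = {
    ("HKEY_LOCAL_MACHINE", "Software\\Microsoft\\Windows\\", "AccountLockoutDuration"): "3",
    ("HKEY_LOCAL_MACHINE", "Software\\Microsoft\\Windows\\", "MinimumPasswordLength"): "12",
}

# The slide spells comparison operators out in words; keep that convention.
OPERATORS = {
    "greater than": lambda actual, expected: actual > expected,
    "greater than or equal": lambda actual, expected: actual >= expected,
    "less than or equal": lambda actual, expected: actual <= expected,
}

def evaluate_test(test, registry):
    """Evaluate one registry_test: 'pass', 'fail', 'notchecked' or 'error'."""
    obj = test.find("object")
    actual = registry.get((obj.get("hive"), obj.get("key"), obj.get("name")))
    if actual is None:
        return "notchecked"        # object absent: nothing to compare against
    data = test.find("data")
    outcomes = []
    for v in data.findall("value"):
        op = OPERATORS.get(v.get("operator"))
        if op is None:
            return "error"         # unknown operator: never silently pass
        outcomes.append(op(int(actual), int(v.text)))
    combine = all if data.get("operation", "AND") == "AND" else any
    return "pass" if combine(outcomes) else "fail"

def evaluate_definitions(xml_text, registry):
    """Map every registry_test id in the document to its result."""
    root = ET.fromstring(xml_text)
    return {t.get("id"): evaluate_test(t, registry) for t in root.findall("registry_test")}

# Constructed XCCDF-style rules tying 800-53 controls to the OVAL tests they rely on.
RULES = [
    {"id": "ac-7-account-lockout", "control": "AC-7", "tests": ["wrt-9999"]},
    {"id": "ia-5-password-length", "control": "IA-5", "tests": ["wrt-8888"]},
]

def rule_result(rule, test_results):
    """Roll OVAL test results up into one XCCDF-style rule result (worst verdict wins)."""
    outcomes = [test_results.get(t, "notchecked") for t in rule["tests"]]
    for verdict in ("error", "fail", "notchecked"):
        if verdict in outcomes:
            return verdict
    return "pass"
```

With the snapshot above, AC-7 evaluates to fail (the collected duration 3 is below the required 5) and IA-5 to pass; a missing registry object yields notchecked rather than a silent pass.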
