John Streufert - Security Innovation Network

Report
Continuous Monitoring:
Diagnostics & Mitigation
john.streufert@hq.dhs.gov
October 24, 2012
OBSTACLE
CXOs are accountable
for IT security
BUT
.
directly supervise only
a small part of the
systems actually in use.
2
Nature of Attacks
80% of attacks leverage
known vulnerabilities and
configuration management
setting weaknesses
3
LOWERING RISK ACHIEVED BY:
• Correcting for “tunnel vision” seen
in physiological studies of pilots
• Using math and statistics to
accelerate corrective action
• Adapting market economics to
daily risk calculation/priorities
• Automated patch distribution
4
WHILE NOT CHANGING:
• Structure of departments or agencies
• Decentralized technology management
• Structure of security program
RATHER:
 Focus on Return on Investment (ROI)
 Integrate cyber security, operations, and
top to bottom work force decisions
5
“Attack Readiness”
.
• What time is spent on
• Faster action =
lower potential risk
6
Organizations, Major Systems
Contractor Performance
7
Addressing
Information Overload
List Dominant Percentages of Risk
8
Results First 12 Months
1,200.0
Personal Computers and Servers
1,000.0
Domestic Sites
800.0
Foreign Sites
600.0
89%
Reduction
400.0
90%
Reduction
200.0
0.0
6/1/2008
7/21/2008
9/9/2008
10/29/2008 12/18/2008
2/6/2009
3/28/2009
5/17/2009
7/6/2009
8/25/2009
9
1/3 of Remaining Risk Removed
200
180
[Year 2: PC’s/Servers]
160
140
120
100
80
60
40
20
Domestic
Foreign
0
10
Risk Points where 10 Points = 1 major Vulnerability per machine
200
[Year 2: PC’s/Servers]
180
160
Domestic
Overseas
140
Poly. (Domestic)
120
Poly. (Overseas)
100
80
60
40
20
0
4/1/2010
5/1/2010
6/1/2010
7/1/2010
8/1/2010
8/31/2010
10/1/2010
Time
11
Efficiency is Repeatable & Sustained
100%
90%
80%
Expected Value (Based on all reporting
machines)
70%
Lower Bound (Assumes all non-reporting
machines are non-compliant)
MS10-042 – August 2010
Percent of applicable devices patched
60%
50%
.
40%
when charging 40 points
0 - 84% in seven (7) days
0 - 93% in 30 days
30%
20%
10%
9/12/2010
9/11/2010
9/10/2010
9/9/2010
9/8/2010
9/7/2010
9/6/2010
9/5/2010
9/4/2010
9/3/2010
9/2/2010
9/1/2010
8/31/2010
8/30/2010
8/29/2010
8/28/2010
8/27/2010
8/26/2010
8/25/2010
8/24/2010
8/23/2010
8/22/2010
8/21/2010
8/20/2010
8/19/2010
8/18/2010
8/17/2010
8/16/2010
8/15/2010
8/14/2010
8/13/2010
8/12/2010
0%
12
Case Study Results
• 89% reduction in risk after 12 months
– personal computers & servers
• Mobilizing to patch worst IT security risks first
– Mitigation across 24 time zones
– Patch coverage 84% in 7 days; 93% in 30 days
• Outcome:
– Timely, targeted, prioritized information
– Actionable
– Increased return on investment compared to an
earlier implementation of FISMA
13
Lessons Learned
• When continuous monitoring augments
snapshots required by FISMA:
– Mobilizing to lower risk is feasible & fast (11 mo)
– Changes in 24 time zones with no direct contact
– Cost: 15 FTE above technical management base
• This approach leverages the wider workforce
• Security culture gains are grounded in
fairness, commitment and personal
accountability for improvement
14
Development Phase
Federal CIO and CISO Cyber Goals
• Protect information assets of the US gov’t
– Availability, integrity and confidentiality
• Lower operational risk and exploitation of
– national security systems
– .gov networks, major systems & cloud
services
• Increase situational awareness of cyber status
• Improve ROI of federal cyber investments
• Fulfill FISMA mandates
20 Critical Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops,
Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Security Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
20. Penetration Tests and Red Team Exercises (validated manually)
Continuous Diagnosis and Mitigation (CDM)
“Full Operational Capability” (FOC) / Desired State:
•
•
•
•
•
Minimum Time to FOC for CDM: 3 years;
CDM Covers 80-100% of 800-53 controls;
Smaller attack surface/“risk” for .gov systems;
Weaknesses are found and fixed much faster;
Replaces much 800-53 assessment work ($440M)
– And most of the POA&M process ($1.05 B)
• Risk scores reflect: threat, vulnerability and impact
– Used to make clear, informed risk-acceptance decisions
• Economies reduce total cost yet improve security.
Selection of First Year Priorities
• Implement CMWG focus areas for controls
– NSA and CMWG collaboration put in pilots
– Complete baseline survey of highest D/A risks
• Award task orders for sensors and services
tailored to agency needs and risk profile
• Connect initial controls to dashboard
– HW/SW asset management/white listing;
vulnerability; configuration settings; anti-malware
Use of DHS Appropriated Funds
• Strategic Sourcing to buy
– Sensors (where missing)
– A Federal Dashboard
– Services to operate the sensors and dashboard in
the D/As
• Labor to mentor and train D/As to use the
dashboard to reduce risk efficiently
• Processes to support CMWG (continuous C&A)
Stakeholder Consultation
• DHS and CMWG will consult on program
direction and reflect stakeholder concerns of:
– CIO Council/ISIMC, ISPAB
– NSS, EOP, NIST, NSA
– D/As and components
– Industry
– FFRDCs
– Others
cdm.fns@hq.dhs.gov
Beneficiary for FY13
Networks & COTS CM
Software ($202M)
Tools /Services
as options for
internal use
Use diagnostic
standards
but may or may not
purchase
Can Purchase off of federal
contract:
•.mil, Defense Industrial Base;
• others who use federal $;
• plus State, local gov’t
Cloud Service providers for
direct support of government
dedicated cloud clients with
cost embedded.
CSP ‘s could buy dashboard.
Can Purchase off of federal
contract:
•.mil, Defense Industrial Base;
• others who use federal $;
• plus State, local gov’t
Cloud Service Providers offer
direct support of government
dedicated cloud clients with
cyber testing cost embedded.
CSP ‘s could buy tools.
1.
Dashboard
DHS pays for all government
Department and Agencies
Security reporting
to Cyber Scope
2.
Continuous
Monitoring Tool
Bundles
(Multiple Award)
DHS Pays for
initial .gov Agencies
& Departments who choose
diagnostic capabilities
Continuous
Monitoring as a
Service (CMaaS)
DHS pays for initial .gov
Agencies & Department who
may choose a diagnostic
service provider
Continuous
monitoring
data integration
DHS pays to prepare .gov
diagnostic reports &
CyberScope feeds
3.
4.
Department & Agencies
(or others) pay for custom
systems CM using internal
C&A report money
(diagnostics and feeds to Cyber
Scope)
$440 M/yr
Continuous
Monitoring (CM)
Contract Element
Cloud
Department & Agencies (or
others) pay Using DHS
published standards using
internal funds
Department & Agency
custom systems using
internal funds.
CSP ‘s could buy CMaaS for
use as 3rd party Assessors.
Using DHS published
standards using internal
funds
22
Change to “plan for
events” and “respond to
events”.
19
18, 8
P3
P3/4
P3
P3/4
12, 15
P3/4
P2
m
l
k
n
j
o
h
6,7 are assets:
They require all the
other capabilities applied
to them. For an
application, it’s HW, SW
etc. must be managed,
inside a boundary,
configured and relatively
free of vulnerabilities.
One delta would be the
extra analysis SW needs
pre-operations.
a
b
g
9
e
P2
d
1
c
P1
2,5
P2
4
P2
P1
14, 16, 20
p
i
P2
P3
3, 10, 11
P1
13, 17
P1

similar documents