1. Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP)
John M. Gilligan
www.gilligangroupinc.com
May, 2009
2. Problem
Today’s state—CIOs of large enterprises cannot:
• See their IT assets—they don’t know what they have
• Tell which systems comply with policy
– Makes reporting, enforcement impossible
• Change configurations quickly in reaction to changing threats or vendor updates
IT organizations cannot effectively manage complex environments
3. Root Cause
Today’s enterprise IT capabilities are:
• Complex
• Dynamic
• Vulnerable
• Fragmented in use of automated management
Processes and tools are immature
4. CIOs are concerned about enterprise IT management
• Cost of poorly managed IT is growing rapidly
• Cyber attacks are exploiting weak enterprise management
– Weakest link becomes enterprise “Achilles Heel”
– Cyber exploitation now a National Security issue
• High quality IT support requires effective enterprise management
SCAP enables effective enterprise IT management and security
5. Goal—Well-Managed Enterprise
• Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so
• Integrated and automated enterprise management tools increase operational effectiveness and security without increased cost
7. Governance
• Define management and security policies and properties to be implemented in enterprise IT environments
• Accelerate evolution to a disciplined environment
– Federal Desktop Core Configuration (FDCC)—Establishes initial configuration discipline
– 20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines—Counter most significant threats with measurable controls
– NIST Special Publication 800-53 (Information Security; Recommended Security Controls for Federal Information Systems)—Establish comprehensive disciplined management and security policies and controls
8. Technology
• Use tools that are Security Content Automation Protocol (SCAP)-enabled
• Automate management of configuration, asset management, and security properties
– Continuously assess, report, enforce endpoint compliance
– React quickly to changing situations (e.g., vendor patches, new configurations, revised policy)
• Achieve cross-vendor integration, interoperability
SCAP enables tool integration and interoperability for disciplined enterprise IT management
9. Discipline
Verify compliance with enterprise IT policies:
• Continuously verify effectiveness of controls by leveraging automation and trend metrics
• Also employ metrics for operational effectiveness and cost
• Use Auditors and Red Teams to independently validate discipline
• Ensure visible accountability for those who violate policies
12. Specific SCAP Standards
• CVE (software vulnerability management): identifies vulnerabilities
• CVSS (software vulnerability management): scores vulnerability severity
• OVAL (compliance management): criteria to check presence of vulnerabilities, configurations, assets
• CCE (configuration management): identifies configuration controls
• CPE (asset management): identifies packages and platforms
• XCCDF (compliance management): language to express configuration guidance for both automatic and manual vetting
SCAP enables enterprise-wide, cross-vendor interoperability and aggregation of data produced by separate tools
13. Mature Standards Illustrate Possibilities
• Common Vulnerabilities and Exposures (CVE): industry standard for identifying vulnerabilities
– 36,000+ vulnerabilities agreed upon over the last 10 years
– 245 products, 138 organizations, 25 countries
• Common Vulnerability Scoring System (CVSS): used by the Payment Card Industry (PCI) to judge compliance of organizations that process card payments
Industry has adopted SCAP standards for individual needs
14. SCAP Gaining Momentum
• Federal Desktop Core Configuration (FDCC/SCAP)
– Ken Heitkamp (ex-Deputy CIO AF): “FDCC with SCAP not only establishes standard configurations for hardware suppliers, it also addresses security for those that develop software”
• Open Vulnerability Assessment Language (OVAL)
– McAfee: “The ability to…describe vulnerabilities on a system and exchange that information between tools is doing a great deal to improve [vendor] offerings”
• NIST issues SCAP content for FISMA compliance
– Steve Quinn (NIST): “[SCAP is] an automated approach to help agencies make the jump from security policies and mandates to secure systems.”
15. Product Interoperability
The Problem
• Different vendor products give different answers
• CIOs can’t integrate across vendors
The Solution
• SCAP standard ‘OVAL’ introduced to enable integration
• Red Hat adopted OVAL; found it increased value of their advisories to customers
• Other vendors have followed (e.g., Symantec)
OVAL provides the “glue” for SCAP-compliant tools leading to interoperability
16. Enterprise IT Management Using SCAP
• DoD Computer Network Defense (CND) data sharing pilot demonstrating enterprise management using SCAP
– SCAP shows which systems are vulnerable; enables rapid, prioritized response (e.g., rush patching); provides follow-up reporting
– Tony Sager (NSA): “We do it all now with SCAP-compatible tools.”
• Organizations beginning to see SCAP benefits for other enterprise applications
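As an added illustration of the two points above (slide 12: common identifiers let data from separate tools be aggregated; slide 16: SCAP shows which systems are vulnerable and supports prioritized patching), here is example Python that is not part of the original presentation. The hosts, CPE names, CVE and CCE identifiers, and CVSS scores are all constructed placeholders; the three input tables stand in for the output of an asset tool, a vulnerability tool, and a configuration tool.

```python
from collections import defaultdict

# Constructed inventory from an asset tool: host -> CPE names (placeholder vendor/product)
ASSETS = {
    "host-a": {"cpe:/o:examplevendor:exampleos:1.0",
               "cpe:/a:examplevendor:exampleapp:2.1"},
    "host-b": {"cpe:/o:examplevendor:exampleos:1.0"},
    "host-c": {"cpe:/o:examplevendor:exampleos:2.0"},
}
# Constructed feed from a vulnerability tool: placeholder CVE id -> (CVSS score, affected CPEs)
VULNS = {
    "CVE-0000-0001": (9.3, {"cpe:/a:examplevendor:exampleapp:2.1"}),
    "CVE-0000-0002": (4.0, {"cpe:/o:examplevendor:exampleos:1.0"}),
}
# Constructed results from a configuration tool, keyed by placeholder CCE ids
CONFIG_RESULTS = {
    "host-a": {"CCE-0000-1": "pass", "CCE-0000-2": "fail"},
    "host-b": {"CCE-0000-1": "pass", "CCE-0000-2": "pass"},
    "host-c": {"CCE-0000-1": "fail", "CCE-0000-2": "pass"},
}

def open_vulns(assets, vulns):
    """Join CPE inventory with the CVE feed: host -> [(cve, cvss)], highest score first."""
    result = {}
    for host, cpes in assets.items():
        hits = [(cve, score) for cve, (score, affected) in vulns.items() if cpes & affected]
        result[host] = sorted(hits, key=lambda h: (-h[1], h[0]))
    return result

def patch_priority(assets, vulns):
    """Enterprise-wide patch order: CVSS score first, then number of exposed hosts."""
    exposure = defaultdict(int)
    for hits in open_vulns(assets, vulns).values():
        for cve, _ in hits:
            exposure[cve] += 1
    return sorted(exposure, key=lambda c: (-vulns[c][0], -exposure[c], c))

def compliance_report(assets, vulns, config_results, max_cvss=7.0):
    """Per host: open CVEs, failed CCE checks, and pass/fail against a CVSS threshold."""
    report = {}
    for host, hits in open_vulns(assets, vulns).items():
        failed = sorted(c for c, r in config_results.get(host, {}).items() if r == "fail")
        worst = max((s for _, s in hits), default=0.0)
        report[host] = {"open_cves": [c for c, _ in hits], "failed_cces": failed,
                        "compliant": not failed and worst < max_cvss}
    return report
```

Because every tool keys its output on the same CPE, CVE and CCE identifiers, the join needs no vendor-specific mapping; the same three functions would work over real SCAP-formatted tool output once parsed into these shapes.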
18. Recommended Actions
How Federal government can provide leadership:
1. Require SCAP-validated tools
2. Educate IT staff in how SCAP can be used for enterprise IT management
3. Deploy SCAP-validated tools; evolve to automated enterprise IT management
4. Share lessons learned with IT managers and vendors
– More use cases—not just security
– More transparent integration
19. SCAP can transform individual tools into integrated parts of an Enterprise IT Management Capability
(Diagram: Tools, SCAP, Capabilities)
22. Strategic Roadmap
• Today: Controlled configuration for Windows
• 2010: Controlled configuration for major operating systems and applications
• 2010: Standardized application white and black listing
• 2011: Adaptive configurations based on threat
• OVAL adoption: Faster vulnerability impact/patch level assessment
• 2012: Standardized remediation, configuration control
(Timeline labels: More secure, more automated; Real-time management; More secure, automated, real time)