At the direction of OMB and NIST, security and IT pros in federal government must develop plans to implement "continuous monitoring," the practice of using IT security controls to constantly monitor and manage the security status of their information systems and networks. The transition from static security to continuous monitoring requires a new approach to IT security, and IT teams must devise a strategy and roadmap to be successful. In this editorial Webcast, cybersecurity experts will help discuss the tools and processes involved in moving from a traditional security environment to one designed around continuous monitoring. This Webcast will help government IT pros: Understand the objectives of continuous monitoring, such as reduced threat exposure through real time risk assessment and response. Identify the steps involved, including determining the security impact of changes to IT systems and producing assessment reports. Assess system requirements in areas such as malware detection and event and incident management. Determine the need for upgrades and investment in new technologies.

1. Developing a Continuous Monitoring Action Plan An InformationWeek Government Webcast Sponsored by

2. Webcast Logistics

3. Welcome! John Foley Editor InformationWeek Government

4. Today’s Presenters John Streufert Deputy Chief Information Officer Information Assurance United States Department of State Steve Johnston CISSP, ITIL Lead Federal Systems Engineer Tripwire, Inc.

5. What Is Continuous Monitoring? “Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” >>NIST SP 800-137

6. Building It Into The IT Budget “What makes us more secure is real-time security monitoring--continuous monitoring--and acting on data. That's why agencies are directed as part of the FY 2012 budgeting process to make sure that their budget reflects presidential priority in terms of investing in tools, not in paperwork reports.” >>Federal CIO Vivek Kundra, June 2010

7. Continuous Monitoring Domains (NIST)

8. CIA Invests In RedSeal Systems "Continuous monitoring technologies will enable the U.S. intelligence community to effectively operate the complex, dynamic network defenses that protect critical information and systems.” >>William Strecker, CTO, In-Q-Tel

9. FISMA 2.0: A Continuous MonitoringCase Study John Streufert ( DOSCISO@state.gov ) Deputy Chief Information Officer for Information Security US Department of State February 14, 2011

10. Nature of Attacks 80% of attacks leverage known vulnerabilities and configuration management setting weaknesses 10

11. Threats Increasing 2% 5% Type Tickets 39% 2008 51% 1% 2% 1 9% 2% 9% 2010 84%

12. Case Study: Scan every 36-72 hours Find & Fix Top Issues Daily Personal results graded Hold managers responsible 12

13. How: 1. Narrow Aim 13 [11 months before Feb 09]

14. 2.Bad things by Numbers Chemical Dumping Littering vs. L.A. Hotel Pays a $200,000 fine because an employee dumps pool chemicals into a drain fumes fill a subway station -- several people become ill March 23, 2010 14

15. Cube and Divide by 100

16. 3. CalculateGrades A+ to F -

17. 4. Focus on Worst First

18. Results First 12 Months 18 Personal Computers and Servers

19. Risk Scoringin 2nd Year

20. Operation Aurora Attack 20 Call a Problem 40x Worse

21. 21 . when charging 40 points 0 - 84% in seven (7) days 0 - 93% in 30 days

22. 13 25 36 60 93 133

23. 1/3 of Remaining Risk Removed 23 [Year 2: PC’s/Servers]

24. 24

25. 25

26. Lessons Learned When continuous monitoring augments snapshots required by FISMA: Mobilizing to lower risk is feasible & fast (11 mo) Changes in 24 time zones with no direct contact Cost: 15 FTE above technical management base This approach leverages the wider workforce Security culture gains are grounded in fairness, commitment and personal accountability for improvement 26

27. Next Steps

28. 20 Year old commercial said “The quality goes in, before the name goes on” 28

29. 29 Should we position our best solutions before or after accidents? Cofferdam unit departing Wild West in Port Fourchon on the Chouest 280 workship named Joe Griffin 05 May 2010 -- Photo from BP.com

30. RISK 30

31. Continuous C&A Pilots Priority sequence: quick wins vs. long term: Inventory of Authorized Assets (CAG 1/2) Configuration and Vulnerability Monitoring (CAG 3/4/10/12/13) SCAP Content (automated & non-automated testing) Boundary Defense (CAG 5/14) Situational Awareness and Threat Analysis Applications (CAG 7) Access Controls (CAG 6/8/9/11) Data Loss Protection (CAG 15) 31

32. 32

33. Conclusions Risk Scoring and Continuous Monitoring is scalable to large complex public and private sector organizations Higher ROI for continuous monitoring of technical controls as a substitute for paper reports Summarized risk estimates could be fed to enterprise level reporting 33

34. Continuous Monitoring: Best Practices Steve Johnston, CISSP, ITIL, Lead Federal Systems EngineerTripwire, Inc.

36. Take control and remain in control of your infrastructureSpirit of Continuous Monitoring

37. 1 Categorize Assets 2 Determine Risk Threshold 3 Establish Monitoring Frequency 4 Provide Detailed Reporting 36

38. Categorize logically and by criticality Is it a critical asset? Is it a medical system High, moderate or low severity? What kind of missions and programs do they support? Benefits to Categorization Easier to make risk based decisions Homepage and Reporting views Risks are easier to determine knowing the mission the asset supports 37 Categorize Assets

40. <50% Do Not Operational

41. <75% System should go through preplanning

42. <90% Operational

43. Test and control weights need to be set

44. Weights affect the Risk scoring

45. Example:

46. HIGH - Administrator set blank password

47. LOW – Users are part of a remote desktop groupDetermine Risk Threshold 38

48. 39 Determine frequency by function and risk associated with each system and security control System level frequency Security Control level frequency Application level frequency Determine Monitoring Frequency

50. External facing devices

51. Events from critical systems

52. DB stored Procedures

53. Mission X Systems

54. Full Systems

55. Application data controls

56. New installs, patches, hot fixes

57. Event and Log Review

58. Hypervisor Controls

59. Internal network devices

60. Directory Services

61. DB Schema

62. etc…Device / Control

64. Security Alerts

65. Certification & AccreditationUse the intelligent data feeds to make accurate risk based decisions Provide Detailed Reports 41

66. Example Feedback to the Authorized Official Respond on Critical Control and Change Information 42

67. Example Feedback to the Authorized Official Provide actionable data What and Where Respond to Critical Events 43

68. 1 Categorize Assets 2 Determine Risk Threshold 3 Establish Monitoring Frequency 4 Provide Feedback to Authorizing Official 44

69. About Tripwire Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 5,500 customers in more than 87 countries rely on Tripwire’s integrated solutions. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively prove continuous compliance, mitigate risk, and achieve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com

70. Q&A Session Please Submit Your Question Now

71. Resources To View This or Other Events On-Demand Please Visit: http://www.netseminar.com For more information please visit: http://www.tripwire.com

72. THANK YOU!