Continuous Monitoring: Getting Past Complexity & Reducing Risk
•Transferir como PPTX, PDF•
2 gostaram•1,675 visualizações
This presentation on Continuous Monitoring was created by Bryce Schroeder, who leads Tripwire's global presales engineering team at Tripwire. He has over 29 years of IT architectural and security expertise solving Enterprise challenges. Bryce joined Tripwire from NetApp where he led a team of Architects and Systems Engineering in enterprise Cloud infrastructure solutions. Numerous articles on Continuous Monitoring can be found here: http://www.tripwire.com/state-of-security/tag/continuous-diagnostics-and-mitigation/
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (16)
Semelhante a Continuous Monitoring: Getting Past Complexity & Reducing Risk
Semelhante a Continuous Monitoring: Getting Past Complexity & Reducing Risk (20)
Mais de Tripwire
Mais de Tripwire (20)
Último
Último (20)
Continuous Monitoring: Getting Past Complexity & Reducing Risk
- 1. Presented by Bryce G. Schroeder
- 3. Sr. Director of Systems Engineering Bryce leads the global presales engineering team at Tripwire. He has over 29 years of IT architectural and security expertise solving Enterprise challenges. Bryce joined Tripwire from NetApp where he led a team of Architects and Systems Engineering in enterprise Cloud infrastructure solutions. Prior to NetApp, Bryce served in senior leadership roles at Symantec, Sun Microsystems and Tektronix. Previous to that he bschroeder@tripwire.com held system admin and hardware and software design roles.
- 5. 2013 2011 2010 2007 2005 1997 Tripwire File System Monitoring Tripwire Enterprise Integrated Change Audit for Servers, Network Devices, DataBases & Active Directory Configuration Assessment Industry’s largest library of security, regulatory and operational policies Log and Security Event Management Integrated log and event management solution Thoma Bravo acquires Tripwire Accelerates Tripwire’s Creating Real Confidence vision Tripwire acquires nCircle Delivers the Industry’s most complete set of foundational security controls for the enterprise – SCM, VA, FIM, LM
- 6. 100 10 Million Foreign Intelligence organizations trying to hack into our military’s digital networks Cyber attacks daily at Department of Energy 100K’s Attack surface and amount of data is increasing 400%+ Increase of cyber attacks since 2006 80% Attacks leveraging known vulnerabilities & configuration setting weaknesses
- 7. NIST SP 800-137 • Defines base requirements for CM NIST SP 800-53 • Describes automated inspection items (controls) for security • Aids automated Security Configuration Management strategy NERC / FERC CIP • Requirements for Federal Energy Critical Infrastructure Protection ISO / IEC 27001 • Framework for continuous process improvement in information security FISMA / FISMA 2 • Includes CM for configuration management and control of components; impact analysis of changes to systems, and ongoing assessment of security controls
- 9.
- 10. Change is occurring Compliance Compliant State Periodic Audits required to reassess RISK change never stops Time
- 11. Continuous Compliance Compliance Compliant State Maintain that state Assess & Achieve desired state Time
- 12. • Aligned with RMF (NIST 800-37) and CM requirements (NIST SP 800-137) Start SP800-137 Monitor Security State Authorize Information System Categorize Information System Select Security Controls NIST Risk Management Framework SP800-37 Implement Security Controls Assess Security Controls
- 13. Front-End Security Start SP800-137 Monitor Security State Authorize Information System Categorize Information System NIST Risk Management Framework SP800-37 Implement Security Controls Assess Security Controls Back-End Security Select Security Controls
- 14. Start Monitor Security State Authorize Information System SP800-137 Categorize Information System Select Security Controls NIST Risk Management Framework SP800-37 Implement Security Controls Assess Security Controls
- 15. 1
- 16. 3
- 17. 4
- 18. 6
- 19. • Aligned with RMF (NIST 800-37) and CM requirements (NIST SP 800-137) Start SP800-137 Monitor Security State Authorize Information System Categorize Information System Select Security Controls NIST Risk Management Framework SP800-37 Implement Security Controls Assess Security Controls
- 21. Act on priorities from the Categorize Assets step Prioritize Monitor and alert based on relative value of Assets High, Moderate, Low impact DMZ, Mission X, Processing, etc… Categorize logically and by criticality Benefits of Categorization Easier to make risk-based decisions Risks are easier to determine knowing the mission the asset supports Enables rapid triage during incident response
- 22. Determine Risk Threshold Identify and apply your scoring methods OCTAVE, CAESARS, iPOST, iRAMP, etc. Map thresholds to policies and assign weights to control checks Example of Policy Thresholds <50% Do Not Operate <80% System should go through preplanning >80% Operational Assign weights for control test items - weights affect the Risk scoring Example: HIGH - Administrator set to blank or default password LOW – Users are part of a remote desktop group
- 24. Source: NIST SP 800-92
- 30. Configuration Quality: % of configurations compliant with target security standards (risk-aligned) i.e. >95% in High; >75% in Medium number of unauthorized changes with security impact (by area) patch compliance by target area based on risk level i.e. % of systems patched within 72 hours for High; within 1 week for Medium Control effectiveness: % of incidents detected by an automated control % of incidents resulting in loss mean time to discover security incidents % of changes that follow change process
Notas do Editor
- And of course, I recently completed this chart and a detailed sub-control mapping across our blended product line. What I like about this chart is the NSA rankings and how they rank with the first four CSC as well. This is impactful. When the NSA, SANS, and mappings to both NIST and ISO support working on the first four CSC to get you significantly down the road to improved cybersecurity – AND it aligns with 2013 FISMA metrics. It’s not a bad place to start.
- Another approach is what we call ‘Traditional Configuration Assessment,’ which can bring you up to compliance rapidly, but if changes happen after, you have no visibility or control of those changes, and it’s only when you do another scan where you will get back into compliance. And even the highest performing organizations do these ‘mega-scans’ once a month at best! The frequency of assessing IT configurations opens the door to risk and potential security breaches.
- When you’re looking for a continuous monitoring solution – you need to consider a solution that enables 4 very specific capabilities.
- Is it a critical asset? Medical system?
- You need intelligent information to make risk-based decisions.
- You cannot “turn on” continuously monitoring or real-time on everything. So you need to choose the frequency.
- You need to feed that information to your authorizing official
- Support the businessBe controllableIf you can't influence it, why report on it?Be quantitativeBe easy to collect and analyzeIf it takes 3 weeks to gather data you report on monthly, something is wrongToo hard to gather & interpretReporting too oftenSubject to trendingMetrics must be changeable - Things you report on will changeYour targets will change
- So those are some of the things are going right. But let's take a look at what isn't going as well.In organizations that are stuck or stall, here are some of the things that tend to slow them down.The 1st is the use of what I referred to as a boil the ocean approach. In other words trying to do too much across too broad of a landscape of your business. Rather than trying to solve every risk problem in the organization pick one or 2 key areas, that relate to one or 2 key business processes, and start there. Remember, non-technical executives tend to think of things in terms of revenue, costs, customer satisfaction, fulfillment, or other key processes in the business. Figure out what the most important process is, what the biggest risk is that's facing that particular area, then identify what you can do from an IT risk perspective to mitigate that risk. If you're successful, those early winds can make it a lot easier to move onto future phases of your projects.Another problem I've seen is when the discussion goes to granular or too geeky very quickly. Executives have short attention spans so keep it high level, and get to the point quickly.Closely related to this, is when there is no buy-in from other parts of the organization. This can be very frustrating because it often looks like a superhero in the IT organization trying to take on the rest of the organization, and force them to adopt a risk oriented focus. If you don't have by and, you're not ready to start executing.The most effective place to get support, is as high in the organization as you can manage. I mentioned tone at the top before. If you're trying to embark on a risk management project to get risk management adopted across your organization, make sure you have an executive sponsor. This is generally either the CEO or someone reporting to the CEO in your organization.We've talked a bit about this one already, but I've also seen ineffective metrics or a complete lack of metrics, stall risk management efforts. I'll get to that in a minute.Finally as I mentioned before, too many organizations are focused on cost as the primary focus of the risk management and security programs. This has got to change.
- Explain the roles and responsibilities of individuals in IT security, IT and the business organization have in implementing a continuous monitoring.
- Investigating and adopting a repeatable frameworkFAIR, OCTAVE, OVAL, CAESARS, ISO, etc.Applying risk ranking/scoring methodsEngaging cross-functional “steering committees” to examine various risksStrategic & Operational, Information Security, Financial, Employment Practices, Intellectual Property, Physical, Legal, Regulatory, etc.Prioritizing projects, actions, and investments to bias toward areas of highest risk and impactEstablishing Key Risk Indicators (KRI’s) and Key Risk Objectives (KRO’s) to measure progress