What is DIARMF continuous monitoring?
Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. It is described in NIST SP 800-137. Continuous monitoring is the sixth and final step in the DIARMF security life cycle, and it is a very important, ON-GOING step.
The DoD's current method of continuous monitoring (2014) is the use of Continuous Monitoring and Risk Scoring (CMRS). It is a web-based, visual method of watching DoD Enterprise security controls that cover software inventory, antivirus configuration, Security Technical Implementation Guide (STIG) compliance, and Information Assurance Vulnerability Management (IAVM) vulnerability and patch compliance. CMRS displays risk dashboards based on data published by HBSS and ACAS (more info at DISA).
HBSS (host based system security) is a DoD implemented suite of applications:
- (McAfee) ePolicy Orchestrator (ePO) – version 4.5.6, but 4.6.6 is preferred
- Asset Configuration Compliance Module (ACCM) – version 2, but 184.108.40.2069 is preferred
- McAfee Data Loss Prevention / Device Control Module (DCM) – version 9.1, but 9.2 Patch 1 is preferred
- McAfee Host Intrusion Prevention (HIPS) – version 7.x, but 8.0 Patch 2 is preferred
- McAfee Management Agent (MA) – version 4.5, but 4.6 is preferred
- McAfee Policy Auditor Agent (PA) – version 5.3, but 6.0.1 is preferred
- Antivirus (AV) – McAfee or Symantec – McAfee Symantec Antivirus 10.1.9, McAfee Virus Scan Enterprise 10.2, Symantec Endpoint Protection 12, Symantec Antivirus 10.1, Symantec Antivirus 10.2, Symantec Norton Antivirus 7500 9
- Operational Attribute Module (OAM) – version 2.0.1, but 220.127.116.11 is preferred
- Asset Publishing Service (APS) – version 2.0.1 or 18.104.22.168, but 2.0.3 is preferred – configured to publish to CMRS
- ACAS (Assured Compliance Assessment Solution) is Tenable Nessus, an enterprise-level vulnerability scanner.
These systems are implemented in accordance with United States Strategic Command (USSTRATCOM) Communications Tasking Orders (CTO) 05-19 & 07-12 (Deployment of Host Based Security System (HBSS)). The products and tools needed for continuous monitoring change constantly, but what is important is the concept. Within a month of publishing this, the products listed will be different and new CTOs will be released, but the need for continuous monitoring will remain. KNOW the CONCEPT.
If you know DIACAP, then this step is similar to Phase 5, Maintain Authorization to Operate, except there is a HUGE focus on real-time automation. Automation is done with tools like security information & event management systems (SIEM) and security dashboards.
If the other steps of DIARMF are planning, building and checking the engine, then continuous monitoring is keeping it running. Continuous monitoring is part of the day-to-day tasks of security professionals.
Continuous monitoring has everything to do with the visibility of your network:
Configuration Management – track and manage changes to the configuration and assets. The organization monitors the security baseline by managing its inventory and only allowing approved major changes to the network.
Vulnerability monitoring – awareness of vulnerabilities and response with a patch management program.
Network monitoring – incident handling & response to advanced persistent threats & active research of ongoing threats.
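The configuration-management and vulnerability-monitoring items above boil down to one recurring check: compare what is actually installed on a host against the approved baseline and the required patch level, and flag anything that changed without an approved change request. The script below is an added example (not code from this post, CMRS or HBSS) that does exactly that; the baseline, the change request, the patch identifier PATCH-EXAMPLE-001 and the host inventory are all constructed for the example, and versions are compared as simple dotted-numeric tuples, which is an assumption that would not hold for every real package versioning scheme.

```python
"""Baseline drift check for continuous monitoring (added example, constructed data)."""
import re
from dataclasses import dataclass, field

# Constructed approved baseline: package -> approved version.
APPROVED_BASELINE = {
    "openssh-server": "7.4.1-21",
    "httpd": "2.4.6-97",
    "mcafee-agent": "4.6",
}

# Constructed approved change requests: (package, new version) pairs the CM board signed off on.
APPROVED_CHANGES = {("httpd", "2.4.6-99")}

# Constructed patch requirements: patch id -> (package, minimum version that satisfies it).
# The patch id is a placeholder, not a real IAVM or vendor identifier.
REQUIRED_PATCHES = {
    "PATCH-EXAMPLE-001": ("openssh-server", "7.4.1-21"),
}

# Constructed snapshot of what an inventory agent reported from one host.
SAMPLE_INVENTORY = {
    "openssh-server": "7.4.1-20",   # one release behind the required patch level
    "httpd": "2.4.6-99",            # differs from baseline, but covered by an approved change
    "telnet-server": "0.17-65",     # not in the baseline at all
    # "mcafee-agent" is absent: the endpoint agent was removed
}


@dataclass
class DriftReport:
    unapproved_added: list = field(default_factory=list)    # (package, version)
    unapproved_changed: list = field(default_factory=list)  # (package, baseline, installed)
    removed: list = field(default_factory=list)             # package
    missing_patches: list = field(default_factory=list)     # (patch id, package, installed or None)

    @property
    def has_drift(self) -> bool:
        return any([self.unapproved_added, self.unapproved_changed,
                    self.removed, self.missing_patches])


def version_tuple(version: str) -> tuple:
    """Turn '7.4.1-21' into (7, 4, 1, 21) so versions compare numerically (assumed scheme)."""
    return tuple(int(part) for part in re.split(r"[.\-]", version))


def check_drift(inventory: dict, baseline: dict, approved_changes: set,
                required_patches: dict) -> DriftReport:
    """Compare a host inventory against the baseline and the required patch levels."""
    report = DriftReport()
    for pkg, installed in inventory.items():
        if pkg not in baseline:
            report.unapproved_added.append((pkg, installed))
        elif installed != baseline[pkg] and (pkg, installed) not in approved_changes:
            report.unapproved_changed.append((pkg, baseline[pkg], installed))
    for pkg in baseline:
        if pkg not in inventory:
            report.removed.append(pkg)
    for patch_id, (pkg, min_version) in required_patches.items():
        installed = inventory.get(pkg)
        if installed is None or version_tuple(installed) < version_tuple(min_version):
            report.missing_patches.append((patch_id, pkg, installed))
    return report


def run_example() -> DriftReport:
    """Run the check over the constructed host snapshot."""
    return check_drift(SAMPLE_INVENTORY, APPROVED_BASELINE, APPROVED_CHANGES, REQUIRED_PATCHES)


if __name__ == "__main__":
    rep = run_example()
    print("drift detected:", rep.has_drift)
    for label in ("unapproved_added", "unapproved_changed", "removed", "missing_patches"):
        for finding in getattr(rep, label):
            print(f"{label}: {finding}")
```

A real deployment would feed this from the inventory and patch data the endpoint agent already publishes, run it on every inventory refresh rather than on demand, and treat a removed endpoint agent or an unapproved service as a finding to track in the POA&M rather than just a log line.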
Key Component of DIARMF Continuous Monitoring
Security Content Automation Protocol (SCAP)
According to Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002, March 2013, “A key component to this work is the NIST Security Content Automation Protocol (SCAP) and related programs, which are developed through close collaboration between government and industry partners”.
SCAP is a common protocol that vulnerability, scanning and patching software can use to communicate vulnerability and technical control information to each other quickly. This protocol is used internationally, federally and commercially.
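One concrete piece of SCAP is XCCDF, the checklist and results format a scanner emits after evaluating a benchmark; a dashboard like the ones described on this page consumes those results rather than the scanner's native output. The script below is an added example (not code from this post or from any SCAP tool) that reads a minimal XCCDF 1.2 TestResult and turns it into a severity-weighted compliance score plus a prioritised list of failed rules. The benchmark, rule ids, host name and severity weights are all constructed for the example; real benchmarks define their own rule ids and leave weighting to the consuming program.

```python
"""Score a minimal SCAP/XCCDF TestResult (added example, constructed data)."""
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace, as used by real benchmarks and result files.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed minimal benchmark with its embedded TestResult. Rule ids, severities
# and the target host name are made up for the example.
SAMPLE_RESULT = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_ssh_protocol" severity="high"/>
  <Rule id="xccdf_example_rule_banner" severity="low"/>
  <Rule id="xccdf_example_rule_av_running" severity="medium"/>
  <Rule id="xccdf_example_rule_legacy" severity="medium"/>
  <TestResult id="xccdf_example_testresult_demo">
    <target>host01.example.test</target>
    <rule-result idref="xccdf_example_rule_ssh_protocol"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_av_running"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_legacy"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Assumed weights: XCCDF carries a severity per rule but no numeric weight of its own.
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1, "info": 0}
# Only pass/fail count toward the score; notapplicable, notchecked, error, unknown, etc.
# are reported separately so they cannot inflate or hide the compliance figure.
SCORED = {"pass", "fail"}


def score_testresult(xml_text: str) -> dict:
    """Parse an XCCDF TestResult and return target, weighted score, failed rules and unscored counts."""
    root = ET.fromstring(xml_text)
    severity = {rule.get("id"): rule.get("severity", "unknown")
                for rule in root.iterfind(".//x:Rule", XCCDF_NS)}
    result_el = root.find("x:TestResult", XCCDF_NS)
    if result_el is None:
        raise ValueError("no TestResult element in document")
    target = result_el.findtext("x:target", default="", namespaces=XCCDF_NS)

    weighted_pass = weighted_total = 0
    failed = []          # (rule id, severity, weight)
    unscored = {}        # outcome -> count
    for rr in result_el.iterfind("x:rule-result", XCCDF_NS):
        rule_id = rr.get("idref")
        outcome = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        sev = severity.get(rule_id, "unknown")
        weight = SEVERITY_WEIGHT.get(sev, 1)
        if outcome not in SCORED:
            unscored[outcome] = unscored.get(outcome, 0) + 1
            continue
        weighted_total += weight
        if outcome == "pass":
            weighted_pass += weight
        else:
            failed.append((rule_id, sev, weight))

    failed.sort(key=lambda f: f[2], reverse=True)   # highest-severity failures first
    score = round(100.0 * weighted_pass / weighted_total, 1) if weighted_total else None
    return {
        "target": target,
        "score": score,
        "failed": [(rule_id, sev) for rule_id, sev, _ in failed],
        "unscored": unscored,
    }


if __name__ == "__main__":
    summary = score_testresult(SAMPLE_RESULT)
    print(f"{summary['target']}: {summary['score']}% compliant")
    for rule_id, sev in summary["failed"]:
        print(f"  FAIL [{sev}] {rule_id}")
    print("  not scored:", summary["unscored"])
```

The point of keeping the unscored outcomes visible is that a rule that was never checked is not the same as a rule that passed; a dashboard that silently folds notchecked into the denominator, or drops it, will report a posture the scan never actually verified.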
Continuous Monitoring as a Service (CMaaS)
The Department of Homeland Security is coordinating a continuous monitoring service. They want to create a Continuous Diagnostics and Mitigation (CDM) program for providing continuous monitoring sensors, diagnosis, mitigation tools, and Continuous Monitoring as a Service (CMaaS).
With dashboards and automated Crystal Reports, the data is visualized in real time, allowing information security professionals to respond quickly to the highest-priority incidents.
Continuous Monitoring Products
Federal law encourages the use of tools like security information & event managers (SIEM) that bring all the security information into one place, a security dashboard whose graphs and visual imagery let analysts quickly detect patterns across large volumes of data in real time. See the new FISMA and NIST SP 800-137 for more information.
Tools like SIEMs, IPSs, IDSs and APT detection systems are what the industry uses. DoD units create partnerships with security companies like HP, McAfee, Symantec, Tenable, Rapid7, Metasploit, Mandiant and others to create continuous monitoring solutions for their organizations.
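The "detect patterns across lots of data" part of a SIEM is correlation: a rule that looks at many individually uninteresting events and raises one alert when they form a pattern. The script below is an added example (not code from this post or from any SIEM product) of one such rule applied to sshd authentication log lines: it counts failed logins per source address inside a sliding time window, opens an alert when the count crosses a threshold, and escalates that alert if the same source then authenticates successfully, which is the case an analyst most needs to see first. The log lines, host name, user names and 192.0.2.x addresses are constructed for the example, and the threshold (5 failures) and window (60 seconds) are assumed tuning values.

```python
"""SIEM-style correlation over sshd log lines (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the OpenSSH "Failed password" / "Accepted password" message shapes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed log excerpt: a burst of five failures followed by a success from one
# source, two stray failures from another, and one line the rule does not care about.
SAMPLE_LOG = """
2014-03-01T10:00:01 host01 sshd[2201]: Failed password for admin from 192.0.2.10 port 50001 ssh2
2014-03-01T10:00:05 host01 sshd[2202]: Failed password for admin from 192.0.2.10 port 50002 ssh2
2014-03-01T10:00:09 host01 sshd[2203]: Failed password for admin from 192.0.2.10 port 50003 ssh2
2014-03-01T10:00:13 host01 sshd[2204]: Failed password for admin from 192.0.2.10 port 50004 ssh2
2014-03-01T10:00:17 host01 sshd[2205]: Failed password for admin from 192.0.2.10 port 50005 ssh2
2014-03-01T10:00:20 host01 sshd[2206]: Accepted password for admin from 192.0.2.10 port 50006 ssh2
2014-03-01T10:05:00 host01 sshd[2210]: Failed password for invalid user test from 192.0.2.20 port 50100 ssh2
2014-03-01T10:05:30 host01 sshd[2211]: Failed password for invalid user test from 192.0.2.20 port 50101 ssh2
2014-03-01T10:06:00 host01 sshd[2212]: pam_unix(sshd:session): session opened for user admin
""".strip().splitlines()


def parse(line: str):
    """Return a dict for an auth success/failure line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def correlate(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Raise one alert per source that exceeds `threshold` failures within `window`;
    mark it if a successful login from that source follows while failures are still in the window."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    open_alerts = {}                # src -> alert dict (one alert per source)
    alerts = []
    for ev in filter(None, map(parse, lines)):
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:   # slide the window forward
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if ev["src"] in open_alerts:
                open_alerts[ev["src"]]["failures"] = max(open_alerts[ev["src"]]["failures"], len(recent))
            elif len(recent) >= threshold:
                alert = {"src": ev["src"], "host": ev["host"], "first_failure": recent[0].isoformat(),
                         "failures": len(recent), "success_after": False, "user": None}
                open_alerts[ev["src"]] = alert
                alerts.append(alert)
        elif ev["src"] in open_alerts and recent:
            # Success from a source that recently crossed the failure threshold: escalate.
            open_alerts[ev["src"]]["success_after"] = True
            open_alerts[ev["src"]]["user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        level = "HIGH" if alert["success_after"] else "MEDIUM"
        print(f"[{level}] {alert['src']} -> {alert['host']}: {alert['failures']} failures "
              f"since {alert['first_failure']}, success_after={alert['success_after']}")
```

The two-address sample shows why the window matters: the second source also fails repeatedly but never reaches the threshold inside 60 seconds, so it produces no alert, while the first source produces exactly one alert that carries the later success rather than a second, separate event.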
HP Enterprise Security Products
HP Enterprise Security addresses the following categories when looking at continuous monitoring:
Security Lifecycle Management
The HP products covering these items include, but are not limited to:
- ArcSight Enterprise Security Manager
- ArcSight Logger
- HP Tipping Point
McAfee has a suite of products to address continuous monitoring:
- McAfee Vulnerability Manager
- McAfee Enterprise Security Manager
- McAfee Enterprise Log Manager
- McAfee Global Threat Intelligence
- McAfee ePO
- Symantec Control Compliance Suite
- Virtualization Security Manager
Continuous monitoring controls
Realistically, all implemented and assessed controls are important to continuous monitoring since it is the process of actively checking all security controls. But, there are some security controls families that are notable when it comes to continuous monitoring implementation. These include “Security Assessment and Authorization”, “Configuration Management”, “Risk Assessment” and “Incident Response”.
CA-7 specifically mentions continuous monitoring:
CA-7 CONTINUOUS MONITORING
Control: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for the information system and its constituent components;
b. A determination of the security impact of changes to the information system and environment of operation;
An organization-wide approach to continuous monitoring of information and information system security supports risk-related decision making at the organization level (Tier 1), the mission/business processes level (Tier 2), and the information systems level (Tier 3).
Why is DIARMF Information Security Continuous Monitoring (ISCM) important?
For federal systems, continuous monitoring is not just important, it is the law. DIARMF systems MUST have continuous monitoring.
Continuous monitoring is part of federal law. It is considered one of three top-priority areas identified for improvement within Federal cybersecurity (Trusted Internet Connections, Continuous Monitoring and HSPD-12).
But what is continuous monitoring good for from a purely security perspective?
ISCM means having enhanced monitoring capabilities that give information owners near real-time security awareness. That means they know the status of ongoing system changes, many of the system's vulnerabilities, and the status of the security controls that have been implemented.
DIARMF looks at Risk Management from the perspective of the entire organization, from upper management (Tier 1), to administration (Tier 2), to automation (Tier 3).
Tier 1, Upper management – endorses and/or delegates the creation of policies and strategies that mandate continuous monitoring from the top down. Upper management should be involved in decisions regarding major configuration management review boards and high-level/high-risk security incidents.
Tier 2, Administration – works on the mission and business processes of continuous monitoring. Administrators do correlation, analysis and reporting.
Tier 3, Automation – information systems collect and consolidate the data feeds needed for incident handling, correlation and analysis.
DIARMF – Re-Authorizations & Updates to documentation
During the course of configuration changes, security upgrades of operating systems and detection of security incidents, it is necessary to have ongoing authorizations.
Continuous monitoring done correctly and actively will discover new threats, weaknesses and changes to the system infrastructure, because these things constantly change and so the security posture changes. Adjusting the system may require re-authorization.
Updates to Data & Documentation
With or without re-authorization, the changes to the system detected by continuous monitoring require an update to the system's security controls documentation, vulnerability documentation and risk documentation. This means the System Security Plan, together with the Risk Assessment Report, Security Assessment Report and POA&M, should be tweaked.
Really good write up,
Quick question, or rather questions. What would be the DHS and Non-DoD version of DIARMF. Also what is the process for breach/vulnerability notification.
Rob Elamb says
What would be the DHS and Non-DoD version of DIARMF: the non-dod process would be the NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
As for, breach/vulnerability notifications, I would check out NIST incident handling: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Hope this helps.
Where would something like ExtraHop fit in (www.extrahop.com)? It's a real-time monitoring solution for east/west/north/south traffic traversing the data center, with network+application layer visibility. It's a data capture and analysis device, with its output being structured wire data (vs. logs). It's primarily used for troubleshooting but has caught on within the infosec community since it can trend on activity, alert on deviations from the trend, and provide real-time insights into all of the various tiers (web, database, storage) within a complex data center.
Would it fall into the real-time operational monitoring part of the lifecycle plan?
Bruce Brown says
Hello, I think it would be part of continuous monitoring because it could potentially identify something like a denial of service attack or deviations in availability of services. Continuous Monitoring covers so much ground.