
ConvoCourses

Cyber Security Compliance and IT Jobs


continuous monitoring risk scoring

security risk

February 6, 2014 by Bruce Brown Leave a Comment

NIST SP 800-39, Manage Information Security Risk

NIST SP 800-39 deals entirely with managing information security risk in an organization.  Chapter 2 of 800-39 covers the fundamentals of security risk management, and chapter 3 goes into the process of applying security risk management across an organization.

The Fundamentals of Security Risk Management (Chapter 2, 800-39)
Chapter 2 of NIST SP 800-39 discusses the philosophy of security risk and how to manage information security risk at multiple levels of an organization. The three tiers at which risk is managed are:

  1. Tier 1: Organization level
  2. Tier 2: Mission/Business Process level
  3. Tier 3: Information System level

Tier 1: Organization Level Security Risk Management
Tier 1 addresses security risk from the organization's perspective. This includes the implementation of the first component of security risk management, which is called risk framing.

At tier 1 of security risk management, the leadership of the organization establishes governance structures that comply with laws, regulations and policies. Tier 1 activities include establishing the Risk Executive (Function), establishing the risk management strategy and determining the organization's risk tolerance.

 

Security risk framing provides the context for all security risk activities within an organization, which means it shapes the risk tasks carried out at tiers 2 and 3. The output of risk framing is the security risk management strategy.

Tier 2: Mission/Business Process Security Risk Management

Tier 2 security risk management tasks include:

  1. Defining the mission/business processes.
  2. Prioritizing the mission/business processes with respect to the long-term goals of the organization.
  3. Defining the types of information needed to successfully execute the mission/business processes, the criticality/sensitivity of that information, and the information flows both internal and external to the organization.

 

Tier 3: Information System Security Risk Management

From the information system perspective, tier 3 addresses the following tasks:

  1. Categorization of the information system
  2. Allocation of organizational security controls to the system
  3. Selection, implementation, assessment, authorization, and ongoing monitoring of those controls

Chapter 3 focuses on the steps needed for a comprehensive security risk management program. The four components discussed are:

  • Risk Framing
  • Risk Assessment
  • Risk Response
  • Risk Monitoring

Risk Assessment

NIST SP 800-30 goes into the risk assessment process in detail; 800-39 covers it at a high level.  Risk assessment consists of threat and vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessment, because the assessment methods must be chosen within the context the organization has established for its risk.

Risk Response
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

Risk identification is key to risk response. The risk response types include:

Risk acceptance – the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Risk avoidance – organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.

Risk mitigation – adding management, operational and technical safeguards to reduce the identified risks to the system to an acceptable level.

Risk sharing and transfer – the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk sharing shifts a portion of the risk responsibility or liability to other organizations, while risk transfer shifts the entire risk responsibility or liability from one organization to another (e.g., using insurance to transfer risk from particular organizations to insurance companies).

Risk Monitoring

Risk changes with each modification of the system, so it is important to monitor how the risk of a system changes over time. Changes to the threat landscape can also change the risk even when the system itself has not changed.  This is where continuous monitoring comes in.


DIARMF – Continuous Monitoring

January 14, 2014 by Bruce Brown 4 Comments

DIARMF Continuous Monitoring

What is DIARMF continuous monitoring?

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.  It is described in NIST SP 800-137.  Continuous monitoring is the last, and very important, ongoing 6th step in the DIARMF security life cycle.

The DoD's current method of continuous monitoring (2014) is Continuous Monitoring and Risk Scoring (CMRS).  It is a web-based visual view of the security state of DoD enterprise endpoints, covering software inventory, antivirus configuration, Security Technical Implementation Guide (STIG) compliance, and Information Assurance Vulnerability Management (IAVM) vulnerability and patch compliance.  CMRS displays risk dashboards built from the data published to it by HBSS and ACAS (more info at DISA).

HBSS (Host Based Security System) is a DoD-implemented suite of applications:

  • (McAfee) ePolicy Orchestrator (ePO) – version 4.5.6, but 4.6.6 is preferred
  • Asset Configuration Compliance Module (ACCM) – version 2, but 2.0.0.1129 is preferred
  • McAfee Data Loss Prevention / Device Control Module (DCM) – version 9.1, but 9.2 Patch 1 is preferred
  • McAfee Host Intrusion Prevention (HIPS) – version 7.x, but 8.0 Patch 2 is preferred
  • McAfee Management Agent (MA) – version 4.5, but 4.6 is preferred
  • McAfee Policy Auditor Agent (PA) – version 5.3, but 6.0.1 is preferred
  • Antivirus (AV) – McAfee or Symantec – McAfee Symantec Antivirus 10.1.9, McAfee VirusScan Enterprise 10.2, Symantec Endpoint Protection 12, Symantec Antivirus 10.1, Symantec Antivirus 10.2, Symantec Norton Antivirus 7500 9
  • Operational Attribute Module (OAM) – version 2.0.1, but 2.0.5.1 is preferred
  • Asset Publishing Service (APS) – version 2.0.1 or 2.0.0.6, but 2.0.3 is preferred – configured to publish to CMRS

ACAS (Assured Compliance Assessment Solution) is not part of HBSS but is the other main data source for CMRS: it is the DoD enterprise vulnerability scanning capability, built on Tenable Nessus, an enterprise-level vulnerability scanner.

These systems are implemented in accordance with United States Strategic Command (USSTRATCOM) Communications Tasking Orders (CTO) 05-19 and 07-12 (Deployment of Host Based Security System (HBSS)).  The products and tools needed for continuous monitoring change constantly, but what is important is the concept.  Within a month of publishing this, the products listed will be different and new CTOs will be released, but the need for continuous monitoring will remain.  KNOW the CONCEPT.

If you know DIACAP, then this step is similar to Phase 5, Maintain Authorization to Operate and Conduct Reviews, except that there is a HUGE focus on real-time automation.  Automation is done with tools like security information and event management systems (SIEM) and security dashboards.

If the other steps of DIARMF are planning, building and checking the engine, then continuous monitoring is keeping it running.  Continuous monitoring is part of the day-to-day tasks of security professionals.

Continuous monitoring has everything to do with visibility into your network:

Configuration management – track and manage changes to the system with a configuration management process and an asset inventory.  The organization maintains the security baseline by managing its inventory and only allowing approved changes to the network.

Vulnerability monitoring – awareness of vulnerabilities and response to them through a patch management program.

Network monitoring – incident handling and response, including detection of advanced persistent threats and active research into ongoing threats.

Key Component of DIARMF Continuous Monitoring

Security Content Automation Protocol (SCAP)

 According to Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002, March 2013, “A key component to this work is the NIST Security Content Automation Protocol (SCAP) and related programs, which are developed through close collaboration between government and industry partners”.

SCAP is a suite of open specifications (for example XCCDF for checklists and their results, OVAL for the checks themselves, and CVE, CPE and CVSS for naming and scoring) that vulnerability scanning, configuration checking and patching tools use to exchange vulnerability and technical control information in a machine-readable form.  It is used internationally, federally and commercially.
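The following is an added example and is not code from the ConvoCourses post, from NIST or from DISA. It reads an XCCDF result document (the SCAP checklist-result format that tools such as SCC publish), turns the per-rule pass/fail results into one weighted risk score of the kind a CMRS-style dashboard shows, and compares that score against an organizational risk tolerance, which is the 800-39 risk-framing output the first post describes. The XCCDF 1.2 namespace is real; the severity weights, the 25% tolerance, the host name and the sample benchmark/result document are all constructed for this example.

```python
"""Score an SCAP/XCCDF result the way a CMRS-style dashboard would.

Added example, not code from the original post, NIST or DISA. The XCCDF 1.2
namespace is real; severity weights, tolerance and the sample document are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}

# Illustrative weights per XCCDF rule severity (not a DISA or NIST value).
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1, "info": 0, "unknown": 5}
# Results meaning the control is not in place, or could not be shown to be.
FAILING = {"fail", "error", "unknown"}
# Results that do not count toward the score at all.
EXCLUDED = {"notapplicable", "notchecked", "notselected", "informational"}

# Constructed sample: a Benchmark with four rules and one TestResult.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <Rule id="xccdf_example_rule_no_telnet" severity="high">
    <title>Telnet service must be disabled</title>
  </Rule>
  <Rule id="xccdf_example_rule_password_len" severity="medium">
    <title>Minimum password length must be 14</title>
  </Rule>
  <Rule id="xccdf_example_rule_banner" severity="low">
    <title>Login banner must be displayed</title>
  </Rule>
  <Rule id="xccdf_example_rule_ipv6" severity="medium">
    <title>IPv6 must be configured per policy</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_host1">
    <target>host1.example.mil</target>
    <rule-result idref="xccdf_example_rule_no_telnet"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_len"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_ipv6"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xccdf_xml):
    """Return (target, [(rule_id, title, severity, result), ...])."""
    root = ET.fromstring(xccdf_xml)
    rules = {}
    for rule in root.iter("{%s}Rule" % XCCDF):
        title = rule.findtext("x:title", default=rule.get("id"), namespaces=NS)
        rules[rule.get("id")] = (title, rule.get("severity", "unknown"))
    test_result = root.find("x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element in document")
    target = test_result.findtext("x:target", default="", namespaces=NS)
    findings = []
    for rr in test_result.findall("x:rule-result", NS):
        rule_id = rr.get("idref")
        title, severity = rules.get(rule_id, (rule_id, "unknown"))
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        findings.append((rule_id, title, severity, result))
    return target, findings


def score_findings(findings):
    """Weighted score 0-100: severity weight of failed rules over the weight of
    every applicable rule. Returns (score, failed) with failed sorted highest
    severity first so the dashboard shows what to fix first."""
    order = {"high": 0, "medium": 1, "unknown": 1, "low": 2, "info": 3}
    possible = at_risk = 0
    failed = []
    for rule_id, title, severity, result in findings:
        if result in EXCLUDED:
            continue
        weight = SEVERITY_WEIGHT.get(severity, SEVERITY_WEIGHT["unknown"])
        possible += weight
        if result in FAILING:
            at_risk += weight
            failed.append((severity, rule_id, title))
    failed.sort(key=lambda f: order.get(f[0], 1))
    score = 100.0 * at_risk / possible if possible else 0.0
    return score, failed


def assess(xccdf_xml, tolerance):
    """Compare a host's score to the organization's risk tolerance (the output
    of 800-39 risk framing) and report whether the risk is acceptable."""
    target, findings = parse_results(xccdf_xml)
    score, failed = score_findings(findings)
    return {"target": target, "score": score, "failed": failed,
            "within_tolerance": score <= tolerance}


if __name__ == "__main__":
    report = assess(SAMPLE_XCCDF, tolerance=25.0)
    verdict = "within" if report["within_tolerance"] else "EXCEEDS"
    print("%s: risk score %.1f (%s tolerance)" % (report["target"], report["score"], verdict))
    for severity, rule_id, title in report["failed"]:
        print("  [%-6s] %s: %s" % (severity, rule_id, title))
```

Two design points worth noting. Results such as notapplicable and notchecked are left out of the denominator, because counting them as passes would quietly inflate the compliance picture, while error and unknown are counted as failures, because a control that cannot be shown to be in place should not be scored as if it were. On the sample document the host scores 68.75 against a 25-point tolerance, so the risk would have to be mitigated or formally accepted rather than ignored.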

 Continuous Monitoring as a Service (CMaaS)

The Department of Homeland Security is coordinating a continuous monitoring service: the Continuous Diagnostics and Mitigation (CDM) program, which provides continuous monitoring sensors, diagnosis, mitigation tools, and Continuous Monitoring as a Service (CMaaS).

With dashboards and automated reports the data is visualized in near real-time, allowing information security professionals to respond quickly to the highest-priority incidents.

Continuous Monitoring Products

Federal law and guidance encourage the use of tools like security information and event managers (SIEM) that bring all the security information into one place, a security dashboard whose graphs and visualizations make it possible to quickly detect patterns across a lot of data in near real-time.  See the FISMA reporting requirements and NIST SP 800-137 for more information.

Tools like SIEMs, IPSs, IDSs and APT detection systems are what are used in the industry.  DoD units create partnerships with security companies like HP, McAfee, Symantec, Tenable, Rapid7 (Metasploit), Mandiant and others to create continuous monitoring solutions for their organizations.

 HP Enterprise Security Products

HP Enterprise Security Products address the following categories when looking at continuous monitoring:

  • Manage Assets
  • Manage Accounts
  • Manage Events
  • Security Lifecycle Management

The HP products covering these items include, but are not limited to:

  • ArcSight Enterprise Security Manager
  • ArcSight Logger
  • HP TippingPoint

McAfee

McAfee has a suite of products to address continuous monitoring:

  • McAfee Vulnerability Manager
  • McAfee Enterprise Security Manager
  • McAfee Enterprise Log Manager
  • McAfee Global Threat Intelligence
  • McAfee ePO

Symantec

  • Symantec Control Compliance Suite
  • Virtualization Security Manager

Continuous monitoring controls

Realistically, all implemented and assessed controls are important to continuous monitoring, since it is the process of actively checking all security controls.  But there are some security control families that are notable when it comes to continuous monitoring implementation.  These include Security Assessment and Authorization (CA), Configuration Management (CM), Risk Assessment (RA) and Incident Response (IR).

CA-7 specifically mentions continuous monitoring:

 CA-7 CONTINUOUS MONITORING

Control: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:

a. A configuration management process for the information system and its constituent components;

b. A determination of the security impact of changes to the information system and environment of operation;

An organization-wide approach to continuous monitoring of information and information system security supports risk-related decision making at the organization level (Tier 1), the mission/business processes level (Tier 2), and the information systems level (Tier 3).

Why is DIARMF Information Security Continuous Monitoring (ISCM) important?

For federal systems, continuous monitoring is not just important, it is the law.  DIARMF systems MUST have continuous monitoring.

Continuous monitoring is considered one of the three top priority areas identified for improvement within federal cybersecurity (Trusted Internet Connections, continuous monitoring and HSPD-12).

But what is continuous monitoring good for from a purely security perspective?

ISCM means having enhanced monitoring capabilities that give information owners near real-time security awareness.  They know the status of ongoing system changes, they know many of the system's vulnerabilities, and they know the status of the security controls that have been implemented.

DIARMF looks at risk management from the perspective of the entire organization, from upper management (Tier 1), to administration (Tier 2), to automation (Tier 3).

Tier 1, upper management – endorses and/or delegates the creation of policies and strategies that mandate continuous monitoring from the top down.  Upper management should be involved in decisions regarding major configuration management review boards and high-level/high-risk security incidents.

Tier 2, administration – works on the mission and business processes of continuous monitoring.  Administrators do correlation, analysis and reporting.

Tier 3, automation – information systems collect and consolidate the data feeds needed for incident handling, correlation and analysis.

DIARMF – Re-Authorizations & Updates to documentation

During the course of configuration changes, security upgrades of operating systems and detection of security incidents, it is necessary to have ongoing authorization.

Continuous monitoring done correctly and actively will discover new threats, new weaknesses and changes to the system infrastructure, because these things constantly change and the security posture changes with them.  Adjusting the system may require re-authorization.

Updates to Data & Documentation

With or without re-authorization, the changes to the system detected by continuous monitoring require an update to the system's security control documentation, vulnerability documentation and risk documentation.  This means the System Security Plan, together with the Risk Assessment Report, Security Assessment Report and POA&M, should be updated.
