
ConvoCourses

Cyber Security Compliance and IT Jobs


DIARMF - Continuous Monitoring

security risk

February 6, 2014 by Bruce Brown

NIST SP 800-39, Manage Information Security Risk

NIST SP 800-39 deals entirely with the challenge of managing security risk in an organization. Chapter 2 of 800-39 discusses the basics of security risk management, and chapter 3 goes into the process of applying security risk management across an organization.

The Fundamentals of Security Risk Management (Chapter 2, 800-39)
The philosophy of security risk, and how to manage information security at multiple levels of an organization, are discussed in chapter 2 of NIST SP 800-39. The three tiers of security risk management are:

  1. Tier 1: Organization level
  2. Tier 2: Mission/Business Process level
  3. Tier 3: Information System level

Tier 1: Organization Level security risk management
Tier 1 addresses security risk from the organization's perspective. This includes the implementation of the first component of security risk management, which is called risk framing.

In tier 1 of security risk management, the management of the organization establishes governance structures that comply with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy, and determination of the organization's risk tolerance.

Security risk framing provides context for all the security risk activities within an organization, which affects the risk tasks of tiers 1 & 2. The result of risk framing is the Security Risk Management Strategy.

Security Risk Management Tier 2: Mission/Business Process

Tier 2 security risk management tasks include:

  1. Defining the mission/business processes.
  2. Prioritizing the mission/business processes with respect to the long-term goals of the organization.
  3. Defining the types of information needed to successfully execute the mission/business processes, the criticality and sensitivity of that information, and its information flows, both internal and external to the organization.

 

Tier 3: Information System Security Risk management

From the information system perspective, tier 3 addresses the following tasks:

  1. Categorization of the information system
  2. Allocating the organizational security controls
  3. Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the steps needed to build a comprehensive security risk management program. The tasks discussed include:

  • Risk Framing
  • Risk Assessing
  • Risk Response
  • Risk Monitoring

Risk Assessment

NIST SP 800-30 goes into the risk assessment process in detail; 800-39 covers it from a high level. Risk assessment is threat and vulnerability identification together with risk determination. Organizational risk framing is a prerequisite to risk assessment, because the methods of risk assessment must be established within the context of the organization's risk.

Risk Response
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

Risk identification is key to risk response. The risk response types include:

  • Risk acceptance – the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.
  • Risk avoidance – organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.
  • Risk mitigation – adding management, technical and administrative safeguards to minimize the identified risks to the system.
  • Risk sharing and transfer – risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies).

Risk Monitoring

Risk changes with each modification of the system, so it is important to monitor how the risk of a system changes over time. Changes to threats can also change risk. This is where continuous monitoring comes in.


risk management framework steps

January 19, 2014 by Bruce Brown

The risk management framework steps are detailed in NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.

The DoD has recently adopted the Risk Management Framework steps (called the DIARMF process). There are 6 steps: Categorize, Select, Implement, Assess, Authorize and Continuous Monitoring.


risk management framework – Step 1. Categorize

The first risk management framework step is categorization. This step consists of classifying the importance of the information system. It is done by the system owner using FIPS 199 and NIST SP 800-60.

Categorization is based on how much negative impact the organization would suffer if the information system lost its confidentiality, integrity or availability.

 

risk management framework – Step 2. Select

With FIPS 200 and NIST SP 800-53, the organization responsible for the system's security selects the security controls required to limit the risk to the organization. The selection of the controls is based on the categorization of the system. A system security plan is created as a guide to what will be installed and/or configured on the system.
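The following is an added example, not code from the post or from NIST, showing how steps 1 and 2 above fit together in practice: the FIPS 199 high-water mark is taken across every information type a system handles, and the resulting overall category determines which NIST SP 800-53 baseline is selected. The information types, their impact levels and the system itself are constructed sample values, not entries from NIST SP 800-60.

```python
# Added example (not from the ConvoCourses post): FIPS 199 security
# categorization by high-water mark, followed by the baseline choice that
# FIPS 200 / NIST SP 800-53 tie to that category. The information types and
# their impact levels below are constructed sample data, not NIST SP 800-60 values.

LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information_type(confidentiality, integrity, availability):
    """Return the FIPS 199 security category of a single information type."""
    sc = {"confidentiality": confidentiality,
          "integrity": integrity,
          "availability": availability}
    for objective, level in sc.items():
        if level not in LEVELS:
            raise ValueError(f"{objective}: unknown impact level {level!r}")
    return sc


def categorize_system(info_types):
    """Aggregate the information types a system processes.

    FIPS 199 takes the high-water mark per security objective across all the
    information types on the system; the overall system category is then the
    highest impact level among the three objectives.
    """
    system_sc = {objective: "LOW" for objective in OBJECTIVES}
    for sc in info_types.values():
        for objective in OBJECTIVES:
            if LEVELS.index(sc[objective]) > LEVELS.index(system_sc[objective]):
                system_sc[objective] = sc[objective]
    overall = max(system_sc.values(), key=LEVELS.index)
    return system_sc, overall


def select_baseline(overall):
    """Map the overall category to the name of the SP 800-53 control baseline."""
    return {"LOW": "low-impact baseline",
            "MODERATE": "moderate-impact baseline",
            "HIGH": "high-impact baseline"}[overall]


def format_category(system_sc, overall):
    """Render in the SC = {(confidentiality, x), ...} notation FIPS 199 uses."""
    parts = ", ".join(f"({objective}, {system_sc[objective]})" for objective in OBJECTIVES)
    return f"SC = {{{parts}}} -> overall {overall}"


# Constructed sample: a hypothetical personnel system with three information
# types whose provisional impact levels were chosen purely for illustration.
SAMPLE_SYSTEM = {
    "personnel records": categorize_information_type("MODERATE", "MODERATE", "LOW"),
    "public web content": categorize_information_type("LOW", "MODERATE", "LOW"),
    "payroll processing": categorize_information_type("MODERATE", "HIGH", "MODERATE"),
}

if __name__ == "__main__":
    sc, overall = categorize_system(SAMPLE_SYSTEM)
    print(format_category(sc, overall))
    print("Step 2: select the", select_baseline(overall), "from NIST SP 800-53")
```

Note that a single HIGH rating for one objective on one information type drags the whole system to HIGH; that is the high-water mark rule working as intended, and it is why system owners scrutinize which information types really reside on a system before categorizing it.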

More on DIARMF – Select

risk management framework – Step 3. Implement

Using the System Security Plan, the organization responsible for the categorized system can begin risk management framework step 3. This step is implementation: the installation and configuration of security patches, hotfixes and security devices where necessary. Guidance for the actual implementation has to come from technical manuals, system administrators, system engineers and others technically competent enough to do the work.

More on DIARMF – Implement

risk management framework – Step 4. Assess

The organization has to make sure that the security controls are implemented properly. This is done in risk management framework step 4, assess. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is used to determine which controls have been fully implemented to limit the risks to the organization.

More on DIARMF – Assess

risk management framework – Step 5. Authorize

Even after implementation and assessment of the security controls that limit the overall risk to the organization, there is some remaining (residual) risk. The organization must have someone with enough authority over the system to accept the residual risk. This person is known as the Authorizing Official.

In risk management framework step 5, an Authorizing Official makes a formal, written acceptance of the risks. The AO decides whether or not to accept the risk based on the authorization package. The authorization package consists of the system security plan, the plan of action and milestones, the security/risk assessment report and any other supporting documents.

 

More on DIARMF – Authorization

risk management framework – Step 6. Continuous Monitoring

After acceptance of risk by the organization, they must develop a program that monitors the ongoing changes to the system's security posture. They take a proactive approach to watching for advanced persistent threats, configuration changes and new vulnerabilities. Risk management framework step 6 handles all of this.

More on DIARMF – Continuous Monitoring


DIARMF – Continuous Monitoring

January 14, 2014 by Bruce Brown

DIARMF Continuous Monitoring

What is DIARMF continuous monitoring?

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. It is described in NIST SP 800-137. Continuous monitoring is the last, and very important, ON-GOING sixth step in the DIARMF security life cycle.

The DoD's current method of continuous monitoring (2014) is the use of Continuous Monitoring and Risk Scoring (CMRS). It is a web-based, visual method of watching DoD enterprise security controls that cover software inventory, antivirus configuration, Security Technical Implementation Guide (STIG) compliance, and IAVM vulnerability and patch compliance. CMRS displays risk dashboards based on published HBSS and ACAS data (more info at DISA).

HBSS (Host Based Security System) is a DoD-implemented suite of applications:

  • (McAfee) ePolicy Orchestrator (ePO) – version 4.5.6, but 4.6.6 is preferred
  • Asset Configuration Compliance Module (ACCM) – version 2, but 2.0.0.1129 is preferred
  • McAfee Data Loss Prevention / Device Control Module (DCM) – version 9.1, but 9.2 Patch 1 is preferred
  • McAfee Host Intrusion Prevention (HIPS) – version 7.x, but 8.0 Patch 2 is preferred
  • McAfee Management Agent (MA) – version 4.5, but 4.6 is preferred
  • McAfee Policy Auditor Agent (PA) – version 5.3, but 6.0.1 is preferred
  • Antivirus (AV) – McAfee or Symantec – McAfee Symantec Antivirus 10.1.9, McAfee Virus Scan Enterprise 10.2, Symantec Endpoint Protection 12, Symantec Antivirus 10.1, Symantec Antivirus 10.2, Symantec Norton Antivirus 7500 9
  • Operational Attribute Module (OAM) – version 2.0.1, but 2.0.5.1 is preferred
  • Asset Publishing Service (APS) – version 2.0.1 or 2.0.0.6, but 2.0.3 is preferred – configured to publish to CMRS
  • ACAS (Assured Compliance Assessment Solution) is Tenable Nessus, an enterprise-level vulnerability scanner.

These systems are implemented in accordance with United States Strategic Command (USSTRATCOM) Communications Tasking Orders (CTO) 05-19 & 07-12 (Deployment of Host Based Security System (HBSS)). The products and tools needed for continuous monitoring change constantly, but what is important is the concept. Within a month of publishing this, the products listed will be different and new CTOs will be released, but the need for continuous monitoring will remain. KNOW the CONCEPT.

If you know DIACAP, then this step is similar to Phase 5, Maintain Authorization to Operate, except there is a HUGE focus on real-time automation. Automation is done with tools like security information & event management systems (SIEM) and security dashboards.

If the other steps of DIARMF are planning, building and checking the engine, then continuous monitoring is keeping it running. Continuous monitoring is part of the day-to-day tasks of security professionals.

Continuous monitoring has everything to do with the visibility of your network:

Configuration Management – track and manage changes with a configuration management program and an asset inventory. The organization monitors the security baseline by managing its inventory and only allowing approved major changes to the network.

Vulnerability monitoring – awareness of vulnerabilities, and response through a patch management program.

Network monitoring – incident handling and response to advanced persistent threats, and active research of ongoing threats.
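The first two of those visibility items, configuration management and vulnerability/patch monitoring, come down to one recurring comparison: what is actually on each host versus what the approved baseline says should be there. The added example below (not code from the post, nor from CMRS, HBSS or any DISA tool) performs that comparison for a constructed inventory feed and turns the findings into a per-host risk score of the kind a CMRS-style dashboard would display. The host names, package names, patch identifiers and severity weights are all invented sample values.

```python
# Added example (not from the ConvoCourses post): a minimal continuous
# monitoring check. It compares each host's reported software inventory with
# the approved configuration baseline and the list of required patches, then
# scores the drift so the worst hosts rise to the top of a dashboard.
# All host names, package names, patch IDs and weights are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # unapproved | version_drift | missing_required | missing_patch
    detail: str
    severity: int  # 1 (low) .. 3 (high); weights chosen for illustration only


# Configuration management: the approved baseline, package -> approved version.
APPROVED_BASELINE = {
    "openssh": "6.4",
    "antivirus-agent": "8.8",
    "host-ips": "8.0",
}

# Vulnerability/patch monitoring: patches every host must have, id -> severity.
REQUIRED_PATCHES = {"PATCH-2014-001": 3, "PATCH-2014-002": 2}

# Constructed inventory feed, the sort of data an endpoint agent publishes.
CURRENT_INVENTORY = {
    "host-a": {
        "packages": {"openssh": "6.4", "antivirus-agent": "8.8", "host-ips": "8.0"},
        "patches": {"PATCH-2014-001", "PATCH-2014-002"},
    },
    "host-b": {
        "packages": {"openssh": "5.9", "antivirus-agent": "8.8", "remote-admin-tool": "1.0"},
        "patches": {"PATCH-2014-002"},
    },
}


def check_configuration(host, packages, baseline=APPROVED_BASELINE):
    """Flag software outside the baseline, at the wrong version, or missing."""
    findings = []
    for name, version in sorted(packages.items()):
        if name not in baseline:
            findings.append(Finding(host, "unapproved",
                                    f"{name} {version} is not in the approved baseline", 2))
        elif version != baseline[name]:
            findings.append(Finding(host, "version_drift",
                                    f"{name} {version} differs from approved {baseline[name]}", 2))
    for name in sorted(baseline):
        if name not in packages:
            findings.append(Finding(host, "missing_required", f"{name} is not installed", 3))
    return findings


def check_patches(host, applied, required=REQUIRED_PATCHES):
    """Flag required patches the host has not reported as applied."""
    return [Finding(host, "missing_patch", patch_id, severity)
            for patch_id, severity in sorted(required.items())
            if patch_id not in applied]


def risk_score(findings):
    """Simple additive score: the sum of finding severities."""
    return sum(f.severity for f in findings)


def monitor(inventory=CURRENT_INVENTORY):
    """Run both checks for every host and return findings plus score per host."""
    report = {}
    for host, data in inventory.items():
        findings = check_configuration(host, data["packages"]) + check_patches(host, data["patches"])
        report[host] = {"findings": findings, "score": risk_score(findings)}
    return report


if __name__ == "__main__":
    for host, entry in sorted(monitor().items(), key=lambda kv: -kv[1]["score"]):
        print(f"{host}: risk score {entry['score']}")
        for f in entry["findings"]:
            print(f"  [{f.kind}] {f.detail} (severity {f.severity})")
```

A real deployment replaces the inline dictionaries with feeds from the inventory, antivirus and patch agents, but the logic is the same: every run re-derives the delta from the baseline rather than trusting last month's assessment, which is the whole point of the "ongoing" in ISCM.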

Key Component of DIARMF Continuous Monitoring

Security Content Automation Protocol (SCAP)

According to the Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002 (March 2013), "A key component to this work is the NIST Security Content Automation Protocol (SCAP) and related programs, which are developed through close collaboration between government and industry partners".

SCAP is a common protocol that vulnerability scanning and patching software can use to communicate vulnerability and technical control information to each other quickly. This protocol is used internationally, federally and commercially.
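What "communicate ... to each other" means concretely is that SCAP tools exchange XML in standard formats, so a scanner's output can be read by a dashboard from a different vendor. The added example below (not code from the post or from any SCAP tool) parses a constructed, minimal XCCDF 1.2 TestResult, the result format of a benchmark run, and summarizes it the way a monitoring dashboard would. The benchmark, rule and host identifiers in the sample are invented, not real STIG rules.

```python
# Added example (not from the ConvoCourses post): reading the machine-readable
# result that SCAP-based scanners and dashboards exchange. The XML below is a
# constructed, minimal XCCDF 1.2 TestResult; every identifier in it is invented.
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

SAMPLE_XCCDF_RESULT = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample-run"
              start-time="2014-01-14T09:00:00">
    <target>host-a.example.test</target>
    <rule-result idref="xccdf_example_rule_password_min_length" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_banner_text" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_av_signatures_current" severity="high">
      <result>fail</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">50.0</score>
  </TestResult>
</Benchmark>
"""


def parse_test_result(xml_text):
    """Extract the target, each rule's outcome and the benchmark score."""
    root = ET.fromstring(xml_text)
    test_result = root.find(f"{XCCDF}TestResult")
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")
    results = []
    for rule_result in test_result.findall(f"{XCCDF}rule-result"):
        outcome = rule_result.findtext(f"{XCCDF}result")
        results.append({
            "rule": rule_result.get("idref"),
            "severity": rule_result.get("severity", "unknown"),
            "result": outcome.strip() if outcome else "unknown",
        })
    score_elem = test_result.find(f"{XCCDF}score")
    score = float(score_elem.text) if score_elem is not None and score_elem.text else None
    return {
        "target": test_result.findtext(f"{XCCDF}target"),
        "results": results,
        "score": score,
    }


def summarize(parsed):
    """Count outcomes and list failed rules, highest severity first."""
    counts = {}
    for entry in parsed["results"]:
        counts[entry["result"]] = counts.get(entry["result"], 0) + 1
    order = {"high": 0, "medium": 1, "low": 2}
    failed = sorted((e for e in parsed["results"] if e["result"] == "fail"),
                    key=lambda e: (order.get(e["severity"], 3), e["rule"]))
    return counts, [f"{e['severity']}: {e['rule']}" for e in failed]


if __name__ == "__main__":
    parsed = parse_test_result(SAMPLE_XCCDF_RESULT)
    counts, failed = summarize(parsed)
    print(parsed["target"], "score", parsed["score"], counts)
    for line in failed:
        print("  FAIL", line)
```

Because the rule identifiers and result vocabulary (pass, fail, notapplicable, and so on) are fixed by the XCCDF specification rather than by the vendor, the same parser works on output from any conforming scanner, which is exactly the interoperability the report to Congress is praising.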

Continuous Monitoring as a Service (CMaaS)

The Department of Homeland Security is coordinating a continuous monitoring service. It wants to create a Continuous Diagnostics and Mitigation (CDM) program that provides continuous monitoring sensors, diagnosis, mitigation tools, and Continuous Monitoring as a Service (CMaaS).

With dashboards and automated Crystal Reports, the data is visualized in real time, allowing information security professionals to respond quickly to the highest-priority incidents.

Continuous Monitoring Products

Federal law encourages the use of tools like security information & event managers (SIEM) that bring all the security information into one place, a security dashboard whose graphs and visualizations make it possible to quickly detect patterns across large amounts of data in real time. See the new FISMA and NIST SP 800-137 for more information.

Tools like SIEMs, IPSs, IDSs and APT detection systems are what the industry uses. DoD units create partnerships with security companies like HP, McAfee, Symantec, Tenable, Rapid7, Metasploit, Mandiant and others to create continuous monitoring solutions for their organizations.

HP Enterprise Security Products

HP Enterprise Security addresses the following categories when looking at continuous monitoring:

  • Manage Assets

  • Manage Accounts

  • Manage Events

  • Security Lifecycle Management

The HP products covering these items include, but are not limited to:

  • ArcSight Enterprise Security Manager
  • ArcSight Logger
  • HP TippingPoint

McAfee

McAfee has a suite of products to address continuous monitoring:

  • McAfee Vulnerability Manager
  • McAfee Enterprise Security Manager
  • McAfee Enterprise Log Manager
  • McAfee Global Threat Intelligence
  • McAfee ePO

Symantec

  • Symantec Control Compliance Suite
  • Virtualization Security Manager

Continuous monitoring controls

Realistically, all implemented and assessed controls are important to continuous monitoring since it is the process of actively checking all security controls.  But, there are some security controls families that are notable when it comes to continuous monitoring implementation.  These include “Security Assessment and Authorization”, “Configuration Management”, “Risk Assessment” and “Incident Response”.

CA-7 specifically mentions continuous monitoring:

CA-7 CONTINUOUS MONITORING

Control: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:

a. A configuration management process for the information system and its constituent components;

b. A determination of the security impact of changes to the information system and environment of operation;

An organization-wide approach to continuous monitoring of information and information system security supports risk-related decision making at the organization level (Tier 1), the mission/business processes level (Tier 2), and the information systems level (Tier 3).

Why is DIARMF Information Security Continuous Monitoring (ISCM) important?

For federal systems, continuous monitoring is not just important, it is the law. DIARMF systems MUST have continuous monitoring.

Continuous monitoring is part of federal law. It is considered one of the three top priority areas identified for improvement within federal cybersecurity (Trusted Internet Connections, Continuous Monitoring and HSPD-12).

But what is continuous monitoring good for from a purely security perspective?

ISCM means having enhanced monitoring capabilities that give information owners near real-time security awareness. That means they know the status of ongoing system changes, they know many of the system's vulnerabilities, and they know the status of the security controls that have been implemented.

DIARMF looks at risk management from the perspective of the entire organization, from upper management (Tier 1), to administration (Tier 2), to automation (Tier 3).

Tier 1, Upper management – endorses and/or delegates the creation of policies and strategies that mandate continuous monitoring from the top down. Upper management should be involved with decisions regarding major configuration management review boards and high-level/high-risk security incidents.

Tier 2, Administration – works on the mission and business processes of continuous monitoring. Administrators do correlation, analysis and reporting.

Tier 3, Automation – information systems collect and consolidate the data feeds needed for incident handling, correlation and analysis.

DIARMF – Re-Authorizations & Updates to documentation

During the course of configuration changes, security upgrades of operating systems, and detection of security incidents, it is necessary to have ongoing authorizations.

Continuous monitoring done correctly and actively will discover new threats, weaknesses and changes to the system infrastructure, because these things constantly change and so the security posture changes. Adjusting the system may require re-authorization.

Updates to Data & Documentation

With or without re-authorization, the changes to the system detected by continuous monitoring require an update to the system's security controls documentation, vulnerability documentation and risk documentation. This means the System Security Plan, together with the Risk Assessment Report, Security Assessment Report and POA&M, should be updated.


Copyright © 2023 · Author Pro on Genesis Framework · WordPress