Secure Configuration Management (SCM)
Enclave Security: Secure Configuration Management (SCM)
David Hoon, DISA PEO-MA SCM PMO
Unclassified

The information provided in this briefing is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government.
Agenda
- SCM Introduction
- SCM Lifecycle
- SCM Objectives
- SCM Community Model
- Current Capability Framework
- Governance Model
- Capability Program Map
- NSA SCM R&D Focused Efforts
- SCM Programs: CMRS, DPMS, IAVM
Introduction
Security-focused Configuration Management (SecCM) is defined as: “the management and control of configurations for information systems to enable security and facilitate the management of information security risk.” (NIST SP )
PROGRAM OBJECTIVES:
- The DoD SCM Program is the integration and optimization of enterprise IA applications, tools, and data standards to support automated processes for risk management and near-real-time awareness.
- Enable Information System Monitoring as part of DoD’s Continuous Monitoring Strategy, supporting the initial data sets of assets, system configurations, and vulnerabilities (FISMA reporting requirements).
PROGRAM CAPABILITIES:
- Leverage inherent SCM capabilities used within CC/S/As.
- Provide pervasive enterprise capabilities and interfaced automated capabilities based on common data standards to enhance and accelerate the CC/S/As’ ability to:
  - Identify assets
  - Check system configuration compliance against policies and standards
  - Search for potential vulnerabilities
  - Act on known vulnerabilities for a known risk posture of systems/networks
  - Report status and share information with those that need to know
- Configure assets securely; maintain secure configurations; provide continuous situational awareness to the right people.
Why SCM?
The Enterprise Today:
- Difficult to maintain secure configurations: high level of effort, diminished return on investment
- Disparate IA tool sets: proprietary capabilities, disconnected and stand-alone configurations
- Manual reporting: resource intensive, slow, and limits trusted situational awareness
The Future Enterprise:
- Automated, end-to-end security compliance process
- Standardized and validated toolsets connected throughout the enterprise
- Continuous reporting to improve data integrity and validity

SCM Lifecycle
SCM Program Objectives
The SCM Program implements published standards, uses validated tools, and employs standardized interfaces to realize essential Secure Configuration capabilities.
- Standards: Secure Configuration Automation Protocol (SCAP), a NIST-developed, industry-adopted set of standards supporting interoperability and automated data exchange, extended to include standard data formats for reporting asset and summary information.
- Tools: Commercial-off-the-Shelf (COTS) and Government-off-the-Shelf (GOTS) tools validated as conforming to SCAP standards.
- Interfaces: Leverage SCAP and emerging standards (Asset Report Format (ARF) / ARF Summary Report (ASR)) to distribute asset data by defining the data input and output formats for SCAP-validated tools.
- Capabilities: Content/Policy development; Asset Inventory/Discovery; Security State Analysis/Risk Assessment; and Risk Mitigation.
SCM OV-1
Near-Term SCM Capability Framework
Automated STIGs
Automated STIG & IAVM Benchmarks (with OVAL) available:
- Windows XP
- Windows Vista
- Windows 2003 Domain Controller & Member Server
- Windows 2008 Domain Controller & Member Server
- Windows 7
- Windows 2008 R2
- Red Hat 5
- Solaris 9 (x86 and SPARC)
- Solaris 10 (x86 and SPARC)
- HP-UX 11.23
- HP-UX 11.31
- AIX 5.3
- AIX 6.1
- Windows IAVM 2009, 2010, 2011, 2012 *
- IE8
- IE9
* PKI restricted
SCM Governance Model
- ESSG
- CCWG
- OWG – SCM (CSIP, IAVM, Continuous Monitoring, Risk Scoring, C&A, Mission Assurance)
- TWG: Network Scanning, Network Mapping, Continuous Monitoring, Risk Scoring, Policy and Remediation
- Enterprise Acquisition Approval
- Enterprise Capability Release Board
- SCM CCB
- Program CCB
SCM Capability Map
SCM Program Overlay
SCM R&D FOCUS AREAS (FY13 - FY17)
SCM in Mobile Environment: Develop SCM capabilities for mobile and wireless devices.
- Mobile Device Manager
- Dynamic Policy Generation (supports BYOD)
- Mobile Application Store
Automated Remediation: Develop remediation policies allowing centralized control and decentralized execution of remediation.
- COTS Remediation Tools
- Remediation Standard
- Group Policy Fixes
- Policy-Driven Automated Course-of-Action (ACoA)
Collect Configuration Data from Human Sensors: Develop automated capabilities to collect IT asset and configuration-relevant data from human sensors (i.e., Open Checklist Interactive Language/OCIL, part of the SCAP protocol suite).
- Certification and Accreditation
- Non-Automated STIG Checks
- Training
- CCRI (Command Cyber Readiness Inspection) / CSIP (Cyber Security Inspection Process)
SCM in a Virtualized Environment: Develop SCM capabilities for non-persistent and persistent IT virtualization environments.
- Hypervisor
- Virtual Desktop Environment
- Streaming Application Server
The focus areas above were determined through the SCM POM process for R&D. The focus portion shows the major technology areas where the efforts will concentrate for FY13-FY17. An overview of the focus areas’ five-year roadmap is covered in the SCM 5 Year Strategy Document, and an overview of the FY13 plans for each focus area is covered in each SCM Focus Area Project Plan. The focus areas are: SCM in Mobile Environment; Automated Remediation; Collect Configuration Data from Human Sensors; SCM in Virtualized Environment.
SCM in Mobility: Progress & Way Forward
FY13:
- Market Analysis of MDM / MAS
- COTS Tool Evaluation and Testing (MDM/MAS)
- Standards development for mobile assessment (OVAL)
- Standards-based compliance scanning of mobile devices
- Integration with TNC concepts
- Dynamic Policy Generation (supports BYOD)
- Integration of MDM with Continuous Monitoring Solution
FY12 Completed:
- Combined Baseline Criteria for Mobile Device Manager (MDM)
- MDM Tool Qualitative Market Analysis
- Policy and Configuration Guidance Market Analysis
- CONOP for SCM in Mobile Environment
- MDM Security Capability Assessment
- MDM-SCAP Middleware Application
Above is the major progress made in FY12 and the planned activities for FY13 for SCM in a Mobile Environment.
Automated Remediation: Progress & Way Forward
FY13:
- Aggregated automated remediation requirements
- Automated Remediation CONOP
- Market Analysis and evaluation of Remediation COTS tools
- Support further refinement of Remediation standards
- Create Remediation content to support automated remediation
- Refine STIG and IAVM automated remediation approach
- Integrate Remediation Content into DISA Digital Policy Management System
- Remediation Event Management capability
- Support Proof of Concept of Automated Remediation course of action
FY12:
- Work with NIST on Remediation standard development (CRE & ERI)
- Work with SPAWAR on the development of the SPAWAR Remediation Tool
Above is the major progress made in FY12 and the planned activities for FY13 for Automated Remediation.
Automated Human Sensor: Progress & Way Forward
SCAP Protocol: OCIL (Open Checklist Interactive Language)
FY13:
- Market Analysis of current COTS tools that leverage the OCIL data standard
- CONOP for OCIL to support C&A, STIG Compliance, Training, and CSIP Use Cases
- Draft requirements for Enterprise OCIL solution
- Create OCIL content to support identified use cases
- Provide input to OCIL 3.0 standard
- Pilot for using OCIL for C&A
- Pilot for using OCIL for CCRI/CSIP
- Pilot for using OCIL for STIG Compliance
FY12:
- OCIL Content for Windows 7
- Lessons Learned for OCIL reference implementation
- Input to OCIL 2.0 standard
- Pilot with Telos tool using OCIL
Above is the major progress made in FY12 and the planned activities for FY13 for Automated Human Sensor.
SCM in Virtualization: Progress & Way Forward
FY13:
- Complete Virtualization Pilot
  - Final SCM Use Case Execution
  - Gap Analysis Report
  - Recommendations Paper for DISA
- Hypervisor Scanning Capability
  - STIG/SRG
  - Market Analysis of Tools
  - SCAP content
  - Standards updates (ARF/ASR)
  - Operational Prototype in Lab
- Non-Persistent Desktop Scanning Capability
  - Approach to scanning non-persistent desktops/templates
  - Operational Prototype in Lab
FY12:
- Collaborate with DISA and CYBERCOMMAND to derive test cases for evaluating the security of virtual environments
- Procure and Establish Virtualization Pilot Lab
- Configure NSA IT Efficiencies Environment in Lab
- Install current DISA SCM Tools in Lab
- Execute test cases to determine security gaps with current DISA tools
- Recommend approaches to resolve security gaps
Uses NSA’s IT Efficiency Environment, which is representative of the DoD IT Efficiency environment, and tests current DISA tools to determine gaps.
SCM Programs
- ACAS
- CMRS/PRSM
- DPMS
- IAVM Service
- VMS
- STIG Maintenance
- Patch Repository
- Severity Scoring
- eMASS
- ENMLDS
- HBSS Policy Auditor
- OAM
- APS
- ACCM
- Remediation Manager
- VMS
CMRS Technology Stack (26 October 2010)
CMRS Enterprise – End State
DPMS System View
What is Digital Policy Management Service?
- Author validated machine-readable content
- Search for and modify/copy already-created content
- Content distribution capability (Machine-to-Machine (M2M), versioning), based on signatures: Marines get Marines-signed content, Navy gets Navy-signed content, everyone gets Authoritative content
- Collaboration: content sharing / learning (e.g., patch testing reciprocity). Army can share custom content with Navy; Navy can share custom content with Marines; CYBERCOM can share content with everyone
Authoritative Sources of Content
Authoritative sources need to create content as well as validate content created by other sources (Army, Navy, etc.). Content validated/signed by the respective Authoritative source should be scored differently in the Enterprise Risk Scoring (ERS) capability.
Types of Content:
- SCAP Content
- STIG (CCE) (FSO)
- IAVM (FSO & CYBERCOM)
- Malware (MAEC) (CYBERCOM)
- Custom HIPS, AV & other remediation (CYBERCOM)
IAVM System Overview
- Automates USCYBERCOM vulnerability scoring and policy generation processes
- Includes CVSS-compliant scoring engine
- Provides real-time interfaces with Symantec DeepSight, NVD, and VMS
- Supports SCAP standards including CVE, CVSS, and CPE
Benefits include:
- Decreased window of exposure, by reducing the time required to assess and score vulnerabilities and to generate and distribute the IAVM policy content
- More accurate scoring through application of CVSS standards and a collaborative scoring process
System is live! June 2012
IAVM System CONOPS
IAVM System Capabilities
Primary System Capabilities:
- PKI authentication & access control
- Symantec DeepSight web service data feeds for real-time vulnerability info
- Vulnerability analyst workspace/dashboard
- Pre-populated IAVM template and workflow
- SCAP-compliant CVSS vulnerability scoring engine
- Web-based pre-coord collaboration area to capture and track feedback
- Enhanced search: ability to search across current and historical IAVMs using multiple parameters
QUESTIONS
SCM PMO: disa.meade.peo-ma.list.scm-pmo@mail.mil