Embed Size (px)
Citation preview
CND Data Strategy and Security Configuration Management
SEP 2008
Agenda• CND Data Strategy Pilot
• Build to Architecture/ProjectsEnterprise-w
ide Configuration
Data Collection Tools
Net-Centric
Transformation
Commercially A
vailable
Vulnerability &
Config
Assessment S
tandards
Automated Net-Centric
Compliance Reporting &
Configuration Management
Some SCAP Uses
• Vulnerability assessments (OVAL/CVE)
• Assess IAVA (patch) compliance (OVAL)
• Validate host level CTO implementation (OVAL/CCE/CPE)
• Search for artifacts indicating malicious activity
(XCCDF/OVAL)
• Collect software inventories (CPE)
• Perform automated C&A validation (XCCDF/OVAL/CCE/CPE)
• Verify correct application of security checklists
(XCCDF/OVAL/CCE/CPE)
• Assess user permissions and roles (XCCDF/OVAL)
CND Data Strategy Pilot
CND Data Strategy Pilot
Phase I & II
• Phase I of the CND Pilot will provide a DoD Service Oriented Architecture that enables the correlation of Asset data, Event data, DoD Policy and Security Content Automation Program (SCAP) vulnerability data.
• Phase II of the CND Pilot will add Incident, Certification and Accreditation information, Enterprise Service Management functionality, transition to select Net Centric Enterprise Services functionality, and incorporate additional asset, vulnerability, Event data.
Vulnerability WS Asset WS Event WSIAVM WS
CND User & Agent
EventAssetPolicyNVD
Service Discovery
CND Portal
Geocoding WS
Web Mapping WS
CVE CVE –– Software VulnerabilitySoftware Vulnerability CVE CVE -- EventsEvents
5
43
1
2
IAVM IAVM -- PolicyPolicy
CPE CPE –– Asset DescriptionAsset Description6
Vulnerabilities
DoD PolicyIT Assets
Events
Commercial Partners
Operating and Application
System, Vulnerability Scanners,
Asset Management vendors, etc….
Enterprise Tools
CVE CVE –– Software VulnerabilitySoftware Vulnerability
CVE CVE –– Software VulnerabilitySoftware Vulnerability
User Interface
What type of vulnerabilities?
How many assets affected?
Where are they located?
What patches and
guidance are available?
Notional Data
SCAP Evolution
• Fill gaps in existing SCAP CM standards
– Remediation language – link weak configurations
& vulnerabilities to standard remedies
– SCAP interfaces – automate assessment policies
& results sharing between SCAP tools
• Expand into AS&W and Risk Management
– Event and Incident sharing standards
– Network & Risk standards
Build-to Architecture/Projects
Tier 3
Base/Post/
Camp/Station
Host
ePO
Server
Tier 2
CC/S/A
Tier 1
DoD
Sys Admin
NIPRNet
HBSS Common Management Agent
HIPS
Module
Anti-Virus
Module
Assets
2500
INFOCON
Module
Active
Vulnerability
Scanner
T2
Asset Data
Repository
Rootkit
Detection
and
Eradication
Spyware
Module
FY09+ Modules Existing Modules
Others
CC/S/A FDCC exceptions,
CC/S/A Prohibited SW List,
Local INFOCON, IAVM
Supplement
ePO
ServerSCAP
Content
DoD
Config
Repository
VMS Configuration Management Repository
SCAP Content Generation
Configuration
Testbed
Configuration
Download/Generation
DoD FDCC exceptions
DoD Prohibited SW List
STIG, Patch, INFOCON
SCAP
Content
CC/S/A
Config
Repository
CC/S/A Configuration Management Repository
SCAP Content
Generation
ConfigurationTestbed
ConfigurationDownload/
Generation
T2 (Proxy)
Asset
Data
Repository
FDCC, SOX, FISMA,
HIPAA, Vendor Configs
National Vulnerability Database
Federal SCAP
Content
CCE/
CVE FeedsFederal Config
Repository
CND Capability To Be
Developed Under
Other initiatives
CM Capability
Existing Capability
Patches
Vendors
Asset Mgmt
Web Service
HBSS Host Management
ConsoleINFOCON
Manager
AV
Manager
HIPS
Manager
Spyware
Manager
Rootkit
Manager
Enhanced Configuration
Management and Computer Network
Defense
CIAC
OMB
NSA SecurityGuides DISA STIGS
Oversight Policy Sources & Configuration
Content For Secure Asset Configuration
Asset data
Asset data
Asset Configuration
Manager
Asset
Configuration
Compliance
Asset
Configuration
Modification
Module(s)
Asset
data
Co
nfig
con
ten
t
T2
Asset
Management
Asset data
Asset data
Passive
Network
Scanner
Unclassified
Tier 3
Base/Post/
Camp/Station
Host
ePO
Server
Tier 2
CC/S/A
Tier 1
DoD
Sys Admin
NIPRNet
VMS
Tier 2 CND
Service Provider
CD
ES
(
for
CM
)
En
terp
rise W
eb
Serv
ices B
us
SIPRNet
UDOP
Tier 1
HBSS Common Management Agent
HIPS
Module
Anti-Virus
Module
Assets
2500
INFOCON
Module
Active
Vulnerability
Scanner
(e.g., STAT,
ISS, SCCVI)
T2
Asset Data
Repository
Rootkit
Detection
and
Eradication
Spyware
Module
FY09+ Modules Existing Modules
Others
CC/S/A FDCC exceptions,
CC/S/A Prohibited SW List,
Local INFOCON, IAVM
Supplement
ePO
ServerSCAP
Content
DoD
Config
Repository
VMS Configuration Management Repository
SCAP Content Generation
Configuration
Testbed
Configuration
Download/Generation
DoD FDCC exceptions
DoD Prohibited SW List
STIG, Patch, INFOCON
SCAP
Content
CC/S/A
Config
Repository
CC/S/A Configuration Management Repository
SCAP Content
Generation
ConfigurationTestbed
ConfigurationDownload/
Generation
T2 (Proxy)
Asset
Data
Repository
T1
Aggregated
Asset
Data
Repository
FDCC, SOX, FISMA,
HIPAA, Vendor Configs
National Vulnerability Database
Federal SCAP
Content
CCE/
CVE FeedsFederal Config
Repository
CND Capability To Be
Developed Under
Other initiatives
CM Capability
Existing Capability
Patches
Vendors
optional
IAVM Publishing/
Reporting
Web Service
Asset Mgmt
Web Service
HBSS Host Management
ConsoleINFOCON
Manager
AV
Manager
HIPS
Manager
Spyware
Manager
Rootkit
Manager
Asset Mgmt
Web Service
JTF-GNO/NetDefense
JTF-GNO/
NetDefense
Enhanced Configuration
Management and Computer Network
Defense
CIAC
OMB
NSA SecurityGuides DISA STIGS
Oversight Policy Sources & Configuration
Content For Secure Asset Configuration
Asset data
Asset data
Asset Configuration
Manager
Asset
Configuration
Compliance
Asset
Configuration
Modification
Module(s)
Asset
data
Co
nfig
con
ten
t
T2
Asset
Management
Optional flow
Asset data
En
terp
rise W
eb
Serv
ices B
us
Asset data
Asset data
National Vulnerability Database (NVD) Redesign
NIST
How We Plan to Build
It
Vulnerability Management System (VMS) Redesign
DISA
Asset Configuration Compliance Module (ACCM)Enterprise Solutions Steering Group (ESSG)
Small Agency Pilot
NSA/ASD NII
IAVM
BusinessProcess
Re-engineering
ASD/NIICND UDOP
Enterprise Service Bus
(ESB)/ Cross
Domain
Solution (CDS)
DISA
Asset DataRepository
Development
DISA
Asset DataRepository
DevelopmentDISA
Passive
Network
Scanner
(e.g., Trickler)
SCCVIRecompete
ESSG
QDR
TricklerDISA/NSA
SCAP Standards Development
SCAP Standards Development
MITRE/NSA
SCAP Standards
DevelopmentMITRE/NSA
SCAP Standards DevelopmentMITRE/NSA
SCAP
Standards DevelopmentMITRE/NSA
SCAP Standards
CND Data Strategy PilotASD NII
External
Event Data
Navy
Tier 3
(Base/Post/Camp/Station)
Hos
t CommercialConfiguration Management
Agent (CMA)ConfigurationCompliance
SCAP
Configuration
Implementation
Asset
ManagementVuln
DB
Mis-Config
DB
AssetDB
ConfigurationControl
CommercialConfiguration Central Manager (CCM)
SCAP
Proprietary
Proprietary
ePOServer
Tier 2 Agency Configuration
Repository
SCAP
Content Generation& Test
Tier 1 DoD Configuration
Repository
Agency
SCAP
Content
CC/S/A FDCC exceptions
CC/S/A Prohibited SW List
Local INFOCON
IAVM Supplement
Vendors
DoD FDCC exceptions
DoD Prohibited SW List
STIG, Patch, INFOCON
Compliance Reporting &Asset Data
National VulnerabilityDatabase Federal SCAP
ContentCCE/
CVE Feeds
Asset
Configuration
ManagementSCAP Small Agency
Scope
Spiral 1 Increment 1
Patches
Sys Admin
NIPRNet
Common Management
Agent
ePO
Server
HIPS
Module
Anti-Virus
Module
Assets2500
INFOCON
Module
Capability To Be
Developed Under
Other initiatives
Pilot Capability
Existing Capability
DoD SCAPContent
Tier 3
(Base/Post/Camp/Station)
CCM
ePOServer
Tier 2
Agency Configuration
Repository
Tier 1 DoD Configuration
Repository
Vendors
National VulnerabilityDatabase Federal SCAP
ContentCCE/
CVE Feeds
Patches
Sys Admin
NIPRNet
DoD SCAPContent
Host
Hos
t
Queries for H/W & S/W CPE &CCE
What is my hardware
and software inventory?
CMA
Collects hardware & softwareCPE & CCE
1
0.1
3 6
5
Enters operational attributes(role/function/AOR)
Inventory query
Disseminates OVAL tests for
other attributes
Agency
SCAP
Content
Downloads OVAL definitions for
attributes (e.g., IP/MAC addresses)
2
Runs OVAL tests for
other attributes
Collects OVAL results for
Patch test
Provides unified view
4
Tier 3
(Base/Post/Camp/Station)
CCM
ePOServer
Tier 2
Agency Configuration
Repository
Tier 1 DoD Configuration
Repository
Vendors
National VulnerabilityDatabase Federal SCAP
ContentCCE/
CVE Feeds
Patches
Sys Admin
NIPRNet
DoD SCAPContent
Host
Hos
t
Analyzes results
IP address 192.168-0.0 vulnerableto CVE 2007-0940
IP address 192.168-252.0 not vulnerableto CVE 2007-0940
44 boxes
How many of the
Agency’s 100 boxes are impacted by this new vulnerability?
CMA
Runs OVAL tests
If capicom is installed andCapcom.dll exists and
Microsoft Windows
New Microsoft Windows 2000
Vulnerability discovered
NVD verifies vulnerability and
provides standard enumeration (CVE)
CVE data feed
12
3
4
57
10
11
9
Agency
SCAP
Content
Downloads SCAP definition/tests
CVE 2007-0940: Remote attacksexecute arbitrary code on Windows 2000
6
Downloads CVE 2007-0940
And OVAL definition
8
Disseminates CVE 2007-0940And OVAL definition
Collects OVAL results for
CVE 2007-0940
Tier 3
(Base/Post/Camp/Station)
CCM
ePOServer
Tier 2
Agency
ConfigurationRepository
Tier 1 DoD Configuration
Repository
Vendors
National VulnerabilityDatabase Federal SCAP
ContentCCE/
CVE Feeds
Patches
Sys Admin
NIPRNet
DoD SCAPContent
Host
Hos
t
Downloads DoD FDCC SCAP
checklistAnalyzes results
IP address 172.16. three settingsnot compliant
IP address 172.24. three settingsnot compliant 10 boxes not compliant
Are my Agency’s 100
boxes still compliant with the DoD FDCC installed last week?
CMA
Runs FDCC OVAL tests in checklist• account lockout duration setting
• account lockout threshold setting• password length setting
• etc
NVD specifies FDCC and
FDCC SCAP checklist0.1
2
3
1
6
4
DoD takes exceptions to FDCCAnd generates DoD FDCC and DoD FDCC SCAP checklist
0.2
Disseminates DoD FDCC SCAPChecklist to hosts
Host installs DoD FDCC
0.3
5Collects OVAL results for
DoD FDCC Checklist
Agency
SCAP
Content
Tier 3
(Base/Post/Camp/Station)
CCM
ePOServer
Tier 2
Agency Configuration
Repository
Tier 1 DoD Configuration
Repository
Vendors
National VulnerabilityDatabase Federal SCAP
ContentCCE/
CVE Feeds
Patches
Sys Admin
NIPRNet
DoD SCAPContent
Host
Hos
t
Downloads IAVA and OVAL definitionsAnalyzes results:
• IP address 169.254.01 patch installed• IP address 169.254.02 patch installed
• etc All boxes IAVA compliant
Are the Agency’s 100
boxes compliant with all applicable IAVAs?
CMA
Runs OVAL testst
• Patch kb834707 is installed
4 3
5
8
6
JTF-GNO issues IAVA; Writes OVALDefinitions for how to confirm patch has
been applied (e.g., Patch kb834707 is installed)
1
2Receives IAVA and OVAL definitions
Disseminates IAVA OVAL definitions5Collects OVAL results for
Patch test
Agency
SCAP
Content
Summary• Combining data strategy and configuration
management infrastructure to build an
enterprise capability
– Convert existing content and standards to
machine readable format
– Build local, component, and enterprise SA
security configuration
– Standards-based to support scalability and
vendor neutrality in the future
Backup Slides
XC
CD
F
Federal/Industry
Baseline Config
Policy Audit
FDCC
FISMA
HIPAA
SOX
Vendor Configs
Other best practice
XC
CD
F
DoD
Configuration
Policy AuditIAVM
CTO
STIG
DoD FDCC exceptions
Patch
DoD Allowed/Prohibited SW List
INFOCON
I&W Collection
XC
CD
F
CC/S/A
Configuration
Policy Audit
Enterprise Licensing
Local INFOCON
CC/S/A FDCC exceptions
IAVM Supplements
IAVM Exceptions
CC/S/A Allowed/Prohibited SW List
Comprehensive
Audit Policy
•OVAL
•CPE
•CVE
•CCI
•CCE
