
Brought to you by

ISBN: 978-1-118-77582-0
Not for resale

Continuous Monitoring

Open the book and find:

• Information on IT security and continuous monitoring basics

• Government agencies that assist the IT community with security

• Processes and controls that mitigate risks to your IT infrastructure

• Critical risk areas

• Continuous monitoring solutions and products

Continuous monitoring is a must for the security of your agency’s data and Information Technology infrastructure. This book discusses continuous monitoring and how this process will reduce your agency’s or department’s data and IT risks. You find out how to increase the security of your data and IT assets and infrastructure by using federal and industry best practices and solutions.

• Understand the risks — threats to your data and IT enterprise change constantly; understanding your environment and critical risk areas is key

• Understand the process — how an agency/department secures its data and IT environment is critical; implementing a process designed for public and private sectors boosts user and customer confidence in your agency’s/department’s ability to secure itself

• Understand the solution — manage your data and IT enterprise and meet government policies, audit, and reporting requirements with a viable, repeatable, tested process

Improve and maintain the security of your IT infrastructure!

Learn:

• About the continuous monitoring process and its benefits

• How to view risk management and security controls to improve IT security

• How to implement continuous monitoring

Dan Wilson, CISSP

Go to Dummies.com® for videos, step-by-step examples, how-to articles, or to shop!

Symantec and DLT Solutions Special Edition

Making Everything Easier!™


These materials are © 2014 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.


by Dan Wilson, CISSP

Continuous Monitoring

Symantec and DLT Solutions Special Edition



LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A PROFESSIONAL WHERE APPROPRIATE. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM.

Continuous Monitoring For Dummies®, Symantec and DLT Solutions Special Edition
Published by John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com

Copyright © 2014 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc., and may not be used without written permission. Symantec and the Symantec logo are registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. DLT Solutions is a trademark of DLT Solutions, LLC. Under the laws of the United States these trademarks may only be used with express written permission from Symantec and DLT Solutions, LLC respectively. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected].

ISBN 978-1-118-77582-0 (pbk); ISBN 978-1-118-77601-8 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Senior Project Editor: Zoë Wykes

Acquisitions Editor: Amy Fandrei

Editorial Manager: Rev Mengle

Business Development Representative: Sue Blessing

Custom Publishing Project Specialist: Michael Sullivan

Project Coordinator: Melissa Cossell

Technical reviewer from DLT: Elmars (Marty) Laksberg

Content contributor from Symantec: Kenneth Durbin



Table of Contents

Introduction ... 1
  About This Book ... 2
  Icons Used in This Book ... 2

Chapter 1: Security and Risk: The Basics for IT Systems ... 3
  Your Critical Assets ... 4
  Security Agencies and Departmental Foundations ... 5

Chapter 2: Risk Management and Continuous Monitoring ... 7
  Looking at Risk Management ... 7
  Understanding Continuous Monitoring ... 9
  Continuous Diagnostics and Mitigation ... 11
  Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) ... 12

Chapter 3: Implementing CM ... 13
  The Implementation Process ... 13
    Essentials in understanding CM ... 14
    Using the CAESARS architecture ... 15
  Risk Management and the CAESARS Subsystems ... 16
  The Benefits and Challenges ... 18

Chapter 4: Ten Things to Like about Continuous Monitoring ... 19



Continuous Monitoring For Dummies, Special Edition iv



Introduction

We live in interesting times. Some of you may view them as akin to an ancient Chinese curse, and some will view them as the inevitable and positive changes that great technologies bring to an uncertain world. Never before has so much information been available to so many people through so much media. On the flipside, never before have so many people revealed so much information about their personal and professional lives and associations. Almost everything we do and how we interact with the world has a foundation and a strong dependency on data and the technologies that manage it. Data and information security are really about making people, governments, and businesses secure so that we can transact the business of our lives. When you reduce it down to its core, you’ll see that creating and maintaining secure IT infrastructures is critical to your everyday living, now more than ever.

One way to secure that information is to use continuous monitoring — an important assessment process you can use to protect and manage your critical enterprise assets, infrastructures, and data. Continuous monitoring employs well-designed and tested methods, procedures, and automated tools that government agencies and businesses can use to detect, identify, and defend against the daily, near-continuous assault on enterprise assets, infrastructures, and data.

Protecting your infrastructure assets is a difficult and complex undertaking that agencies can’t do alone. Symantec is part of a community that works to create solutions on your behalf. Without these products and services, we all would be extremely vulnerable to the cyber attacks made by the same people who strive to make “living in interesting times” a curse rather than an opportunity.




About This Book

This book consists of four short chapters with the primary focus on dot.gov environments. Its purpose is to inform you about how you can make your enterprise infrastructure more secure by using the continuous monitoring process and solutions discussed within.

Icons Used in This Book

This book contains some helpful icons to identify information of special interest. Here’s what you can expect.

If you don’t take away anything else from any given section, do pay particular attention to this material.

This icon points out technical information that you don’t have to read, but it’s there for the taking.

Here, you find an interesting fact, a tidbit of information to help you understand something, or how to make something easier.



Chapter 1

Security and Risk: The Basics for IT Systems

In This Chapter

▶ Identifying IT assets

▶ Talking about security agencies and concepts

Today’s IT systems have never been more vulnerable. Every day it seems as though the media has a report about some government agency or commercial business being exploited or compromised, suffering from a distributed denial-of-service (DDoS) attack, or experiencing something far worse, like the damage and theft of sensitive information. The game, if one wants to call it that, has changed.

Threats range from the seemingly harmless curiosity seekers to professional criminal and military organizations that are trained, resourced, and experienced in assaulting a target’s IT infrastructure. The relentless targeting of federal and state agencies is alarming for sure, but the onslaught brought against the United States government’s IT infrastructure presents a serious danger to the country’s security and economy. This threat is getting serious attention in the media, and government budgets are directing more dollars toward cybersecurity — which is now widely viewed as one of the most important threats against our nation.

Luckily, for anyone managing IT systems and those who must manage these threats, intelligent and capable people are providing tools and solutions that enable us to meet these threats head on. This chapter talks about identifying the assets within your IT infrastructure and organizations that provide security assistance and are part of the continuous monitoring process.




Your Critical Assets

The United States federal, state, and municipal IT infrastructures maintain and manage vital, crucial assets. These crucial assets are what most, if not all, of our citizens rely on to keep our defense, judicial, and economic (to name a few) services and institutions running properly. These assets give our country a huge advantage over other competing nations — both friendly and unfriendly — in the world. Assuring that our citizens, elected officials, military, civil servants, and contractors have robust and reliable systems, and that they can manage data and information that meets the highest degree of integrity and reliability, goes a long way toward ensuring that our government can make informed decisions and function effectively. The assets that need to be monitored include

✓ Hardware: PCs, servers, network devices, smartphones, storage devices, removable media, memory sticks, cabling/fiber, printers, and monitors.

✓ Software: Operating systems, firmware, commercial applications, and government-developed custom applications.

✓ Services: In-house and vendor support services and skill sets that provide hardware and software updates and support. These services augment and support the IT infrastructure.

Be aware of the security practices and classification of any outside service the agency uses. If the vendor doesn’t meet the same or greater security standards and practices that are required by the agency, then that agency is placing itself at risk. For example, consider remote storage services that maintain the offsite backups of your data. Learn how the vendor protects your data. If possible, visit the vendor site that is providing the service and maintain a close professional relationship with their services and management team(s). Keep in mind that vulnerability in an external entity that an agency relies on can cause just as much damage as an in-house vulnerability.

The reality is that everyone, at all levels, should be conscious about our government’s IT infrastructure. That’s why assets should also include



✓ Personnel: An agency’s staff possesses knowledge, skill sets, and abilities that are extremely important to an organization’s IT security program. The amount of “care and feeding” that the agency provides to the staff can make the difference between success and failure in meeting and maintaining the required security posture.

✓ Culture: Developing and supporting an agency’s aggressive culture and attitude toward security is one of the most important goals on which IT management can focus.

If our critical infrastructure’s systems are poorly protected against an assault and our systems begin to fail, people will begin to lose confidence in them — which can lead to disruptions that will impact us all. That’s how critical and dependent we are on today’s IT infrastructure.

Security Agencies and Departmental Foundations

You need to be familiar with how certain agencies and departments implement risk management, of which continuous monitoring is key. Continuous monitoring focuses on activities such as identifying your IT infrastructure’s assets and performing configuration management and vulnerability management (see Chapter 3 for more detail). The following organizations define core concepts and practices that heavily influence and guide how public and private sector security professionals and vendors create and maintain resilient products, services, and ultimately highly secure and auditable IT infrastructures:

✓ National Institute of Standards and Technology (NIST): A non-regulatory federal agency within the U.S. Department of Commerce. NIST produces publications that are required to be used by federal and state agencies and departments. These standards are also used by the IT industry to promote better security and other services. Visit www.nist.gov.

✓ Defense Information Systems Agency (DISA): A combat support agency that serves the Department of Defense (DoD) and supports the DoD IT infrastructure. The agency also publishes documentation and guidelines for maintaining a secure IT infrastructure. DISA also initiates IT security audits to ensure that an organization is compliant. Visit their website at www.disa.mil.

✓ Department of Homeland Security (DHS): Publishes alerts and documents that help to secure the federal cybernetworks and assists in securing the overall cyberspace in which we operate. Go to www.dhs.gov for more about DHS.

In addition to the work performed and the guidance provided by these agencies, the Information Security Triad represents the goals for nearly all the efforts for achieving a resilient and secure IT infrastructure. The Triad forms the foundation for an agency’s policies, guidelines, and procedures. The Federal Information Security Management Act (FISMA) Public Law 107-347 provides the following definitions (see Figure 1-1):

✓ Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

✓ Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.

✓ Availability: Ensuring timely and reliable access to and use of information.

Figure 1-1: The CIA Triad identifies the core goals of IT security.

Information courtesy of John Manuel



Chapter 2

Risk Management and Continuous Monitoring

In This Chapter

▶ Institutionalizing risk management

▶ Taking a look at the continuous monitoring process

▶ Introducing CDM and CAESARS

Whether you do business in the private or public sector, you’re always exposed to some degree of risk — which in this book refers to the potential for loss of data, damage that human activities cause to your IT infrastructure and assets, system failure, or natural occurrences like good old Mother Nature. Through risk analysis, planning, and the use of mitigation processes and tools, you can go a long way toward managing the various and numerous risks to your data, IT infrastructure, and associated assets.

This chapter discusses some of these risks and how you can help to reduce them by using continuous monitoring.

Looking at Risk Management

Risks to your data and IT infrastructure come in many forms. Consider the following:

✓ Human factors, which can be as simple as losing a mobile device or laptop, creating an exposure to loss of sensitive data or an exploit into the system

✓ Physical damage due to storms or fires



✓ Loss of data and/or data corruption due to poor or non-existent policies

✓ Theft or corruption of data

✓ Normal equipment breakdowns

✓ Application errors caused by poor configuration or patch management that can render systems vulnerable to threats

Identifying data and enterprise IT assets and classifying the risks associated with each one is difficult. Even so, management must define their company’s security policies and guidelines. They must also cultivate a culture that follows the security procedures so that the organization is compliant and can function effectively if a risk event actually occurs.

The sooner the security and other IT management teams become aware of an adverse event that impacts the organization, the sooner they can address and mitigate the damage or the potential for damage.

Risk management must begin at the top. If senior management isn’t committed to creating the policies and providing the funding that supports a team of professionals to identify and implement sound policies, guidelines, and procedures, the entire business and enterprise IT infrastructure are at risk. Identifying potential risks and mitigating them must be taken seriously by everyone involved in managing the IT organization. Everyone must know that without fail senior management supports these policies and functions.

Here are a few important terms that you need to know in regard to risk management:

✓ Security policy. A security policy is basically a high-level document that states senior management’s goals and objectives for protecting business assets. Such a policy is more abstract than concrete and must be widely distributed because it helps to create and support a culture that makes security a priority.

✓ Security guidelines. These guidelines are recommendations. They appear in the form of white papers and what may be considered current industry and federal best practices.



✓ Security procedures. These are the details of how the organization meets the high-level security policies. Procedures tell you what to do to satisfy policy.

Management will likely have a business requirement that calls for all data to be stored securely. The security guideline recommends the use of encryption. The security procedure states that purchasing a product to accomplish this goal will satisfy the policy. Vendors market equipment that will encrypt your data prior to backing it up to remote storage media that gets stored offsite while it’s under the control of an external service. This feature allows your organization to have a higher degree of data protection and integrity. Vendors also market storage devices like SANs (Storage Area Networks) that will encrypt the data stored on the SAN. The data that resides or “rests” on the storage device is often referred to as data at rest and encrypting it will satisfy your agency’s or department’s security policy.

The dot.gov Top-Level Domain (TLD) is owned and managed by the United States General Services Administration. This domain is targeted for use by agencies within the United States government. The Department of Defense owns and uses the dot.mil TLD. Interestingly enough, government entities take advantage of other TLDs and use them for their websites. You can’t always assume that all federal, state, local, and military agencies will always use the TLD set aside for their organization. For example, the U.S. Army has a website called www.goarmy.com.

Understanding Continuous Monitoring

The everyday threats and changing technologies in the IT industry have necessitated major changes in how our military, federal, state, and local government agencies manage the risks to our IT infrastructure. Your role as IT users, managers, developers, and administrators requires that you deal with increasing amounts of data, complex algorithms and technologies, and a seemingly never-ending wave of threats and attempts at subverting your policies, procedures, and technical controls.



Never before has it been so critical to have well-designed systems and tried-and-tested security policies, procedures, and technical controls in place. The environment is just too complex and too large to manage all the assets within the IT infrastructure “by hand.”

Add to this the fact that the government is requiring more accountability and reporting by both government agencies and corporations, and that’s where continuous monitoring reveals its tremendous value.

NIST Special Publication 800-137 says this about continuous monitoring:

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organiza-tional risk management decisions.

Symantec offers continuous monitoring solutions that ease and reliably automate the heavy lifting involved in implementing the continuous monitoring process. Periodic monitoring of environments is no longer sustainable using ad hoc and inconsistent practices that do not account for dynamic changes in your IT and organizational priorities. Symantec’s continuous monitoring solutions move to fill the gaps in analysis by establishing reliable processes for collection, reporting, and system prioritization. Your staff likely has their hands full working with their customers’ needs, so picking a solution that is easily configured and reliably manages your IT infrastructure’s security needs will benefit your organization greatly.

Generally speaking, you take the following steps to implement continuous monitoring:

1. Define the strategy that meets your agency’s tolerance for risk.

2. Establish the criteria by which your agency will measure itself.

3. Implement your program by automating the collection, analyzing the data, and generating useful reports.



4. Analyze the information and determine what it’s telling you about your environment.

5. Respond to the results by mitigating, accepting, transferring, or avoiding/rejecting the risk findings.

6. Review and update the continuous monitoring process to meet the security policies and goals of your agency.

Continuous Diagnostics and Mitigation

The Continuous Diagnostics and Mitigation (CDM) program is a Department of Homeland Security (DHS) initiative to help protect the nation’s IT security infrastructure. DHS is responsible for securing unclassified federal civilian government networks; basically, it focuses on the dot.gov domain.

According to DHS, “The CDM program provides capabilities and tools that enable network administrators to know the state of their respective networks at any given time, understand the relative risks and threats, and help system personnel to identify and mitigate flaws at near-network speed.”

As of this writing, Congress has appropriated funds for dot.gov agencies to use the CDM program. Be sure to verify that your agency qualifies and can take advantage of the CDM program’s products, services, and solutions.

Per published DHS guidelines, the CDM process works as follows:

1. Agencies install and/or update their diagnostic sensors and the agency-installed sensors begin performing automated searches for known cyber flaws.

2. Results are fed into enterprise-level dashboards that produce customized reports, alerting IT managers to the most critical cyber risks, enabling them to readily identify which network security issues to address first, thus enhancing the overall security posture of agency networks.



3. Agencies can share progress reports that track results within and among agencies. They can also feed summary information into an enterprise-level dashboard to inform and prioritize ongoing cyber-risk assessments.

Visit www.gsa.gov/cdm or www.dhs.gov/cdm for further information.

Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS)

CAESARS is a reference architecture that is based on security automation standards and provides guidance to agencies implementing continuous monitoring within their IT infrastructures.

Agencies use CAESARS as a model to effectively implement continuous monitoring. The implementation consists of four subsystems: Sensor, Database, Presentation/Reporting, and Analysis/Risk Scoring.

Check out Chapter 3 for a deeper look at CAESARS.
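The CDM steps above (sensors scan, results flow to a dashboard that ranks the most critical risks first, summaries roll up across agencies) and the four CAESARS subsystems, modelled as one small pipeline. This is an added illustration, not code from the book, DHS, NIST or Symantec; the asset names, agencies, findings and scoring weights are all constructed for the example.

```python
"""Toy model of the CAESARS four-subsystem pipeline described in the text:
Sensor -> Database -> Analysis/Risk Scoring -> Presentation/Reporting.
Added illustration only; the scoring weights and all sample findings are
constructed for this example and do not come from DHS, NIST or the book."""
from collections import defaultdict
from dataclasses import dataclass


# --- Sensor subsystem: one record per automated check result ---------------
@dataclass(frozen=True)
class Finding:
    asset: str      # inventory id or hostname (constructed)
    agency: str     # owning agency (constructed)
    check: str      # e.g. "missing-patch", "weak-config", "unknown-asset"
    severity: str   # "critical" | "high" | "medium" | "low"
    age_days: int   # how long the flaw has been open


# Constructed sensor output; none of these hosts or flaws are real.
SENSOR_FEED = [
    Finding("web01", "agency-a", "missing-patch", "critical", 45),
    Finding("web01", "agency-a", "weak-config", "medium", 10),
    Finding("db02", "agency-a", "missing-patch", "high", 3),
    Finding("ws17", "agency-b", "unknown-asset", "high", 120),
    Finding("ws18", "agency-b", "weak-config", "low", 2),
]


# --- Database subsystem: normalized store keyed by asset -------------------
class FindingStore:
    def __init__(self):
        self._by_asset = defaultdict(list)

    def ingest(self, findings):
        """Load sensor records; repeated ingests accumulate (sensors re-scan)."""
        for f in findings:
            self._by_asset[f.asset].append(f)

    def assets(self):
        return dict(self._by_asset)


# --- Analysis / Risk Scoring subsystem -------------------------------------
# Constructed weights; a real program would derive these from its own risk
# tolerance (step 1 of the implementation steps in the text).
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


def score_finding(f):
    """Severity weight grown by open time: +1x per 30 days, capped at 90 days,
    so a flaw left unaddressed climbs the list even if its severity is lower."""
    age_factor = 1 + min(f.age_days, 90) / 30
    return SEVERITY_WEIGHT[f.severity] * age_factor


def score_assets(store):
    """Per-asset risk score: sum of its finding scores, rounded for display."""
    return {asset: round(sum(score_finding(f) for f in fs), 1)
            for asset, fs in store.assets().items()}


# --- Presentation / Reporting subsystem ------------------------------------
def prioritized_report(store):
    """Dashboard view: assets ordered so the riskiest is addressed first
    (CDM step 2 in the text)."""
    return sorted(score_assets(store).items(), key=lambda kv: kv[1], reverse=True)


def agency_summary(store):
    """Roll-up per agency for the enterprise-level dashboard (CDM step 3).
    Assumes every finding for an asset carries the same agency."""
    totals = defaultdict(float)
    for fs in store.assets().values():
        totals[fs[0].agency] += sum(score_finding(f) for f in fs)
    return {agency: round(total, 1) for agency, total in totals.items()}


def run_pipeline(feed=SENSOR_FEED):
    """Run all four subsystems over a sensor feed; returns (report, summary)."""
    store = FindingStore()
    store.ingest(feed)
    return prioritized_report(store), agency_summary(store)


if __name__ == "__main__":
    report, summary = run_pipeline()
    for asset, score in report:
        print(f"{asset:8} risk={score}")
    print("per agency:", summary)
```

Note that the 120-day-old "unknown-asset" finding on ws17 outranks a fresh high-severity patch gap: an asset nobody has inventoried stays unpatched indefinitely, which is why the text puts asset management first.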


Chapter 3

Implementing CM

In This Chapter

▶ Talking about the implementation process

▶ Looking at CAESARS subsystems and solutions

▶ Delving into the challenges and benefits of CM

As IT managers, users, and professionals, you deal with complexity on a daily basis. Establishing and maintaining the security of the IT infrastructure is one of the most important tasks you face. With the threat levels increasing daily, it’s getting more difficult to stay ahead of the bad guys. Symantec and DLT Solutions understand the importance of these threats and provide solutions that enable you to do just that.

This chapter discusses the continuous monitoring implementation process and some of the challenges and benefits involved in managing a secure IT infrastructure.

The Implementation Process

Chapter 2 introduces you to CAESARS, CDM, and the continuous monitoring process. Here, you get a little deeper look at the areas you need to focus on when implementing continuous monitoring.

NIST and DHS have identified three key areas where the focus needs to start so that organizations can begin to see where the IT infrastructure stands from an Asset, Configuration, and Vulnerability management standpoint. These are the key areas:


✓ Asset management is the first brick in the continuous monitoring foundation. You need to know what you have so that you can apply the correct patches and controls and understand the vulnerabilities associated with your assets.

✓ Configuration management allows you to identify assets and data that are outside of your compliance requirements.

✓ Vulnerability management identifies known vulnerabilities that will adversely affect the environment.

The Symantec Continuous Monitoring Solution provides customers with a process that guides an agency toward meeting its continuous monitoring requirement. Symantec’s Continuous Monitoring Solution provides federal government customers with capabilities that enable agencies to continuously monitor their data and IT environments and to take mitigating action to resolve vulnerable and out-of-compliance items. Their processes and product solutions assist federal agencies in meeting their responsibilities to build and maintain highly secure and auditable IT environments.

The United States federal government and other respected security organizations have identified controls (such as software or a procedure that’s put into place to reduce or remove a risk) that can help to mitigate the majority of any agency’s risks. These controls are what the IT teams implement to satisfy the requirements in the process. Think of it this way: At a higher level, the process tells you what you need in place to meet the organization’s security requirements. The controls are how you satisfy the steps in the process.

Essentials in understanding CM

According to the NISTIR (NIST Interagency Report) 7756 publication, “Continuous security monitoring is a risk management approach to Cybersecurity that maintains a picture of an organization’s security posture, provides visibility into assets, leverages use of automated data feeds, monitors effectiveness of security controls, and enables prioritization of remedies.” The goal is to monitor the IT infrastructure at the desired level of frequency that allows the security controls and risks to be assessed and analyzed sufficiently to protect the organization’s IT assets.


Continuous monitoring is a critical component in NIST’s Risk Management Framework (RMF). The RMF describes a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.

Situational awareness means that you have an understanding and a clear picture of what is actually going on around you, or in this case, the state of your IT infrastructure’s security posture and system status.

Using the CAESARS architecture

CAESARS is an architecture that agencies can reference to build and implement secure and auditable IT infrastructures, and it is an end-to-end integrated approach that yields numerous benefits. CAESARS allows an agency to:

✓ Assess the actual state of its IT assets

✓ Identify gaps between its current and desired security baseline

✓ Quantify the relative risk of each gap

✓ Provide scores that reflect the aggregate risks of each site and system

✓ Ensure that the responsibility for each system is correctly assigned

✓ Provide targeted information and reports for security and system managers to use in taking action to make critical changes

The federal government and highly respected security organizations (for example, NIST, DoD, and DHS) and vendors such as Symantec have generated numerous case studies, documents, and papers about security-related issues. This detailed information serves to keep you informed so that you, in turn, can keep your agency compliant, secure, and auditable. I suggest you stay up-to-date on the latest security issues by visiting your vendor’s website (for example, Symantec at www.symantec.com) and government websites like NIST (www.nist.gov), DHS (www.dhs.gov), and DoD (www.defense.gov).


Risk Management and the CAESARS Subsystems

The CAESARS architecture is an operating concept that is based on the NIST Risk Management Framework (RMF). The RMF is based on a six-step process that exists throughout the life cycle of the system. The six steps are: categorize the information system, select security controls, implement security controls, assess security controls, authorize information system, and monitor security controls. Because space is limited in this small book, check out NIST Special Publication 800-37 at www.nist.gov for the details.

The CAESARS reference architecture is intended to be customizable and to mesh within the six-step process. Within that architecture are four subsystems. Each subsystem contains functions and services that interact with the other subsystems. The technology in each subsystem can be built and/or purchased by the agency creating the system. Each subsystem can operate independently and function with the components in the other subsystems. The goal is to build a robust and modular system that will achieve the CM and security goals of the agency using the CAESARS architecture.

The following list goes into a bit more detail regarding the CAESARS subsystems. It also shows how Symantec’s products are used within each subsystem and how its technologies provide the actual services and functions that bring the CAESARS architecture to life.

✓ Sensors subsystem. Sensors can be both technical (automated) and human-based (you ask someone). The purpose of a sensor is to collect data from the entire IT infrastructure and pass that data upstream for analysis, reporting, and presentation. Symantec’s point products are Control Compliance Suite Standards Manager (CCS-SM), Symantec Endpoint Protection (SEP), Altiris, and Data Loss Prevention (DLP). CCS can facilitate data aggregation from both Symantec and third-party sources. Symantec’s CCS Asset Manager (CCS-AM) product employs questionnaires used to gather data from the human-based sensor.


✓ Data Repository subsystem. Data from all sensors needs to be aggregated into a single repository. Once aggregated, you can use the data to show compliance, ensure that the sensors are effective, send an alert on a security event, and pass it upstream for further analysis. Keep in mind that a person can be a sensor, too. Symantec’s CCS product has the capability to aggregate data from both Symantec and non-Symantec products. CCS-AM facilitates the data collection from non-technical sensors.

✓ Analysis/Risk Scoring, Presentation, and Reporting subsystems. These subsystem technologies contain the analytic tools and are used to identify discrepancies between the agency’s configuration baselines and the actual findings. In short, the risk-scoring component produces information about the configuration, compliance, and risks to which the agency’s platforms are exposed. The results of collecting, storing, analyzing, and scoring provide the information that is presented and reported to IT staff and management. The Presentation and Reporting subsystem must be flexible enough to support the various needs of those who consume this data, such as compliance reporting, executive-level reporting, and reporting for non-security situations. Symantec’s CCS product provides robust reporting and dashboarding capabilities.
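As an added illustration (not code from Symantec, NIST, or the CAESARS reference architecture itself), the following Python models the data flow through the four subsystems: constructed sensor readings are aggregated by the repository, scored as gaps against a desired baseline, and rolled up per system and per site, which is the gap-scoring sequence the “Using the CAESARS architecture” list describes. The host names, check names, severity weights, and the patch-lag scoring rule are all made-up assumptions.

```python
from collections import defaultdict

def rec(asset, system, site, sensor, check, value, ts):
    # One reading as the Sensors subsystem passes it upstream.
    return dict(asset=asset, system=system, site=site, sensor=sensor,
                check=check, value=value, ts=ts)

# Constructed findings from technical sensors (vuln-scan, config-check) and
# a human-based sensor (questionnaire); hosts, systems and values are made up.
SENSOR_FINDINGS = [
    rec("web01", "portal", "HQ", "vuln-scan", "patch-level", "2014-03", "2014-04-01T10:00"),
    rec("web01", "portal", "HQ", "config-check", "ssh-root-login", "yes", "2014-04-01T10:05"),
    rec("db01", "portal", "HQ", "vuln-scan", "patch-level", "2014-04", "2014-04-01T10:00"),
    rec("ws17", "hr", "Field", "questionnaire", "owner-assigned", "no", "2014-03-28T09:00"),
    # A newer answer to the same question supersedes the older one.
    rec("ws17", "hr", "Field", "questionnaire", "owner-assigned", "yes", "2014-04-02T09:00"),
    rec("ws17", "hr", "Field", "vuln-scan", "patch-level", "2014-01", "2014-04-01T10:00"),
]

# Desired security baseline (hypothetical): expected value and severity weight per check.
BASELINE = {
    "patch-level": {"expected": "2014-04", "weight": 10},
    "ssh-root-login": {"expected": "no", "weight": 7},
    "owner-assigned": {"expected": "yes", "weight": 3},
}

def aggregate(findings):
    """Data Repository: keep only the latest reading per (asset, check)."""
    latest = {}
    for f in findings:
        key = (f["asset"], f["check"])
        if key not in latest or f["ts"] > latest[key]["ts"]:
            latest[key] = f
    return list(latest.values())

def months_between(older, newer):
    (ya, ma), (yb, mb) = (map(int, s.split("-")) for s in (older, newer))
    return max(1, (yb - ya) * 12 + (mb - ma))

def score_gaps(repository, baseline):
    """Analysis/Risk Scoring: one scored gap per deviation from the baseline."""
    gaps = []
    for f in repository:
        rule = baseline.get(f["check"])
        if rule is None or f["value"] == rule["expected"]:
            continue  # compliant, or no baseline rule for this check
        # Assumed rule: patch lag scales the weight, one unit per month behind.
        lag = months_between(f["value"], rule["expected"]) if f["check"] == "patch-level" else 1
        gaps.append({**f, "score": rule["weight"] * lag})
    return gaps

def report(gaps):
    """Presentation/Reporting: aggregate risk per system and per site, worst first."""
    per_system, per_site = defaultdict(int), defaultdict(int)
    for g in gaps:
        per_system[g["system"]] += g["score"]
        per_site[g["site"]] += g["score"]
    rank = lambda d: sorted(d.items(), key=lambda kv: -kv[1])
    return {"gaps": sorted(gaps, key=lambda g: -g["score"]),
            "systems": rank(per_system), "sites": rank(per_site)}

def run_caesars(findings=SENSOR_FINDINGS, baseline=BASELINE):
    return report(score_gaps(aggregate(findings), baseline))
```

The returned report lists each gap with the sensor that found it, so a reviewer can see whether a finding came from an automated scanner or from a questionnaire answer.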

Regarding risk-based decision making, many types of consumers, ranging from system administrators to the Chief Information Officer (CIO) to possibly external compliance or auditing entities, need CM data. These consumers need to make decisions (especially those regarding effectiveness, efficiency, security, and compliance) based on a set of requirements. The CM architecture must provide the necessary information to make these decisions.

Symantec suggests that an agency take a holistic approach using the CAESARS architecture when planning, scoping, implementing, and maintaining its CM process. Agencies should resist the urge to narrowly focus on one or two subsystems, and instead, implement the process as a whole.


The Benefits and Challenges

Implementing continuous monitoring has tremendous benefits for your organization but, as with many good things, it has some challenges as well. Creating highly beneficial and secure systems is hard: it is complex and expensive, and it can take many man-hours to complete and maintain. In short, the CM process is a key component in managing an agency’s IT infrastructure and is an expensive asset that must be professionally built, managed, and protected.

It’s often said that if you don’t measure something, you’re not really managing it. Symantec’s Continuous Monitoring point product solutions make it possible to monitor and manage your entire IT infrastructure at all times while performing the necessary reporting that is mandated by your agency. CM allows an agency to determine whether it is secure and compliant with its applicable policies, and verifies that the assets are patched and systems are available to the user base and function according to the organization’s standards and baselines.

With any change, however, you’re bound to encounter obstacles. Here are some of the top challenges:

✓ Changing an agency’s culture to one that fully embraces the entire CM process can be difficult.

✓ Creating a baseline for all of those assets isn’t easy, and it takes time.

✓ Costs are always a factor and require management support for CM to succeed.

Continuous monitoring requires a great deal of understanding and planning before and during implementation. Don’t let that deter you, though. CM is a must-have and needs to be implemented fully for an agency to manage and secure its IT infrastructure against today’s complex and constant threats. If your agency already has a CM environment, make sure that it is secure, auditable, robust, and resilient by using the resources mentioned in this book. Management, and most importantly, your agency’s customers, will definitely appreciate your efforts.


Chapter 4

Ten Things to Like about Continuous Monitoring

In This Chapter

▶ Identifying the benefits of continuous monitoring

Maintaining and monitoring an organization’s enterprise security posture has its challenges — make no bones about it. There are more systems, more users, more data, and definitely more complexity involved in IT security than ever before. For private and public sector IT people, this environment makes for a very interesting day at the office.

This chapter lists ten key benefits of continuous monitoring (CM), which will go a long way toward easing your pain.

Continuous monitoring:

✓ Provides an automated process that can greatly increase the organization’s security posture.

✓ Provides the IT infrastructure staff and management with near real-time security information that can be acted upon according to the agency’s policies and standards.

✓ Reinforces a culture that focuses on security and empowers the staff to make informed decisions and to act in the interests of the agency and its customers.

✓ Is recognized and supported by numerous agencies and vendors. For example, agencies can use NIST’s reference architecture, CAESARS, to implement and maintain their CM process. The research, support, and solutions these agencies and vendors provide are critical to establishing and maintaining a highly secure IT infrastructure using CM.

✓ Enables IT management and staff to collect and analyze key data and report their agency’s security posture.

✓ Facilitates changes in management’s security policies so they can be quickly and securely implemented.

✓ Enables the IT staff to quickly respond to negative findings and remediate any faults and vulnerabilities discovered by the CM processes, enhancing an agency’s situational awareness regarding their IT infrastructure.

✓ Makes the IT infrastructure more easily auditable because asset information and metrics are maintained in a repository by the software.

✓ Allows your agency to share continuous monitoring data and reports with other agencies that have oversight responsibilities, such as the Department of Homeland Security.

✓ Exists as a component of Symantec’s Situational Awareness strategy of best practices. By focusing on the asset, configuration, and vulnerability management, Symantec can address the vast majority of risks to your IT infrastructure.

For an excellent source of information, visit Symantec’s website at www.symantec.com and search for continuous monitoring. You can also search the DHS and NIST websites (at www.dhs.gov and www.nist.gov) for documents on continuous monitoring, CAESARS, CDM, and other security-related topics.
