Returning to HWAM, SWAM, CSM, and VULN
March 23, 2017, 12:00 pm – 1:00 pm EST
A CDM LEARNING COMMUNITY EVENT
THE MARCH CDM WEBINAR: RETURNING TO HWAM, SWAM, CSM, AND VULN
2
Today’s Webinar Goals
Provide CDM community with PMO and agency Phase 1 implementation perspectives
Answer all audience questions during the allotted question and answer time
Agency panelists will answer these questions:
► Where is your agency in Phase 1 implementation?
► What was your agency’s Information Security Continuous Monitoring (ISCM) program maturity before implementation?
► What are the top two or three implementation takeaways you want to highlight (e.g., lessons learned, challenges, successes/enhancements)?
Today’s Panelist: Dan Frantz, CDM Program Manager, Social Security Administration (SSA)
► CDM Program Manager at SSA, overseeing CDM Phase 1 and 2 implementation
► At SSA since 2012, working with CDM data and Federal Information Security Modernization Act (FISMA) reporting integration and automation
► In information technology (IT) since 1998, specialties include server and network administration, security infrastructure management, security information and event management, intrusion detection and incident response, tier 3 security engineering
Today’s Panelist: Marian Cody, Senior IT Portfolio Manager, U.S. Department of Housing and Urban Development (HUD), recently retired
► 28 years at HUD; HUD’s primary point of contact (POC) for Department of Homeland Security (DHS) CDM Program
► Participated in Group E Continuous Monitoring as a Service (CMaaS) acquisition process
► Designed, developed HUD’s CDM program
► Managed HUD’s Phase 1 implementation
► Served as Chief Information Security Officer (CISO) at HUD and U.S. Environmental Protection Agency (EPA)
Today’s Panelist: Kris Caylor, Chief, Strategic and Capital Planning & Portfolio Management Branch, Department of the Interior (DOI)
► Joined DOI, Office of the Chief Information Officer (OCIO), Office of Information Assurance (OIA) staff in 2006 as an IT Security Manager
► Enterprise Vulnerability Manager for Cybersecurity Operations team, including all Enterprise Continuous Monitoring tools
► 16 years U.S. Navy active duty as both enlisted and officer
► Transitioned to Navy Reserves in 2006, retiring with combined 27 years of military service in May
Today’s Panelist: Matthew Hartman, Deputy CDM Program Manager, DHS
► Technical POC for CDM Blanket Purchase Agreement (BPA) and CDM Dashboard contract
► CDM Program Manager (Acting) from June 2016 to January 2017
► Project Manager for CDM Program’s first delivery order and Task Order 2A and 2E
► National Protection and Programs Directorate (NPPD) OCIO liaison to the Office of Infrastructure Protection
SSA CDM Status
Currently, we are an estimated 75% through Phase 1 implementation. ForeScout deployed and detecting assets, re-using SCCM 2012 for SWAM and CSM, and Nessus for VULN.
The SSA started continuous monitoring efforts before August 2012.
Initial work was to identify all security tools and what NIST 800-53 controls they supported or supplied data.
Identified controls that could be automated based on P1 controls, ease of automation, and benefit in automating FISMA reporting / CyberScope reporting.
Ingested that data into Splunk, creating control-specific dashboards (Ex. RA-05, CM-08, IR-06, IA-02), and continuously improved our methodology on those controls, while evaluating further controls to automate.
Lessons learned: 1) Identify and educate stakeholders sooner. 2) Build it, then build it better.
Returning to HWAM, SWAM, CSM and VULN: An Early Adopter’s Experience at HUD
Status: Combination O&M and Planned
ISCM Status:
► Program established for Phase 1 capabilities
► Mature HWAM/CSM
► Active vulnerability management
► Immature SWAM
Lessons:
► Obtain and sustain management support
► Leverage what you are already doing and scope the project to allow success – starting small and iteratively expanding to cover the entire environment
► Data reconciliation across tools/sensors
► Learn from others – share lessons learned
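The SSA slide (map each tool to the controls it feeds, then build control dashboards) and the HUD lesson on reconciling data across tools/sensors both come down to the same Phase 1 join: what the network sensor sees versus what the management agent and the scanner know about. The example below is added here and is not code from the webinar or from any of the agencies; it joins constructed ForeScout-, SCCM- and Nessus-style exports on hostname and lists the gap each capability would flag (HWAM host with no agent, stale inventory record, host without a recent credentialed scan, host failing its baseline). The field names, hostnames and dates are assumptions.

```python
from datetime import date

# Constructed sample exports (not real agency data); one record per host.
FORESCOUT = [  # HWAM: every device observed on the network
    {"host": "WS-1001.agency.gov", "ip": "10.1.1.10"},
    {"host": "ws-1002.agency.gov", "ip": "10.1.1.11"},
    {"host": "SRV-DB01.agency.gov", "ip": "10.1.2.5"},
    {"host": "printer-07", "ip": "10.1.1.200"},
]
SCCM = [  # SWAM/CSM: hosts with a management agent and a baseline result
    {"host": "WS-1001.agency.gov", "baseline_compliant": True},
    {"host": "WS-1002.agency.gov", "baseline_compliant": False},
    {"host": "SRV-OLD99.agency.gov", "baseline_compliant": True},
]
NESSUS = [  # VULN: date of the last credentialed scan per host
    {"host": "ws-1001.agency.gov", "last_scan": "2017-03-20"},
    {"host": "srv-db01.agency.gov", "last_scan": "2017-01-15"},
]


def norm(name):
    """Sensors disagree on case and whitespace; compare lower-cased names."""
    return name.strip().lower()


def reconcile(today, max_scan_age_days=30):
    """Join the three inventories on hostname; return the gaps each capability flags."""
    ref = date.fromisoformat(today)
    seen = {norm(r["host"]) for r in FORESCOUT}
    managed = {norm(r["host"]): r for r in SCCM}
    scanned = {norm(r["host"]): date.fromisoformat(r["last_scan"]) for r in NESSUS}
    return {
        # On the wire but no agent: SWAM/CSM blind spot (CM-08 inventory gap)
        "unmanaged": sorted(seen - set(managed)),
        # Agent record but never observed on the network: stale inventory entry
        "stale_inventory": sorted(set(managed) - seen),
        # Live host with no recent credentialed scan: RA-05 coverage gap
        "unscanned": sorted(h for h in seen if h not in scanned
                            or (ref - scanned[h]).days > max_scan_age_days),
        # Managed, live, and failing its configuration baseline
        "noncompliant": sorted(h for h, r in managed.items()
                               if h in seen and not r["baseline_compliant"]),
    }


if __name__ == "__main__":
    for gap, hosts in reconcile("2017-03-23").items():
        print(f"{gap:16} {hosts}")
```

Each list maps directly onto one dashboard panel per control; the same join, run daily against real exports, is what keeps the CM-08 and RA-05 figures current rather than point-in-time.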
Department of the Interior - CDM Phase 1
Current Phase 1 implementation status:
● BigFix, McAfee Vulnerability Manager/Tenable, and ForeScout installed
● RES core installed but on hold due to RES vuln issues
● Splunk and RSA Archer installed and being configured
● 1st renewal of DHS provided BigFix licenses completed
Pre-CDM Phase 1 status:
● McAfee Vulnerability Manager/Tenable fully deployed
● BigFix deployed to approximately one third of DOI
Key takeaways:
● Governance is hard, but crucial to the success of CDM
○ Enterprise-wide governance approved for HWAM, CSM and VULN
● BigFix licensing costs were higher than expected
CDM Program Successes to Date
► 75 agencies have signed MOAs with CDM PMO
– 23 CFO Act Agencies participate in CDM
– 52 smaller Agencies participate or will participate in current/future CDM Shared Services
► Key successes to date:
– During asset discovery, developed a stronger understanding of the asset counts in the agencies to secure against the threat.
– Deploying sensors to all CFO Act Agencies.
– Increased standardization of security tools and began deployment of agency dashboards to automate reporting and keep the data current.
– Achieved increased savings (~$600M) through the consolidation of tool purchases reflecting a 70% savings compared to IT Schedule 70.
– Shared services platform will be ready in Q3 FY17 for non-CFO Act Agencies.
What’s Next
► Complete Phase 1 deployment, including implementation of both the Agency and Federal Dashboards
► Continue Phase 2 deployment to gain visibility of general user credentials and privileged user access
► New contracting approach – existing BPA expires in 2018
► Award new task orders for Phase 3 (and eventually Phase 4) to assist with perimeter protections and develop the approaches for ongoing assessment, ongoing authorization, and incident reporting standardization
► Update Phase 1 to include cloud and mobile situational awareness
► Mature Dashboards and integrate with other federal cybersecurity programs, including the National Cybersecurity Protection System (NCPS, operationally known as Einstein) and the Automated Indicator Sharing (AIS) program
What We Have Found: Implications for Federal Cybersecurity
► Programmatic:
– What Worked:
• Established consistent engagement by developing Memoranda of Agreement for the agencies
• Pioneered an innovative acquisition approach combining agencies into groups for similar requirements and project efficiencies
• Helped agencies achieve internally consistent enterprise approach, allowing them to leverage similar product knowledge, subject matter expert support, and licensing
• Leveraged consistent system engineering lifecycle
– Challenges:
• Timeline from obligation of funding to award to deployment too long
• Three year period of performance of contracts was too short given size and complexity of work
• Program success depends on collaboration between the offices of the CIO, CFO, and CISO, as well as between network and security operations, presenting challenges particularly in federated agencies
• Varying levels of agency governance and duplicative change control processes
• Suitability and clearance issues
What We Have Found: Implications for Federal Cybersecurity
► Technical:
– What Worked:
• Six agencies have completed tool deployment and have increased visibility into network assets, strengthening management and reducing the attack surface; deployments continue at remaining agencies
• Program met commitment to using Commercial-Off-the-Shelf (COTS) tools for all program requirements
• Agencies, including those that are federated, are striving to deploy enterprise approach to continuous monitoring
• Program established CDM approved products list by evaluating tools to meet the program’s technical requirements
– Challenges:
• Program and agency requirements not always clearly defined
• Some agency infrastructure required hardware procurements to support the CDM tools
• Testing and pre-production environments not always available
• Difficult to streamline and achieve testing efficiencies due to inconsistencies in integrator testing approaches
Audience Q&A
Please use the question box on the top right of your screen to ask questions.
Get Involved with the CDM Learning Program!
Visit our website: https://www.us-cert.gov/cdm
Engage with our weekly blog: https://www.govloop.com/groups/cdm-learning-bits-bytes
Join our mailing list: [email protected]
Thank you for attending today’s CDM webinar!
► A certificate of attendance will be available to download at www.us-cert.gov/cdm/training within one week of today’s event.
► Please help us provide better learning content by completing the short questionnaire. Your feedback matters!