Enclave Security: Secure Configuration Management (SCM). David Hoon DISA PEO-MA SCM PMO http://www.disa.mil/scm. Unclassified.
The information provided in this briefing is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government.

Agenda
• SCM Introduction
• SCM Lifecycle
• SCM Objectives
• SCM Community Model
• Current Capability Framework
• Governance Model
• Capability Program Map
• NSA SCM R&D Focused Efforts
• SCM Programs
  • CMRS
  • DPMS
  • IAVM

Introduction
• Security-focused Configuration Management (SecCM) is defined as: “the management and control of configurations for information systems to enable security and facilitate the management of information security risk.” (NIST SP 800-128)
PROGRAM OBJECTIVES:
• The DoD SCM Program is the integration and optimization of enterprise IA applications, tools, and data standards to support automated processes used to support risk management and near-real-time awareness.
• Enable Information System Monitoring as part of DoD’s Continuous Monitoring Strategy, supporting the initial data sets of assets, system configurations, and vulnerabilities (FISMA reporting requirements).
PROGRAM CAPABILITIES:
• Leverage inherent SCM capabilities used within CC/S/As
• Provide pervasive enterprise capabilities and interfaced automated capabilities based on common data standards to enhance and accelerate CC/S/As’ ability to:
  • Identify assets
  • Check system configuration compliance against policies and standards
  • Search for potential vulnerabilities
  • Act on known vulnerabilities for known risk posture for system/networks
  • Report status & share information with those that need to know
• Configure assets securely; Maintain secure Configurations; Provide continuous situational awareness to the right people

Why SCM?
• The Enterprise Today:
  • Difficult to maintain secure configurations: high level of effort, diminished return on investment
  • Disparate IA tool sets: proprietary capabilities, disconnected and stand-alone configurations
  • Manual reporting: resource intensive, slow, and limits trusted situational awareness
• The Future Enterprise:
  • Automated, end-to-end security compliance process
  • Standardized and validated toolsets connected throughout the enterprise
  • Continuous reporting to improve data integrity and validity

SCM Program Objectives
The SCM Program implements published standards, uses validated tools, and employs standardized interfaces to realize essential Secure Configuration capabilities.
Standards: Secure Configuration Automation Protocol (SCAP). A NIST-developed, industry-adopted set of standards supporting interoperability and automated data exchange. Extended to include standard data formats for reporting asset and summary information.
Tools: Commercial-off-the-Shelf (COTS) and Government-off-the-Shelf (GOTS) tools validated as conforming to SCAP standards.
Interfaces: Leverage SCAP and emerging standards (Asset Report Format (ARF) / ARF Summary Report (ASR)) to distribute asset data by defining data input and output formats for SCAP-validated tools.
Capabilities: Content/Policy development; Asset Inventory/Discovery; Security State Analysis/Risk Assessment; and Risk Mitigation.

Automated STIGs
• Automated STIG & IAVM Benchmarks (with OVAL) available:
  • Windows XP
  • Windows Vista
  • Windows 2003 Domain Controller & Member Server
  • Windows 2008 Domain Controller & Member Server
  • Windows 7
  • Windows 2008R2
  • Red Hat 5
  • Solaris 9 (x86 and sparc)
  • Solaris 10 (x86 and sparc)
  • HP-UX 11.23
  • HP-UX 11.31
  • AIX 5.3
  • AIX 6.1
  • Windows IAVM 2009, 2010, 2011, 2012 * PKI restricted
  • IE8
  • IE9
• http://iase.disa.mil/stigs/scap/index.html

SCM R&D FOCUS AREAS (FY13 - FY17)
• SCM in Mobile Environment: Develop SCM capabilities for mobile and wireless devices.
  • Mobile Device Manager
  • Dynamic Policy Generation (supports BYOD)
  • Mobile Application Store
• Automated Remediation: Develop remediation policies allowing centralized control and decentralized execution of remediation
  • COTS Remediation Tools
  • Remediation Standard
  • Group Policy Fixes
  • Policy-Driven Automated Course-of-Action (ACoA)
• Collect Configuration Data from Human Sensors: Develop automated capabilities to collect IT asset and configuration relevant data from human sensors (i.e., Open Checklist Interactive Language/OCIL, part of the SCAP protocol suite)
  • Certification and Accreditation
  • Non-Automated STIG Checks
  • Training
  • CCRI (Command Cyber Readiness Inspection) / CSIP (Cyber Security Inspection Process)
• SCM in a Virtualized Environment: Develop SCM capabilities for non-persistent and persistent IT virtualization environments
  • Hypervisor
  • Virtual Desktop Environment
  • Streaming Application Server

SCM in Mobility PROGRESS & Way Forward
FY12
• Completed Combined Baseline Criteria for Mobile Device Manager (MDM)
• MDM Tool Qualitative Market Analysis
• Policy and Configuration Guidance Market Analysis
• CONOP for SCM in Mobile Environment
• MDM Security Capability Assessment
• MDM-SCAP Middleware Application
FY13
• Market Analysis of MDM / MAS
• COTS Tool Evaluation and Testing (MDM/MAS)
• Standards development for mobile assessment (OVAL)
• Standards-based compliance scanning of mobile devices
• Integration with TNC concepts
• Dynamic Policy Generation (Supports BYOD)
• Integration of MDM with Continuous Monitoring Solution

Automated Remediation PROGRESS & Way Forward
FY12
• Work with NIST on Remediation standard development (CRE & ERI)
• Work with SPAWAR on the development of the SPAWAR Remediation Tool
FY13
• Aggregated automated remediation requirements
• Automated Remediation CONOP
• Market Analysis and evaluation of Remediation COTS tools
• Support further refinement of Remediation standards
• Create Remediation content to support automated remediation
• Refine STIG and IAVM automated remediation approach
• Integrate Remediation Content into DISA Digital Policy Management System
• Remediation Event Management capability
• Support Proof of Concept of Automated Remediation course of action

Automated human sensor PROGRESS & Way Forward
SCAP Protocol: OCIL (Open Checklist Interactive Language)
FY12
• OCIL Content for Windows 7
• Lessons Learned for OCIL reference implementation
• Input to OCIL 2.0 standard
• Pilot with Telos tool using OCIL
FY13
• Market Analysis of current COTS tools that leverage the OCIL data standard
• CONOP for OCIL to support C&A, STIG Compliance, Training, and CSIP Use Cases
• Draft requirements for Enterprise OCIL solution
• Create OCIL content to support identified use cases
• Provide input to OCIL 3.0 standard
• Pilot for using OCIL for C&A
• Pilot for using OCIL for CCRI/CSIP
• Pilot for using OCIL STIG Compliance

SCM in Virtualization PROGRESS & Way Forward
FY12
• Collaborate with DISA and CYBERCOMMAND to derive test cases for evaluating security of virtual environments
• Procure and Establish Virtualization Pilot Lab
• Configure NSA IT Efficiencies Environment in Lab
• Install current DISA SCM Tools in Lab
• Execute test cases to determine security gaps with current DISA tools
• Recommend approaches to resolve security gaps
FY13
• Complete Virtualization Pilot
  • Final SCM Use Case Execution
  • Gap Analysis Report
  • Recommendations Paper for DISA
• Hypervisor Scanning Capability
  • STIG/SRG
  • Market Analysis of Tools
  • SCAP content
  • Standards updates (ARF/ASR)
  • Operational Prototype in Lab
• Non-Persistent Desktop Scanning Capability
  • Approach to scanning non-persistent desktops/templates
  • Market Analysis of Tools
  • Operational Prototype in Lab

SCM Programs
[Diagram of SCM programs; labels as extracted: ACAS CMRS/PRSM DPMS IAVM Service VMS STIG Maintenance Patch Repository Severity Scoring eMASS ENMLDS HBSS Policy Auditor OAM APS ACCM Remediation Manager VMS]

What is Digital Policy Management Service?
• Author validated Machine-readable Content
• Search for and Modify/Copy already created content
• Content Distribute Capability (Machine-to-Machine (M2M), Versioning)
  • Based on signatures; Marines get Marines-signed content, Navy gets Navy-signed content, everyone gets Authoritative content
• Collaboration
• Content Sharing / Learning (e.g., Patch testing reciprocity)
  • Army can share custom content with Navy; Navy can share custom content with Marines; CYBERCOM can share content with everyone

Authoritative Sources of Content
• Authoritative sources need to create as well as validate content created by other sources (Army, Navy, etc.). Content validated/signed by the respective Authoritative source should be scored differently in the Enterprise Risk Scoring (ERS) capability.
• Types of Content:
  • SCAP Content
  • STIG (CCE) (FSO)
  • IAVM (FSO & CYBERCOM)
  • Malware (MAEC) (CYBERCOM)
  • Custom HIPS, AV & other remediation (CYBERCOM)

IAVM System Overview
• Automates USCYBERCOM vulnerability scoring and policy generation processes
• Includes CVSS-compliant scoring engine
• Provides real-time interfaces with Symantec DeepSight, NVD, and VMS
• Supports SCAP standards including CVE, CVSS, and CPE
System is live! June 2012

IAVM System Capabilities
• Primary System Capabilities
  • PKI authentication & access control
  • Symantec DeepSight web service data feeds for real-time vulnerability info
  • Vulnerability analyst workspace/dashboard
  • Pre-populated IAVM template and workflow
  • SCAP-compliant CVSS vulnerability scoring engine
  • Web-based pre-coord collaboration area to capture and track feedback
  • Enhanced search: ability to search across current and historical IAVMs using multiple parameters

QUESTIONS
SCM PMO
disa.meade.peo-ma.list.scm-pmo@mail.mil
www.disa.mil/scm