Developing a Continuous Monitoring Action Plan
Download as PPTX, PDF2 likes841 views
The document discusses the importance of continuous monitoring in information security, emphasizing its role in risk management and operational security through real-time monitoring and data analysis. Key points include the need for organizations to integrate continuous monitoring into their IT budgets and practices, leveraging data for rapid risk assessment and management. Best practices outlined include asset categorization, risk threshold determination, monitoring frequency, and detailed reporting to enhance security responses.
![How: 1. Narrow Aim13[11 months before Feb 09]](https://image.slidesharecdn.com/02142011tripwireandinformationweekgovwebcastfinal2-110620131845-phpapp01/85/Developing-a-Continuous-Monitoring-Action-Plan-13-320.jpg)
![1/3 of Remaining Risk Removed23[Year 2: PC’s/Servers]](https://image.slidesharecdn.com/02142011tripwireandinformationweekgovwebcastfinal2-110620131845-phpapp01/85/Developing-a-Continuous-Monitoring-Action-Plan-23-320.jpg)
Developing a Continuous Monitoring Action Plan
- 1. Developing a Continuous Monitoring Action PlanAn InformationWeek Government Webcast Sponsored by
- 3. Welcome!John FoleyEditor InformationWeek Government
- 4. Today’s PresentersJohn StreufertDeputy Chief Information Officer Information AssuranceUnited States Department of StateSteve Johnston CISSP, ITIL Lead Federal Systems EngineerTripwire, Inc.
- 5. What Is Continuous Monitoring? “Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” >>NIST SP 800-137
- 6. Building It Into The IT Budget “What makes us more secure is real-time security monitoring--continuous monitoring--and acting on data. That's why agencies are directed as part of the FY 2012 budgeting process to make sure that their budget reflects presidential priority in terms of investing in tools, not in paperwork reports.” >>Federal CIO Vivek Kundra, June 2010
- 7. Continuous Monitoring Domains (NIST)
- 8. CIA Invests In RedSeal Systems "Continuous monitoring technologies will enable the U.S. intelligence community to effectively operate the complex, dynamic network defenses that protect critical information and systems.”>>William Strecker, CTO, In-Q-Tel
- 9. FISMA 2.0: A Continuous MonitoringCase StudyJohn Streufert ( DOSCISO@state.gov )Deputy Chief Information Officer for Information Security US Department of StateFebruary 14, 2011
- 10. Nature of Attacks 80% of attacks leverage known vulnerabilities and configuration management setting weaknesses10
- 12. Case Study:Scan every 36-72 hoursFind & Fix Top Issues DailyPersonal results graded Hold managers responsible12
- 13. How: 1. Narrow Aim13[11 months before Feb 09]
- 14. 2.Bad things by NumbersChemical DumpingLittering vs.L.A. Hotel Pays a$200,000 fine because an employee dumps pool chemicals into a drain fumes fill a subway station-- several people become ill March 23, 201014
- 15. Cube and Divide by 100
- 16. 3. CalculateGrades A+ to F -
- 17. 4. Focus on Worst First
- 18. Results First 12 Months18Personal Computers and Servers
- 19. Risk Scoringin 2nd Year
- 20. Operation Aurora Attack20Call a Problem 40x Worse
- 21. 21.when charging 40 points0 - 84% in seven (7) days0 - 93% in 30 days
- 22. 13 25 36 60 93133
- 23. 1/3 of Remaining Risk Removed23[Year 2: PC’s/Servers]
- 24. 24
- 25. 25
- 26. Lessons LearnedWhen continuous monitoring augments snapshots required by FISMA:Mobilizing to lower risk is feasible & fast (11 mo)Changes in 24 time zones with no direct contactCost: 15 FTE above technical management baseThis approach leverages the wider workforceSecurity culture gains are grounded in fairness, commitment and personal accountability for improvement26
- 27. Next Steps
- 28. 20 Year old commercial said“The quality goes in, before the name goes on”28
- 29. 29Should we position our best solutions before or after accidents?Cofferdam unit departing Wild West in Port Fourchon on the Chouest 280 workship named Joe Griffin 05 May 2010 -- Photo from BP.com
- 30. RISK30
- 31. Continuous C&A PilotsPriority sequence: quick wins vs. long term:Inventory of Authorized Assets (CAG 1/2)Configuration and Vulnerability Monitoring (CAG 3/4/10/12/13)SCAP Content (automated & non-automated testing)Boundary Defense (CAG 5/14)Situational Awareness and Threat AnalysisApplications (CAG 7)Access Controls (CAG 6/8/9/11)Data Loss Protection (CAG 15)31
- 32. 32
- 33. ConclusionsRisk Scoring and Continuous Monitoring is scalable to large complex public and private sector organizationsHigher ROI for continuous monitoring of technical controls as a substitute for paper reportsSummarized risk estimates could be fed to enterprise level reporting33
- 34. Continuous Monitoring: Best PracticesSteve Johnston, CISSP, ITIL, Lead Federal Systems EngineerTripwire, Inc.
- 35. Provides continuous input to the C&A processMoves the focus back to securityEnables dynamic security to respond to evolving threatsProvides details of your information systemsMake risk based decisions
- 36. Take control and remain in control of your infrastructureSpirit of Continuous Monitoring
- 37. 1Categorize Assets2Determine Risk Threshold3Establish Monitoring Frequency4Provide Detailed Reporting36
- 38. Categorize logically and by criticalityIs it a critical asset?Is it a medical systemHigh, moderate or low severity?What kind of missions and programs do they support?Benefits to CategorizationEasier to make risk based decisionsHomepage and Reporting viewsRisks are easier to determine knowing the mission the asset supports37Categorize Assets
- 39. Intelligent information to make risk-based decisionsConfiguration data, log data – correlated togetherSet appropriate thresholds to policies and weights to control checksExample of Policy Thresholds
- 40. <50% Do Not Operational
- 41. <75% System should go through preplanning
- 42. <90% Operational
- 43. Test and control weights need to be set
- 44. Weights affect the Risk scoring
- 45. Example:
- 46. HIGH - Administrator set blank password
- 47. LOW – Users are part of a remote desktop groupDetermine Risk Threshold38
- 48. 39Determine frequency by function and risk associated with each system and security controlSystem level frequencySecurity Control level frequencyApplication level frequencyDetermine Monitoring Frequency
- 49. Example Continuous Monitoring Frequency40Near Real-Time PeriodicDaily / WeeklyFrequencyMission critical controls
- 51. Events from critical systems
- 54. Full Systems
- 56. New installs, patches, hot fixes
- 57. Event and Log Review
- 61. DB Schema
- 63. Respond and provide feedback to the Authorizing Official or representativeIncident Response
- 64. Security Alerts
- 65. Certification & AccreditationUse the intelligent data feeds to make accurate risk based decisionsProvide Detailed Reports41
- 66. Example Feedback to the Authorized OfficialRespond on Critical Control and Change Information 42
- 67. Example Feedback to the Authorized OfficialProvide actionable data What and WhereRespond to Critical Events43
- 68. 1Categorize Assets2Determine Risk Threshold3Establish Monitoring Frequency4Provide Feedback to Authorizing Official44
- 69. About TripwireTripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 5,500 customers in more than 87 countries rely on Tripwire’s integrated solutions. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively prove continuous compliance, mitigate risk, and achieve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com
- 70. Q&A SessionPlease Submit Your Question Now
- 71. Resources To View This or Other Events On-Demand Please Visit:http://www.netseminar.comFor more information please visit:http://www.tripwire.com
- 72. THANK YOU!