Posecco clustering meeting


  1. Leveraging Security Models to Automate Audits and Improve their Level of Assurance
     Serena Ponta, SAP
  2. Context
     • Assurance about fulfillment of requirements (laws, regulations, customer-specific)
       - Critical to ensure business success and compliance with the law
       - Hard to achieve
     • Recognized need for automation and standardization
       - NIST effort to develop standards for security automation (SCAP) and security guidance
       - "Software assurance" in FISMA (June 2011) requires reporting on progress in installing tools compliant with NIST's standards
     • Audits provide assurance by involving a third-party authority
  3. Motivations
     • Request for an audit: the auditee's business and IT services (identified risks and control objectives)
     • Develop audit program (manual collection of information)
       - Definition of the scope of the audit: control objectives, target services and applications
       - List of controls per control objective (the audit program)
     • Execute audit program (manual execution of checks)
       - Execution of the audit program to collect technical evidence and informal (organizational) evidence
     • Evaluation
       - Evaluation of results: assess control objectives based on samples, write results in the audit report
  4. Contributions
     • PoSecCo's Security Models
       - Complete knowledge of the behavioral and structural landscape
       - Traceable link between business-driven security and technical configuration settings of individual services
     • To provide an audit interface supporting automated information retrieval and execution of checks
     • Increasing efficiency and assurance of audits
  5. Outline
     1. Introduction
     2. Audit Process (current practices): Develop Audit Program; Execute Audit Program
     3. PoSecCo Security Models
     4. Audit Process (new concept): Develop Audit Program; Execute Audit Program
     5. Conclusions
  6. Running Example (diagram): Business Service "E-invoice"; User Mgmt System
  7. Develop Audit Program (diagram)
     • The Auditee (service provider) sends the Auditee's Request for Audit to the Auditors, who produce the Audit Program
     • Example request: customers must authenticate for accessing business service "eInvoice"
     • Auditors' inputs: best practices (COBIT DS5 Control Objectives: DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, DS5.4 User Account Management, …), auditor's experience, previous audits, companies' practices
  8. Execute Audit Program (diagram): the Auditors execute the Audit Program against the Auditee; the Audit Program results feed the Audit Report
  9. Limitations
     • Restricted knowledge of the auditee's infrastructure: limited visibility of technologies and policies in place
     • Difficult to define the scope of the audit and to develop the audit program (adjustments required during the execution)
     • No standardized tools for automated assessment available
     • Technical evidence retrieval requires the auditee's support
     • Audit based on samples
  10. PoSecCo Security Models (diagram): complete information about functional and security aspects
  11. PoSecCo Security Models
     • Business Policies: customers must authenticate for accessing business services
     • IT Policies (Controls): password authentication for web application X1
     • Configurations (Golden Configuration)
       - AuthN enabled on web app X1, URI, host Y
       - Min psw length (N char) on User Mgmt Sys LDAP, URI', host B
     • Complete information about functional and security aspects
  12. Audit Program Development (diagram)
     • The Auditee's Request for Audit is now an XCCDF Checklist; the Auditors produce the Audit Program (XCCDF Checklist)
     • Auditors' inputs: Business and Service Model, best practices (COBIT DS5 Control Objectives: DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, …), auditor's experience, previous audits, companies' practices
  13. Example – Request for Audit
     • The Service Provider wants the auditors to ensure that customers must authenticate for accessing business service "e-invoice"
     • XCCDF Checklist
       - Business Policy: customers must authenticate for accessing business service "e-invoice"
       - IT Policies: password authentication for web application eInvoice; certificate authentication for web service eInvoice
  14. Example – Audit Program
     • Audit Program (XCCDF Checklist) built from: the XCCDF Checklist (business & IT policies), the Business and Service Model, best practices (COBIT DS5 Control Objectives: DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, DS5.4 User Account Management, …), auditor's experience, previous audits, companies' practices
  15. Advantages
     • Increased visibility of the auditee's premises: technologies and policies in place
     • Standards for automation
     • Augmented, structured initial request
     • Reliable scope of the audit
     • Auditee-focused, automatable audit program (by refining the auditee's request)
  16. Audit Program Execution (diagram)
     • The Auditors run the Audit Program (XCCDF Checklist) against the Auditee's infrastructure, using best practices (configurations)
     • The Audit Program Result (SCAP Checklist → SCAP Result) feeds the Audit Report
  17. Example – Audit Program enriched
     • Audit Program (XCCDF Checklist), enriched with infrastructure information (host Y, host B) and best practices (configurations):
       - Authentication Policy: all users are informed of the policy (ask CISO)
       - Password authentication for web application eInvoice
         - AuthN enabled on web app eInvoice, URI, host Y [Y', Y'', … in cluster setup]
         - Min psw length (N char) on User Mgmt System LDAP, URI', host B
         - Expiring date (M days) on User Mgmt System LDAP, URI', host B
         - Complex psw (alphanum) on User Mgmt System LDAP, URI', host B
         - …
     • Values: N char: best practices 20; golden configuration 15
  18. Example – Audit Program Execution
     • The enriched Audit Program of slide 17 (authentication policy, password authentication checks on host Y and host B, values N char: best practices 20 / golden configuration 15)
     • Organizational items are turned into questionnaires for the auditee roles (Vendor mgmt, CISO, …)
  19. Example – Automated checks
     • The technical checks of the Audit Program (AuthN enabled on web app eInvoice, URI, host Y (Y', Y'', … in cluster setup); min psw length (N char), expiring date (M days) and complex psw (alphanum) on User Mgmt System LDAP, URI', host B; …)
     • Target configurations: Planned (Golden Configuration), Actual (CMDB)
     • Values: N char: best practices 20; golden configuration 15
     • Assessment: evaluation of misconfigurations
  20. Advantages
     • Automatic processing of low-level information: infrastructure elements and configurations planned by the auditee; best practices on configurations
     • Automatic compilation of questionnaires for target interviewees
     • Automatic assessment of configurations: Planned (golden configuration), Actual (CMDB)
     • Reduced involvement of the auditee
     • Exhaustive analysis of infrastructure elements
     • Rating of misconfigurations' severity
  21. Conclusions
     PoSecCo's security models to:
     • Support the auditee in augmenting the initial request
     • Facilitate definition of the scope and of the audit program
     • Define a machine-readable audit program, automatically enriched with technical information from the system landscape and configurations, and executed to perform checks and create questionnaires
     • Rate the impact of misconfigurations
     • Efficiency (time for knowledge collection and mechanical activities)
     • Assurance (coverage, dependency on the auditee)
  22. THANK YOU!
  23. Disclaimer
     EU Disclaimer
     PoSecCo project (project no. 257129) is partially supported/co-funded by the European Community/European Union/EU under the Information and Communication Technologies (ICT) theme of the 7th Framework Programme for R&D (FP7). This document does not represent the opinion of the European Community, and the European Community is not responsible for any use that might be made of its content.
     PoSecCo Disclaimer
     The information in this document is provided "as is", and no guarantee or warranty is given that the information is fit for any particular purpose. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials subject to any liability which is mandatory due to applicable law.
  24. (image-only slide)
  25. SCAP Standards
     Security Content Automation Protocol (SCAP): suite of XML-based specifications for security automation (NIST)
     • Enumeration: CVE (Common Vulnerability Enumeration), CPE (Common Platform Enumeration), CCE (Common Configuration Enumeration)
     • Vulnerability measurement and scoring systems: CVSS (Common Vulnerability Scoring System), CCSS (Common Configuration Scoring System)
     • Expression and checking languages: XCCDF (eXtensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language), OCIL (Open Checklist Interactive Language)
  26. SCAP Checklist (diagram): XCCDF with Scoring Algorithm, CCSS and Weight; OVAL → Test action; OCIL → Questionnaire → Questions
  27. XCCDF, OVAL and OCIL (image-only slide)
  28. Configuration Validation Architecture (diagram)
     • Inputs: SCAP Benchmark (OVAL validation definitions, Objects, Rating), CMDB, System landscape, Simulation; system characteristics collected via WBEM, JMX and manual UI collection
     • Steps: (1) check compliance (SCAP interpreter), (2) definition evaluation (OVAL interpreter; OCIL interpreter for manual definition evaluation), (3) produce system characteristics, (4) assess misconfigurations (Rating Logic, relative assessment with state and rating), (5) complete rating, (6) compliance result
     • Outputs: OVAL results, SCAP Report
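A toy version of the configuration-validation pipeline the slides describe, added here as an example and not taken from the PoSecCo project: the enriched audit program of slides 17–20 is checked against the planned (golden) and the actual (CMDB) values, organizational items become questionnaire entries for a role, and the steps are numbered as in the slide-28 architecture. Rule identifiers, host names, the CMDB snapshot, the 90-day expiry value, the weights and the severity labels are all constructed for this example; only the 20-character best-practice and 15-character golden-configuration values appear on the slides. The weighted 0–100 score follows the shape of XCCDF's default scoring model, which is an assumption of this example rather than something the slides specify.

```python
"""Toy configuration-validation pipeline in the style of the PoSecCo audit slides.
Added example, not project code: every id, host and value below is constructed,
except the 20 / 15 character password-length values that appear on the slides."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PASS, FAIL = "pass", "fail"

# How a collected value is compared with a rule's expected value.
OPERATORS: Dict[str, Callable[[object, object], bool]] = {
    "min": lambda actual, expected: actual >= expected,   # at least
    "max": lambda actual, expected: actual <= expected,   # at most
    "eq":  lambda actual, expected: actual == expected,   # exactly
}


@dataclass(frozen=True)
class Rule:
    rule_id: str              # constructed, XCCDF-style identifier
    target: str               # host the check runs on, or the role to interview
    setting: str              # configuration item collected from that host
    op: str                   # key into OPERATORS, or "manual" for OCIL-style questions
    best_practice: object     # value recommended by best practices
    golden: object            # value planned by the auditee (golden configuration)
    weight: float = 1.0       # per-rule weight for the aggregate score (assumption)
    severity: str = "medium"  # rating attached to a failed check (assumption)


# Enriched audit program (slide 17); the 90-day expiry value is constructed.
AUDIT_PROGRAM: List[Rule] = [
    Rule("policy-communicated", "CISO", "All users are informed of the policy", "manual", None, None),
    Rule("authn-enabled-einvoice", "host Y", "authn_enabled", "eq", True, True, 2.0, "high"),
    Rule("psw-min-length", "host B", "min_password_length", "min", 20, 15, 1.0, "medium"),
    Rule("psw-expiry-days", "host B", "password_expiry_days", "max", 90, 60, 1.0, "medium"),
    Rule("psw-complexity", "host B", "alphanumeric_required", "eq", True, True, 1.0, "low"),
]

# Step (3): system characteristics as collected from the CMDB (constructed snapshot).
CMDB_ACTUAL: Dict[str, Dict[str, object]] = {
    "host Y": {"authn_enabled": True},
    "host B": {"min_password_length": 15, "password_expiry_days": 120,
               "alphanumeric_required": True},
}


def evaluate(op: str, value: object, expected: object) -> str:
    """Step (2): evaluate one definition; a setting missing from the CMDB counts as a failure."""
    if value is None:
        return FAIL
    return PASS if OPERATORS[op](value, expected) else FAIL


def classify(vs_golden: str, vs_best: str) -> str:
    """Step (4): name the kind of deviation, most serious first."""
    if vs_golden == FAIL:
        return "drift"        # actual state deviates from the planned configuration
    if vs_best == FAIL:
        return "weak-plan"    # implemented as planned, but the plan is below best practice
    return "compliant"


def assess(program: List[Rule], actual: Dict[str, Dict[str, object]]) -> Tuple[List[dict], List[dict]]:
    """Steps (1)-(4): automated checks go against planned (golden) and actual (CMDB)
    values; manual checks become questionnaire items for the named role (slide 18)."""
    findings, questionnaire = [], []
    for rule in program:
        if rule.op == "manual":
            questionnaire.append({"role": rule.target, "question": rule.setting, "rule_id": rule.rule_id})
            continue
        value = actual.get(rule.target, {}).get(rule.setting)
        vs_golden = evaluate(rule.op, value, rule.golden)
        vs_best = evaluate(rule.op, value, rule.best_practice)
        findings.append({
            "rule_id": rule.rule_id, "target": rule.target, "actual": value,
            "golden": rule.golden, "best_practice": rule.best_practice,
            "vs_golden": vs_golden, "vs_best_practice": vs_best,
            "kind": classify(vs_golden, vs_best),
            "severity": rule.severity if vs_golden == FAIL else None,
        })
    return findings, questionnaire


def score(program: List[Rule], findings: List[dict], key: str = "vs_golden") -> float:
    """Step (5): weighted pass ratio on a 0-100 scale (XCCDF-style default scoring;
    the weights are this example's assumption)."""
    weights = {r.rule_id: r.weight for r in program}
    total = sum(weights[f["rule_id"]] for f in findings)
    passed = sum(weights[f["rule_id"]] for f in findings if f[key] == PASS)
    return round(100.0 * passed / total, 1) if total else 0.0


def compliance_result(program: List[Rule] = AUDIT_PROGRAM,
                      actual: Dict[str, Dict[str, object]] = CMDB_ACTUAL) -> dict:
    """Step (6): the compliance result an audit report would carry."""
    findings, questionnaire = assess(program, actual)
    return {
        "score_vs_golden": score(program, findings, "vs_golden"),
        "score_vs_best_practice": score(program, findings, "vs_best_practice"),
        "misconfigurations": [f for f in findings if f["kind"] != "compliant"],
        "questionnaire": questionnaire,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compliance_result(), indent=2))
```

With the constructed snapshot, the minimum password length is implemented exactly as planned (15) yet below the best-practice value (20), so it is reported as a weak plan rather than drift, while the 120-day expiry misses both the planned and the best-practice values and is reported as drift with its severity; the two scores (80 against the golden configuration, 60 against best practice) make that distinction visible in one number each.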
  29. KPI
     Efficiency:
     • (Reduced) time/cost to: prepare the audit request [auditee]; define audit scoping (understand the auditee's premises and identify stakeholders, systems, risks, etc.); prepare the audit program (effort to gather data); execute the audit program; generate reports; support execution of checks [auditee]
     • (Reduced) variation of actual vs. predicted scope
     • (Increased) audit program maturity (matching the auditee's controls)
     • (Reduced) variation of control implementation vs. control design (here???)
     Assurance:
     • (Increased) time for sensitive activities (evaluate risks, control objectives, controls)
     • (Increased) coverage: number of systems checked
     • (Decreased) dependency on personnel for the knowledge to determine and assess controls
     • (Improved) customer trust in the security concept of the service provider
  30. Audit Interface
     1. Scoping support: retrieve the SP's control objectives (UC-A01); retrieve the SP's business policies
     2. Mapping of the SP's control objectives to other control objectives (or business policies)
     3. Control selection: controls per CO defined by the SP (UC-A02); controls per CO not defined by the SP (w/o mapping 2.)
     4. Controls equivalence (UC-A03: supplier + best practices)
     5. Check: control design follows best practices (UC-A02); control implementation follows best practices: configuration validation (UC-A04), questionnaire generation (report and assessment of misconfigurations)
     6. Simulation of changes: controls/IT policies (UC-A02); control implementation (UC-A04)
  31. Audit Program Development (diagram, as on slide 12, annotated with use cases)
     • Auditee's Request for Audit (XCCDF Checklist): UC-A01
     • Audit Program (XCCDF Checklist): UC-A02
     • Inputs (Business and Service Model, best practices with COBIT DS5 Control Objectives DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, …, auditor's experience, previous audits, companies' practices): UC-A01, UC-A02, UC-A03
  32. Audit Program Execution (diagram, as on slide 16, annotated with use case UC-A04)
     • The Auditors run the Audit Program (XCCDF Checklist) against the Auditee's infrastructure, using best practices (tests); the Audit Program Result (SCAP Checklist → SCAP Result) feeds the Audit Report
  33. OCIL Example (image-only slide)
