The document discusses the importance of continuous monitoring in information security, emphasizing its role in risk management and operational security through real-time monitoring and data analysis. Key points include the need for organizations to integrate continuous monitoring into their IT budgets and practices, leveraging data for rapid risk assessment and management. Best practices outlined include asset categorization, risk threshold determination, monitoring frequency, and detailed reporting to enhance security responses.

1. Developing a Continuous Monitoring Action PlanAn InformationWeek Government Webcast Sponsored by

2. Webcast Logistics

3. Welcome!John FoleyEditor InformationWeek Government

4. Today’s PresentersJohn StreufertDeputy Chief Information Officer Information AssuranceUnited States Department of StateSteve Johnston CISSP, ITIL Lead Federal Systems EngineerTripwire, Inc.

5. What Is Continuous Monitoring? “Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” >>NIST SP 800-137

6. Building It Into The IT Budget “What makes us more secure is real-time security monitoring--continuous monitoring--and acting on data. That's why agencies are directed as part of the FY 2012 budgeting process to make sure that their budget reflects presidential priority in terms of investing in tools, not in paperwork reports.” >>Federal CIO Vivek Kundra, June 2010

7. Continuous Monitoring Domains (NIST)

8. CIA Invests In RedSeal Systems "Continuous monitoring technologies will enable the U.S. intelligence community to effectively operate the complex, dynamic network defenses that protect critical information and systems.”>>William Strecker, CTO, In-Q-Tel

9. FISMA 2.0: A Continuous MonitoringCase StudyJohn Streufert ( DOSCISO@state.gov )Deputy Chief Information Officer for Information Security US Department of StateFebruary 14, 2011

10. Nature of Attacks 80% of attacks leverage known vulnerabilities and configuration management setting weaknesses10

11. Threats Increasing2%5%TypeTickets39%200851%1%2%19%2%9%201084%

12. Case Study:Scan every 36-72 hoursFind & Fix Top Issues DailyPersonal results graded Hold managers responsible12

13. How: 1. Narrow Aim13[11 months before Feb 09]

14. 2.Bad things by NumbersChemical DumpingLittering vs.L.A. Hotel Pays a$200,000 fine because an employee dumps pool chemicals into a drain fumes fill a subway station-- several people become ill March 23, 201014

15. Cube and Divide by 100

16. 3. CalculateGrades A+ to F -

17. 4. Focus on Worst First

18. Results First 12 Months18Personal Computers and Servers

19. Risk Scoringin 2nd Year

20. Operation Aurora Attack20Call a Problem 40x Worse

21. 21.when charging 40 points0 - 84% in seven (7) days0 - 93% in 30 days

22. 13 25 36 60 93133

23. 1/3 of Remaining Risk Removed23[Year 2: PC’s/Servers]

24. 24

25. 25

26. Lessons LearnedWhen continuous monitoring augments snapshots required by FISMA:Mobilizing to lower risk is feasible & fast (11 mo)Changes in 24 time zones with no direct contactCost: 15 FTE above technical management baseThis approach leverages the wider workforceSecurity culture gains are grounded in fairness, commitment and personal accountability for improvement26

27. Next Steps

28. 20 Year old commercial said“The quality goes in, before the name goes on”28

29. 29Should we position our best solutions before or after accidents?Cofferdam unit departing Wild West in Port Fourchon on the Chouest 280 workship named Joe Griffin 05 May 2010 -- Photo from BP.com

30. RISK30

31. Continuous C&A PilotsPriority sequence: quick wins vs. long term:Inventory of Authorized Assets (CAG 1/2)Configuration and Vulnerability Monitoring (CAG 3/4/10/12/13)SCAP Content (automated & non-automated testing)Boundary Defense (CAG 5/14)Situational Awareness and Threat AnalysisApplications (CAG 7)Access Controls (CAG 6/8/9/11)Data Loss Protection (CAG 15)31

32. 32

33. ConclusionsRisk Scoring and Continuous Monitoring is scalable to large complex public and private sector organizationsHigher ROI for continuous monitoring of technical controls as a substitute for paper reportsSummarized risk estimates could be fed to enterprise level reporting33

34. Continuous Monitoring: Best PracticesSteve Johnston, CISSP, ITIL, Lead Federal Systems EngineerTripwire, Inc.

35. Provides continuous input to the C&A processMoves the focus back to securityEnables dynamic security to respond to evolving threatsProvides details of your information systemsMake risk based decisions

36. Take control and remain in control of your infrastructureSpirit of Continuous Monitoring

37. 1Categorize Assets2Determine Risk Threshold3Establish Monitoring Frequency4Provide Detailed Reporting36

38. Categorize logically and by criticalityIs it a critical asset?Is it a medical systemHigh, moderate or low severity?What kind of missions and programs do they support?Benefits to CategorizationEasier to make risk based decisionsHomepage and Reporting viewsRisks are easier to determine knowing the mission the asset supports37Categorize Assets

39. Intelligent information to make risk-based decisionsConfiguration data, log data – correlated togetherSet appropriate thresholds to policies and weights to control checksExample of Policy Thresholds

40. <50% Do Not Operational

41. <75% System should go through preplanning

42. <90% Operational

43. Test and control weights need to be set

44. Weights affect the Risk scoring

45. Example:

46. HIGH - Administrator set blank password

47. LOW – Users are part of a remote desktop groupDetermine Risk Threshold38

48. 39Determine frequency by function and risk associated with each system and security controlSystem level frequencySecurity Control level frequencyApplication level frequencyDetermine Monitoring Frequency

49. Example Continuous Monitoring Frequency40Near Real-Time PeriodicDaily / WeeklyFrequencyMission critical controls

50. External facing devices

51. Events from critical systems

52. DB stored Procedures

53. Mission X Systems

54. Full Systems

55. Application data controls

56. New installs, patches, hot fixes

57. Event and Log Review

58. Hypervisor Controls

59. Internal network devices

60. Directory Services

61. DB Schema

62. etc…Device / Control

63. Respond and provide feedback to the Authorizing Official or representativeIncident Response

64. Security Alerts

65. Certification & AccreditationUse the intelligent data feeds to make accurate risk based decisionsProvide Detailed Reports41

66. Example Feedback to the Authorized OfficialRespond on Critical Control and Change Information 42

67. Example Feedback to the Authorized OfficialProvide actionable data What and WhereRespond to Critical Events43

68. 1Categorize Assets2Determine Risk Threshold3Establish Monitoring Frequency4Provide Feedback to Authorizing Official44

69. About TripwireTripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 5,500 customers in more than 87 countries rely on Tripwire’s integrated solutions. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively prove continuous compliance, mitigate risk, and achieve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com

70. Q&A SessionPlease Submit Your Question Now

71. Resources To View This or Other Events On-Demand Please Visit:http://www.netseminar.comFor more information please visit:http://www.tripwire.com

72. THANK YOU!