Continuous Monitoring for Web Application Security

1!
Con$nuous'Monitoring'for'
Web'App'Security'Dave%Shackleford,%IANS%

2%
The'Web'App'Security'Landscape'
!  Many'organiza$ons'are'not'addressing'Web'app'security'as'
they'should'
!  More'are'asking'“How'likely'are'we'to'be'hacked?”'and'
“What'should'we'do'about'it?”'
!  What'kinds'of'aCacks'are'federal'agencies'experiencing?'
And'what'should'they'do'about'it?'
!  We’ll'cover:'
!  Some%a5acks%and%research%trends%
!  Compliance%and%federal%regula>ons%to%focus%on%
!  Some%ideas%on%“what%do%about%it”.%

3%
Some'of'the'Top'Web'App'Issues'Today'
!  “Clickjacking”'and'embedded/hidden'code'aCacks'
!  “Slowloris”Lstyle'applica$on'vulnerabili$es'leading'to'DoS'
condi$ons'
!  The'BEAST'and'CRIME'aCacks'against'SSL/TLS'
!  CSRF'condi$ons'
!  SQL'worms'and'injec$on'vulnerabili$es'
!  ServerLside'Includes'(SSI)'with'development'plaUorms'

4%
Breaches'Are'Happening'Too…'

5%
What'about'compliance?'
!  FISMA'requires'a'number'of'speciﬁc'elements'in'its'
framework:'
!  Inventory%of%informa>on%systems%
!  Categorize%informa>on%and%informa>on%systems%according%to%risk%
level%
!  Security%controls%
!  Risk%assessment%
!  System%security%plan%
!  Cer>ﬁca>on%and%accredita>on%
!  Con>nuous%monitoring%

6%
What is Continuous
Monitoring?
!  One'step'in'the'NIST'6Lstep'risk'management'approach'in'
800L37'
!  Important%step%for%assessing%security%impacts%over%>me%
!  Required%by%FISMA%and%OMB%

7%
Risk Management &
Continuous Monitoring
!  Continuous Monitoring only follows sound
risk management practices & control
selection as outlined in NIST 800-53 and
800-37
!  Not replacing traditional risk assessment
and security authorization
!  The final step in the RMF (a key component
in back-end security, as defined by NIST)

8%
So…the RMF?
!  Jointly'developed'by'NIST,'DoD,'intelligence'agencies,'and'
the'CommiCee'on'Na$onal'Security'Systems'
!  Implemented'across'three'$ers:'
!  Governance%
!  Mission/business%process%
!  Informa>on%system%
!  A'lifecycle'approach'that'updates'the'C&A'process'
!  Helps%Authorizing%Oﬃcials%assess%Authority%to%Operate%(ATO)%%

9%
Automating Continuous
Monitoring
!  Automa$on?'You'bet.'
!  SCAP%is%a%good%start.%
!  Many%800]53%areas%are%good%candidates:%
!  Access%Control%
!  Iden>ﬁca>on%&%Authen>ca>on%
!  Audi>ng%&%Accountability%
!  Systems%&%Communica>on%Protec>on%
!  Real]>me%monitoring%of%these%is%key%

10%
Involving'Stakeholders'
!  Who'should'be'involved'in'planning'con$nuous'
monitoring?'
!  System%and%control%owners%
!  Business%unit%management%
!  CISO%and%CIO%
!  Authorizing%oﬃcials%

11%
Lots of Changes to Federal IT
Security and Compliance
!  Before: Go through C&A, get an ATO
!  Acronyms: Certification & Accreditation (C&A),
Authority to Operate (ATO)
!  FISMA specifies:
!  Periodic Risk Assessments
!  Periodic Testing & Evaluation
!  Annual Security Review
!  Annual Reporting

12%
And Now…?
!  800L53,'updated'in'2009L2010:'
!  Mandates%the%use%of%con>nuous%monitoring%
!  Mandates%the%implementa>on%of%a%strong%Risk%Management%
Framework%(RMF)%
!  Speciﬁc%guidance%on%event%triggers%and%responses%
Conducting a thorough point-in-time assessment of the
security controls in an organizational information system is a
necessary but not sufficient condition to demonstrate security
due diligence…The ultimate objective of the continuous
monitoring program is to determine if the security controls in
an information system continue to be effective over time in light
of the inevitable changes that occur in the system as well as the
environment in which the system operates.

13%
In other words…
!  Moving from:
!  To:
Those security controls that are volatile or critical to
protecting the information system are assessed at
least annually. All other controls are assessed at
least once during the information system s three-
year accreditation cycle.
A continuous monitoring program allows an organization to
maintain the security authorization of an information system
over time in a highly dynamic environment of operation with
changing threats, technologies and missions/business
processes. Continuous monitoring of security controls
using automated support tools facilitates near real-time risk
management and promotes organizational situational
awareness with regard to the security state of the
information system.

14%
The Federal InfoSec
Compliance Spectrum
!  FISMA'changes'and'bills'
!  “The%Federal%Informa>on%Security%Management%Act%of%
2010”%(06/2010)%
!  “Revamps%FISMA%repor>ng%requirements,%requiring%agencies%to%u>lize%
new%and%automated%monitoring%and%measuring%capabili>es%to%assess%
their%vulnerabili>es%to%cyber%threats”%
!  SCAP'
!  Measuring%&%repor>ng%on%vulnerabili>es%and%conﬁgura>on%issues%
(risk%measurement)%
!  CAG'
!  Consensus%controls%with%SANS,%Public%and%Private%organiza>ons,%and%
infosec%experts%%

15%
More on SCAP
!  Multiple standards for assessing configuration
and vulnerabilities, and reporting them
!  CVE (Vulns)
!  CVSS (Vuln scoring or rating)
!  CCE and CPE (Enumeration)
!  XCCDF and OVAL (Configs and Reporting)
!  Intended to provide standards for scanners,
local system assessment, and reporting
!  Cross-tool correlation and monitoring/alerting is a
critical function, too

16%
More on CAG
!  10'of'the'15'can'be'addressed'with'log'and'event'
management'
!  Tied%to%con>nuous%monitoring%
Can'be'facilitated'with''
con$nuous,'thorough'
Web'applica$on'assessment'

17%
Tying Web assessment to
event monitoring
!  Specific Web app scanning details to correlate:
!  Vulnerability details
!  Open ports and running/listening services
!  Risk ratings for vulnerabilities
!  System/application details
!  Correlation Examples:
!  System/application details: Correlate with current
inventory
!  Open ports: Correlate with configuration details to
determine whether unauthorized changes were made or
services are vulnerable
!  Vulnerability details: Correlate with configuration
details to determine whether unauthorized changes
were made or services are vulnerable

18%
Continuous Monitoring + CAG:
Assets/Inventory
Name Purpose IP address MAC address Purchase Date OS License Good Through Applications
CPCDSM01 File Server 1.2.3.4 AA:BB:CC:DD:EE:FF 1/2/10 Win2k8 Server SP2 1/2/14 XYZ
CPCDSM02 File Server 1.2.3.5 AA:BB:CC:DD:EE:AA 1/3/10 Win2k8 Server SP2 1/3/14 XYZ
CPCDSM03 File Server 1.2.3.6 AA:BB:CC:DD:EE:BB 1/4/10 Win2k8 Server SP2 1/4/14 XYZ
CPCDSM04 File Server 1.2.3.7 AA:BB:CC:DD:EE:CC 1/5/10 Win2k8 Server SP2 1/5/14 XYZ
CPCDSM05 File Server 1.2.3.8 AA:BB:CC:DD:EE:DD 1/6/10 Win2k8 Server SP2 1/6/14 XYZ
CPCDSM06 File Server 1.2.3.9 AA:BB:CC:DD:EE:EE 1/7/10 Win2k8 Server SP2 1/7/14 XYZ
•  System and application inventories can be
leveraged for a number of reasons
–  Determine whether systems or applications are
approved
–  Enforce license compliance
–  Determine whether systems or applications need
upgrades

19%
Assets/Inventory
!  Specific elements we want to learn with scanning:
!  System and asset names
!  Platform and application details (what is installed,
versions, patches applied, etc.)
!  Asset IP/MAC addresses
!  License status and details (maybe)

20%
Assets/Inventory
!  Correlation Examples:
!  System/application details: Correlate with
configuration details and remediation plans to ensure
consistency
!  Asset IP/MAC addresses: Ensure system addresses
have not changed
!  License status/details: Correlate with system
configuration to ensure applications are authorized and
licensed

21%
So…How s all this work?
!  A huge amount of application and
vulnerability detail needs to be collected in
today s Federal IT environments
!  All public-facing and critical apps need to be monitored
continually
!  These data sets should be aggregated, correlated and
used to create meaningful alerts
!  Assessment and reporting should follow
consistent formatting
!  SCAP is the emerging standard

22%
FedRAMP'mandates'web'applica$on'
scanning'controls'
!  The'GSA'guide'to'
implemen$ng'con$nuous'
monitoring'for'FedRAMP'
requires'Web'app'scanning'
!  Agencies'should'adhere'to'
the'same'controls,'but'even'
more'regularly'
!  This'is'becoming'best'prac$ce'
for'everyone!'

23%
Alan'Paller’s'Federal'Tes$mony'
!  Alan'Paller'tes$fied'before'a'House'subcommiCee'in'March'
of'2010:'
One$of$the$most$important$goals$of$any$federal$cyber$security$legisla6on$
must$be$to$enable$the$defenders$to$act$as$quickly$to$protect$their$systems$as$
the$a9ackers$can$act.$We#call#this#con-nuous#monitoring#and#it#is#single#
handedly#the#most#important#element#you#will#write#into#the#new#law.$
Con6nuous$monitoring$enables$government$agencies$to$respond$quickly$
and$effec6vely$to$common$and$new$a9ack$vectors.$The$Department$of$
State$has$demonstrated$the$effec6veness$of$this$security$innova6on.$Most$
major$corpora6ons$use$it.$This$model$is$the$future$of$federal$cybersecurity.$
As$our$response$to$a9acks$becomes$faster$and$more$automated,$we$will$
take$the$first$steps$toward$turning$the$6de$in$cyberspace,$and$protec6ng$
our$sensi6ve$informa6on.'
hCp://oversight.house.gov/wpLcontent/uploads/2012/01/20100324Paller.pdf'

24%
Mee$ng'Requirements'
!  FISMA'provisions'fall'into'three'major'categories:''
!  Assessment:%Determining%the%adequacy%of%the%security%of%federal%
assets%
!  Enforcement:%Requires%that%key%informa>on%security%provisions%be%
implemented%and%managed%
!  Compliance:%Establishes%provisions%for%management%of%each%agency's%
informa>on%security%program%and%accountability%for%compliance%and%
repor>ng%
!  How'can'regular'Web'app'scanning'help'agencies'improve'
security'and'meet'federal'guidelines'and'regula$ons?'

25%
Mee$ng'Requirements'&'Improving'
Security'
!  Specific'accountability%of%agencies%and%officials%
!  Regular%Web%app%scan%reports%show%security%status%of%applica>ons%
owned%by%each%organiza>on%and%manager%
!  Summary%reports%show%enterprise%view%of%applica>on%security%for%
formal%FISMA%repor>ng%
!  Assess'risk%by%seeking%to%meet%defined%security%objec>ves'
!  Reports%provide%iden>fica>on%of%levels%of%risk%
!  Data%can%be%used%in%risk%assessments%to%support%Cer>fica>on%and%
Accredita>on%ac>vity%
!  Management%can%make%risk]based%decisions%about%applica>on%
management%and%security%

26%
Security'
!  Maintain'an'inventory%of%major%systems%and%applica>ons%
!  Regular'security'assessments%and%reviews%
!  Vulnerabili>es%are%iden>fied%by%applica>on,%allowing%audits%to%be%
targeted%and%more%focused%
!  Scans%can%be%run%and%used%as%input%to%broader%assessments%
!  Assessments%can%be%automated%and%include%iden>fica>on%of%
likelihood%and%impact,%which%assist%with%Cer>fica>on%and%
Accredita>on%efforts%
!  Changes%can%be%mapped%over%>me%to%audit%compliance%with%
recommenda>ons%in%earlier%assessments%(con>nuous%monitoring!)%

27%
Security'
!  Tracking'of'deficiencies'and'remedia$on'ac$ons%taken'
!  Administrators%and%developers%can%filter%reports%to%show%specific%
vulnerabili>es%and%recommended%remedia>on%sugges>ons%
!  Tickets%can%be%assigned%to%appropriate%staff%to%enforce%remedia>on%
!  Reports%show%status%of%mi>ga>on%ac>vity%]%corrected%vs.%s>ll%ac>ve%
vulnerabili>es%

28%
Security'
!  Incident'response%and%preven>on%processes%and%capability%
!  Scans%give%early%warning%of%organiza>onal%exposure%to%vulnerabili>es%
!  Speciﬁc%vulnerabili>es%are%>ed%to%apps%for%more%rapid%assessments%
and%response%
!  Reports%can%be%shared%with%internal%and%external%incident%response%
teams%

29%
Web'App'Scanning'+'SIEM'
!  Tying'scan'results'into'event'
monitoring'can'add'powerful'
context'to'correla$on'rules'
!  Metrics'can'include:'
!  Web%and%database%applica>on%
vulnerabili>es%or%conﬁg%issues%
!  Web%and%database%plaiorm%
conﬁgura>on%changes%%
!  Web%applica>on%errors%by%web%
applica>on%by%type%

30%
Web'App'Scanning'+'WAF'
!  Web'Applica$on'Firewalls'(WAFs)'can'be'tested'with'web'
applica$on'scanning'tools'
!  Several'key'areas'to'focus'on:'
!  WAF%bypass%with%specific%scanning%types%
!  WAF%effec>veness%at%aler>ng%
!  Tuning%the%WAF%for%streamlined%detec>on%and%response%efforts%

31%
Web'App'Scanning'+'GRC'
!  Web'app'scanning'can'provide'valuable'input'to'GRC'tools'
and'metrics:'
!  Top%vulnerabili>es%see%and%remediated%
!  Changes%to%compliance%status%
!  Changes%to%overall%risk%status,%or%cri>cal%app%status%

32%
Web'App'Scanning'for'Mobile'
!  Many'mobileLoriented'Web'apps'provide'different'or'
varied'content'based'on'endpoint'device'and'browser'
!  Web'app'scanners'need'to'adapt'to'this'by'allowing'for:'
!  Various%HTTP%headers%to%be%modified%when%scanning%
!  User]Agent%values%to%be%changed%quickly%and%simply%for%different%scan%
results%
!  Varied%scrip>ng%and%data%presenta>on%op>ons%

33%
What’s'to'come?'
!  In'2013'and'beyond,'many'Federal'IT'organiza$ons'will'look'
to'implement'con$nuous'monitoring'
!  There'are'more'and'more'Web'app'vulnerabili$es'
!  Injec>on%ﬂaws%
!  XSS%and%CSRF%issues%
!  Conﬁg/Inventory%data%
!  Web%server%vulnerabili>es%
!  Centralized'monitoring'and'management'will'be'key''

1 Cenzic, Inc. - Confidential, All Rights Reserved.
Cenzic!
•  Leading Security Intelligence Platform
•  Headquarters in California, Offices in Singapore &
London, 10 years in business
•  Secures >1,000,000 online applications, $Trillions of
commerce
•  Protects F1000 companies, government agencies,
universities, SMBs & all major security vendors
•  Easy to use enterprise, mobile, and SaaS solutions
•  Delivers best continuous real-world Risk Management

Cenzic Enterprise Application Security
Production
Partner /
Supply Chain Networks
Mitigate vulnerabilities
before apps move to
production
Protect against ongoing
threats and manage risks
Certify partners - Ensure
interconnecting partner
and supply chain apps are
protected
Enterprise | Cloud
Hybrid
Mobile | Managed
Enterprise
Cloud
Cloud
Managed
Enterprise Application Security
Pre-production &
App Development

Unique capabilities Cenzic solutions offer:
–  Detect vulnerabilities in web applications in terms of applicable
compliance standards
!  FISMA 3544
!  NIST 800-53
!  ASD STIG APP
–  Prioritize remediation quickly based on seriousness of compliance
issue
–  Instantaneously connect reports to specific vulnerabilities affected by
regulation
–  Correlate final results in terms of specific subsections to demonstrate
compliance
Mapping to Federal Needs
4

Sample FISMA Compliance Findings Report

Sample NIST Compliance Findings Report

Sample STIG Compliance Findings Report

Thanks
For more details, contact:
Bala Venkat
bala@cenzic.com

Continuous Monitoring for Web Application Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Continuous Monitoring for Web Application Security

Similar to Continuous Monitoring for Web Application Security (20)

More from Cenzic

More from Cenzic (7)

Recently uploaded

Recently uploaded (20)

Continuous Monitoring for Web Application Security