Providing a FedRAMP or 800-171 compliant solution requires a strong continuous monitoring and management program. DHS' CDM initiative is a robust blueprint for architecting a proven set of policies, procedures and tools that effectively provide the information needed to detect issues and anomalies.

1. Proprietary and confidential information of stackArmor
MEETING SECURITY AND COMPLIANCE REQUIREMENTS USING AWS SERVICES
Security by Design
Session 2:
Continuous Monitoring and Management (CM)

2. About Jack Heyman
2PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR
 Has worked with many Federal agencies, Fortune 500 companies and
Accounting/Consulting firms.
 Teaches IT related courses on a nationwide basis.
 Teaches CDM to most Federal agencies on behalf of Booz Allen Hamilton.
 Holds several certifications such as CISA, CAP, CIPP, CGFM, and CPA.
 Previously worked at PricewaterhouseCoopers for approximately 6 years.
 Loves to travel and interact with people from all over the world.
 Spent time volunteering to help those in need.

3. Why do you care about CDM?
• CDM is a best practice developed by experts in security and IT
systems management experts over a period of many years
• There are great lessons, practices and technologies that can be
leveraged by security focused organizations without having to
re-invent the wheel
• CDM is a great reference implementation and benchmark
source to help Executive Management understand the need for
continuous security monitoring and investments
PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR 3

4. Introduction to CDM
• Established by the Department of Homeland Security (DHS).
• In conjunction with OMB, NIST, and others.
• Will address aspects of other requirements (e.g. FISMA,
Privacy laws, etc.).
• Better management of vulnerabilities, coordination of issues
across agencies, as well as cost savings
PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR 4

5. CDM Requirements
•New devices need to be identified within 72 hours.
•Weaknesses need to be identified and remediated within
specified timelines.
•All agencies need to report up to DHS.
•DHS needs to be able to send communications and other
correspondence with the ’subordinate’ agencies.
•All agencies (Executive branch), States, and other affected
entities need to know their hardware, software, and be able
to report timely.
PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR 5

6. The CDM Tech Stack
• There are 5 tools to be deployed as part of complying with
CDM:
◦ ForeScout
◦ BigFix
◦ RES
◦ Splunk
◦ Dashboard (RSA Archer)
PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR 6

7. Manages inventory.
Works with many technologies.
Can identify, alert, restrict, disable and more for endpoints on the network.
Can even locate non-IP addressable endpoints on the network.
ForeScout Overview

8. All internal IP addresses need to be configured.
Assets must be categorized correctly (e.g. Windows, etc.) and also the various segments and
organizational units.
Specific ports needs to be open or listening in order for Forescout to report correctly (e.g. Port
135, 139, 445)
Assets that are unassigned or unclassified.
Firewalls must also not block the BigFix reporting.
Syslog communication
ForeScout Challenges

9. Applies patches and updates globally based on technology type.
Works with many technologies.
Subscribe to various checklists (e.g. CIS, USGCB, STIG, etc.) and ensure your endpoints are
compliant with those respective checklists.
BigFix Overview

10. Can accommodate secure LDAP (port 636 must be open for this to work properly)
Specific ports must be open (e.g. 52311/bi-directional) or else BigFix won’t work properly
 There are additional ports that should be open as well such as 52312, 52314, and 52315 (Web Reports,
Security and Compliance, and Inventory)
Firewalls must also not block the BigFix reporting.
Assigning Master operators to the same endpoints will likely result in errors (e.g one operator running a Fixlet
and the other operator running an opposing Fixlet).
Editing the Masthead (access to the URL where software is downloaded from).
Access to the database (DBA rights may be different from the BigFix endpoints).
Audit data is retained only for 10 days by default.
Syslog communication
BigFix Challenges

11. Homogenizes and anonymizes data for consistent reporting (e.g. individual Agency to DHS).
Identify only those audit events needed for reporting purposes.
Like Google but for searching data anywhere on the network.
Works with other technologies such as Nessus.
Splunk Overview

12. Access and configuration to the forwarders (those hardware items that forward data to the Splunk
indexer) for analysis.
Maybe incomplete data was configured to be sent to the syslog servers.
Other access configurations such as:
 Removing the use of LDAP.
 Limiting the number of jobs.
 Changing ports.
 Enabling SSL and/or email security.
Specific ports must be open (e.g. 8443, 8089, 8191, and 9996) or else Splunk won’t work
properly
 8443 – Splunk search page (port used for user login)
 8089 – used by the search engine (used by the search head against the indexer - 9996)
 8191 – used to store lookups for populating events with fields pulled from the Key Value (KV) store
 9996/7 – used by the data gathering component to the indexer
Splunk Challenges

13. Reporting tool based on all data ingested by Splunk.
Run filters, queries and other analysis to identify in real-time any issues that may have arisen.
Facilitates preventive, detective, and corrective controls.
RSA Archer Overview

14. RSA Archer Questions
General
 How can I see a report of all devices grouped by operating system, technology, etc.?
 Can I see a pie chart of the various operating systems?
 Can I sort by Windows 2008 R2?
 Can I see the location of my hardware devices?
 What were the changes to my inventory since last month?
 Can I get a report of all Nessus vulnerabilities by technology and location?
 Which of my systems are FISMA reportable?

15. RSA Archer Questions
Forescout
 Is there a report to show me all unassigned hardware from Forescout?
 How about a report of all unclassified hardware from Forescout?
 Is there a report showing which hardware appliances are currently without BigFix installed?
 Can I see a report of all new hardware devices added in the last month?
 Were there any hardware devices that had their firewall rulesets changed to block Forescout
reporting?
 Are there any IP addresses that have not been assigned or configured?
 Is there a report showing which servers have had specific ports closed?
 What are the assets that are non-IP addressable assets that are tracked by Forescout but not
BigFix?

16. RSA Archer Questions
BigFix
 How about a report that shows which applications have out of date patches?
 Is there a report showing which servers have had specific ports closed?
 Have there been any modifications to the Masthead within the BigFix installation?
 Have there been any new users created, deleted or modified with regard to the SQL database
used for BigFix?
 Has auditing exceeded the 10 day setting and is now being overwritten?

17. RSA Archer Questions
Splunk
 Have there been any new forwarders configured in the last month?
 Has the threshold limitations changed in the last month for ingesting data?
 Were any new configurations deployed within the Splunk architecture (e.g. forwarders, indexers,
index clusters)?
 Have the parameters concerning Splunk buckets changed or was data removed from the
buckets?
 Was SSL disabled on the Splunk indexer?
 Have any of the Splunk ports been closed in the last month?

18. Learn more at www.stackArmor.com
Thank you
www.stackArmor.com
solutions@stackArmor.com
Security By Design
https://www.stackArmor.com/SecurityByDesign