Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan www.gilligangroupinc.com May, 2009

Upload: john-gilligan

Post on 14-Dec-2014


DESCRIPTION

Automating Enterprise IT Management by Leveraging a Security Content Automation Protocol, a presentation by John M. Gilligan in May 2009.

TRANSCRIPT

Page 1: Automating Enterprise IT Management

Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP)

John M. Gilligan
www.gilligangroupinc.com

May, 2009

Page 2: Automating Enterprise IT Management

Problem

Today’s state—CIOs of large enterprises cannot:
• See their IT assets—they don’t know what they have
• Tell which systems comply with policy
• Makes reporting, enforcement impossible
• Change configurations quickly in reaction to changing threats or vendor updates

2

IT organizations cannot effectively manage complex environments

Page 3: Automating Enterprise IT Management

Root Cause

Today’s enterprise IT capabilities are:
• Complex
• Dynamic
• Vulnerable
• Fragmented in use of automated management

3

Processes and tools are immature

Page 4: Automating Enterprise IT Management

CIOs are concerned about enterprise IT management

• Cost of poorly managed IT is growing rapidly
• Cyber attacks are exploiting weak enterprise management
  – Weakest link becomes enterprise “Achilles Heel”
  – Cyber exploitation now a National Security issue
• High quality IT support requires effective enterprise management

4

SCAP enables effective enterprise IT management and security

Page 5: Automating Enterprise IT Management

Goal—Well-Managed Enterprise

• Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so

• Integrated and automated enterprise management tools increase operational effectiveness and security without increased cost

5

Page 6: Automating Enterprise IT Management

Solution Elements

• Governance
• Technology
• Discipline

6

Page 7: Automating Enterprise IT Management

Governance

• Define management and security policies and properties to be implemented in enterprise IT environments
• Accelerate evolution to a disciplined environment
  – Federal Desktop Core Configuration (FDCC): Establishes initial configuration discipline
  – 20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines: Counter most significant threats with measurable controls
  – NIST Special Publication 800-53 (Information Security; Recommended Security Controls for Federal Information Systems): Establish comprehensive disciplined management and security policies and controls

7

Page 8: Automating Enterprise IT Management

Technology

• Use tools that are Security Content Automation Protocol (SCAP)-enabled
• Automate management of configuration, asset management, and security properties
  – Continuously assess, report, enforce endpoint compliance
  – React quickly to changing situations (e.g., vendor patches, new configurations, revised policy)
• Achieve cross-vendor integration, interoperability

8

SCAP enables tool integration and interoperability for disciplined enterprise IT management

Page 9: Automating Enterprise IT Management

Discipline

Verify compliance with enterprise IT policies:
• Continuously verify effectiveness of controls by leveraging automation and trend metrics
• Also employ metrics for operational effectiveness and cost
• Use Auditors and Red Teams to independently validate discipline
• Ensure visible accountability for those who violate policies

9

Page 10: Automating Enterprise IT Management

Leveraging SCAP for Enterprise IT Management

10

Page 11: Automating Enterprise IT Management

Current SCAP Standards

11

Diagram: the SCAP standards CVE, CVSS, OVAL, CCE, CPE and XCCDF, grouped under four IT management functions: software vulnerability management, configuration management, compliance management, asset management.

SCAP supports foundational IT management functions

Page 12: Automating Enterprise IT Management

Specific SCAP Standards

12

Diagram: the same four functions (software vulnerability management, configuration management, compliance management, asset management) with each standard’s role:

• CVE: Identifies vulnerabilities
• CVSS: Scores vulnerability severity
• OVAL: Criteria to check presence of vulnerabilities, configurations, assets
• CCE: Identifies configuration controls
• CPE: Identifies packages and platforms
• XCCDF: Language to express configuration guidance for both automatic and manual vetting

SCAP enables enterprise-wide, cross-vendor interoperability and aggregation of data produced by separate tools

Page 13: Automating Enterprise IT Management

Mature Standards Illustrate Possibilities

• Common Vulnerabilities and Exposures (CVE): industry standard for identifying vulnerabilities
  – 36,000+ vulnerabilities agreed upon over the last 10 years
  – 245 products, 138 organizations, 25 countries
• Common Vulnerability Scoring System (CVSS): Payment Card Industry (PCI) uses to judge compliance of organizations that process card payments

13

Industry has adopted SCAP standards for individual needs

Page 14: Automating Enterprise IT Management

SCAP Gaining Momentum

• Federal Desktop Core Configuration (FDCC/SCAP)
  – Ken Heitkamp (ex-Deputy CIO AF): “FDCC with SCAP not only establishes standard configurations for hardware suppliers, it also addresses security for those that develop software”
• Open Vulnerability Assessment Language (OVAL)
  – McAfee: “The ability to…describe vulnerabilities on a system and exchange that information between tools is doing a great deal to improve [vendor] offerings”
• NIST issues SCAP content for FISMA compliance
  – Steve Quinn (NIST): “[SCAP is] an automated approach to help agencies make the jump from security policies and mandates to secure systems.”

14

Page 15: Automating Enterprise IT Management

Product Interoperability

The Problem
• Different vendor products give different answers
• CIOs can’t integrate across vendors

The Solution
• SCAP standard ‘OVAL’ introduced to enable integration
• Red Hat adopted OVAL; found it increased value of their advisories to customers
• Other vendors have followed (e.g., Symantec)

15

OVAL provides the “glue” for SCAP-compliant tools leading to interoperability

Page 16: Automating Enterprise IT Management

Enterprise IT Management Using SCAP

• DoD Computer Network Defense (CND) data sharing pilot demonstrating enterprise management using SCAP
  – SCAP shows which systems are vulnerable; enables rapid, prioritized response (e.g., rush patching); provides follow-up reporting
  – Tony Sager (NSA): “We do it all now with SCAP-compatible tools.”
• Organizations beginning to see SCAP benefits for other enterprise applications

16
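Slides 12 and 16 make the same point from two sides: because every tool labels its findings with the same SCAP identifiers (CVE for the weakness, CPE for the platform), output from separate vendors’ scanners can be merged and turned into a prioritized patch list. The following added example is not part of the presentation; it validates CVE and CPE 2.3 identifiers and merges two constructed scanner reports (placeholder CVE numbers, host names and CPE names, not real ones) into one severity-ordered view.

```python
import re
from collections import defaultdict

# Identifier syntax of the SCAP components named on the slides:
# CVE-YYYY-NNNN (four or more sequence digits) and CPE 2.3 formatted strings.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CPE_ATTRS = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named attributes.
    A colon inside a value is escaped as '\\:' and must not split the field;
    escape sequences are kept as-is in the returned values."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    attrs = dict(zip(CPE_ATTRS, fields[2:]))
    if attrs["part"] not in ("a", "o", "h"):  # application, OS, hardware
        raise ValueError("bad CPE part: " + attrs["part"])
    return attrs

def aggregate_findings(tool_outputs):
    """Merge per-host findings from several scanners, keyed by CVE id.
    Returns (cve, max_cvss, hosts, products) rows, most severe first."""
    by_cve = defaultdict(lambda: {"cvss": 0.0, "hosts": set(), "products": set()})
    for tool, findings in tool_outputs.items():
        for f in findings:
            if not CVE_RE.match(f["cve"]):  # a vendor-private id cannot be merged
                raise ValueError(f"{tool}: non-CVE identifier {f['cve']!r}")
            entry = by_cve[f["cve"]]
            entry["cvss"] = max(entry["cvss"], float(f["cvss"]))
            entry["hosts"].add(f["host"])
            entry["products"].add(parse_cpe23(f["cpe"])["product"])
    rows = [(cve, e["cvss"], sorted(e["hosts"]), sorted(e["products"]))
            for cve, e in by_cve.items()]
    return sorted(rows, key=lambda r: (-r[1], -len(r[2]), r[0]))

# Constructed sample output from two hypothetical scanners. The CVE numbers,
# hosts and CPE names are placeholders, not real identifiers.
SAMPLE = {
    "scanner_a": [
        {"host": "ws01", "cve": "CVE-2009-9999", "cvss": "9.3", "cpe": "cpe:2.3:o:example:exampleos:5.1:sp3:*:*:*:*:*:*"},
        {"host": "ws02", "cve": "CVE-2009-9998", "cvss": "4.3", "cpe": "cpe:2.3:a:example:reader:9.1:*:*:*:*:*:*:*"},
    ],
    "scanner_b": [
        {"host": "ws03", "cve": "CVE-2009-9999", "cvss": "9.0", "cpe": "cpe:2.3:o:example:exampleos:5.1:sp2:*:*:*:*:*:*"},
        {"host": "ws02", "cve": "CVE-2009-9998", "cvss": "4.3", "cpe": "cpe:2.3:a:example:reader:9.1:*:*:*:*:*:*:*"},
    ],
}
```

`aggregate_findings(SAMPLE)` lists the placeholder CVE-2009-9999 first with both affected hosts, while the duplicate ws02 report from the two scanners collapses into a single row.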

Page 17: Automating Enterprise IT Management

Leadership is needed now

17

Shape technology to serve the public interest

Page 18: Automating Enterprise IT Management

Recommended Actions

How Federal government can provide leadership:
1. Require SCAP-validated tools
2. Educate IT staff in how SCAP can be used for enterprise IT management
3. Deploy SCAP-validated tools; evolve to automated enterprise IT management
4. Share lessons learned with IT managers and vendors
   – More use cases—not just security
   – More transparent integration

18

Page 19: Automating Enterprise IT Management

SCAP can transform individual tools into integrated parts of an Enterprise IT Management Capability

19

Diagram labels: Capabilities, Tools, SCAP

Page 20: Automating Enterprise IT Management

Enterprise IT Management Roadmap

20

Chart axes: Capability, Cost

Page 21: Automating Enterprise IT Management

Contact Information

21

John M. Gilligan

[email protected]

www.gilligangroupinc.com

Page 22: Automating Enterprise IT Management

Strategic Roadmap

Timeline (each item paired with its label in the slide’s order):
• Controlled configuration for Windows: Today
• Controlled configuration for major operating systems and applications: 2010
• Standardized application white and black listing: 2010
• Adaptive configurations based on threat: 2011
• Faster vulnerability impact/patch level assessment: OVAL adoption
• Standardized remediation, configuration control: 2012

22

Stage labels: More secure, more automated; Real-time management; More secure, automated, real time