supporting secure sft o tisoftware operations · cyber observable broader use cases detect...

Supporting Secure S ft O tiSoftware Operations

Robert A. Martin

© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED

Sean BarnumMay 2011

Report Documentation Page Form ApprovedOMB No. 0704-0188

Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.

1. REPORT DATE MAY 2011 2. REPORT TYPE

3. DATES COVERED 00-00-2011 to 00-00-2011

4. TITLE AND SUBTITLE Supporting Secure Software Operations

5a. CONTRACT NUMBER

5b. GRANT NUMBER

5c. PROGRAM ELEMENT NUMBER

6. AUTHOR(S) 5d. PROJECT NUMBER

5e. TASK NUMBER

5f. WORK UNIT NUMBER

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) MITRE Corporation,202 Burlington Road,Bedford,MA,01730-1420

8. PERFORMING ORGANIZATIONREPORT NUMBER

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)

11. SPONSOR/MONITOR’S REPORT NUMBER(S)

12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited

13. SUPPLEMENTARY NOTES Presented at the 23rd Systems and Software Technology Conference (SSTC), 16-19 May 2011, Salt LakeCity, UT. Sponsored in part by the USAF. U.S. Government or Federal Rights License

14. ABSTRACT

15. SUBJECT TERMS

16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as

Report (SAR)

18. NUMBEROF PAGES

32

19a. NAME OFRESPONSIBLE PERSON

a. REPORT unclassified

b. ABSTRACT unclassified

c. THIS PAGE unclassified

Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

Agenda

8:00-8:45am Software Security Knowledge about Applications Weaknesses

9:00-9:45am Software Security Knowledge about Attack Patterns Against ApplicationsApplicationsTraining in Software Security

10:15-11:00am Software Security Practicey11:15-12:00am Supporting Capabilities

Assurance CasesSecure Development & Secure Operations


Secure Software Operations■ Where secure development use cases required foundational

knowledge and ways to package it and understand it within a static context, Secure Software Operations requires situational

& i t t ti f f d ti l k l d ithiawareness & interpretation of foundational knowledge within a dynamic context

■ Considering that secure operations is a key element of overall software assurance we need ways to:software assurance we need ways to:– Bridge the secure development and secure operations domains– Improve the analysis, characterization, collection, discovery &

knowledge sharing of malwareknowledge sharing of malware– Combine elements of the ecosystem as practical applications to

support secure software operations■ This portion of the tutorial will focus on resources/efforts■ This portion of the tutorial will focus on resources/efforts

focused at addressing these three needs

© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED3

Secure Software Operations

■Bridge the secure development and secure Cyber Observable eXpression

(C bOX)p

operations domains■ Improve the analysis,

characterization collection

(CybOX)

Malware Attribute Enumeration characterization, collection, discovery & knowledge sharing of malwareC bi l t f th

a a e bu e u e a o& Characterization (MAEC)

■Combine elements of the ecosystem as practical applications to support secure software operations

Security Content Automation Protocol (SCAP) and other

Automation Protocolssoftware operations

© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED4

Bridge the secure development and secure operations domains

Cyber Observable eXpression (CybOX)

The topic and content covered in this presentation was published as an article in the Sep/Oct 2010 issue of CrossTalk: The Journal of Defense Software Engineering


Sep/Oct 2010 issue of CrossTalk: The Journal of Defense Software Engineering

Attack Patterns Bridge Secure Development and Operationsand Operations

Attack Patterns

Secure Development Secure Operations

Attack Patterns


Secure Operations Knowledge Offers Unique Value to Secure Development■ Using attack patterns makes it possible for the secure

development domain to leverage significant value from secure operations knowledge, enabling them to:

Unique Value to Secure Development

– Understand the real-world frequency and success of various types of attacks.

– Identify and prioritize relevant attack patterns.y p p– Identify and prioritize the most critical weaknesses to avoid.– Identify new patterns and variations of attack.

■ Attack patterns enable those in the secure operations

Secure Development Knowledge Offers Unique Value to Secure Operations■ Attack patterns enable those in the secure operations

domain to provide appropriate context to the massive amounts of data analyzed to help answer the foundational secure operations questions.


p q

So, this all sounds great but how do we map these high-level attack

tt b t ti t th lpattern abstractions to the low-level operational world?

Cyber ObservablesThe Secret Sauce for Bridging the Abstract to the Concrete


Cyber Observables Overview■ The Cyber Observables construct is intended to capture

and characterize events or properties that are observable in the operational domain.

■ These observable events or properties can be used to adorn the appropriate portions of the attack patterns in order to tie the logical pattern constructs to real-world evidence of their occurrence or presence.

■ This construct has the potential for being the most important bridge between the two domains, as it enables th li t f th l l l t i fthe alignment of the low-level aggregate mapping of observables that occurs in the operations domain to the higher-level abstractions of attacker methodology, motivation, and capability that exist in the developmentmotivation, and capability that exist in the development domain.

■ By capturing them in a structured fashion, the intent is to enable future potential for detailed automatable mapping


enable future potential for detailed automatable mapping and analysis heuristics.

A Brief History of Cyber Observables

■ September 2009: Concept introduced to CAPEC in Version 1.4 as future envisioned adornment to the structured Attack E ti FlExecution Flow

■ June 2010: Broader relevance to MSM recognized leading to CAPEC, MAEC & CEE teams collaborating to define one common structure to serve the common needscommon structure to serve the common needs

■ August 2010: Discussed with US-CERT at GFIRST 2010■ December 2010: Cyber Observables schema draft v0.4

completed■ December 2010: Discussions with Mandiant for

collaboration and alignment between Cyber Observables d M di t O IOCand Mandiant OpenIOC

■ January 2011: Discussed & briefed with MITRE CSOC■ February 2011: Discussed & briefed with NIST – EMAP and


US-CERT who also have a need for this construct and had begun to work on parallel solutions

Simplified Overview of Current Schema


---------------------- ~ observables:Me:asure -

-------------------~ __ ?_~_:_~-~~~~~~~~-~-~-~~-~---:-

-;:~~i~~-~-~-~~~ ~~~~~~iii. :J

r obse,yable"MeasureTw-;---------------------------------------------

-r_ ~~~~~-~~~~-~-=-:~-=-~=-~-~~~ ~~~~~~ -_$

I" """"" """"""""" """"""" ~

- ~~~~==~':~~l_e_s..:_~::'?~ifl!i~~-~ lobse-;::b~:~nType-------------- -~

E)iilttributes

I I I I I

~- ~ -~~:::r.'-:~~l;:;.~~:t?.~~~~i~~~~ -~ I L __________ _

1 .. 00

L----------------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-~;~b~~;~;bi;;:E~~~-~-Obf~;~~~~~ lM

- ~-~~~~;~~~~~~~~~~~~~~~~~~e-c~h~n~~~~~ ~

·-~=-a-1 observables:Observable $ ~ ..... -a 0 .. 00

MITRE

observables:Oescription +

1..oo observables:Observables +

Generated by XMLSpy wWN.altova.com

■ Detect malicious activity from attack patterns

Cyber Observable Broader Use Cases■ Detect malicious activity from attack patterns■ Empower & guide incident management■ Identify new attack patterns■ Prioritize existing attack patterns based on tactical reality

■ Potential ability to analyze data from all types of tools and y y ypall vendors

■ Improved sharing among all cyber observable stakeholders■ Ability to metatag cyber observables for implicit sharing■ Ability to metatag cyber observables for implicit sharing

controls■ Enable automated signature rule generation

Enable new levels of meta analysis on operational cyber■ Enable new levels of meta-analysis on operational cyber observables

■ Potential ability to automatically apply mitigations specified in attack patterns


in attack patterns■ Etc….

Improve the analysis characterizationImprove the analysis, characterization, collection, discovery & knowledge sharing of malwaresharing of malwareMalware Attribute Enumeration & Characterization (MAEC)& Characterization (MAEC)


Malware Attribute Enumeration and Characterization (MAEC)

■ Language for sharing

Characterization (MAEC)

structured information about malware – Grammar (Schema)– Vocabulary

(Enumerations)– Collection Format (Bundle)

ThreatsDetection

■ Focus on attributes and behaviors

■ Enable correlation,

Vulnerabilities

ResponsePlatforms ,integration, and automation

pPlatforms

© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDPage 14

MAEC Use Cases■ Operational

Tool

■ Analysis– Help Guide Analysis Process– Standardized Tool Output


– Standardized Tool Output– Malware Repositories

Page 15

Tool

MAEC Overview


High-level

Mid-level

Low-level

Semantics

MITRE

Mechanisms • • • . . • • • •

Behaviors • • . . . •

Abstracted

Actions

e.g. Persistence

e.g. Malicious Binary Instantiation

•••••• e.g. Create File: xyz.dll •••••• •••

• •• ••••• .........

Implementation Models

Dynamic Malware Analysis MAEC

■ Demonstrate the ability to■ Demonstrate the ability to generate MAEC XML descriptions from dynamic analysis toolsanalysis tools

■ Developed proof-of-concept translators for:

CW Sandbox (Sunbelt)– CW Sandbox (Sunbelt)– ASAT (MITRE)– Anubis– ThreatExpert


Test Case: CWSandbox Output -> MAEC

Raw CWSandbox Output

Python XSD

Bindings MAEC XML

MAEC

Bindings•MAEC Actions•MAEC Objects•MAEC Behaviors


MAEC XSD

Collaboration

R l t d M ki S it M bl Eff t■ Related Making Security Measurable Efforts– There is significant overlap between MAEC, CAPEC, and CEE in

describing observed actions, objects, and states.A h ’ ki d l i h ti– As such, we’re working on developing a common schematic structure of observables for use in these efforts:


MAEC Community: Discussion List

■ Request to join: http://maec.mitre.org/community/discussionlist.html

■ Archives available


MAEC Community: MAEC Development Group on Handshake

■ MITRE hosts a social

Group on Handshake

■ MITRE hosts a social networking collaboration environment: https://handshake.mitre.org

■ Supplement to mailing list to facilitate collaborative schema development

■ Malware Ontologies SIG Subgroup


Combine elements of the ecosystem asCombine elements of the ecosystem as practical applications to support secure software operationssoftware operationsSecurity Content Automation Protocol (SCAP) and other Automation Protocolsand other Automation Protocols


Remembering the Acronyms• CPE (Platforms)What IT systems do I have in my enterprise?

• CVE (Vulnerabilities)What vulnerabilities do I need to worry about?

• CVSS (Scoring System)What vulnerabilities do I need to worry about • CVSS (Scoring System)yRIGHT NOW?

• CCE (Configurations)How can I configure my systems more securely?

• XCCDF (Configuration Checklists)How do I define a policy of secure fi ti ? XCCDF (Configuration Checklists)configurations?

• OVAL (Assessment Language)How can I be sure my systems conform to policy?

• OCIL (Interactive Language)How can I be sure the operation of my systems conforms to policy?conforms to policy?

• CWE (Weaknesses)What weaknesses in my software could be exploited?

• CAPEC (Attack Patterns)What attacks can exploit which weaknesses?

• CEE (Events)What should be logged, and how?

• ARF (Results)How can I aggregate assessment results?


• MAEC (Malware Attributes)How can we recognize malware?

Standardization Efforts leveraged by theSecurity Content Automation Protocol (SCAP)

• CPE (Platforms)What IT systems do I have in my enterprise?

• CVE (Vulnerabilities)What vulnerabilities do I need to worry about?

• CVSS (Scoring System)What vulnerabilities do I need to worry about • CVSS (Scoring System)yRIGHT NOW?

• CCE (Configurations)How can I configure my systems more securely?

• XCCDF (Configuration Checklists)How do I define a policy of secure fi ti ? XCCDF (Configuration Checklists)configurations?

• OVAL (Assessment Language)How can I be sure my systems conform to policy?

• OCIL (Interactive Language)How can I be sure the operation of my systems conforms to policy?conforms to policy?

• CWE (Weaknesses)What weaknesses in my software could be exploited?

• CAPEC (Attack Patterns)What attacks can exploit which weaknesses?

• CEE (Events)What should be logged, and how?

• ARF (Results)How can I aggregate assessment results?


• MAEC (Malware Attributes)How can we recognize malware?

SCAP – FDCC and USGCB


M-07-18

MEMORANDUM

FROM:

SUBJECI':

lbeOilice "Implemelll.l1ioo Sys!CmS," which and/or plans to cooillguratiOM by

EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET

WASHINGTON. D.C. 20503

June 1, 2007

M-08-22

EXECUTIVE OFFICE OF THE PRESIDENT OFFICE 0 ° \1ANA GE MENT AND BUDGET

W ASHING TON . 0 C 205-i}J

August I I. 2008

l\1.EMORANDUM FOR THE CHIEF INFORMAT ION OFFICERS

FROM: Karen s. Evan~:i."V.,LQ(Wv 1-J Admini~trator qltt E-Government and Information Technology

Su BJECT: Guidance on the Federal Desktop Core Configuration (FDCC)

In March 2007. OMB Memorandum M~7- l l announced the ''Implementation ofConunonly Accepled Security Configurations for Windows Operating Systems." directing agencies witll Windows XP " ' deployed and/or plan to u pgrade to the Vista " ' operating system to adopt tlle Federal Desktop Core Configuration (FDCC) security oonfiguratiOil< developed by tlle National Institute of Standards and Technology (NIST). tlle Department of Defense (DoD) aJld tlle Department of Homeland Security (DHS).

On June 20.2008, NIST published lhe updated Federal Desktop Core Configuration Major Version 1.0 senings release. Relative to the pre.,•ious version ofFOCC which was originally posted in July 2007. 40 settings have changed . Changes were derived from public conunent during the April and May 2008 public comment periods, aJ>alysis of the March 31 ,2008, Agency FDCC reports and subject matter expert.ise. FDCC Major Version 1.0 settings are a\•a.ilable at hnp://nvd.nist.gov/fdccldownload fdcc.cfm .

•'ederal Desktop Core Conll2urat1on Major Version I Jl

FDCC Major Version 1.0 is based on Microsoft Windows XP Service Pack (SP) 2 and Microsoft Windows Vista SP I. Although Security Content Automation Protocol (SCAP) Content has been engineered so that it will also operate 0 11 Windowi XP SP3. near-term \Vi11dows XP patch checking will be oriented toward Windows XP SP2. It is understood that many managed e.~vironments lhroughout lhe Federal government implement service packs shortly after their release. \\'bile ne.u-tenn Windows XP checking is based on Windows XP/SP2. we do not anticipate "''Y signifiCant measurement issues for Windows XP/SP3. KIST is currently working witlliT product vendors 10 develop additional SCAP Content based on lhe FDCC settings for olher platforms and appl ications.

To coincide with tbe release of fDCC Major Version 1.0. 11ew SCAP Conte.lt has also been made available. This SCAP Content is inclusive of the 40 FDCC settings changes. At !his time. lhe FDCC is comprised of settings located at http://fdcc.nisa.gov that CaJl be checked using the updated SCAP Content and SCAP-validated tools wilh FDCC Scanning capability as specified on the NIST website at http://n, ·d.nist .gov/scapproducts.cfm. Not all FDCC settings can be checked using autonu.ted scanning tools. NIST is coordinating the refinement of SCAP Content

NVDC>Ontai fW:

29632 eyE VL!In...-.bi!itin 150~

132~

2 150 U S CERT VYin Nqt§

31 7 1~

1)666 V uln« "'!le Prqdur!J

.._.. upcQot.d: 02/20/ 08 CVf:Publi~tion,..t•:

1 8 vulner.t>MOII!:I / d ..,.

ConfigurationGuidance

Knowledge Repositories SCAP-Based FDCC Guidance

Operations Security Management Processes

FDCC C li T lConfiguration

GuidanceAnalysis

FDCC Compliant Tools

Operational Enterprise Networks

E i IT

Enterprise IT Asset Management


CentralizedReporting

Enterprise ITChange Management


Knowledge Repositories SCAP-Based FDCC Reporting

IRSDOE DHS WH

ARMY AIRNAVY DISA IC

IRS COMMERCEDOE DHS WH

FORCE

LABOR DOJEDUCATION HUD HHS

DOT TREASURYVA INTERIOR DOS

© 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDCentralized Reporting

VulnerabilityAlert


AssetDefinition

Knowledge Repositories

ThreatAlert

IncidentReport

CPE/OVAL XCCDF/OVAL/CCE/CCSS

CVE/CWE/OVAL/CVSS/CWSS

CAIF/IDMEF/IODEF/CVE/CWE/OVAL/CPE/MAEC/CCSS/CWSS/

CVE/CWE/CVSS/CPE/CWSS/CCE/CCSS CVSS/CWSS OVAL/CPE/MAEC/CCSS/CWSS/

CEE/ARFCPE/CWSS/CAPEC/MAEC

AssetInventory

ConfigurationGuidanceAnalysis

VulnerabilityAnalysis

ThreatAnalysis

IntrusionDetection

IncidentManagement

CCE/CCSS/OVAL/ARF/

CVE/CWE/CVSS/ARF/

CVE/CWE/CVSS/ARF/CCE/CCSS/

CVE/CWE/CVSS/ARF/.CCE/OVAL/CCSS

CPE/OVAL/

OVAL/XCCDF/CCE/CCSS/CPE/ARF SCAP

Assessment

System &Software

AssuranceGuidance/


OVAL/ARF/XCCDF/CPE

CCE/CCSS/ARF/CWSS/OVAL/CPE/XCCDF

CCE/CCSS/OVAL/CWSS/XCCDF/CPE/CAPEC/MAEC

/XCCDF/CPE/CAPEC/CWSS/MAEC/CEE

ARFCPE/ARF SCAP

Assessment of System

Development,Integration, &Sustainment

Activitiesand

Certification &

Requirements

CWE/CAPEC/SBVR/CWSS/MAEC


Certification &Accreditation

CWE/CAPEC/CWSS/MAEC/OVAL/OCIL/XCCDF/CCE/CPE/ARF/SAFES/SACM

CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/CPE/CAPEC/MAEC/CWSS/CEE/ARF



Centralized ReportingEnterprise ITChange Management

Development & SustainmentSecurity ManagementProcesses Enterprise IT Asset Management

TrustManagement

IdentityManagement

Other Automation Protocols Can Capture the Government Use Cases…■ Enterprise System Information Protocol (ESIP)

– For reporting of asset inventory information. Common Platform Enumeration (CPE), etc.

■ Threat Analysis Automation Protocol (TAAP)– For reporting and sharing structured threat information. Malware

Attribute Enumeration & Characterization (MAEC), Common Attack Pattern Enumeration & Classification (CAPEC), Common Platform Enumeration (CPE), Common Weakness Enumeration (CWE), Open Vulnerability and Assessment Language (OVAL), Common Configuration Enumeration (CCE), and Common Vulnerabilities and g ( ),Exposures (CVE).

■ Event Management Automation Protocol (EMAP)– For reporting of security events. Common Event Expression (CEE),For reporting of security events. Common Event Expression (CEE),

Malware Attribute Enumeration & Characterization (MAEC), and Common Attack Pattern Enumeration & Classification (CAPEC).


Other Automation Protocols Can Capture the Government Use Cases…(concluded)

■ Incident Tracking and Assessment Protocol (ITAP)– For tracking, reporting, managing and sharing incident information. Open

Vulnerability and Assessment Language (OVAL), Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS), Malware Attribute Enumeration & Characterization (MAEC), Common Attack Pattern Enumeration & Classification (CAPEC), Common Weakness Enumeration (CWE), Common Event Expression (CEE), Incident Object Description Exchange Format (IODEF), National Information Exchange Model (NIEM), and Cybersecurity Information Exchange Format (CYBEX).

■ Enterprise Remediation Automation Protocol (ERAP)■ Enterprise Remediation Automation Protocol (ERAP)– For automated remediation of mis-configuration & missing patches. Common

Remediation Enumeration (CRE), Extended Remediation Information (ERI), Open Vulnerability and Assessment Language (OVAL), Common Platform p y g g ( )Enumeration (CPE), and Common Configuration Enumeration (CCE).

■ Enterprise Compliance Automation Protocol (ECAP)– For reporting configuration compliance. Asset Reporting Format (ARF), Open


p g g p p g ( ), pChecklist Reporting Language (OCRL), etc.

VulnerabilityAlert


AssetDefinition

Knowledge Repositories

ThreatAlert

IncidentReport

CPE/OVAL XCCDF/OVAL/CCE/CCSS

CVE/CWE/OVAL/CVSS/CWSS

CAIF/IDMEF/IODEF/CVE/CWE/OVAL/CPE/MAEC/CCSS/CWSS/

CVE/CWE/CVSS/CPE/CWSS/CCE/CCSS CVSS/CWSS OVAL/CPE/MAEC/CCSS/CWSS/

CEE/ARFCPE/CWSS/CAPEC/MAEC

AssetInventory

ConfigurationGuidanceAnalysis

VulnerabilityAnalysis

ThreatAnalysis

IntrusionDetection

IncidentManagement

CCE/CCSS/OVAL/ARF/

CVE/CWE/CVSS/ARF/

CVE/CWE/CVSS/ARF/CCE/CCSS/

CVE/CWE/CVSS/ARF/.CCE/OVAL/CCSS

CPE/OVAL/

OVAL/XCCDF/CCE/CCSS/CPE/ARF SCAP EMAPESIP ITAPTAAP

Assessment

System &Software

AssuranceGuidance/


OVAL/ARF/XCCDF/CPE

CCE/CCSS/ARF/CWSS/OVAL/CPE/XCCDF

CCE/CCSS/OVAL/CWSS/XCCDF/CPE/CAPEC/MAEC

/XCCDF/CPE/CAPEC/CWSS/MAEC/CEE

ARFCPE/ARF SCAP EMAPESIP ITAPTAAP

Assessment of System

Development,Integration, &Sustainment

Activitiesand

Certification &

Requirements

CWE/CAPEC/SBVR/CWSS/MAEC


Certification &Accreditation

CWE/CAPEC/CWSS/MAEC/OVAL/OCIL/XCCDF/CCE/CPE/ARF/SAFES/SACM

SwAAPCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/CPE/CAPEC/MAEC/CWSS/CEE/ARF



Centralized ReportingEnterprise ITChange Management

Development & SustainmentSecurity ManagementProcesses Enterprise IT Asset Management

TrustManagement

IdentityManagement

ERAP ECAP

[makingsecuritymeasurable.mitre.org]


... MITRE. In oolabora!Jon with II"W"'menl. induslty, and academocsta<&f1olclon.ll lm!>n>v"'l tho meuun~bll)y a(

HCUnly through onumeraUng ba ..... MCUrity data. p!OY!d.ng standardized r.nuuiiU .. u means far acx:untloly IXlftV11Unaling tha onfomlatDn, and onccunoglng tho shomg a( tho or4onnallan w;th UIOrl by dowlopng repoa1tot1U

Tho-~and inruab'IGII listed here llava ,.,.., """""pta or ccmpolble approacheS to MITRE's Together al cl thoaa lllo<1a ore helpong lo m ... MQJnly moro meosu'llble by defining tho conoopbs thai nood to be moasu-ed. p!OY!dong lor higl1 fodohly axnmuruc:atDna abo.A tho ~MBSUromenls, and p!OY!d.ng "" sharing altho mNSUr&tMrlta and the delinlionl cl w'lallo .,.. ....

Making Security Measurable

http:/ /msm.mltre.org/

.. ,..... •.curttr ~*taN ... ma'*'-n tD thl foftowi"Q ......

· ~t:tu:yMen:~gllf"ee't • AssatSea.loty~e!'t

Common Wnerablhbel and Expoluret. tcvall) • ootr.tren

~yM:MntifMJ

C ~JE Common Weakneu Enumetr.lon ICWE"') • bsl ol ~'\ire :J' ............ typOS

CAPEC C<>rnmonAIIad<PenomE"""'...-anoCiefll1leal""'fCAPEC'• > • ~ ol OClf'M"'Cln anack pallema

:•:C Common ~Enumera!Jon fCPE""l- common ptattorm -llfotn

Cont«lo< '"""'"" Securl!y ICIS! Con!enou! Secu<''Y MeltiCO DeftnUJono ·set ol stardard rrecncs and data dehnlbons 11'\81 can be UWd aaoss organtZIIUOfW to collea and W\llyze data on seo.rity process pertcrrr.ance and outc:cmes

Tvr.'!nly MOIIItre!O!tlnt Conttoll and Met<'lct lOr Ett~ C't!MN' Oelenee n1 Ccnli'IUoUSFISMACompUnce • t\loentykey ICIIonsorsecur.ty '"cOflltt'b" ftal otgltiza!IJns muat taU to bfoc:k 01 mitigate knOwn and taa~ expected ottacl<s

SANS Too Twenty· SANS/fBI consensus hi of lh8 Twenly ~ <:nticllllnlamel Securiry ~lklies lhtt uses CVE-10510 ~ty lhe ISSues

M ,EC Mhn A.'1rblte Erunlraton anc1 Charlcwtzauon CMAEC r.l • --- JtandatdiNd language kw atlribule--DUed malWate Chltacten2alon

8encf'ltr.attc~-resourceskw aeabng ~~ &1t'UCIUtlCI. and eutomatat»t secumy gudance

OVAllnterpt!tflr- tree 10e11 tor COilecbng Information rcr teltf'IQ. ~out OVAL DeMiionl and ptesent.ng tHUits ot lhe tHis

Brd'lrr.-tt Edtcw"" - tree toolllal Erilanon MCS ~· cnta)Cn and eckbng or bBnchmitf1t docUments wrllen 10 XCCOf an;J OVAL

ftecon!tr.endatfon lr8CkefN • f.tee IOQI thlf faclilates lhe develoc:w'r.entol autornl., ...,., ... -Ex-Cot!ftgur!!!o? ~~~ Oe!crc!C""' F<otmM IXCCOfl · spooJicotJan language tcrun.tomo e_...,ol 58<Utty ctoedllsts. bef'clvM!I<s anoconfig..atJon~

CMn ChedchstlnranM:tNe l.nlu80! IOCILl • 51an0afdlzed LaroJage for expr~t~slng ana evauatng non-aJtcmatec:J seaxt1y c::tl8dt5

C9mr!>n V....,_;y Sa!t!ng Sy!:!m ICVSSl • _......,.,. flat<lOIWO)'I """'"'"""'..-tyondhllpS<Io<t•mno...-gencyanoprlotltyolreoponoe

Pok:y Languaoe lor Assellfrlent Rewtts Repot!nq fPlAAAl -18ngu8Qt tor r~ IT asset tssesttr«''l r85l.ltJ rrom 10011. dal8basH. and octer products

Aues.sment Rnultl FOI'I"Nt fAAft · open language IIOr uc:hlnglng p8f-Oe\ltoe assessment rewtts data between essessrreol tools. nset 4a:abases.. end Olhef ptOdJCU NIIT'8fl8Q6 asset nkltma1lon

AJ5es.5menl Sumrr!l'f Results tASRl -lenguage fof ·~ tf.mmartled &SStitmenl ftiUitl data

(J..IXL (JI/IoJ..fleoool!o!y·""""""''~(JI/IoJ..\IIAnentblhl)'. •t#••••••r Complinoe. lnvencory, and Palef'l Oeftnttionl

Natsonll \Unetabd"Y Database (NVQ) • u.s. >Mnetabil!y ~se tlese<l on eve II"'M integrates al ~kfy evaubte vulnerlbtl!ty resources and ref«ences

NIST Seouri!'t Contant~ l'!p!oool !SCAPI · secuntyconlenllor llkJIOml~ I8Chnlcal ccntrot COI"''¥llance actM!Iet., ..unerabllty d'ledang, and _ .............. Red Hat ReooatO!')' • OVAL Patc:n Dtinuons mtresponcbng to Red Hat Etra!a sewrlty advoK~MS

Nationol er-1101 P!o(nm Ropo!i!O!'I • U.S. _.,...,.,. reposllotyot ptdcly IValabfe MOJnty c::l'ledcbts."bMc:hnaaks

CeMif lot lntemec Sec:ur ty {CIS! Bendmatks-be~pntCIICe secuity conllguraoono ac:cepted tor""""*""" wort FISMA, Ole ISO Slall<lanl, CLB, SOot. HIPM, Wid FIRPA. end Olhlt regulatory Nql.llf8r'IW!tllot 1'\kltmiiltian 18CUI'ity

OISA ~ Tadvlicol lrrp!eme!!a!!on GU<!et ISTICSI· U,S. Delonoe lnfcrno81Jcn SyatemaAgenc¥1 (OISA) STICS era cxonl~ """""'"'tor 000 Wonnalion assurance and llriotma'Jon assur~tie<l d~ and syr.:lems.

Common FratflewotU tot Vtlnlf'lbii•N D-tdoture and Resoottt! fCVRFl • stat'ldaR:I

lonnat to< "'f'OM9 end """"1111 "'"""""""Y -....tJon '""""9 """''*' 0tg8110:allons

F-.. Des-<10!! Ccro Cot!'g!.!!t!on IFOCCl · OMB.,._aewtiy conllgurao.cn to< Mlctooolt 1._.111<1a 11110 XPopentllt'q i)"tem-

....,.0<1 States ()o.ootmo""'Con!!c!..n!t.M BM..,. I!JSCCBl · 58<Uttyc:on!guta!lon

.......... "" ll - de!>b)'ed """"' teoeral _..,...

Vlow Uho current collection of org~~nlutlono, octlvltln, and lnltl.Uveo.

Tm YltDSIIIIIa "IOIUdb"J'T>-e Uf .. R( Ccrpc:nJ!ton Cl 2010~ YlR[ ~ CY( ard()/AL .. ,......_, ~ .-.:1 b MaJtn; Soa.r~Me_,.,~ 1cJVCt. <X:£.CW(. CP£. CAP'£C, CU MAEC ~ Ealor Mel Ailaomf"Widllbc:lr> l'ldter 81W ~of~ JliTR£ ~. AIJotrw\fKIIRIWb ... tne~oflf'ler~WCMTW'II Ccwaclia; ~~MintO!ll

P. L..- Upct.lllod: Seplaorller 02. 2010

supporting secure sft o tisoftware operations · cyber observable broader use cases detect...

Documents