IASM Support for FISMA

Similar documents
MINIMUM SECURITY CONTROLS SUMMARY

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

NIST Special Publication

Four Deadly Traps of Using Frameworks NIST Examples

FISMAand the Risk Management Framework

NIST Security Certification and Accreditation Project

NIST Special Publication

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

NIST Compliance Controls

SAC PA Security Frameworks - FISMA and NIST

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

INFORMATION ASSURANCE DIRECTORATE

Appendix 12 Risk Assessment Plan

FISMA Compliance and the Search for Security. Tim Murray NES Associates February 5, 2008

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Ensuring System Protection throughout the Operational Lifecycle

Altius IT Policy Collection Compliance and Standards Matrix

Appendix 12 Risk Assessment Plan

Altius IT Policy Collection Compliance and Standards Matrix

CSAM Support for C&A Transformation

locuz.com SOC Services

Security Management Models And Practices Feb 5, 2008

Streamlined FISMA Compliance For Hosted Information Systems

Rev.1 Solution Brief

TEL2813/IS2820 Security Management

Recommended Security Controls for Federal Information Systems and Organizations

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

Securing an IT. Governance, Risk. Management, and Audit

New Guidance on Privacy Controls for the Federal Government

QuickBooks Online Security White Paper July 2017

SECURITY & PRIVACY DOCUMENTATION

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

INFORMATION ASSURANCE DIRECTORATE

Ransomware. How to protect yourself?

Evolving Cybersecurity Strategies

CIS 444: Computer. Networking. Courses X X X X X X X X X

CCISO Blueprint v1. EC-Council

The Common Controls Framework BY ADOBE

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

MIS Week 9 Host Hardening

Continuous protection to reduce risk and maintain production availability

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

The NIST Cybersecurity Framework

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Executive Order 13556

INFORMATION ASSURANCE DIRECTORATE

Varonis and FISMA Compliance

Compliance with NIST

Forensics and Active Protection

Meeting RMF Requirements around Compliance Monitoring

Security Standards for Electric Market Participants

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

CloudCheckr NIST Audit and Accountability

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

NW NATURAL CYBER SECURITY 2016.JUNE.16

Security Standards Compliance NIST SP Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

ENTS 650 Network Security. Dr. Edward Schneider

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Defining IT Security Requirements for Federal Systems and Networks

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

CompTIA Cybersecurity Analyst+

CND Exam Blueprint v2.0

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Solutions Technology, Inc. (STI) Corporate Capability Brief

10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?

NIST Risk Management Framework (RMF)

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Security+ SY0-501 Study Guide Table of Contents

FISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Cybersecurity & Privacy Enhancements

NIST Special Publication

Certification Report

Information Systems Security Requirements for Federal GIS Initiatives

ClearPath OS 2200 System LAN Security Overview. White paper

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

CRYPTTECH. Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations

Certification Report

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Certification Report

How AlienVault ICS SIEM Supports Compliance with CFATS

External Supplier Control Obligations. Cyber Security

Transcription:

Introduction Most U.S. civilian government agencies, and commercial enterprises processing electronic data on behalf of those agencies, are concerned about whether and how Information Assurance products they are considering for purchase can help them comply with FISMA. This document identifies the FISMA security controls for which Promia s Intelligent Agent Security Manager (IASM) provides implementation support and describes the IASM features that provide that support. Thus, when an agency has completed their FISMA security risk assessment and identified the security controls required in one or more of their information systems, they will then be able to determine how IASM assists in meeting their FISMA-related requirements. Overview of FISMA FISMA is an acronym that, depending on the context in which it is used, can refer to one of the following: Title III (the Federal Information Security Management Act) of U.S. Public Law 107-347 (the Electronic Government Act), which was signed into law on 17 December 2002; The FISMA implementation guidance that PL 107-347 explicitly required the National Institute of Standards and Technology (NIST) to develop and promulgate as Federal Information Processing Standards (FIPS); The security risk assessment process that PL 107-347 explicitly requires an agency or commercial enterprise to apply to each information system that is subject to the terms of the law in order to identify the technical security controls that are needed in that system; This document concentrates on FISMA in the context of the implementation guidance described in the second bullet, since that is where the concrete technical security controls to which IASM is a solution are defined and explained. As stated in the FISMA (PL 107-347, Title III, 3541): The purposes of this subchapter are to: (1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; (2) recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities; (3) provide for development and maintenance of minimum controls required to protect Federal information and information systems; (4) provide a mechanism for improved oversight of Federal agency information security programs; (5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector; and Page 1 of 8

(6) recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products. The FISMA statute tasked NIST with developing: Standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; Guidelines recommending the types of information and information systems to be included in each category; and Minimum information security requirements, (i.e., management, operational, and technical security controls), for information and information systems in each such category. As a result, NIST has produced the following FIPS (Federal Information Processing Standards) and Special Publications: FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, which addresses the first of the three NIST tasks. FIPS Publication 199 establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization resulting from the operation of its information systems; FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, which addresses the NIST tasking to develop Minimum information security requirements, (i.e., management, operational, and technical security controls), for information and information systems in each such category. FIPS Publication 200 specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. The goal of FIPS Pub 200 is to promote the development, implementation, and operation of more secure information systems within the federal government by establishing minimum levels of due diligence for information security and facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet minimum security requirements. NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, which provides guidance for the security certification and accreditation of information systems supporting the executive agencies of the federal government. NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, which provides guidance for selecting and specifying security controls for information systems supporting the executive agencies of the Page 2 of 8

federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information. NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, which provides guidance for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government. The guidelines apply to the security controls defined in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. NIST Special Publication 800-59, Guideline for Identifying an Information System as a National Security System, which provides guidance for identifying an information system as a national security system, which would be excluded from the requirements of FISMA. NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, which provides guidance for determining the types of information and information systems to be included in each category of potential security impact. Overview of IASM The Intelligent Agent Security Manager (IASM) is a high-speed, security-hardened appliance that collects, consolidates, and analyzes log data from network and security devices, as well as operating systems and applications, to detect and manage operational and security incidents. It is designed to also pull data from vulnerability management systems as well as databases and syslog servers. As well, it is capable of rapidly reconfiguring itself to receive and process data from new devices, systems, and applications. Log records are first analyzed, pre-filtered, and normalized by intelligent agent for each sensor on the monitored network. The records are then sent to the IASM appliance where the data is then correlated and analyzed further by one or more analytic engines to determine cyber attack profiles in real time. The IASM includes the Asset Viewer (AV) graphical user interface, which uses flexible and powerful 3-dimensional, user-definable, graphical components to provide a consolidated visualization of all assets on the monitored network. This visualization includes versions and patch levels of node operating systems, device and application status, ports in use, and other related information. The visualization also allows an operator to navigate between subnets of the monitored network, thus exposing the contextual relationship between those subnets. It also displays both operational and security incidents detected by the IASM appliance in a rapidly comprehensible view suitable to the needs of enterprise network operations center personnel. These visualization models have been operationally validated in a globally distributed enterprise. The visual elements can also be annotated with English descriptions to help operations personnel interpret their networks electronic terrain. Under an SBIR contract with the US Navy Computer Network Defense program, Promia jointly developed the IASM, which integrates security countermeasures for security incident detection, management, and response into the Navy network operations centers (NOCs). IASM is a new class of product, categorized as Security Information Management (SIM) that automatically collects, normalizes, and analyzes the operational and security event logs of diverse security relevant devices. IASM detects security incidents that are only visible when data available from multiple devices is considered. Having detected the incidents, IASM then identifies candidate Page 3 of 8

responses based on site-specific organizational policies and provides a unified operator interface for managing the incidents and responses. A requirement of the SBIR program is to reduce the lifecycle costs of technology by generalizing government-specific systems into commercially available products. Along with this requirement for commercializing the IASM technology is the obligation to comply with the policy that US Government organizations must favor the use of information assurance technologies that have been evaluated according to the Common Criteria (ISO 15488). The IASM Common Criteria (CC) TOE (Target Of Evaluation) is the general purpose Security Information Management Platform that provides the IASM functions that are needed both in an enterprise-specific SIMS such as the Navy-specific IASM and can be successfully evaluated using the CC. One of the most important aspects of selecting the functions in the IASM CC TOE was determining which IASM functions could be specified and tested without reference to detailed knowledge of a specific network. Also included in the IASM family of products is the Network Security Event Sensor (NSES) appliance, which functions as both an integral component of the IASM asset management capabilities and as a stand-alone intrusion and asset detection appliance. The NSES appliance provides: asset identification and mapping, passive asset fingerprinting, IP traffic anomaly detection (which is able to detect Zero-day network attacks), and attack signature sensing based on the Snort engine. The NSES also includes a collection of analytic services including false positive reduction, message aggregation, and IP address white- and black-listing. It also incorporates a "fishbowl" capability that records 1-60 second "snapshots" of IP traffic both before and after a security event for later review by remote analysts. This feature allows rapid propagation of summary event records while retaining contextual traffic information at the sensor level in case forensic review by highly skilled incident analysis personnel is later required. Figure 1, below, shows the operational concept for how the IASM, NSES, and Asset Viewer fit together with a monitored network. Page 4 of 8

Promia Security Management Products Network Security Event Sensor Appliance Intelligent Agent Security Manager Appliance Asset Viewer Figure 1 Promia Security Management Products Operational Concept In summary, the IASM family of products provides the following set of functions for possible use as part of the IT controls needed to comply with Sarbanes-Oxley requirements: Automatic detection (by the NSES) and visualization (by the AV) of hardware, operating system, and software application assets on the monitored network; Network intrusion detection sensors (on the NSES) that use both signature- and anomalybased algorithms to detect known and previously unseen network intrusion attempts; Collection and consolidation of operational and security events from both the NSES and third-party products into a unified, high-integrity,a security information management (SIM) repository where they are later available for a SOX compliance audit; Real-time analysis of events as they are collected from sensors on the monitored network by one or more analytic engines to monitor and detect security, operations, and SOX non-compliance incidents as they occur; Real-time visualization of emerging incidents, backed up by the ability to drill down through the security, operations, and SOX non-compliance incidents into the events that indicate and support the incident; Tools for managing the lifecycle of detected security, operations, and SOX noncompliance incidents: including remediation actions taken to correct detected problems; Tools for defining and generating summary and detail reports about security, operations, and SOX non-compliance incidents and actions taken to address the incidents, which can be used for continuous SOX compliance monitoring, as well as compliance audits; Page 5 of 8

Implementing FISMA Technical Security Controls Using IASM FIPS Publication 200 identifies minimum security requirements that cover seventeen securityrelated areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems and are the organizational framework for the 163 security controls identified in NIST Special Publication (SP) 800-53. The security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity. The bolded security-related areas above are ones for which the IASM has features that can be used to implement one or more of the security controls assigned to that area. The table below shows each of the security controls for which the IASM provides supporting functionality and describes the IASM feature(s) that support that control. CNTL NO. C O N T R O L N AM E Audit and Accountability I AS M F e a t u r e ( s ) S u p p o r t i n g t h e C o n t r o l AU-2 AU-3 AU-4 AU-5 AU-6 AU-7 Auditable Events Content of Audit Records Audit Storage Capacity Audit Processing Audit Monitoring, Analysis, and Reporting Audit Reduction and Report Generation A core feature of IASM is consolidation and management of audit records from multiple devices, OS, and applications. IASM also generates and manages the records of its own operation. This feature was validated by the NIAP evaluation. IASM models have 1-2 Terabytes of storage: enough for 180 days of records from medium to large enterprise networks All aspects of this control are present in IASM and were verified by both analysis and testing by the NIAP evaluation. IASM was developed specifically to automate this control and allows the simultaneous use of multiple analysis algorithms to improve the effectiveness of incident detection. Promia is continuously improving the breadth, depth, and effectiveness of the algorithms it provides with IASM. All aspects of this control are present in IASM and were verified by both analysis and testing by the NIAP evaluation. Page 6 of 8

CNTL NO. AU-8 AU-9 AU-10 AU-11 Time Stamps C O N T R O L N AM E Protection of Audit Information Non-repudiation Audit Retention Certification, Accreditation, and Security Assessments I AS M F e a t u r e ( s ) S u p p o r t i n g t h e C o n t r o l IASM implements this control (which was verified by both analysis and testing by the NIAP evaluation) for its internal use and also provides mechanisms to normalize events consolidated from other devices, OS, and applications to its internal time reference. All aspects of this control are present in IASM and were verified by both analysis and testing by the NIAP evaluation. Subject to the information being part of the audit records produced by relevant other devices, OS, and applications, IASM analytic engines can be developed to implement this control. If the originating devices, OS, & applications digitally sign the audit record, the non-repudiation case is stronger. IASM models have 1-4 Terabytes of storage: enough for 180 days of records from medium to large enterprise networks CA-7 CM-2 CM-3 CM-4 Continuous Monitoring Baseline Configuration Configuration Change Control Monitoring Configuration Changes Configuration Management Contingency Planning Subject to the appropriate configuration of other devices, OS, and applications on the IS, IASM can monitor and report on the availability and operation of control implementations. IASM asset management features provide tools for both establishing the baseline and detecting and managing changes to the baseline. IASM asset management features provide partial support for documenting completed changes to the information system. IASM asset management features detect the addition of new devices, OS, & applications, which supports this control. CP-9 CP-10 Information System Backup Information System Recovery and Reconstitution Incident Response IASM provides the hardware and software to conduct tape backups of the consolidated audit records from other devices, OS, & applications on the IS, as well as its internal audit trail. IASM can restore the consolidated audit records of other devices, OS, & applications on the IS from tape backups. IR-1 IR-2 IR-3 IR-4 IR-5 IR-6 Incident Response Policy and Procedures Incident Response Training Incident Response Testing Incident Handling Incident Monitoring Incident Reporting IASM provides support for multiple incident response roles and for automation of the workflow between and within those roles. Promia developed a simulation product that it uses for IASM usage training that can support this control at customer sites. Promia conducts similar testing as part of its IASM quality and security assurance processes, which can be leveraged into IASM customer solution consulting. IASM was developed specifically to automate the analysis and detection of security incidents: even including the simultaneous use of multiple analysis algorithms to improve the effectiveness of incident detection. IASM has features to categorize incidents, recommend responses, and automate those responses. Finally, IASM has user interface workflow support to ensure involvement of appropriate personnel as required by the organization s incident handling process. Customers can use IASM s report generation feature to produce incident reports for appropriate authorities. IASM includes report templates for several such authorities. For authorities with automated reporting mechanisms, IASM s automated incident response feature can be used to integrate the submission of the reports into the customer s automated internal incident management process. Page 7 of 8

CNTL NO. C O N T R O L N AM E I AS M F e a t u r e ( s ) S u p p o r t i n g t h e C o n t r o l System and Services Acquisition SA-4 Acquisitions IASM can meet acquisition requirements for CC evaluation. SA-5 SA-8 SA-10 SA-11 SC-2 SC-3 SC-5 SC-8 SC-9 SC-10 SC-11 Information System Documentation Security Design Principles Developer Configuration Management Developer Security Testing Application Partitioning Security Function Isolation Denial of Service Protection Transmission Integrity Transmission Confidentiality Network Disconnect Trusted Path System and Communications Protection As a result of its CC evaluation, IASM is shipped with user and administrator documentation, as well as installation, generation, & startup instructions. Likewise, Promia maintains the internals documentation required by an EAL3 evaluation and can make it available as part of customer solution consulting The IASM component of any customer solution has been shown to comply with the security design principles specified in CC EAL3. The IASM component of any customer solution has been shown to comply with the configuration management requirements of CC EAL3, as well as the additional requirements of CC ALC_FLR.2 for flaw remediation. The IASM component of any customer solution has been shown to comply with function security testing requirements of CC EAL3. In addition, Promia has extensive experience supporting the CT&E of IASM according to DITSCAP. IASM is a dedicated hardware appliance with no mechanisms for running user-developed code. Using both SSL at the network level and role-based access control to its operational and administrative user interfaces, IASM ensures isolation of its security functions from users on the information system being monitored and protected. As a mechanism for detecting DoS attacks, IASM provides the system operators with information needed to counteract those attacks before they affect the system operation. IASM uses SSL to protect the integrity and confidentiality of both event data that it collects from the information system being monitored and protected and its own user interfaces. IASM enforces this control on both user interfaces and event collection agents. IASM uses SSL to establish the trusted path between itself and the operator or administrator s browser. SC-12 Cryptographic Key Establishment & Management IASM uses the standard mechanisms within SSLv3 SC-13 Use of Validated Cryptography The SSL implementation in IASM has been validated according to FIPS 140-2 SC-17 Public Key Infrastructure Certificates IASM can use PKI certificates when they are available. System and Information Integrity SI-2 SI-4 SI-5 SI-6 SI-7 Flaw Remediation Intrusion Detection Tools and Techniques Security Alerts and Advisories Security Functionality Verification Software and Information Integrity The asset manage feature of IASM can provide better information about components of the IS that might be subject to newly discovered flaws. Also, Promia has an aggressive flaw remediation program in place in the event of IASM flaws. IASM is designed to be a core component of solutions for this control. IASM incident management and response management features can automate some parts of this control. If appropriate events are logged and forwarded to IASM, it can provide real-time detection of anomalous security function behavior in other components of the IS. In combination with HIDS that provide integrity checking, IASM can provide real-time detection of anomalous changes to critical resources. Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback