SlideShare une entreprise Scribd logo

Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP)

Télécharger en tant que PPTX, PDF
J
John Gilligan

The story of Security Content Automation Protocol (SCAP)

Technologie
1  sur  22
Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan May, 2009 1
Problem Today’s state—CIOs of large enterprises cannot: • See their IT assets—they don’t know what they have • Tell which systems comply with policy • Makes reporting, enforcement impossible • Change configurations quickly in reaction to changing threats or vendor updates 2 IT organizations cannot effectively manage complex environments
Root Cause Today’s enterprise IT capabilities are: • Complex • Dynamic • Vulnerable • Fragmented in use of automated management 3 Processes and tools are immature
CIOs are concerned about enterprise IT management • Cost of poorly managed IT is growing rapidly • Cyber attacks are exploiting weak enterprise management – Weakest link becomes enterprise “Achilles Heel” – Cyber exploitation now a National Security issue • High quality IT support requires effective enterprise management 4 SCAP enables effective enterprise IT management and security
Goal—Well-Managed Enterprise • Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so • Integrated and automated enterprise management tools increase operational effectiveness and security without increased cost 5
Solution Elements • Governance • Technology • Discipline 6
Governance • Define management and security policies and properties to be implemented in enterprise IT environments • Accelerate evolution to a disciplined environment – Federal Desktop Core Configuration (FDCC)--Establishes initial configuration discipline – 20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines—Counter most significant threats with measurable controls – NIST Special Publication 800-53 (Information Security; Recommended Security Controls for Federal Information Systems)—Establish comprehensive disciplined management and security policies and controls 7
Technology • Use tools that are Security Content Automation Protocol (SCAP)-enabled • Automate management of configuration, asset management, and security properties – Continuously assess, report, enforce endpoint compliance – React quickly to changing situations (e.g., vendor patches, new configurations, revised policy) • Achieve cross-vendor integration, interoperability 8 SCAP enables tool integration and interoperability for disciplined enterprise IT management
Discipline Verify compliance with enterprise IT policies: • Continuously verify effectiveness of controls by leveraging automation and trend metrics • Also employ metrics for operational effectiveness and cost • Use Auditors and Red Teams to independently validate discipline • Ensure visible accountability for those who violate policies 9
Leveraging SCAP for Enterprise IT Management 10
Current SCAP Standards 11 CVE CVSS OVAL CCECPE XCCDF Software vulnerability management Configuration management Compliance management Asset management SCAP supports foundational IT management functions
Specific SCAP Standards 12 CVE CVSS OVAL CCECPE XCCDF Software vulnerability management Configuration management Compliance management Asset management Identifies vulnerabilities Scores vulnerability severity Criteria to check presence of vulnerabilities, configurations, assets Identifies configuration controls Language to express configuration guidance for both automatic and manual vetting Identifies packages and platforms SCAP enables enterprise-wide, cross-vendor interoperability and aggregation of data produced by separate tools
Mature Standards Illustrate Possibilities • Common Vulnerabilities and Exposures (CVE): industry standard for identifying vulnerabilities – 36,000+ vulnerabilities agreed upon over the last 10 years – 245 products, 138 organizations, 25 countries • Common Vulnerability Scoring System (CVSS): Payment Card Industry (PCI) uses to judge compliance of organizations that process card payments 13 Industry has adopted SCAP standards for individual needs
SCAP Gaining Momentum • Federal Desktop Core Configuration (FDCC/SCAP) – Ken Heitkamp (ex-Deputy CIO AF): “FDCC with SCAP not only establishes standard configurations for hardware suppliers, it also addresses security for those that develop software” • Open Vulnerability Assessment Language (OVAL) – McAfee: “The ability to…describe vulnerabilities on a system and exchange that information between tools is doing a great deal to improve [vendor] offerings” • NIST issues SCAP content for FISMA compliance – Steve Quinn (NIST): “[SCAP is] an automated approach to help agencies make the jump from security policies and mandates to secure systems.” 14
Product Interoperability The Problem • Different vendor products give different answers • CIOs can’t integrate across vendors The Solution • SCAP standard ‘OVAL’ introduced to enable integration • Red Hat adopted OVAL; found it increased value of their advisories to customers • Other vendors have followed (e.g., Symantec) 15 OVAL provides the “glue” for SCAP-compliant tools leading to interoperability
Enterprise IT Management Using SCAP • DoD Computer Network Defense (CND) data sharing pilot demonstrating enterprise management using SCAP – SCAP shows which systems are vulnerable; enables rapid, prioritized response (e.g., rush patching); provides follow-up reporting – Tony Sager (NSA): “We do it all now with SCAP- compatible tools.” • Organizations beginning to see SCAP benefits for other enterprise applications 16
Leadership is needed now 17 Shape technology to serve the public interest
Recommended Actions How Federal government can provide leadership: 1. Require SCAP-validated tools 2. Educate IT staff in how SCAP can be used for enterprise IT management 3. Deploy SCAP-validated tools; evolve to automated enterprise IT management 4. Share lessons learned with IT managers and vendors – More use cases—not just security – More transparent integration 18
SCAP can transform individual tools into integrated parts of an Enterprise IT Management Capability 19 Capabilities Tools SCAP
Enterprise IT Management Roadmap 20 Capability Cost
Contact Information 21 John M. Gilligan jgilligan@gilligangroupinc.com 703-503-3232 www.gilligangroupinc.com
Strategic Roadmap • Controlled configuration for Windows • Controlled configuration for major operating systems and applications • Standardized application white and black listing • Adaptive configurations based on threat • Faster vulnerability impact/patch level assessment • Standardized remediation, configuration control • Today • 2010 • 2010 • 2011 • OVAL adoption • 2012 22 More secure, more automated Real-time management More secure, automated, real time

Recommandé

Automating Enterprise IT Management
Automating Enterprise IT ManagementAutomating Enterprise IT Management
Automating Enterprise IT Management
John Gilligan
 
Open Architecture: The Key to Aviation Security
Open Architecture: The Key to Aviation SecurityOpen Architecture: The Key to Aviation Security
Open Architecture: The Key to Aviation Security
agoldsmith1
 
Panel Discussion: Why IT Service and IT Asset Management are Better Together
Panel Discussion: Why IT Service and IT Asset Management are Better TogetherPanel Discussion: Why IT Service and IT Asset Management are Better Together
Panel Discussion: Why IT Service and IT Asset Management are Better Together
Ivanti
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World CasesOfer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World Cases
centralohioissa
 
DevOpsDays Chicago 2014 - Controlling Devops
DevOpsDays Chicago 2014 - Controlling DevopsDevOpsDays Chicago 2014 - Controlling Devops
DevOpsDays Chicago 2014 - Controlling Devops
Brian Henerey
 
Structured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six SigmaStructured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six Sigma
EnergySec
 
How to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT InfrastructureHow to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT Infrastructure
Netwrix Corporation
 
7 Ways Backup Makes IT More Productive
7 Ways Backup Makes IT More Productive7 Ways Backup Makes IT More Productive
7 Ways Backup Makes IT More Productive
marketingunitrends
 

Recommandé

Automating Enterprise IT Management
Automating Enterprise IT ManagementAutomating Enterprise IT Management
Automating Enterprise IT Management
John Gilligan
 
Open Architecture: The Key to Aviation Security
Open Architecture: The Key to Aviation SecurityOpen Architecture: The Key to Aviation Security
Open Architecture: The Key to Aviation Security
agoldsmith1
 
Panel Discussion: Why IT Service and IT Asset Management are Better Together
Panel Discussion: Why IT Service and IT Asset Management are Better TogetherPanel Discussion: Why IT Service and IT Asset Management are Better Together
Panel Discussion: Why IT Service and IT Asset Management are Better Together
Ivanti
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World CasesOfer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World Cases
centralohioissa
 
DevOpsDays Chicago 2014 - Controlling Devops
DevOpsDays Chicago 2014 - Controlling DevopsDevOpsDays Chicago 2014 - Controlling Devops
DevOpsDays Chicago 2014 - Controlling Devops
Brian Henerey
 
Structured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six SigmaStructured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six Sigma
EnergySec
 
How to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT InfrastructureHow to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT Infrastructure
Netwrix Corporation
 
7 Ways Backup Makes IT More Productive
7 Ways Backup Makes IT More Productive7 Ways Backup Makes IT More Productive
7 Ways Backup Makes IT More Productive
marketingunitrends
 
Selecting the right security policy management solution for your organization
Selecting the right security policy management solution for your organizationSelecting the right security policy management solution for your organization
Selecting the right security policy management solution for your organization
AlgoSec
 
Empowering the evolving workforce with virtual workspaces
Empowering the evolving workforce with virtual workspacesEmpowering the evolving workforce with virtual workspaces
Empowering the evolving workforce with virtual workspaces
Dell World
 
Independent Software Assessments
Independent Software AssessmentsIndependent Software Assessments
Independent Software Assessments
DCG Software Value
 
TDi Technologies - IT Foundation Management (IT Operations)
TDi Technologies - IT Foundation Management (IT Operations)TDi Technologies - IT Foundation Management (IT Operations)
TDi Technologies - IT Foundation Management (IT Operations)
TDiTechnologies
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001
powertech
 
Dell Endpoint Systems Management Solutions
Dell Endpoint Systems Management SolutionsDell Endpoint Systems Management Solutions
Dell Endpoint Systems Management Solutions
CTI Group
 
Patch Management: 4 Best Practices and More for Today's Healthcare IT
Patch Management: 4 Best Practices and More for Today's Healthcare IT Patch Management: 4 Best Practices and More for Today's Healthcare IT
Patch Management: 4 Best Practices and More for Today's Healthcare IT
Kaseya
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
Lisa Niles
 
New Model for IT: Cloud Service Provider
New Model for IT: Cloud Service ProviderNew Model for IT: Cloud Service Provider
New Model for IT: Cloud Service Provider
VMware
 
3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a
Gene Kim
 
Why SaaS BI
Why SaaS BIWhy SaaS BI
Why SaaS BI
Birst
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
Sridhar Karnam
 
NetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don Jones
Netwrix Corporation
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
n|u - The Open Security Community
 
Level Up to a Seamless End-User Experience
Level Up to a Seamless End-User ExperienceLevel Up to a Seamless End-User Experience
Level Up to a Seamless End-User Experience
VMware
 
Principle 11 needs to go! by Ken France at #AgileIndia2019
Principle 11 needs to go! by Ken France at #AgileIndia2019Principle 11 needs to go! by Ken France at #AgileIndia2019
Principle 11 needs to go! by Ken France at #AgileIndia2019
Agile India
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
Jim Kaplan CIA CFE
 
6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments
EnergySec
 
Higher Efficiency and IT Empowerment with VMware vSphere with Operations Mana...
Higher Efficiency and IT Empowerment with VMware vSphere with Operations Mana...Higher Efficiency and IT Empowerment with VMware vSphere with Operations Mana...
Higher Efficiency and IT Empowerment with VMware vSphere with Operations Mana...
VMware
 
4 Best Practices for Patch Management in Education IT
4 Best Practices for Patch Management in Education IT4 Best Practices for Patch Management in Education IT
4 Best Practices for Patch Management in Education IT
Kaseya
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
Puppet
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
SecPod Technologies
 

Contenu connexe

Tendances

Selecting the right security policy management solution for your organization
Selecting the right security policy management solution for your organizationSelecting the right security policy management solution for your organization
Selecting the right security policy management solution for your organization
AlgoSec
 
Dell Endpoint Systems Management Solutions
Dell Endpoint Systems Management SolutionsDell Endpoint Systems Management Solutions
Dell Endpoint Systems Management Solutions
CTI Group
 
Patch Management: 4 Best Practices and More for Today's Healthcare IT
Patch Management: 4 Best Practices and More for Today's Healthcare IT Patch Management: 4 Best Practices and More for Today's Healthcare IT
Patch Management: 4 Best Practices and More for Today's Healthcare IT
Kaseya
 
3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a
Gene Kim
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
Sridhar Karnam
 
NetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don Jones
Netwrix Corporation
 
Principle 11 needs to go! by Ken France at #AgileIndia2019
Principle 11 needs to go! by Ken France at #AgileIndia2019Principle 11 needs to go! by Ken France at #AgileIndia2019
Principle 11 needs to go! by Ken France at #AgileIndia2019
Agile India
 
6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments
EnergySec
 
4 Best Practices for Patch Management in Education IT
4 Best Practices for Patch Management in Education IT4 Best Practices for Patch Management in Education IT
4 Best Practices for Patch Management in Education IT
Kaseya
 

Tendances (20)

Selecting the right security policy management solution for your organization
Selecting the right security policy management solution for your organizationSelecting the right security policy management solution for your organization
Selecting the right security policy management solution for your organization
 
Empowering the evolving workforce with virtual workspaces
Empowering the evolving workforce with virtual workspacesEmpowering the evolving workforce with virtual workspaces
Empowering the evolving workforce with virtual workspaces
 
Independent Software Assessments
Independent Software AssessmentsIndependent Software Assessments
Independent Software Assessments
 
TDi Technologies - IT Foundation Management (IT Operations)
TDi Technologies - IT Foundation Management (IT Operations)TDi Technologies - IT Foundation Management (IT Operations)
TDi Technologies - IT Foundation Management (IT Operations)
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001
 
Dell Endpoint Systems Management Solutions
Dell Endpoint Systems Management SolutionsDell Endpoint Systems Management Solutions
Dell Endpoint Systems Management Solutions
 
Patch Management: 4 Best Practices and More for Today's Healthcare IT
Patch Management: 4 Best Practices and More for Today's Healthcare IT Patch Management: 4 Best Practices and More for Today's Healthcare IT
Patch Management: 4 Best Practices and More for Today's Healthcare IT
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
 
New Model for IT: Cloud Service Provider
New Model for IT: Cloud Service ProviderNew Model for IT: Cloud Service Provider
New Model for IT: Cloud Service Provider
 
3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a
 
Why SaaS BI
Why SaaS BIWhy SaaS BI
Why SaaS BI
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
 
NetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don Jones
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
Level Up to a Seamless End-User Experience
Level Up to a Seamless End-User ExperienceLevel Up to a Seamless End-User Experience
Level Up to a Seamless End-User Experience
 
Principle 11 needs to go! by Ken France at #AgileIndia2019
Principle 11 needs to go! by Ken France at #AgileIndia2019Principle 11 needs to go! by Ken France at #AgileIndia2019
Principle 11 needs to go! by Ken France at #AgileIndia2019
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
 
6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments
 
Higher Efficiency and IT Empowerment with VMware vSphere with Operations Mana...
Higher Efficiency and IT Empowerment with VMware vSphere with Operations Mana...Higher Efficiency and IT Empowerment with VMware vSphere with Operations Mana...
Higher Efficiency and IT Empowerment with VMware vSphere with Operations Mana...
 
4 Best Practices for Patch Management in Education IT
4 Best Practices for Patch Management in Education IT4 Best Practices for Patch Management in Education IT
4 Best Practices for Patch Management in Education IT
 

Similaire à Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP)

Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
Puppet
 
Building DevOps in the enterprise: Transforming challenges into organizationa...
Building DevOps in the enterprise: Transforming challenges into organizationa...Building DevOps in the enterprise: Transforming challenges into organizationa...
Building DevOps in the enterprise: Transforming challenges into organizationa...
Jonah Kowall
 
The Business Value of Modernizing your Windows Infrastructure and Bringing Li...
The Business Value of Modernizing your Windows Infrastructure and Bringing Li...The Business Value of Modernizing your Windows Infrastructure and Bringing Li...
The Business Value of Modernizing your Windows Infrastructure and Bringing Li...
Puppet
 
Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controls
Oracle
 
Leveraging Change Control for Security
Leveraging Change Control for SecurityLeveraging Change Control for Security
Leveraging Change Control for Security
Tripwire
 
Microservices and the Modern IT Stack: Trends of Tomorrow - AppSphere16
Microservices and the Modern IT Stack: Trends of Tomorrow - AppSphere16Microservices and the Modern IT Stack: Trends of Tomorrow - AppSphere16
Microservices and the Modern IT Stack: Trends of Tomorrow - AppSphere16
AppDynamics
 

Similaire à Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) (20)

Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
Cybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesCybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best Practices
 
Building DevOps in the enterprise: Transforming challenges into organizationa...
Building DevOps in the enterprise: Transforming challenges into organizationa...Building DevOps in the enterprise: Transforming challenges into organizationa...
Building DevOps in the enterprise: Transforming challenges into organizationa...
 
The Business Value of Modernizing your Windows Infrastructure and Bringing Li...
The Business Value of Modernizing your Windows Infrastructure and Bringing Li...The Business Value of Modernizing your Windows Infrastructure and Bringing Li...
The Business Value of Modernizing your Windows Infrastructure and Bringing Li...
 
Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controls
 
Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...
 
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practiceJohn Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
John Mcdermott - Gold sponsor session: Hybrid - IT needs hybrid good practice
 
Redefine Corporate CyberSecurity Frameworks under "COVID-19" Situations, OW2o...
Redefine Corporate CyberSecurity Frameworks under "COVID-19" Situations, OW2o...Redefine Corporate CyberSecurity Frameworks under "COVID-19" Situations, OW2o...
Redefine Corporate CyberSecurity Frameworks under "COVID-19" Situations, OW2o...
 
Leveraging Change Control for Security
Leveraging Change Control for SecurityLeveraging Change Control for Security
Leveraging Change Control for Security
 
Software Engineering.ppt
Software Engineering.pptSoftware Engineering.ppt
Software Engineering.ppt
 
Get ahead of the cloud or get left behind
Get ahead of the cloud or get left behindGet ahead of the cloud or get left behind
Get ahead of the cloud or get left behind
 
Unit Iii
Unit IiiUnit Iii
Unit Iii
 
Enterprise Agile Adoption
Enterprise Agile AdoptionEnterprise Agile Adoption
Enterprise Agile Adoption
 
7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations
 
Suffering from “Franken” Monitoring?
Suffering from “Franken” Monitoring?Suffering from “Franken” Monitoring?
Suffering from “Franken” Monitoring?
 
Managing Compliance
Managing ComplianceManaging Compliance
Managing Compliance
 
Context Is Critical for IT Operations - How Rich Data Yields Richer Results
Context Is Critical for IT Operations - How Rich Data Yields Richer Results Context Is Critical for IT Operations - How Rich Data Yields Richer Results
Context Is Critical for IT Operations - How Rich Data Yields Richer Results
 
Microservices and the Modern IT Stack: Trends of Tomorrow - AppSphere16
Microservices and the Modern IT Stack: Trends of Tomorrow - AppSphere16Microservices and the Modern IT Stack: Trends of Tomorrow - AppSphere16
Microservices and the Modern IT Stack: Trends of Tomorrow - AppSphere16
 
PureApp Hybrid Cloud - Mark Willemse ING Presentation 11th September 2014
PureApp Hybrid Cloud - Mark Willemse ING Presentation 11th September 2014PureApp Hybrid Cloud - Mark Willemse ING Presentation 11th September 2014
PureApp Hybrid Cloud - Mark Willemse ING Presentation 11th September 2014
 

Plus de John Gilligan

Plus de John Gilligan (13)

Practical approaches to address government contracting problems
Practical approaches to address government contracting problemsPractical approaches to address government contracting problems
Practical approaches to address government contracting problems
 
The Economics of Cyber Security
The Economics of Cyber SecurityThe Economics of Cyber Security
The Economics of Cyber Security
 
Top Level Cyber Security Strategy
Top Level Cyber Security Strategy Top Level Cyber Security Strategy
Top Level Cyber Security Strategy
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?
 
Implementing Continuous Monitoring
Implementing Continuous MonitoringImplementing Continuous Monitoring
Implementing Continuous Monitoring
 
Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...
 
Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed Actions
 
Understanding Technology Stakeholders: Their Progress and Challenges
Understanding Technology Stakeholders: Their Progress and ChallengesUnderstanding Technology Stakeholders: Their Progress and Challenges
Understanding Technology Stakeholders: Their Progress and Challenges
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
 
Federal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practicesFederal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practices
 
Leveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber SecurityLeveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber Security
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and Future
 

Dernier

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Dernier (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP)

  • 1. Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan May, 2009 1
  • 2. Problem Today’s state—CIOs of large enterprises cannot: • See their IT assets—they don’t know what they have • Tell which systems comply with policy • Makes reporting, enforcement impossible • Change configurations quickly in reaction to changing threats or vendor updates 2 IT organizations cannot effectively manage complex environments
  • 3. Root Cause Today’s enterprise IT capabilities are: • Complex • Dynamic • Vulnerable • Fragmented in use of automated management 3 Processes and tools are immature
  • 4. CIOs are concerned about enterprise IT management • Cost of poorly managed IT is growing rapidly • Cyber attacks are exploiting weak enterprise management – Weakest link becomes enterprise “Achilles Heel” – Cyber exploitation now a National Security issue • High quality IT support requires effective enterprise management 4 SCAP enables effective enterprise IT management and security
  • 5. Goal—Well-Managed Enterprise • Every device in an enterprise is known, actively managed, and configured as securely as necessary all the time, and the right people know this is so or not so • Integrated and automated enterprise management tools increase operational effectiveness and security without increased cost 5
  • 6. Solution Elements • Governance • Technology • Discipline 6
  • 7. Governance • Define management and security policies and properties to be implemented in enterprise IT environments • Accelerate evolution to a disciplined environment – Federal Desktop Core Configuration (FDCC)--Establishes initial configuration discipline – 20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines—Counter most significant threats with measurable controls – NIST Special Publication 800-53 (Information Security; Recommended Security Controls for Federal Information Systems)—Establish comprehensive disciplined management and security policies and controls 7
  • 8. Technology • Use tools that are Security Content Automation Protocol (SCAP)-enabled • Automate management of configuration, asset management, and security properties – Continuously assess, report, enforce endpoint compliance – React quickly to changing situations (e.g., vendor patches, new configurations, revised policy) • Achieve cross-vendor integration, interoperability 8 SCAP enables tool integration and interoperability for disciplined enterprise IT management
  • 9. Discipline Verify compliance with enterprise IT policies: • Continuously verify effectiveness of controls by leveraging automation and trend metrics • Also employ metrics for operational effectiveness and cost • Use Auditors and Red Teams to independently validate discipline • Ensure visible accountability for those who violate policies 9
  • 10. Leveraging SCAP for Enterprise IT Management 10
  • 11. Current SCAP Standards 11 CVE CVSS OVAL CCECPE XCCDF Software vulnerability management Configuration management Compliance management Asset management SCAP supports foundational IT management functions
  • 12. Specific SCAP Standards 12 CVE CVSS OVAL CCECPE XCCDF Software vulnerability management Configuration management Compliance management Asset management Identifies vulnerabilities Scores vulnerability severity Criteria to check presence of vulnerabilities, configurations, assets Identifies configuration controls Language to express configuration guidance for both automatic and manual vetting Identifies packages and platforms SCAP enables enterprise-wide, cross-vendor interoperability and aggregation of data produced by separate tools
  • 13. Mature Standards Illustrate Possibilities • Common Vulnerabilities and Exposures (CVE): industry standard for identifying vulnerabilities – 36,000+ vulnerabilities agreed upon over the last 10 years – 245 products, 138 organizations, 25 countries • Common Vulnerability Scoring System (CVSS): Payment Card Industry (PCI) uses to judge compliance of organizations that process card payments 13 Industry has adopted SCAP standards for individual needs
  • 14. SCAP Gaining Momentum • Federal Desktop Core Configuration (FDCC/SCAP) – Ken Heitkamp (ex-Deputy CIO AF): “FDCC with SCAP not only establishes standard configurations for hardware suppliers, it also addresses security for those that develop software” • Open Vulnerability Assessment Language (OVAL) – McAfee: “The ability to…describe vulnerabilities on a system and exchange that information between tools is doing a great deal to improve [vendor] offerings” • NIST issues SCAP content for FISMA compliance – Steve Quinn (NIST): “[SCAP is] an automated approach to help agencies make the jump from security policies and mandates to secure systems.” 14
  • 15. Product Interoperability The Problem • Different vendor products give different answers • CIOs can’t integrate across vendors The Solution • SCAP standard ‘OVAL’ introduced to enable integration • Red Hat adopted OVAL; found it increased value of their advisories to customers • Other vendors have followed (e.g., Symantec) 15 OVAL provides the “glue” for SCAP-compliant tools leading to interoperability
  • 16. Enterprise IT Management Using SCAP • DoD Computer Network Defense (CND) data sharing pilot demonstrating enterprise management using SCAP – SCAP shows which systems are vulnerable; enables rapid, prioritized response (e.g., rush patching); provides follow-up reporting – Tony Sager (NSA): “We do it all now with SCAP- compatible tools.” • Organizations beginning to see SCAP benefits for other enterprise applications 16
  • 17. Leadership is needed now 17 Shape technology to serve the public interest
  • 18. Recommended Actions How Federal government can provide leadership: 1. Require SCAP-validated tools 2. Educate IT staff in how SCAP can be used for enterprise IT management 3. Deploy SCAP-validated tools; evolve to automated enterprise IT management 4. Share lessons learned with IT managers and vendors – More use cases—not just security – More transparent integration 18
  • 19. SCAP can transform individual tools into integrated parts of an Enterprise IT Management Capability 19 Capabilities Tools SCAP
  • 20. Enterprise IT Management Roadmap 20 Capability Cost
  • 21. Contact Information 21 John M. Gilligan jgilligan@gilligangroupinc.com 703-503-3232 www.gilligangroupinc.com
  • 22. Strategic Roadmap • Controlled configuration for Windows • Controlled configuration for major operating systems and applications • Standardized application white and black listing • Adaptive configurations based on threat • Faster vulnerability impact/patch level assessment • Standardized remediation, configuration control • Today • 2010 • 2010 • 2011 • OVAL adoption • 2012 22 More secure, more automated Real-time management More secure, automated, real time