WIXLIB

It affords enterprise protection againstadversaries by correlating the data frommultiple systems to identify a coordinated external penetration attack orinsider threat.For many enterprise security teams,continuous monitoring appears to justmake more work. But through datacorrelation and analysis, it improvessystem security and makes the jobof protecting them easier by helpingidentify risks and the controls needed tomitigate them.WHAT IS CONTINUOUS MONITORINGFOR FEDERAL AGENCIES?NIST is working with the Office ofManagement and Budget (OMB) andDepartment of Homeland Security (DHS)to promote continuous monitoring alongtwo different tracks. The first focuses onusing FISMA compliance to enhance arisk management framework (RMF) andsecure systems. The second, which isassociated with the DHS Cyberscope initiative, focuses on using automation tocollect and analyze agency data acrossthe entire government.To understand continuous monitoring, you should be familiar with thesetracks, including related key documentsand activities. NIST SP 800-37 discussesand describes the role and requirements of continuous monitoring in arisk management framework. SP 800137 describes additional requirementsfor continuous monitoring that willrequire automation to extend reportingand monitoring government-wide.GUIDANCE FROM NIST SP 800-37FOR CONTINUOUS MONITORINGNIST Special Publication 80037, Revision 1, Applying the RiskManagement Framework to FederalInformation Systems [Feb 2010]provides the main source for usingFISMA compliance to enhance RiskManagement Framework (RMF) andsecure systems. The publicationdescribes six steps of an RMF:»» Step 1: Categorize informationsystems»» Step 2: Select Security Controls»» Step 3: Implement Security Controls»» Step 4: Assess Security Controls»» Step 5: Authorize Information System»» Step 6: Monitor Security ControlsEach step describes security functionsand specific tasks necessary to accomplish those functions. These functionsand tasks include well-known securityconcepts such as establishing information system boundaries, ensuring securesystem deployment, and ensuring continuous monitoring of the security controlsthat protect the system.Figure 1 lists the security functionsand tasks for “Step 6: Monitor SecurityControls”. The tasks describe how tocontinuously monitor the security controlsthat protect an information system.Security teams may carry out thesetasks, but many fail to use the resultingcollected information to systematically re-assess risk. For example, theSecurity FunctionTask PrescriptionInformation System and EnvironmentalChanges6-1: Determine the security impact of proposed or actual changes tothe information system and its environment of operation.Ongoing Security Control Assessments6-2: Assess a selected subset of the technical, management, andoperational security controls employed within and inherited by theinformation system in accordance with the organization-definedmonitoring strategy.Ongoing Remediation Actions6-3: Conduct remediation actions based on the results of ongoingmonitoring activities, assessment of risk, and outstanding items inthe plan of action and milestones.Key Updates6-4: Update the security plan, security assessment report, and planof action and milestones based on the results of the continuousmonitoring process.Security Status Reporting6-5: Report the security status of the information system (includingthe effectiveness of security controls employed within and inherited by the system) to the authorizing official and other appropriateorganizational officials on an ongoing basis in accordance with themonitoring strategy.Ongoing Risk Determination andAcceptance6-6: Review the reported security status of the information system(including the effectiveness of security controls employed within andinherited by the system) on an ongoing basis in accordance with themonitoring strategy to determine whether the risk to organizationaloperations, organizational assets, individuals, other organizations, orthe Nation remains acceptable.Information System Removal andDecommissioning6-7: Implement an information system decommissioning strategy,when needed, which executes required actions when a system isremoved from service.: FIG. 1 NIST 800-37 Rev 1, Step 6: How to Continuously Monitor IT Security Controls.4Defining and Planning Continuous Monitoring for NIST Requirements

Man-in-the-Middle vulnerability: making certain userpasswords and credentialinformation cannot be seenon the network and used tofor false authenticationCONTINUOUSLYMONITOR?YES, validate that thissetting is appropriate ANDdoes not change. Watchfor related changes to logsettings (specific events),escalation of privilege(events), and administrativeactivity.» Maps to risk tolerance» Adapts to ongoing needs» Actively involves managementLISHTABESAdministrative rights (thatcould change this setting),logging any changes tothe control (e.g. registryand uthentication spoofing, resulting in loss ofconfidentiality, integrity oravailability of data. Risk ofintentional or accidentalsetting changes is HighRESRisk to the ControlDEFINETThreat the ControlProtects AgainstMENEncrypt passwords andauthentication credentials(a setting in the OperatingSystem or Domain)PLESecurity ControlContinuous monitoring requires systemowners to employ various techniquesand tools. Although NIST SP 800-37 doesnot prescribe any specific techniques ortools, the analysis it demands requiresnear continuous assessment of controls, the ability to address dynamic andexternal sub-systems, and a means ofcollecting and correlating all the securitydata generated by continuous monitoring. The illustration in Figure 3, takenfrom NIST guidance, emphasizes theiterative, cyclic nature of this approach torisk assessment.IMThis example illustrates the centralrole NIST SP 800-37 plays in thefederal government’s push toward amore sophisticated risk-based model.This model relies on ongoing riskassessments of controls through continuous monitoring and subsequent tuningto meet specific system threats.REVIEW/UPDAsecurity function “Ongoing SecurityControl Assessments” assumes thatthe security team establishes an initialinventory of all security controls for aninformation system and that a selectsubset of these controls will subsequently be assessed for their associatedthreat, risk, interdependencies withother controls, and normal operatingprocess. Figure 2 shows the informationthis assessment could generate for onesystem-level control.ANALYZE/REPORT.: FIG. 3 The cyclic and dynamic nature of risk assessment.: FIG. 2 Example of assessment results.Defining and Planning Continuous Monitoring for NIST Requirements5

GUIDANCE FROM NIST SP 800-137FOR CONTINUOUS MONITORINGNIST Special Publication 800-137,Information Security ContinuousMonitoring for Federal InformationSystems and Organizations [IPD Dec2010] clarifies expectations of federalagencies around continuous monitoring.It also includes additional requirementsaround continuous monitoring that willassist in extending risk managementfrom the information system level to theenterprise level.CONTINUOUS MONITORING» Maps to risk tolerance» Adapts to ongoing needs» Actively involves managementREPORTSECURITYSTATUSThese additional requirements forenterprise-level risk managementinclude:»» Define continuous monitoringstrategy;»» Establish measures and metrics;»» Establish monitoring and assessmentfrequencies;»» Implement continuous monitoringprogram;»» Analyze data and report findings;»» Respond with mitigating strategies, orreject, transfer or accept risk; and»» Review and update continuous monitoring strategy and program.In addition, the document supportsbroader organizational goals aroundmeeting existing requirements forFISMA reporting and system-levelcertification and authorization (C&A).These requirements and goalsunderscore the need for automatedtechnologies and management.Although there is controversy aboutthese new requirements (mostlybecause many agencies already havesignificant investment in the FISMAreporting cycle and C&A process) oneagency is forging ahead. NASA recentlymade the dramatic decision to tie continuous monitoring directly to its C&Aprocess.4 The decision was designed6CONFIGURATIONMANAGEMENTAND CHANGE CONTROLMaintainvisibilityinto assetsMaintainawareness ofvulnerabilitiesSECURITYIMPACTANALYSISEnsure that implementedcontrols are achievingintended objectivesEnsure that controlsare being implementedcorrectly and as plannedASSESS AND EVALUATEIMPLEMENTEDSECURITY CONTROLS.: FIG. 4 Relationship of key elements in continuous enterprise-wide monitoring.to streamline the process and help theagency quickly experience the cost savings and improved systems security. Theeffort will focus on strong enterpriserisk management practices (defined byNIST) and suspend the traditional security certification process. Undoubtedlymany lessons will be learned as NASAexecutes this plan.KEY TAKEAWAYSFROM NIST SP 800-37NIST SP 800-137 offers two primarytakeaways. First, risk management mustbe viewed from an organization-wideperspective. Risk management activitiesat the top organizational level impact therisk management strategy and associated monitoring requirements at thecommon controls level (those controlscommon to multiple systems), on downto the level of individual informationsystem controls. In turn, the metricsmonitored at the common controls leveland the system level flow data back up tothe organizational level. This top-downDefining and Planning Continuous Monitoring for NIST Requirementsand bottum-up data flow impacts thedecisions made and controls selected atthe organizational level.Second, the following elements arekey for organization-wide continuousmonitoring:1. Configuration Management andChange Control2. Reporting of Security Status3. Assessment of Implemented Controls4. Security Impact Analysis (whichinforms which controls on whichassets are achieving intendedobjectives)Figure 4 shows the relationship betweenthese elements and helps clarify therole that data, data analytics and automation play in continuous monitoring.With the large number of controls theU.S. government employs and the comprehensive and onerous requirementsof the RMF, automation will be essential

for organization-wide risk management.In particular, automation will be neededto collect control alerts, verify controloperations, perform configuration management and report on security.AUTOMATED CONTINUOUSMONITORING AND REPORTINGFOR CYBERSCOPEThe second track related to continuous monitoring that NIST and the OMBare pursuing focuses on automation.Initially, NIST and OMB pushed for theuse of automation in new reportinginstructions for FISMA that the OMBoutlined in OMB Memorandum 10-15.5That memo explained that the OMBexpected agencies to manage their (theagencies’) security information with theOMB’s security management tools.6The OMB also wants agencies to sendtheir security information electronicallyto a new program called CyberScopethat the Department of HomelandSecurity (DHS) is currently developingin conjunction with the Department ofJustice.7 Specifically, the CyberScopemust be able to accept and analyzethe data required by NIST 800-137 thateach agency is supposed to submit. Thegovernment plans to use CyberScopeto assess its security stance across allagencies and inform its strategy fornational security and enterprise-widerisk/security. Agencies are mandatedto submit their data via CyberScope bySeptember 30, 2012.8 Given that thetechnology is still being developed, thismay be a lofty goal.Agencies not already involved withDHS’s implementation of CyberScopeand the OMB’s efforts should examine the NIST site http://scap.nist.gov/use-case/Cyberscope/. This site isassociated with the NIST efforts for theSecurity Content Automation Protocol(SCAP), the initiative to prescribe andTripwire VIA Solutions for Continuous Monitoring.: NIST guidance for FISMA calls for using automation to maintainsecure system configurations, provide robust alert and reportingfeatures, and support standards and initiatives such as CyberScope,SCAP and the Extensible Configuration Checklist DescriptionFormat (XCCDF). Tripwire VIA solutions meet the bulk of specificfunctionality called for by NIST. By using Tripwire as the coretechnology in their continuous monitoring program, the organizationshould be able to:1. Expand the number of systems and components that meetcontinuous monitoring requirements with a product that supportsthe real world mix of non-homogenous operating systems,applications and networking devices.2. Simplify setting up a continuous monitoring program with a toolthat provides continuous configuration assessment out of the box.This functionality supports prescribed controls from NIST 800-53(rev 3) for high, moderate and low baseline systems.3. Improve operational performance with a solution that supportsrecommended workflow for continuous assessment andmonitoring, and for the workflow and reporting requirementsassociated with change control, plan of action and milestones(POA&M) reporting, and remediation.4. Improve the ability to gain rapid approval of the organization’scontinuous monitoring program, thereby lowering cost of projectsecurity approval.monitor specific controls on workstations throughout the federal enterprise.At a high level, CyberScope can be seenas an analytical tool for SCAP-monitoreddevices.9 But realistically, in the shortterm CyberScope will likely see SCAPreporting as only one of many streamsof information it must process.Because agencies differ in the securitytools and tactics they employ, securitytool vendors will likely have to figure outcommon standards for sending information to CyberScope and for agency-widecollection of continuous monitoring data.Defining and Planning Continuous Monitoring for NIST Requirements7

HOW TO ADDRESSCONTINUOUS MONITORINGWhile NIST 800-137 describes the process and aspects of setting upa program for organization-wide continuous monitoring, the followingsteps give a starting point for developing such a program.STEP 1.IDENTIFY SYSTEMS ALREADYIN USE THAT CAN BE APPLIEDTO CONTINUOUS MONITORINGContinuous monitoring requires you toassess the assets, tools and technologyyou already use. Many of the security andoperational tools you use to manage yournetworks and systems will likely be partof your overall continuous monitoringsolution. In an interview, Jerry Davis atNASA noted that they simply collect security information that existing solutionslike patch and vulnerability managementtools provide, crunch that information ina database, and produce a system riskscore that they deliver to system owners.10NASA’s approach illustrates a pragmaticand logical approach to automation thatincludes the following tasks:1. Collect samples of the data andreporting existing tools provide.2. Consider what tools could automatethe identification of all IT assets andtheir status.3. Assess and categorize systems bytechnology, system boundary and risklevel/importance.4. Consider which features of securityand compliance tools best match yourneeds. For example, Take into account their age and support of other initiatives like SCAP. Examine whether their automation“capabilities” provide controls,monitoring of controls, configuration management, scanning,alerting and reporting.85. Develop a plan for assessing the needfor the following types of tools11 File Integrity Management Configuration Management/Assessment Log Management/SIEM/SEM Patch Management Vulnerability Assessment Access and Authentication Encryption and Key Management Risk Management and Assessment Change Control/Help Desk/IncidentManagementSTEP 2.ENSURE KEY PERSONNELUNDERSTAND ROLESAND RESPONSIBILITIESContinuous monitoring requires continued compliance with FISMA andother OMB mandates. To decreaseany perceived conflict in requirementsacross mandates, clearly define rolesand responsibilities and make certainthat key personnel understand the riskmanagement framework and risk management goals.NIST SP 800-137, section 2.4, describeskey personnel that in many ways havethe same responsibilities as authorizing and certifying personnel describedin FISMA. Avoid creating unnecessarynew programs and expanding personnel by reviewing potential overlap NISTSP 800-137 has with existing process,controls and risk management procedures. The results of this effort canlikely be used for compliance with continuous monitoring and CyberScope.Defining and Planning Continuous Monitoring for NIST RequirementsSTEP 3.DEVELOP (OR ENHANCE)A RISK MANAGEMENT PROCESSContinuous monitoring requires you toeither create a new risk managementprocess for the organization or enhancean existing one. Start by considering thehighest risk systems, and then createtemplates for defining system-level risksand mitigation actions for these systems.For federal systems, this step will likelyfollow the FISMA process that NIST SP800-37 describes and the controls thatNIST SP 800-53 defines. This processshould continue to support C&A compliance. Moving forward, the processshould also now describe how controlsthat can be automated are associatedwith high-priority risk, and assessed withspecific continuous monitoring tools.Next, as you begin to develop thesystem reports for continuous monitoring and the associated risk assessment,ask upper level and business levelmanagement to review reports, existingpolicies, risk tolerance, and securitymanagement to identify gaps in governance controls. These gaps will mostlikely be in policies and procedures, butthey will guide and inform the development of the organization’s continuousmonitoring program. The assessment ofcontrols, frequency of assessment, andadditional automation goals can also beclarified during this process. Decisionson what and how often to monitor willbecome the foundation for automationof the continuous monitoring program.These steps should provide a high levelstrategy for most organizations andpossibly encourage additional ideasabout how to establish a continuousmonitoring program.

CONCLUSIONS ABOUTCONTINUOUS MONITORINGTo recap what this paper has addressed: continuous monitoring isa process and a high level control with the goal of gathering andanalyzing security data to identify and mitigate risk and threats. Itshould be part of an overall system risk management strategy thatextends to all management levels.Continuous monitoring is also key tomeeting requirements for OMB/FISMAreporting via CyberScope—an evolvingnational assessment program. Prepareto work with OMB and DHS to help themdevelop this program. Meeting theserequirements will require you to defineor redefine roles and responsibilitiesand create a continuous monitoring program for managing enterprise security.Finally, continuous monitoring requirestechnology to monitor the broad rangeof controls prescribed in NIST guidance. This technology should helpsecure systems by collecting, correlating and analyzing security data.Automation of tasks and activities likecontinuous collection and correlationof status data from controls will beessential to manage and benefit fromthe volumes of valuable security datathat these controls generate.While this paper provides a high levelstrategy for developing a continuousmonitoring program, your organization may wish to start looking at someof the more technically challengingaspects of continuous monitoring—forexample, data collection, data management, and analytics.The following sources provide a starting point for examining the technicalrequirements of a solution:»» Appendix D of NIST 800-137 outlinesa series of protocols and initiativesaround continuous monitoring led byNIST, MITRE and DHS.12 These programs provide a wealth of informationand volunteer opportunities for organizations to help develop a solution.»» NIST Interagency Report 7756describes the DHS reference architecture, CAESARS, which is designedto “ enable enterprise continuousmonitoring by presenting a technicalreference architecture that allowsorganizations to aggregate collecteddata from across a diverse set ofsecurity tools, analyze that data,perform scoring, enable user queries,and provide overall situational awareness.” This reference architecturemay be useful for developing the datamanagement aspects of a continuousmonitoring solution.For many agency security teams, therequirements around continuous monitoring appear to create a great deal ofadditional work. However, investing insuch capabilities for enterprise-widesecurity will surely pay off in the longrun, with fewer major security incidentsand overall less effort expended toprotect the entire ecosystem of federalinformation systems.ABOUT SEAN SHERMAN.: Sean Sherman is a SeniorCyber-Security Consultantworking for clients to providestrategic security andcompliance solutions and solvecomplex problems to balancerisk,

and threats to support organizational risk management decisions. The objective is to conduct ongoing monitoring of the security of an organization's networks, information, and systems, and respond by accepting, avoiding/ rejecting, transferring/ sharing, or mitigating risk as situations change." .:. NIST SP800-37, REV 1