Transcription
Prescriptive Guide SeriesSecurity ReferenceArchitectureA Practical Guide to Implementing Foundational ControlsAUTHOR:Dave MeltzerCTO, Tripwire, Inc.FOUNDATIONAL CONTROLS FORSECURITY, COMPLIANCE & IT OPERATIONS
TABLE OF CONTENTSPart One: Introduction 3What You’ll Learn 3Selecting A Framework 3Choosing A Maturity Model 4Developing ASecurity Architecture 5Prioritizing SecurityInvestments And Efforts 7Key Takeaways 8Part Two: A Reference Architecture forFile & System Integrity Monitoring 9Business Drivers forFile Integrity Monitoring 9Relation to Security Frameworks 10FIM Use Cases 10FIM Key Integration Points 11FIM Deployment with Tripwire 12Determining FIMAsset Coverage and Monitoring 12Evaluating Effectiveness 13Relationship of FIM to theC2M2 Maturity Model 14FIM Standard Operating Procedures 14Additional Services Provided by Tripwire EnterpriseFIM 15Key Takeaways 15Part Three: A Reference Architecture forSecurity Configuration Management 16Business Drivers for Security ConfigurationManagement 16Relation to Security Frameworks 17Use Cases for SCM 17SCM Key Integration Points 18SCM Deployment with Tripwire 192 TRIPWIRE PRESCRIPTIVE GUIDE TO A SECURITY REFERENCE ARCHITECTUREDetermining SCMAsset Coverage and Monitoring 19Evaluating Effectiveness 21Relationship of SCM tothe C2M2 Maturity Model 21SOPs for SCM 22Standard OperatingProcedures Outline 22Additional ServicesProvided by Tripwire SCM 23Key Takeaways 23Part Four: A Reference Architecture forVulnerability Management 24Business Drivers for Vulnerability Management 24Relation to Security Frameworks 25Use Cases for VM 25VM Key Integration Points 26VM Deployment with Tripwire 26Determining VM AssetCoverage and Monitoring 26Evaluating Effectiveness 27Relationship of VM to theC2M2 Maturity Model 28Systems Inventory and Categorization 28Standard Operating Procedures for VulnerabilityManagement 29Key Takeaways 29References 30
Security Reference Architecture–IntroductionPART ONE:INTRODUCTIONFor today’s chief information security officer (CISO),securing the organization has never been more challenging. Unfortunately, the CISO’s job is unlikely toget easier in our lifetime for a dizzying number ofreasons. Among these reasons, the rapidly expanding set of devices to protect, driven by growth in virtualization, the cloud, bring your own device (BYOD),and the Internet of Things (IoT). Add to that a continued shortage of qualified and skilled people totackle the work, an ever-increasing sophistication ofthreat actors, and stringent industry regulations andcompliance demands. Then top it off with a jumble ofsecurity solutions meant to address these issues thatthe CISO and security team must evaluate againstsecurity and compliance requirements and operational demands.Today’s organization needs to build a resilient architecture—a dynamic system that can provide effectivesecurity today, but that’s flexible enough to protectagainst the unknown threats and new technology oftomorrow. While the dream of the silver bullet solution with the power to stop all attacks on all systemsis just that—a dream—you can establish and follow asensible path forward to arrive at that system. Likeany complex project, you can transform the overwhelming into something manageable by steppingback, taking a deep breath, and breaking down thelarger project into smaller, doable pieces. That’s theintent of this Prescriptive Guide.WHAT YOU’LL LEARNThis guide describes an overall, holistic strategyand approach to developing a system that protectsagainst today’s threats in today’s technology environment.It explains how to develop an overall strategy forsecurity and compliance, including selecting thesecurity framework that will guide you in buildingyour system, and the maturity model that will helpyou advance your security program. It also discussesthe need to adopt or develop a reference architectureat the higher security system level. It then introducesa reference architecture built on the various foundational controls available through Tripwire’s solutions.Finally, it discusses how to select the security solu-tion vendors, and prioritize investments for the bestresults.The subsequent chapters in this Prescriptive Guidediscuss in much greater depth the three foundationalcontrols of the reference architecture offered byTripwire solutions—file integrity monitoring, securityconfiguration management and vulnerability management. They describe each control, explain whereeach fits in common security frameworks, how itgets used, key integration points with other controlsand business systems, deployment architecture diagrams, and many other important details and considerations related to the control.Although the reference architecture at the security control level is based on Tripwire solutions, youroverall strategy must address the other controls outlined by your security framework. As a result, a complete IT security system will encompass a broaderset of solutions from multiple vendors. Ideally, thesevendors and their solutions will work together to helpyour organization build a cohesive, inter-connectedsystem.SELECTING A FRAMEWORKYour first step in developing an architecture involvesselecting a security framework. The security framework formally describes the many processes, procedures and associated security controls that youcan use to reduce risk across your organizationand out to its many and diverse endpoints. Securityframeworks vary in their level of specificity. Someframeworks have very specific prescriptive guidanceon what should be done and the relative priority ofeach action, while others just paint a broad picture ofeverything that could be done.COMMON SECURITY FRAMEWORKSCommonly used security frameworks include theNIST Cybersecurity Framework, CIS Critical SecurityControls, ISO 27000-series, ISA 99/IEC 62443, FFIECInformation Security, COBIT, COSO, and HITRUSTCSF. The PCI DSS, though mostly perceived as acompliance mandate, provides highly prescriptivesecurity guidance that smaller and mid-size organizations in particular can leverage as a framework.TRIPWIRE PRESCRIPTIVE GUIDE TO A SECURITY REFERENCE ARCHITECTURE 3Page 3
Each framework consists of high-level functions anddetailed guidance on security controls. For example,the NIST Cybersecurity Framework, first published in2014 and widely adopted in the US, defines five highlevel functions of security: identify, protect, detect,respond and recover. It further defines 22 categories and 98 sub-categories within those functions.Similarly, the Center for Internet Security CriticalSecurity Controls for Effective Cyber Defense (formerly known as the SANS Top 20 and the 20 CriticalSecurity Controls), identifies 20 high-level criticalsecurity controls. Those 20 critical controls are categorized into families of ten System, four Network,and six Application controls, which are then furthersegmented into 149 total controls.security controls of an existing framework, explainshow these controls can interoperate most effectively,and outlines how they can do so in the context ofTripwire’s solutions and products.CONSIDERATIONS FORSECURITY FRAMEWORK SELECTIONThe second step involves choosing a maturity model,a valuable companion to your chosen security framework that focuses on your security program’s implementation and management of security. A maturitymodel specifies the types of processes and controlsthat should be in place as your security programadvances through each stage of the model. You’ll useyour chosen model to assess and establish a baseline of the current state of your security program,and guide it toward achieving higher levels of securitybased on your chosen framework. You can also useit to evaluate the effectiveness of your program andprioritize new investments.Selecting a primary security framework can helpyour organization align with a cohesive strategy, buthow do you go about choosing one? Making a choicemay appear particularly perplexing given that mostframeworks actually have more commonalities thandifferences, especially when it comes to their technical aspects. While no single framework can be definitively called the best, a few considerations will likelylead you to choose one over the other.Some frameworks have been developed with certainvertical industries in mind—for example, IEC 62443specifically provides guidance for organizations inindustrial markets. Other frameworks are morewidely adopted within geographies based on history and evolution. For example, although they arenot specific to these areas, the NIST Cybersecurityframework has more adoption in North America,while the ISO 27000-series has more European adoption. Although this should not be a single disqualifying factor, it is worth considering.Generally, leveraging the same security frameworkas your industry or regional peers provides significant advantages, including more available expertiseto implement it, easier benchmarking of program’smaturity against it, and a greater familiarity with it byauditors that leads to easier acceptance and approvalof its approaches to security.USING A FRAMEWORK WITHA SECURITY REFERENCE ARCHITECTUREThis security reference architecture doesn’t dictatewhich security framework you must use. Instead, itsimply provides best practices for using the individual4 TRIPWIRE PRESCRIPTIVE GUIDE TO A SECURITY REFERENCE ARCHITECTUREAlthough the reference architecture can be used withno overall security framework in place, selecting anappropriate security framework is recommended asa foundation for building and evolving your securityprogram. If you’ve already selected and implementeda framework, this reference architecture speaks tohow these controls fit in the frameworks most usedby our customers. As a result, you should be able tofairly easily understand how it fits within your choice.CHOOSING A MATURITY MODELCOMMONLY USED MATURITY MODELSJust as with security frameworks, you can selectfrom a large number of maturity models. Your choicemay be somewhat obvious depending on your selected framework, as many maturity models go handin-hand with a given framework. For example, theCybersecurity Capability Maturity Model (C2M2), produced by the US Department of Homeland Security inconjunction with the Department of Energy, complements the NIST Cybersecurity Framework. The C2M2model defines four levels of maturity with its maturityindicator levels, which range from 0–3 for each of thesecurity domains covered by the NIST CybersecurityFramework.If you are a customer of Gartner, their ITScore forInformation Security ecurity) is another option. Thisdefines five maturity levels that range from Level1: Initial to Level 5: Optimizing, along 10 measureddimensions. Forrester also offers its InformationSecurity Maturity Model, with maturity levels thatrange from 0 – Non-existent to 5 – Optimized.
Security Reference Architecture–IntroductionA MATURITY MODEL FORCRITICAL SYSTEMS AND ENDPOINT SECURITYMany security programs now recognize the importance of using a maturity model specific to particularareas of security. Systems that are most importantto the organization need to receive a heightened levelattentionSecuritycomparedto a commonend-user laptop.The SANSofEndpointMaturityModel (CONTINUED)Critical systems are a smaller but more highly sensitive set of systems compared to the broader set ofLevel 5: Proactive, Comprehensive, Continuous and Measurabledevices—endpoints—which can be broadly defined asAt this pinnacle level, the organization has a model security program around all itsevery device or system that connects to the organizaendpoints and user endpoints, designed and executed to anticipate change. It is alignedtion’stechnologyinfrastructure.withIT, procurementand businessrisk. It accurately identifies and protects all criticalns nurture awherein allr security to.ROGRAMbusiness processes, information and assets related to endpoints. Security policies odelson an intranet,andcriticalall affected usersare requiredto readrelevantpoliciesannually.All endpointinfrastructurecomponentsare monitoredmodelshavebeensecuritydevelopedandare seeinggreateruse because many organizations perceive the guidance from traditional security maturity models to beand law enforcement. If applicable, the organization participates actively with thetoo broador generictoAnalysisadequatelyaddress endpointappropriateInformationSharing ated toAll endpoint information is classified and labeled, and critical endpoint assets aredevelopthe SANSSecurityMaturityModelphysicallysegmentedto isolate Endpointthe most sensitivematerial. Dataloss preventionto LP)technologyis in place, and anygaugeencryptedthecommunicationswith outsideissecurityproxied so thatcontent may withbe inspected.Endpointssecurity.are locked downso thatprogramendpointThemodelno unauthorized software can run (whitelisting), and the network is configured todefines five levels of maturity based on measureautomatically reject any device not authorized, disabling the port and sending an alertments of six different dimensions, called elements.to operations staff. Users are fully aware of their security responsibilities; regular trainingcontinuously, initial responses to incidents are fully automated, and security leadershiphas established close coordination with Computer Emergency Response Teams (CERTs)and inoculation result in nearly zero user-error security incidents.LEVEL 1Random, orDisorganizedLEVEL 2Reactive,or TacticalLEVEL 3PreventativeLEVEL 4Organized,or DirectedLEVEL 5Proactive,Comprehensive,Continuous andMeasurableWhen selecting a security maturity model, you mayneed to include a separate model to help you gaugeand improve the effectiveness of your security program in securing the organization’s endpoints.TRIPWIRE’S REFERENCE ARCHITECTURE ANDTHE C2M2 MATURITY MODELThis reference architecture sets relate back to maturity levels defined in C2M2. The architecture helpsplace each security control into its appropriate C2M2domain, defining what levels of maturity you canexpect by implementing the reference architecturefor a given control, and differentiating between thevarious levels by what technologies, processes orpeople are in place. The reference architecture further defines appropriate MILs for the controls provided by Tripwire products, augmenting the generaldefinitions of the MILs with more specific guidance.DEVELOPING ASECURITY ARCHITECTUREWhile a security framework provides a broad view ofthe many different security controls an organizationmay need to deploy and manage; you shouldn’t viewit as a checklist of 149 controls that you can implement one by one until you are finished and secure. Inthe past, a checklist approach may have been moreappropriate, but security has evolved. Organizationsused to have a “defense in depth strategy,” withnumerous independently deployed security controlsthat provided layers of protection. Today, securityis more of an interconnected web of controls thatcommunicate with each other and adapt dynamicallybased on changing intelligence and needs.Fig. 1: The SANSEndpoint Security Maturity Model CurveFigure 2. Endpoint Security Maturity Model Curve9MIL0: Notaccomplishingobjectives, oraccomplishing withmanual processDetecting a Targeted Data Breach with EaseMIL1: Accomplishingobjectives, but withsome automation,but minimal or adhoc processMIL2: Establishedand followedstandard operatingprocedures, moreautomationMIL3: Matureimplementationwith high degree ofautomation andhighly optimizedFig. 2: The Cybersecurity Capability Maturity Model (C2M2) maturity indicator levels (MILs)TRIPWIRE PRESCRIPTIVE GUIDE TO A SECURITY REFERENCE ARCHITECTURE 5
confidence in its ability to sustain the performance of the practices over time and acrossthe organization.3.2.3 Summary of MIL CharacteristicsTable 3 summarizes the characteristics of each MIL. At MIL2 and MIL3, the characteristicassociated with the approach progression is distinguished from the characteristics associatedwith the institutionalization progression.Table 3: Summary of Maturity Indicator Level sPractices are not performedInitial practices are performed but may be ad hocInstitutionalization characteristics:Practices are documentedStakeholders are identified and involvedAdequate resources are provided to support the processStandards or guidelines are used to guide practice implementationApproach characteristic:Practices are more complete or advanced than at MIL1Institutionalization characteristics:Activities are guided by policy (or other directives) and governancePolicies include compliance requirements for specified standards or guidelinesActivities are periodically reviewed for conformance to policyResponsibility and authority for practices are assigned to personnelPersonnel performing the practice have adequate skills and knowledgeApproach characteristic:Practices are more complete or advanced than at MIL2Fig. 3: Generic characteristics of each Maturity Indicator Leveldefined in C2M2To better understand this evolution, consider thisexample: In the past, a network firewall and a fileintegrity monitoring system on a server had nothing in common other than they were both providingsecurity to an organization. Network and systemsecurity were considered very different practices,and although both were important, they barely overlapped. Because they were so different, building adeployment architecture for a firewall was unlikely toeven consider what security controls were in place onservers, other than perhaps what ports and protocolsthey would need to communicate over for management purposes.Contrast that to the way these controls are beingdeployed today. Next-generation firewalls now connect to threat intelligence services that provideupdated rules designed to block the command andcontrol of infected endpoint systems. These rulesare developed based on dynamic analysis of malicious code that’s been delivered to sandbox analysissystems.With the example above, a security reference architecture can help you coordinate the detection andreal-time delivery of a potentially malicious executable for analysis from a critical server to a malwareanalytics service. That service can then create blocking rules on an organization’s external firewall, whichmay block a successful malicious code insertionfrom being used to pivot to additional systems orexfiltrate data. That’s the connection and coordination of three separate security controls—a networkfirewall, a malware sandbox analysis service, and anendpoint detection and response system.6 TRIPWIRE PRESCRIPTIVE GUIDE TO A SECURITY REFERENCE ARCHITECTUREThe now interconnected nature of security controlsrequires you to architect security solutions together.A security reference architecture can help you definehow to implement your controls so that they form thisinterconnected and coordinated web of controls.CONSIDERATIONS WHEN SELECTINGSECURITY CONTROL SOLUTIONSWhile it would be wonderful if you could simply buyall 149 security controls from a single vendor andhave them all work together, that’s just not reality.Ironically, the vendors that have accumulated thelargest number of controls tend to do the worst jobof actually integrating them. In addition, some of thelargest security vendors in times past have recentlybeen the most active in end of life-ing and divestingproducts.That said, you probably don’t want to buy13your 149 controls from 149 different security vendors,either.Selecting the right vendors is important in developing a successful architecture. Maintaining a coreset of trusted strategic vendors that have articulated a well-defined framework, and demonstratedboth commitment and execution on integration andinteroperability with other security control vendors isthe best approach here.The ideal architecture for a security control is a complete, well-documented, and open API, with pre-builtintegrations with many partners. This allows for theconnectivity between security controls required bytoday’s approach to security. Unfortunately, thesecharacteristics tend to be present only in controlsbuilt on aggregating data from other systems. Whenchoosing a solution for a security control, identify themost important integration points in the architecturefor that control and determine if the solution has thecapability for those specific integrations.THE TRIPWIRE REFERENCE ARCHITECTURE SETYou can apply a model for security architecture tomultiple layers of security and at different levels ofabstraction. Tripwire’s reference architecture provides details at two levels:»Level»1: Systems security reference architecture,which describes the inter-related controls of anentire framework as it relates to systems security. This is complementary to other architecturesthat focus on network security.
Security Reference Architecture–Introduction»Level»2: Specific security controls referencearchitecture, which describes the architecture forthe individual controls offered by Tripwire.Our reference architecture set excludes other areaswhere reference architectures are also important.For example, the set excludes the areas of networkand application security and the myriad security controls outside of the scope of Tripwire’s offerings.Note that systems security is a broad area that covers multiple security controls. It includes controlsoffered by Tripwire, such as file integrity monitoring, security configuration management, vulnerability management and log management. But it alsoincludes additional controls from Tripwire partnersand others in the market, such as antivirus/antimalware, identity and access management, assetmanagement, deployment management, remotemanagement, patch management, email filtering,browser protection, exploit prevention and disasterrecovery.PRIORITIZING SECURITYINVESTMENTS AND EFFORTSWhen selecting security controls, you must first takethe time to identify which controls to use for all yourdifferent types of assets. This takes significant effortand thought. In addition, you must prioritize and balance the following three competing strategies acrossthis complete control set—perhaps an even greaterchallenge:»Depth»of coverage: Make additional use of thecontrols already in place on the assets alreadycovered»Breadth»of coverage: Deploy controls already inuse on additional assets not currently covered»Broaden»control set: Deploy new controls notcurrently in use on some assetsPerhaps the most logical way to determine whichcontrols to use and where involves taking a riskbased approach to prioritizing new security projects.This approach makes that determination by forecasting the impact a new project may have on reducingrisk and seeking to maximize that impact. In reality,almost any legitimate security control will reducerisk, and the sheer number of defined controls makeit impractical to fully evaluate the benefits of eachoption, so establishing these priorities can presentmany difficult decisions.CRITERIA FOR SECURITY CONTROLS DESCRIBED BYTHE TRIPWIRE REFERENCE ARCHITECTURETripwire’s reference architecture first distills all thepossible systems security controls you could deployinto a smaller set that meets the following criteria:Security is the control’s primary function. Some controls like disaster recovery may be critical to security, but serve their primary function in a broader IToperations use case. Such controls would fit into anIT operations reference architecture, and while noless important, are not included here.Security of the individual system the control interacts with is its primary function. Some controls maycombine network-based protections with individualsystem tools. For example, web filtering may be primarily done with a network proxy, but have a systemcomponent available for mobile and remote workersas well. The Tripwire reference architecture excludessuch a control because it would typically be found ina network security reference architecture.The resulting list of system security controls thatmeet these criteria include antivirus/anti-malware,exploit prevention, file/system integrity monitoring,identity and access management, log management,security configuration management and vulnerabilitymanagement.Figure 4 shows the systems to be addressed inthe Tripwire reference architecture based on bothnumbers of the type of asset and importance of theasset to the organization. Not surprisingly, endpointsconstitute the most numerous systems, but havethe lowest value. Infrastructure sits in the middle,and critical systems, while the least in number,rank highest in importance for an organization.Critical systems include both IT systems as well asoperational technology systems that run the physicaloperations of a company.While you can allocate all of your security investmentto the top of the pyramid to protect the crown jewelsat all costs, that leaves the majority of the organization at the base of the pyramid completely insecure.Finding the right balance of investment is the challenge, but the pyramid figure shows that investmentlevels should be higher at the top and relatively lowat the bottom, on a per asset basis.This suggests that for the critical systems, all themajor security controls are on plan to be implemented, but some controls may be omitted for endpoints,TRIPWIRE PRESCRIPTIVE GUIDE TO A SECURITY REFERENCE ARCHITECTURE 7
particularly those that require significant humaneffort to make work operationally. You should construct a more detailed implementation order basedon their prioritization with regards to the set of allcritical assets—for example, your payment systemsmay be most critical so you would invest more insecuring them sooner than you would in protectingyour less, but still critical, assets.Figure 5 shows how you can allocate systems security controls based on risk. Higher-risk systems inheritthe controls from lower risk systems, then add further security controls appropriate for those assets.KEY TAKEAWAYSAt this point, you should understand the importanceof, and have guidance on, selecting a security framework for creating your reference architecture. Youshould also recognize the value of selecting a security maturity model and have guidance on makingthat choice as well.In addition, you should realize that treating a securityframework as a checklist does not work with today’ssecurity that relies on an interconnected and coordinated web of security controls. Developing a resilientsystem for today’s security environment benefitsgreatly from use of a security systems referencearchitecture that spells out at a high level how eachcontrol connects with other controls and systems.Your system also benefits from a security controlsreference architecture that takes an in-depth look ateach control and its role in the overall systems security architecture.Finally, you should understand the challenges you’llface when prioritizing your security investmentsand possible approaches, such as a risk-basedapproach, that can aid you in meeting this challenge.Prioritization helps you identify the controls you willfocus on first when applying your security systemsand security controls reference architecture sets.Critical SystemControls Integrity Monitoring -—Change Auditing Mid-level ControlsEndpoint Controls Vulnerability Management Antivirus/Anti-Malware Exploit Prevention Identity & Access Endpoint Detection and Response EncryptionPatch ManagementFig. 4: Pyramid of asset count and value8 TRIPWIRE PRESCRIPTIVE GUIDE TO A SECURITY REFERENCE ARCHITECTUREFig. 5: Sample set of system controls allocated by risk
Security Reference Architecture–Part TwoPART TWO:A REFERENCE ARCHITECTURE FORFILE & SYSTEM INTEGRITY MONITORINGIn Part 1 you learned important background
and business systems, deployment architecture dia-grams, and many other important details and consid - erations related to the control Although the reference architecture at the secu-rity control level is based on Tripwire solutions, your overall strategy must address the other controls o
