Is Continuous Monitoring the Holy Grail of FISMA compliance? Maybe, maybe not; does it really matter? Let’s leave out the debate over whether or not the new FISMA regulations actually provide any real security. The reality is that we, as government employees or contractors, must
fulfill our compliance obligations. Those of us who want to provide real security in our
environments should not only abide by all compliance mandates, but also
implement security standards and practices that truly improve security within
our appointed domains.
With the varied types and levels of threats, the exponential growth in the
number of attempted attacks and the possibility that some threats are state
sponsored, federal government security professionals who are responsible for
the nation’s information must do everything possible to minimize the attack
surface we present to our adversaries. The days when security was provided by a firewall and an antivirus
product are long gone.
We must utilize a Defense-in-Depth strategy to minimize our
vulnerabilities. Defense-in-Depth relies on layers of defensive
technologies joined together into a mesh. Properly designed and
implemented, Defense-in-Depth strategies can provide a high level of fortification for our enterprises.
These layers have typically been comprised of products such as firewalls,
DMZs, Intrusion Prevention Systems, encryption technologies, VPNs and
antivirus products. Even with all of these in place we fall short of complete protection, and our
endpoints in particular have been a persistent problem for security professionals. For years,
protection for our endpoints has been based on the blacklisting (signature) approach used in antivirus products.
We all know that blacklist-based antivirus products have their shortcomings: they can only block what has already been catalogued.
Application whitelisting products not only overcome the shortcomings of
antivirus products, but add functionality that most antivirus products
do not or cannot perform.
“Lockdown” application whitelisting is a technology that has been
around for many years and has been successfully deployed in narrowly focused
controlled environments such as SCADA systems and fixed function devices.
Advanced Threat Protection, which encompasses application whitelisting as well
as memory protection and trusted change mechanisms, has matured to the place
where it is being deployed and successfully maintained in large enterprises,
including the Federal Government.
Many of the new threat vectors take advantage of vulnerabilities that
other portions of the Defense-in-Depth stack cannot defend against. As security
professionals, we have seen many breaches over the last 16 months that have one
thing in common: a user on an endpoint within the organization or its ecosystem
(like a defense contractor). People make mistakes, and we have to protect them
(and our organization) as best we can.
Social engineering techniques make it easy to get a person to make a
mistake and set off a malware attack; it happens every day. Once an attack has
started, the perpetrator wants to get some form of payload (malicious code)
loaded onto the user’s machine, or to leverage that machine to reach other systems inside the
network. IDS and antivirus providers do a decent job of stopping this threat as
long as they have seen it in the past and have developed signatures (hash values) for the
known malware. What these providers cannot stop are the threats that are
zero-day (malware never seen before, for which no signature exists) and memory-based attacks. A memory-based attack
happens when malware is loaded into the memory space of an already running program
and executed from there, so there may be no new file on disk for a scanner to examine. These memory attacks (e.g., DLL injection,
reflective DLL injection) are very hard to detect. It is
imperative that any application control, application whitelisting or malware
detection product you are considering have the full ability
to stop and report on in-memory attacks. A few vendors
claim to have memory protection, but very few are able to do the job
completely and correctly. Before you buy any of these products, run a full
set of penetration tests against them, covering both whitelist bypass and in-memory injection, to
ensure you are getting what the vendor claims to sell.
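The difference between a hash blacklist and a hash whitelist described above, as an added example that is not part of the original post. The "binaries" are constructed byte strings, and the HMAC-tagged "trusted change" path is a hypothetical stand-in for a deployment system approving a new build; both are assumptions of this example, not a description of any vendor's product.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hash a binary the way a file-based scanner or whitelist agent would."""
    return hashlib.sha256(data).hexdigest()


class HashBlacklist:
    """Signature-style antivirus model: deny only hashes already catalogued."""

    def __init__(self, known_bad):
        self.bad_hashes = {sha256_hex(b) for b in known_bad}

    def allows(self, binary: bytes) -> bool:
        return sha256_hex(binary) not in self.bad_hashes


class HashWhitelist:
    """Lockdown whitelisting model: run only approved hashes. Everything else is
    denied by default, so a never-before-seen binary fails with no prior knowledge of it."""

    def __init__(self, known_good, change_key: bytes):
        self.good_hashes = {sha256_hex(b) for b in known_good}
        self.change_key = change_key  # hypothetical key shared with the deployment system

    def allows(self, binary: bytes) -> bool:
        return sha256_hex(binary) in self.good_hashes

    def apply_trusted_change(self, new_binary: bytes, tag: bytes) -> bool:
        """Trusted-change mechanism: extend the whitelist only for binaries whose
        HMAC tag came from the deployment key. Without such a path every legitimate
        patch would be blocked exactly like malware."""
        expected = hmac.new(self.change_key, new_binary, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.good_hashes.add(sha256_hex(new_binary))
        return True


# Constructed stand-ins for executables; the bytes are arbitrary and carry no real code.
GOOD_APP = b"MZ\x90\x00 constructed stand-in: approved editor v1"
GOOD_APP_V2 = b"MZ\x90\x00 constructed stand-in: approved editor v2 (a patch)"
KNOWN_MALWARE = b"MZ\x90\x00 constructed stand-in: dropper already in AV signatures"
# The attacker repacks the same dropper: one byte differs, so the hash differs.
REPACKED_MALWARE = KNOWN_MALWARE + b"\x00"

CHANGE_KEY = b"constructed-deployment-key-not-for-production"  # assumption for the example

blacklist = HashBlacklist(known_bad=[KNOWN_MALWARE])
whitelist = HashWhitelist(known_good=[GOOD_APP], change_key=CHANGE_KEY)


def sign_change(binary: bytes) -> bytes:
    """What the hypothetical deployment system does when it approves a new build."""
    return hmac.new(CHANGE_KEY, binary, "sha256").digest()


def verdicts(binary: bytes):
    """Return (blacklist allows?, whitelist allows?) for one binary."""
    return (blacklist.allows(binary), whitelist.allows(binary))


if __name__ == "__main__":
    samples = [("approved app", GOOD_APP), ("known malware", KNOWN_MALWARE),
               ("repacked malware", REPACKED_MALWARE), ("unapproved patch", GOOD_APP_V2)]
    for name, sample in samples:
        print(f"{name:18} (blacklist allows, whitelist allows) = {verdicts(sample)}")
    # The patch is admitted only through the trusted-change path, never by a forged tag.
    print("forged tag accepted:", whitelist.apply_trusted_change(GOOD_APP_V2, b"\x00" * 32))
    print("signed tag accepted:", whitelist.apply_trusted_change(GOOD_APP_V2, sign_change(GOOD_APP_V2)))
    print("patch after trusted change:", verdicts(GOOD_APP_V2))
```

The repacked dropper slips past the blacklist because its hash was never catalogued, while the whitelist denies it without ever having seen it; the cost is that a legitimate patch is also denied until the trusted-change path admits it. Neither check sees a payload that is injected straight into a running process and never written to disk, which is why the post insists on separate memory protection.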
We security professionals must combine our tools and techniques into a
successful formula in order to provide security for our enterprise and
compliance with the regulations.
My Formula for Continuous Monitoring and Control.
(FW + DMZ + HIPS/NIPS + Crypto + VPN + AV + AC/AW) * SOC/NOC/Reporting
Event Mitigation
The first part of the formula, (FW + DMZ + HIPS/NIPS + Crypto + VPN + AV
+ AC/AW), is your Defense-in-Depth mesh (firewalls, DMZs, host- and network-based intrusion prevention, encryption, VPNs, antivirus, and application control/application whitelisting), woven together in
part or in whole by your security team.
The second part of the formula, * SOC/NOC/Reporting, is the daily
monitoring of events that occur within each and every security product in
your domain; hopefully, correlated together into some manageable form via a
SOC, NOC or reporting mechanism.
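What "correlated together into some manageable form" can look like in practice, as an added example that is not part of the original post. The log lines are constructed for this example in one normalized shape (real firewall, antivirus, whitelisting and HIPS products each log differently and would need their own parsers first), and the correlation rule, a burst of blocking or alerting events from two or more different products on the same host within ten minutes, is an assumption chosen to illustrate the idea rather than a rule from any product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (made up for this example; from no real product), already
# normalized to "timestamp source key=value ..." by a hypothetical collector.
SAMPLE_LOGS = r"""
2011-05-03T09:14:02 AV host=ws-117 action=quarantine name=Trojan.Generic
2011-05-03T09:14:05 AW host=ws-117 action=block path=C:\Users\jdoe\AppData\Local\Temp\update.exe
2011-05-03T09:14:09 FW host=ws-117 action=deny dst=203.0.113.7:443 proto=tcp
2011-05-03T09:20:41 FW host=ws-042 action=allow dst=198.51.100.9:80 proto=tcp
2011-05-03T10:02:13 AW host=ws-042 action=block path=C:\Temp\setup.exe
2011-05-03T10:03:00 HIPS host=ws-042 action=alert rule=reflective-dll-load pid=4128
2011-05-03T11:30:27 FW host=ws-203 action=deny dst=203.0.113.9:22 proto=tcp
"""

# Actions that mean a product stopped or flagged something on the endpoint.
NEGATIVE_ACTIONS = {"quarantine", "block", "deny", "alert"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_logs(text):
    """Turn the normalized lines into dicts with a parsed timestamp and source product."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts, source, rest = m.groups()
        fields = dict(KV_RE.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts)
        fields["source"] = source
        events.append(fields)
    return events


def correlate(text, window=timedelta(minutes=10), min_sources=2):
    """Group negative events per host; a burst inside `window` that involves at
    least `min_sources` distinct products becomes one incident for mitigation.
    A lone firewall deny stays noise; AV + whitelist + firewall on one host does not."""
    by_host = defaultdict(list)
    for ev in parse_logs(text):
        if ev.get("action") in NEGATIVE_ACTIONS and "host" in ev:
            by_host[ev["host"]].append(ev)

    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(events):
            start = events[i]["ts"]
            # events are sorted, so the window's members are contiguous from i
            cluster = [e for e in events[i:] if e["ts"] - start <= window]
            sources = sorted({e["source"] for e in cluster})
            if len(sources) >= min_sources:
                incidents.append({"host": host, "start": start.isoformat(),
                                  "sources": sources, "events": len(cluster)})
            i += len(cluster)
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(f"{incident['host']}: {incident['events']} events from "
              f"{'/'.join(incident['sources'])} starting {incident['start']} -> mitigation queue")
```

On the constructed input, ws-117 (antivirus quarantine, whitelist block and firewall deny within seconds) and ws-042 (whitelist block followed by a HIPS in-memory alert) each become one item for the mitigation queue, while the single firewall deny on ws-203 and the permitted connection from ws-042 produce nothing. Each product on its own reported an event; only the correlation across products turns the reporting into something an analyst can act on.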
STOP!!!
For us to be compliant with the Continuous Monitoring regulations in
FISMA, we are done, right? Well, yes, you can stop here and be compliant under
the mandates, but have you accomplished real security in your own domain,
or are you just filling out paperwork? If you stop here, you are doing yourself
and this nation a disservice. The gist of the FISMA requirements is that the
agencies must do monthly reporting of inventory assets, as well as the
continuous monitoring and reporting of security controls. The key here is that
the regulations mention security controls and do not mention security threats.
This is where we must go above and beyond the letter of the law to truly
perform our duties. So, please, by all means, do the paperwork, follow the
regulations, but don’t stop there.
GO…
The final part of the formula, Event Mitigation, is where the rubber
meets the road: where you take action and move toward fixing the issues that
have been uncovered. Without mitigation of the issues, you have not achieved
real security. Vindicate yourself, your team and your organization.
Grab the Grail…