NIST SP 800-137

From: alnaqeb.com

By Brian Contos

At GFIRST in Atlanta, Georgia, I just gave an application and database hacking demonstration.  I demonstrated various attacks such as:

• SQL Injection
• XSS
• Session Hijacking
• Parameter Tampering
• Database Protocol Hacking

I also gave a demonstration of a targeted Phishing attack that brought together Metasploit, Stuxnet, Bit.ly, Facebook…oh, and Cameron Diaz.

These demonstrations were meant to highlight how vulnerable applications, databases, and sensitive data in general can be without the right security controls and development practices.  This is extremely relevant to Continuous Monitoring (CM) for federal agencies.

Continuous Monitoring

About a decade ago, the Federal Information Security Management Act (FISMA) of 2002 was created in response to the realization that information security is vital to the economic and national security of the US. However, the perception is that FISMA has had a marginal impact on improving security for many federal agencies.

Existing federal IT security practices lack processes built atop risk-based security controls. Without these controls, achieving the level of automation and granularity necessary for success in federal agencies is far too complicated, costly, manual,
 and error-prone. Thus, implementing continuous monitoring to measure its effectiveness isn’t possible. Understanding this disconnect, the US Department of Homeland Security (DHS) responded, and Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) and CAESARS Framework Extension (FE) were released about 10 years following FISMA.

CAESARS provides federal agencies with a technical reference architecture. This architecture is specifically designed to deliver guidance for secure, broad-based continuous monitoring implementations. CAESARS focuses on supporting cybersecurity operations, not on running reports to placate auditors and demonstrate compliance with regulatory mandates. Compliance reporting is a natural result of any holistic security strategy that is operationally effective both qualitatively and quantitatively.

CAESARS is a reference architecture that requires vendors to have expertise in endpoint, network, data, mobile, cloud, and embedded security along with centralized management and monitoring solutions for the entire security architecture. This is where the Security Connected platform from McAfee can help you achieve continuous monitoring.

McAfee offers a comprehensive security portfolio that maps directly to the CAESARS reference architecture. McAfee solutions encompass support for all subsystems, including sensor, database, presentation/reporting, and analysis/risk scoring. McAfee solutions interface with all 11 of the data domains that CAESARS requires—and we even offer integrated controls to secure CAESARS data.

The Security Connected platform is open, extensible, and built on the concept of integration with a vast array of solutions to enable agencies to realize value from existing investments in McAfee and third-party solutions. The result is improved ROI and streamlined compliance.

Continual, regular assessments are a prerequisite 
for moving IT security management from isolated assessments to continuous risk management as described by the National Institute of Standards and Technology (NIST) and Office of Management and Budget (OMB). McAfee is ready to help agencies seamlessly build the full end-to-end continuous monitoring solution they need to improve security and make FISMA compliance reporting easier and more efficient.