Feb 17

Continuous Monitoring: Holy Grail to FISMA Compliance – Is It or Not?

From: WhiteSpace

by Patrick Dean

Well, is it or is it not? Who cares? Let’s take out the debate about whether or not the new FISMA regulations actually do anything for security practices, and face the reality that we, as government entities (whether directly employed by or contractually attached to a government entity), must fulfill our compliance obligations. Those of us who want to actually secure our environments will not only abide by the compliance mandates, but will also implement security standards and practices that truly improve security within our appointed domains.

With the varying types and levels of threats, the exponential growth in the number of attempted attacks and the possibility that some threats are state-sponsored, federal government security professionals who are responsible for the nation’s information must do everything possible to minimize the attack surface exposed to our enemies. The days when a firewall and an antivirus product provided security to our resources are long gone.

We must utilize a Defense-in-Depth strategy to minimize our vulnerabilities. Defense-in-Depth relies on a layered stack of defense technologies joined together into a mesh that, properly designed and implemented, can provide a high level of fortification for our enterprises. These layers have typically comprised products such as firewalls, DMZs, Intrusion Prevention Systems, encryption technologies, VPNs and antivirus products. Even so, this stack stops short of the goal of complete protection, and our endpoints have been a particular problem for security professionals. For years, protection for our endpoints has been based on blacklisting antivirus products. We all know that blacklist-based antivirus products have their shortcomings. Application whitelisting based products not only overcome the shortcomings of antivirus products, but add additional functionality that most antivirus products do not or cannot perform.

“Lockdown” application whitelisting is a technology that has been around for many years and has been successfully deployed in narrowly focused, controlled environments such as SCADA systems and fixed-function devices. Advanced Threat Protection, which encompasses application whitelisting as well as memory protection and trusted change mechanisms, has matured to the point where it is being deployed and successfully maintained in large enterprises, including the Federal Government.

Many of the new threat vectors take advantage of vulnerabilities that other portions of the Defense-in-Depth stack cannot defend against. As security professionals, we have seen many breaches over the last 16 months that have one thing in common: a user on an endpoint within the organization or its ecosystem (like a defense contractor). People make mistakes, and we have to protect them (and our organization) as best we can.

Social engineering techniques make it easy to get a person to make a mistake and set off a malware attack; it happens every day. Once an attack has started, the perpetrator wants to have some form of payload (malicious code) loaded onto the user’s machine or to leverage that machine to reach other systems inside the network. IDS and antivirus providers do a decent job of stopping this threat as long as they have seen it in the past and have developed hash values for the known malware. What these providers cannot stop are zero-day threats (never-before-seen malware) and memory-based attacks. Memory-based attacks happen when malware is loaded into the memory space of an already running program and executed from there. These memory attacks (e.g., DLL injections, Reflective injections) are hard and almost impossible to detect. CoreTrace Bouncer has been able to detect and terminate many DLL type attacks for some time. CoreTrace also has a patent-pending process that can detect and stop the Reflective Injection type payload. (Please see my colleague Greg Valentine’s video demonstrating the attack and how Bouncer stops it.)
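The difference between hash blacklisting and application whitelisting described above, together with the "trusted change" step a whitelist needs for legitimate updates, can be seen in a few lines. This is an added example, not code from the original post or from CoreTrace; the sample byte strings, the `TRUSTED_UPDATERS` set and all function names are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for executable files on an endpoint.
SAMPLES = {
    "approved_app": b"constructed: approved payroll client 1.0",
    "known_malware": b"constructed: sample the AV vendor has already hashed",
    # One appended byte: a "never seen before" variant with no signature yet.
    "new_variant": b"constructed: sample the AV vendor has already hashed\x00",
    "app_update": b"constructed: approved payroll client 1.1",
}

# Blacklist: hashes of malware seen in the past. Everything else may run.
DENYLIST = {sha256(SAMPLES["known_malware"])}
# Hypothetical names of installers allowed to introduce new approved code.
TRUSTED_UPDATERS = {"patch-server"}

def denylist_allows(data: bytes) -> bool:
    """Default-allow: block only what is already known to be bad."""
    return sha256(data) not in DENYLIST

def allowlist_allows(data: bytes, allowlist: set) -> bool:
    """Default-deny: run only what has been explicitly approved."""
    return sha256(data) in allowlist

def trusted_change(allowlist: set, data: bytes, installer: str) -> set:
    """Return the allowlist after an install attempt; only a trusted
    installer may add a new hash, anything else leaves it unchanged."""
    if installer in TRUSTED_UPDATERS:
        return allowlist | {sha256(data)}
    return set(allowlist)

def verdicts(allowlist: set) -> dict:
    """Map sample name -> (denylist verdict, allowlist verdict)."""
    return {name: (denylist_allows(d), allowlist_allows(d, allowlist))
            for name, d in SAMPLES.items()}

# Note: both checks look at files on disk. Code injected into the memory of
# an already running approved process is outside what either check sees.
if __name__ == "__main__":
    base = {sha256(SAMPLES["approved_app"])}
    for name, (deny_ok, allow_ok) in verdicts(base).items():
        print(f"{name:14} denylist_allows={deny_ok!s:5} allowlist_allows={allow_ok}")
```

The unseen variant passes the blacklist and is refused by the whitelist; the legitimate update is also refused until a trusted installer adds its hash, which is the operational cost a trusted change mechanism exists to absorb.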

We security professionals must combine our tools and techniques into a successful formula in order to provide security for our enterprise and compliance with the regulations.

My Formula for Continuous Monitoring and Control.

(FW + DMZ + HIPS/NIPS + Crypto + VPN + AV + AC/AW) * SOC/NOC/Reporting
Event Mitigation

The first part of the formula: (FW + DMZ + HIPS/NIPS + Crypto + VPN + AV + AC/AW) is the portion that is your Defense-in-Depth mesh woven together in part or in whole by your security team.
The second part of the formula: * SOC/NOC/Reporting is the daily monitoring of events that occur within each and every security product within your domain; hopefully, correlated together into some manageable form via a SOC, NOC or reporting mechanism.

STOP!!!

For us to be compliant with the Continuous Monitoring regulations in FISMA, we are done, right? Well yes, you can stop here and be compliant under the mandates, but have you accomplished real security in your relative domain or are you just filling out paperwork? If you stop here, you are doing yourself and this nation a disservice. The gist of the FISMA requirements is that the agencies must do monthly reporting of inventory assets, as well as the continuous monitoring and reporting of security controls. The key here is that the regulations mention security controls and do not mention security threats. This is where we must go above and beyond the letter of the law to truly perform our duties. So, please, by all means, do the paperwork, follow the regulations, but don’t stop there.

GO…

The final part of the formula: Event Mitigation is where the rubber meets the road, where you take action and move towards fixing the issues that have been uncovered. Without mitigation of the issues, you have not achieved real security. Vindicate yourself, your team and your organization. Grab the Grail…
