Federal Cybersecurity: Security Fundamentals for Federal Agencies

Policy Compliance

Policy compliance is a broad term that can encompass different types of policies such as internal agency standards or widespread regulatory requirements. Regardless of which type or types of policies your agency must comply with, auditing will play a central role in the compliance process.

Audits are the methodology used to assess policy compliance. Even if your agency implements all the required controls and capabilities required by a policy, you can still fall into noncompliance by failing to achieve a demonstrable ability to measure your systems against that policy.

Differentiate compliance from controls

It’s critical to understand the difference between the implementation of security controls and policy compliance itself. Following the directives of security controls (such as the CIS Controls, formeraly known as the Critical Security Controls) is just one set of actions that help agencies meet compliance. Policy compliance products and solutions that effectively make your control implementation efforts worthwhile possess one or more of the following capabilities:

Provide: Tools that directly provide a required control fall into this category. If an agency has a requirement for vulnerability assessment, the VA tool provides that control.

Validate: Some tools are specifically designed to measure whether another control is in place and configured correctly. These tools validate a control, but they don’t provide it directly.

Support: There are definitely cases where a tool or capability doesn’t fulfill all the requirements of a required control but makes the use of that control substantially easier or more effective.

Speaking in these terms—provide, validate, support—paves a clearer approach to compliance. Selection of a tool that provides one control doesn’t necessarily guarantee validation, so it’s important to ask how that control will be validated. At the same time, a powerful tool might not provide or validate, so it’s important to assess how other controls are supported. It’s important to avoid confusing the controls themselves with their validation.

How policy compliance adds value

Policy compliance tools should be focused on validation and justification for an auditor. Any new policy compliance tool should reduce the time spent preparing for audits by collecting data and delivering it in a usable format. In many cases, that’s a report, but it might also include the ability to extract specific data as an auditor requests it. Use previous audits as a guide to determine how the tool might help. Tools should not actually make audits harder to pass.

Policy compliance can also be a budget driver. Return on investment for security is difficult because the outcomes are difficult to predict. Policy compliance is designed to pair a risk with a predictable outcome, usually a fine or other punitive measures. That creates an environment in which budget can be effectively allocated.

That predictable outcome can also be used to secure budget for tools and capabilities that have benefits beyond the specific policy. Compliance can be leveraged to justify budget.

Tripwire Enterprise

Tripwire® Enterprise is an integrated cybersecurity solution suite composed of three primary components: Tripwire File Integrity Manager, Tripwire Policy Manager and Tripwire Remediation Manager. Tripwire Policy Manager continuously assesses system changes and reports on your agency’s compliance status with out-of-the-box compliance testing for FISMA, NERC, CIP, SOX, COBIT and many others.

Tripwire Enterprise benefits:

• Supports over 1,000 policy and platform combinations
• Reduces audit preparation time and cost with audit-ready reporting
• Frequently updated to ensure you always have the coverage you need
• Continuously compares your baseline configurations to policy standards
• Protects your data with system hardening and compliance enforcement
• Automates workflows via integrations with SIEMs and change management systems

File Integrity Monitoring

Each and every security breach correlates to a change within a system. That’s why IT managers need to understand the importance of change management and file integrity monitoring (FIM). Agency environments require preventive and detective controls that identify change.

AI, machine learning and active threat hunting are certainly providing new tactics in the security industry, but the ability to pinpoint changes across your entire environment is where you’ll find the most value.

Integrity monitoring is nothing new, but the core capabilities it utilizes have evolved dramatically in recent years. Change detection is FIM’s central functionality, and the scope of your overall integrity management strategy can be even broader.

Shift to integrity management from basic FIM

FIM isn’t just for files anymore. It now encompasses a wider range of tools and tactics that fall under the umbrella term “integrity management.” Integrity management is composed of four basic steps:

Secure deployment: Ensure that the system’s you’re deploying meet risk acceptance criteria. First, establish those criteria so that you can measure the security performance of your servers, images and containers across all environments—be they on-premise, virtual or cloud.

Baseline deployed systems: If you don’t have a solid baseline, you can’t identify changes from it to understand how they affect the risk posture of your systems.

Monitor for change: Once your baseline is established, what process will your agency use to monitor that baseline for changes? Establish an explicit and rigorous change monitoring process that yields high visibility into your entire data ecosystem.

Act on important changes: Most changes don’t require action, but you need a reconciliation process that separates the wheat from the chaff. IT managers must be able to quickly assess which changes impact risk and which changes are routine.

Integrity management’s critical role

Applying the principles of integrity management helps agencies prevent, detect and investigate security incidents in their systems. The core capabilities of integrity management satisfy a variety of regulatory standards such as the National Institute of Standards and Technology’s 800-53 governing security and privacy protocols (NIST 800-53).

NIST 800-53 requires stringent system information and integrity controls. It also calls for the use of “[...] integrity verification tools to detect unauthorized changes” on a number of organization-identified objects. This is included in control SI-07. While integrity verification is required for SI-07, the ability to detect and reconcile changes delivers validation of many other controls. Fig. 1 Tripwire Enterprise provides both robust FIM and comprehensive policy compliance.

And while integrity management cannot “[...] create, enable, modify, disable and remove information system accounts in accordance with policy” as the AC-02 account management control calls for, it will provide the ability to capture every single one of those changes for investigation and audit.

Tripwire File Integrity Manager

Integrity management processes can generate staggering amounts of data, and IT professionals don’t have the time to pour over that data to see what’s relevant and what’s merely digital noise. Available as a stand-alone solution or as part of the Tripwire Enterprise tool suite, Tripwire File Integrity Manager brings visibility and business context to the actionable data you need to focus on. Consider Tripwire File Integrity Manager to vastly improve your agency’s integrity management.

Tripwire File Integrity Manager benefits:

• Real-time change intelligence
• Change prioritization from low to high risk
• Automated reconfiguration for policy compliance
• Integration with change ticketing systems like ServiceNow
• Details pinpointing the “who, what and when” of pertinent events

Image

Log Management

Government agencies must view log management within the context of security incident and event management (SIEM). The SIEM market evolved from collecting log data and correlating it with other data sources to deliver deeper analytical capabilities. This is part of the reason fields like user behavior analytics and big data analytics have seen so much rapid growth in recent years. Higher demand for analytics means agencies are struggling to deliver the right data and insights to the right destinations.

From a cost perspective, customers can find themselves paying for data that doesn’t need to be in the SIEM or paying for log storage instead of analytics. These trends put pressure on federal IT professionals to spend more efficiently while strengthening the security of their log management practices.

Log management makes security visible

Security logging and analysis can help IT teams determine the location of attackers, identify malicious software and track activities on victim machines. “Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attacks and to subsequent actions taken by the attackers,” according to the Center for Internet Security (CIS).

“Without solid audit logs, an attack may go unnoticed indefinitely and particular damages done may be irreversible.” If IT managers are not collecting, storing and analyzing log data for every asset in the organization, they will have significant gaps in their cyber situational awareness.

Log management simplifies compliance

It’s compliance concerns—not security— that usually drive IT teams toward log management investments. The Federal Information Security Management Act is one of many regulations that requires log management components. In FISMA’s case, log management is defined by NIST in SP 800-53.

NIST 800-53 provides the most detailed exploration of log management requirements available, and it’s certainly the most applicable to government agencies. NIST 800-53’s requirements for logging are listed in the Audit and Accountability section and include defining a process for collecting logs, what log events need to be captured, what detail needs to be included in captured events as well as retention guidance and response processes.

Tripwire Log Center

The correlation engine in Tripwire Log Center® automatically identifies and responds to events of interest using a logical flow of one or more conditions. Actions can include creating a work ticket, sending a notification email, or running a command. Whether you collect logs strictly for regulatory compliance or to increase awareness of credible cyber threats, Tripwire Log Center ensures the process is secure and reliable

Tripwire Log Center benefits:

• Reliable log collection, analysis and delivery
• Tight integration with your existing infrastructure
• Critical events highlighted on a customized dashboard
• Automated remediation and alerting with triggered scripts
• Reduced noise with pre-processed data prior to passing SIEM
• Quicker threat detection with a large library of correlation rules

Image

Vulnerability Management

Vulnerability management is fundamentally about risk reduction presented by vulnerabilities within a system environment. Executive Order 13800 delineates the importance of assessing vulnerabilities: “Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies.”

Vulnerability management and compliance

It’s important to consider that meeting compliance doesn’t always ensure that your vulnerability management program is adequately robust. Passing an audit is not the same as reducing vulnerability risk. If compliance is part of your organization’s drive for vulnerability assessment tools, achieving clarity on the objectives can help you avoid barriers to success down the road.

Vulnerability management and compliance should work hand in hand. For example, if you’re part of the Department of Defense and subject to Command Cyber Readiness Inspection (CCRI) audits, then a vulnerability assessment tool is a key component in audit preparation. Understanding which assets are on the network, their vulnerabilities, and which to fix first is a crucial part of CCRI preparation.

Vulnerability management is a process

The process of reducing risk from vulnerabilities is just that: a process. There are tools that make that process substantially more efficient, but they don’t replace the need for the process or the people to run it.

It’s entirely possible to create a complex workflow diagram for vulnerability management, but at its core, there are really three steps:

Discover: You have to start by deploying a solution that can pinpoint the vulnerabilities you have, and by extension all of the assets on which you might find those vulnerabilities. The output of discovery is some kind of inventory of assets and vulnerabilities.

Report: In order to take action on that inventory, organizations need reporting tools. A simple report might just be a list of vulnerabilities found, but in most cases, there needs to be some scoring method of prioritization for both the vulnerability and the sensitivity of the asset on which it resides.

Remediate: Many vulnerability management programs stop with the first two of these three steps and count themselves as successful, but unless meaningful remediation is part of the equation, you haven’t accomplished the core objective of reduction of risk. The challenge is that remediation, whether through applying a patch or some other step, is the most complicated step. The key question to answer is how you can connect the prioritized reporting of vulnerabilities to the most successful workflow in your organization.

Image

Tripwire IP360️

Tripwire IP360™ serves as a complete vulnerability management toolkit for federal agencies. It automatically scores risks to help you address significant vulnerabilities right away, allowing you to take a look at the granular details around each risk. It uses a unique fingerprinting method to produce a comprehensive asset inventory and identify vulnerabilities across each and every endpoint connected to your network. When you apply Tripwire IP360 to your environment, you can expect to reduce risk scores by more than 50 percent.

Tripwire IP360 benefits:

• Faster vulnerability scans with fewer false positives
• Combines agent-based and agentless scanning results
• Supports on-premises, cloud and hybrid environments
• Efficient and accurate vulnerability scoring and prioritization
• Open APIs enable integration with help desk and asset management
• Minimizes manual efforts through integration with your existing toolsets

Summary

Many federal agencies find themselves in need of a substantial security overhaul. They need advanced tools and techniques to keep up with both the rapid proliferation of cyberattacks and the requirements of regulatory frameworks meant to stop them. File integrity monitoring, log management, policy compliance and vulnerability management are the four security fundamentals your agency must address, and Tripwire products offer the out-of-the-box coverage federal agencies require