NIST unveils specs for continuous security monitoring
- By William Jackson
- Jan 20, 2012
Two draft reports released this month by the National Institute of Standards and Technology offer technical specifications for continuous security monitoring of IT systems and guidance for applying the workflows in asset, configuration and vulnerability management.
Interagency Report 7799, "Continuous Monitoring Reference Model, Workflow, and Specifications," provides the technical specifications for enabling continuous monitoring across any data domain being monitored.
The second draft, IR 7800, "Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains," binds the resulting workflows for managing specific domains.
Getting the most out of automated IT security management
NIST offers a how-to for must-do continuous monitoring
Continuous monitoring is evolving as a basic requirement for understanding and maintaining the security status of IT systems and for complying with requirements including the Federal Information Security Management Act. It is expected to be more effective than periodic static analysis of system conditions, providing near-real-time situational awareness that is necessary to fend off increasingly sophisticated and rapidly changing threats.
Effective monitoring requires a degree of automation, and tools are being developed to enable this, including the Security Content Automation Protocols (SCAP) and its supported specifications. Products embodying these tools are becoming available to enable automated monitoring, and the complexity of the environments being monitored and variety of tasks they must perform require a framework for their development.
Draft IR 7799 enables product instrumentation and development, along with product testing, validation, procurement and interoperability. It focuses on workflows and the role played by subsystems within the workflows, and on the interfaces that provide communication paths between subsystems.
“It is not expected, or desired, that any specific product adopt all of the subsystem specifications,” the authors write. Existing products already incorporate some specifications or can be made to comply with them with “only gentle instrumentation.” In other cases, new functionalities are described that are not now on the market. “If vendors choose to adopt these specifications, they will likely need to develop new products.”
The specifications in Draft IR 7799 are “domain agnostic,” and can be used for monitoring any data domain. Draft IR 7800 provides guidance for binding workflows and capabilities to the domains of asset management, configuration management and vulnerability management. It leverages the SCAP Version 1.2 for configuration and vulnerability scan content and dictates reporting results in an SCAP-compliant format.
NIST is soliciting comments on the draft documents through Feb. 17. Comments should be e-mailed to email@example.com.
William Jackson is freelance writer and the author of the CyberEye blog.