Automated IT security gets a step closer
Agencies could be a step closer to automating their IT security with the further integration of two sets of security protocols. The Trusted Computing Group has released draft specifications for standardizing content using the government’s Security Content Automation Protocol (SCAP) for use in TCG’s Trusted Network Connect architecture.
The two protocols handle different domains of IT security. The TNC standards focus on network security, while SCAP, developed by the National Institute of Standards and Technology, focuses on endpoint compliance. Using them in tandem provides the benefits of two open standards to improve endpoint security.
The new spec, SCAP Messages for IF-M, is available for public comment until Jan. 15. Comments can be sent to a TCG mailing list at SCAP-Messages-Comments@trustedcomputinggroup.org.
Plans to integrate TNC with SCAP were announced by NIST in 2010, because the two sets offered complementary capabilities, each powerful in its own right but more powerful when combined. Automation is an imperative in government IT security. Enabling automation of routine security scanning and reporting and taking humans “out of the loop” allows security tools to operate at the speed of the increasingly sophisticated and automated attacks they must counter.
The two schemes remain separate sets of standards developed under the auspices of their own organizations.
SCAP is a specification for expressing and manipulating security data in standardized ways, developed under the authority of NIST in cooperation with other organizations, including the National Security Agency, Mitre Corp., and the Forum for Incident Response and Security Teams. It allows coordinated use of a suite of standards for naming and scoring, including:
- Common Vulnerabilities and Exposures (CVE), a set of unique identifiers for publicly known security vulnerabilities.
- Common Vulnerability Scoring System (CVSS), for assigning scores to software vulnerabilities.
- Common Configuration Enumeration (CCE), a set of configuration elements for applications and operating systems.
- Common Configuration Scoring System (CCSS), for scoring configuration elements.
- Common Platform Enumeration (CPE), a naming scheme to IT systems, platforms, and packages.
- Open Vulnerability Assessment Language (OVAL), for making logical assertions about the state of an endpoint system.
- Open Checklist Interactive Language (OCIL), a standard way of querying human users.
- eXtensible Configuration Checklist Description Format (XCCDF), a language to express, organize, and manage security guidance.
- Asset Reporting Format (ARF), a language to express information about assets.
The proposed TNC specification defines the SCAP messages used to communicate instructions for SCAP assessments and results between the server's integrity measurement verifier modules and the client's integrity measurement collectors. Using TNC protocols to transport and encode the SCAP messages provides communication between the network and endpoint communities. SCAP scanners could receive assessment instructions and return results over network security equipment using the TNC specifications.
It is unlikely that humans ever could be -- or should be -- taken completely out of the security loop, but tools that help remove the burden of routine drudge work could free them up to focus on the elements where they are most needed.