NIST, DHS push security automation to the next stage

SCAP sets standards to ensure products work together, while Einstein is evolving into an automated tool that will not only detect, but block, malicious code.

The future of network security is automation, using various tools to monitor systems and network traffic for signs of trouble, alert administrators and even respond to attacks on their own. Automation can handle jobs that otherwise would have to be done by IT staff members, who are then freed up for other tasks.


Agencies face challenges in getting to an automated environment, however, whether because of tight budgets, complex systems or automated tools that don’t necessarily work together. The federal government is supporting the effort by developing the standards that are necessary for interoperable tools and offering intrusion detection and prevention as a service to agencies.

SCAP

The government is working to create a standards-based security environment through the Security Content Automation Protocol (SCAP), a suite of interoperable specifications developed at the National Institute of Standards and Technology in collaboration with the public- and private-sector security community.

Although NIST’s agenda for security automation goes beyond vulnerability management, SCAP in its present form, Version 1.2, deals primarily with endpoint compliance for configuration requirements. The specifications, contained in Special Publication 800-126, support automated configuration, vulnerability and patch checking, technical control compliance and security measurement.

“In the U.S. government it has been a challenge to implement configuration management,” said NIST’s Dave Waltermire, SCAP architect. “There is often a tension between allocating resources to manage systems and developing configuration management policies, procedures and baselines.”

The SCAP specifications provide the building blocks for vendors to create standards-based tools that can work and communicate with each other in automating these processes. They create a common format for developing and enforcing baselines and producing standardized results. This requires common methods of expressing information about hardware, software and vulnerabilities.

SCAP Version 1.2 includes 11 component specifications in five categories:

  • Languages for expressing security policy, technical check mechanisms and assessment results, including Extensible Configuration Checklist Description Format, Open Vulnerability and Assessment Language and Open Checklist Interactive Language.
  • Reporting formats to express collected information, including Asset Reporting Format and Asset Identification. Although Asset Identification is not explicitly a reporting format, SCAP uses it in identifying the assets.
  • Enumerations, standard nomenclatures and an official dictionary of items expressed using that nomenclature, including Common Platform Enumeration, Common Configuration Enumeration and Common Vulnerabilities and Exposures.
  • Measurement and scoring systems for evaluating severity of a security weakness, including Common Vulnerability Scoring System and Common Configuration Scoring System.
  • Integrity of SCAP content and results, including the Trust Model for Security Automation Data.

Independent laboratories are accredited by NIST to validate security products that conform to SCAP requirements for government use. There currently are 43 products from 32 vendors validated under the program.

Einstein

While NIST is building a framework for interoperable vendor products that agencies can implement within their systems, the Homeland Security Department is developing an intrusion detection and prevention system to be offered as a managed service through agencies’ Internet service providers.

Einstein was initially deployed in 2004 to detect and block malicious activity across the .gov domain. The first version analyzed network flow information from participating agencies to provide a high-level view for observing potential malicious activity. Its second iteration, Einstein 2, launched in 2008, is a passive, automated system that incorporates intrusion detection based on custom signatures of known or suspected threats, and is able to alert US-CERT to malicious activity. It relies primarily on commercial tools for detection.

Einstein 2 now is deployed at 17 of 18 agencies that are using a Trusted Internet Connection provider, and at 52 other agencies using Managed Trusted IP Services (MTIPS) under the Networx contract. DHS officials say the department is on track to meet its milestone of providing Einstein 2 service to 70 percent of executive branch agencies by the end of fiscal 2013 as legacy networking contracts expire and agencies that are not yet served move to MTIPS. That 70 percent figure for agencies could include as much as 90 percent of .gov network traffic, officials said.

Einstein 2 already has shown its value for detecting and alerting, department officials said. As analytical capabilities grow, its value is expected to increase, and alerting will be expanded from US-CERT to agency security operations centers as well. This is expected to happen in 2014.

In its next iteration, Einstein 3 will be a managed service through service providers to not only detect but also automatically block malicious traffic before it enters government networks. Under the direction of DHS, service providers will administer threat-based decisions on traffic entering and leaving participating agency networks. Agencies will enter into agreements with DHS to authorize use of intrusion prevention capabilities through service providers.

Einstein 3 includes three major activities. The first, operational today, is the ability to connect analysts with the data that will be used to block malicious traffic. The second activity is the segregation and aggregation of .gov traffic by ISPs for analysis. Four contracts for this function have been awarded; one is fully operational and two more are expected to become operational this summer. The fourth contract is being finalized and should be operational by the end of September.

The final activity is the trickiest one: automated blocking of malicious traffic. One contract for this was awarded to an ISP in March, but it is not yet operational. Other contracts with ISPs are in the works, and service delivery plans are being developed.

Initially there will be two countermeasures used by service providers against malicious traffic.

  • Domain Name Server sinkholing will block malware in .gov networks from communicating with known or suspected malicious domains, redirecting the traffic to safe sinkhole servers. ISPs will have access only to information about the DNS request for this traffic and not to the contents.
  • E-mail filtering will scan incoming mail addressed to .gov networks for malicious attachments, URLs and other malicious content. Infected e-mails could be quarantined or redirected for further inspection and analysis by DHS.
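A sketch of the DNS sinkholing countermeasure described above, written as an added Python example that is not part of the article or of Einstein itself: the sinkhole address, the blocklist entries and the `resolve` interface are constructed assumptions. It shows the two properties the article stresses, that a query for a known or suspected malicious domain (or any name under it) is answered with the sinkhole address instead of being forwarded, and that the alert record carries only DNS request metadata, not content.

```python
# Added example (not from the article): a DNS sinkhole policy of the kind
# the article describes for Einstein 3. Given a blocklist of known or
# suspected malicious domains and a query name, decide whether the resolver
# answers with the sinkhole address, and emit an alert holding only the
# DNS request metadata (never packet contents).
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

SINKHOLE_IP = "192.0.2.10"  # constructed: RFC 5737 documentation address

# Constructed blocklist; a real deployment would take its feed from DHS/US-CERT.
BLOCKLIST = {"bad-c2.example", "dropzone.example.net"}


@dataclass(frozen=True)
class SinkholeAlert:
    client_net: str   # requesting agency network prefix, not host payload
    qname: str        # the queried name, normalized
    matched: str      # which blocklist entry matched
    answer: str       # address returned to the client


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so matching is case/format independent."""
    return qname.rstrip(".").lower()


def matched_entry(qname: str) -> Optional[str]:
    """Return the blocklist entry covering qname (exact or parent domain), else None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


def resolve(qname: str, client_net: str,
            upstream: Callable[[str], str]) -> Tuple[str, Optional[SinkholeAlert]]:
    """Return (answer_ip, alert). A sinkholed query is never forwarded upstream,
    so the malware's lookup never reaches the real domain's name servers."""
    hit = matched_entry(qname)
    if hit is None:
        return upstream(normalize(qname)), None
    return SINKHOLE_IP, SinkholeAlert(client_net, normalize(qname), hit, SINKHOLE_IP)
```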

Even without enterprisewide systems such as Einstein and large-scale frameworks such as SCAP, individual tools have demonstrated the power of automation to improve both network security and management.

Nevada’s Department of Transportation, for example, was able to spot misconfigured devices almost immediately when it began using Splunk Enterprise to gather and correlate log data, and has been able to troubleshoot problems more efficiently. The DOT was able to reduce errors on its networks and is aiming to put Splunk to other uses.
