PoSecCo clustering meeting

Leveraging Security Models to Automate Audits and Improve their Level of Assurance
Serena Ponta, SAP

Context
- Assurance about fulfillment of requirements (laws, regulations, customer-specific)
  - Critical to ensure business success and legal compliance
  - Hard to achieve
- Recognized need for automation and standardization
  - NIST effort to develop standards for security automation (SCAP)
  - Security guidance "Software assurance" in FISMA (June 2011) requires reporting on progress installing tools and on compliance with NIST's standards
- Audits provide assurance by involving a third-party authority

Motivations
Develop audit program:
- Request for an audit: auditee's business and IT services (identified risks and control objectives)
- Definition of the scope of the audit: control objectives; target services and applications
- List of controls per control objective (audit program)
Execute audit program:
- Execution of the audit program to collect technical evidence and informal (organizational) evidence
- Evaluation of results: assess control objectives; write results in the audit report
Shortcomings highlighted on the slide: manual collection of information, evaluation based on samples, manual execution of checks.

Contributions
PoSecCo's security models provide:
- Complete knowledge of the behavioral and structural landscape
- A traceable link between business-driven security and the technical configuration settings of individual services
They are used to provide an audit interface supporting automated information retrieval and execution of checks, increasing the efficiency and assurance of audits.

1. Introduction
2. Audit Process (current practices): Develop Audit Program; Execute Audit Program
3. PoSecCo Security Models
4. Audit Process (new concept): Develop Audit Program; Execute Audit Program
5. Conclusions

Running Example
Diagram: the business service "E-invoice" and the User Management System that supports it.

Develop Audit Program
Diagram (current practice): the auditee (service provider) submits a Request for Audit, here "Customers must authenticate for accessing business service 'eInvoice'". The auditors build the Audit Program from best practices: COBIT DS5 control objectives (DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, DS5.4 User Account Management), the auditor's experience, previous audits, companies' practices, ...

Execute Audit Program
Diagram (current practice): the auditors run the Audit Program against the auditee, collect the Audit Program results and produce the Audit Report.

Limitations
- Restricted knowledge of the auditee's infrastructure: limited visibility of technologies and policies in place
- Difficult to define the scope of the audit and to develop the audit program (adjustments required during the execution)
- No standardized tools for automated assessment available
- Technical evidence retrieval requires the auditee's support
- Audit based on samples

PoSecCo Security Models
Diagram: complete information about functional and security aspects.

PoSecCo Security Models
Complete information about functional and security aspects, linked across three layers:
- Business Policies: customers must authenticate for accessing business services
- IT Policies (Controls): password authentication for web application X1
- Configurations (the Golden Configuration): AuthN enabled on web app X1, URI, host Y; minimum password length (N char) on User Mgmt System LDAP, URI', host B

Audit Program Development
Diagram (new concept): the auditee (service provider) submits its Request for Audit together with the Business and Service Model; the auditors derive an XCCDF Checklist and refine it into the Audit Program (XCCDF Checklist), drawing on best practices: COBIT DS5 control objectives (DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management), the auditor's experience, previous audits, companies' practices, ...

Example – Request for Audit
The service provider wants the auditors to ensure that customers must authenticate for accessing business service "e-invoice".
XCCDF Checklist:
- Business Policy: customers must authenticate for accessing business service "e-invoice"
- IT Policies: password authentication for web application eInvoice; certificate authentication for web service eInvoice

Example – Audit Program
Diagram: the XCCDF Checklist (business and IT policies) is refined into the Audit Program (XCCDF Checklist) using the Business and Service Model and best practices: COBIT DS5 control objectives (DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, DS5.4 User Account Management), the auditor's experience, previous audits, companies' practices, ...

Advantages
- Increased visibility of the auditee's premises: technologies and policies in place
- Standards for automation
- Augmented, structured initial request
- Reliable scope of the audit
- Auditee-focused, automatable audit program (by refining the auditee's request)

Audit Program Execution
Diagram (new concept): the auditors enrich the Audit Program (XCCDF Checklist) with best practices on configurations into an Audit Program (SCAP Checklist), execute it against the auditee's infrastructure to obtain the Audit Result (SCAP Result), and produce the Audit Report.

Example – Audit Program enriched
The Audit Program (XCCDF Checklist) is enriched with best practices on configurations and with the infrastructure elements (hosts Y and B):
- Authentication Policy: all users are informed of the policy (ask CISO)
- Password authentication for web application eInvoice
  - AuthN enabled on web app eInvoice, URI, host Y [Y', Y'', ... in cluster setup]
  - Minimum password length (N char) on User Mgmt System LDAP, URI', host B
  - Expiring date (M days) on User Mgmt System LDAP, URI', host B
  - Complex password (alphanumeric) on User Mgmt System LDAP, URI', host B
- ...
Values: N char: best practices 20, golden configuration 15; ...

Example – Audit Program Execution
The Audit Program is executed: organizational items are compiled into questionnaires for the auditee roles (vendor management, CISO, ...).
- Authentication Policy: all users are informed of the policy (ask CISO)
- Password authentication for web application eInvoice
  - AuthN enabled on web app eInvoice, URI, host Y
  - Minimum password length (N char) on User Mgmt System LDAP, URI', host B
  - Expiring date (M days) on User Mgmt System LDAP, URI', host B
  - Complex password (alphanumeric) on User Mgmt System LDAP, URI', host B
- ...
Values: N char: best practices 20, golden configuration 15; ...

Example – Automated checks
Configuration items of the Audit Program are checked automatically:
- Password authentication for web application eInvoice
  - AuthN enabled on web app eInvoice, URI, host Y (Y', Y'', ... in cluster setup)
  - Minimum password length (N char) on User Mgmt System LDAP, URI', host B
  - Expiring date (M days) on User Mgmt System LDAP, URI', host B
  - Complex password (alphanumeric) on User Mgmt System LDAP, URI', host B
- ...
Values: N char: best practices 20, golden configuration 15
Target configurations: planned (Golden Configuration) and actual (CMDB)
Assessment: evaluation of misconfigurations
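The checks and targets of the running example, as an added Python example (not PoSecCo's code): an XCCDF-style audit program for eInvoice is evaluated against a planned (golden) and an actual (CMDB) configuration, organizational items and failed collections are routed to role questionnaires in the way the architecture slide's OVAL-to-OCIL fallback does, and the results are folded into a weighted score. Host names, configuration keys, the expiry value "M days", the rule weights and the role names are assumptions; the "N char" values 20 and 15 are the slide's.

```python
# Added example, not PoSecCo's code: XCCDF-style audit program for the eInvoice example,
# checked against the planned (golden) and actual (CMDB) configuration; organizational
# items and failed collections go to an auditee questionnaire. All values are constructed.
from collections import namedtuple
# check: "min" value >= expected, "max" value <= expected, "eq"; ask_role set = OCIL-like question
Rule = namedtuple("Rule", "rule_id target setting expected weight check ask_role",
                  defaults=(None, 1.0, "min", ""))

AUDIT_PROGRAM = [
    Rule("authn_enabled", "hostY/eInvoice", "authn_enabled", True, 2.0, "eq"),
    Rule("psw_min_length", "hostB/ldap", "min_psw_length", 20),  # "N char": best practice 20
    Rule("psw_max_age", "hostB/ldap", "psw_max_age_days", 90, 1.0, "max"),  # "M days" assumed 90
    Rule("psw_complexity", "hostB/ldap", "psw_complexity", "alphanum", 1.0, "eq"),
    Rule("policy_known", "organization", "Are all users informed of the policy?", ask_role="CISO"),
]
# Constructed targets: the golden configuration plans 15 chars (the slide's value);
# the CMDB snapshot lacks the expiry setting, so that collection fails.
PLANNED = {"hostY/eInvoice": {"authn_enabled": True},
           "hostB/ldap": {"min_psw_length": 15, "psw_max_age_days": 90, "psw_complexity": "alphanum"}}
ACTUAL = {"hostY/eInvoice": {"authn_enabled": True},
          "hostB/ldap": {"min_psw_length": 8, "psw_complexity": "alphanum"}}

def compare(check, value, expected):
    if check == "min":
        return value >= expected
    return value <= expected if check == "max" else value == expected

def evaluate(program, planned, actual):
    """Return (results, questionnaire): results[rule_id][config] is pass/fail/unknown."""
    results, questionnaire = {}, {}
    for r in program:
        if r.ask_role:  # organizational control: becomes a question for the named role
            questionnaire.setdefault(r.ask_role, []).append((r.rule_id, r.setting))
            continue
        results[r.rule_id] = {}
        for name, cfg in (("planned", planned), ("actual", actual)):
            value = cfg.get(r.target, {}).get(r.setting)
            if value is None:  # OVAL collection failed: route to manual (OCIL) evaluation
                results[r.rule_id][name] = "unknown"
                questionnaire.setdefault("System owner", []).append(
                    (r.rule_id, f"What is {r.setting} on {r.target} ({name})?"))
            else:
                results[r.rule_id][name] = "pass" if compare(r.check, value, r.expected) else "fail"
    return results, questionnaire

def score(program, results, which):
    """XCCDF-style weighted score over the automated rules (pass = 100, otherwise 0)."""
    auto = [r for r in program if not r.ask_role]
    earned = sum(r.weight for r in auto if results[r.rule_id][which] == "pass")
    return round(100 * earned / sum(r.weight for r in auto), 1)
```

With these inputs the planned configuration already fails the password-length rule (15 < 20), which is the design finding the slide's "golden configuration 15" hints at, while the actual configuration additionally fails it with 8 and leaves the expiry rule unknown.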

Advantages
- Automatic processing of low-level information (infrastructure elements and configurations planned by the auditee) and of best practices on configurations
- Automatic compilation of questionnaires for target interviewees
- Automatic assessment of configurations, both planned (golden configuration) and actual (CMDB)
- Reduced involvement of the auditee
- Exhaustive analysis of infrastructure elements
- Rating of misconfigurations' severity

Conclusions
PoSecCo's security models are used to:
- Support the auditee in augmenting the initial request
- Facilitate the definition of scope and audit program
- Define a machine-readable audit program, automatically enriched with technical information from the system landscape and configurations, and executed to perform checks and create questionnaires
- Rate the impact of misconfigurations
Gains: efficiency (time for knowledge collection and mechanical activities) and assurance (coverage, dependency on the auditee).

THANK YOU!

Disclaimer
EU Disclaimer: The PoSecCo project (project no. 257129) is partially supported/co-funded by the European Community/European Union/EU under the Information and Communication Technologies (ICT) theme of the 7th Framework Programme for R&D (FP7). This document does not represent the opinion of the European Community, and the European Community is not responsible for any use that might be made of its content.
PoSecCo Disclaimer: The information in this document is provided "as is", and no guarantee or warranty is given that the information is fit for any particular purpose. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials subject to any liability which is mandatory due to applicable law.

SCAP Standards
Security Content Automation Protocol (SCAP): suite of XML-based specifications for security automation (NIST)
- Enumerations: CVE (Common Vulnerabilities and Exposures), CPE (Common Platform Enumeration), CCE (Common Configuration Enumeration)
- Vulnerability measurement and scoring systems: CVSS (Common Vulnerability Scoring System), CCSS (Common Configuration Scoring System)
- Expression and checking languages: XCCDF (eXtensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language), OCIL (Open Checklist Interactive Language)

SCAP Checklist
Diagram: an XCCDF checklist references OVAL content (test actions) and OCIL content (a questionnaire made of questions); the boxes Scoring Algorithm, Weight and CCSS are attached to the checklist.

XCCDF, OVAL and OCIL
(figure only; not reproduced in the transcript)

Configuration Validation Architecture
Diagram of the configuration validation component (SCAP interpreter); the numbered flow reads:
(1) Check compliance: the SCAP Benchmark is submitted for configuration validation.
(2) Definition evaluation: the OVAL interpreter evaluates the OVAL definitions.
(3) Characteristic collection: system characteristics are produced from the CMDB, WBEM and JMX; on error the item is handed from OVAL to the OCIL interpreter for manual definition evaluation through a UI.
(4) Assess misconfiguration: the OVAL results are assessed against the system landscape (objects, state, relative state).
(5) Complete rating: the rating logic rates the misconfigurations.
(6) Compliance result: the assessment and rating are returned as the SCAP Report.
A simulation component ("Simul") is also attached to the configuration validation.

KPI
Efficiency:
- (Reduced) time/cost to prepare the audit request [auditee], define the audit scope (understand the auditee's premises and identify stakeholders, systems, risks, etc.), prepare the audit program (effort to gather data), execute the audit program, generate reports, and support the execution of checks [auditee]
- (Reduced) variation of actual vs. predicted scope
- (Increased) audit program maturity (matching the auditee's controls)
- (Reduced) variation of control implementation vs. control design (here???)
Assurance:
- (Increased) time for sensitive activities (evaluate risks, control objectives, controls)
- (Increased) coverage: number of systems checked
- (Decreased) dependency on personnel for the knowledge to determine and assess controls
- (Improved) customer trust in the security concept of the service provider

Audit Interface
1. Scoping support: retrieve the SP's control objectives (UC-A01); retrieve the SP's business policies
2. Mapping of the SP's control objectives to other control objectives (or business policies)
3. Control selection: controls per CO defined by the SP (UC-A02); controls per CO not defined by the SP (without mapping 2.)
4. Controls equivalence (UC-A03, supplier + best practices)
5. Check: control design follows best practices (UC-A02); control implementation follows best practices: configuration validation (UC-A04) and questionnaire generation (report and assessment of misconfigurations)
6. Simulation of changes: controls/IT policies (UC-A02); control implementation (UC-A04)

Audit Program Development
Diagram: the Audit Program Development flow of the new concept (auditee's Request for Audit and Business and Service Model, XCCDF Checklist, best practices: COBIT DS5 control objectives DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management; auditor's experience; previous audits; companies' practices; ...; Audit Program as XCCDF Checklist), annotated with the use cases UC-A01, UC-A02 and UC-A03.

Audit Program Execution
Diagram: the Audit Program Execution flow of the new concept (Audit Program as XCCDF Checklist, enriched with best practices (tests) into an SCAP Checklist, executed against the auditee's infrastructure to yield the Audit Result (SCAP Result) and the Audit Report), annotated with use case UC-A04.

OCIL Example
(figure only; not reproduced in the transcript)