Posecco clustering meeting (33 slides)

Leveraging Security Models to Automate Audits and Improve their Level of Assurance

Serena Ponta, SAP

Upload: fcleary

Posted on 24-Jan-2015


Page 1: Title slide. Leveraging Security Models to Automate Audits and Improve their Level of Assurance. Serena Ponta, SAP.

Page 2: Context

- Assurance about fulfillment of requirements (laws, regulations, customer-specific)
  - critical to ensure business success and compliance with the law
  - hard to achieve
- Recognized need for automation and standardization
  - NIST effort to develop standards for security automation (SCAP)
  - Security guidance "Software assurance" in FISMA (June 2011) requires reporting on progress installing tools and on compliance with NIST's standards
- Audits provide assurance by involving a third-party authority

Page 3: Motivations

Develop audit program:
- Request for an audit: the auditee's business and IT services (identified risks and control objectives)
- Definition of the scope of the audit: control objectives; target services and applications
- List of controls per control objective (the audit program)

Execute audit program:
- Execution of the audit program to collect technical evidence and informal (organizational) evidence
- Evaluation of results: assess control objectives; write results in the audit report

Diagram annotations (current practice): manual collection of information; evaluation based on samples; manual execution of checks

Page 4: Contributions

- PoSecCo's security models give:
  - complete knowledge of the behavioral and structural landscape
  - a traceable link between business-driven security and the technical configuration settings of individual services
- Aim: provide an audit interface supporting automated information retrieval and execution of checks
- Increasing efficiency and assurance of audits

Page 5: (outline)

1. Introduction
2. Audit Process (current practices): Develop Audit Program; Execute Audit Program
3. PoSecCo Security Models
4. Audit Process (new concept): Develop Audit Program; Execute Audit Program
5. Conclusions

Page 6: Running Example

Diagram: the business service "E-invoice" and a User Mgmt System.

Page 7: Develop Audit Program (current practice)

Diagram: Auditors and Auditee (service provider). Inputs to the Audit Program:
- Auditee's Request for Audit: "Customers must authenticate for accessing business service 'eInvoice'"
- Best practices: COBIT DS5 Control Objectives (DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, DS5.4 User Account Management)
- Auditor's experience: previous audits, companies' practices

Page 8: Execute Audit Program (current practice)

Diagram: the Auditors run the Audit Program against the Auditee; the Audit Program results feed the Audit Report.

Page 9: Limitations

- Restricted knowledge of the auditee's infrastructure: limited visibility of technologies and policies in place
- Difficult to define the scope of the audit and to develop the audit program (adjustments required during the execution)
- No standardized tools for automated assessment available
- Retrieval of technical evidence requires the auditee's support
- Audit based on samples

Page 10: PoSecCo Security Models

Complete information about functional and security aspects

Page 11: PoSecCo Security Models

Complete information about functional and security aspects, shown as:
- Business Policies: customers must authenticate for accessing business services
- IT Policies (Controls): password authentication for web application X1
- Configurations: AuthN enabled on web app X1, URI, host Y; min psw length (N char) on User Mgmt Sys LDAP, URI', host B
- Golden Configuration

Page 12: Audit Program Development (new concept)

Diagram: Auditors and Auditee (service provider). Inputs to the Audit Program (XCCDF Checklist):
- Auditee's Request for Audit
- Business and Service Model
- Best practices: COBIT DS5 Control Objectives (DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management)
- Auditor's experience: previous audits, companies' practices

Page 13: Example – Request for Audit

The Service Provider wants the auditors to ensure that customers must authenticate for accessing business service "e-invoice".

XCCDF Checklist:
- Business Policy: customers must authenticate for accessing business service "e-invoice"
- IT Policies: password authentication for web application eInvoice; certificate authentication for web service eInvoice

Page 14: Example – Audit Program

Audit Program (XCCDF Checklist) assembled from:
- Best practices (business & IT policies)
- Business and Service Model
- COBIT DS5 Control Objectives (DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, DS5.4 User Account Management)
- Auditor's experience: previous audits, companies' practices

Page 15: Advantages

- Increased visibility of the auditee's premises: technologies and policies in place
- Standards for automation
- Augmented, structured initial request
- Reliable scope of the audit
- Auditee-focused, automatable audit program (by refining the auditee's request)

Page 16: Audit Program Execution (new concept)

Diagram: the Auditors' Audit Program (XCCDF Checklist) is enriched with best practices (configurations) into an Audit Program (SCAP Checklist) and executed against the Auditee Infrastructure; the Audit Result (SCAP Result) feeds the Audit Report.

Page 17: Example – Audit Program enriched

The Audit Program (XCCDF Checklist), best practices (configurations) and the infrastructure are combined into the enriched Audit Program:

Authentication Policy:
- All users are informed of the policy (ask CISO)
- Password authentication for web application eInvoice
  - AuthN enabled on web app eInvoice, URI, host Y [Y', Y'', … in cluster setup]
  - Min psw length (N char) on User Mgmt System LDAP, URI', host B
  - Expiring date (M days) on User Mgmt System LDAP, URI', host B
  - Complex psw (alphanum) on User Mgmt System LDAP, URI', host B

Values: N char: best practices 20; golden configuration 15

Infrastructure: Host B, Host Y

Page 18: Example – Audit Program Execution

The Audit Program yields questionnaires for auditee roles (vendor mgmt, CISO, …):

Authentication Policy:
- All users are informed of the policy (ask CISO)
- Password authentication for web application eInvoice
  - AuthN enabled on web app eInvoice, URI, host Y
  - Min psw length (N char) on User Mgmt System LDAP, URI', host B
  - Expiring date (M days) on User Mgmt System LDAP, URI', host B
  - Complex psw (alphanum) on User Mgmt System LDAP, URI', host B

Values: N char: best practices 20; golden configuration 15

Page 19: Example – Automated checks

Audit Program:
- Password authentication for web application eInvoice
  - AuthN enabled on web app eInvoice, URI, host Y (Y', Y'', … in cluster setup)
  - Min psw length (N char) on User Mgmt System LDAP, URI', host B
  - Expiring date (M days) on User Mgmt System LDAP, URI', host B
  - Complex psw (alphanum) on User Mgmt System LDAP, URI', host B

Values: N char: best practices 20; golden configuration 15

Target configurations: planned (Golden Configuration) and actual (CMDB)

Assessment: evaluation of misconfigurations

Page 20: Advantages

- Automatic processing of low-level information (infrastructure elements and configurations planned by the auditee) and of best practices on configurations
- Automatic compilation of questionnaires for target interviewees
- Automatic assessment of configurations: planned (golden configuration) and actual (CMDB)
- Reduced involvement of the auditee
- Exhaustive analysis of infrastructure elements
- Rating of misconfigurations' severity

Page 21: Conclusions

PoSecCo's security models:
- support the auditee in augmenting the initial request
- facilitate definition of scope and audit program
- define a machine-readable audit program, automatically enriched with technical information from the system landscape and configurations, and executed to perform checks and create questionnaires
- rate the impact of misconfigurations

Gains: efficiency (time for knowledge collection and mechanical activities); assurance (coverage, dependency on the auditee)

Page 22: THANK YOU!

Page 23: Disclaimer

EU Disclaimer: PoSecCo project (project no. 257129) is partially supported/co-funded by the European Community/European Union/EU under the Information and Communication Technologies (ICT) theme of the 7th Framework Programme for R&D (FP7). This document does not represent the opinion of the European Community, and the European Community is not responsible for any use that might be made of its content.

PoSecCo Disclaimer: The information in this document is provided "as is", and no guarantee or warranty is given that the information is fit for any particular purpose. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials subject to any liability which is mandatory due to applicable law.

Page 24: (empty slide)

Page 25: SCAP Standards

Security Content Automation Protocol (SCAP): suite of XML-based specifications for security automation (NIST)
- Enumeration: CVE (Common Vulnerability Enumeration), CPE (Common Platform Enumeration), CCE (Common Configuration Enumeration)
- Vulnerability measurement and scoring systems: CVSS (Common Vulnerability Scoring System), CCSS (Common Configuration Scoring System)
- Expression and checking languages: XCCDF (eXtensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language), OCIL (Open Checklist Interactive Language)

Page 26: SCAP Checklist

Diagram: the XCCDF checklist references test actions (OVAL) and questionnaires made of questions (OCIL); a scoring algorithm with per-rule weights and CCSS completes the picture.

Page 27: XCCDF, OVAL and OCIL (figure only)

Page 28: Configuration Validation Architecture

Diagram: a configuration-validation SCAP interpreter (containing an OVAL interpreter and an OCIL interpreter), a characteristics-collection layer reading from CMDB, WBEM and JMX, the system landscape, an assessment (& rating) component with its rating logic, a simulation component, and a UI for manual definition evaluation. Numbered flow:
1. Check compliance against the SCAP Benchmark
2. Definition evaluation (OVAL Defs)
3. Produce system characteristics (Sys Chars) by collecting from CMDB/WBEM/JMX; on error, OVAL -> OCIL hands the definition to the UI for manual evaluation (R1)
4. Assess misconfigurations from the OVAL results: state, objects, relative state, rating (R2)
5. Complete rating
6. Compliance result -> SCAP Report
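Added example, not part of the slides or of the PoSecCo project's code: a Python sketch of the automated check on page 19, the weighted scoring of the SCAP checklist on page 26 and the OVAL-to-OCIL fallback in the architecture on page 28. It evaluates an audit program against the actual configuration (a CMDB export) and the planned one (golden configuration), routes settings that cannot be collected to a questionnaire instead of guessing, flags where the golden configuration itself lags best practice, and rates each misconfiguration. The rule ids, hosts, operator names, CMDB contents and the severity formula are all constructed assumptions; only the "N char: best practices 20, golden configuration 15" pair is taken from the slides.

```python
"""Configuration validation in the style of the PoSecCo audit flow (added
example, not project code): rules vs. golden configuration vs. CMDB, with an
OCIL-style questionnaire fallback and a weighted score. All identifiers,
values and the rating logic are constructed assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Comparison operators keyed by name (assumed, OVAL-like) so a rule can state
# "actual >= expected", "actual <= expected" or "actual == expected".
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "at_least": lambda actual, expected: actual >= expected,
    "at_most": lambda actual, expected: actual <= expected,
    "equals": lambda actual, expected: actual == expected,
}


@dataclass
class Rule:
    rule_id: str
    target: str           # system the setting lives on (hypothetical ids)
    setting: str          # configuration item name
    op: str               # key into OPS
    golden: Any           # value planned by the auditee (golden configuration)
    best_practice: Any    # value recommended by best practice
    weight: float = 1.0   # XCCDF-style rule weight
    question: str = ""    # OCIL fallback when the value cannot be collected


@dataclass
class RuleResult:
    rule_id: str
    result: str                  # "pass", "fail" or "pending" (sent to OCIL)
    design_gap: bool             # golden configuration weaker than best practice
    severity: float = 0.0        # 0 when compliant with the golden configuration
    question: Optional[str] = None


def rate_severity(rule: Rule, actual: Any) -> float:
    """Assumed rating logic: weight scaled by the relative distance from the
    planned value for numeric settings, full weight for any other mismatch."""
    if isinstance(actual, (int, float)) and isinstance(rule.golden, (int, float)) and rule.golden:
        gap = min(1.0, abs(rule.golden - actual) / abs(rule.golden))
        return round(rule.weight * gap, 3)
    return rule.weight


def evaluate_rule(rule: Rule, cmdb: Dict[str, Dict[str, Any]]) -> RuleResult:
    """Collect the actual value, compare it with the golden configuration and
    flag separately whether the plan itself satisfies best practice."""
    compare = OPS[rule.op]
    design_gap = not compare(rule.golden, rule.best_practice)
    actual = cmdb.get(rule.target, {}).get(rule.setting)
    if actual is None:
        # Collection failed: hand the rule to the questionnaire (OVAL -> OCIL).
        return RuleResult(rule.rule_id, "pending", design_gap, question=rule.question)
    if compare(actual, rule.golden):
        return RuleResult(rule.rule_id, "pass", design_gap)
    return RuleResult(rule.rule_id, "fail", design_gap, severity=rate_severity(rule, actual))


def run_audit_program(rules: List[Rule], cmdb: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Evaluate all rules; score = weights of passed rules over weights of all
    automatically checked rules (flat weighted model); pending rules are
    listed for the questionnaire rather than counted."""
    results = [evaluate_rule(r, cmdb) for r in rules]
    by_id = {r.rule_id: r for r in rules}
    checked = [res for res in results if res.result != "pending"]
    max_score = sum(by_id[res.rule_id].weight for res in checked)
    score = sum(by_id[res.rule_id].weight for res in checked if res.result == "pass")
    return {
        "score": round(100.0 * score / max_score, 2) if max_score else None,
        "misconfigurations": {res.rule_id: res.severity for res in results if res.result == "fail"},
        "design_gaps": [res.rule_id for res in results if res.design_gap],
        "questionnaire": [res.question for res in results if res.result == "pending"],
    }


# Constructed audit program for the running example (values invented except
# the slide's "N char: best practices 20, golden configuration 15").
AUDIT_PROGRAM = [
    Rule("authn-enabled", "webapp-eInvoice@hostY", "authn_enabled", "equals", True, True,
         weight=3.0, question="Is authentication enforced on web application eInvoice?"),
    Rule("min-psw-length", "ldap@hostB", "min_password_length", "at_least", 15, 20,
         weight=2.0, question="What minimum password length does the LDAP policy enforce?"),
    Rule("psw-expiry", "ldap@hostB", "password_expiry_days", "at_most", 90, 60,
         weight=1.0, question="After how many days do passwords expire?"),
    Rule("psw-complexity", "ldap@hostB", "password_complexity", "equals", "alphanum", "alphanum",
         weight=1.0, question="Is alphanumeric password complexity enforced on the LDAP?"),
]

# Constructed CMDB export of the actual configuration; the complexity setting
# is deliberately absent so that one rule falls back to the questionnaire.
CMDB = {
    "webapp-eInvoice@hostY": {"authn_enabled": True},
    "ldap@hostB": {"min_password_length": 12, "password_expiry_days": 90},
}

if __name__ == "__main__":
    import json
    print(json.dumps(run_audit_program(AUDIT_PROGRAM, CMDB), indent=2))
```

Run as a script to print the report as JSON. The design point is the separation of the two comparisons: actual vs. golden is the control-implementation check, golden vs. best practice is the control-design check, and keeping them apart stops a weak plan from being reported as a compliant implementation. Routing uncollectable settings to the questionnaire instead of scoring them keeps the automated score honest about what was actually observed.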

Page 29: KPI

Efficiency: (reduced) time/cost to
- prepare the audit request [auditee]
- define audit scoping (understand the auditee's premises and identify stakeholders, systems, risks, etc.)
- prepare the audit program (effort to gather data)
- execute the audit program
- generate reports
- support execution of checks [auditee]
Also: (reduced) variation actual vs. predicted scope; (increased) audit program maturity (matching the auditee's controls); (reduced) variation of control implementation vs control design (here???)

Assurance:
- (increased) time for sensitive activities (evaluate risks, control objectives, controls)
- (increased) coverage: number of systems checked
- (decreased) dependency on personnel for knowledge to determine and assess controls
- (improved) customer trust in the security concept of the service provider

Page 30: Audit Interface

1. Scoping support: retrieve the SP's control objectives (UC-A01); retrieve the SP's business policies
2. Mapping the SP's control objectives to other control objectives (or business policies)
3. Control selection: controls per CO defined by the SP (UC-A02); controls per CO not defined by the SP (w/o mapping 2.)
4. Controls equivalence (UC-A03, supplier + best practices)
5. Check: control design follows best practices (UC-A02); control implementation follows best practices; configuration validation (UC-A04); questionnaire generation (report and assessment of misconfigurations)
6. Simulation of changes: controls/IT policies (UC-A02); control implementation (UC-A04)

Page 31: Audit Program Development (mapped to use cases)

Same diagram as page 12 (inputs: Auditee's Request for Audit, Business and Service Model, best practices with COBIT DS5 Control Objectives DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, and auditor's experience from previous audits and companies' practices; output: Audit Program as XCCDF Checklist), annotated with use cases UC-A01, UC-A02 and UC-A03.

Page 32: Audit Program Execution (mapped to use cases)

Same diagram as page 16, with best practices (tests) enriching the Audit Program (XCCDF Checklist) into the Audit Program (SCAP Checklist), executed against the Auditee Infrastructure to produce the Audit Result (SCAP Result) and the Audit Report; annotated with use case UC-A04.

Page 33: OCIL Example (figure only)