Академический Документы
Профессиональный Документы
Культура Документы
Prescriptive Guide-Security Reference Architecture
Prescriptive Guide-Security Reference Architecture
Security Reference
Architecture
A Practical Guide to Implementing Foundational Controls
AUTHOR:
Dave Meltzer
CTO, Tripwire, Inc.
FOUNDATIONAL CONTROLS FOR
SECURITY, COMPLIANCE & IT OPERATIONS
TABLE OF CONTENTS
Part One: Introduction��������������������������������� 3 Determining SCM
Asset Coverage and Monitoring �������������������������������� 19
What You’ll Learn ��������������������������������������������������������� 3
Evaluating Effectiveness��������������������������������������������� 21
Selecting A Framework������������������������������������������������� 3
Relationship of SCM to
Choosing A Maturity Model������������������������������������������� 4
the C2M2 Maturity Model�������������������������������������������� 21
Developing A
SOPs for SCM�������������������������������������������������������������� 22
Security Architecture���������������������������������������������������� 5
Standard Operating
Prioritizing Security
Procedures Outline����������������������������������������������������� 22
Investments And Efforts����������������������������������������������� 7
Additional Services
Key Takeaways ������������������������������������������������������������� 8
Provided by Tripwire SCM������������������������������������������� 23
Key Takeaways������������������������������������������������������������� 23
Part Two: A Reference Architecture for
File & System Integrity Monitoring������������� 9 Part Four: A Reference Architecture for
Business Drivers for
File Integrity Monitoring ����������������������������������������������� 9
Vulnerability Management������������������������ 24
Business Drivers for Vulnerability Management������� 24
Relation to Security Frameworks������������������������������� 10
Relation to Security Frameworks������������������������������� 25
FIM Use Cases ����������������������������������������������������������� 10
Use Cases for VM�������������������������������������������������������� 25
FIM Key Integration Points����������������������������������������� 11
VM Key Integration Points������������������������������������������� 26
FIM Deployment with Tripwire������������������������������������ 12
VM Deployment with Tripwire ������������������������������������ 26
Determining FIM
Asset Coverage and Monitoring��������������������������������� 12 Determining VM Asset
Coverage and Monitoring ������������������������������������������� 26
Evaluating Effectiveness��������������������������������������������� 13
Evaluating Effectiveness��������������������������������������������� 27
Relationship of FIM to the
C2M2 Maturity Model�������������������������������������������������� 14 Relationship of VM to the
C2M2 Maturity Model�������������������������������������������������� 28
FIM Standard Operating Procedures�������������������������� 14
Systems Inventory and Categorization����������������������� 28
Additional Services Provided by Tripwire Enterprise
FIM������������������������������������������������������������������������������� 15 Standard Operating Procedures for Vulnerability
Management���������������������������������������������������������������� 29
Key Takeaways������������������������������������������������������������� 15
Key Takeaways������������������������������������������������������������� 29
Part Three: A Reference Architecture for References������������������������������������������������������������������� 30
Security Configuration Management��������� 16
Business Drivers for Security Configuration
Management���������������������������������������������������������������� 16
Relation to Security Frameworks������������������������������� 17
Use Cases for SCM����������������������������������������������������� 17
SCM Key Integration Points���������������������������������������� 18
SCM Deployment with Tripwire���������������������������������� 19
PART ONE:
INTRODUCTION
For today’s chief information security officer (CISO), tion vendors, and prioritize investments for the best
securing the organization has never been more chal- results.
lenging. Unfortunately, the CISO’s job is unlikely to
get easier in our lifetime for a dizzying number of The subsequent chapters in this Prescriptive Guide
reasons. Among these reasons, the rapidly expand- discuss in much greater depth the three foundational
ing set of devices to protect, driven by growth in vir- controls of the reference architecture offered by
tualization, the cloud, bring your own device (BYOD), Tripwire solutions—file integrity monitoring, security
and the Internet of Things (IoT). Add to that a con- configuration management and vulnerability man-
tinued shortage of qualified and skilled people to agement. They describe each control, explain where
tackle the work, an ever-increasing sophistication of each fits in common security frameworks, how it
threat actors, and stringent industry regulations and gets used, key integration points with other controls
compliance demands. Then top it off with a jumble of and business systems, deployment architecture dia-
security solutions meant to address these issues that grams, and many other important details and consid-
the CISO and security team must evaluate against erations related to the control.
security and compliance requirements and opera-
tional demands. Although the reference architecture at the secu-
rity control level is based on Tripwire solutions, your
Today’s organization needs to build a resilient archi- overall strategy must address the other controls out-
tecture—a dynamic system that can provide effective lined by your security framework. As a result, a com-
security today, but that’s flexible enough to protect plete IT security system will encompass a broader
against the unknown threats and new technology of set of solutions from multiple vendors. Ideally, these
tomorrow. While the dream of the silver bullet solu- vendors and their solutions will work together to help
tion with the power to stop all attacks on all systems your organization build a cohesive, inter-connected
is just that—a dream—you can establish and follow a system.
sensible path forward to arrive at that system. Like
any complex project, you can transform the over- SELECTING A FRAMEWORK
whelming into something manageable by stepping Your first step in developing an architecture involves
back, taking a deep breath, and breaking down the selecting a security framework. The security frame-
larger project into smaller, doable pieces. That’s the work formally describes the many processes, pro-
intent of this Prescriptive Guide. cedures and associated security controls that you
can use to reduce risk across your organization
WHAT YOU’LL LEARN and out to its many and diverse endpoints. Security
This guide describes an overall, holistic strategy frameworks vary in their level of specificity. Some
and approach to developing a system that protects frameworks have very specific prescriptive guidance
against today’s threats in today’s technology environ- on what should be done and the relative priority of
ment. each action, while others just paint a broad picture of
everything that could be done.
It explains how to develop an overall strategy for
security and compliance, including selecting the COMMON SECURITY FRAMEWORKS
security framework that will guide you in building Commonly used security frameworks include the
your system, and the maturity model that will help NIST Cybersecurity Framework, CIS Critical Security
you advance your security program. It also discusses Controls, ISO 27000-series, ISA 99/IEC 62443, FFIEC
the need to adopt or develop a reference architecture Information Security, COBIT, COSO, and HITRUST
at the higher security system level. It then introduces CSF. The PCI DSS, though mostly perceived as a
a reference architecture built on the various founda- compliance mandate, provides highly prescriptive
tional controls available through Tripwire’s solutions. security guidance that smaller and mid-size orga-
Finally, it discusses how to select the security solu- nizations in particular can leverage as a framework.
A MATURITY MODEL FOR When selecting a security maturity model, you may
CRITICAL SYSTEMS AND ENDPOINT SECURITY need to include a separate model to help you gauge
Many security programs now recognize the impor- and improve the effectiveness of your security pro-
tance of using a maturity model specific to particular gram in securing the organization’s endpoints.
areas of security. Systems that are most important
to the organization need to receive a heightened level TRIPWIRE’S REFERENCE ARCHITECTURE AND
The SANSofEndpoint
attentionSecurity
compared to a common
Maturity end-user laptop.
Model (CONTINUED)
THE C2M2 MATURITY MODEL
Critical systems are a smaller but more highly sensi- This reference architecture sets relate back to matu-
tive set of systems compared to the broader set of rity levels defined in C2M2. The architecture helps
Level 5: Proactive, Comprehensive, Continuous and Measurable
devices—endpoints—which can be broadly defined as place each security control into its appropriate C2M2
At this pinnacle level, the organization has a model security program around all its
every device or system that connects to the organiza- domain, defining what levels of maturity you can
endpoints and user endpoints, designed and executed to anticipate change. It is aligned
tion’s technology infrastructure. expect by implementing the reference architecture
with IT, procurement and business risk. It accurately identifies and protects all critical
business processes, information and assets related to endpoints. Security policies are
for a given control, and differentiating between the
Security
readily availablemodels for
on an intranet, andcritical systems
all affected users and
are required endpoints
to read relevant various levels by what technologies, processes or
models
policies have
annually. beensecurity
All endpoint developed and
infrastructure are seeing
components greater
are monitored people are in place. The reference architecture fur-
ns nurture a use because many organizations perceive the guid-
continuously, initial responses to incidents are fully automated, and security leadership ther defines appropriate MILs for the controls pro-
has established close coordination with Computer Emergency Response Teams (CERTs)
wherein all ance from traditional security maturity models to be vided by Tripwire products, augmenting the general
and law enforcement. If applicable, the organization participates actively with the
r security to too broad
appropriate or generic
Information Sharing and toAnalysis
adequately
Center. address endpoint definitions of the MILs with more specific guidance.
. security. Tripwire and SANS recently collaborated to
DEVELOPING A
All endpoint information is classified and labeled, and critical endpoint assets are
develop
physically the SANS
segmented to isolate Endpoint Security
the most sensitive Maturity
material. Data Model
loss prevention
to help organization’s
is in place, and anygauge
encryptedthe effectiveness ofentities
their
(DLP) technology
issecurity program
proxied so that content may with endpoint
be inspected.
communications
Endpointssecurity.
with outside
are locked downThe model
so that SECURITY ARCHITECTURE
defines five levels of maturity based on measure-
no unauthorized software can run (whitelisting), and the network is configured to While a security framework provides a broad view of
automatically reject any device not authorized, disabling the port and sending an alert
ments of six different dimensions, called elements. the many different security controls an organization
to operations staff. Users are fully aware of their security responsibilities; regular training
may need to deploy and manage; you shouldn’t view
and inoculation result in nearly zero user-error security incidents.
it as a checklist of 149 controls that you can imple-
ment one by one until you are finished and secure. In
the past, a checklist approach may have been more
appropriate, but security has evolved. Organizations
used to have a “defense in depth strategy,” with
numerous independently deployed security controls
that provided layers of protection. Today, security
LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5
is more of an interconnected web of controls that
Random, or Reactive, Preventative Organized, Proactive, communicate with each other and adapt dynamically
Disorganized or Tactical or Directed Comprehensive,
Continuous and based on changing intelligence and needs.
Measurable
MIL3: Mature
ROGRAM implementation
9 Detecting a Targeted Data Breach with Ease
MIL2: Established with high degree of
and followed automation and
MIL1: Accomplishing standard operating highly optimized
objectives, but with procedures, more
MIL0: Not some automation, automation
accomplishing but minimal or ad
objectives, or hoc process
accomplishing with
manual process
Fig. 2: The Cybersecurity Capability Maturity Model (C2M2) maturity indicator levels (MILs)
»Level
» 2: Specific security controls reference CRITERIA FOR SECURITY CONTROLS DESCRIBED BY
architecture, which describes the architecture for THE TRIPWIRE REFERENCE ARCHITECTURE
the individual controls offered by Tripwire. Tripwire’s reference architecture first distills all the
possible systems security controls you could deploy
Our reference architecture set excludes other areas
into a smaller set that meets the following criteria:
where reference architectures are also important.
For example, the set excludes the areas of network Security is the control’s primary function. Some con-
and application security and the myriad security con- trols like disaster recovery may be critical to secu-
trols outside of the scope of Tripwire’s offerings. rity, but serve their primary function in a broader IT
operations use case. Such controls would fit into an
Note that systems security is a broad area that cov-
IT operations reference architecture, and while no
ers multiple security controls. It includes controls
less important, are not included here.
offered by Tripwire, such as file integrity monitor-
ing, security configuration management, vulnerabil- Security of the individual system the control inter-
ity management and log management. But it also acts with is its primary function. Some controls may
includes additional controls from Tripwire partners combine network-based protections with individual
and others in the market, such as antivirus/anti- system tools. For example, web filtering may be pri-
malware, identity and access management, asset marily done with a network proxy, but have a system
management, deployment management, remote component available for mobile and remote workers
management, patch management, email filtering, as well. The Tripwire reference architecture excludes
browser protection, exploit prevention and disaster such a control because it would typically be found in
recovery. a network security reference architecture.
Critical System
Controls
• Integrity Monitoring -—
Change Auditing
• + Mid-level Controls
Endpoint Controls
• Vulnerability Management
• Antivirus/Anti-Malware
• Exploit Prevention
• Identity & Access
• Endpoint Detection and Response
• Encryption
Patch Management
Fig. 4: Pyramid of asset count and value Fig. 5: Sample set of system controls allocated by risk
PART TWO:
A REFERENCE ARCHITECTURE FOR
FILE & SYSTEM INTEGRITY MONITORING
In Part 1 you learned important background steps »»Standard operating procedures (SOPs) for build-
to take when developing a system to protect against ing, maintaining and operating your FIM solution
threats in today’s complex and dynamic technology
environment and threat landscape. It also introduced »»Additional valuable business services you can
three security controls that can help your organiza- gain using FIM with Tripwire Enterprise beyond
tion construct a foundation for an effective defense meeting the control objectives for change moni-
against today’s threats. These controls include file toring
integrity monitoring (FIM), security configuration
management (SCM), and vulnerability management BUSINESS DRIVERS FOR
(VM). FILE INTEGRITY MONITORING
You may have heard the phrase, “What’s good for
This part of the guide delves into greater detail about
security is good for compliance.” You could modify
the security control FIM, also known as system integ-
that phrase to “What’s good for security is good for
rity monitoring or change auditing. FIM is the control
IT operations,” and it would still ring true. Security,
that monitors, detects and manages all changes to
compliance, and operational requirements tend to
system state. For simplicity’s sake, this guide will
be highly interrelated, a fact that’s reflected by the
use Tripwire’s acronym for the capability, FIM, even
demand for FIM across all three programs for these
though identified state changes may be anywhere on
areas.
a system, and not necessarily in a file.
»The
» relationship of SCM to a variety of common DRIVERS FOR SCM FOR SECURITY
security frameworks Two complementary requirements often drive the
need for SCM. The first, to reduce your organiza-
»The
» two main use cases for SCM tion’s security risk by assuring you have secure
»Key
» integrations of SCM with other controls, sys- configurations in place. The second, to ensure your
tems and workflows compliance with regulations that require you to have
this control in place and auditable. As you can see,
»Descriptions
» of and diagrams for SCM deploy- these two requirements are highly inter-related, with
ment compliance around SCM helping ensure IT and data
security, and security for your SCM directly support-
»Considerations
» for determining SCM asset cover- ing compliance.
age and monitoring levels
From a security standpoint, you’ll see that almost
»Key
» performance indicators (KPIs) to evaluate every security framework, best-practice, and regu-
your SCM implementation’s effectiveness lation has SCM baked in. That’s because SCM is so
»C2M2
» levels of security maturity your security fundamental to reducing risk in an environment.
program can attain using SCM with Tripwire
From a compliance perspective, your organization
»Standard
» operating procedures (SOPs) for build- may require SCM to achieve regulatory compliance.
ing, maintaining and operating your SCM solution In almost all cases, that regulatory requirement
Diagram: Tripwire Enterprise model—SCM Deployment with both agent and agentless approaches used
The readiness of a particular asset, group of assets, an IT administration team capable of remediating
or part of an IT organization for SCM is also an issues on them, and asset owners who have bought
important consideration when prioritizing coverage. into the value of SCM, you’re better off deploying SCM
For example, if you already have a set of best prac- on those systems than on a mainframe system that
tices security policies defined for your Unix servers, has no clear pre-existing policy and an administrator
who would be reticent to make any changes even if
security issues were communicated to him or her.
EVALUATING EFFECTIVENESS
Identifying and tracking key performance indica-
Diagram: Tripwire Configuration Compliance Manager includes
tors (KPIs) for your SCM implementation can help
a scan engine component to support agentless and dissolvable
you evaluate your security program’s effectiveness.
agent approaches
In reviewing KPIs, don’t lose sight of the key objec-
tives of SCM: first, to proactively prevent successful
breaches by reducing the attack surface of systems, C2M2 DOMAINS RELEVANT TO SCM
and second, if applicable, to ensure compliance with The C2M2 maturity model categorizes broad areas of
regulatory standards. Make sure that the indicators security programs into domains. SCM falls within the
you select do indeed reflect the effectiveness of your C2M2 Asset, Change, and Configuration Management
SCM process in achieving those goals. domain. In addition to addressing SCM, this This
domain encompasses asset inventory, integrity moni-
Tripwire has developed a set of commonly used met- toring, and vulnerability management are all relevant
rics and criteria that may be used for evaluating your to this domain.
SCM implementation. These should be thoughtfully
considered and then tailored to meet your organiza- Within the scope of the objectives and practices rel-
tion’s specific business needs and structure: evant to SCM, implementing the Tripwire Reference
Architecture for SCM supports an organization
»Policy
» Compliance—The level of compliance of reaching either the MIL2 or MIL3 level of maturity. To
assets against the configured policies reach MIL3, you must have more detailed processes
»Average
» Risk Score—The level of risk of assets and associated personnel in place for configuration
based on deviations from configured policies and change management. You must also ensure that
»Top
» Policy Failures—The most common devia- you’ve rolled out SCM comprehensively, including in
tions from configured policies across an asset set the pre-production phases of your deployment pro-
cesses.
»Asset
» Coverage—The number of assets of an
asset set (or complete organization) with active If you’d like to learn more, refer to section 5.2 of the
SCM C2M2 Security Maturity Model, available at www.
For each of these metrics, evaluate the data across energy.gov/oe/services/cybersecurity/cybersecurity-
several categories or dimensions, including: capability-maturity-model-c2m2-program/cyberse-
curity
»Enterprise-wide
»
»By
» System Type
ADVANCING THROUGH THE MATURITY LEVELS
During the initial phase of deploying and operation-
»By
» Business Function alizing Tripwire Enterprise and Tripwire CCM, most
»By
» Business Unit organizations tend to operate at MIL1. If you’re oper-
ating at this maturity level, you’re using these solu-
»By
» Regulatory Scope
tions to accomplish essential and necessary activities
related to SCM. These activities include deployment
RELATIONSHIP OF SCM TO of Tripwire Enterprise agents or agentless deploy-
ment of Tripwire Configuration Compliance Manager
THE C2M2 MATURITY MODEL on critical systems and ongoing security configura-
As emphasized in the introductory part of this guide, tion assessments and monitoring. It also includes
a security maturity model can guide your organiza- having procedures in place for reviewing changes
tion’s security program as it advances to greater that your Tripwire SCM solutions indicate fail to align
levels of security. Maturity models do this by explain- with the associated policy.
ing what your security program can achieve by imple-
menting recommendations for a control, but also by To move up to MIL2, you must mature your processes
describing what additional technologies, processes, and practices around SCM. Processes will be more
or people your program must have in place to work formally documented and you will be incorporating
its way up through the various maturity levels. more best practices used by other organizations in
these areas, particularly around the use of automa-
While you can use any maturity model to advance tion. Although at MIL1, you may be performing the
your program, this guide refers to the C2M2 secu- same practices around assessment and continuous
rity maturity model, shown below, and relates that monitoring and have some process documentation,
to using SCM with Tripwire Enterprise or Tripwire as your program evolves to MIL2 and then on to MIL3,
Configuration Compliance Manager. processes and practices should become more com-
prehensive and formalized.
Several organizations with Tripwire Enterprise have 2. Sample Design and Implementation Guide for
evolved their implementation up to MIL3. The next Tripwire Enterprise and Tripwire CCM. Operational
section presents SOPs based on these organizations process documentation collaboratively developed
that you can leverage as best practices to help your by Tripwire Professional Services with a Tripwire
organization reach higher maturity levels. customer that has mature processes in in place.
»C2M2
» levels of security maturity your security
program can attain using VM with Tripwire
»An
» approach to inventorying systems to protect
Diagram: Architecture for key integration points for vulnerability Diagram: Tripwire IP360 includes a VnE Manager and Tripwire
management IP360 Device Profilers
»Generating
» vulnerability aging reports to track
remediation efforts
»Producing
» granular reports to track risks asso-
ciated with individual system owners so that
you can compare which owners are adhering to
established standards and where improvements
are needed
»Creating
» clean, simple trend analysis and execu-
tive reports that give senior level management a
Diagram: Aggregated reporting, analytics, and visualization quick view of your organization’s exposures and
provided by an additional component allows for scalability and the risk management program’s performance
provides additional capabilities over time
»Automating
» reports to ensure they address all
compliance and audit needs so that your analysts
EVALUATING EFFECTIVENESS can focus on threat analysis rather than generat-
Identifying and tracking key performance indicators ing reports/metrics
(KPIs) for your VM solution can help you evaluate
your security program’s effectiveness. In reviewing »Producing
» reports with multiple views, including
KPIs, don’t lose sight of the key objectives of VM: individual asset and application reports, that can
first, to proactively prevent successful breaches by roll up to create an organization risk framework
reducing the attack surface, and second, if appli-
cable, to ensure compliance with regulatory stan- For each of KPI metric, evaluate the data across sev-
dards. Make sure that the indicators you select do eral categories or dimensions, including:
indeed reflect the effectiveness of your VM process in
achieving those goals. »Enterprise-wide
»
»By
» System Type
Tripwire has developed a set of commonly used met-
rics and criteria that may be used for evaluating your »By
» Business Function
VM implementation. These should be thoughtfully »By
» Business Unit
considered and then tailored to meet your organiza-
»By
» Regulatory Scope
tion’s specific business needs and structure:
Kim, G. (2005). The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps.
Eugene, OR: Information Technology Process Institute.
North America Electric Reliability Corporation (NERC). NERC Critical Infrastructure Protection (CIP).
http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
National Institute of Standards and Technology (NIST). Framework for Improving Critical Infrastructure Cyber-
security.
http://www.nist.gov/cyberframework/
National Institute of Standards and Technology (NIST). Special Publication 800-53 Rev 4: Security and Privacy
Controls for Federal Information Systems and Organizations.
http://dx.doi.org/10.6028/NIST.SP.800-53r4
National Institute of Standards and Technology (NIST). Special Publication 800-128: Guide for Security-Focused
Configuration Management of Information Systems.
http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf
©2019 Tripwire, Inc. Tripwire, Log Center/LogCenter, IP360 and Tripwire Axon are trademarks or registered trademarks of Tripwire, Inc. All other product and company names are
property of their respective owners. All rights reserved. BRRXTRA1k 1701