Thursday, October 29, 2009

Notes from NIST SCAP 5th Security Automation Conference

Sadly, I only had one day to spent at this fun event, but it was definitely well worth it. I missed some of the keynotes as I was speaking with various people, so the first presentation I went to was supposed to be about “HBSS Open Framework.” In this reality :-), it was replaced by John Pescatore from Gartner. He started to go about FISMA and NIST 800-53 (and even FDCC) popping up in commercial space (contractors mostly), but then  quickly boosted into the cloud :-)

One fun thing he sad was that what he used to call “nightmare [cloud] scenario” is now called “everybody scenario.”  His theme was that we used to think that security needs to be included when new [cloud] infrastructure is being built BUT (!) this moment is slipping away FAST! He even uttered that we need to “inject security back” as cloud train is speeding out of the station.  His vision can be summarized as  “MySecurity.cloud” – some kinda SaaS service that you go “through” before accessing other cloud services. He then quickly summarized what is the status of such “cloud exodus” now: vulnerability management is "”fully gone”, various filtering (“network security in the cloud”  - he called it “MitM security”) is going now, what will go next (log management or SIEM)?

Another interesting thought was about “full stack, continuous VM” – don’t just check for presence  of Skype (for example – he really means “all apps” including consumer apps on work PCs!) or for vulnerabilities in Skype, but check whether Skype is configured securely. He also show this fun chart:

/\
|
axis: value to
business
     
high embrace contain  
low disregard block  
  low high axis: security
pressure ->

[I love how Gartner folks can visualize something complex into a neat chart…]

Another insightful thought from him was that the world has shifted away from directories. There is “no directory for cell phone” – instead  “ring of trust” such as Facebook is it…

Next I went to see Ed Bellis  fling some SCAP goodness. The main idea is that one can build a tool to automate the layer of tasks and issues above vulnerability assessment. Basically, the whole workflow from discovery –> remediation task planning –> fixing the issue –> retest –> validate + track everything for all regular and custom web application vulnerabilities. I find it really, really curious that VM vendors didn’t do it like this …. So, this was very useful and checking the slides

when posted will come hand. I found it interesting that there is absolutely no reconciliation between “security asset management/discovery” with “real IT asset management.” IMHO it drives the nail into a coffin of “IT ops and security convergence” theme that many folks adore … Also, web application flaw severity scoring is still a big hole. Where is CWSS when you need it? :-)

Next I made a mistake of going to a vendor presentation. It was so salesy I almost puked :-) BTW, the name of the vendor rhymes with “BigAss.” Please, dear BigAss folks, next time send somebody who can talk substance and not just that you are “strong in government!”

As far as trend watching, for a brief second I sensed that “SCAP use outside of the government” is an emerging trend, but it really isn’t. Using CVE and other identifiers as well as CVSS for scoring – outside the government or anywhere else for that matter – does not SCAP use make. It is simply called “common sense” :-) Now, if you found some use for the juiciest pieces of SCAP – OVAL and XCCDF – then we are talking…

Next I went to CEE presentation and my log standards challenges presentation. Obviously, this was the highlight of the day. At this stage, BTW, now I am convinced we can win this one and start standardizing the logs! In particular, we will release the architecture specification in about a week or two.

I am writing this on the train to CSI2009, notes from that show will come tomorrow…

Dr Anton Chuvakin