
NIST Validated and SCAP Enabled
Most security breaches and attacks occur at the endpoint.
Endpoints that are not up-to-date with the most current
patches and configurations are vulnerable, and unmanaged
removable media and applications can easily open the
floodgates for data to escape into the wrong hands. The
threat of data exposure and network instability or
disruption comes from outside the agency walls as well as
from within.
While many government agencies have established endpoint
security policies, they do not have the right security
management software to enforce them. Many users continue to
run software that is either unauthorized or is without the
latest patches, remove data from agency networks and
download infected or inappropriate files, which can expose
vulnerabilities that enable the theft or loss of critical
information. Recent security violations have sparked
legislative requirements and standards-based protocols
around security controls and data protection that impact
both Civilian and DOD agencies.
Lumension Security’s Vulnerability Management Solution has been validated by NIST as conforming to the Security Content Automation Protocol (SCAP) and its component standards.
Civilian Solutions: Comply with Endpoint Security Mandates and Protocols
- Federal Information Security Management Act (FISMA) Compliance - primary legislation governing the management of federal information security.
- Office of Management and Budget (OMB) M06-16 Mandate - requires agencies to establish safeguards for sensitive data on laptops and desktops.
- Federal Desktop Core Configuration (FDCC) - security configuration standards developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS) that are mandated by OMB M07-11.
- Security Content Automation Protocol (SCAP) - repository of security content used for automating technical control compliance activities, vulnerability checking of both application misconfigurations and software flaws, and security measurement.
DOD Solutions: Comply with Endpoint Security Mandates and Protocols
- Director of Central Intelligence Directive (DCID) 6/3 - establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in information systems.
- Information Assurance Vulnerability Alerts (IAVA) - computer application software or operating system vulnerability security bulletin, determined by JTF-GNO, which alerts on "High-Risk/Threat" vulnerabilities.
Security Management Software That Secures Critical Information at the Endpoint
By automatically identifying and remediating security and operational vulnerabilities and enforcing application and device use policies at the endpoint, Lumension’s security management software enables government organizations to reduce the risk of network instability and protect the confidentiality and integrity of sensitive data. Lumension solutions include:
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
- PatchLink Scan™ - Complete network-based scanning solution that enables assessment and analysis of threats impacting all network devices.
- PatchLink Security Configuration Management™ - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
- PatchLink Developers Kit™ - Create custom remediation packages to address configuration issues, remove unauthorized files and applications, address zero-day threats, patch custom software and more.
- PatchLink Enterprise Reporting™ - Robust data warehouse that enables easy creation and sharing of reports on all aspects of your remediation efforts in support of policy compliance.
- Sanctuary® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
- Sanctuary® Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.
Lumension Security Management Software Helps Government Bodies to:
- Comply with requirements for safeguarding the integrity and availability of sensitive data and IT assets
  - Remove the risk of classified data being improperly disclosed
  - Prove compliance with DCID 6/3 and OMB M06-16 by providing a detailed audit trail of all device and application execution attempts, by tracking data that is copied to and from removable devices and by controlling what data is allowed to be copied to a device at the file level
  - Patch and remediate vulnerabilities before they can be exploited to access sensitive data
  - Control and monitor the flow of inbound and outbound data with removable media and devices
  - Identify organizational security holes in the protection of information through comprehensive auditing capabilities
- Comply with security configuration requirements as outlined by the FDCC and mandated by OMB M07-11
  - Map technical controls to policies through the import of SCAP documents
  - Identify non-compliant security configurations through comprehensive network and agent-based scanning capabilities
  - Enforce and maintain required security configurations through rapid remediation of non-compliant machines
  - Prove compliance with OMB M07-11 by providing high-level and detailed reports of enterprise endpoint configurations
- Meet strict international requirements posed by the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS)
  - Prevent malware execution originating at an endpoint
  - Protect against network security breaches where agency data could be exposed to fraud
  - Enable the transmission, integrity, confidentiality and retention of sensitive data without disruption, corruption or loss
- Improve IT system performance
  - Prevent unwanted applications and devices from burdening network bandwidth
  - Enable faster computing resources on network, laptops and PCs
  - Maintain PCs’ performance as new, with configurations remaining stable
- Reduce endpoint security TCO
  - Minimize security or DCID 6/3, OMB M06-16, and OMB M07-11 compliance crisis response
  - Remediate vulnerabilities more quickly and with fewer required resources
- Improve end user productivity
  - Block unwanted, non-business desktop applications
  - Enforce policy to ensure endpoints run as expected
  - Enforce software license compliance within the agency
Lumension Security Government Contracts
GWAC contracts include:

DCID 6/3 Compliance
The Director of Central Intelligence Directive (DCID)
6/3 establishes the security policy and procedures for
storing, processing, and communicating classified
intelligence information in information systems -
http://www.fas.org/irp/offdocs/dcid-6-3-manual.pdf.
To achieve compliance with DCID 6/3, agencies must
ensure that information is safeguarded at all times and
that appropriate security measures are in place to
ensure the confidentiality, integrity and availability
of that information.
Lumension’s Endpoint Security and Vulnerability Management Solutions Enable Agencies to Comply with DCID 6/3
Lumension’s Endpoint Security and Vulnerability
Management Solutions ensure that agency information is
secured in compliance with DCID 6/3 requirements.
Lumension’s solutions ensure the confidentiality and
integrity of agency data by:
- Enforcing granular application and removable device usage policies
- Enforcing encryption when data is copied to removable media
- Providing detailed auditing information, including the flow of data read from or written to a removable device and all application and device access attempts, including administrator actions
- Discovering all enterprise IT assets and vulnerabilities and providing actionable information
- Remediating vulnerabilities to ensure that system and data exposure is minimized
- Enterprise-wide reporting of all patch and remediation activities to ensure that desired security postures are maintained
Lumension solutions include:
Endpoint Security Solutions:
- Sanctuary® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
- Sanctuary® Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.
Vulnerability Management Solutions:
- PatchLink Scan™ - Complete network-based scanning solution that enables assessment and analysis of threats impacting all network devices.
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
Through vulnerability assessment, remediation and endpoint control, Lumension Security solutions complement an organization’s DCID 6/3 compliance strategy by implementing the proper safeguards around the confidentiality, integrity and availability of intelligence information:
DCID 6/3 Requirement 1:
Intelligence information shall be appropriately safeguarded at all times, including when used in information systems, which shall be protected. Safeguards shall be applied such that:
- individuals are held accountable for their actions
- information is accessed only by authorized individuals and processes
- information is used only for its authorized purpose(s)
- information retains its content integrity
- information is available to satisfy mission requirements
- information is appropriately marked and labeled

How Lumension Solutions Address Requirement 1:
Lumension’s Endpoint Security and Vulnerability Management solutions ensure that intelligence information is appropriately safeguarded.
Lumension’s Endpoint Security Solutions:
- Assure user compliance with endpoint security policies governing application and device control. Detailed auditing capabilities ensure that individuals are held accountable for their actions with regard to application and removable device usage.
- Enable temporary or scheduled removable device access per established policies.
- Record the filename or the complete file that is read from and/or written to a removable device, to contain data leakage.
- Enable agencies to define and enforce policies regarding which users or user groups have access to specific applications and/or removable devices.
- Enforce granular device control permission settings, including read/write, scheduled access, temporary access, online/offline, I/O bus type, HDD/non-HDD devices and more.
- Prevent unwanted and malicious code from executing on agency systems, protecting content and system integrity.
Lumension’s Vulnerability Management Solutions:
- Discover IT assets that are vulnerable to exploitation
- Remediate vulnerabilities rapidly to prevent systems and data from being exposed
- Automatically enforce mandatory baselines across agency endpoints to ensure that critical vulnerabilities are patched

DCID 6/3 Requirement 2:
Appropriate security measures shall be implemented to ensure the confidentiality, integrity, and availability of that information. The mix of security safeguards selected for systems that process intelligence information shall ensure that the system meets the policy requirements set forth in this policy and its implementation manual.
- Information systems security shall be an integral part of all system life-cycle phases for all systems.
- The security of systems shall be reviewed whenever changes occur to missions, information systems, security requirements, or threat, and whenever there are significant adverse changes to system vulnerabilities.
- Appropriate authorities, as defined in the Manual, shall be immediately notified of any threats or vulnerabilities impacting systems that process their data.
- All ISs are subject to monitoring consistent with applicable laws and regulations, and as provided for by agency policies, procedures, and practices. As a minimum, monitoring will assess the adequacy of the confidentiality, integrity, and availability controls.

How Lumension Solutions Address Requirement 2:
Lumension’s Endpoint Security and Vulnerability Management solutions ensure the confidentiality, integrity and availability of intelligence information.
Lumension’s Endpoint Security Solutions:
- Enable only authorized applications or removable devices to be accessed on agency machines.
- Secure sensitive agency data by encrypting data that is moved onto a removable device.
- Remove the risk of large pieces of confidential data leaving the network by enabling restrictions on the amount of data copied to a removable device on a per-user basis.
- Reduce the risk of unwanted files entering or leaving the network by controlling the types of files that are moved to or from removable devices.
- Assure consistent monitoring and reporting of application and device usage or attempts by authorized and unauthorized users, including administrator actions.
- Record the filename or the complete file that is read from and/or written to a removable device, to contain data leakage.
Lumension’s Vulnerability Management Solutions:
- Discover IT assets that are vulnerable to exploitation
- Remediate vulnerabilities rapidly to prevent systems and data from being exposed
- Automatically enforce mandatory baselines across agency endpoints to ensure that critical vulnerabilities are patched
FISMA Compliance
The National Institute of Standards and Technology (NIST) Special Publication 800-53 provides recommended security controls for federal information systems and is used to determine the baseline security controls for a system. Federal IT systems must adhere to these security guidelines to comply with FISMA.
Lumension’s Endpoint Security and Vulnerability Management Solutions Enable Agencies to Comply with FISMA
Lumension Security’s Common Criteria certified (EAL2+) Endpoint Security and Vulnerability Management Solutions have been helping agencies meet the challenges of FISMA compliance for years. These solutions include:
- PatchLink Security Configuration Management™ - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
- PatchLink Scan™ - Complete network-based scanning solution that enables assessment and analysis of threats impacting all network devices.
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
- Sanctuary® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
- Sanctuary® Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.
Lumension Security’s Endpoint Security and Vulnerability Management Solutions were designed with FISMA compliance in mind, providing:
- Complete asset and vulnerability discovery
- Thorough risk assessment and prioritization
- Enforcement of security configurations
- Robust vulnerability remediation
- Accurate verification of security posture
- Policy-based removable device control
- Detailed audit trail of all data read from or written to removable devices
- Actionable reports to show policy compliance
Lumension Security policy-based solutions were designed to enforce and maintain desired security
postures across complex and heterogeneous government IT environments and to show compliance with FISMA
security control standards. One of the largest federal government agencies employs Lumension solutions
to achieve FISMA compliance on over 250,000 enterprise devices.
IAVA Compliance
Lumension Security has been serving the Department of Defense for many years, helping the U.S. Army achieve IAVA compliance across its network. Through this long-standing relationship, Lumension Security provides the most robust coverage in the industry, with granular detail for all types of IAVAs, including:
- DOD IAVAs
- AFCERT IAVAs
- NAVCIRT IAVAs
- ACERT IAVAs
- IAVAs for each branch of the military
Lumension’s team of security engineers is engaged with DOD entities such as the JTF-GNO and the AKO to provide extensive and up-to-date information on IAVAs, which is included in every Lumension Security Vulnerability Management Solution release.
Lumension Security Vulnerability Management Solution, which includes award-winning products such as PatchLink Update and PatchLink Scan:
- Enables the DOD to rapidly and accurately identify and remediate IAVAs
- Offers numerous ways to categorize the IAVA database to quickly identify the specific information required
- Cross-references IAVAs to industry-standard tracking mechanisms such as the MS number or CVE number
- Supports all major platforms, including Windows, Unix, Linux, Mac and POSIX
The graphic below highlights examples of DOD IAVAs tracked by Lumension Security Vulnerability Management Solution.

OMB M-06-16 Compliance
Office of Management and Budget M-06-16 Mandate
requires agencies to establish safeguards for sensitive
agency data on laptops and workstations -
http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf.
To achieve compliance with the M-06-16 Mandate, agencies
must enforce security measures that safeguard the
integrity and availability of sensitive agency
information at the endpoint.
Lumension’s Sanctuary Helps Agencies Comply with M-06-16 for Endpoint Security
Lumension’s Sanctuary Device Control ensures the confidentiality and integrity of agency data on laptops and workstations by enforcing encryption when data is copied to removable media and by controlling which devices are used, by whom, and on which machines. Sanctuary helps agencies prove M-06-16 compliance through bi-directional Shadowing capabilities, which detail what information has been transferred between a workstation and removable media. With Sanctuary, only authorized users can copy data onto encrypted removable media, with complete auditing of that action.
By employing a whitelist approach, Sanctuary is
uniquely capable of enforcing application and device
usage and control policies, which enables only
authorized applications and devices to run or connect to
a network, server, terminal services server, laptop,
thin client or desktop – facilitating security and
systems management, while providing necessary
flexibility to the agency to easily enable the use of
new/upgraded applications or devices.
Through policy-based control at the endpoints to
monitor and control the inbound and outbound flow of
sensitive agency information, Sanctuary complements
organizations’ M-06-16 compliance strategy by
implementing the proper internal safeguards around
application and removable device use:
| M-06-16 Requirements | How Sanctuary Addresses M-06-16 Requirements |
| Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive. | Sanctuary secures sensitive agency data by encrypting data that is moved onto a removable device. |
| Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required. | Sanctuary provides comprehensive audit logs that detail what data has been moved onto a specific device and by which user. |
FDCC Compliance
The Federal Desktop Core Configuration, developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS), provides a set of security configuration standards to which all federal agencies must adhere, as mandated by the Office of Management and Budget.
Lumension Security enables agencies to comply with FDCC standards by providing a Security Content Automation Protocol (SCAP) Validated FDCC Scanner that assesses, standardizes and reports against required configurations. Lumension’s SCAP validation can be viewed at http://nvd.nist.gov/scapproducts.cfm#scapproducts.
Securing Endpoint Configurations and Enabling FDCC Compliance
Lumension Security’s Vulnerability
Management Solution ensures that agency endpoint
configurations are compliant with the standards outlined
in the FDCC. Through import of SCAP policy templates,
network and agent-based scanning, policy enforcement and
enterprise reporting, Lumension’s Vulnerability
Management Solutions automatically check the security
properties of network devices and effectively map
security configuration controls to these enterprise
endpoints to enforce proper configurations and report
against FDCC requirements to prove compliance.
Lumension Security’s Vulnerability Management Solution
includes:
- PatchLink Security Configuration Management™ - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
- PatchLink Scan™ - Complete network-based scanning solution that enables assessment and analysis of threats impacting all network devices.
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
By delivering a comprehensive vulnerability
management solution that includes an SCAP Validated FDCC
Scanner, Lumension Security enables federal agencies to:
- Manage Policy – Define, edit and import/export security configuration policies from SCAP documents
- Assess Policy – Assess and apply appropriate policies to applicable systems in a flexible manner
- Enforce Policy – Enforce and maintain required security configurations by automating the remediation process of non-compliant machines
- Report Policy Compliance – Report on policy compliance with required security configurations, including high-level and detailed views of the enterprise endpoint configurations, such as the total percentage of compliant vs. non-compliant machines, detailed information on individual devices and many more
Security Content Automation Protocol (SCAP)
Sponsored by the National Institute of Standards and Technology (NIST), SCAP is a repository of security content used for automating technical control compliance activities, vulnerability checking of both application misconfigurations and software flaws, and security measurement. The primary output from SCAP is a set of security checklists in a standard eXtensible Markup Language (XML) format that agencies (and vendors) can use via automated commercial products to help build, operate, measure and maintain secure systems according to official government security recommendations. Each security checklist contains instructions for configuring information technology products for an operational environment or for verifying that an information technology product is already securely configured.
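The XML checklists described above are consumed and produced in the XCCDF component format of SCAP; a scanner emits an XCCDF TestResult per host, and the "percent compliant vs. non-compliant machines" figure cited elsewhere on this page is derived from those results. The following is an added example, not Lumension's or NIST's code: it parses a constructed XCCDF 1.2 result for two hosts (host names and rule ids are placeholders) and computes the per-host score and the failing rules a compliance report would list.

```python
"""Summarize XCCDF TestResult elements, the XML output of an SCAP configuration scan."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample (not real scanner output): two hosts, four FDCC-style rules each.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_desktop">
  <TestResult id="xccdf_example_testresult_host-a">
    <target>host-a.example.gov</target>
    <rule-result idref="xccdf_example_rule_min-password-length"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_autorun-disabled"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewall-enabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_guest-disabled"><result>notapplicable</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_host-b">
    <target>host-b.example.gov</target>
    <rule-result idref="xccdf_example_rule_min-password-length"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_autorun-disabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewall-enabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_guest-disabled"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""

# XCCDF result values that count toward the score; notapplicable, notchecked,
# notselected and informational are excluded from the denominator.
SCORED = {"pass", "fail", "error", "unknown", "fixed"}
# "fixed" means the rule failed but was remediated during the scan: counts as passing.
PASSING = {"pass", "fixed"}


def summarize_host(test_result):
    """Return (target, result counts, failing rule ids, percent compliant) for one TestResult."""
    target = test_result.findtext("x:target", default="?", namespaces=NS)
    counts = Counter()
    failing = []
    for rr in test_result.findall("x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[result] += 1
        # An error or unknown result is treated as non-compliant, not silently ignored.
        if result in SCORED and result not in PASSING:
            failing.append(rr.get("idref"))
    scored = sum(counts[r] for r in SCORED)
    passed = sum(counts[r] for r in PASSING)
    percent = round(100.0 * passed / scored, 1) if scored else 0.0
    return target, dict(counts), failing, percent


def summarize_results(xml_text):
    """Parse a Benchmark (with embedded results) or a standalone TestResult document."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{XCCDF_NS}}}TestResult":
        results = [root]
    else:
        results = root.findall("x:TestResult", NS)
    return [summarize_host(tr) for tr in results]


def compliant_hosts(summaries, threshold=100.0):
    """Split hosts into compliant (score >= threshold) and non-compliant target lists."""
    ok = [s[0] for s in summaries if s[3] >= threshold]
    bad = [s[0] for s in summaries if s[3] < threshold]
    return ok, bad


if __name__ == "__main__":
    summaries = summarize_results(SAMPLE_RESULTS)
    for target, counts, failing, percent in summaries:
        print(f"{target}: {percent}% compliant, failing rules: {failing or 'none'}")
    ok, bad = compliant_hosts(summaries)
    print(f"compliant: {ok}; non-compliant: {bad}")
```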
SCAP Validated FDCC Scanner Ensures Compliant Agency Configurations
Lumension Security’s Vulnerability Management
Solution automates the management of security
configurations via the import/export of SCAP checklists,
discovery of assets and vulnerabilities, defining of
policies, enforcing those policies and reporting
compliance effectiveness against the standards set forth
by NIST and used by the US Department of Defense,
National Security Agency and other departments.
Lumension Security’s Vulnerability Management Solution
includes:
- PatchLink Security Configuration Management™ - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
- PatchLink Scan™ - Complete network-based scanning solution that enables assessment and analysis of threats impacting all network devices.
- PatchLink Update™ - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
SCAP Standards include OVAL, CVE, CPE, CVSS, CWE, CCE,
CRF and XCCDF
Lumension Security’s SCAP Validated and award-winning
product portfolio has been declared or certified
compliant in the following areas:
Leader in Development of SCAP Standards
Lumension Security is a leader in the development of
standards including proposing a format for SCAP
Remediation in August 2006 and a database pattern for
all (current and future) SCAP documents, results and
reports.
- OVAL Remediation, a future Common Remediation Language (CRL), presented at OVAL Developer Days in the summer of 2006
- Use the link at the bottom of this page to download the SCAP Database Model Proposal made in September 2007, a future Common Database (CDB)