Bracketology

Vulnerability & Patch Management

Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an the digital enterprise and the information supply chain. Patch and vulnerability management tools are essential components of continuous diagnostics and mitigation and cybersecurity automation and orchestration.

Vulnerability management and vulnerability scanning of continuously identify, classify, remediate, and mitigate vulnerabilities. Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware by significantly reducing the opportunities for exploitation of bugs and weaknesses in the system. Patches also add new features to software and firmware, including security capabilities.

These are the controls where vulnerability and patch management tools are applicable:

• CA-2 Security Assessments  
• CA-7 Continuous Monitoring 
• CM-3 Configuration Change Control
• IR-4 Incident Handling
• IR-5 Incident Monitoring
• MA-2 Controlled Maintenance
• RA-5 Vulnerability Scanning 
• SA-11 Developer Security Testing
• SI-2 Flaw Remediation 
• SI-11 Error Handling

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

Event & Incident Management

Event and incident management systems define, collect and manage the raw data about what's going on in your information supply chain. These tool assemble the information that is fed into other systems and/or used to orchestrate continuous monitoring of your digital enterprise. There are two sets of tools that are used for event and incident management. They are mapped to the corresponding controls below.

Logging & Log Management

Log management aggregates data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events. The data collected directly correlates to your specific configurations, architectures, endpoint and user access and authentication capabilities. These log files feed other automation and orchestration tools to enable continuous assessment of a system or information supply chain's risk posture and wellness.

• AU-2 Auditable Events 
• AU-3 Content of Audit Records
• AU-4 Audit Storage Capacity
• AU-5 Response to Audit Processing Failures
• AU-6 Audit Review, Analysis, and Reporting 
• AU-7 Audit Reduction and Report Generation
• AU-8 Time Stamps
• AU-12 Audit Generation
• CA-2 Security Assessments  
• CA-7 Continuous Monitoring 
• IR-5 Incident Monitoring
• RA-3 Risk Assessment 
• SI-4 Information System Monitoring  
Read NIST Log Management Guidance Here

Intrusion Detection & Prevention Systems (IDPS)

Intrusion detection prevention systems (IPS) are network security appliances that monitor network or system activities for malicious activity. This hardware monitors events occurring in the computer system or network monitoring for signs of possible incidents, violations of security policies, acceptable use of policies logging information about the state of the network and system components, attempting to stop certain behavior, and reporting them to system administrators. It is also used for identifying problems with existing security policies.

• AC-4 Information Flow Enforcement
• AC-17 Remote Access
• AC-18 Wireless Access
• AU-2 Auditable Events 
• AU-6 Audit Review, Analysis, and Reporting 
• AU-12 Audit Generation
• AU-13 Monitoring for Information Disclosure
• CA-2 Security Assessments 
• CA-7 Continuous Monitoring 
• IR-5 Incident Monitoring
• RA-3 Risk Assessment 
• SC-7 Boundary Protection
• SI-3 Malicious Code Protection
• SI-4 Information System Monitoring 
• SI-7 Software and Information Integrity  

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

Malware Detection

Malware, a portmanteau for malicious software, is the contemptible amalgam of hostile and intrusive software, computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and phishing tools designed to be covertly inserted into your information supply chain to destroy data, compromise the confidentiality, integrity, or availability of your data, applications, or operating system and generally mess up your systems ruining your day, your weekend and your appearance at the next board meeting.

Malware is the most common external threat to most digital enterprises, causing widespread damage and disruption and necessitating extensive recovery endeavors. This is one of those risk areas where you need to continuously update your malware detection capabilities for known vulnerabilities while building capabilities to deploy resilient systems for the zero-day exploits and other increasingly sinister creations from the hacker underworld that you don't know about yet.

• CA-2 Security Assessments  
• CA-7 Continuous Monitoring 
• IR-5 Incident Monitoring
• RA-3 Risk Assessment 
• SA-12 Supply Chain Protection
• SA-13 Trustworthiness
• SI-3 Malicious Code Protection
• SI-4 Information System Monitoring 
• SI-7 Software and Information Integrity  
• SI-8 Asset Management

And while you are here, let us remind you to backup your data and critical apps on a regular schedule.

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

Network Management

A network management encompasses the hardware and/or software tools that allow an IT professional to supervise the individual components of a network. These tools enable network administrators manage a network's independent components inside a bigger network management framework. Network management is an increasingly complex domain given the breadth and scope and exponentially expanding boundaries of what constitutes your network.

• AC-4 Information Flow Enforcement
• AC-17 Remote Access
• AC-18 Wireless Access
• CA-7 Continuous Monitoring 
• CM-2 Baseline Configuration 
• CM-3 Configuration Change Control
• CM-4 Security Impact Analysis
• CM-6 Configuration Settings
• CM-8 Information System Component Inventory  
• SC-2 Application Partitioning
• SC-5 Denial of Service Protection
• SC-7 Boundary Protection
• SC-10 Network Disconnect
• SC-32 Information System Partitioning
• SI-4 Information System Monitoring 

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

Software Assurance

Software Assurance is the planned and systematic set of activities that ensure that software processes and products conform to requirements, standards, and organizational procedures help achieve:

• Trustworthiness – No exploitable vulnerabilities exist, either of malicious or unintentional origin; and
• Predictable Execution – Justifiable confidence that software, when executed, functions as intended.

These are the security controls to consider when building Software Assurance into your risk-based cybersecurity architecture:

• CA-7 Continuous Monitoring 
• SA-4 Acquisitions
• SA-8 Security Engineering Principles
• SA-11 Developer Security Testing
• SA-12 Supply Chain Protection
• SA-13 Trustworthiness
• SA-14 Critical Information System Components
• SI-13 Predictable Failure Prevention

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

Information Protection | Data Loss Prevention (DLP)

Data loss prevention and information protection cover the techniques for protecting your most important digital assets. It prevents end users from removing data or emailing to their friends, it protects these assets from deliberate or inadvertent disclosure and insures that all of your data assets are identified and tracked.

From a cybersecurity perspective Data Loss Prevention tools also provide the mechanisms to watch the flow of data out of your enterprise by monitoring the normal ebb and flow of data in your environment. DLP software forces the bad guys to steal your stuff more slowly so that your DLP doesn't tip you off that there is a change in your data movements.

• AC-4 Information Flow Enforcement
• AC-17 Remote Access
• CA-3 Information System Connections
• CA-7 Continuous Monitoring 
• CM-7 Least Functionality 
• SC-9 Transmission Confidentiality
• SI-12 Information Output Handling and Retention

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

Security Information and Event Management

Security information event management (SIEM) tools gather, analyze and present information from network and security devices, identity and access-management applications, vulnerability management and policy-compliance tools, operating-system, database and application logs, external threat data.

SIEMs aggregate data, correlate and link events to turn data into useful information; perform security alerting on issues within the environment; automate compliance and security governance and auditing functions and enable presentation of dashboards to facilitate real-time monitoring of the state and health of the system and its components.

SIEM tools may be used as part of an implementation strategy for these controls:

• AC-5 Separation of Duties
• AU-2 Auditable Events 
• AU-6 Audit Review, Analysis, and Reporting 
• AU-7 Audit Reduction and Report Generation
• CA-2 Security Assessments  
• CA-7 Continuous Monitoring 
• IR-5 Incident Monitoring
• PE-6 Monitoring Physical Access
• RA-3 Risk Assessment 
• RA-5 Vulnerability Scanning 
• SI-4 Information System Monitoring 

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

Configuration Management

Configuration management is the holy grail of cybersecurity. If you don't know what you have, how it's configured, and where it is you can't protect it. Configuration management (CM) is a governance and systems engineering process that ensures the proper accounting of an enterprise's information technology assets and of the interrelationship between them in an operational environment across the system lifecycle.

• AC-2 Account Management 
• AC-3 Access Enforcement
• AC-5 Separation of Duties
• AC-7 Unsuccessful Login Attempts
• AC-9 Previous Logon (Access) Notification
• AC-10 Concurrent Session Control
• AC-11 Session Lock
• AC-19 Access Control for Mobile Devices
• AC-20 Use of External Information Systems
• AC-22 Publicly Accessible Content 
• CA-2 Security Assessments  
• CA-7 Continuous Monitoring 
• CM-2 Baseline Configuration 
• CM-3 Configuration Change Control
• CM-5 Access Restrictions for Change 
• CM-6 Configuration Settings
• CM-7 Least Functionality 
• IA-2 Identification and Authentication (Organizational Users)
• IA-3 Device Identification and Authentication
• IA-4 Identifier Management  
• IA-5 Authenticator Management 
• IA-8 Identification and Authentication (Non-Organizational Users)
• IR-5 Incident Monitoring
• MA-5 Maintenance Personnel
• PE-3 Physical Access Control 
• RA-3 Risk Assessment 
• SA-7 User Installed Software
• SA-10 Developer Configuration Management
• SI-2 Flaw Remediation 

In today's world of agile software development, continuous DevOps deployment cycles, security-focused configuration management is an essential element in digital innovation and digital transformation.

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

Asset Management

Asset Management is the process of tracking a diverse set of hardware and software and the location and configuration of networked devices and software across the enterprise — hardware include servers, workstations, and network devices; software include operating systems, applications, and files.

Comprehensive asset management programs enable organizations to more securely and efficiently monitor and manage their organization's many information technology (IT) assets in an increasingly complex information supply chain that includes complex systems and complex organizations that can include networks of IT assets supporting networks of subsidiaries, branches, third-party partners, contractors, temporary workers, constituents, customers, and guests.

Consider these controls when building asset management into your cybersecurity program.

• CA-7 Continuous Monitoring 
• CM-2 Baseline Configuration 
• CM-3 Configuration Change Control
• CM-4 Security Impact Analysis
• CM-8 Information System Component Inventory  
• SA-10 Developer Configuration Management

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

License Management

License management keeps track of software license agreements, how those licenses are deployed and managed, and providing access to software resources in usage-based business models. License management is used to insure license compliance and to digital rights management. From a cybersecurity perspective this enables management of legitimate software and helps find unlicensed software present in the environment.

• CA-7 Continuous Monitoring 
• CM-8 Information System Component Inventory  
• SA-6 Software Usage Restrictions

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.

Management Dashboards

Management dashboards provide a visual representation of what is happening within the digital enterprise and the information supply chain providing a quick and easy way to see and assess your risk posture. Dashboards automatically and securely connects to your data and continuously update in real-time. The challenge in building and deploying effective management dashboards is to determining which metrics provide the most relevant actionable information on the state and status of your systems Here are the controls that can help you build your dashboards; and risk and security awareness strategies.

• AC-5 Separation of Duties
• CA-6 Security Authorization 
• CA-7 Continuous Monitoring 
• PM-6 Information Security Measures of Performance
• PM-9 Risk Management Strategy
• RA-3 Risk Assessment 
• SI-4 Information System Monitoring 

Controls with   indicate controls where Cloud Service Providers have corresponding responsibilities to the implementation of the control.