
Page 1

For Official Use Only

AWARE Scoring Agency-Wide Adaptive Risk Enumeration

FITSC 2018

Department of Homeland Security, CDM PMO

November 7, 2018

Page 2

Generic Risk Scoring Concept

Source: https://arch.idmanagement.gov/

Page 3

Background

• iPost: Department of State
• Security Posture Dashboard Reporting (SPDR): Department of Justice
• Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS): Department of Homeland Security

CDM Dashboard Risk Scoring currently utilizes Archer's out-of-the-box scoring.

Page 4

Base Metric [Vulnerability]

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.

CVSS Value   Scaled CVSS Value
10.0         10.0
 9.0          7.29
 8.0          5.12
 7.0          3.43
 6.0          2.16
 5.0          1.25
 4.0          0.64
 3.0          0.27
 2.0          0.08
 1.0          0.01

Scaled Base CVSS [Vulnerability] × Age [Decay] × Weight [Threat, Impact] × Tolerance [Grace Period] = AWARE Score

Page 5

Scoring Factors

Page 6

Aging (Control Decay)

• Developed in iPost
• Extended in SPDR with policy variables (n days to double)
• Kept in AWARE to encourage timely remediation of vulnerabilities
• Measured from the publication date of the Common Vulnerabilities and Exposures (CVE)
• Current default is 90 days to double score for base CVEs

Source: https://arch.idmanagement.gov/

Page 7

Current Aging Facts

• Vulnerabilities are all aged logarithmically
• FVAs are aged more aggressively than non-FVAs
• Configuration settings are not aged
• Unapproved hardware is not aged
• Future scoring areas may or may not use aging, which is part of the general AWARE formula:

Score = Base Score * Aging Factor * Weighting Factor * (Impact Factor)

Page 8

General Principles of Risk Aging

Opportunity Risk: If there is risk at all, it usually gets worse over time simply because an adversary has more time to exploit it. In certain cases, other factors (see later slide) may come into play that arrest or even reverse this increase.

Bounded Risk: As risk increases, there remains a bound (saturation point) beyond which the amount of increased risk is no longer accepted as credible or useful.

Stages of Aging: External events may occur during aging that justify/require changing the way a risk is aged.

Page 9

Weight [Impact]

Two independent factors proposed for AWARE:

Federal Vulnerability Action (FVA)
• Weight factor on a CVE due to a heightened threat level for that CVE
• Commercial threat tool identifies critical ratings

High Value Factor (HVF)
• Weight factor applied to endpoints in FISMA systems with a Federal Information Processing Standards 199 (FIPS 199) impact of "High"

Page 10

Allowable Tolerance [Grace Period]

• Intended to give agencies a number of days to test and deploy patches and/or mitigate vulnerabilities before the agency's federal score is impacted
• Begins when the vulnerability is added to the Agency Dashboard
• Scores are not shown on the Federal Dashboard while within the allowable tolerance period

Actual Score (With): All metrics used, including the Allowable Tolerance Metric. Considered to be the baseline federal score.

Anticipated Score (Without): All metrics used except the Allowable Tolerance Metric. Provides an indication of what the scores would be if they were not shielded by Allowable Tolerance periods.

Page 11

AWARE Scoring Summary

Weight Metric (common to the areas below): High Value Factor: 1.5; FVA Factor: 2.0

Scoring Area: VUL (Shown on Federal Dashboard: Yes)
• Base Metric: Scaled CVSS base score
• Age Metric: Logarithmic aging, doubles in 90 days (7 days default for FVAs)
• Weight Metric: High Value Factor (if applicable and in addition to 2.0 for FVAs)
• Allowable Tolerance Period: 30 days (7 days for FVAs as default)

Scoring Area: CSM (Shown on Federal Dashboard: Yes)
• Base Metric (STIG): [.72, .36, .12] for [CAT I, CAT II, CAT III]
• Age Metric: 1
• Weight Metric: High Value Factor, if applicable
• Allowable Tolerance: 30

Scoring Area: UAH (Shown on Federal Dashboard: Yes)
• Base Metric: 10
• Age Metric: 1
• Weight Metric: None
• Allowable Tolerance: 7 days
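As a worked illustration of the VUL scoring chain described on pages 4, 7, 10 and 11 (scaled base, age, weight, tolerance), the following is added example code, not the CDM PMO's or any dashboard's implementation. Assumptions: the cubic scaling 10*(CVSS/10)^3 is inferred because it reproduces every value in the page 4 table, not because the deck states it; the age metric is modelled as 2^(days/n) with n = 90 (7 for FVAs) and a saturation cap of 16, since the deck gives a doubling period and a "bounded risk" principle but not the exact curve or bound; and a finding still inside its tolerance period contributes 0 to the actual score.

```python
from dataclasses import dataclass

# Parameters as stated on the deck's summary slide (page 11).
DOUBLING_DAYS = {"base": 90, "fva": 7}     # age metric: score doubles in n days
TOLERANCE_DAYS = {"base": 30, "fva": 7}    # allowable tolerance (grace period)
HIGH_VALUE_FACTOR = 1.5                    # FIPS 199 "High" impact systems
FVA_FACTOR = 2.0                           # Federal Vulnerability Action weight
MAX_AGING_FACTOR = 16.0                    # ASSUMED saturation bound (deck states none)


def scaled_cvss(cvss: float) -> float:
    """Scale a CVSS base score so high scores dominate. 10*(cvss/10)**3 reproduces
    the deck's table (9.0 -> 7.29, 4.0 -> 0.64); the cubic form is inferred."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    return round(10.0 * (cvss / 10.0) ** 3, 2)


def aging_factor(days_since_cve_published: int, fva: bool) -> float:
    """Doubling-period aging model (ASSUMED curve), capped at a saturation bound."""
    n = DOUBLING_DAYS["fva" if fva else "base"]
    return min(2.0 ** (days_since_cve_published / n), MAX_AGING_FACTOR)


def weight_factor(fva: bool, high_value: bool) -> float:
    """FVA and High Value factors are independent and multiply together."""
    return (FVA_FACTOR if fva else 1.0) * (HIGH_VALUE_FACTOR if high_value else 1.0)


@dataclass
class Finding:
    cve: str                       # placeholder ids only in the constructed samples
    cvss: float
    days_since_published: int      # aging clock starts at CVE publication
    days_on_agency_dashboard: int  # tolerance clock starts on the Agency Dashboard
    fva: bool = False
    high_value: bool = False


def aware_scores(f: Finding) -> tuple:
    """Return (anticipated, actual): anticipated ignores tolerance, actual
    shields findings that are still inside their allowable tolerance period."""
    anticipated = (scaled_cvss(f.cvss)
                   * aging_factor(f.days_since_published, f.fva)
                   * weight_factor(f.fva, f.high_value))
    grace = TOLERANCE_DAYS["fva" if f.fva else "base"]
    actual = 0.0 if f.days_on_agency_dashboard < grace else anticipated
    return round(anticipated, 2), round(actual, 2)
```

With constructed inputs, a CVSS 9.0 finding on a high-value system, 180 days after publication and 10 days on the agency dashboard, scores 43.74 anticipated but 0.0 actual (inside the 30-day grace period), while a CVSS 8.0 FVA at 14 days and 7 days on the dashboard scores 40.96 on both.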

Page 12

Mission Operations

CDM Operational Requirements ~ Capability Areas

Capability Area: What is on the network? (Phase 1)
  Capability Set: Manage Assets
  Mission Operations Capability Functionality: Hardware Inventory, Software Inventory, Configuration Settings, Vulnerabilities/Anti-virus

Capability Area: Who is on the network? (Phase 2)
  Capability Set: Manage Accounts for People and Services
  Mission Operations Capability Functionality: Trust in People Granted Access; Security Related Behavior; Credentials & Authentication; Privilege and Account Access

Capability Area: What is happening on the network? (Phase 3)
  Capability Set: Manage Events
  Mission Operations Capability Functionality: Network/Physical Access Control (deferred to Phase 3); Prepare for Incidents and Contingencies; Respond to Incidents and Contingencies; Ongoing Assessment

  Capability Set: Manage Security Lifecycle / Design and Build in Security
  Mission Operations Capability Functionality: Requirements, Policy and Planning; Quality Management; Supply Chain Risk Management (SCRM)

  Capability Set: Manage Security Lifecycle / Operate, Monitor and Improve
  Mission Operations Capability Functionality: Operational Security; Generic Audit/Monitoring; Ongoing Authorization

Capability Area: How is data protected? (Phase 4)
  Capability Set: Manage Data Protection
  Mission Operations Capability Functionality: Manage Data Protection

Page 13

Page 14

Benchmark Quality Ratings

• Binary scoring (met/unmet), compliance checks (pass/fail), or control measurement (80%) lack context and are difficult to translate into the overall risk picture.
• Benchmarking assists mission owners and operators with:
  • Gaining an independent perspective about performance across groups
  • Clearly identifying specific areas of need (trigger assessments & control testing)
  • Validating assumptions
  • Prioritizing improvement opportunities
  • Setting performance expectations
  • Monitoring performance and managing change

Page 15

How will you use AWARE scoring?


Page 16

Improving Risk Posture

The traditional view holds that even a modest investment in security raises the bar for all attackers.

[Figure: Attack Surface]

Source: Original content

Page 17

Managing Relative Performance

Outcomes

• Transparency & improvement

• Improved situational awareness

• Comparison between similar peers

• Social and group pressure

• Results Sharing

• Comparisons over time

Impacts

• Reduced attack surface

• Hierarchical pressure

• Better / faster risk decisions

• Measurable control