GRC Sensors - PowerPoint PPT Presentation

About This Presentation
Title:

GRC Sensors

Description:

Anti-virus, anti-phishing, Malware detection. Others ... In IT Security the best established CVE and CVSS ... Not all are obviously security related but all are ... – PowerPoint PPT presentation

Slides: 12
Provided by: nic103

Transcript and Presenter's Notes

1
GRC Sensors
  • Nick Connor
  • Assuria Limited

2
GRC Product Architecture
(Architecture diagram. Source: Information Governance)
3
Sensors can ...
  • provide automated inputs from low-level data
  • demonstrate compliance with legislation and
    regulation (and non-compliance)
  • demonstrate working controls (and non-working
    controls)
  • highlight risks / threats
  • identify incidents
  • highlight possible data leakage
  • identify potential reputation damage
  • many more

4
Example sensors
  • Sensors to detect events
    • System monitors: vulnerability assessment,
      configuration and policy compliance
    • Network traffic monitors: intrusion detection,
      intrusion prevention, firewalls, routers
    • Access and identity monitors: failed logins,
      privilege escalation, biometric identities
    • Web site monitors: pages visited, referred from
    • End point monitoring: data leakage; anti-virus,
      anti-phishing, malware detection
  • Others
    • Event and audit log collection: OS,
      infrastructure, applications
    • CMDB systems
    • Incident management
    • Backup software, business continuity management
    • IT security information (intelligence feeds)
    • Emerging

5
Sensors can add value
  • Sensors could
    • Monitor against expected controls and policies
    • Filter out normal and report abnormal
    • Aggregate many events into a threat or risk
    • Map events to standards / external references
    • Provide automatic feeds to GRC

6
GRC and Sensors
(Diagram: Governance, Risk and Compliance; controls
such as ISO 27001, ISO 13335, NIST 800-53 and CIS;
and SENSORS. Software sensors, for example:
configuration assurance, vulnerability assessment,
policy compliance, change detection, audit log
management. Source: Gartner, January 2006)
7
Need for common language
  • A common language that is both computer- and
    human-readable
  • Standards and emerging standards
  • In IT security the best established are CVE and
    CVSS
  • Common Vulnerabilities and Exposures (CVE) is a
    dictionary of publicly known information security
    vulnerabilities and exposures
  • Common Vulnerability Scoring System (CVSS) is an
    industry standard for assessing the severity of
    computer system security vulnerabilities
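A small aggregator in the spirit of slides 5 and 7, added here as an example (it is not code from the presentation or from Assuria): constructed events from three sensor types are filtered to drop the normal ones, aggregated per host and control into GRC risk items, and vulnerability findings are mapped to their CVE references with a CVSS severity band. The sensor field names, the CVE ids and the control ids are placeholders.

```python
from collections import defaultdict

# Constructed sample events from three sensor types (not from the presentation).
# Field names, CVE ids and control ids are placeholders, not real values.
FAILED = {"sensor": "access", "host": "db01", "type": "failed_login", "user": "svc_backup"}
EVENTS = [FAILED, FAILED, FAILED,
    {"sensor": "access", "host": "web01", "type": "login_ok", "user": "alice"},
    {"sensor": "vuln", "host": "web01", "type": "vuln", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"sensor": "vuln", "host": "web01", "type": "vuln", "cve": "CVE-0000-0002", "cvss": 3.1},
    {"sensor": "config", "host": "db01", "type": "drift", "setting": "PermitRootLogin",
     "expected": "no", "actual": "yes"},
]
# Event type -> placeholder reference into the organisation's control catalogue.
CONTROL_REF = {"failed_login": "CTRL-ACCESS", "vuln": "CTRL-VULN-MGMT", "drift": "CTRL-CONFIG"}

def cvss_band(score):
    """CVSS v3 qualitative bands: 9.0+ critical, 7.0+ high, 4.0+ medium, else low."""
    for threshold, band in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= threshold:
            return band
    return "low"

def is_abnormal(event):
    """Filter out normal: successful logins and low-severity findings are not reported."""
    if event["type"] == "login_ok":
        return False
    return not (event["type"] == "vuln" and cvss_band(event["cvss"]) == "low")

def aggregate(events):
    """Aggregate abnormal events per (host, control) into GRC risk items with references."""
    groups = defaultdict(list)
    for ev in filter(is_abnormal, events):
        groups[(ev["host"], CONTROL_REF[ev["type"]])].append(ev)
    items = []
    for (host, control), evs in sorted(groups.items()):
        refs = sorted({ev["cve"] for ev in evs if "cve" in ev})
        if refs:  # vulnerability findings: severity from the worst CVSS score
            severity = cvss_band(max(ev["cvss"] for ev in evs))
        elif control == "CTRL-ACCESS":  # repeated failed logins escalate
            severity = "high" if len(evs) >= 3 else "medium"
        else:  # any drift from the expected configuration is reported as high
            severity = "high"
        items.append({"host": host, "control": control, "severity": severity,
                      "events": len(evs), "references": refs})
    return items
```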

8
Similar Standards
  • CVE is sponsored by MITRE, a US federally
    supported organisation
  • Other standards being promoted include
    • Configurations (CCE)
    • Software Weakness Types (CWE)
    • Attack Patterns (CAPEC)
    • Platforms (CPE)
    • Log Format (CEE)
    • Reporting (CRF)
    • Checklist Language (XCCDF)
    • Assessment Language (OVAL)
    • Security Content Automation (SCAP)
  • Making Security Measurable
  • All are XML based to facilitate data interchange
  • More information at
    http://www.mitre.org/work/cybersecurity.html

9
Sensors feed into GRC
(Diagram: many sensors feed into aggregation layers,
which in turn feed into GRC)
10
Challenges for SITC SIG
  • Broad range of possible sensors, including
    • configuration auditing
    • identity and access management
    • security information
    • event information and management
  • Not all are obviously security related, but all
    are CIA (Confidentiality, Integrity,
    Availability) related
  • Aggregation of information: consolidating events
    (data) into GRC-usable information
  • Reference to external standards
  • Use of emerging standards to define common
    formats for information exchange between
    sensors and GRC
  • Limited only by our imagination

11
Thank you
  • Questions?