CMMC - Audit & Monitoring

 The Cybersecurity Maturity Model Certification (CMMC) was developed to create a framework to assess an organization's implementation of cybersecurity practices evenly across the defense industrial base.  Using NIST 800-53 and NIST 800-171 as the baseline, the primary objective of CMMC is to consolidate the two security catalogs into a single measurable framework. Over the next 5 years, starting in June 2020, organizations that create Government off-the-shelf (GOTS) products, handle Federal Contract Information (FCI), or Controlled Unclassified Information (CUI) will need to show compliance at 1 of the 5 levels. Only Cyber 3rd Party Accreditation Organizations (C3PAO) will be able to certify an organization as compliant or not. Tenable.sc provides on-prem solutions for assessing Cyber Exposure practices and maps these practices to known assessment regulations such as NIST, CSF, and others. 

The Audit & Monitoring dashboard showcases practices from the Audit & Accountability (AU) and System & Communications Protection (SC) domains. The AU domain includes system configuration auditing practices. Defining audit requirements, performing audits, identifying and  protecting audit information, and reviewing and managing audit logs all fall under the AU domain. Some of the goals of the SC domains are defining security requirements for systems and communications, and controlling control communications at system boundaries.

Sensitive but unclassified federal information is routinely processed by, stored on, or transmitted through nonfederal information systems. Failing to properly protect this Controlled Unclassified Information (CUI) could impact the ability of the federal government to successfully carry out required missions and functions. CMMC provides requirements for protecting the confidentiality of CUI. 

Implementing a continuous monitoring strategy involves establishing policies and procedures to monitor network traffic, remediate vulnerabilities in a timely manner, and configure audit policies to monitor internal systems. To obtain the most accurate view of the organization’s current security posture, routine vulnerability scans should also be performed as a part of a continuous monitoring strategy. 

Information presented within this dashboard enhances existing audit policies, and can improve overall response efforts. Analysts can use this information to obtain an accurate look into the overall attack surface, and have actionable intelligence needed to improve the organization’s security posture. Audit checks are performed to identify issues with audit policies or security controls that should be addressed by security teams.

Protecting and retaining records, monitoring systems security alerts, and identifying system flaws in a timely manner are essential to protecting information systems. Monitoring inbound and outbound communications is essential to detect attacks, and potential indicators of attacks. Improperly maintained systems, accounts, or audits will hinder investigations concerning inappropriate system activity, and may potentially give  attackers opportunities to exploit them.

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requires audit files utilizing NIST 800-53 and NIST 800-171 checks.

The dashboard requirements are:

• Tenable.sc 5.12.0
• Nessus 8.9.0
• Compliance Data

Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provides the ability to continuously Assess an organization’s adherence to best practice configuration baselines. Tenable.sc provides customers with a full and complete Cyber Exposure platform for completing an effective cybersecurity practices prescribed by CMMC standard.

Components

Network Mapping - Top Active Services: This table enumerates the top services that were active and listening on the network. The table is sorted so that the services with the highest number of detections are at the top. To reduce the network attack surface, services that are not being used should be disabled. Any unauthorized services should be further investigated. 

GLBA - Antivirus: The Antivirus dashboard component leverages the Nessus antivirus auditing plugins to report known antivirus installations and identified vulnerabilities.

Verizon DBIR - Anti-Virus: This matrix assists the organization in monitoring anti-virus (AV) solutions. The "% Hosts AV Up-to-Date" column displays the percentage of total systems that have AV installed and working properly; the "% Hosts AV Detected" column displays the percentage of total systems on which AV has been detected, whether or not the AV is working properly. The "AV Vulnerabilities" column displays the number of detected vulnerabilities related to AV. Clicking on a highlighted indicator will bring up the analysis screen to display details on the detections and events and allow further investigation.

Exploits by Platform - Network Attack Surface: The table lists the most exploitable subnets by vulnerability score. The table is filtered for exploitable vulnerabilities and includes the IP range, total vulnerability count, and a bar chart of vulnerabilities by severity. Security analysts can use this table to identify the most vulnerable subnets within the environment.

CMMC - Compliance Summary: This component displays a summary  of several audit standards (NIST 800-53, NIST 800-171, CSF), providing a host count, and ratio bars for each severity level. CMMC focuses on NIST 800-53 and NIST 800-171, at the same time Cyber Security Framework (CSF) is cross mapped with several other standards to provide a more holistic account of security compliance tracking. The three columns with ratio bars provide a ratio of total audit checks to a specified status of the check. Checks that have passed are green, failed checks are red, and checks which require manual verification are in orange.

Track Mitigation Progress - Vulnerability Summary by Severity: Tenable.sc records when vulnerabilities are discovered, when patches are issued, and when vulnerabilities are mitigated. In the matrix, the row with red is critical severity vulnerability information, the row with orange is high severity, the row with yellow is medium severity, and the row with green is low severity. The Mitigated column displays the number of vulnerabilities that have been moved to the mitigated database. A vulnerability is moved to the mitigated database when the vulnerability is no longer detected by a rescan; the vulnerability is assumed to be remediated. The Unmitigated column displays the number of current vulnerabilities that are not yet remediated and have not been moved to the mitigated database. The Exploitable column displays the percentage of those unmitigated vulnerabilities that are known to be exploitable. The Patch Available column displays the percentage of the unmitigated, exploitable vulnerabilities that have had a patch available for more than 30 days. Ideally, both of these percentages should be 0%, because all exploitable vulnerabilities and all vulnerabilities with patches available should have been mitigated already. The Exploitable Hosts column displays the number of hosts on the network that have unmitigated, exploitable vulnerabilities.

Account Status Indicators - Group Memberships: There are several default groups such as the administrators, server operators, account operators, backup operators, print operators, and replicator; this matrix provides an easy method to monitor these memberships.

Network Mapping - System Counts: This component presents the counts of systems detected on the network in various categories. The total number of systems is displayed, along with the counts of actively scanned systems detected by Nessus, passively detected systems discovered by NNM, and systems from which LCE obtained logs. For these, percentages of the total system count are displayed. The percentage bar color reflects coverage and will be red for a low percentage of total systems, yellow for a medium percentage, and green for a high percentage. In addition, counts of external-facing systems, systems that clients connect to (servers), admin systems, wireless access points, and web servers are also displayed. For each of these, percentages of the total system count are displayed with black bars. Finally, the count of exploitable systems on the network is displayed, along with a percentage bar displayed in red. Using this matrix, organizations will be able to gain a more complete picture of existing assets and high-valued systems on the network. Clicking on a highlighted indicator will bring up the analysis screen to display the specific systems and allow further investigation.

CSF - Tracking Vulnerabilities: SecurityCenter records when vulnerabilities are discovered, when patches are issued, and when vulnerabilities are mitigated. This component assists in tracking vulnerability mitigations. In the matrix, the top row is total vulnerabilities at all severity levels, and the row with red breaks out the critical severity vulnerabilities. The Mitigated column displays the number of vulnerabilities that have been moved to the mitigated database. A vulnerability is moved to the mitigated database when the vulnerability is no longer detected by a rescan; the vulnerability is assumed to be remediated. The Unmitigated column displays the number of current vulnerabilities that are not yet remediated and have not been moved to the mitigated database. The Exploitable column displays the percentage of those unmitigated vulnerabilities that are known to be exploitable. The Patch Available column displays the percentage of the unmitigated, exploitable vulnerabilities that have had a patch available for more than 30 days. Ideally, both of these percentages should be 0%, because all exploitable vulnerabilities and all vulnerabilities with patches available should have been mitigated already. The Exploitable Hosts column displays the number of hosts on the network that have unmitigated, exploitable vulnerabilities. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to allow further investigation.