Appendix A Patch Management System Security Practices

Section 3.4.7 describes Scenario 6, “Patch management system security (or other system with administrative privileged access).” In support of Scenario 6, this appendix describes recommended security practices for systems, such as patch management systems, that have administrative privileged access over many other systems and therefore meet the definition of “critical software” in Executive Order (EO) 14028. It then summarizes how the example solution components described in this practice guide could support each of those recommended security practices.

A.1 Security Measures

The table below defines security measures for software of critical importance. Note that these security measures are not intended to be comprehensive. They are based on those in the NIST publication Security Measures for “EO-Critical Software” Use Under Executive Order (EO) 14028. A security measure (SM) is a high-level security outcome statement that is intended to apply to critical software or to all platforms, users, administrators, data, or networks (as specified) that are part of running critical software. The security measures are grouped by five objectives:

  1. Protect critical software and critical software platforms (the platforms on which critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage.

  2. Protect the confidentiality, integrity, and availability of data used by critical software and critical software platforms.

  3. Identify and maintain critical software platforms and the software deployed to those platforms to protect the critical software from exploitation.

  4. Quickly detect, respond to, and recover from threats and incidents involving critical software and critical software platforms.

  5. Strengthen the understanding and performance of humans’ actions that foster the security of critical software and critical software platforms.

Each row in the table defines one security measure and lists mappings to it from the NIST Cybersecurity Framework and NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. These mappings are in the form of Cybersecurity Framework Subcategories and SP 800-53 security controls, respectively. The mappings are general and informational; any particular situation might have somewhat different mappings.

| Security Measure (SM) | Cybersecurity Framework Subcategories | SP 800-53 Rev. 5 Controls |
|---|---|---|
| Objective 1: Protect critical software and critical software platforms from unauthorized access and usage. | | |
| SM 1.1: Use multi-factor authentication that is verifier impersonation-resistant for all users and administrators of critical software and critical software platforms. | PR.AC-1, PR.AC-7 | AC-2, IA-2, IA-4, IA-5 |
| SM 1.2: Uniquely identify and authenticate each service attempting to access critical software or critical software platforms. | PR.AC-1, PR.AC-7 | AC-2, IA-9 |
| SM 1.3: Follow privileged access management principles for network-based administration of critical software and critical software platforms. Examples of possible implementations include using hardened platforms dedicated to administration and verified before each use, requiring unique identification of each administrator, and proxying and logging all administrative sessions to critical software platforms. | PR.AC-1, PR.AC-7, PR.MA-1, PR.MA-2 | AC-2, IA-2, SC-2, SC-7 enhancement 15 |
| SM 1.4: Employ boundary protection techniques as appropriate to minimize direct access to critical software, critical software platforms, and associated data. Examples of such techniques include network segmentation, isolation, software-defined perimeters, and proxies. | PR.AC-3, PR.AC-5 | SC-7 |
| Objective 2: Protect the confidentiality, integrity, and availability of data used by critical software and critical software platforms. | | |
| SM 2.1: Establish and maintain a data inventory for critical software and critical software platforms. | ID.AM-3, DE.AE-1 | CM-8, PM-5 |
| SM 2.2: Use fine-grained access control for data and resources used by critical software and critical software platforms to enforce the principle of least privilege to the extent possible. | PR.AC-4 | AC-2, AC-3, AC-6 |
| SM 2.3: Protect data at rest by encrypting the sensitive data used by critical software and critical software platforms consistent with NIST’s cryptographic standards. | PR.DS-1 | SC-28 |
| SM 2.4: Protect data in transit by using mutual authentication whenever feasible and by encrypting sensitive data communications for critical software and critical software platforms consistent with NIST’s cryptographic standards. | PR.AC-3, PR.AC-7, PR.DS-2, PR.PT-4, DE.CM-7 | AC-4, AC-17, SC-8 |
| SM 2.5: Back up data, exercise backup restoration, and be prepared to recover data used by critical software and critical software platforms at any time from backups. | PR.IP-4 | CP-9, CP-10 |
| Objective 3: Identify and maintain critical software platforms and the software deployed to those platforms to protect the critical software from exploitation. | | |
| SM 3.1: Establish and maintain a software inventory for all platforms running critical software and all software (both critical and non-critical) deployed to each platform. | ID.AM-1, ID.AM-2, ID.SC-2 | CM-8, PM-5, RA-9 |
| SM 3.2: Use patch management practices to maintain critical software platforms and all software deployed to those platforms. Practices include: (1) rapidly identify, document, and mitigate known vulnerabilities (e.g., patching, updating, upgrading software to a supported version) to continuously reduce the exposure time; (2) monitor the platforms and software to ensure the mitigations are not removed outside of change control processes. | ID.RA-1, ID.RA-2, ID.RA-6, PR.IP-12, DE.CM-8, RS.MI-3 | CA-7, RA-5, SI-2, SI-5, SR-8 |
| SM 3.3: Use configuration management practices to maintain critical software platforms and all software deployed to those platforms. Practices include: (1) identify the proper hardened security configuration for each critical software platform and all software deployed to that platform (hardened security configurations enforce the principles of least privilege, separation of duties, and least functionality); (2) implement the configurations for the platforms and software; (3) control and monitor the platforms and software to ensure the configuration is not changed outside of change control processes. | ID.RA-1, ID.RA-2, ID.RA-6, PR.AC-4, PR.IP-1, PR.IP-3, PR.PT-3, DE.CM-8, RS.MI-3 | AC-5, AC-6, CA-7, CM-2, CM-3, CM-6, CM-7, RA-5, SI-5 |
| Objective 4: Quickly detect, respond to, and recover from threats and incidents involving critical software and critical software platforms. | | |
| SM 4.1: Configure logging to record the necessary information about security events involving critical software platforms and all software running on those platforms. | PR.PT-1 | AU-2, AU-3, AU-4, AU-5, AU-8, AU-9, AU-11, AU-12 |
| SM 4.2: Continuously monitor the security of critical software platforms and all software running on those platforms. | DE.CM-7 | CA-7, SI-4 |
| SM 4.3: Employ endpoint security protection on critical software platforms to protect the platforms and all software running on them. Capabilities include: (1) protecting the software, data, and platform by identifying, reviewing, and minimizing the attack surface and exposure to known threats; (2) permitting only verified software to execute (e.g., file integrity verification, signed executables, allowlisting); (3) proactively detecting threats and stopping them when possible; (4) responding to and recovering from incidents; (5) providing the necessary information for security operations, threat hunting, incident response, and other security needs. | PR.DS-5, PR.DS-6, DE.AE-2, DE.CM-4, DE.CM-7, DE.DP-4 | SI-3, SI-4, SI-7 |
| SM 4.4: Employ network security protection to monitor the network traffic to and from critical software platforms to protect the platforms and their software using networks. Capabilities include: (1) proactively detecting threats at all layers of the stack, including the application layer, and stopping them when possible; (2) providing the necessary information for security operations, threat hunting, incident response, and other security needs. | PR.DS-5, DE.AE-1, DE.AE-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.DP-4 | AU-13, AU-14, SC-7, SI-3 |
| SM 4.5: Train all security operations personnel and incident response team members, based on their roles and responsibilities, on how to handle incidents involving critical software or critical software platforms. | PR.AT-5, PR.IP-9, PR.IP-10 | AT-3, CP-3, IR-2 |
| Objective 5: Strengthen the understanding and performance of humans’ actions that foster the security of critical software and critical software platforms. | | |
| SM 5.1: Train all users of critical software, based on their roles and responsibilities, on how to securely use the software and the critical software platforms. | PR.AT-1 | AT-2, AT-3 |
| SM 5.2: Train all administrators of critical software and critical software platforms, based on their roles and responsibilities, on how to securely administer the software and/or platforms. | PR.AT-2 | AT-3, CP-3 |
| SM 5.3: Conduct frequent awareness activities to reinforce the training for all users and administrators of critical software and platforms, and to measure the training’s effectiveness for continuous improvement purposes. | PR.AT-1, PR.AT-2 | AT-3 |
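SM 3.2 and SM 3.3 both end with the same monitoring practice: confirming that a deployed mitigation (a patch, a hardened setting) has not been removed outside of change control. The following is an added example of that check, written for this appendix; it is not code from the practice guide or from any of the technology providers. The approved baseline, the platform snapshot, and the package names and setting keys in it are constructed for illustration, and an inventory agent or configuration management tool would supply the real snapshot.

```python
"""Baseline drift check illustrating the monitoring practices in SM 3.2 and SM 3.3.

Added example, not code from the practice guide or from any technology provider.
It checks that patches have not been rolled back (SM 3.2) and that hardened
settings have not been changed or dropped (SM 3.3) outside of change control.
Package names, versions, and setting keys are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed approved baseline: minimum patched version for each approved
# package (SM 3.2) and the required value of each hardened setting (SM 3.3).
BASELINE = {
    "packages": {"openssl": "3.0.13", "sudo": "1.9.15", "openssh-server": "9.6"},
    "settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "firewall.default_incoming": "deny",
    },
}

# Constructed snapshot, as an inventory agent might report it from one platform.
SNAPSHOT = {
    "packages": {
        "openssl": "3.0.13",
        "sudo": "1.9.5",          # below the patched level: a mitigation was removed
        "openssh-server": "9.6",
        "telnetd": "0.17",        # not in the baseline: violates least functionality
    },
    "settings": {
        "sshd.PermitRootLogin": "yes",  # hardening reverted
        "sshd.PasswordAuthentication": "no",
        # firewall.default_incoming is absent from the snapshot
    },
}


def version_key(version: str) -> tuple:
    """Turn '1.9.15' into (1, 9, 15) so versions compare numerically.

    A plain string comparison would rank '1.9.5' above '1.9.15' and miss
    the downgrade; comparing integer components avoids that.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass
class DriftReport:
    downgraded: dict = field(default_factory=dict)        # pkg -> (installed, required)
    missing_packages: list = field(default_factory=list)  # approved but not installed
    unapproved_packages: list = field(default_factory=list)
    changed_settings: dict = field(default_factory=dict)  # key -> (actual, required)
    missing_settings: list = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.downgraded or self.missing_packages or self.unapproved_packages
                    or self.changed_settings or self.missing_settings)

    def findings(self) -> list:
        """One human-readable line per deviation, suitable for a ticket or SIEM alert."""
        lines = [f"{p}: installed {i} is below required {r}" for p, (i, r) in self.downgraded.items()]
        lines += [f"{p}: approved package missing" for p in self.missing_packages]
        lines += [f"{p}: package not in approved baseline" for p in self.unapproved_packages]
        lines += [f"{k}: is {a!r}, required {r!r}" for k, (a, r) in self.changed_settings.items()]
        lines += [f"{k}: required setting missing" for k in self.missing_settings]
        return lines


def check_drift(baseline: dict, snapshot: dict) -> DriftReport:
    """Compare one platform snapshot against the approved baseline."""
    report = DriftReport()
    for pkg, required in baseline["packages"].items():
        installed = snapshot["packages"].get(pkg)
        if installed is None:
            report.missing_packages.append(pkg)
        elif version_key(installed) < version_key(required):
            report.downgraded[pkg] = (installed, required)
    for pkg in snapshot["packages"]:
        if pkg not in baseline["packages"]:
            report.unapproved_packages.append(pkg)
    for key, required in baseline["settings"].items():
        actual = snapshot["settings"].get(key)
        if actual is None:
            report.missing_settings.append(key)
        elif actual != required:
            report.changed_settings[key] = (actual, required)
    return report


if __name__ == "__main__":
    report = check_drift(BASELINE, SNAPSHOT)
    print("compliant" if report.is_clean() else "\n".join(report.findings()))
```

Run periodically against every platform in the software inventory (SM 3.1), the report gives the CA-7 continuous-monitoring evidence that SM 3.2 and SM 3.3 call for: any non-empty finding is a change that either has a change record or is an incident to investigate.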

A.2 Component Support of Security Measures

This section provides summary tables for how each technology provider’s components in the example solution could support the security measures defined above. The technical mechanisms, configuration settings, or other ways in which the components could provide this support were not necessarily utilized in the example solution build. The information is provided here to offer examples of how these security measures might be implemented, not to serve as recommendations for how to implement them.

Each table in this section has the same four columns:

  • SM #: This lists a security measure ID from the previous section and links to the definition of that ID.

  • Question: This contains a question NIST asked the technology providers to answer for their components regarding the associated security measure.

  • Technical Mechanism or Configuration: This is a summary of the answer from the component’s technology provider. The content submitted by each technology provider has been edited for brevity.

  • Refs.: This provides hyperlinks to any applicable references specified by the technology provider. This column is blank if no reference was needed or available, or if there is a single reference for all entries in a table, in which case the reference is defined immediately before the table.

In each table, rows with no answer or an answer of “no” or “not applicable” have been omitted for brevity.

A.2.1 Cisco FTD Support of Security Measures

| SM # | Question | Technical Mechanism or Configuration | Refs. |
|---|---|---|---|
| SM 1.1 | Does the software platform allow for the use of a two-factor authentication method for access? | Certificates from a Personal Identity Verification (PIV) card or Common Access Card (CAC) can be used along with soft certificates to authenticate admin users. | Ref 1 |
| SM 1.2 | Does the software platform identify and authenticate users and machine accounts that try to access the platform? | Services using the pxGrid solution to gather data from the system or publish require the use of certificates to secure the communications channel. | Ref 1 |
| SM 1.3 | Does the system allow for creating accounts with different access levels to enforce least management? | The Cisco FMC admin console supports role-based access control. There are predefined roles, and custom roles with permissions can be created. | Ref 1 |
| SM 1.4 | Does the system allow for the use of discretionary access control lists (DACLs), network segmentation, or isolation for access to the platform? | Administrators can limit access by IP address and port. | Ref 1 |
| SM 2.2 | Does the system allow for creating accounts with different access levels to enforce least management? | The Cisco FMC admin console and command-line interface (CLI) both support role-based access control. | Ref 1 |
| SM 2.5 | Does the system support performing regular backups and restorations? | Cisco FMC enables backup and restore of configuration and monitoring. FMC also provides backup and restore of the devices it manages. | Ref 1 |
| SM 3.2 | Does the platform allow for the deployment of patches and OS updates? | Cisco distributes several types of upgrades and updates for Firepower deployments. These include OS versions, patches, vulnerability databases, intrusion rules, and geolocation databases. These are all deployed centrally from FMC. | Ref 1 |
| SM 4.1 | Does the security tool support logging and sending that data to rsyslog or Security Information and Event Management (SIEM)? | FMC allows for sending all logs to a third-party SIEM using syslog or eStreamer. | Ref 1 |
| SM 4.4 | Does the platform allow for logging connection events to the tool? | The system can generate logs of the connection events its managed devices detect. Connection events include Security Intelligence events (connections blocked by the reputation-based Security Intelligence feature). | Ref 1 |
| SM 5.1 | Are there training courses in how to use the products? Are there different courses for different roles? | Cisco provides training resources through direct offering, partner, knowledge partners, and on-demand through Cisco Live. | |
| SM 5.2 | Are there training courses for teaching administrators how to utilize the platform? | Cisco provides training resources through direct offering, partner, knowledge partners, and on-demand through Cisco Live. | |
| SM 5.3 | Are trainings updated and metrics collected to improve trainings? | Cisco regularly collects metrics from completed user training to make improvements and updates. | |

A.2.2 Cisco ISE Support of Security Measures

| SM # | Question | Technical Mechanism or Configuration | Refs. |
|---|---|---|---|
| SM 1.1 | Does the software platform allow for the use of a two-factor authentication method for access? | Certificates from a PIV or CAC can be used along with soft certificates to authenticate admin users. | Ref 1 |
| SM 1.2 | Does the software platform identify and authenticate users and machine accounts that try to access the platform? | Services using the ISE pxGrid solution to gather data from the system or publish require the use of certificates to secure the communications channel. | Ref 1 |
| SM 1.3 | Does the system allow for creating accounts with different access levels to enforce least management? | The Cisco ISE admin console and CLI both support role-based access control. | Ref 1 |
| SM 1.4 | Does the system allow for the use of DACLs, network segmentation, or isolation for access to the platform? | Both the admin user interface (UI) and CLI can be configured to limit IP access to the system. | Ref 1 |
| SM 2.2 | Does the system allow for creating accounts with different access levels to enforce least management? | The Cisco ISE admin console and CLI both support role-based access control. | Ref 1 |
| SM 2.4 | Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data in transit? | Cisco ISE can be configured for Federal Information Processing Standards (FIPS) compliance. In this mode, only the protocols listed here are allowed to be used for authentication: EAP-TLS, PEAP, EAP-FAST, and EAP-TTLS. | Ref 1 |
| SM 2.5 | Does the system support performing regular backups and restorations? | Cisco ISE backs up both the configuration and event data to a repository. The system provides high-availability (HA) capabilities with redundant service pairs. | Ref 1 |
| SM 3.2 | Does the platform allow for the deployment of patches and OS updates? | Cisco ISE provides a centralized patching mechanism through the admin node to apply patches to all systems that are a member of the deployment. Patches are rollups, so administrators do not have to install multiple patches. Patches include vulnerability fixes and bug fixes. | Ref 1 |
| SM 3.3 | Does the platform allow for configuration management practices such as removal or disabling of services to maintain security? | Cisco ISE allows administrators to turn on and off features and functions. Cisco ISE does not allow access to the underlying OS, so services are only enabled and disabled based on the packages needed to support the enabled services. | Ref 1 |
| SM 4.1 | Does the security tool support logging and sending that data to rsyslog or a SIEM? | Log events for the following categories are sent by all nodes in the deployment to the logging targets: Administrative and Operational Audit, System Diagnostics, and System Statistics. | Ref 1 |
| SM 4.4 | Does the platform allow for logging connection events to the tool? | The web interface can specify remote syslog server targets to which system log messages are sent. Log messages are sent to the remote syslog server targets in accordance with the syslog protocol standard (RFC 3164). | Ref 1 |
| SM 5.1 | Are there training courses in how to use the products? Are there different courses for different roles? | Cisco provides training resources through direct offering, partner, knowledge partners, and on-demand through Cisco Live. | |
| SM 5.2 | Are there training courses for teaching administrators how to utilize the platform? | Cisco provides training resources through direct offering, partner, knowledge partners, and on-demand through Cisco Live. | |
| SM 5.3 | Are trainings updated and metrics collected to improve trainings? | Cisco regularly collects metrics from completed user training to make improvements and updates. | |

A.2.3 Eclypsium Administration and Analytics Service Support of Security Measures

All entries in this table have the same two references: the Eclypsium-supplied Solution Guide and Deployment Guide. The Solution Guide is built into the product, and Eclypsium provides the Deployment Guide at purchase, so it was not possible to provide hyperlinks for this table.

| SM # | Question | Technical Mechanism or Configuration | Refs. |
|---|---|---|---|
| SM 1.1 | Does the software platform allow for the use of a two-factor authentication method for access? | Eclypsium integrates with multiple authentication mechanisms, many of which support multi-factor authentication (MFA). | |
| SM 1.2 | Does the software platform identify and authenticate users and machine accounts that try to access the platform? | Unique application programming interface (API) tokens are managed by Eclypsium administrators. | |
| SM 1.3 | Does the system allow for creating accounts with different access levels to enforce least management? | The Eclypsium platform contains Admin/User access roles. Only administrators can change systemwide analysis policies. | |
| SM 1.4 | Does the system allow for the use of DACLs, network segmentation, or isolation for access to the platform? | The Linux OS hosting Eclypsium can be configured to allow for the creation of network-based access restrictions. | |
| SM 2.2 | Does the system allow for creating accounts with different access levels to enforce least management? | The Eclypsium platform contains Admin/User access roles. Only administrators can change systemwide analysis policies. | |
| SM 2.3 | Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data at rest? | The data-at-rest encryption implementation is done as part of the backend platform onto which Eclypsium is deployed. In the cloud, the provider’s key management system may be used. In an on-premises deployment, the OS or hardware-based encryption on the physical servers may be used. | |
| SM 2.4 | Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data in transit? | All communications occur over Transport Layer Security (TLS). FIPS mode can be enabled and utilized where desired. | |
| SM 2.5 | Does the system support performing regular backups and restorations? | Backups of the Eclypsium backend are performed as part of the platform onto which it is deployed. Standard mechanisms for Linux server backup/restore will operate normally. | |
| SM 3.1 | Does the product list all software dependencies and currently installed applications/services? | This information is in the Solution Guide. When scanning firmware on target systems, similar information may be inferred from binary analysis. | |
| SM 3.2 | Does the platform allow for the deployment of patches and OS updates? | The cloud version is managed by Eclypsium to provide updates. The on-premises version is the responsibility of the customer. The OS can be configured to perform updates. On target systems, Eclypsium will indicate whether firmware is up to date. | |
| SM 3.3 | Does the platform allow for configuration management practices such as removal or disabling of services to maintain security? | Eclypsium directly manages the configuration of cloud deployments. In an on-premises environment, configuration management becomes the responsibility of the customer. Normal configuration management for Linux servers will apply to the Eclypsium backend. | |
| SM 4.1 | Does the security tool support logging and sending that data to rsyslog or a SIEM? | In most instances, syslog is integrated with SIEM tools. Eclypsium alerts for target systems are forwarded over syslog to such tools when configured. | |
| SM 4.2 | Does the platform monitor the security and vulnerabilities associated with all software and dependencies used? | There is an audit trail of users who have logged in and the actions they performed. Updates are also sent out to help remediate software running on the platform. | |
| SM 4.3 | Is anti-malware or antivirus able to be installed on the system running your platform? | Eclypsium scanners and the Eclypsium backend are compatible with running other endpoint security software on the same device. | |
| SM 4.4 | Does the platform allow for logging connection events to the tool? | In cloud deployments, Eclypsium manages network security protections. In an on-premises deployment, this would be inherited from the environment into which Eclypsium is deployed. | |
| SM 4.5 | Are there training courses or procedures in the event of an incident involving the tool or platform? | Eclypsium security operations personnel receive security and incident response training. Customer training is available from Eclypsium to cover firmware security and incident response scenarios. | |
| SM 5.1 | Are there training courses in how to use the products? Are there different courses for different roles? | Eclypsium has the latest training catalog. | |
| SM 5.2 | Are there training courses for teaching administrators how to utilize the platform? | Eclypsium has the latest training catalog. | |
| SM 5.3 | Are trainings updated and metrics collected to improve trainings? | Eclypsium has the latest training catalog. | |

A.2.4 Forescout Platform Support of Security Measures

| SM # | Question | Technical Mechanism or Configuration | Refs. |
|---|---|---|---|
| SM 1.1 | Does the software platform allow for the use of a two-factor authentication method for access? | The Forescout platform’s integration with PIV and Homeland Security Presidential Directive 12 (HSPD-12) cards allows for this capability. | |
| SM 1.3 | Does the system allow for creating accounts with different access levels to enforce least management? | The Forescout platform supports a range of accounts with different access levels as required to support least privilege. | |
| SM 1.4 | Does the system allow for the use of DACLs, network segmentation, or isolation for access to the platform? | Forescout supports the use of DACLs, virtual local area network (VLAN) assignment, and any other network-based control offered by the network devices in use for device isolation as needed. | |
| SM 2.1 | Does the software list and maintain an inventory of all software criticalities and integrations? | This is enabled via Forescout’s native policy. | |
| SM 2.2 | Does the system allow for creating accounts with different access levels to enforce least management? | The Forescout platform supports a range of accounts with different access levels as required to support least privilege. | |
| SM 2.3 | Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data at rest? | Forescout natively encrypts the data at rest on the hard drives but can also verify and establish the encryption level of managed endpoints. | |
| SM 2.5 | Does the system support performing regular backups and restorations? | Forescout supports backup/restore of data and configurations of all appliances. | |
| SM 3.1 | Does the product list all software dependencies and currently installed applications/services? | Forescout can identify applications and services that are installed and/or running on Windows, Linux, and macOS. Remote inspection capabilities are enabled either by integration with AD (LDAP) or via an agent (Secure Connector). This in turn can be enhanced by creating Forescout security policies to identify all software with enhanced privileges and known CVEs. | |
| SM 3.2 | Does the platform allow for the deployment of patches and OS updates? | Forescout integrates with a variety of patch and OS management tools. Forescout has native remediations via scripting on endpoints via policy. | |
| SM 3.3 | Does the platform allow for configuration management practices such as removal or disabling of services to maintain security? | Forescout can perform control actions against any managed endpoint. Services as a property are an attribute detected running/installed on the endpoint. These attributes (services) can in turn be stopped/started or removed as required via policy. | |
| SM 4.1 | Does the security tool support logging and sending that data to rsyslog or a SIEM? | The Forescout platform sends rich device context information to a SIEM system for logging and event analysis. | |
| SM 4.2 | Does the platform monitor the security and vulnerabilities associated with all software and dependencies used? | Forescout supports a default Windows Vulnerability CVE/Patch plugin (published by Microsoft) to actively scan all Windows clients/servers in real time via policy. The Forescout platform also provides Security Policy Templates (SPT) covering zero-day information and assesses software and hardware for these issues. SPT includes vulnerability and response templates with relevant data for vulnerabilities as documented by Forescout security labs. | |
| SM 4.4 | Does the platform allow for logging connection events to the tool? | All successful and failed connections to the Forescout platform are logged in system event logs. Administrators can view these logs. An option is also available to forward event messages to third-party logging systems via syslog. | |
| SM 5.1 | Are there training courses in how to use the products? Are there different courses for different roles? | Forescout offers training and certifications for administrators. | |
| SM 5.2 | Are there training courses for teaching administrators how to utilize the platform? | Forescout offers training and certifications for engineers. | |

A.2.5 IBM Code Risk Analyzer Support of Security Measures

| SM # | Question | Technical Mechanism or Configuration | Refs. |
|---|---|---|---|
| SM 1.1 | Does the software platform allow for the use of a two-factor authentication method for access? | It leverages the IBM Cloud authentication mechanism, which provides multi-factor authentication for all users and administrators. | |
| SM 1.2 | Does the software platform identify and authenticate users and machine accounts that try to access the platform? | All users and machines are identified using the Identity and Access Management feature of IBM Cloud. | |
| SM 1.3 | Does the system allow for creating accounts with different access levels to enforce least management? | Accounts can be created and assigned to appropriate roles that have different access levels. This functionality is provided by the Identity and Access Management feature of IBM Cloud. | |
| SM 1.4 | Does the system allow for the use of DACLs, network segmentation, or isolation for access to the platform? | Network segmentation and isolation are done by using Kubernetes clusters and Istio as the service mesh. Strict policies exist for egress and ingress. | |
| SM 2.1 | Does the software list and maintain an inventory of all software criticalities and integrations? | The software keeps a bill of materials for each component. This bill of materials contains a full list of third-party dependencies. Integration is allowed with only IBM-authorized software. | |
| SM 2.2 | Does the system allow for creating accounts with different access levels to enforce least management? | This feature is achieved by using the Identity and Access Management (IAM) feature of IBM Cloud. IAM has comprehensive features for granular access for users, administrators, and machines. | |
| SM 2.3 | Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data at rest? | All data at rest, whether in databases or file systems, is encrypted using NIST-certified cryptographic standards. | |
| SM 2.4 | Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data in transit? | All data in transit is encrypted using NIST-certified cryptographic standards. This includes data that is flowing between microservices inside a cluster. | |
| SM 2.5 | Does the system support performing regular backups and restorations? | The system data is backed up regularly for offsite storage. Disaster recovery procedures are reviewed and tested regularly by IBM engineers. | |
| SM 3.1 | Does the product list all software dependencies and currently installed applications/services? | A bill of materials is created for each microservice. Integrations with databases and other systems are tracked. Change management is rigorously followed. | |
| SM 3.2 | Does the platform allow for the deployment of patches and OS updates? | The OS, middleware, and application components are regularly patched using automated pipelines. These components are scanned for any vulnerabilities, and patches are deployed within strict timeframes. | |
| SM 3.3 | Does the platform allow for configuration management practices such as removal or disabling of services to maintain security? | The system is configured and deployed using various standard techniques such as Kubernetes Helm charts and YAML files. The service can be disabled in all regions within minutes by disabling DNS entries, reverse proxies, etc. | |
| SM 4.1 | Does the security tool support logging and sending that data to rsyslog or a SIEM? | Syslog data is streamed to centralized logging mechanisms. The security events data is also made available to clients using the Activity Tracker mechanism. | |
| SM 4.2 | Does the platform monitor the security and vulnerabilities associated with all software and dependencies used? | Continuous monitoring for security is accomplished by using firewalls and service mesh. | |
| SM 4.3 | Is anti-malware or antivirus able to be installed on the system running your platform? | All systems running the system have anti-malware software running on them. Comprehensive reports are generated to ensure compliance. | |
| SM 4.4 | Does the platform allow for logging connection events to the tool? | All successful and unsuccessful connections are logged in the Activity Tracker and in the Identity and Access Management system of IBM Cloud. | |
| SM 4.5 | Are there training courses or procedures in the event of an incident involving the tool or platform? | Process documentation, runbooks, training, and technology are in place to respond to incidents in a timely manner. High-severity incidents are tracked at executive levels. Root-cause analysis is performed and actionable tasks are documented. Best practices are shared across all teams in IBM Cloud. | |
| SM 5.1 | Are there training courses in how to use the products? Are there different courses for different roles? | Self-service tutorials are available to users based on their roles. Comprehensive documentation is available as well. | |
| SM 5.2 | Are there training courses for teaching administrators how to utilize the platform? | IBM Garage teams host courses for all aspects of the IBM Cloud platform. | |
| SM 5.3 | Are trainings updated and metrics collected to improve trainings? | Regular trainings are conducted for all developers and administrators who are responsible for operating the IBM Cloud. The training materials are revised as new best practices become available. | |

A.2.6 IBM MaaS360 with Watson Support of Security Measures

SM #

Question

Technical Mechanism or Configuration

Refs.

SM 1.1

Does the software platform identify and authenticate users and machine accounts that try to access the platform?

Connections to IBM MaaS360 are authenticated with API keys or credentials.

Ref 1

SM 1.3

Does the system allow for creating accounts with different access levels to enforce least privilege?

In the MaaS360 admin console, roles can be assigned to each administrator based on their individual needs.

Ref 1

SM 2.2

Does the system allow for creating accounts with different access levels to enforce least privilege?

In the MaaS360 admin console, custom roles can be defined with granular access rights.

Ref 1

SM 5.1

Are there training courses in how to use the products? Are there different courses for different roles?

IBM MaaS360 offers training courses that are catered to the role an individual will hold for utilizing the product.

Ref 1

SM 5.2

Are there training courses for teaching administrators how to utilize the platform?

IBM MaaS360 offers training courses for administrative users.

SM 5.3

Are trainings updated and metrics collected to improve trainings?

Release Notes are regularly updated with new and updated feature information, and the “MaaS360 Latest” panel provides videos and tutorials on new and updated capabilities. Each training course has a star rating system for effectiveness and improvement purposes.

Ref 1

A.2.7 Lookout MES Support of Security Measures

SM #

Question

Technical Mechanism or Configuration

Refs.

SM 1.1

Does the software platform allow for the use of a two-factor authentication method for access?

Organizations can integrate their existing Security Assertion Markup Language (SAML) 2.0 MFA solutions into the Lookout MES Console for authentication.

SM 1.2

Does the software platform identify and authenticate users and machine accounts that try to access the platform?

Lookout identifies and authenticates each user or machine account that attempts to access the platform. Audit logs also collect actions taken by each account.

SM 1.3

Does the system allow for creating accounts with different access levels to enforce least privilege?

Lookout allows for the creation of several administrative types with decreasing levels of access.

SM 2.1

Does the software list and maintain an inventory of all software criticalities and integrations?

The Lookout MES Console provides a full application inventory list of all devices within the customer’s user fleet.

SM 2.2

Does the system allow for creating accounts with different access levels to enforce least privilege?

Lookout allows for the creation of several administrative types with decreasing levels of access.

SM 2.3

Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data at rest?

Data at rest is encrypted using Advanced Encryption Standard (AES) 256-bit encryption.

SM 2.4

Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data in transit?

Data in transit is encrypted using TLS version 1.2.

SM 2.5

Does the system support performing regular backups and restorations?

Daily backups and snapshots of the production environment are taken and stored via Amazon’s S3 service within multiple zones and U.S. regions. Regular integrity checks occur through restorations occurring multiple times annually. These restores populate new production instances which are then verified and monitored.

SM 3.1

Does the product list all software dependencies and currently installed applications/services?

The Lookout MES Console provides a full application inventory list of all devices within the customer’s user fleet.

SM 3.2

Does the platform allow for the deployment of patches and OS updates?

Patches to the Lookout MES Console are controlled and maintained by Lookout backoffice support.

SM 4.1

Does the security tool support logging and sending that data to rsyslog or a SIEM?

Lookout uses a representational state transfer (REST) API to capture and send all console-related logs (e.g., device changes, threat information, system audit events) to SIEMs and syslog readers.

SM 4.2

Does the platform monitor the security and vulnerabilities associated with all software and dependencies used?

Lookout is Federal Risk and Authorization Management Program (FedRAMP) Moderate authorized and therefore follows strict patch management controls for patching its own software.

SM 4.4

Does the platform allow for logging connection events to the tool?

Lookout captures connection events to the tool and activities conducted within the tool via its auditing capabilities.

SM 4.5

Are there training courses or procedures in the event of an incident involving the tool or platform?

Internally, Lookout has established procedures for how to respond to a security incident (leak, compromise, etc.). These procedures follow strict FedRAMP Moderate policies.

SM 5.1

Are there training courses in how to use the products? Are there different courses for different roles?

Lookout provides first-touch training and guidance for using the Lookout MES and for integration guidance with a customer’s MDM. Additionally, frequently asked questions (FAQs), integration guides, and console user guides are available to all administrators via the Lookout Support Knowledge portal.

SM 5.2

Are there training courses for teaching administrators how to utilize the platform?

Lookout provides first-touch training and guidance for using the Lookout MES and for integration guidance with a customer’s MDM. Additionally, FAQs, integration guides, and console user guides are available to all administrators via the Lookout Support Knowledge portal.

A.2.8 Microsoft Endpoint Configuration Manager (ECM) Support of Security Measures

SM #

Question

Technical Mechanism or Configuration

Refs.

SM 1.1

Does the software platform allow for the use of a two-factor authentication method for access?

Access to ECM Site Collections can be restricted via strong authentication. This can include MFA and passwordless options like Windows Hello for Business.

Ref 1

SM 1.2

Does the software platform identify and authenticate users and machine accounts that try to access the platform?

ECM natively audits logins and activities, and these audit records can be reported on using ECM Reports.

Ref 1

SM 1.3

Does the system allow for creating accounts with different access levels to enforce least privilege?

ECM supports achieving least privilege through security roles, scopes, and collections.

Ref 1

SM 1.4

Does the system allow for the use of DACLs, network segmentation, or isolation for access to the platform?

Microsoft provides guidance around the ports and protocols required by ECM. Customers can use this to implement firewalls between services and clients.

Ref 1

SM 2.1

Does the software list and maintain an inventory of all software criticalities and integrations?

Configuration Manager uses an in-console service method called Updates and Servicing. It makes it easy to find and install recommended updates for your Configuration Manager infrastructure.

Ref 1

SM 2.2

Does the system allow for creating accounts with different access levels to enforce least privilege?

ECM supports achieving least privilege through security roles, scopes, and collections.

Ref 1

SM 2.3

Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data at rest?

ECM supports encryption at rest natively and through the use of BitLocker.

Ref 1

SM 2.4

Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data in transit?

ECM supports encryption for data in transit.

Ref 1

SM 2.5

Does the system support performing regular backups and restorations?

Backup and restore operations are core resiliency capabilities in ECM.

Ref 1

SM 3.1

Does the product list all software dependencies and currently installed applications/services?

ECM lists the software dependencies that are required for the platform to operate on the server in addition to client end nodes.

Ref 1

SM 3.2

Does the platform allow for the deployment of patches and OS updates?

Configuration Manager uses an in-console service method called Updates and Servicing. It makes it easy to find and install recommended updates for your Configuration Manager infrastructure.

Ref 1

SM 3.3

Does the platform allow for configuration management practices such as removal or disabling of services to maintain security?

Configuration Manager supports installing specific roles, for example management points, distribution points, and software update points, which contain the services required to run that service only.

Ref 1

SM 4.1

Does the security tool support logging and sending that data to rsyslog or a SIEM?

Logs are stored in the ECM database, log files, and Windows Event Logs. Implementation guidance is specific to the capabilities of the SIEM.

SM 4.2

Does the platform monitor the security and vulnerabilities associated with all software and dependencies used?

Configuration Manager includes software update monitoring, which can be used to identify vulnerable software on its infrastructure.

Ref 1

SM 4.3

Is anti-malware or antivirus able to be installed on the system running your platform?

Anti-malware and anti-virus solutions can be installed on the host operating system. Microsoft recommends allowlisting the files and processes related to ECM.

Ref 1

SM 4.4

Does the platform allow for logging connection events to the tool?

Client and management point logging can be configured at various levels to meet customer requirements.

Ref 1

SM 5.1

Are there training courses in how to use the products? Are there different courses for different roles?

Microsoft offers training courses that are catered to the role an individual will have for utilizing the product.

Ref 1

SM 5.2

Are there training courses for teaching administrators how to utilize the platform?

Microsoft provides e-learning and certification preparation guides for ECM on the Microsoft Learn portal. Hands-on or train-the-trainer models are provided through an implementation partner.

Ref 1

SM 5.3

Are trainings updated and metrics collected to improve trainings?

Courses and certifications are periodically updated based on product enhancements and feedback from customers.

A.2.9 Tenable.sc Support of Security Measures

SM #

Question

Technical Mechanism or Configuration

Refs.

SM 1.1

Does the software platform allow for the use of a two-factor authentication method for access?

MFA is achieved through certificate-based authentication and SAML authentication.

SM 1.2

Does the software platform identify and authenticate users and machine accounts that try to access the platform?

This is default behavior. Connections are authenticated with API keys or credentials, then handled via session cookie.

SM 1.3

Does the system allow for creating accounts with different access levels to enforce least privilege?

This is default behavior provided by role-based access control.

SM 1.4

Does the system allow for the use of DACLs, network segmentation, or isolation for access to the platform?

Tenable.sc can bind the HTTPS interface to a single IP/network interface card (NIC) and utilize sideband networks for management/administration.

SM 2.2

Does the system allow for creating accounts with different access levels to enforce least privilege?

This is default behavior provided by role-based access control.

SM 2.3

Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data at rest?

Tenable.sc provides encryption for critical resources (target credentials). For vulnerability data and application configuration information, an external data-at-rest solution is required.

SM 2.4

Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data in transit?

This is default behavior: the Tenable.sc web interface and API are served over HTTPS, so data in transit is TLS-encrypted.

SM 2.5

Does the system support performing regular backups and restorations?

Tenable supports administrator backup of the /opt/sc directory. Backups can be scripted to run on the host OS.

SM 4.1

Does the security tool support logging and sending that data to rsyslog or a SIEM?

The Tenable.sc application can use the host OS’s syslog implementation to leverage an external syslog or SIEM.

SM 4.2

Does the platform monitor the security and vulnerabilities associated with all software and dependencies used?

Tenable.sc can scan an environment passively (with the use of Nessus Network Monitor/NNM) and actively to achieve continuous monitoring.

SM 4.3

Is anti-malware or antivirus able to be installed on the system running your platform?

Anti-malware and anti-virus solutions can be installed. Tenable recommends allowlisting the files and processes related to Nessus and Tenable.sc.

SM 4.4

Does the platform allow for logging connection events to the tool?

NNM not only does passive analysis for vulnerabilities, but it can also provide logging of connection events as Informational events.

SM 4.5

Are there training courses or procedures in the event of an incident involving the tool or platform?

Tenable has many training options available to customers of our products, including instructional videos, free trainings, and paid trainings for deeper dives and larger groups.

SM 5.1

Are there training courses in how to use the products? Are there different courses for different roles?

Tenable offers training courses that are catered to the role an individual will have utilizing the product.

SM 5.2

Are there training courses for teaching administrators how to utilize the platform?

Tenable offers training courses for administrative users.

SM 5.3

Are trainings updated and metrics collected to improve trainings?

Tenable continually collects feedback and introduces changes based on product updates and user feedback.
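
The SM 2.5 row above says backups of /opt/sc can be scripted on the host OS but does not show one. The script below is an added example written for this appendix, not Tenable's own tooling: it takes a cold backup of the install directory, records a SHA-256 manifest, and verifies the archive before it is trusted for a restore. The install path /opt/sc and the service name SecurityCenter are assumptions and can be overridden through environment variables; the use of systemctl assumes a systemd host.

```shell
#!/bin/sh
# Added example (not Tenable's own script): cold backup of a Tenable.sc install
# directory with a SHA-256 manifest, plus an integrity check before restore.
# Assumptions (not from the guide): Tenable.sc lives in /opt/sc, its service is
# named SecurityCenter, and the host uses systemd. All are overridable.
SC_DIR="${SC_DIR:-/opt/sc}"
SC_SERVICE="${SC_SERVICE:-SecurityCenter}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/tenable-sc}"

# backup_sc_dir SRC DEST_DIR -> prints the path of the archive it created.
# Writes DEST_DIR/sc-backup-<UTC timestamp>.tar.gz and a .sha256 sidecar file.
backup_sc_dir() {
    src="$1"; dest="$2"
    [ -d "$src" ] || { echo "source directory $src is missing" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/sc-backup-$stamp.tar.gz"
    # Archive the directory by name relative to its parent so a restore lands
    # back at the same path; -p keeps ownership and permission bits.
    tar -pzcf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    chmod 600 "$archive"
    # Manifest is written relative to the backup directory so it can be
    # checked with sha256sum -c from that directory later.
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256") || return 1
    echo "$archive"
}

# verify_sc_backup ARCHIVE -> 0 only if the manifest checksum matches and the
# tarball can be listed. A tampered or truncated archive fails here rather than
# during an emergency restore.
verify_sc_backup() {
    archive="$1"
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 1
    (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256") || return 1
    tar -tzf "$archive" >/dev/null
}

# run_sc_backup -> full procedure: stop the application so its data files are
# consistent, back up, restart regardless of outcome, then verify the archive.
run_sc_backup() {
    systemctl stop "$SC_SERVICE" || return 1
    archive=$(backup_sc_dir "$SC_DIR" "$BACKUP_ROOT"); rc=$?
    systemctl start "$SC_SERVICE"
    [ "$rc" -eq 0 ] && verify_sc_backup "$archive"
}
```

Schedule run_sc_backup from cron or a systemd timer during a maintenance window, since the application is stopped for the duration of the tar run, and copy the archive and its .sha256 sidecar off the host; a backup that only lives on the scanner it protects is not a backup.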

A.2.10 VMware vRealize Automation SaltStack Config Support of Security Measures

SM #

Question

Technical Mechanism or Configuration

Refs.

SM 1.2

Does the software platform identify and authenticate users and machine accounts that try to access the platform?

This can be set up in the SaltStack Config component or done through integration with LDAP, AD, SAML, or OpenID Connect (OIDC) providers.

Ref 1

SM 1.3

Does the system allow for creating accounts with different access levels to enforce least privilege?

This can be set up in SaltStack Config or done through integration with LDAP, AD, SAML, or OIDC providers.

Ref 1

SM 1.4

Does the system allow for the use of DACLs, network segmentation, or isolation for access to the platform?

The Linux OS hosting SaltStack Config can be configured to perform network isolation.

SM 2.1

Does the software list and maintain an inventory of all software criticalities and integrations?

VMware tracks each product used by SaltStack Config and any updates and vulnerabilities in those products.

SM 2.2

Does the system allow for creating accounts with different access levels to enforce least privilege?

This can be set up in SaltStack Config or done through integration with LDAP, AD, SAML, or OIDC providers.

Ref 1

SM 2.3

Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data at rest?

SaltStack Config has a FIPS-compliant mode that can be configured at installation time to support encryption of data at rest.

Ref 1

SM 2.4

Does the system use or contain an option to enable the use of NIST-certified cryptographic standards for protecting data in transit?

SaltStack Config supports encryption for data in transit by default. Key generation uses standard algorithms found in the OpenSSL library. These algorithms rely on OS-generated random seed data.

SM 2.5

Does the system support performing regular backups and restorations?

SaltStack Config allows administrators to perform manual backups.

Ref 1

SM 3.1

Does the product list all software dependencies and currently installed applications/services?

SaltStack provides a list of all dependent software and libraries used within the product.

SM 3.2

Does the platform allow for the deployment of patches and OS updates?

The Linux system hosting SaltStack can be updated by administrators. The SaltStack SecOps component can be utilized to perform updates on SaltStack nodes and client end nodes.

Ref 1

SM 3.3

Does the platform allow for configuration management practices such as removal or disabling of services to maintain security?

SaltStack Config allows for configuration management through the implementation of Salt states, the beacon and reactor system, and/or orchestration.

Ref 1

SM 4.1

Does the security tool support logging and sending that data to rsyslog or a SIEM?

Salt returners can be configured to send job results and logs to third-party tools such as rsyslog and Splunk.

Ref 1

SM 4.2

Does the platform monitor the security and vulnerabilities associated with all software and dependencies used?

VMware tracks each product used by SaltStack Config and tracks any updates and vulnerabilities that are announced by the product owners.

SM 4.3

Is anti-malware or antivirus able to be installed on the system running your platform?

Anti-malware and anti-virus solutions can be installed on the host Linux OS.

SM 4.4

Does the platform allow for logging connection events to the tool?

Setting the logging level to debug or enabling the audit trail records connection events.

Ref 1

SM 4.5

Are there training courses or procedures in the event of an incident involving the tool or platform?

There is official training for customers of the platform. Also, support contracts can be purchased to help troubleshoot and fix incidents with the product.

Ref 1

SM 5.1

Are there training courses in how to use the products? Are there different courses for different roles?

VMware provides training on the underlying platform (SaltStack Config and vRealize Automation) as well as the security operations product.

Ref 1

SM 5.2

Are there training courses for teaching administrators how to utilize the platform?

VMware provides training on the underlying platform (SaltStack Config and vRealize Automation) as well as the security operations product.

Ref 1
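
The SM 4.1 row above states that Salt returners can deliver logs to rsyslog and a SIEM but gives no configuration. The script below is an added example for this appendix, not VMware's or the Salt project's own code. It writes the minion-side settings for the Salt syslog returner, writes the rsyslog rule that forwards that facility to a SIEM collector, and checks that the two agree, because a facility mismatch between the two files drops every event without an error. Assumptions not taken from the guide: minions read drop-in files from /etc/salt/minion.d, rsyslog reads /etc/rsyslog.d, the collector is siem.example.internal:6514, and the syslog.* option names follow the Salt syslog returner documentation (confirm them against the Salt release in use).

```shell
#!/bin/sh
# Added example (not VMware's or the Salt project's own code): route Salt job
# results through the syslog returner into the host's rsyslog, forward that
# facility to a SIEM, and check that both halves use the same facility.
# Assumptions (not from the guide): drop-in directories below, the SIEM
# address, and the syslog.* option names of the Salt syslog returner.
MINION_D="${MINION_D:-/etc/salt/minion.d}"
RSYSLOG_D="${RSYSLOG_D:-/etc/rsyslog.d}"
SIEM_TARGET="${SIEM_TARGET:-siem.example.internal:6514}"

# render_salt_syslog_conf -> minion YAML fragment for the syslog returner.
render_salt_syslog_conf() {
    cat <<'EOF'
# Salt syslog returner settings. A dedicated local facility keeps Salt job
# output separable from the rest of the host's syslog stream.
syslog.level: 'LOG_INFO'
syslog.facility: 'LOG_LOCAL4'
syslog.tag: 'salt-minion'
syslog.options:
  - LOG_PID
EOF
}

# render_rsyslog_forward_conf TARGET -> rsyslog rule forwarding local4 over TCP
# (@@). This is plain TCP; wrap it in rsyslog's TLS stream driver in production
# because job output can contain hostnames and command results.
render_rsyslog_forward_conf() {
    printf 'local4.* @@%s\n' "$1"
}

# install_forwarding_confs MINION_DIR RSYSLOG_DIR TARGET -> writes both files.
install_forwarding_confs() {
    mdir="${1:-$MINION_D}"; rdir="${2:-$RSYSLOG_D}"; target="${3:-$SIEM_TARGET}"
    mkdir -p "$mdir" "$rdir" || return 1
    render_salt_syslog_conf > "$mdir/syslog_returner.conf" || return 1
    render_rsyslog_forward_conf "$target" > "$rdir/60-salt-to-siem.conf" || return 1
    chmod 640 "$mdir/syslog_returner.conf" "$rdir/60-salt-to-siem.conf"
}

# check_forwarding_confs MINION_DIR RSYSLOG_DIR -> 0 only if the facility the
# returner logs to is the facility rsyslog forwards.
check_forwarding_confs() {
    mdir="$1"; rdir="$2"
    fac=$(sed -n "s/^syslog\.facility:[[:space:]]*'\{0,1\}LOG_\([A-Z0-9]*\)'\{0,1\}.*/\1/p" "$mdir/syslog_returner.conf")
    [ -n "$fac" ] || return 1
    lc=$(printf '%s' "$fac" | tr 'A-Z' 'a-z')
    grep -Eq "^${lc}\.\*[[:space:]]+@@" "$rdir/60-salt-to-siem.conf"
}
```

After install_forwarding_confs runs, restart rsyslog and salt-minion, then append --return syslog to a Salt command (for example, a state.apply run) to send that job's result through the returner and confirm the event reaches the SIEM.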

Appendix B List of Acronyms

AD: Active Directory
AES: Advanced Encryption Standard
ANC: Adaptive Network Control
API: Application Programming Interface
BIOS: Basic Input/Output System
CAC: Common Access Card
CIO: Chief Information Officer
CISO: Chief Information Security Officer
CLI: Command-Line Interface
CRADA: Cooperative Research and Development Agreement
CVE: Common Vulnerabilities and Exposures
CVSS: Common Vulnerability Scoring System
DACL: Discretionary Access Control List
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name System
ECM: (Microsoft) Endpoint Configuration Manager
EMM: Enterprise Mobility Management
EO: Executive Order
FAQ: Frequently Asked Questions
FedRAMP: Federal Risk and Authorization Management Program
FIPS: Federal Information Processing Standards
FMC: (Cisco) Firepower Management Center
FTD: (Cisco) Firepower Threat Defense
HA: High Availability
HSPD-12: Homeland Security Presidential Directive 12
IAM: Identity and Access Management
ICS: Industrial Control System
IoT: Internet of Things
IP: Internet Protocol
ISE: (Cisco) Identity Services Engine
IT: Information Technology
LDAP: Lightweight Directory Access Protocol
MDM: Mobile Device Manager
MES: (Lookout) Mobile Endpoint Security
MFA: Multi-Factor Authentication
NCCoE: National Cybersecurity Center of Excellence
NIC: Network Interface Card
NIST: National Institute of Standards and Technology
NNM: (Tenable) Nessus Network Monitor
OIDC: OpenID Connect
OS: Operating System
OT: Operational Technology
PC: Personal Computer
PIV: Personal Identity Verification
REST: Representational State Transfer
RMF: Risk Management Framework
SaaS: Software as a Service
SAML: Security Assertion Markup Language
SAN: Storage Area Network
SCCM: (Microsoft) System Center Configuration Manager
SGT: Security Group Tag
SIEM: Security Information and Event Management
SM: Security Measure
SMS: (Microsoft) Systems Management Server
SP: Special Publication
SPT: (Forescout) Security Policy Templates
SSH: Secure Shell
TLS: Transport Layer Security
UEM: Unified Endpoint Management
UI: User Interface
VLAN: Virtual Local Area Network
VM: Virtual Machine
WaaS: Windows as a Service
WSUS: (Microsoft) Windows Server Update Services