Capability Maturity Model
- Pavan Raja
- Apr 9
- 9 min read
The provided text appears to be a draft or early version of a report titled "Security Management for the Enterprise™," dated June 13, 2006. It is internally confidential and intended for use by ArcSight. Here's a summarized interpretation of its content:
**Document Overview:**
**Title:** Security Management for the Enterprise™
**Version:** 0.1
**Date:** June 13, 2006
**Confidentiality:** Intended solely for internal use by ArcSight.
**Structure of Report:**
**Preface:** Includes a change history table and brief description of the document's purpose.
**Introduction:** Explains the report's scope and its role in presenting the outcomes of a strategy consulting engagement with Gwinnett.
**Sections:** The body is structured into sections that outline steps taken during the engagement, including discussions about customer requirements, prioritization, design and implementation of solutions, and concludes with a discussion on Capability Maturity Model (CMM).
**Purpose and Scope:**
The report outlines the purpose as presenting outcomes from a strategy consulting engagement conducted between 5 June and 9 June 2006. It serves to detail how the requirements were determined, objectives achieved, and technical steps taken during the process.
**Sections Description:**
1. **Introduction - Purpose and Scope**: Briefly describes the report's role in presenting outcomes of a consulting engagement with Gwinnett.
2. **Review Customer Documentation**: Provides context for understanding customer needs.
3. **Determine Customer Requirements**: Involves discussions to gather information about what is needed from the security management solutions.
4. **Prioritize Requirements**: Steps taken to decide which requirements are most critical and should be addressed first.
5. **Design and Implement Solutions**: Focuses on creating and implementing technical solutions based on determined requirements.
6. **Conclusions**: Summarizes key points from previous sections, suggesting a conclusion or summary statement about the overall approach taken during the engagement.
7. **Capability Maturity Model (CMM)**: Includes ArcSight's adaptation of Carnegie Mellon University's software engineering CMM for assessing and improving professional services capabilities.
**Technical Content:**
The technical details are minimal in this excerpt, focusing more on procedural information such as the methodology used to review customer needs, prioritize requirements, and design solutions based on those priorities. The document seems to outline a structured approach to consulting engagements but lacks detailed technical specifications or outcomes beyond high-level descriptions of processes and methodologies applied.
This report format is typical for strategic planning documents in professional services environments where detailed action plans and methodological approaches are emphasized over specific project outcomes.
This is a summary of 5 days of ArcSight strategy consulting services focused on customizing ArcSight for HIPAA compliance at Gwinnett. Key individuals involved were Karen Gaignard, Allen Olmstead, and Nadia Fahim-Koster. Karen Gaignard was the main point of contact for the implementation, while Allen Olmstead served as technical support. Nadia Fahim-Koster acted as a Chief Information Privacy and Security Officer in an advisory role.
Before ArcSight's onsite visit, several documents were provided to prepare:
1. Server Tier level1.xls - A spreadsheet containing asset modeling data used to set up data prior to the engagement.
2. Incident Management_Plan_draft4.doc - A process for identifying and responding to information security incidents.
3. IncidentManagement_Policy_draft5.doc - The policy document defining standards for incident handling.
4. 060517 Arcsight NW Diagram.vsd - A network diagram showing how ArcSight components fit into Gwinnett's network and devices sending events to ArcSight.
Gwinnett outlined their requirements prior to the engagement: operational workflow definition, incident management review, notification process, asset modeling, developing custom content, active lists, rules, reports, and notifications. The goal was to prepare for these needs during the week when ArcSight personnel were onsite.
This section covers how requirements were prioritized for the Gwinnett engagement, with prioritization driven by workflow and process analysis. Initial discussions with Gwinnett gathered existing requirements via email and during the first day onsite, which focused on defining the workflows that determine notification destinations and report scheduling. Asset data modeling was prioritized next, so that content could be verified against modeled assets. Development of ArcSight content then followed the technical dependency order needed for proper integration. Oracle database administration practices were also discussed with Gwinnett's DBA, covering best practices for using the Oracle database within the system. Lastly, installation of the Novell NetWare agent was attempted; because the agent was unavailable at the time of the engagement, this task was postponed until further notice.
This document discusses a strategy engagement between ArcSight and Gwinnett to improve their security infrastructure using ArcSight's products. The initial phase involved understanding Gwinnett's workflow, which was still in the process of being defined. To address this, efforts were made to outline the workflow but due to resource constraints, some content development and identification during the engagement faced challenges. Instead, focus shifted on training technical personnel to generate future content as workflows are developed.
Gwinnett provided initial asset data including hostnames, IP addresses, and descriptions, with zone definitions and categories needing further development. The ArcSight consultant(s) used a tool called ResourceGenerator to import this data into the system after minor modifications. This involved exporting CSV spreadsheets to XML format which was then imported into the ArcSight system.
The ResourceGenerator provided detailed syntax for correct use along with examples, enabling Gwinnett to handle its asset data efficiently. To support rule development, Active Lists were created using existing lists that come with the ArcSight product and may be updated based on rule firings or manually via the Console.
This section describes the active lists used to track entities such as attackers and targets. The product ships with default active lists that categorize them (Reconnaissance, Untrusted, Suspicious, Compromised, Hostile, and others), and additional lists can be created alongside them.
Two new active lists were created in support of specific rules:
1. "GHS/authorized su users" - This list tracks users who are authorized to execute the 'su' command without an expiration time, using event-based data that includes the attacker's username. Modifying a rule could easily change this list to track unauthorized su users.
2. "GHS/windows admin groups" - Another event-based active list that tracks user groups giving administrative rights and includes the target user names in its entries. This list is used by rules described later, possibly related to system administration or security policies.
The text also mentions issues encountered during implementation with Gwinnett's infrastructure regarding lack of logging events from devices.
This section covers the rules built on the collected log data. It lists custom rules that were authored and stock rules that were copied into a dedicated group, including rules for failed database connections, unauthorized su attempts, administrative rights changes on Windows systems, and detection of known attacks and worms such as SQL Slammer.
1. **Custom Rules:**
**Failed attempts to connect to database as admin user:** Triggers after three consecutive unsuccessful attempts to connect to a database using sys, sysdba, or sa within 10 minutes. This aims to detect unauthorized access attempts.
**Failed SU Attempt by Unauthed
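As an added example (not the report's own content, and not ArcSight rule syntax), the two rules described above expressed in plain Python: the threshold rule for failed admin database connections (three consecutive failures as sys, sysdba or sa within 10 minutes), and the inverse of the "GHS/authorized su users" active list, flagging any su by a user not on the list. The sample events, hostnames, user names and the list contents are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the Gwinnett report): (timestamp, host, event_name, user, outcome).
BASE = datetime(2006, 6, 7, 9, 0)

def T(minutes):
    return BASE + timedelta(minutes=minutes)

EVENTS = [
    (T(0), "dbhost1", "db_connect", "sa", "failure"),
    (T(2), "dbhost1", "db_connect", "sa", "failure"),
    (T(3), "dbhost1", "db_connect", "sa", "success"),    # success breaks the consecutive run
    (T(4), "dbhost1", "db_connect", "sa", "failure"),
    (T(5), "dbhost1", "db_connect", "sa", "failure"),
    (T(6), "dbhost1", "db_connect", "sa", "failure"),    # third consecutive failure in 10 min -> fires
    (T(0), "dbhost2", "db_connect", "sys", "failure"),
    (T(11), "dbhost2", "db_connect", "sys", "failure"),
    (T(22), "dbhost2", "db_connect", "sys", "failure"),  # spaced more than 10 min apart -> never fires
    (T(7), "app1", "db_connect", "appuser", "failure"),  # not an admin account -> ignored
    (T(1), "unix1", "su", "dba1", "success"),            # on the authorized list
    (T(2), "unix1", "su", "guest", "success"),           # not on the list -> fires
]

DB_ADMIN_ACCOUNTS = {"sys", "sysdba", "sa"}
# Stands in for the "GHS/authorized su users" active list; these names are hypothetical.
AUTHORIZED_SU_USERS = {"dba1", "ops1"}

def failed_db_admin_logins(events, threshold=3, window=timedelta(minutes=10)):
    """Fire once per (host, account) when `threshold` consecutive failed connects as an
    admin account fall inside a sliding `window`; a successful connect resets the run."""
    alerts, runs = [], defaultdict(deque)
    for ts, host, name, user, outcome in sorted(events, key=lambda e: e[0]):
        if name != "db_connect" or user not in DB_ADMIN_ACCOUNTS:
            continue
        run = runs[(host, user)]
        if outcome == "success":
            run.clear()
            continue
        run.append(ts)
        while run and ts - run[0] > window:   # drop failures older than the window
            run.popleft()
        if len(run) >= threshold:
            alerts.append((host, user, ts))
            run.clear()                       # one alert per burst, as a correlation rule would
    return alerts

def unauthorized_su_attempts(events, authorized=AUTHORIZED_SU_USERS):
    """Flag su events by users absent from the authorized list (the modified rule the text suggests)."""
    return [(h, u, ts) for ts, h, n, u, _ in events if n == "su" and u not in authorized]
```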
The provided text outlines several cybersecurity rules used in detecting and responding to various types of cyber threats, including brute force logins, attacks from sources with reconnaissance history, hostile attempts on devices, and suspicious source attacks. Each rule has specific criteria for triggering an alert, such as a minimum number of occurrences or the presence of certain event categories like "attempt" and "hostile." The rules also define actions taken once triggered, such as adding addresses to specific active lists (e.g., Suspicious, Hostile) and setting agent severity levels.
The text mentions that some other rules were not developed due to insufficient data from devices, which could be a limitation in the system's ability to fully automate or accurately detect certain types of threats without adequate information. The table mentioned provides details on these undeveloped rules but does not include specific rule names as they are unnamed in this text.
The document lists three rules that could not be built for lack of data. Detecting logins with default Windows admin accounts was not possible because Windows does not provide enough data to determine the source. No syslog message is generated when a new or existing user is set to UID 0 (superuser), so that change can only be detected with external tools. Likewise, no log messages indicate whether administrative passwords have been changed according to policy, so that too would require external monitoring tools.
The document then shifts focus to reports, which play a crucial role in complying with HIPAA regulations concerning the Security Rule. These reports help Gwinnett improve their monitoring of access to PHI-relevant assets by providing overall visibility into how computing resources are accessed. The custom reports mentioned include:
1. General login activity: This report lists all successful login attempts, and due to the high volume of such events, it may need refinement in future iterations.
2. Network Equip Config Changes: This report lists all events from Cisco devices containing "configure" in their event names.
3. Number of events by asset: It details assets targeted in at least one event along with the total number of events per asset and those targeting non-modeled assets.
4. Number of events by device type: It categorizes events based on the Category Device Group field, listing all types and their respective totals, including those without a value in this field.
This document identifies several issues related to data collection for monitoring and reporting within an IT environment using ArcSight software. The report outlines challenges encountered due to insufficient or unavailable log data from various sources such as network equipment, Windows system logs, and application event logs. It also mentions that without a defined workflow, scheduled reports are not possible and must be run manually.
Additionally, the document discusses notifications within ArcSight, which can send emails and pages based on rule triggers. However, these features were not fully tested due to time constraints related to troubleshooting earlier in the week. The personnel involved have had limited practical experience with notification resources and their assignment to rule actions; issues can be addressed through support tickets or future professional services engagements.
Lastly, the document does not provide details on database maintenance as requested.
During a technical engagement, several challenges were encountered, primarily due to limited time and resources, which affected content development and testing. As Gwinnett's DBA resource was unavailable throughout the engagement, it was decided to hold a conference call with ArcSight Support for further database-related discussions in the following week.
Despite these setbacks and the technical hurdles, the strategy engagement can be considered largely successful. A significant portion of the engagement time was consumed by troubleshooting device logging and configuration issues that hindered the desired content development and testing. However, this troubleshooting revealed a number of previously unaddressed issues which Gwinnett will follow up on.
The engagement provided Gwinnett personnel with practical experience in rule and report development, as well as modifying existing and creating new content for the ArcSight platform. Despite the gap between planned and accomplished content, it is acknowledged that more time would have allowed for better progress; this could be addressed in a future Professional Services engagement.
Additionally, an issue concerning licensing arose where Gwinnett wished to configure more user IDs than purchased licenses allow. This matter has been communicated to both Professional Services management and the sales representative, highlighting the complexity of managing such issues within multi-licensed systems like ArcSight.
This document outlines Gwinnett's requirements for a strategy consulting engagement with ArcSight Security Consulting, detailing their status and follow-up tasks. The table summarizes the current status of various requirements and specifies what actions Gwinnett should take next to ensure satisfactory completion. Additionally, it provides an overview of how ArcSight has adapted the Capability Maturity Model (CMM) to evaluate and enhance security process maturity during engagements.
The provided text describes a progression from a basic, informal level (Ad Hoc) to a more structured, documented level (Documented), and finally to a repeatable level (Repeatable) in handling security alerts and incidents using ArcSight ESM (Enterprise Security Manager).
At Level 1 - Ad Hoc:
Alerts are evaluated randomly.
Focus is on the accuracy of a single data source like NIDS or HIDS.
No formal process for alert evaluation, prioritization, or assurance.
Data from multiple systems typically requires manual collection and combination using tools like PowerPoint or Excel.
At Level 2 - Documented:
Implementation of ArcSight ESM provides a central console to view alerts from various devices and vendors.
Basic workflow exists but lacks advanced features such as correlation rules and statistical analysis.
Alerts are identified through filters and active channels, enhancing monitoring efficiency.
Few correlation rules exist for aggregation notifications; more focus on individual alert details.
Detailed information about affected assets is often incomplete or gathered externally.
Reports and dashboards rely mainly on base events.
At Level 3 - Repeatable:
A formal workflow is enforced by the system, improving consistency in handling alerts.
Advanced features like correlation rules and statistical analysis are utilized for more efficient alert processing.
Reporting and analytics capabilities within ArcSight improve significantly, providing deeper insights into incidents.
Overall, the progression from Ad Hoc through Documented to Repeatable reflects a gradual improvement in formalizing processes and introducing technological tools to enhance security operations.
The text outlines a hierarchical model for achieving increasing levels of maturity in using an ArcSight system to monitor, analyze, and respond to security events. At Level 4 - Managed, customers fully utilize all features of the ArcSight system, including filters, active channels, workflow, rules, reports, and dashboards. They also develop additional use cases, provide robust training, have formal processes for event tracking and mitigation, and ensure full integration with audit requirements.
At Level 5 - Optimized, customers continue to utilize all aspects of the ArcSight system but focus on continual improvement through workflow and internal processes. This level aims to make information security fully transparent, providing all stakeholders with visibility into the effectiveness of the systems and data sources used.