SECURITY WORKING GROUP

Defined Categories of Security as a Service (Preview) - Continuous Monitoring as a Service

© 2016 Cloud Security Alliance – All Rights Reserved

All rights reserved. You may download, store, display on your computer, view, print, and link to this document at http://www.cloudsecurityalliance.org/download, subject to the following: (a) the Report may be used solely for your personal, informational, non-commercial use; (b) the Report may not be modified or altered in any way; (c) the Report may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Report as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to this document.

ACKNOWLEDGMENTS

Initiative Lead Bernd Jaeger

Key Contributors Robert de Monts Kevin Fielder Jens Laundrup Tim Owen Roshan Sequiera Cameron Smith John Yeoh

TABLE OF CONTENTS

Acknowledgments ... 3
Executive Overview ... 5
Categories of Security as a Service ... 6
Continuous Monitoring as a Service (CMaaS) ... 7
Category Description ... 7
Business Elements ... 7
Core Functionalities ... 7
Optional Features ... 7
Technical Elements ... 8
Disciplines ... 8
Related Categories of Services ... 8
Related Standards and Technologies ... 8
CSA Domains (v3.0) ... 8
Controls ... 8
CCM v3.0.1 Mapping ... 8
Elements not mapped ... 8
Threats Addressed ... 9
Challenges ... 9
Examples ... 9
References ... 9

EXECUTIVE OVERVIEW

Numerous security vendors are now leveraging cloud-based models to deliver their security solutions, known as Security as a Service (SecaaS). This shift has occurred for a variety of reasons, including greater economies of scale and streamlined delivery mechanisms. However, these SecaaS offerings can take many forms, causing market confusion and complicating the selection process. Customers are increasingly faced with evaluating security solutions which do not run on-premises. They need a better understanding of these offerings to assess the type of security risks they address and the shared responsibility over the security of systems for which they are accountable.

In order to improve the understanding of these services and accelerate their market acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create guidelines for implementing SecaaS offerings, facilitate the purchasing process for such solutions, and aid those tasked with implementing or auditing them.

The SecaaS Working Group will address these challenges by working with experienced knowledge leaders and intelligent market research in the industry to align with cloud governance best practices, document use cases, identify standards requirements, and create other innovative research artifacts. This overview document is the first in a series of business, technical, and implementation guidance documents for the following security service categories:

- Business Continuity and Disaster Recovery
- Continuous Monitoring
- Data Loss Prevention
- Email Security
- Encryption
- Identity and Access Management (IAM)
- Intrusion Management
- Network Security
- Security Assessments
- Security Information and Event Management
- Vulnerability Scanning
- Web Security

For more information about CSA Security as a Service, visit: https://cloudsecurityalliance.org/security-as-a-service

CATEGORIES OF SECURITY AS A SERVICE

Network Security: Network Security consists of security services that allocate network access, distribute, monitor, and protect network services.

Vulnerability Scanning: Vulnerability Scanning scans the target infrastructure or systems for security vulnerabilities via a public network.

Web Security: Web Security offers real-time protection of public-facing application services, generally offered by proxying web traffic through the cloud service provider.

Email Security: Email Security provides control over inbound and outbound email, protecting the organization from phishing, malicious attachments, and spam, and providing business continuity options.

Identity and Access Management (IAM): IAM provides identity administration, governance and access controls. This includes identity assurance, access intelligence, and privileged user management.

Encryption: Encryption is the process of obfuscating data using cryptographic and numerical ciphers. It transforms clear-text into cipher-text to make it unreadable.

Intrusion Management: Intrusion Management is the process of using pattern recognition to detect statistically unusual events, prevent or detect intrusion attempts, and manage the incidents.

Data Loss Prevention (DLP): Data Loss Prevention is the monitoring, protecting, and verifying of the security of data at rest, in motion, and in use.

Security Information and Event Management (SIEM): Security Incident and Event Management (SIEM) systems accept log and event information, correlation and incident data, and provide real-time analysis and correlation.

Business Continuity and Disaster Recovery (BCDR): Business Continuity and Disaster Recovery is the implementation of measures designed to ensure operational resiliency in the event of any service interruptions.

Continuous Monitoring: Continuous Monitoring performs the function of continuous risk management, presenting the current security posture of the organization.

Security Assessments: Security Assessments are third-party audits of cloud services based on industry standards.

CONTINUOUS MONITORING AS A SERVICE (CMAAS)

Category Description

Continuous Monitoring performs the function of continuous risk management, presenting the current security posture of the organization. Using industry-approved risk management frameworks, Continuous Monitoring collects an inventory of deployed organizational assets (including but not limited to current patch/version status, vulnerabilities, threats, and traffic) and generates ongoing risk scores across the enterprise. The intent of Continuous Monitoring is to reduce the time and effort required to identify security risks, assist in defining mitigation strategies, and implement any necessary controls, thereby reducing the security risk window.

BUSINESS ELEMENTS

Core Functionalities

Asset Discovery & Management
- Scan for assets, discover assets and create a continuously updated asset inventory. The inventory is based on the organization's classification of assets.
- Collect traffic metrics and create baseline profiles. Baselines are created against industry-accepted standards.
- Provide process support via workflow integration.

Collection and Data Evaluation
- Ingest data from other security functions (automated collection and manual inputs). Collect:
  - Configuration status
  - Patch status
  - Vulnerability scanning results
  - Pen-testing findings
  - SIEM feeds
- Transformation of different input formats (format conversion, normalization, de-duplication)
- Information correlation

Risk & Compliance Assessment
- Identification and/or definition of policies and standards to measure against
- Assessment against policies, certification standards and other legal & compliance requirements
- Risk scoring

Reporting
- Report current risk and compliance status

Continuous Mitigation Process/Cycle
- Identify remediation and mitigation activities
- Prioritize activities
- Track progress and effectiveness
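The core functionalities above describe one pipeline: ingest feeds in their native formats, normalize them to a common schema, de-duplicate, correlate findings per asset, score risk using the organization's asset classification, and then re-score as mitigations land. The following Python script is an added example written for this document, not code from the Cloud Security Alliance; the four feeds, the asset classification, the 1-4 severity scale, the squared-severity scoring and the classification weights are all constructed assumptions chosen to illustrate the steps, not a standard the document prescribes.

```python
"""Added example: a minimal Continuous Monitoring collection -> evaluation ->
scoring -> mitigation-tracking cycle over constructed sample feeds."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feeds (not real scanner or SIEM output). Each source uses
# its own field names and severity vocabulary; normalization reconciles them.
VULN_SCAN = [
    {"host": "web-01", "plugin": "TLS-1.0-enabled", "severity": "Medium"},
    {"host": "web-01", "plugin": "TLS-1.0-enabled", "severity": "Medium"},  # exact duplicate
    {"host": "db-01", "plugin": "outdated-openssl", "severity": "High"},
]
PATCH_STATUS = [
    {"asset": "WEB-01", "missing_patches": 3},   # mixed-case asset name on purpose
    {"asset": "db-01", "missing_patches": 0},
]
CONFIG_STATUS = [
    {"hostname": "db-01", "check": "root-login-enabled", "result": "fail"},
    {"hostname": "db-01", "check": "audit-logging", "result": "pass"},
]
SIEM_FEED = [
    {"src": "web-01", "rule": "brute-force-login", "level": 4},
]

# Constructed asset classification (the organization's inventory step).
ASSET_CLASS = {"web-01": "external", "db-01": "internal-crown-jewel"}
CLASS_WEIGHT = {"external": 1.5, "internal-crown-jewel": 2.0}  # assumed weights
SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """Common schema every feed is converted into; frozen so it is hashable."""
    asset: str
    source: str
    title: str
    severity: int  # 1..4 after normalization


def normalize() -> list[Finding]:
    """Format conversion: map each feed's fields and vocabulary onto Finding."""
    out: list[Finding] = []
    for r in VULN_SCAN:
        out.append(Finding(r["host"].lower(), "vuln-scan", r["plugin"],
                           SEVERITY_WORDS[r["severity"].lower()]))
    for r in PATCH_STATUS:
        if r["missing_patches"] > 0:  # only a deficit is a finding
            sev = 3 if r["missing_patches"] >= 3 else 2
            out.append(Finding(r["asset"].lower(), "patch",
                               f"{r['missing_patches']} missing patches", sev))
    for r in CONFIG_STATUS:
        if r["result"] == "fail":
            out.append(Finding(r["hostname"].lower(), "config", r["check"], 3))
    for r in SIEM_FEED:
        out.append(Finding(r["src"].lower(), "siem", r["rule"], min(r["level"], 4)))
    return out


def deduplicate(findings: list[Finding]) -> list[Finding]:
    """Drop exact duplicates while preserving first-seen order."""
    return list(dict.fromkeys(findings))


def correlate(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group findings from every source under the asset they concern."""
    by_asset: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_asset[f.asset].append(f)
    return dict(by_asset)


def risk_score(asset: str, findings: list[Finding]) -> float:
    """Squared severity so one critical outweighs several lows; weighted by class."""
    base = sum(f.severity ** 2 for f in findings)
    return base * CLASS_WEIGHT.get(ASSET_CLASS.get(asset, ""), 1.0)


def assess(findings: list[Finding] | None = None) -> dict[str, float]:
    """Run the cycle and return assets ordered by risk, i.e. the mitigation priority."""
    if findings is None:
        findings = deduplicate(normalize())
    scores = {a: risk_score(a, fs) for a, fs in correlate(findings).items()}
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


def apply_mitigation(findings: list[Finding], asset: str, title: str) -> list[Finding]:
    """Track progress: remove a remediated finding so the next cycle re-scores it."""
    return [f for f in findings if not (f.asset == asset and f.title == title)]


if __name__ == "__main__":
    current = deduplicate(normalize())
    print("initial priority:", assess(current))
    after = apply_mitigation(current, "web-01", "brute-force-login")
    print("after mitigation:", assess(after))
```

The duplicate scanner row and the mixed-case asset name are there deliberately: without normalization and de-duplication, `WEB-01` and `web-01` would be scored as two assets and the repeated TLS finding would be counted twice. Re-running `assess` on the reduced finding set is the "track progress and effectiveness" step; the priority order changes once the brute-force finding is closed.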

TECHNICAL ELEMENTS

Supporting Core Functionalities
Risk reporting, encryption, anonymization, logging, data categorization, data correlation, data integrity protection, threat intelligence management, patch management, creating policies, asset management, vulnerability management, configuration management, compliance monitoring/management

Related Categories of Services
SIEM, Network Security, Security Assessments, Vulnerability Scanning, IAM, Intrusion Management

Related Technologies
Cloud Access Security Broker (CASB)

Related Standards
DFARS, FISMA, FISMA II, ISO/IEC 27001, NASA-FARS, NERC/FERC CIP, NIST Cybersecurity Framework, NIST IR 7800, NIST SP 800-137, NIST SP 800-53

CSA Domains (v3.0)
Domain 2: Governance and Enterprise Risk Management, Domain 4: Compliance and Audit Management, Domain 9: Incident Response, Domain 14: SecaaS

Controls
- Classification of information systems
- Assessing technical and administrative security controls
- Monitoring security controls (i.e. preventative, detective)
- Indirectly during the mitigation or follow-up cycle:
  - Selecting security controls
  - Implementing security controls (i.e. process, technical, administrative)
  - Authorizing information systems

CCM v3.0.1 Mapping
- Audit Assurance & Compliance: AAC-01, AAC-02, AAC-03
- Change Control & Configuration Management: CCC-01, CCC-02, CCC-04, CCC-05
- Data Security & Information Lifecycle Management: DSI-01, DSI-02, DSI-03, DSI-04, DSI-05
- Datacenter Security: DCS-01, DCS-03
- Encryption & Key Management: EKM-03
- Governance & Risk Management: GRM-01, GRM-02, GRM-04, GRM-06, GRM-08, GRM-09, GRM-10, GRM-11
- Human Resources: HRS-05, HRS-08
- Identity & Access Management: IAM-01, IAM-03, IAM-04, IAM-05, IAM-07, IAM-08, IAM-09, IAM-10
- Infrastructure & Virtualization Security: IVS-01, IVS-02, IVS-05, IVS-06, IVS-07, IVS-11, IVS-12
- Mobile Security: MOS-02, MOS-03, MOS-09, MOS-10, MOS-12, MOS-15, MOS-16, MOS-17, MOS-19
- Threat & Vulnerability Management: TVM-01, TVM-02

Threats Addressed
- Non-compliance and policy violations
- Insecure configuration (changes)
- Being vulnerable between point-in-time audits
- APT (intrusion via Advanced Persistent Threats)

Challenges
- Full coverage of the infrastructure in scope
- Asset discovery blocked by firewalls/gateways
- Poor or no policies/processes defined to assess against
- Lack of stakeholder or senior management commitment
- Handling of offline or legacy devices
- Appropriate risk evaluation and prioritization
- Sound processes for mitigation
- Dynamic topology changes, cloned devices/assets, offline copies in a software-defined/driven ICT environment (i.e. SDN, NFV, cloud)

References
http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf
http://www.gsa.gov/portal/getMediaData?mediaId=199735
http://www.gsa.gov/portal/mediaId/199735/fileName/CDM_Product_Catalog.action
