Since 2010, the United States government has required all federal information systems to comply with the government’s Risk Management Framework (RMF), a set of security standards, for architecting, securing, and monitoring IT systems.
Now managed by the National Institute of Standards and Technology (NIST), the RMF standards offer detailed best practices for improving IT security in the face of threats such as data breaches and ransomware attacks.
In this blog post, I’ll offer an overview of the NIST RMF and explain how Tanium Risk and other Tanium products can help agencies comply with these important standards.
NIST security frameworks for managing risk
Let’s start out by defining what we’re trying to manage.
Risk, according to NIST, is “a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.” To understand IT risk, then, an organization needs to understand the value of its IT resources and the harm that could come from those resources being disrupted or damaged.
An organization also needs to understand the likelihood of each potential threat, so that it can prioritize its investments and responses for reducing risk appropriately. After all, you don’t want to pour money into preventing a risk with a 0.01% likelihood, while neglecting risks that have a 10% likelihood.
The primary NIST standard for establishing the federal government’s risk security framework is NIST SP 800-37 Rev. 2. This standard provides “a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.”
Precision and timeliness matter in these assessments. NIST 800-37 calls for IT organizations to engage in real-time or near-real-time monitoring, moving beyond the daily or weekly status reports security teams might have relied on for endpoint security in the past. In contrast to relying on periodic snapshots of the status of critical infrastructure, the RMF “promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes … [and] provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions.”
Conducting risk assessments with NIST SP 800-30
According to NIST SP 800-39, risk management processes include: (i) framing risk; (ii) assessing risk; (iii) responding to risk; and (iv) monitoring risk.
NIST SP 800-30, Guide for Conducting Risk Assessments, goes into more detail about performing the second process in that list, assessing risk. NIST SP 800-30 first describes a process for identifying the scope, purpose, and other elements of the assessment. Then it describes how to conduct the assessment itself, which includes these steps:
- Identify threat sources and events
- Identify vulnerabilities and predisposing conditions
- Determine the likelihood of occurrence
- Determine magnitude of impact
- Determine risk
This assessment doesn’t complete the work. The results of the assessment need to be communicated to stakeholders, and the assessment needs to be maintained, using monitoring “to keep current, the specific knowledge of the risk organizations incur.”
Does the organization have the reporting in place it needs to share risk assessments with business and IT stakeholders? Does it have a systematic way of maintaining the assessment, ensuring, for example, that an assessment made a week ago is still accurate today? These are questions IT and security leaders might ask after studying NIST SP 800-30.
Managing information security risk with NIST SP 800-39
Another standard, NIST SP 800-39, Managing Information Security Risk, provides guidance for “an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.”
The standard proposes a three-tiered approach to risk management “(i) organization level; (ii) mission/business process level; and (iii) information system level.” Effective risk management, in other words, requires a broad scope, taking in the organization’s mission and strategies, its business processes, and its individual IT systems.
NIST 800-39 proposes that the organization’s risk management practices include:
- Developing an IT architecture linked to the strategic goals and objectives of organizations, defined missions/business functions, and associated mission/business processes.
- Incorporating an information security architecture that implements architectural-level information security requirements.
- Translating the information security requirements from the “segment” or “mission-area” architecture into specific security controls for information systems/environments of operation as part of the solution architecture.
- Allocating management, operational, and technical security controls to information systems and environments of operation as defined by the information security architecture.
The first step is identifying potential risks based on the organization’s mission and IT systems. Begin by identifying the roles specific systems and resources play in supporting the company’s strategy and mission. Then brainstorm to identify all important risks to each of those systems and resources.
For example, if the organization’s mission depends on a web server, consider all the threats, malicious or otherwise, that could interrupt or damage that web server. Your list might include DDoS attacks, power outages, configuration problems, usage spikes, and so on.
Next comes measuring and assessing risks based on an understanding of how specific IT systems contribute to the organization’s overall mission and what the likelihood is of specific risks affecting those systems.
Once risks are identified and ranked by likelihood, the organization should take steps to mitigate them. For example, if having unpatched servers is identified as a risk, the company could implement a patch management system to mitigate that risk.
The results of those previous three steps should be reported to stakeholders and monitored to determine if the status of risks has changed. The process concludes with governance. In this step, IT and business leaders decide where and how to invest to reduce risks and optimize risk management overall.
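The SP 800-30 steps listed earlier (threat event, vulnerability or predisposing condition, likelihood, impact, risk) and the identify-assess-mitigate-monitor walkthrough above can be carried through on the post's own web server example. The following Python is an added illustration, not code from the post or from Tanium; the likelihood-by-impact matrix is modeled on the qualitative one in SP 800-30 Appendix I and is reproduced from memory, so check it against the standard, and the sample risk register is constructed.

```python
from dataclasses import dataclass, replace

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Qualitative likelihood-by-impact matrix modeled on NIST SP 800-30 Rev. 1
# Appendix I (rows: likelihood, columns: impact in LEVELS order). Reproduced
# from memory for this example; verify against the standard before relying on it.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

@dataclass(frozen=True)
class Risk:
    system: str
    threat_event: str   # SP 800-30 step 1: threat source / threat event
    condition: str      # step 2: vulnerability or predisposing condition
    likelihood: str     # step 3: likelihood of occurrence
    impact: str         # step 4: magnitude of impact

    def level(self) -> str:
        """Step 5: determine risk by combining likelihood and impact."""
        return RISK_MATRIX[self.likelihood][LEVELS.index(self.impact)]

def rank(risks):
    """Highest risk first; ties broken by likelihood, so mitigation starts at the top."""
    key = lambda r: (LEVELS.index(r.level()), LEVELS.index(r.likelihood))
    return sorted(risks, key=key, reverse=True)

def needs_action(risk, threshold="Moderate"):
    """Risks below the agreed threshold are deferred to the next assessment cycle."""
    return LEVELS.index(risk.level()) >= LEVELS.index(threshold)

def reassess(risk, **changes):
    """Maintain the assessment: re-rate a risk when a condition changes (e.g. after patching)."""
    return replace(risk, **changes)

# Constructed sample register for the web server example in the post.
WEB_SERVER_RISKS = [
    Risk("public web server", "DDoS attack", "internet-facing, no upstream scrubbing", "Moderate", "High"),
    Risk("public web server", "power outage", "single power feed", "Low", "Moderate"),
    Risk("public web server", "misconfiguration", "changes made without review", "High", "Moderate"),
    Risk("public web server", "usage spike", "no autoscaling", "Moderate", "Low"),
    Risk("public web server", "exploitation of known flaw", "OS patches missing", "High", "Very High"),
]

if __name__ == "__main__":
    for r in rank(WEB_SERVER_RISKS):
        print(f"{r.level():9} {'act' if needs_action(r) else 'defer':5} {r.threat_event} ({r.condition})")
```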
How Tanium helps support the Risk Management Framework
The Tanium platform provides security and IT operations teams with a single, comprehensive, real-time view of critical endpoint data so that organizations can make informed decisions and act quickly to minimize disruptions and reduce risk. Tanium modules — components of the Tanium platform — address key requirements of the RMF.
Tanium modules for risk identification
Three Tanium modules provide the real-time endpoint intelligence companies need to understand what IT systems they have — whether on premises, in remote locations, or in the cloud — and how those systems work together to support operations and processes.
- Discover – Inventory the entire environment across all endpoints in minutes. Scan networks with hundreds of thousands of endpoints to find unmanaged assets, so administrators can block them or bring them under management.
- Asset – Quickly build and maintain an accurate inventory of your IT assets so you can make better decisions for risk management and operational success.
Tanium modules for risk measurement and assessment
Once you have identified the threats, vulnerabilities, impact, likelihood, and predisposing conditions, you can calculate and rank the risks your organization needs to address using the following Tanium modules:
- Comply – Identify vulnerabilities and compliance gaps across all your endpoints in minutes versus days or weeks.
- Reveal – Quickly locate changes to sensitive data fields and act directly on the endpoint.
- Impact – Quickly identify high-risk accounts and systems to reduce your attack surface.
- Integrity Monitor – Continuously monitor critical low-level OS, application and registry files, elevating investigations when alerts are triggered.
- Risk – Get the real-time data, automation, and intelligence needed for making informed decisions faster with a comprehensive assessment of endpoint risk. Use this data to prioritize actions with intelligent risk scoring based on operational and security metrics.
Tanium modules for risk mitigation
Next, take your ranked list of risks and start to figure out how to mitigate the threats from the greatest to the least. You and your team might decide that risks below a certain level are not worth addressing, either because the likelihood of them occurring is too remote or because you’ve identified much more pressing risks to focus on in the first term. That’s all right. Risk management is an ongoing process. If a risk is genuinely important, you will have an occasion to address it when you repeat your risk analysis process. And should the likelihood of that risk suddenly increase, you’ll be prepared with Tanium risk management software in place providing real-time insights about risks and providing you with real-time controls for containing and mitigating threats.
The following Tanium modules can help you with risk mitigation.
- Deploy – Install, update and remove software based on a flexible set of target computer groups or an individual machine.
- Patch – Schedule operating system patches to fix missing patches across endpoints in seconds.
- Enforce – Centralize and enforce policy management across operating systems and device locations.
- Threat Response – Proactively hunt for adversaries using arbitrary heuristics.
Tanium modules for risk reporting and monitoring
The RMF requires that organizations maintain a list of known risks and monitor those risks to ensure compliance with all applicable policies.
- Trends – Gain insight into key security metrics and operational health by creating visualizations that show current and historical data from endpoints.
- Risk – Produce reports to communicate key trends, improvements and industry benchmarks for executive and board-level reporting. By using Risk to continuously monitor endpoints, you can improve your compliance and risk posture.
- Connect – Integrate Tanium easily with third-party solutions and the U.S. Federal CDM Dashboard.
Let Tanium help you with RMF compliance
Tanium has helped federal agencies and other organizations take a proactive and efficient approach to risk and compliance. Through the combination of its extensible data model, distributed communications protocol, and lightweight agent, the Tanium platform enables customers to save time and reduce costs associated with managing risk.
The Tanium platform:
- Provides and maintains comprehensive visibility not only to vulnerability and compliance gaps, but also to overall risk across all endpoints in just minutes instead of days or weeks.
- Offers a single, accurate, and rich source-of-truth that drives consensus around prioritization and remediation across IT operations, security, and risk teams.
- Allows teams to quickly remediate problems across their environments without switching tools.
- Spares organizations the expense and trouble of buying yet another tool and installing the infrastructure that goes with it.