Binding risks to framework/referential security controls

[verzulli]

I'm deeply investigating (aka: reverse-engineer) the way Monarc use to bind Security Controls (es.: ID.AM-1 or ID.GV-1 in NIST Core) to information risks.

I saw that if I associate a "referential" (es.: Nist Core) to a new risk-assessment, at creation time, than in the Statement of Applicability I clearly see that security controls are linked...

... to a table detailing related mapped risks.

This, again, at least if a choose "Nist core" referential and play with a couple of assets.

I want to achieve the same result (binding risk to referential security controls) but with a custom referential (namely: Italian National Cybersecurity Framework, that of course I'm fully committed in creating and deploying accordingly), so the question is: where are the "joining" logic, between the various components (asset, threats, vulnerability, security_referential, security_standard_mapping, etc.) ?

At the moment, I'm analyzing underlying database schema, testing/exercising some querying around measures, measures_amvs, amvs, vulnerabilities, threats, referential tables like
in:

SELECT distinct
    m.code as 'cod_misura',
    m.label1 as 'desc_misura',
    v.code as 'cod_vulner',
    v.label2 as 'desc_vulner',
    t.code as 'cod_threat',
    t.label2 as 'desc_threat',
    a.anr_id,
    v.anr_id,
    t.anr_id
FROM 
    measures_amvs ma,
    measures m,
    amvs a,
    vulnerabilities v,
    threats t
where 
    ma.measure_id=m.uuid and
    ma.amv_id = a.uuid and
    ma.anr_id=25 and -- 25 is my "test" risk-analysis
    a.vulnerability_id = v.uuid and
    a.threat_id = t.uuid and
    ma.measure_id='231fc2b1-80c2-450e-9d80-f804f5a8984c'; --ID.AM-1

giving out this:

where I get the "join" between the control and the specific vulnerability and threat (I assume I could easily retrieve asset reference as well).

As I'm interested in DEFINING this logic, I also checked the security standard mapping schema (various JSONs downloaded from MOSP), finding something.... but definitely too-little to understand the whole figure :-(

As things are getting a bit complex... I'm trying to POST here, searching for some guidance.

Are there some documentation I can check? Are there some artifacts I can take as a basis? Or, unfortunately, reverse-engineering (both the DB schema and/or the code) is the only way to go?

Thanks everyone, in advance.

Cheers,
DV

[ruslanbaidan]

Hello,

Statement of Applicability is built based on the measures (Security controls) linked to the informational risks (DB table soa).

I want to achieve the same result (binding risk to referential security controls) but with a custom referential (namely: Italian National Cybersecurity Framework, that of course I'm fully committed in creating and deploying accordingly), so the question is: where are the "joining" logic, between the various components (asset, threats, vulnerability, security_referential, security_standard_mapping, etc.) ?

Informational risks (IR) are stored in the DB in the amvs table, it's a composition of assets, threats and vulnerabilities. And linked to measures (measures_amvs). There is a possibility to link each of the IR with controlls (measures) in the Knowledge Base.
Security standards mapping is done in the measures_measures table. E.g. when a referential is matched with another 2, in the table measures_measures will be created 4 records: 1 ref -> 1st matched red, 1 ref -> 2nd matched ref, 1st matched ref -> 1 ref, 2nd matched ref -> 1 ref.

Are there some documentation I can check? Are there some artifacts I can take as a basis? Or, unfortunately, reverse-engineering (both the DB schema and/or the code) is the only way to go?

There is no particular documentation about the DB structure correspondence or logic behind, but you might find useful for your goal and understand a bit more if read the following discussions and try to play with them validation your database after each step:
#427
#412
https://www.youtube.com/watch?v=N45p3fw_G2U

Please let us know if you need more help.

[verzulli]

First of all, thanks for answering.

Informational risks (IR) are stored in the DB in the amvs table, [...]. There is a possibility to link each of the IR with controlls (measures) in the Knowledge Base.

I'm still missing HOW, just by importing "NIST Core" referential, I got some of the IRs bounded to controls/measures.

Actually, the referential-JSON contains a value attribute resulting in an ARRAY of elements like this:

 {
      "category": "Asset Management (ID.AM)",
      "code": "1_ID.AM-1",
      "label": "Physical devices and systems within the organization are inventoried",
      "uuid": "231fc2b1-80c2-450e-9d80-f804f5a8984c"
  }

I wonder how, without any kind of reference to mapped IRs... such an association got created and shown in the SOA webpage.

Please note that I imported only NIST-Core referential... without any additional "mapping" to other referentials/referential_mappings...

Where do such an association come from?

---

P.S.: I checked the two linked discussion but that seems related to creating a new referential, based on existing ones. As such, they both ended about building a "mapping" from an existing referential to a to-be-created new one.
I'd prefer to create a new referential, without any relation to existing ones (if possible...)

[ruslanbaidan]

Thank you for your questions.

I'm still missing HOW, just by importing "NIST Core" referential, I got some of the IRs bounded to controls/measures.
Actually, the referential-JSON contains a value attribute resulting in an ARRAY of elements like this:
I wonder how, without any kind of reference to mapped IRs... such an association got created and shown in the SOA webpage.

I could assume that your one of ISO standards like ISO 27002 was already presented in the analysis, so it was created with the predefined mapping to all the "system" based standards (those you could select on the analysis creation step).
So the mapping was already in the DB for the NIST Core referential.
Regarding the SOA data, it is done automatically by the FrontEnd (angularjs framework). It processes the data set and if we go to your example, takes the value of each category (Asset Management (ID.AM) etc) and creates soacategories. The soacategories are the base for the SOA view.

P.S.: I checked the two linked discussion but that seems related to creating a new referential, based on existing ones. As such, they both ended about building a "mapping" from an existing referential to a to-be-created new one.
I'd prefer to create a new referential, without any relation to existing ones (if possible...)

Those discussions about both, mapping and creation of a new one, but in your case you would need to create new referential, related controls and link to the informational risks.

[verzulli]

I've been able to solve my problem, even if with a not-direct approach. Let me explain.

My goal was to create a new referential with related new "controls", and having monarc-provided Information-Risks be automatically bonded to such controls.

I've been able to:

1. create a new Risk-Assessment, choosing NIST SP-800 as its "base" referential;
2. create a new referential (let's call it CSRF);
3. populate the new referential controls, by uploading a properly crafted CSV to CSRF;
4. download the obtained CSRF referential, so to retrieve UUIDs that monarc generated and assigned to related controls;
5. fetch NIST SP 800-53 (Rev.5) from MOSP, and extract UUIDs of related controls;
6. prepare a "mapping" between CSRF controls (point 4.) and NIST controls (point 5.). This is simple CSV file with each row made up by CSRF control UUID and NIST control UUID (it's an N to M relationship);
7. in the referential TAB, upload such mapping

At this point, the new referential (CSRF) is properly mapped with NIST. So we can go to the Information Risk TAB, choose the CSRF referential and click the "update controls" button.
After a few seconds, CSRF controls appears aside each single IR. Of course, switching referential (eg.: choosting NIST-800), controls are updated accordingly, matching the NIST-800 ones.

So, again, this is definitely OK for my need... at the moment :-)

But.... I'm still missing, during the whole creation wizard, the origin of the initial association between my "new" risk-assessment (that start with a "Blank model") and the NIST SP-800 security controls. This is something I'm still unable to understand :-( But I'll continue the investigation :-)

---

P.S.: with my collegue, we're planning to share/upload_in_MOSP our outcome... as soon as we finalize some minor details (naming, language, etc.)

[ruslanbaidan]

Thank you very much for sharing the details of your work and willing to contribute to the community data!

The steps that you performed are clearly described and pretty much correct.

Regarding your concerns about the mapping that is appeared after creation.
The mapping exists in the common database, the same as uploaded to MOSP for the 4 available by default referentials (only mappings that are available on MOSP). So when a new analysis is created with certain referential(s), the mapping is added as well for them, even if a single one is added. Perhaps it's confusing, but this is how it works now.
Therefor when you create a risk analysis with ISO 27002, or add it later by editing it, after ether import one of NIST Core or NIST SP 800-53 nether add one or both by editing the analysis, the mapping is presented as it was taken from the monarc_common database. The same as defined on MOSP. You could find the measures_measures mapping in the initial monarc_data.sql file.

Related to publishing your CSRF referential.
You could register an account on MOSP, create an organisation and create manually the referential, but it would be better if you could upload the data that you prepared. We are going to look at the possibility and come back to you soon.

[verzulli]

[...]
The mapping exists in the common database [...] You could find the measures_measures mapping in the initial monarc_data.sql
[...]

I've given a look to monarc_data.sql that, if I'm right, it's pushed in monarc DB at install-time. So, we can assume that every monarc installation has, internally, related tables.

I've seen that within those data there are:

• a referentials table containing data related to 4 referentials. Namely NIS Directive, ISO 27002, NIST SP 800-53 and NIST Core

• a measures table with 528 records, with each record bonded to one of above referentials. Namely:
  • 30 measures pointing to NIS Directive
  • 114 measures pointing to ISO 27002
  • 276 measures pointing to NIST SP 800-53
  • 108 measure pointing to NIST Core

• And of course, such binding includes also code and labels of the measures (that we also call "controls"):

    SELECT 
        m.referential_uuid as REF_UUID,
        ref.label2 as REF_LABEL,
        m.code as MEASURE_CODE,
        m.label2 as MEASURE_LABEL
    FROM 
        measures m,
        referentials ref
    WHERE
        m.referential_uuid = ref.uuid
    ORDER BY 1,2,3
    ------------------
    REF_UUID,REF_LABEL,MEASURE_CODE,MEASURE_LABEL
    3f4a2a67-a1f9-46e1-8d71-7f6486217bb7,"NIS Directive",1.1.1,"Information system security risk analysis"
    3f4a2a67-a1f9-46e1-8d71-7f6486217bb7,"NIS Directive",1.1.2,"Information system security policy"
    3f4a2a67-a1f9-46e1-8d71-7f6486217bb7,"NIS Directive",1.1.3,"Information system security accreditation"
    3f4a2a67-a1f9-46e1-8d71-7f6486217bb7,"NIS Directive",1.1.4,"Information system security indicators"
    3f4a2a67-a1f9-46e1-8d71-7f6486217bb7,"NIS Directive",1.1.5,"Information system security audit"
    3f4a2a67-a1f9-46e1-8d71-7f6486217bb7,"NIS Directive",1.1.6,"Human resource security"
    3f4a2a67-a1f9-46e1-8d71-7f6486217bb7,"NIS Directive",1.1.7,"Asset Management"
    3f4a2a67-a1f9-46e1-8d71-7f6486217bb7,"NIS Directive",1.2.1,"Ecosystem mapping"
    [...]
    98ca84fb-db87-11e8-ac77-0800279aaa2b,"ISO 27002",10.1.1,"Policy on the use of cryptographic controls"
    98ca84fb-db87-11e8-ac77-0800279aaa2b,"ISO 27002",10.1.2,"Key management"
    98ca84fb-db87-11e8-ac77-0800279aaa2b,"ISO 27002",11.1.1,"Physical security perimeter"
    98ca84fb-db87-11e8-ac77-0800279aaa2b,"ISO 27002",11.1.2,"Physical entry controls"
    98ca84fb-db87-11e8-ac77-0800279aaa2b,"ISO 27002",11.1.3,"Securing offices, rooms and facilities"
    98ca84fb-db87-11e8-ac77-0800279aaa2b,"ISO 27002",11.1.4,"Protecting against external and environmental attacks"
    98ca84fb-db87-11e8-ac77-0800279aaa2b,"ISO 27002",11.1.5,"Working in secure areas"
    98ca84fb-db87-11e8-ac77-0800279aaa2b,"ISO 27002",11.1.6,"Delivery and loading areas"
    [...]
    cfd2cd50-95fa-4143-b0e5-794249bacae1,"NIST SP 800-53",AC-1,"Access Control Policy and Procedures"
    cfd2cd50-95fa-4143-b0e5-794249bacae1,"NIST SP 800-53",AC-10,"Concurrent Session Control"
    cfd2cd50-95fa-4143-b0e5-794249bacae1,"NIST SP 800-53",AC-11,"Device Lock"
    cfd2cd50-95fa-4143-b0e5-794249bacae1,"NIST SP 800-53",AC-12,"Session Termination"
    cfd2cd50-95fa-4143-b0e5-794249bacae1,"NIST SP 800-53",AC-14,"Permitted Actions without Identification or Authentication"
    cfd2cd50-95fa-4143-b0e5-794249bacae1,"NIST SP 800-53",AC-16,"Security and Privacy Attributes"
    cfd2cd50-95fa-4143-b0e5-794249bacae1,"NIST SP 800-53",AC-17,"Remote Access"
    [...]
    fcf78560-3d12-42ba-8f4a-5761ca02ac94,"NIST Core",1_ID.AM-1,"Physical devices and systems within the organization are inventoried"
    fcf78560-3d12-42ba-8f4a-5761ca02ac94,"NIST Core",1_ID.AM-2,"Software platforms and applications within the organization are inventoried"
    fcf78560-3d12-42ba-8f4a-5761ca02ac94,"NIST Core",1_ID.AM-3,"Organizational communication and data flows are mapped"
    fcf78560-3d12-42ba-8f4a-5761ca02ac94,"NIST Core",1_ID.AM-4,"External information systems are catalogued"
    fcf78560-3d12-42ba-8f4a-5761ca02ac94,"NIST Core",1_ID.AM-5,"Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value"
    fcf78560-3d12-42ba-8f4a-5761ca02ac94,"NIST Core",1_ID.AM-6,"Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established"
    fcf78560-3d12-42ba-8f4a-5761ca02ac94,"NIST Core",1_ID.BE-1,"The organization’s role in the supply chain is identified and communicated"
    [...]

---

If the above is correct, I assume that as soon as I ADD a NEW referential, during the Risk-Assessment, via the "TAB referential" in the "Knowledge base" of the UI... I can only "bind" my new referential (and related controls) only to one of existing four above.

Is this correct?

If yes, which is the "official" way to ADD a new referential, from scratch, directly in the "measures" table, so to have it already be ready for interested users, without forcing them to go through the intermediary mapping?

[ruslanbaidan]

I would like to first explain a bit of insides.
monarc_data.sql contains data to populate monarc_common database.
The database is normally populated and managed by a BackOffice application and the DB is accessible from each of connected FrontOffice app with readonly access.
In case of a single FrontOffice installation, the database is created and populated to read for the FO and every new analysis creation fetches and recreates necessary data inside of monarc_cli database. The data are a recreated based on the model library objects, all knowledge base generic objects (assets, threats, vulnerabilities, selected referential(s), Information & operational risks etc) or specific objects linked to a specific model (in case if model is specific). All of the created analysis data have link with the analysis (anr_id).

If you would like to provide a new Monarc FrontOffice instance with the new referential inside (like include to new installations), controls, mapping and link the controls with the information risks, than you could prepare an SQL to import on installation step. Populate tables of monarc_common: referentials, measures, measures_measures, measures_amvs.
It is not necessary to have mapping to one of predefined/existing controls.

If you "bind" the new referential's controls to any of existing on MOSP referential(s), it can work too (not only Monarc default ones).
We are going to provide more information on that after an internal discussion.