FedRAMP

Prisma Cloud Compute configuration of features and functions that support an organization's FedRAMP authorization.

Document revisions

Date Comment

20201012

Released for an older version of Prisma Cloud Compute (19.03). Updates are coming shortly.

Download

Findings can be downloaded as a CSV file from here.

Findings

Columns: Control | Twistlock Feature | Twistlock Sub-Feature | Console UI Location | Twistlock API | Values | NIST SP 800-53 Control | ISO/IEC 27001 and 15408 | Cybersecurity Framework Version 1.1 | NCCoE SP 1800-19 | FedRAMP | Notes | Twistlock Docs

AC-2: Account Management

Authentication

Manage > Authentication

https://nvd.nist.gov/800-53/Rev4/control/AC-2

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions

https://www.fedramp.gov/assets/resources/documents/FedRAMP_Security_Controls_Baseline.xlsx

Twistlock leverages existing identity management systems for identity and access to the Twistlock Console and API. The NIST SP 800-53 Moderate identity management functions are performed by the organization's existing identity management process. Twistlock should be configured for Active Directory, OpenLDAP, SAML, or x.509 authentication.

SAML 2.0 Federation

Manage > Authentication > SAML

/api/v1/settings/saml

Enabled | Disabled

AC-2 - Account Management - Moderate

AC-2 - Account Management - Moderate

https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_saml_post

Active Directory and OpenLDAP

Manage > Authentication > LDAP

/api/v1/settings/ldap

Enabled | Disabled

AC-2 - Account Management - Moderate

AC-2 - Account Management - Moderate

https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_ldap_post

x.509 Smartcard authentication

Manage > Authentication > System Certificates > Advanced Features > Console Authentication

/api/v1/settings/trusted-certificates

Advanced certificate configuration = show; field #2, Console Authentication = certificate(s) of the smartcard-issuing CAs

AC-2 - Account Management - Moderate

AC-2 - Account Management - Moderate

DoD CAC and PIV issuing CA certificates are uploaded into the Twistlock Console

https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post

Enable certificate revocation checking

Manage > Authentication > System Certificates > Advanced Features > Console Authentication

/api/v1/settings/trusted-certificates

on|off

AC-2 - Account Management - Moderate

AC-2 - Account Management - Moderate

CRL and OCSP are supported. Only enable this when the Twistlock Console can reach the CRL distribution point (CDP) and OCSP responder endpoints; otherwise revocation checks cannot complete.

https://docs.twistlock.com/docs/latest/configure/custom_certs_console_access.html

AC-3: Access Enforcement

https://nvd.nist.gov/800-53/Rev4/control/AC-3

Twistlock can be configured not to contain any local user accounts

Authentication

No local accounts with a password stored in the Twistlock database

Manage > Authentication > Users

/api/v1/users

Basic | SAML | LDAP

AC-3 - Account Management - Moderate

AC-3 - Account Management - Moderate

Check for user accounts with authType=basic

Disable basic authentication to Console and API

Manage > Authentication > Logon

/api/v1/settings/logon

on|off

AC-3 - Account Management - Moderate

AC-3 - Account Management - Moderate

If SAML federation is used, scripted access to the API will not work, because scripts and programs that call the API do not follow the SAML HTTP redirect. With x.509 smartcard authentication, first call the /api/v1/authenticate-client API to obtain an access token, then present that token on subsequent API calls.

SAML and LDAP group assignments to role within Twistlock

Manage > Authentication > Groups

/api/v1/groups

AC-3 - Account Management - Moderate

AC-3 - Account Management - Moderate

ldapGroup = true | samlGroup = true

https://docs.twistlock.com/docs/latest/access_control/assign_roles.html#assigning-roles-to-adopenldapsaml-users
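The AC-2 and AC-3 rows above ask for no local (basic) accounts, basic authentication disabled, and roles mapped from the identity provider. The following script is an added example, not product code, of the check a reviewer would run against the two API responses named in the table. The JSON inputs are constructed to resemble GET /api/v1/users and GET /api/v1/settings/logon; the field names "authType", "role" and "basicAuthDisabled" and the role value "admin" are assumptions to confirm against the API reference for your Console version.

```python
"""Offline posture check for the AC-2/AC-3 rows (added example, not product code).

USERS_JSON and LOGON_JSON are constructed to resemble GET /api/v1/users and
GET /api/v1/settings/logon; the field names "authType", "role" and
"basicAuthDisabled" are assumptions.
"""
import json
from dataclasses import dataclass

USERS_JSON = """
[
  {"username": "admin",          "role": "admin",   "authType": "basic"},
  {"username": "svc-ci",         "role": "ci",      "authType": "basic"},
  {"username": "alice@corp.gov", "role": "admin",   "authType": "saml"},
  {"username": "bob",            "role": "auditor", "authType": "ldap"}
]
"""
LOGON_JSON = '{"basicAuthDisabled": false}'


@dataclass
class Finding:
    control: str
    severity: str
    message: str


def audit_auth_posture(users_json: str, logon_json: str) -> list:
    """Return findings for local accounts, basic-auth state and lockout risk."""
    users = json.loads(users_json)
    logon = json.loads(logon_json)
    basic_disabled = bool(logon.get("basicAuthDisabled", False))
    findings = []

    # AC-3: accounts whose password lives in the Twistlock database.
    for u in users:
        if u.get("authType", "basic").lower() != "basic":
            continue
        if u.get("role") == "ci":
            # Scripted API clients cannot complete a SAML redirect, so a basic-auth
            # CI account may be deliberate; flag it for review rather than pass it.
            findings.append(Finding("AC-3", "low",
                f"CI account '{u['username']}' uses authType=basic; confirm it is "
                "intentional or move it to x.509 via /api/v1/authenticate-client"))
        else:
            findings.append(Finding("AC-3", "high",
                f"local account '{u['username']}' (role={u.get('role')}) uses authType=basic"))

    # AC-3 / AC-7: while basic auth is on, the IdP's lockout and throttling do not apply.
    if not basic_disabled:
        findings.append(Finding("AC-3", "medium",
            "basic authentication to Console/API is still enabled"))

    # Caveat: turning basic auth off with no federated administrator locks you out.
    federated_admins = [u for u in users
                        if u.get("authType", "basic").lower() != "basic"
                        and u.get("role") == "admin"]
    if basic_disabled and not federated_admins:
        findings.append(Finding("AC-2", "critical",
            "basic auth is disabled but no SAML/LDAP/x.509 user holds the admin role; "
            "Console lockout risk"))
    return findings


if __name__ == "__main__":
    for f in audit_auth_posture(USERS_JSON, LOGON_JSON):
        print(f"[{f.severity:8}] {f.control}: {f.message}")
```

Run it against the real responses by replacing the two constants with the output of the two GET calls; the lockout check is the one worth keeping even after the local accounts are gone.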

AC-4: Information Flow Enforcement

https://nvd.nist.gov/800-53/Rev4/control/AC-4

ID.AM-3: Organizational communication and data flows are mapped

Firewall (layer 3)

Cloud Native Network Firewall - Containers

Defend > Firewalls > Cloud Native Network Firewall

api/v1/policies/firewall/network/container

Disable | Alert | Prevent

AC-4 Information Flow Enforcement - Moderate

PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)

AC-4 Information Flow Enforcement - Moderate

Twistlock runtime modeling learns container-to-container TCP traffic. The learned, allowed communications can be supplemented with explicit rules in this configuration.

https://docs.twistlock.com/docs/latest/firewalls/cnnf.html#overview

Firewall (layer 3)

Cloud Native Network Firewall - Hosts

Defend > Firewalls > CNNF for Host

api/v1/policies/firewall/network/host

Disable | Alert

AC-4 Information Flow Enforcement - Moderate

PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)

AC-4 Information Flow Enforcement - Moderate

Twistlock runtime modeling learns host-to-host TCP traffic. The learned, allowed communications can be supplemented with explicit rules in this configuration. Host CNNF supports Alert only; it cannot Prevent.

https://docs.twistlock.com/docs/latest/firewalls/cnnf.html#overview

Twistlock Intelligence Stream

Anonymously report threats and vulnerabilities to Twistlock

Manage > System > Intelligence

/api/v1/status/intelligence

on|off

The customer's Twistlock Console automatically establishes a secure WebSocket session, authenticated with the license access token, to receive up-to-date vulnerability and threat information. Offline environments are supported via manual Intelligence Stream updates.

https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html

Istio Monitoring

Monitor the configuration of an Istio mesh

Manage > Defenders > Deploy > Daemon Set

Monitor Istio = On

Twistlock queries the Istio mesh configuration to learn container-to-container communication paths.

Firewall (layer 7)

Cloud Native Application Firewall - Container

Defend > Firewalls > Cloud Native App Firewall

/api/v1/policies/firewall/app/container

Disable | Alert | Prevent

AC-4 Information Flow Enforcement - Moderate

AC-4 Information Flow Enforcement - Moderate

Twistlock layer 7 web application firewall (WAF) for containers, enforced by the Defender running as a container on the same node as the destination container.

https://docs.twistlock.com/docs/latest/firewalls/cnaf.html

Firewall (layer 7)

Cloud Native Application Firewall - RASP

Defend > Firewalls > CNAF for RASP

/api/v1/policies/firewall/app/rasp

Disable | Alert | Prevent

AC-4 Information Flow Enforcement - Moderate

AC-4 Information Flow Enforcement - Moderate

Twistlock layer 7 web application firewall (WAF) embedded within the container via the RASP Defender.

https://docs.twistlock.com/docs/latest/firewalls/cnaf.html

Firewall (layer 7)

Cloud Native Application Firewall - Host

Defend > Firewalls > CNAF for Hosts

/api/v1/policies/firewall/app/host

Disable | Alert | Prevent

AC-4 Information Flow Enforcement - Moderate

AC-4 Information Flow Enforcement - Moderate

Twistlock layer 7 web application firewall (WAF) for hosts, enforced by the host Defenders (Docker-based Defender and System Service Defender).

https://docs.twistlock.com/docs/latest/firewalls/cnaf.html

|

AC-5: Separation of Duties

https://nvd.nist.gov/800-53/Rev4/control/AC-5

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

Access Control

User Roles

Manage > Authentication > Users

/api/v1/users

Administrator | Operator | Defender Manager | Auditor | DevOps User | Access User | CI User

AC-5 Separation of Duties - Moderate; AC-6 Least Privilege - Moderate

AC-5 Separation of Duties - Moderate

All Twistlock users are assigned a role

https://docs.twistlock.com/docs/latest/access_control/user_roles.html

Access Control

Assign Roles

Manage > Authentication > Groups

/api/v1/groups

Administrator | Operator | Defender Manager | Auditor | DevOps User | Access User | CI User

AC-5 Separation of Duties - Moderate

AC-5 Separation of Duties - Moderate

Twistlock role mapping can be applied to Active Directory, OpenLDAP and SAML groups

https://docs.twistlock.com/docs/latest/access_control/assign_roles.html

Projects

Tenant Project

System > Projects

/api/v1/settings/projects

Tenant Project

AC-5 Separation of Duties - Moderate

AC-5 Separation of Duties - Moderate

Centrally defined role-based access control, while sub-groups own their own rules and configurations: tiered instances of Twistlock (a central Console with tenant Projects).

https://docs.twistlock.com/docs/latest/deployment_patterns/projects.html

|

AC-6: Least Privilege

https://nvd.nist.gov/800-53/Rev4/control/AC-6

Runtime Defense

Host Policy

Defend > Runtime > Host Policy : Activities

/api/v1/policies/runtime/host

Disable | Alert | Prevent

AC-6 Least Privilege

AC-6 Least Privilege

Monitors host-level activities: general user activity, Docker commands, sshd and sudo

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html

Runtime Defense

Container Policy

Defend > Runtime > Container Policy

/api/v1/policies/runtime/container

Disable | Alert | Prevent

AC-6 Least Privilege

AC-6 Least Privilege

Twistlock automatically models container runtime behavior (processes, file system, network and system calls) and creates an allow list of behaviors for every image. Global policies can be applied to all containers or to a subset of containers.

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html

|

AC-7: Unsuccessful Logon Attempts

https://nvd.nist.gov/800-53/Rev4/control/AC-7

Authentication

No local accounts with a password stored in the Twistlock database

Manage > Authentication > Users

/api/v1/users

Basic | SAML | LDAP

Recommend using Active Directory, OpenLDAP, SAML or x.509 based authentication so that the existing identity management system's failed-logon throttling and lockout controls apply.

|

AC-8: System Use Notification

https://nvd.nist.gov/800-53/Rev4/control/AC-8

Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that

Future feature, GH Issue #10039

|

AC-12: Session Termination

https://nvd.nist.gov/800-53/Rev4/control/AC-12

Logout

All Twistlock Console user interface screens have a user logout icon

User icon in the top right corner has a "Log out" action

|

AC-14: Permitted Actions without Identification or Authentication

https://nvd.nist.gov/800-53/Rev4/control/AC-14

Authentication

All Twistlock access requires authentication

|

AC-17: Remote Access

https://nvd.nist.gov/800-53/Rev4/control/AC-17

Twistlock can be deployed in a completely offline environment

https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html

Logging

Console Logs

Manage > View Logs > Console

/api/v1/audits/mgmt

AC-17(1) Automated Monitoring / Control

AC-17(1) Automated Monitoring / Control

Logging within Twistlock Console is automatic and cannot be disabled

https://docs.twistlock.com/docs/latest/audit/audit_admin_activity.html

Authentication

Console Authentication

Manage > Authentication > System Certificates : Advanced certificate configuration

/api/v1/settings/certificates

Upload of the Console TLS certificate and private key

AC-17(2) Protection of Confidentiality / Integrity Using Encryption

PR.PT-4: Communications and control networks are protected

AC-17(2) Protection of Confidentiality / Integrity Using Encryption

Access to the Twistlock Console and API is over the TLS-protected port. Third-party TLS certificates and keys can be used, and plain HTTP access to the Console can be disabled.

https://docs.twistlock.com/docs/latest/configure/disable_http_access_console.html

|

AC-20: Use of External Information Systems

https://nvd.nist.gov/800-53/Rev4/control/AC-20

ID.AM-4: External information systems are catalogued

Access Control

AC-20(1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE

AC-20(1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE

Twistlock can be deployed in a completely offline environment. Access to Twistlock Console and API is dependent upon the organizational policy.

|

AC-21: Information Sharing

Intelligence Stream

Anonymously report threats and vulnerabilities to Twistlock

Manage > System > Intelligence > Anonymously report threats and vulnerabilities to Twistlock

/api/v1/settings/telemetry

on | off

AC-21(1) INFORMATION SHARING | AUTOMATED DECISION SUPPORT

AC-21(1) INFORMATION SHARING | AUTOMATED DECISION SUPPORT

Opt-in feature to anonymously report threat information to Twistlock

|

AU-1: Audit and Accountability Policy and Procedures

https://nvd.nist.gov/800-53/Rev4/control/AU-1

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy

Compliance

Compliance Policy Templates

Defend > Compliance > Policy

/api/v1/static/vulnerabilities

300+ compliance checks available

Using Twistlock compliance templates you can quickly enable the compliance rules that apply to a regulation or standard: GDPR, PCI, HIPAA and NIST SP 800-190

https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html

|

AU-3: Content of Audit Records

Logging

Syslog and stdout logging support detailed reporting of vulnerability and compliance findings and of all runtime process activity

Manage > System > Logging

/api/v1/settings/logging

Detailed output for vulnerabilities and compliance: on | off Detailed output of all runtime process activity: on | off

AU-3(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION

AU-3(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION

Twistlock syslog and stdout logging can be configured for verbose output

https://docs.twistlock.com/docs/latest/audit/syslog_integration.html

|

AU-4: Audit Storage Capacity

https://nvd.nist.gov/800-53/Rev4/control/AU-4

Logging

Console and Defender logs can be downloaded

Console: Manage > View Logs > Console; Defender: Manage > Defenders > Manage

Console: /api/v1/logs/system/download; Defender: /api/v1/logs/defender

AU-4(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE

Twistlock logs can be downloaded. Log rotation is configured by default: logs rotate at 100 MB and 10 historical logs are kept, so only the most recent rotations are retained locally. Forward events to syslog for retention beyond that window.

https://docs.twistlock.com/docs/latest/audit/log_rotation.html#overview

|

AU-6: Audit Review, Analysis and Reporting

https://nvd.nist.gov/800-53/Rev4/control/AU-6

Alerts

Alert Providers

Manage > System > Alerts

/api/v1/settings/alerts

Alert Providers: email, Jira, Slack, Google Cloud Security Command Center, GCP Pub/Sub, PagerDuty, Webhook, AWS Security Hub, IBM Security Advisor

AU-6(1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION

AU-6(1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION

Twistlock can disseminate alerts based upon the type of alert and the alert method of the event owner.

https://docs.twistlock.com/docs/latest/configure/alerts_email_jira_slack.html

|

AU-7: Audit Reduction and Report Generation

https://nvd.nist.gov/800-53/Rev4/control/AU-7

Alerts

Alert Labels

Manage > System > Alerts > Alert Labels

/api/v1/settings/custom-labels

Docker and Kubernetes labels can be attached to audit events so that alerts can be routed and filtered by label

https://docs.twistlock.com/docs/latest/audit/annotate_audits.html

Logging

Syslog and stdout logging support detailed reporting of vulnerability and compliance findings and of all runtime process activity

Manage > System > Logging

/api/v1/settings/logging

Detailed output for vulnerabilities and compliance: on | off Detailed output of all runtime process activity: on | off

AU-7(1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING

AU-7(1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING

Twistlock syslog and stdout logging can be configured for verbose output

https://docs.twistlock.com/docs/latest/audit/syslog_integration.html

|

AU-8: Time Stamps

https://nvd.nist.gov/800-53/Rev4/control/AU-8

Logging

Console and Defender logs use UTC timestamps

Console: Manage > System > View logs > Console Defender: Manage > Defenders > Manage

AU-8(1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE

Twistlock records timestamps in UTC automatically. Synchronization with an authoritative time source (NTP) is inherited from the hosts running Console and Defender, so it must be verified at the host level.

|

AU-9: Protection of Audit Information

https://nvd.nist.gov/800-53/Rev4/control/AU-9

Authentication

User Role

Manage > Authentication > Users

User role of Auditor or higher allows access to view the Twistlock logs

AU-9(4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS

PR.PT-4: Communications and control networks are protected

AU-9(4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS

Twistlock Defender transfers event data to the Twistlock Console over an encrypted channel (mutual TLS)

|

AU-11: Audit Record Retention

https://nvd.nist.gov/800-53/Rev4/control/AU-11

Logging

Console and Defender logs can be downloaded

Console: Manage > View Logs > Console; Defender: Manage > Defenders > Manage

Console: /api/v1/logs/system/download; Defender: /api/v1/logs/defender

AU-11(1) AUDIT RECORD RETENTION | LONG-TERM RETRIEVAL CAPABILITY

AU-11(1) AUDIT RECORD RETENTION | LONG-TERM RETRIEVAL CAPABILITY

Twistlock logs can be downloaded. Log rotation is configured by default: logs rotate at 100 MB and 10 historical logs are kept. Long-term retention therefore depends on forwarding events to syslog or on regularly downloading the logs.

https://docs.twistlock.com/docs/latest/audit/log_rotation.html#overview

|

AU-12: Audit Generation

https://nvd.nist.gov/800-53/Rev4/control/AU-12

Logging

Syslog and Stdout

Manage > System > Logging

/api/v1/settings/logging

Enabled | Disabled

AU-12(2) AUDIT GENERATION | STANDARDIZED FORMATS

AU-12(2) AUDIT GENERATION | STANDARDIZED FORMATS

RFC 5424-compliant event message formatting

https://docs.twistlock.com/docs/latest/audit/syslog_integration.html
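The AU-3, AU-8 and AU-12 rows rest on two verifiable properties of the forwarded events: they are RFC 5424 messages, and their timestamps are UTC. The parser below is an added example, not product code, of how a SIEM-side check would confirm both. The three sample lines are constructed in RFC 5424 layout; the key="value" message body only mirrors the style of Twistlock syslog events, and the keys themselves are assumptions.

```python
"""Parse RFC 5424 syslog events and flag non-UTC timestamps (added example, not product code).

SAMPLE_LINES are constructed; the key="value" fields mirror the style of
Twistlock syslog output but the keys are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s(?P<ts>\S+)\s(?P<host>\S+)\s(?P<app>\S+)\s"
    r"(?P<procid>\S+)\s(?P<msgid>\S+)\s(?P<sd>-|(?:\[[^\]]*\])+)(?:\s(?P<msg>.*))?$"
)
KV = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # key="value" pairs in the MSG part

SAMPLE_LINES = [  # constructed
    '<134>1 2020-10-12T14:03:27.123Z twistlock-console Twistlock - - - '
    'type="management_audit" user="alice@corp.gov" action="settings_saml_post" status="200"',
    '<132>1 2020-10-12T14:05:01.000Z node-7 Twistlock-Defender 4512 - - '
    'type="container_runtime" container="api-gateway" image="registry.corp.gov/api:1.4.2" '
    'effect="alert" msg="/bin/sh launched from /usr/bin/java"',
    # A Defender host whose clock is set to local time, which AU-8 review should catch.
    '<134>1 2020-10-12T10:05:01.000-04:00 node-8 Twistlock-Defender 4512 - - '
    'type="host_runtime" effect="alert"',
]


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: datetime
    hostname: str
    appname: str
    fields: dict = field(default_factory=dict)


def parse_rfc5424(line: str) -> SyslogEvent:
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    # fromisoformat rejects the NILVALUE "-"; an offset-less timestamp is rejected below.
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("RFC 5424 timestamp must carry a time zone offset")
    return SyslogEvent(pri >> 3, pri & 7, ts, m["host"], m["app"],
                       dict(KV.findall(m["msg"] or "")))


def is_utc(ev: SyslogEvent) -> bool:
    return ev.timestamp.utcoffset() == timedelta(0)


def non_utc_hosts(lines) -> list:
    """Hosts that emitted at least one event with a non-UTC offset."""
    seen = []
    for ev in map(parse_rfc5424, lines):
        if not is_utc(ev) and ev.hostname not in seen:
            seen.append(ev.hostname)
    return seen


if __name__ == "__main__":
    for ev in map(parse_rfc5424, SAMPLE_LINES):
        print(ev.hostname, ev.fields.get("type"), "UTC" if is_utc(ev) else "NOT UTC")
```

A host that shows up in non_utc_hosts is evidence for the AU-8 finding that time synchronization is a host-level responsibility, not something the product configures.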

|

CA-2: Security Assessments

https://nvd.nist.gov/800-53/Rev4/control/CA-2

Twistlock continuously monitors the environment for new and emerging threats

Vulnerabilities

Only scan images with running containers

Manage > System > Scan

/api/v1/settings/scan

On | Off

CA-2 SECURITY ASSESSMENTS

ID.RA-1: Asset vulnerabilities are identified and documented

CA-2 SECURITY ASSESSMENTS

Recommend setting this to "Off" so that all images present on the hosts are scanned, not only those with running containers.

https://docs.twistlock.com/docs/latest/configure/configure_scan_intervals.html

Vulnerabilities

Configure scan intervals

Manage > System > Scan

/api/v1/settings/scan

1 - 24 hours

CA-2 SECURITY ASSESSMENTS

ID.RA-1: Asset vulnerabilities are identified and documented

CA-2 SECURITY ASSESSMENTS

Scheduled frequency of when Twistlock scans

https://docs.twistlock.com/docs/latest/configure/configure_scan_intervals.html

Intelligence Stream

Enable automatic Twistlock Intelligence Stream Updates

Manage > System > Intelligence > Enable online updates of Intelligence Stream

/api/v1/settings/intelligence

On | Off

CA-2 SECURITY ASSESSMENTS

CA-2 SECURITY ASSESSMENTS

Recommend setting this to "On". Where the Console has no Internet access, Twistlock can be deployed completely offline and the Intelligence Stream updated manually.

https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html

Access Console

Auditor User Role

Manage > Authentication > Users

/api/v1/users

Auditor

CA-2(1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS

CA-2(1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS

Twistlock Auditor role can be given to independent assessors

https://docs.twistlock.com/docs/latest/access_control/user_roles.html

|

CA-3: System Interconnections

https://nvd.nist.gov/800-53/Rev4/control/CA-3

Runtime

Container Network

Defend > Runtime > Container Policy > Network

/api/v1/policies/runtime/container

IP connectivity: allowed listen ports, outbound ports and outbound IP addresses; denied listen ports, outbound ports and outbound IP addresses. DNS: allowed | denied domains

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

Twistlock runtime container rules can control a container's ability to communicate externally over TCP/IP

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html

Host Network

Defend > Runtime > Host Policy > Network

/api/v1/policies/runtime/host

IP connectivity: allowed listen ports, outbound ports and outbound IP addresses; denied listen ports, outbound ports and outbound IP addresses. DNS: allowed | denied domains

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

Twistlock runtime host rules can control a host's ability to communicate externally over TCP/IP

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html

Firewall

Cloud Native Network Firewall: Container

Defend > Firewall > Cloud Native Network Firewall

/api/v1/policies/firewall/network/container

Allow | Alert | Prevent; Source: image | IP address; Destination: image | IP address; Ports: range of allowed TCP ports

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

Rules can be defined between containers, and between containers and external networks where Twistlock is not running

https://docs.twistlock.com/docs/latest/firewalls/cnnf.html

Cloud Native Network Firewall: Host

Defend > Firewall > CNNF for Hosts

/api/v1/policies/firewall/network/host

Allow | Alert; Source: image | IP address; Destination: image | IP address; Ports: range of allowed TCP ports

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

Rules can be defined between apps, and between apps and external networks where Twistlock is not running

https://docs.twistlock.com/docs/latest/firewalls/cnnf_hosts.html

Custom Feeds

IP Reputation Lists

Manage > System > Custom Feeds > IP Reputation Lists

/api/v1/feeds/custom/ips

IP Address in CIDR format

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

List of suspicious or high risk IP endpoints. Supplement the Twistlock Intelligence Stream with your own list of banned IP addresses

https://docs.twistlock.com/docs/latest/configure/custom_feeds.html#banned-ip-addresses
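The CA-3(5) rows above combine per-container runtime network rules (allowed and denied listen ports, outbound ports, outbound CIDRs, DNS domains) with a banned-IP custom feed. The following is an added example, not product code, that evaluates a constructed set of observed connections against one such rule, so that the interaction of the lists can be reasoned about before an effect of Prevent is chosen. The rule structure is a simplified model of the Console settings, and the semantics assumed here are: explicit denies win, a non-empty allow list is exclusive, and any destination on the banned feed is denied regardless of the rule.

```python
"""Evaluate observed container network activity against a runtime network rule and a
banned-IP feed (added example, not product code; rule shape and events are constructed)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass
class NetworkRule:
    allowed_listen_ports: set = field(default_factory=set)
    denied_listen_ports: set = field(default_factory=set)
    allowed_outbound_ports: set = field(default_factory=set)
    denied_outbound_ports: set = field(default_factory=set)
    allowed_outbound_ips: list = field(default_factory=list)   # CIDR strings
    denied_outbound_ips: list = field(default_factory=list)    # CIDR strings
    allowed_domains: list = field(default_factory=list)        # glob patterns
    denied_domains: list = field(default_factory=list)


RULE = NetworkRule(  # constructed
    allowed_listen_ports={8443}, denied_listen_ports={22},
    allowed_outbound_ports={443, 5432}, denied_outbound_ports={23},
    allowed_outbound_ips=["10.0.0.0/8"], denied_outbound_ips=["10.99.0.0/16"],
    allowed_domains=["*.corp.gov"], denied_domains=["*.onion", "pastebin.com"],
)
BANNED_IPS = ["203.0.113.0/24", "198.51.100.17/32"]  # constructed IP reputation feed

EVENTS = [  # constructed observations from a single container
    {"kind": "listen", "port": 8443},
    {"kind": "listen", "port": 22},
    {"kind": "outbound", "ip": "10.20.1.5", "port": 5432},
    {"kind": "outbound", "ip": "10.99.4.4", "port": 443},
    {"kind": "outbound", "ip": "203.0.113.77", "port": 443},
    {"kind": "outbound", "ip": "10.20.1.5", "port": 23},
    {"kind": "dns", "name": "api.corp.gov."},
    {"kind": "dns", "name": "evil.onion"},
    {"kind": "dns", "name": "example.com"},
]


def in_any(ip: str, cidrs) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def evaluate(ev: dict, rule: NetworkRule, banned) -> str:
    """Return 'allow' or 'deny:<reason>' for one observed event."""
    kind = ev["kind"]
    if kind == "listen":
        if ev["port"] in rule.denied_listen_ports:
            return "deny:listen-port-denied"
        if rule.allowed_listen_ports and ev["port"] not in rule.allowed_listen_ports:
            return "deny:listen-port-not-allowed"
        return "allow"
    if kind == "outbound":
        if in_any(ev["ip"], banned):
            return "deny:banned-ip-feed"
        if in_any(ev["ip"], rule.denied_outbound_ips):
            return "deny:outbound-ip-denied"
        if ev["port"] in rule.denied_outbound_ports:
            return "deny:outbound-port-denied"
        if rule.allowed_outbound_ips and not in_any(ev["ip"], rule.allowed_outbound_ips):
            return "deny:outbound-ip-not-allowed"
        if rule.allowed_outbound_ports and ev["port"] not in rule.allowed_outbound_ports:
            return "deny:outbound-port-not-allowed"
        return "allow"
    if kind == "dns":
        name = ev["name"].lower().rstrip(".")  # normalise case and trailing dot
        if any(fnmatchcase(name, p) for p in rule.denied_domains):
            return "deny:domain-denied"
        if rule.allowed_domains and not any(fnmatchcase(name, p) for p in rule.allowed_domains):
            return "deny:domain-not-allowed"
        return "allow"
    raise ValueError(f"unknown event kind {kind!r}")


def evaluate_all(events, rule=RULE, banned=BANNED_IPS) -> list:
    return [evaluate(e, rule, banned) for e in events]


if __name__ == "__main__":
    for e, verdict in zip(EVENTS, evaluate_all(EVENTS)):
        print(f"{verdict:32} {e}")
```

Whether a deny verdict is only logged or actually blocked is the rule's effect (Alert or Prevent); the point of replaying observed traffic this way is to find the exclusive allow list that would break a legitimate connection before switching to Prevent.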

|

CA-5: Plan of Action and Milestones

https://nvd.nist.gov/800-53/Rev4/control/CA-5

Twistlock API can be used to generate reports for POAMs

https://github.com/twistlock/sample-code/tree/master/powershell

API

Vulnerability Reporting

Monitor > Vulnerabilities > Vulnerability Explorer

/api/v1/stats/vulnerabilities/impacted-resources

CA-5(1) PLAN OF ACTION AND MILESTONES | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY

ID.RA-4: Potential business impacts and likelihoods are identified

CA-5 PLAN OF ACTION AND MILESTONES

Query the Twistlock API for a summary count of CVEs in the images, containers, hosts and serverless functions in your environment

https://docs.twistlock.com/docs/latest/api/api_reference.html#stats_vulnerabilities_get

API

Compliance Reporting

Monitor > Compliance > Compliance Explorer

/api/v1/stats/compliance

CA-5(1) PLAN OF ACTION AND MILESTONES | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY

Query the Twistlock API for a summary count of compliance findings in the images, containers, hosts and serverless functions in your environment

https://docs.twistlock.com/docs/latest/api/api_reference.html#stats_compliance_get

Custom Feeds

CVE Allow List

Manage > System > Custom Feeds > CVE Allow List

api/v1/feeds/custom/cve-allow-list

Allow a CVE to exist for a specified period; after the period expires, the vulnerability is alerted on again and rules can act on the CVE. This is a system-wide exception.

https://docs.twistlock.com/docs/latest/configure/custom_feeds.html#cve-allow-list

Vulnerabilities

Image Policy CVE Exception

Defend > Vulnerabilities > Images : Policy > Advanced Settings

/api/v1/policies/vulnerability/images

Allow CVE exception within individual image vulnerability rules

https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html

Vulnerabilities

Host Policy CVE Exception

Defend > Vulnerabilities > Policy

/api/v1/policies/vulnerability/host

Allow CVE exception within individual host vulnerability rules

https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html
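The CA-5 rows above point at the API for POA&M data and at the CVE allow list for time-boxed exceptions. The script below is an added example, not product code or the PowerShell samples linked above, of turning the two into a POA&M worksheet: each CVE gets a scheduled completion date from the FedRAMP remediation timeframes (30 days high, 90 medium, 180 low, counted from discovery), and an allow-list entry is honoured only until its expiry, after which the row is marked as an expired exception rather than left as accepted risk. FINDINGS is a constructed, reduced form of what /api/v1/stats/vulnerabilities/impacted-resources returns (field names are assumptions) and ALLOW_LIST mimics entries under Manage > System > Custom Feeds > CVE Allow List.

```python
"""POA&M worksheet from findings plus the CVE allow list (added example, not product code).

FINDINGS and ALLOW_LIST are constructed; their field names are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# FedRAMP remediation timeframes, counted from the date of discovery.
REMEDIATION_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}

FINDINGS = [  # constructed
    {"cve": "CVE-2020-0001", "severity": "high", "discovered": "2020-09-01",
     "images": ["registry.corp.gov/api:1.4.2", "registry.corp.gov/worker:2.0"], "hosts": []},
    {"cve": "CVE-2020-0002", "severity": "medium", "discovered": "2020-08-15",
     "images": [], "hosts": ["node-7"]},
    {"cve": "CVE-2020-0003", "severity": "low", "discovered": "2020-10-01",
     "images": ["registry.corp.gov/api:1.4.2"], "hosts": []},
]
ALLOW_LIST = [  # constructed
    {"cve": "CVE-2020-0002", "expiration": "2020-12-31",
     "description": "vendor patch pending; compensating control: host firewall"},
    {"cve": "CVE-2020-0003", "expiration": "2020-10-05",
     "description": "suspected false positive, under review"},
]

COLUMNS = ["weakness", "severity", "assets", "detected",
           "scheduled_completion", "status", "comments"]


def poam_rows(findings, allow_list, today: date) -> list:
    """One POA&M row per CVE; an exception only counts while its expiry is in the future."""
    exceptions = {e["cve"]: e for e in allow_list}
    rows = []
    for f in findings:
        discovered = date.fromisoformat(f["discovered"])
        due = discovered + timedelta(days=REMEDIATION_DAYS[f["severity"].lower()])
        exc = exceptions.get(f["cve"])
        if exc and date.fromisoformat(exc["expiration"]) >= today:
            status = "risk accepted until " + exc["expiration"]
        elif exc:
            # Expired entries are exactly what the allow list re-alerts on; they must
            # not silently stay "accepted" in the POA&M.
            status = "exception expired " + exc["expiration"]
        elif due < today:
            status = "overdue"
        else:
            status = "open"
        rows.append({
            "weakness": f["cve"],
            "severity": f["severity"],
            "assets": ";".join(f["images"] + f["hosts"]),
            "detected": f["discovered"],
            "scheduled_completion": due.isoformat(),
            "status": status,
            "comments": exc["description"] if exc else "",
        })
    return rows


def to_csv(rows) -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(poam_rows(FINDINGS, ALLOW_LIST, date.today())))
```

Per-image and per-host CVE exceptions from the vulnerability rules would be merged the same way; keeping the expiry logic in one place is what keeps the POA&M current, which is the CA-5(1) requirement.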

|

CA-6: Security Authorization

https://nvd.nist.gov/800-53/Rev4/control/CA-6

Twistlock API to generate authority to operate packages

API

Compilation of vulnerability, compliance and runtime results for a microservice

Various locations

multiple API calls

Use Twistlock API to generate Authority to Operate reports for the applications to be deployed

https://github.com/twistlock/sample-code/blob/master/powershell/rmf_ato.ps1

Compliance

Trusted Images

Defend > Compliance > Trusted Images

/api/v1/trust

SP800-190 4.2.3

Define image trust based upon the Docker registry of the image, the Docker image ID, or the RootFS layers of a "base image". Compliance rule #423, Image is not trusted, can be applied to block the creation of a container from an image that is not trusted. The authorizing official can deem an image trusted or not trusted.

https://docs.twistlock.com/docs/latest/compliance/trusted_images.html
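The Trusted Images row lists three ways an image becomes trusted: its registry, its image ID, or the RootFS layers of an approved base image. The code below is an added example, not product code, of how those three criteria decide trust, including the base-image case, which is a strict layer-prefix match: an image built FROM an approved base carries the base's layers first and in order, so a reordered or truncated layer list does not qualify. The trust group layout and all digests are constructed.

```python
"""Image trust by registry, image ID or base-image layer prefix (added example, not
product code; trust groups and digests are constructed)."""
from dataclasses import dataclass, field


@dataclass
class TrustGroup:
    name: str
    registries: list = field(default_factory=list)    # trusted registry hostnames
    image_ids: set = field(default_factory=set)       # trusted whole-image digests
    base_layers: list = field(default_factory=list)   # RootFS diff_ids of approved bases


@dataclass
class Image:
    ref: str          # e.g. registry.corp.gov/api:1.4.2
    image_id: str     # sha256 image ID
    layers: list      # RootFS diff_ids, base layer first


def registry_of(ref: str) -> str:
    """Docker reference rule: with no '/', the image is on docker.io; otherwise the
    first path component is a registry only if it contains '.' or ':' or is 'localhost'."""
    if "/" not in ref:
        return "docker.io"
    first = ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def is_trusted(img: Image, groups) -> tuple:
    """Return (trusted, reason); compliance check 423 fires when trusted is False."""
    reg = registry_of(img.ref)
    for g in groups:
        if reg in g.registries:
            return True, f"{g.name}: registry {reg}"
        if img.image_id in g.image_ids:
            return True, f"{g.name}: image id"
        for base in g.base_layers:
            # The base is "under" this image only when its layers are an exact prefix.
            if base and img.layers[:len(base)] == base:
                return True, f"{g.name}: derived from approved base"
    return False, "no trust group matched"


# Constructed trust configuration.
BASE_UBI = ["sha256:1111", "sha256:2222"]
GROUPS = [
    TrustGroup("internal", registries=["registry.corp.gov"]),
    TrustGroup("approved-bases", image_ids={"sha256:feed"}, base_layers=[BASE_UBI]),
]

if __name__ == "__main__":
    for img in [Image("registry.corp.gov/api:1.4.2", "sha256:aaaa", ["sha256:9999"]),
                Image("python:3.9", "sha256:bbbb", BASE_UBI + ["sha256:3333"]),
                Image("python:3.9", "sha256:cccc", ["sha256:1111"])]:
        print(img.ref, is_trusted(img, GROUPS))
```

Tags are deliberately absent from the criteria: a tag is mutable, so trust pinned to a tag would follow whatever the registry serves next, whereas an image ID or a layer digest does not.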

|

CA-7: Continuous Monitoring

https://nvd.nist.gov/800-53/Rev4/control/CA-7

All Twistlock features are included in a single license. All out-of-the-box rules are enabled to alert.

Firewall

Cloud Native Network Firewall: Container

Defend > Firewall > Cloud Native Network Firewall

/api/v1/policies/firewall/network/container

Allow | Alert | Prevent

DE.CM-1: The network is monitored to detect potential cybersecurity events

Set to "Alert" to continually monitor container to container traffic

https://docs.twistlock.com/docs/latest/firewalls/cnnf.html

Cloud Native Network Firewall: Host

Defend > Firewall > CNNF for Hosts

/api/v1/policies/firewall/network/host

Allow | Alert

DE.CM-1: The network is monitored to detect potential cybersecurity events

Set to "Alert" and create a rule whose source matches all Apps and whose destination matches all Apps

https://docs.twistlock.com/docs/latest/firewalls/cnnf_hosts.html

Runtime

Container: Default - alert on suspicious runtime behavior

Defend > Runtime > Container Policy

/api/v1/policies/runtime/container

Default - alert on suspicious runtime behavior policy is enabled by default

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html

Host: Default - alert on suspicious runtime behavior

Defend > Runtime > Host Policy

/api/v1/policies/runtime/host

Default - alert on suspicious runtime behavior policy is enabled by default

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html

Vulnerabilities

Images: Default - alert all components

Defend > Vulnerabilities > Images

/api/v1/policies/vulnerability/images

ID.RA-1: Asset vulnerabilities are identified and documented

Default - alert all components is enabled by default

https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html

Hosts: Default - alert all components

Defend > Vulnerabilities > Host

/api/v1/policies/vulnerability/host

ID.RA-1: Asset vulnerabilities are identified and documented

Default - alert all components is enabled by default

https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html

Configure scan intervals

Manage > System > Scan

/api/v1/settings/scan

1 - 24 hours

CA-7(1) CONTINUOUS MONITORING

CA-7(1) CONTINUOUS MONITORING

Scheduled frequency of when Twistlock scans

https://docs.twistlock.com/docs/latest/configure/configure_scan_intervals.html

Compliance

Container & Images: Default - alert on critical and high

Defend > Compliance> Container and Images

/api/v1/policies/compliance/container

Default - alert on critical and high is enabled by default. This checks all Critical and High compliance issues for containers and images, based upon the CIS Docker and Kubernetes Benchmarks and NIST SP 800-190.

https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html

Hosts: Default - alert on critical and high

Defend > Compliance > Hosts

/api/v1/policies/compliance/host

Default - alert on critical and high is enabled by default. This checks all Critical and High compliance issues for hosts, based upon the CIS Docker, Kubernetes and Linux Benchmarks and NIST SP 800-190.

https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html

Alerts

Alert Providers

Manage > System > Alerts

/api/v1/settings/alerts

Alert Providers: email, Jira, Slack, Google Cloud Security Command Center, GCP Pub/Sub, PagerDuty, Webhook, AWS Security Hub, IBM Security Advisor

Twistlock can disseminate alerts based upon the type of alert and the alert method of the audit owner

https://docs.twistlock.com/docs/latest/configure/alerts_email_jira_slack.html

Logging

Syslog and Stdout

Manage > System > Logging

/api/v1/settings/logging

Enabled | Disabled

RFC 5424-compliant event message formatting

https://docs.twistlock.com/docs/latest/audit/syslog_integration.html

Forensics

Forensic data collection

Manage > System > Forensics

/api/v1/settings/forensic

Enabled | Disabled

CA-7(3) CONTINUOUS MONITORING | TREND ANALYSES

DE.AE-2: Detected events are analyzed to understand attack targets and methods

Collect detailed host and container forensics data. When enabled, Defenders store a local log of host and container operations on the host, and selectively forward it to Console on demand.

https://docs.twistlock.com/docs/latest/runtime_defense/incident_explorer.html

|

CA-9: Internal System Connections

https://nvd.nist.gov/800-53/Rev4/control/CA-9

Firewall

Cloud Native Network Firewall: Container

Defend > Firewall > Cloud Native Network Firewall

/api/v1/policies/firewall/network/container

Allow | Alert | Prevent

Container-to-container layer 3 firewalling is defined in terms of images. When an image runs as a container, the CNNF rules are applied as TCP connections are established from the source container to the destination container.

https://docs.twistlock.com/docs/latest/firewalls/cnnf.html

Cloud Native Network Firewall: Host

Defend > Firewall > CNNF for Hosts

/api/v1/policies/firewall/network/host

Allow | Alert

Set to "Alert" and create a rule whose source matches all Apps and whose destination matches all Apps

https://docs.twistlock.com/docs/latest/firewalls/cnnf_hosts.html

Compliance

Compliance Actions

Defend > Compliance > Container and Images > Policy

/api/v1/policies/compliance/container

Ignore | Alert | Block

CA-9(1) INTERNAL SYSTEM CONNECTIONS | SECURITY COMPLIANCE CHECKS

Ability to block the deployment of an image as a container based upon its compliance status.

https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html

Vulnerabilities

Severity Based Actions

Defend > Vulnerabilities > Images > Policy

/api/v1/policies/vulnerability/images

Ignore | Alert | Block

CA-9(1) INTERNAL SYSTEM CONNECTIONS | SECURITY COMPLIANCE CHECKS

Ability to block the deployment of an image as a container based upon its vulnerability status.

https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html

|

CM-2: Baseline Configuration

https://nvd.nist.gov/800-53/Rev4/control/CM-2

Backup & Restore

System Backups

Manage > System > Backup & Restore > System Backups

/api/v1/recovery/backup

daily | weekly | monthly

CM-2(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS

CM-2(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS

Automatic process

https://docs.twistlock.com/docs/latest/configure/disaster_recovery.html#configuring-automated-backups

Manual Backups

Manage > System > Backup & Restore > Manual Backups

/api/v1/recovery/backup

on demand backup

CM-2(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS

CM-2(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS

Manual backup via UI or API call

https://docs.twistlock.com/docs/latest/configure/disaster_recovery.html#making-manual-backups

Rule Filtering

All vulnerability and compliance rules

Defend

CM-2(7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS

CM-2(7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS

Twistlock vulnerability, compliance and runtime rules can be applied granularly to resources based upon their associated level of risk.

|

CM - 3 Configuration Change Control

https://nvd.nist.gov/800-53/Rev4/control/CM-3

Projects

Tenant Project

System > Projects

/api/v1/settings/projects

Tenant Project

CM-3(2) CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES

Testing and evaluation environments can be monitored and controlled via a Twistlock Tenant Project configuration.

https://docs.twistlock.com/docs/latest/deployment_patterns/projects.html

|

CM - 5: Access Restriction for Change

https://nvd.nist.gov/800-53/Rev4/control/CM-5

Access Control

User Roles

Manage > Authentication > Users

/api/v1/users

Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User

CM-5(1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING

CM-5(1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING

All Twistlock users are assigned a role; each role has assigned change controls.

https://docs.twistlock.com/docs/latest/access_control/user_roles.html

Access Control

Assign Roles

Manage > Authentication > Groups

/api/v1/groups

Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User

CM-5(1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING

CM-5(1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING

Twistlock role mapping for Active Directory, OpenLDAP and SAML based groups can be applied; each role has assigned change controls.

https://docs.twistlock.com/docs/latest/access_control/assign_roles.html

|

CM - 6: Configuration Settings

https://nvd.nist.gov/800-53/Rev4/control/CM-6

Compliance

Compliance Policy Templates

Defend > Compliance > Policy

/api/v1/static/vulnerabilities

300+ compliance checks available

CM-6(1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION

CM-6(1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION

Using Twistlock Compliance Templates you can quickly enable the compliance rules that apply to an industry standard: GDPR, PCI, HIPAA and NIST SP 800-190. Ability to alert or block when a setting is deemed non-compliant.

https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html

|

CM - 7: Least Functionality

https://nvd.nist.gov/800-53/Rev4/control/CM-7

Runtime

Container Policy

Defend > Runtime > Container Policy

/api/v1/policies/runtime/container

Disable | Alert | Prevent | Block

CM-7(2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION & CM-7(4) LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE / BLACKLISTING

CM-7(2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION

Manual and automated whitelisting of process, file system, system call and networking behaviors. Twistlock Runtime Defense is the set of features that provide both predictive and threat-based active protection for running containers. For example, predictive protection includes capabilities like determining when a container runs a process not included in the origin image or creates an unexpected network socket. Threat-based protection includes capabilities like detecting when malware is added to a container or when a container connects to a botnet.

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html

|

CM - 8: Information System Component Inventory

https://nvd.nist.gov/800-53/Rev4/control/CM-8

Vulnerabilities

Configure scan intervals

Manage > System > Scan

/api/v1/settings/scan

1 - 24 hours

CM-8(3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION

CM-8(3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION

Scheduled frequency at which Twistlock scans to identify new images and containers.

https://docs.twistlock.com/docs/latest/configure/configure_scan_intervals.html

Vulnerabilities

Image

Monitor > Vulnerabilities

CM-8(5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS

CM-8(5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS

Twistlock automatically associates duplicate images, whether discovered locally on the host, within a Docker registry, or during a CI build process.

Deployment

Defenders

Manage > Defenders

/api/v1/defenders

CM-8(3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION

CM-8(3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION

Deploy Twistlock Defenders using orchestration tools (e.g. Kubernetes, OpenShift, SWARM, etc.) to ensure Defenders are deployed to newly scaled-up nodes within the environment.

https://docs.twistlock.com/docs/latest/install/install_defender.html

|

CM - 10: Software Usage Restrictions

https://nvd.nist.gov/800-53/Rev4/control/CM-10

Vulnerabilities

Images

Monitor > Vulnerabilities > Image > Package Info

/api/v1/containers/count

CM-10(1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE

ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process

CM-10(1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE

Twistlock image scan reports include the package information: type, name, path within the image, version, known CVEs and license. This information can be used to determine whether open source software is used within the environment.

|

CM - 11 User-Installed Software

https://nvd.nist.gov/800-53/Rev4/control/CM-11

Runtime

Container Policy

Defend > Runtime > Container Policy

/api/v1/policies/runtime/container

Disable | Alert | Prevent | Block

CM-11(1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS

Twistlock can identify the software installation process from within a running container (e.g. apt-get, yum, etc.).

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html

Host Policy

Defend > Runtime > Host Policy

/api/v1/policies/runtime/host

Disable | Alert | Prevent

CM-11(1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS

Anomalous app detection: Twistlock learns the normal set of apps running on your hosts and automatically identifies apps added abnormally. Monitors general activities, Docker commands, sshd and sudo commands. Service capabilities are Twistlock-curated units of process and file system actions that express the things that services routinely need to do. They can be independently enabled or disabled on a per-service basis, and provide fine-grained control over what a service can and cannot do.

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html

|

CP - 2 Contingency Plan

https://nvd.nist.gov/800-53/Rev4/control/CP-2

ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value

Policy

Resource Filter

Defend > all policies

Container | Host | Images | Labels

CP-2(8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS

CP-2(8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS

All Twistlock rules have resource filters that let you target specific resources in your environment. You can identify the critical assets within your environment and apply specific policies to the assets.

https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html#resource-filters

|

CP - 9: Information System Backup

https://nvd.nist.gov/800-53/Rev4/control/CP-9

PR.IP-4: Backups of information are conducted, maintained, and tested

Backup & Restore

System Backups

Manage > System > Backup & Restore > System Backups

/api/v1/recovery/backup

daily | weekly | monthly

CP-9(1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY

CP-9(1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY

Automatic process; restoration can be performed from the Twistlock UI.

https://docs.twistlock.com/docs/latest/configure/disaster_recovery.html#restoring-backups-from-the-console-ui

Manual Backups

Manage > System > Backup & Restore > Manual Backups

/api/v1/recovery/backup

on demand backup

CP-9(1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY

CP-9(1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY

Manual backup and recovery via API call

https://docs.twistlock.com/docs/latest/configure/disaster_recovery.html#restoring-backups-from-twistcli

|

IA - 2: Identification and Authentication

https://nvd.nist.gov/800-53/Rev4/control/IA-2

Authentication

SAML 2.0 Federation

Manage > Authentication > SAML

/api/v1/settings/saml

Enabled | Disabled

IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS

IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS

Enforce Multi-factor authentication at SAML Identity Provider

https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_saml_post

Active Directory and OpenLDAP

Manage > Authentication > LDAP

/api/v1/settings/ldap

Enabled | Disabled

IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS

IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS

Enforce Multi-factor authentication at LDAP Identity Provider

https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_ldap_post

x.509 Smartcard authentication

Manage > Authentication > System Certificates > Advanced Features > Console Authentication

/api/v1/settings/trusted-certificates

Advanced certificate configuration = show Field #2 Console Authentication = certificate(s) of smartcard issuing CAs

IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS & IA-2(12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS

IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS & IA-2(12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS

Supports x.509 smartcard-based authentication. PIV and CAC supported.

https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post

Console and API Access

TLS HSTS

IA-2(8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT

IA-2(8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT

Twistlock Console and API enforce HTTP Strict Transport Security.

https://docs.twistlock.com/docs/latest/download/releases.html#2-3-78

|

IA - 5: Authenticator Management

https://nvd.nist.gov/800-53/Rev4/control/IA-5

Authentication

Require strong passwords for local accounts

Manage > Authentication > Logon

/api/v1/settings/logon

On | Off

IA-5(1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION

IA-5(1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION

Passwords must be at least 8 characters long and contain at least one digit, one uppercase letter and one lowercase letter.

x.509 Smartcard authentication

Manage > Authentication > System Certificates > Advanced Features > Console Authentication

/api/v1/settings/trusted-certificates

Advanced certificate configuration = show Field #2 Console Authentication = certificate(s) of smartcard issuing CAs

IA-5(2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION

IA-5(2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION

DoD CAC card Issuing CAs

https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post

Enable certificate revocation checking

Manage > Authentication > System Certificates > Advanced Features > Console Authentication

/api/v1/settings/trusted-certificates

On | Off

IA-5(2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION

IA-5(2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION

CRL and OCSP supported. Only enable when the Twistlock Console is able to reach the CRL distribution point (CDP) endpoints.

https://docs.twistlock.com/docs/latest/configure/custom_certs_console_access.html

|

IA - 8: Identification and Authentication (non-organizational users)

https://nvd.nist.gov/800-53/Rev4/control/IA-8

x.509 Smartcard authentication

Manage > Authentication > System Certificates > Advanced Features > Console Authentication

/api/v1/settings/trusted-certificates

Advanced certificate configuration = show Field #2 Console Authentication = certificate(s) of smartcard issuing CAs

IA-8(1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES

IA-8(1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES

Multiple smartcard issuing CAs can be imported, allowing smartcards from different organizations to authenticate to the Twistlock Console and API.

https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post

|

IR - 4 Incident Handling

https://nvd.nist.gov/800-53/Rev4/control/IR-4

DE.AE-2: Detected events are analyzed to understand attack targets and methods

Runtime

Container Policy

Defend > Runtime > Container Policy

/api/v1/policies/runtime/container

Disable | Alert | Prevent | Block

IR-4(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES

IR-4(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES

Container runtime policy can take immediate action when an event is triggered. This will stop incidents while they are occurring.

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html

Host Policy

Defend > Runtime > Host Policy

/api/v1/policies/runtime/host

Disable | Alert | Prevent

IR-4(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES

IR-4(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES

Host runtime policy can take immediate action when an event is triggered. This will stop incidents while they are occurring.

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html

IR - 5: Incident Monitoring

https://nvd.nist.gov/800-53/Rev4/control/IR-5

Runtime

Incident Explorer

Monitor > Runtime > Incident Explorer

/api/v1/audits/incidents

IR-5(1) INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS

DE.AE-5: Incident alert thresholds are established

IR-5 INCIDENT MONITORING

Incident Explorer elevates raw audit data to actionable security intelligence, enabling a more rapid and effective response to incidents. Rather than having to manually sift through reams of audit data, Incident Explorer automatically correlates individual events generated by the firewall and runtime sensors to identify unfolding attacks.

https://docs.twistlock.com/docs/latest/runtime_defense/incident_explorer.html

IR - 6: Incident Reporting

https://nvd.nist.gov/800-53/Rev4/control/IR-6

DE.AE-5: Incident alert thresholds are established

Alerts

Alert Profiles

Manage > System > Alerts > Alert Labels

/api/v1/settings/alerts

Alert Providers: email, Jira, Slack, Google Cloud Security Command Center, GCP Pub/Sub, PagerDuty, Webhook, AWS Security Hub, IBM Security Advisor

IR-6(1) INCIDENT REPORTING | AUTOMATED REPORTING

IR-6(1) INCIDENT REPORTING | AUTOMATED REPORTING

Twistlock Alert Profiles can send the various types of alerts (runtime, firewall, host, etc.) to the Incident Response stakeholder responsible for that type of incident.

https://docs.twistlock.com/docs/latest/audit/annotate_audits.html

Logging

Syslog and Stdout logging support detailed reporting of vulnerability and compliance findings and all runtime process activity

Manage > System > Logging

/api/v1/settings/logging

Syslog: Enabled | Disabled; Stdout: Enabled | Disabled; Prometheus instrumentation: Enabled | Disabled

IR-6(1) INCIDENT REPORTING | AUTOMATED REPORTING

IR-6(1) INCIDENT REPORTING | AUTOMATED REPORTING

Twistlock Syslog, Stdout and Prometheus instrumentation events can be captured by a security information and event management (SIEM) system.

https://docs.twistlock.com/docs/latest/audit/syslog_integration.html

IR - 8: Incident Response Plan

https://nvd.nist.gov/800-53/Rev4/control/IR-8

RS.RP-1: Response plan is executed during or after an incident

Runtime

Container Policy

Defend > Runtime > Container Policy

/api/v1/policies/runtime/container

Disable | Alert | Prevent | Block

Organization IR Plan can be expressed within a container runtime policy

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html

Host Policy

Defend > Runtime > Host Policy

/api/v1/policies/runtime/host

Disable | Alert | Prevent

Organization IR Plan can be expressed within a host runtime policy

https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html

MA - 4: Nonlocal Maintenance

https://nvd.nist.gov/800-53/Rev4/control/MA-4

Intelligence Stream

Enable operators to upload support logs directly to Twistlock

Manage > System > Intelligence

/api/v1/settings/intelligence

On | Off

Used for Twistlock Support. Communication concerning maintenance issues can also be performed through other methods (e.g. screen share session, telephone communication, etc.).

RA - 2: Security Categorization

https://nvd.nist.gov/800-53/Rev4/control/RA-2

Projects

Tenant Project

System > Projects

/api/v1/settings/projects

Tenant Project

Twistlock Tenant Projects can be used to categorize instances of Twistlock based upon their security assessment level.

https://docs.twistlock.com/docs/latest/deployment_patterns/projects.html

RA - 3: Risk Assessment

https://nvd.nist.gov/800-53/Rev4/control/RA-3

Custom Feeds

CVE Allow List

Manage > System > Custom Feeds > CVE Allow List

api/v1/feeds/custom/cve-allow-list

Ability to control the reporting of vulnerabilities based upon risk assessment. Allows CVEs to exist for a specified period of time; after the period expires, the vulnerability is alerted on and rules can be based upon the CVE. System-wide exception.

https://docs.twistlock.com/docs/latest/configure/custom_feeds.html#cve-allow-list

Vulnerabilities

Image Policy CVE Exception

Defend > Vulnerabilities > Images : Policy > Advanced Settings

/api/v1/policies/vulnerability/images

Allow CVE exception within individual image vulnerability rules

https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html

RA - 5: Vulnerability Scanning

https://nvd.nist.gov/800-53/Rev4/control/RA-5

Intelligence Stream

Enable automatic Twistlock Intelligence Stream Updates

Manage > System Intelligence > Enable online updates of Intelligence Stream

/api/v1/settings/intelligence

On | Off

RA-5(1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY

ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources & RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

RA-5(1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY

Recommended setting is "On". Twistlock can also be deployed in a completely offline environment.

https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html

Update frequency

RA-5(2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED

RA-5(2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED

Twistlock Intelligence Stream is updated at least once every 24 hours and will update when a vulnerability is posted by the upstream provider

Vulnerability

Defender architecture

RA-5(5) VULNERABILITY SCANNING | PRIVILEGED ACCESS

DE.CM-8: Vulnerability scans are performed

RA-5(5) VULNERABILITY SCANNING | PRIVILEGED ACCESS

Twistlock Defender performs vulnerability scanning and runs as a container. Defender uses cgroups to cap resource usage at 512MB of RAM and 900 CPU shares; typical load is ~1-2% CPU and 20-40MB RAM

https://docs.twistlock.com/docs/latest/technology_overviews/defender_architecture.html

SA - 4: Acquisition Process

https://nvd.nist.gov/800-53/Rev4/control/SA-4

Documentation

Twistlock Customer Documentation

SA-4(1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS

SA-4(1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS

Access to Twistlock documentation requires authentication with the customer's Twistlock License Access Token. Every page within the Twistlock Console has a "?" icon in the top right corner. This opens a new browser tab, authenticates to the documentation site and renders the documentation pertaining to the current Twistlock Console screen.

Documentation

Twistlock Reference Architecture Guide

SA-4(2) ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS & SA-4(9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE

SA-4(2) ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS & SA-4(9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE

Twistlock Reference Architecture Guide is available upon request.

Authentication

x.509 Smartcard authentication

Manage > Authentication > System Certificates > Advanced Features > Console Authentication

/api/v1/settings/trusted-certificates

Advanced certificate configuration = show Field #2 Console Authentication = certificate(s) of smartcard issuing CAs

SA-4(10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS

SA-4(10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS

PIV and CAC smartcard authentication is supported.

https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post

SA - 10: Developer Configuration Management

https://nvd.nist.gov/800-53/Rev4/control/SA-10

Release

SHA-256 hash of Twistlock release tar file

SA-10(1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION

SA-10(1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION

The Twistlock Release site includes the SHA-256 hash for all releases. This can be used to validate the integrity of the Twistlock release tar file.

https://docs.twistlock.com/docs/latest/download/releases.html

SC - 2: Application Partitioning

https://nvd.nist.gov/800-53/Rev4/control/SC-2

Collections

Assigned Collections

Manage > Collections

/api/v1/collections

Multi-valued rule

Defender Manager, Auditor, DevOps User, Access User and CI User roles can be assigned a collection, so that only data matching the configured Collection filter is rendered in the UI and via the API. Can be applied to Groups.

https://docs.twistlock.com/docs/latest/configure/collections.html

Access Control

User Roles

Manage > Authentication > Users

/api/v1/users

Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User

All Twistlock users are assigned a role

https://docs.twistlock.com/docs/latest/access_control/user_roles.html

Access Control

Assign Roles

Manage > Authentication > Groups

/api/v1/groups

Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User

Twistlock role mapping for Active Directory, OpenLDAP and SAML based groups can be applied

https://docs.twistlock.com/docs/latest/access_control/assign_roles.html

SI - 2: Flaw Remediation

https://nvd.nist.gov/800-53/Rev4/control/SI-2

Intelligence Stream

Enable automatic Twistlock Intelligence Stream Updates

Manage > System Intelligence > Enable online updates of Intelligence Stream

/api/v1/settings/intelligence

On | Off

SI-2(2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS

ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources

SI-2(2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS

Twistlock Intelligence Stream provides software publishers' vulnerability status and remediation version.

https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html

Custom Feeds

CVE Allow List

Manage > System > Custom Feeds > CVE Allow List

api/v1/feeds/custom/cve-allow-list

SI-2(3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS

System wide ability to assign a time to remediate a vulnerability

https://docs.twistlock.com/docs/latest/configure/custom_feeds.html#cve-allow-list

Vulnerabilities

Image Policy CVE Exception

Defend > Vulnerabilities > Images : Policy > Advanced Settings

/api/v1/policies/vulnerability/images

SI-2(3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS

Ability to assign a time to remediate a vulnerability to an individual or group of images.

https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html

SI - 3: Malicious Code Protection

https://nvd.nist.gov/800-53/Rev4/control/SI-3

DE.CM-4: Malicious code is detected

Custom Feeds

Malware

Manage > System > Custom Feeds > Malware

/api/v1/feeds/custom/malware

Process / file name | MD5 hash

SI-3(1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT

SI-3(1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT

List of suspicious or high-risk IP endpoints. Supplements the Twistlock Intelligence Stream with your own list of banned IP addresses.

https://docs.twistlock.com/docs/latest/configure/custom_feeds.html#banned-ip-addresses

Intelligence Stream

Enable automatic Twistlock Intelligence Stream Updates

Manage > System Intelligence > Enable online updates of Intelligence Stream

/api/v1/settings/intelligence

On | Off

SI-3(2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES

SI-3(2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES

Twistlock Intelligence Stream includes signatures of known malware (e.g. crypto-miners). Malware data is sourced from commercial providers, Twistlock Labs, and open source lists.

https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html

SI - 5: Security Alerts, Advisories and Directives

https://nvd.nist.gov/800-53/Rev4/control/SI-5

Alerts

Alert Providers

Manage > System > Alerts

/api/v1/settings/alerts

Alert Providers: email, Jira, Slack, Google Cloud Security Command Center, GCP Pub/Sub, PagerDuty, Webhook, AWS Security Hub, IBM Security Advisor

SI-5(1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES

SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES

Twistlock can disseminate alerts based upon the type of alert and the alert method configured for the audit owner.

https://docs.twistlock.com/docs/latest/configure/alerts_email_jira_slack.html