What The Workforce Needs To Know - NIST


What The Workforce Needs To Know

Equipping the workforce to build and maintain cyber resilient systems.

Greg Jaeger, Senior Program Manager, Advanced Technology International

SSCA 2018 Spring Forum

July 2013 Event Analysis

[Figure: timeline of the July 2013 event. Phases labelled on the chart: vendor alert, first exploit, exploit, CERT, patch, detect, shutdown, recovery, operation. Chart values as extracted: 39 17 11 30 302.]

A Preventable Event – Must Self-Initiate Changes


Team Challenge

“What can we do to use the existing data and tools to become more aware of the system’s cyber resilience in order to make smart, risk-based decisions that best utilize the finite resources?”

Workforce & Situational Awareness*

[Figure: situational awareness model. Situational Awareness (Perception, Comprehension, Projection) feeds Decision and Action, supported by Intelligence; applied to the System and to the Workforce (Cybersecurity, SDLC, Operations, Leaders).]

* modified Endsley Model (1995)

Amplified Situational Awareness*

[Figure: cross-domain collaboration loop. Pipeline stages: Collab, Code, Build/Test, Deploy, Monitor, with cross-domain feedback at each stage ("Continuous Collaboration → Proactive"). Inputs: Component Scans, Logging, Changes, Triggers, Client Responses, Risk Repository. Situational Awareness (Perception, Comprehension, Projection) feeds Decision and Action, supported by Intelligence, for the System and the Workforce (Cybersecurity, SDLC, Operations, Leadership).]

* modified Endsley Model (1995)

2013 vs 2017 Events vs Equifax

[Figure: side-by-side timelines for the 2013 event, the 2017 event, and Equifax, with phases labelled vendor alert, first exploit, exploit, CERT, patch, detect, shutdown, recovery, operation. Chart values as extracted: 2013 row 39 17 11 30 30; 2017 row 4 1 3 2 10; additional values 2 and 1; Equifax: 5 DB, 75 (5/13-6/30), 65 (3/8-5/12). Caption: Leadership Over Resources.]

Who/How to Teach

• Managers, IT (developers, engineers, quality, testing, network, database, etc.), contracting, executive leadership

• Collaborative environment

• Team facilitation and elicitation

• Rapid forensics and root-cause analysis

• Foreign system design, code, components

• Risk decision making

• Log dissection, correlation and gap analysis

• Limited tools for resourcefulness

Education Gaps

• Project Management with SDLC, Operations, and DevOps

• Real-world application of skills

• Cross-domain collaboration

• Team self awareness

• Risk management

• Data distillation and normalization

• System awareness

• Library decomposition/analysis

• Dataflow mapping

• Software stack interface layers

• Discerning valid / anomalous traffic

• Assessing vulnerability reports

• Meaningful cybersecurity metrics to senior leadership on system/program security posture

What Works

• Engaged leadership

• Balance of all requirements

• System Knowledge

• Process feedback loops and refinement

• Quantitative, qualitative, and predictive analyses

• Actor, tactic, and component profiling

• Tactical and Strategic mitigation plans

• Repetitive team synthesis and experience is greater than individual roles (i.e., Bloom’s taxonomy of learning)

• Experience is a cross-domain multiplier

What Doesn’t Work

• Waiting on alerts, patches, and information sharing

• Compliance as the end-goal

• Disengaged Penetration Testing

• Software scans without context

• Awaiting third party and external one-directional communications

• Stovepipe stakeholders

• Regarding cyber resilience as an Information Technology, Developer, or Cybersecurity Division problem

• Contracts void of collaboration requirements

• Contract-mandated certifications

• Over-emphasis on tools, hacking, and compliance checklists

• Solicitations with inadequate emphasis of cybersecurity

Questions?

Greg Jaeger, Senior Program Manager, greg.jaeger@ati.org

o: 843.760.3216, c: 843.297.1341

Brian Eleazer, Senior System Engineer, brian.eleazer@ati.org

o: 843.760.3317, c: 843.297.0740

Backups

Stakeholder Information Exchange

[Figure: stakeholder information exchange between the System Owner, the Host Provider, and the System Manager.]