Building and Measuring a Cybersecurity Program Michael Miranda


Page 1

Building and Measuring a Cybersecurity Program

Michael Miranda

Page 2

Michael Miranda

• Assistant Professor, Information Security, UH West Oahu

• Principal Consultant, SPARTIX

• Director of Information Security, Hawaiian Telcom

• Program Manager – Cybersecurity, Referentia

• Cybersecurity, Programmer – Northrop Grumman, Verizon – DoD Contractor

• Attorney

• GCFA, GSNA, GCIA, GREM

• Gonzaga U., UH Manoa, U of Central Florida

• Maryknoll Grad

Page 12

Step 1

• Focus on YOU

• Don’t chase threats…yet

• YOU means YOU, whatever your current position in the organization is and wherever you have influence

• You do not need to wait for some other voice above to start executing the basics of cybersecurity

Page 13

A cybersecurity program is the sum of all the efforts of all the stakeholders in the organization.

Page 14

• Management and Admin

• Planning, Design and Engineering

• Operations and Field
Page 15

• Policy, Procedure and Risk Management

• Plan and Design with Security from the Start

• Always execute using cybersecurity best practices

Page 16

There is no magic here.

Page 17

No need to reinvent the wheel.

Page 18

Step 2

• Leverage Published Standards

• There is security guidance for nearly every aspect of cybersecurity.

Page 19

Management and Admin

• NIST Cybersecurity Framework

  • Identify

  • Protect

  • Detect

  • Respond

  • Recover

• Center for Internet Security

  • Top 20 Controls

Page 22

Operations and Field

• NIST Computer Security Incident Handling Guide

• MITRE Ten Strategies of a World-Class Cybersecurity Operations Center

• Cyber Incident Handling Program – Chairman of the Joint Chiefs of Staff Manual

• Cybersecurity Technical Training is For All

  • SANS

  • Offensive Security

Page 29

Planning, Design and Engineering

• Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies

• Secure network design of a critical infrastructure network

• Center for Internet Security

  • Benchmarks – secure configuration guidelines for various technologies (e.g. workstations, servers, operating systems, applications)

Page 31

• Account Policies

• Local Policies

• Security Options

  • Accounts, Audit, DCOM, Devices, Domain Controller, Domain Member, Microsoft Network Client, Microsoft Network Server, Network Access, Network Security, Recovery Console, Shutdown, System Cryptography, System Objects, System Settings, User Account Control

• Event Log

• Restricted Groups

• System Services

• Registry

• File System

• Wired Network Policies

• Windows Firewall with Advanced Security

• Network List Manager Policies, etc.

Page 32

“If you can’t measure it, you can’t improve it.”

-- Peter Drucker

Page 33

Step 3

• Measure your activities

• SMART Milestones

  • Specific

  • Measurable (percentage, YES/NO)

  • Assignable (accountable)

  • Realistic

  • Time-related

• Goal is to ascertain overall risk

Page 34

Which Models for Metrics?

Page 36

Everyone has ideas…

Page 37

CIS Controls V7 Measures & Metrics

• Active Device Discovery System

• Anti-Spam Gateway

• Application Aware Firewall

• Asset Inventory System

• Backup / Recovery System

• Data Inventory / Classification System

• Dedicated Administration Systems

• DNS Domain Filtering System

• Endpoint Protection System

• Host Based Data Loss Prevention (DLP) System

• Host Based Firewall

• Identity & Access Management System

• Incident Management Plans

• Log Management System / SIEM

• Multi-Factor Authentication System

• Network Based Data Loss Prevention (DLP) System

• Network Based Intrusion Detection System (NIDS)

• Network Based Intrusion Prevention System (IPS)

• Network Device Management System

• Network Firewall / Access Control System

• Network Level Authentication (NLA)

• Network Packet Capture System

• Network Time Protocol (NTP) Systems

• Network URL Filtering System

• Passive Device Discovery System

• Patch Management System

• Penetration Testing Plans

• Privileged Account Management System

• Public Key Infrastructure (PKI)

• SCAP Based Vulnerability Management System

• Secure Coding Standards

• Software Application Inventory

• Software Vulnerability Scanning Tool

• Software Whitelisting System

• System Configuration Baselines & Images

• System Configuration Enforcement System

• Training / Awareness Education Plans

• Web Application Firewall (WAF)

• Whole Disk Encryption System

• Wireless Intrusion Detection System (WIDS)

Page 38

CIS Controls V7 Measures & Metrics

Page 39

What percentage of the organization's unauthorized assets have not been removed from the network, quarantined or added to the inventory in a timely manner?

• Inventory all assets (physical and on the network)

• Process for identifying authorized devices

• Process for removing, isolating or adding to the official inventory

• Determination, based on risk, of how long each activity should take to occur

• Who does each activity enumerated above?
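As an added illustration, not part of the slides, the metric quoted above can be computed from the official inventory plus discovery-system data once the risk-based deadlines and owners are decided; the device identifiers, zones and deadline hours here are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption, not from the slides).
# Official inventory: identifiers of authorized devices.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Risk-based deadline: hours an unauthorized device may remain on the network
# before it must be removed, quarantined or added to the inventory, per zone.
DEADLINE_HOURS = {"control": 4, "corporate": 24, "guest": 72}

# Discovery-system observations: when each device was first seen and when
# (if ever) the responsible owner remediated it.
DISCOVERED = [
    {"id": "00:11:22:33:44:01", "zone": "control", "first_seen": "2019-10-01T08:00", "remediated": None},
    {"id": "00:11:22:33:44:10", "zone": "control", "first_seen": "2019-10-01T08:00", "remediated": "2019-10-01T10:30"},
    {"id": "00:11:22:33:44:11", "zone": "corporate", "first_seen": "2019-10-01T08:00", "remediated": "2019-10-03T09:00"},
    {"id": "00:11:22:33:44:12", "zone": "guest", "first_seen": "2019-10-03T12:00", "remediated": None},
    {"id": "00:11:22:33:44:13", "zone": "corporate", "first_seen": "2019-10-01T00:00", "remediated": None},
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def untimely_unauthorized(discovered, authorized, deadline_hours, now):
    """Return (ids handled late or still open past their deadline, count of unauthorized)."""
    now = _ts(now)
    late, total = [], 0
    for dev in discovered:
        if dev["id"] in authorized:
            continue  # authorized devices fall outside this metric
        total += 1
        deadline = _ts(dev["first_seen"]) + timedelta(hours=deadline_hours[dev["zone"]])
        done = _ts(dev["remediated"])
        # Late if remediated after the deadline, or still open once the deadline passed;
        # an open device still inside its window is not counted yet.
        if (done is not None and done > deadline) or (done is None and now > deadline):
            late.append(dev["id"])
    return late, total


def metric_percent(discovered, authorized, deadline_hours, now):
    """The CIS measure quoted above: % of unauthorized assets not handled in a timely manner."""
    late, total = untimely_unauthorized(discovered, authorized, deadline_hours, now)
    return 0.0 if total == 0 else round(100.0 * len(late) / total, 1)


if __name__ == "__main__":
    print(metric_percent(DISCOVERED, AUTHORIZED, DEADLINE_HOURS, "2019-10-03T14:00"), "% handled late")
```

Run the same calculation on each reporting date and the trend, not a single snapshot, is what shows whether the inventory process is improving.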

Page 40

CIS Controls V7 Measures & Metrics

Page 41

CIS Controls V7 Measures & Metrics

Page 42

Summary

1. Focus on YOU and your sphere of influence and control

   • Management and Administration

   • Planning, Design and Engineering

   • Operations and Field

2. Leverage published standards to implement cybersecurity

3. Measure your activities

IF YOU DON’T HAVE A CISO, YOU CAN STILL DO THIS TO PROTECT OUR WATER SYSTEMS