Designing & Building a Cybersecurity Program

Based on the NIST Cybersecurity Framework (CSF)

Larry Wilson, Lesson 1, June 2015

About the Class

This course covers the essential elements for planning, building and managing a cybersecurity program.

Lesson 1 – The Controls Factory
  The Fundamentals
  Understanding the Risks
  The Controls Factory
  The Cybersecurity Programs
  The Vision

Lesson 2 – Controls Factory Components
  The Threat Office
  The Controls Office
  The Technology Center
  The Operations Center
  The Testing Center
  The Program Office
  The GRC Office

Lesson 3 – Building the Program
  Step 1: Establish Goals, Objectives, Approach, Deliverables
  Step 2: Get Management Support
  Step 3: Establish Budget, Resources, Scope, Funding, Timeline
  Step 4: Establish Program, Asset, Controls Roadmap
  Step 5: Select Controls, Technologies, Services
  Step 6: Build Master Plan and Program Mapping
  Step 7: Prioritize Deliverables
  Step 8: Conduct Program, Asset, Controls Review
  Step 9: Establish Program, Asset, Controls Risk Dashboard
  Step 10: Program Summary: End to End Security

Lesson 4 – Case Study: The South Carolina DOR Data Breach
  Part 1: The State Government Information Security Initiative
  Part 2: The Mandiant Report
  Part 3: The Deloitte Initial Report
  Part 4: The Deloitte Interim Report
  Part 5: The Deloitte Final Report

About the Instructor

Larry Wilson, Information Security Lead - University of Massachusetts
  Design, build, manage UMASS Written Information Security Program (WISP)
  Based on industry standard controls: ISO 27002, Council on Cybersecurity, NIST Cybersecurity Framework
  Implemented consistently across all university campuses

Prior to UMASS
  Vice President, Network Security Engineering Manager at State Street - I designed their program
  IT Audit Manager for Deloitte working on the MasterCard account – I assessed their program

Education and Certifications
  MS in Structural Engineering from University of New Hampshire
  Industry certifications include PE, CISSP, CISA and PCI ISA

Develop and Deliver Training Classes
  Secure World Expo (Building a Cybersecurity Program)
  ISACA New England (CISA certification training)

Executive Recognition (2013)
  ISE Executive Award Finalist – Northeast Region, North America
  SANS Person Who Made a Difference in Cybersecurity

UMASS Security Program Recognition (2013, 2014)
  ISE Project Award Winner – North America
  SANS 20 Critical Controls Poster - Featured Program

Lesson 1: The Controls Factory

Part 1: The Fundamentals
  Data is the New Oil
  Data is Everywhere
  The Key Business Challenges
  The Key Technology Challenges
  The High Risk of Data Breaches
  The Challenge to Our Executives
  The Response: Need to be Proactive

Part 2: Understanding the Risks
  The Risk Equation
  What are you Trying to Protect?
  What are you Afraid of Happening?
  How Could the Threat Occur?
  What is Currently Reducing the Risk?
  What is the Impact to the Business?
  How Likely is the Threat given the Controls?

Part 3: The NIST Framework
  The Framework Core
  The Framework Profile
  The Framework Implementation Tiers
  Cyber Resilience Review
  Who’s Using the Framework

Part 4: The Controls Factory
  The Problem Statement
  The Solution Approach
  Protecting the Assets
  The Factory Offices / Centers

Part 5: The Cybersecurity Programs
  P1: The Infrastructure Security Program
  P2: The Application Security Program
  P3: The Data Governance Program
  P4: The Identity Governance Program
  P5: The Critical Assets Program

Part 6: The Vision / Next Steps
  Where We Were - Yesterday
  Where We Are - Today
  Where We’re Going - Tomorrow
  2015 Cybersecurity Predictions
  Building an Effective Program

Data is the New Oil

The Key Technology Challenges

The Threat Situation

“Continuing serious cyber attacks on information systems, large and small; targeting key federal, state, local, and private sector operations and assets …. Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated. Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising your information systems. Effective deployment of malicious software causing significant exfiltration of sensitive information (including intellectual property) and potential for disruption of critical information systems / services.”

-- Dr. Ron Ross, NIST Computer Security Division, Information Technology Laboratory

Threat Actors

The Cyber Threat Landscape

Cyber Attacks Could Put Humans and Infrastructure at Risk

The Possible Consequences

How Data Breaches Occur

The Carbanak Attack

The Dyre Wolf Attack

The Target Attack

Global State of Information Security Survey 2015

Key findings and trends (PWC)

The Challenge: To Corporate and Government Leaders ….

Where does your business stand on basic cybersecurity hygiene?
  There is a global awakening among non-technologists
  That we are vulnerable in cyberspace
  We are not organized well to protect ourselves
  We suffer from a “fog of more” …… More standards, more checklists, more devices, more technology, more things …

Our Executives need to ask five basic questions
  Do we know what’s connected to our systems and networks?
  Do we know what’s running or trying to run on our systems and networks?
  Are we limiting the number of people with administrative privileges to change, bypass or override the security setting?
  Do we have continuous processes backed by security technologies that allow us to prevent most breaches, rapidly detect all that do succeed and minimize damage to our business and customers?
  Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?

Because …. Having these basic safeguards in place will prevent 80% to 90% of the known attacks

Jane Holl Lute, Council on Cybersecurity
Served as Deputy Secretary for Homeland Security from April 2009 to April 2013

The Response: We Need to be Proactive ….

Manage our Risks
  Understand and establish a well-developed risk management model
  Apply controls to our assets
  Because every security incident starts with a compromised asset

Manage our Assets
  Inventory, prioritize, categorize (by type and value), safeguard
  Lifecycle Management (provision, de-provision, discover, manage changes, reconciliation, monitor & alert)

Manage our Programs
  Understand the essential building blocks
  And how they relate

Alignment and Transparency
  Are we on the same page?
  Are we learning and improving?
  Are we testing and measuring?
  Are we maturing our program over time?

The Risk Equation

How do we calculate risk?

Risk is based on the likelihood and impact of a cyber-security incident or data breach.

Threats involve the potential attack against IT resources and information assets.

Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat.

Asset Value is based on the criticality of IT resources and information assets.

Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities.

Residual Risk includes a combination of unknown threats + unknown vulnerabilities + unmanaged assets + missing controls.

    Risk = (Threats × Vulnerabilities × Asset Value) / Controls + Residual Risk
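The following is an added worked example, not code from the presentation or its author: it applies the risk equation above to a small constructed asset inventory and also answers the later "how are controls measured?" question by reporting which control types (MGT, TEC, OPS, the prefixes used on the controls grid) an asset lacks. The 1-to-5 scales, the asset list, the control identifiers and the per-type control weights are all assumptions made for this example.

```python
"""Added example (not from the presentation): scoring the slide's risk equation
over a small constructed asset inventory.

    Risk = (Threats x Vulnerabilities x Asset Value) / Controls + Residual Risk

The 1-to-5 scales, the asset list, the control IDs (MGT-/TEC-/OPS- style, as on
the slide's controls grid) and the per-type control weights are all assumptions
made for this example, not the author's numbers."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    asset_value: int                  # criticality, 1 (low) to 5 (crown jewel)
    threat: int                       # likelihood of attack, 1 to 5
    vulnerability: int                # exploitable weakness, 1 to 5
    controls: set = field(default_factory=set)  # IDs of controls applied
    managed: bool = True              # unmanaged assets have no controls at all


# Assumed effectiveness weight per control type; used in the divisor term.
CONTROL_WEIGHT = {"MGT": 0.5, "TEC": 1.0, "OPS": 0.75}


def inherent_risk(asset):
    """Numerator of the equation: threat x vulnerability x asset value."""
    return asset.threat * asset.vulnerability * asset.asset_value


def control_strength(controls):
    """Controls term: 1 (nothing applied) plus the weighted sum of applied controls."""
    return 1.0 + sum(CONTROL_WEIGHT[c.split("-")[0]] for c in controls)


def risk_score(asset, unknown_allowance=0.5):
    """Managed asset: inherent risk divided by its control strength, plus a fixed
    allowance for unknown threats and vulnerabilities. Unmanaged asset: nothing
    reduces it, so the whole inherent risk lands in the residual term."""
    if not asset.managed:
        return float(inherent_risk(asset))
    return round(inherent_risk(asset) / control_strength(asset.controls) + unknown_allowance, 2)


def missing_control_types(asset):
    """Control types (MGT, TEC, OPS) with no control applied to this asset."""
    present = {c.split("-")[0] for c in asset.controls}
    return sorted(set(CONTROL_WEIGHT) - present)


def rank_assets(assets):
    """Highest risk first, as (score, name) pairs."""
    return sorted(((risk_score(a), a.name) for a in assets), reverse=True)


# Constructed inventory: one crown jewel, one endpoint, one web system and one
# device nobody has inventoried.
INVENTORY = [
    Asset("payroll-db", 5, 4, 3, {"MGT-01", "TEC-02", "TEC-05", "OPS-03"}),
    Asset("intern-laptop", 2, 4, 4, {"TEC-02"}),
    Asset("web-portal", 4, 5, 2, {"MGT-03", "TEC-02", "TEC-07", "OPS-01", "OPS-04"}),
    Asset("lab-printer", 1, 3, 5, set(), managed=False),
]

if __name__ == "__main__":
    for score, name in rank_assets(INVENTORY):
        print(f"{score:6.2f}  {name}  missing: {missing_control_types(INVENTORY[[a.name for a in INVENTORY].index(name)])}")
```

Ranked this way, the unmanaged lab printer and the under-controlled laptop both score above the crown-jewel database, which is exactly the slide's point about residual risk coming from unmanaged assets and missing controls rather than from the assets already being watched.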


Mitigation: What is currently reducing the risk?

What is a control?
What are the controls types?
What is a controls framework?
How are controls measured?

Controls grid (figure): management controls MGT-01 to MGT-16, technical controls TEC-01 to TEC-20 and operations controls OPS-01 to OPS-20 arranged around the Critical Assets.

Impact: What is the impact to the business?

Cybersecurity Approach: Cybersecurity Risk & Consulting Services
  EY’s Cyber Program Management (CPM) Framework
  KPMG Cyber Security Framework
  Deloitte Cyber Risk Services: Secure. Vigilant. Resilient
  PWC Cybersecurity Services

Cybersecurity Approach: Cybersecurity Technology Providers
  Cisco Cybersecurity Framework
  Oracle Security Approach
  EMC/RSA Cybersecurity Framework
  HP Cybersecurity Framework

Part 3: The NIST Cybersecurity Framework

The NIST Cybersecurity Framework

Cybersecurity Program Steps
  Step 1: Prioritize and Scope
  Step 2: Orient
  Step 3: Create a Current Profile
  Step 4: Conduct a Risk Assessment
  Step 5: Create a Target Profile
  Step 6: Determine, Analyze, and Prioritize Gaps
  Step 7: Implement Action Plan
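Steps 3 to 7 above are a gap analysis between a Current Profile and a Target Profile. The block below is an added example, not the author's or NIST's code: it scores each Framework Core category on the four Implementation Tier levels (a simplification; the Framework applies Tiers to the organization as a whole, so per-category tiers are an assumption made here), finds the categories whose current tier falls short of the target, and orders them by the business priority a risk assessment assigned. The category identifiers are real CSF v1 category IDs; the tier values and priorities are constructed.

```python
"""Added example (not part of the presentation): steps 3 to 7 of the slide's
Cybersecurity Program Steps as a gap analysis over CSF Framework Core
categories. Category IDs (ID.AM, PR.AC, PR.DS, DE.CM, RS.RP, RC.RP) are real
CSF v1 identifiers; scoring a category on the Tier scale is a simplification,
and the tier values and priorities below are constructed."""

# Implementation Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive.
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Step 3, constructed Current Profile: assessed level per category.
CURRENT_PROFILE = {
    "ID.AM": 1,  # Asset Management
    "PR.AC": 2,  # Identity Management and Access Control
    "PR.DS": 2,  # Data Security
    "DE.CM": 1,  # Security Continuous Monitoring
    "RS.RP": 2,  # Response Planning
    "RC.RP": 3,  # Recovery Planning
}

# Step 5, constructed Target Profile, and the business priority (1 = highest)
# that the step 4 risk assessment assigned to each category.
TARGET_PROFILE = {"ID.AM": 3, "PR.AC": 3, "PR.DS": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 3}
PRIORITY = {"ID.AM": 1, "PR.AC": 1, "PR.DS": 2, "DE.CM": 1, "RS.RP": 3, "RC.RP": 3}


def function_of(category):
    """Map a category ID to its CSF Function prefix: ID, PR, DE, RS or RC."""
    return category.split(".")[0]


def find_gaps(current, target):
    """Step 6: every category whose current level is below the target level,
    with the size of the shortfall. An unassessed category counts as Partial."""
    gaps = {}
    for cat, want in target.items():
        have = current.get(cat, 1)
        if have < want:
            gaps[cat] = want - have
    return gaps


def prioritize_gaps(gaps, priority):
    """Order gaps by business priority first, then by size of the gap."""
    return sorted(gaps, key=lambda cat: (priority.get(cat, 99), -gaps[cat]))


def action_plan(current, target, priority):
    """Step 7 input: ordered rows of (category, function, from_level, to_level)."""
    gaps = find_gaps(current, target)
    return [
        (cat, function_of(cat), TIER_NAMES[current.get(cat, 1)], TIER_NAMES[target[cat]])
        for cat in prioritize_gaps(gaps, priority)
    ]


def gaps_by_function(current, target):
    """Roll the total shortfall up per CSF Function for executive reporting."""
    totals = {}
    for cat, size in find_gaps(current, target).items():
        fn = function_of(cat)
        totals[fn] = totals.get(fn, 0) + size
    return totals


if __name__ == "__main__":
    for cat, fn, have, want in action_plan(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        print(f"{cat:6} ({fn}): {have} -> {want}")
    print(gaps_by_function(CURRENT_PROFILE, TARGET_PROFILE))
```

With the constructed data the plan puts Asset Management and Continuous Monitoring first (priority 1, two levels short each), Access Control next, and drops Recovery Planning entirely because it already meets its target; the per-Function roll-up is what a board-level dashboard would show.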

The Cybersecurity Resilience Approach

NIST definition of cyber resilience: “… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”

DHS Cyber Resilience Review – Areas of Focus

  1. Asset Management - The purpose of Asset Management is to identify, document, and manage assets during their life cycle to ensure sustained productivity to support critical
  2. Controls Management - The purpose of Controls Management is to identify, analyze, and manage controls in a critical service’s operating environment.
  3. Configuration and Change Management - The purpose of Configuration and Change Management is to establish processes to ensure the integrity of assets using change control and change control audits.
  4. Vulnerability Management - The purpose of Vulnerability Management is to identify, analyze, and manage vulnerabilities in a critical service’s operating environment.
  5. Incident Management - The purpose of Incident Management is to establish processes to identify and analyze events, detect incidents, and determine an organizational response.
  6. Service Continuity Management - The purpose of Service Continuity Management is to ensure the continuity of essential operations of services and their associated assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.
  7. Risk Management - The purpose of Risk Management is to identify, analyze, and mitigate risks to critical service assets that could adversely affect the operation and delivery of services.
  8. External Dependencies Management - The purpose of External Dependencies Management is to establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.
  9. Training and Awareness - The purpose of Training and Awareness is to promote awareness in and develop skills and knowledge of people in support of their roles in attaining and sustaining operational sustainment and protection.
  10. Situational Awareness - The purpose of Situational Awareness is to actively discover and analyze information related to immediate operational stability and security and to coordinate such information across the enterprise to ensure that all organizational units are performing under a common operating picture.

The Framework Benefits

Fact Sheet: White House Summit on Cybersecurity and Consumer Protection - February 13, 2015

The following corporations announced a commitment to using the NIST Cybersecurity Framework:

  Intel is releasing a paper on its use of the Framework and requiring all of its vendors to use the Framework by contract.
  Apple is incorporating the Framework as part of the broader security protocols across its corporate networks.
  Bank of America will announce that it is using the Framework and will also require it of its vendors.
  U.S. Bank and Pacific Gas & Electric are announcing that they are committed to using the Framework.
  AIG is starting to incorporate the NIST framework into how it underwrites cyber insurance for large, medium-sized, and small businesses and will use the framework to help customers identify gaps in their approach to cybersecurity.
  QVC is announcing that it is using the Cybersecurity Framework in its risk management.
  Walgreens is announcing its support for the Cybersecurity Framework and that it uses it as one of its tools for identifying and measuring risk.
  Kaiser Permanente is committing to use the Framework.

Part 3: The Controls Factory

The Problem Statement

Our Managed Assets ARE protected
  We need to understand why security breaches occur
  And the steps to take to prevent them
  And build a portfolio of managed assets

Our Unmanaged Assets ARE NOT protected
  There are undetected problems – not seen, not reported
  Our unmanaged assets become easy targets
  Which lead to a breach from missing or ineffective controls
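The "not seen, not reported" problem above, and the earlier executive question "do we know what's connected to our systems and networks?", both come down to reconciling the asset inventory against what is actually observed on the network. The block below is an added example, not the author's or UMASS's code: it parses constructed DHCP lease log lines, matches each observed MAC address against a constructed inventory, and reports three populations: managed (inventoried and seen), unmanaged (seen but not inventoried, the breach candidates), and stale (inventoried but not seen, which is a lifecycle de-provisioning gap). The inventory records and log layout are assumptions; a real deployment would read the CMDB and the DHCP server's own lease log.

```python
"""Added example (not from the presentation): reconciling the asset inventory
against what is actually seen on the network, to find the unmanaged assets the
slide calls 'not seen, not reported'. The inventory records, DHCP lease lines
and log layout are constructed for this example."""
import re

# Constructed inventory of managed assets.
INVENTORY = [
    {"host": "payroll-db01", "mac": "00:1a:2b:3c:4d:01", "owner": "finance", "class": "Data Center Systems"},
    {"host": "fs-share02",   "mac": "00:1a:2b:3c:4d:02", "owner": "it-ops",  "class": "Databases & File Shares"},
    {"host": "lt-jsmith",    "mac": "00:1a:2b:3c:4d:03", "owner": "jsmith",  "class": "Endpoint Devices"},
    {"host": "old-build01",  "mac": "00:1a:2b:3c:4d:04", "owner": "dev",     "class": "Data Center Systems"},
]

# Constructed DHCP lease log lines (ISC-style wording; the layout is ours).
DHCP_LOG = """\
Jun 02 08:14:03 dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:03 (lt-jsmith) via eth0
Jun 02 08:15:47 dhcpd: DHCPACK on 10.0.5.22 to 00:1a:2b:3c:4d:02 (fs-share02) via eth0
Jun 02 08:17:12 dhcpd: DHCPACK on 10.0.5.23 to 3c:07:54:aa:bb:01 (android-7f3e) via eth0
Jun 02 08:19:55 dhcpd: DHCPACK on 10.0.5.24 to 00:1a:2b:3c:4d:01 (payroll-db01) via eth0
Jun 02 08:21:30 dhcpd: DHCPACK on 10.0.5.25 to b8:27:eb:11:22:33 via eth0
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<name>[^)]*)\))?"
)


def parse_leases(log_text):
    """Return {mac: (ip, hostname or None)} for every DHCPACK line in the log.
    A later lease for the same MAC overwrites the earlier one."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[m.group("mac").lower()] = (m.group("ip"), m.group("name"))
    return seen


def reconcile(inventory, seen):
    """Split devices into managed (inventoried and seen), unmanaged (seen but
    not inventoried) and stale (inventoried but not seen)."""
    known = {a["mac"].lower(): a for a in inventory}
    managed = sorted(known[m]["host"] for m in seen if m in known)
    unmanaged = sorted(
        (ip, mac, name or "<no hostname>")
        for mac, (ip, name) in seen.items() if mac not in known
    )
    stale = sorted(a["host"] for m, a in known.items() if m not in seen)
    return {"managed": managed, "unmanaged": unmanaged, "stale": stale}


def alerts(report):
    """One line per finding, ready for a ticket queue or SIEM feed."""
    out = [f"UNMANAGED {ip} {mac} {name}" for ip, mac, name in report["unmanaged"]]
    out += [f"STALE {host} (in inventory, not seen on network)" for host in report["stale"]]
    return out


if __name__ == "__main__":
    for line in alerts(reconcile(INVENTORY, parse_leases(DHCP_LOG))):
        print(line)
```

Run against the constructed data this flags the phone and the headless device with no hostname as unmanaged, and the old build server as stale; in practice the same reconciliation is worth running against switch MAC tables and scanner output as well, since devices with static addresses never appear in a DHCP log.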

The Solution Approach

The Controls Factory: unmanaged assets enter, managed assets exit

  1. Threats: Threats, Vulnerabilities, IOCs, Attack Chain
  2. Controls: Framework, Types, Standards
  3. Technologies: Architecture, Design, Build & Run
  4. Operations: Approach, Design, Build & Run
  5. Testing: Threat Model, Controls Testing, Operations Testing
  6. Programs: Approach, Design, Build & Run
  7. GRC: Governance, Risk Management, Compliance

The Solution Approach: Cybersecurity Delivery Life Cycle (CSDLC)

  1. Requirements
  2. Design
  3. Implementation
  4. Operations
  5. Verification
  6. Program Management
  7. Risk Management

The Controls Factory: unmanaged assets enter, managed assets exit through the seven factory components listed above.

The Controls Factory

Input: Unmanaged Assets – The Current Profile (Before the Factory)
Output: Managed Assets – The Target Profile (After the Factory)

Factory areas: Design Area, Build & Run Area, Management Area

  F1 Threat Office: Threats, Vulnerabilities, IOCs; Threat Intelligence; The Cyber Attack Chain
  F2 Control Office: Controls Framework; Controls Standards; Controls Definition
  F3 Technology Center: Technology Architecture; Technology Design; Technology Build & Run
  F4 Operations Center: Security Administration Center; Cybersecurity Operations Center; Resilience, Response, Forensics
  F5 Testing Center: Controls & Technology Testing; Threat Modeling; Operations & Incident Testing
  F6 Program Office: Program Deliverables; The WISP; Program Roadmap
  F7 GRC Office: Assurance & Audit; Organizational Model; Compliance Initiatives

F2: The Controls Office

  The NIST Cybersecurity Framework
  The Controls Types
  The Controls Standards
  Mapping Controls to Assets

Asset classes in the Asset Inventory: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels

F3: The Technology Center

  Technology Architecture
  Technology Design
  Technology Build & Run
  Mapping Cybersecurity Technology to Assets

Asset classes in the Asset Inventory: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels

F5: The Testing Center

  Controls Testing
  Threat Modeling
  Operations Testing
  Mapping Testing / QA to Assets

Assets tested: Endpoints, Network, Systems, Databases, Applications, Identities, Data, Crown Jewels (the Asset Inventory classes: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels)

Controls standards tested against: COBIT 5.0, ISO 27001, 20 CSC, IEC 62443, NIST 800-53, BSIMM V5, PCI DSS, HIPAA, 201 CMR 17

Results reported by NIST CSF function (The C Test Analyzer): Identify, Protect, Detect, Respond, Recover

The Program Model

Input: Unmanaged Assets
Output: Managed Assets

Factory offices and centers, and what each delivers to the programs:
  Threat Office – Attack Models
  Controls Office – Controls Design
  Technology Center – Technology Build & Run
  Operations Center – Operations Build & Run
  Testing Center – Testing Build & Run
  PMO Office – Programs Build & Run
  GRC Office – Risk Reporting

The programs:
  P1: Infrastructure Security Program (Deliverables: Managed Endpoints, Networks, Servers, Databases)
  P2: Application Security Program (Deliverables: Managed Applications)
  P3: Data Governance Program (Deliverables: Managed Information)
  P4: Identity Governance Program (Deliverables: Managed People, Accounts, Entitlements)
  P5: Crown Jewels Program (Deliverables: Managed Critical Assets)

P1: The Infrastructure Program

  1. The Assets
  2. The Controls
  3. The Solutions
  4. The Operations
  5. The Testing
  6. The Assessments & Reporting

Program Engine: Crown Jewels, Identities, Information, Applications, Infrastructure
Controls Engine: COBIT 5.0, ISO 27001, CSC, IEC 62443, NIST 800-53, BSIMM V5, PCI DSS, HIPAA, 201 CMR 17
Results by NIST CSF function (The C Test Analyzer): Identify, Protect, Detect, Respond, Recover

P2: The Application Program

  1. The Assets
  2. The Controls
  3. The Solutions
  4. The Operations
  5. The Testing
  6. The Assessments & Reporting

Program Engine, Controls Engine and CSF function reporting as shown for P1.

P3: The Data Governance Program

  1. The Assets
  2. The Controls
  3. The Solutions
  4. The Operations / Administration
  5. The Testing
  6. The Assessments & Reporting

Program Engine, Controls Engine and CSF function reporting as shown for P1.

P4: The Identity Governance Program

  1. The Assets
  2. The Controls
  3. The Solutions
  4. The Operations / Administration
  5. The Testing
  6. The Assessments & Reporting

Program Engine, Controls Engine and CSF function reporting as shown for P1.

P5: The Critical Assets Program

  1. The Assets
  2. The Controls
  3. The Solutions
  4. The Operations / Administration
  5. The Testing
  6. The Assessments & Reporting

Program Engine, Controls Engine and CSF function reporting as shown for P1.

Build a Cybersecurity Program: The Program Summary

Identify – NIST Controls Framework
  Cyber Attack Chain (steps 1 to 7)
  Controls Standards & Mapping:
    Management Controls (ISO 27001:2013)
    Technical Controls (Council on Cyber-security CSC)
    Operations Controls (ISO 27001:2013)

Unmanaged Assets [Programs] – Technologies & Services
  Eight asset programs: Endpoint Devices, Network Security, Data Center Systems, Database Security, Application Security, Identity Governance, Data Governance, Crown Jewels

Protect, Detect, Respond, Recover – Testing & Reporting
  Cybersecurity Controls Testing & Reporting
  Cybersecurity Technology Testing & Reporting
  Cybersecurity Operations Testing & Reporting
  (applied to the same eight asset programs)

Managed Assets [Programs] – Operations & Administration
  Cybersecurity Administration Center
  Cybersecurity Operations Center
  Incident Response Team

Part 5: The Factory Vision

Where were we? - Yesterday

The early days (2010): Six Security Programs
  PRG1: Governance, Risk, Compliance (GRC)
  PRG2: Threat & Vulnerability Management (TVM)
  PRG3: Privacy and Data Protection (PDP)
  PRG4: Application Integrity and Security (AIS)
  PRG5: Identity & Access Management (IAM)
  PRG6: Infrastructure & Operations Security (IOS)

Defense in Depth – The Controls Layers:
  GRC: Program Governance, Risk Management and Compliance
  Threat & Vulnerability: Internal & External threats & weaknesses
  Network & Server Assets: Core Infrastructure
  Application Assets: Provides authorized user access to the data
  Data Layer: Where information resides
  People & Identities: Authorized vs. Unauthorized user access to data

Where are we? - Today

The Controls Factory model: the F1 to F7 offices and centers described above, with unmanaged assets (The Current Profile, Before the Factory) as input and managed assets (The Target Profile, After the Factory) as output.

Summary: Building an Effective Security Program

The NIST Golden Rules

Develop an enterprise-wide information security strategy and game plan

Get corporate “buy in” for the enterprise information security program—effective programs start at the top

Build information security into the infrastructure of the enterprise

Establish a level of “due diligence” for information security

Focus initially on mission/business case impacts—bring in threat information only when specific and credible

Create a balanced information security program with management, operational, and technical security controls

Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk

Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data

Harden the target; place multiple barriers between the adversary and enterprise information systems

Be a good consumer—beware of vendors trying to sell “single point solutions” for enterprise security problems

Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes

Don’t tolerate indifference to enterprise information security problems

And finally…

Manage enterprise risk—don’t try to avoid it!
