Designing & Building a Cybersecurity Program
Based on the NIST Cybersecurity Framework (CSF)
Larry Wilson, Lesson 1, June 2015
About the Class
This course covers the essential elements for planning, building and managing a cybersecurity program.

Lesson 1 – The Controls Factory: The Fundamentals; Understanding the Risks; The Controls Factory; The Cybersecurity Programs; The Vision
Lesson 2 – Controls Factory Components: The Threat Office; The Controls Office; The Technology Center; The Operations Center; The Testing Center; The Program Office; The GRC Office
Lesson 3 – Building the Program:
Step 1: Establish Goals, Objectives, Approach, Deliverables
Step 2: Get Management Support
Step 3: Establish Budget, Resources, Scope, Funding, Timeline
Step 4: Establish Program, Asset, Controls Roadmap
Step 5: Select Controls, Technologies, Services
Step 6: Build Master Plan and Program Mapping
Step 7: Prioritize Deliverables
Step 8: Conduct Program, Asset, Controls Review
Step 9: Establish Program, Asset, Controls Risk Dashboard
Step 10: Program Summary: End to End Security
Lesson 4 – Case Study: The South Carolina DOR Data Breach:
Part 1: The State Government Information Security Initiative
Part 2: The Mandiant Report
Part 3: The Deloitte Initial Report
Part 4: The Deloitte Interim Report
Part 5: The Deloitte Final Report
About the Instructor
Larry Wilson, Information Security Lead, University of Massachusetts
Design, build, manage the UMASS Written Information Security Program (WISP): based on industry-standard controls (ISO 27002, Council on Cybersecurity, NIST Cybersecurity Framework); implemented consistently across all university campuses.
Prior to UMASS: Vice President, Network Security Engineering Manager at State Street – I designed their program; IT Audit Manager for Deloitte working on the MasterCard account – I assessed their program.
Education and Certifications: MS in Structural Engineering from the University of New Hampshire. Industry certifications include PE, CISSP, CISA and PCI ISA.
Develop and Deliver Training Classes: Secure World Expo (Building a Cybersecurity Program); ISACA New England (CISA certification training).
Executive Recognition (2013): ISE Executive Award Finalist – Northeast Region, North America; SANS Person Who Made a Difference in Cybersecurity.
UMASS Security Program Recognition (2013, 2014): ISE Project Award Winner – North America; SANS 20 Critical Controls Poster – Featured Program.
Lesson 1: The Controls Factory
Part 1: The Fundamentals – Data is the New Oil; Data is Everywhere; The Key Business Challenges; The Key Technology Challenges; The High Risk of Data Breaches; The Challenge to Our Executives; The Response: Need to be Proactive
Part 2: Understanding the Risks – The Risk Equation; What are you Trying to Protect?; What are you Afraid of Happening?; How Could the Threat Occur?; What is Currently Reducing the Risk?; What is the Impact to the Business?; How Likely is the Threat given the Controls?
Part 3: The NIST Framework – The Framework Core; The Framework Profile; The Framework Implementation Tiers; Cyber Resilience Review; Who's Using the Framework
Part 4: The Controls Factory – The Problem Statement; The Solution Approach; Protecting the Assets; The Factory Offices / Centers
Part 5: The Cybersecurity Programs – P1: The Infrastructure Security Program; P2: The Application Security Program; P3: The Data Governance Program; P4: The Identity Governance Program; P5: The Critical Assets Program
Part 6: The Vision / Next Steps – Where We Were - Yesterday; Where We Are - Today; Where We're Going - Tomorrow; 2015 Cybersecurity Predictions; Building an Effective Program
Part 1: The Fundamentals
Why doesn’t everyone have a BRICK House?
Did everyone NOT read the 3 little Pigs?
Data is Everywhere
Growing attack surface: consumerization of IT; public, private, hybrid cloud; mobile applications; privileged accounts; Internet of Things ...
The Key Business Challenges
The Threat Situation
"Continuing serious cyber attacks on information systems, large and small; targeting key federal, state, local, and private sector operations and assets ....
Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated.
Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising your information systems.
Effective deployment of malicious software causing significant exfiltration of sensitive information (including intellectual property) and potential for disruption of critical information systems / services."
-- Dr. Ron Ross, NIST Computer Security Division, Information Technology Laboratory
Threat Actors
The Challenge: To Corporate and Government Leaders ....
Where does your business stand on basic cybersecurity hygiene? There is a global awakening among non-technologists that we are vulnerable in cyberspace; we are not organized well to protect ourselves; we suffer from a "fog of more" ...... more standards, more checklists, more devices, more technology, more things ...
Our executives need to ask five basic questions:
1. Do we know what's connected to our systems and networks?
2. Do we know what's running or trying to run on our systems and networks?
3. Are we limiting the number of people with administrative privileges to change, bypass or override the security setting?
4. Do we have continuous processes backed by security technologies that allow us to prevent most breaches, rapidly detect all that do succeed and minimize damage to our business and customers?
5. Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?
Because .... having these basic safeguards in place will prevent 80% to 90% of the known attacks.
-- Jane Holl Lute, Council on Cybersecurity; served as Deputy Secretary for Homeland Security from April 2009 to April 2013
The Response: We Need to be Proactive ....
Manage our Risks: understand and establish a well-developed risk management model; apply controls to our assets, because every security incident starts with a compromised asset.
Manage our Assets: inventory, prioritize, categorize (by type and value), safeguard; lifecycle management (provision, de-provision, discover, manage changes, reconciliation, monitor & alert).
Manage our Programs: understand the essential building blocks and how they relate.
Alignment and Transparency: Are we on the same page? Are we learning and improving? Are we testing and measuring? Are we maturing our program over time?
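The asset lifecycle step "reconciliation, monitor & alert" is where unmanaged assets first become visible: compare what the inventory claims is managed against what discovery actually saw on the network. The script below is an added example and is not code from the original deck or from the UMASS program. The inventory rows, the discovery export, the column names and the join-by-IP rule are constructed assumptions (reserved or static addresses are assumed so that IP is a stable key); it flags three kinds of difference: hosts observed but not inventoried (unmanaged), inventoried hosts not observed recently (stale inventory or un-de-provisioned asset), and inventoried addresses now answered by different hardware.

```python
"""Reconcile the asset inventory against what network discovery observed,
and flag the differences: the deck's 'unmanaged assets'.

Added example, not code from the original deck. The inventory, the
discovery records, the field names and the join-by-IP rule are
constructed assumptions for illustration.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed authorized inventory: what the program believes it manages.
INVENTORY_CSV = """asset_id,hostname,ip,mac,owner,criticality
A-001,fs01.corp.example,10.0.1.10,00:1a:2b:3c:4d:01,IT-Storage,crown_jewel
A-002,web01.corp.example,10.0.1.20,00:1a:2b:3c:4d:02,AppTeam,high
A-003,lab-win7.corp.example,10.0.1.30,00:1a:2b:3c:4d:03,Research,low
A-004,db01.corp.example,10.0.1.40,00:1a:2b:3c:4d:04,DBA,crown_jewel
"""

# Constructed discovery export (e.g. from DHCP leases or an ARP sweep).
DISCOVERED_CSV = """ip,mac,hostname,last_seen
10.0.1.10,00:1a:2b:3c:4d:01,fs01,2015-06-01T08:00:00
10.0.1.20,00:1a:2b:3c:4d:02,web01,2015-06-01T08:01:00
10.0.1.40,00:1a:2b:3c:4d:99,db01,2015-06-01T08:02:00
10.0.1.77,3c:97:0e:aa:bb:cc,,2015-06-01T07:55:00
10.0.1.78,b8:27:eb:11:22:33,raspberrypi,2015-05-31T23:10:00
"""

SCAN_TIME = datetime(2015, 6, 1, 9, 0, 0)   # constructed "now" for the run

# Ordering weight. An asset of unknown criticality (nothing in the inventory
# describes it) is ranked just below crown jewels: you cannot assess what you
# do not manage, which is why the deck calls these the easy targets.
RANK = {"crown_jewel": 0, "unknown": 1, "high": 2, "medium": 3, "low": 4}


@dataclass(frozen=True)
class Finding:
    kind: str          # unmanaged | not_seen | mac_mismatch
    ip: str
    detail: str
    criticality: str = "unknown"


def _rows(text, key):
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory_csv, discovered_csv, now=None,
              stale_after=timedelta(days=7)):
    now = now or SCAN_TIME
    inventory = _rows(inventory_csv, "ip")
    discovered = _rows(discovered_csv, "ip")
    findings = []

    # 1. On the wire but not in the inventory: an unmanaged asset.
    for ip, obs in discovered.items():
        if ip not in inventory:
            findings.append(Finding(
                "unmanaged", ip,
                f"mac={obs['mac']} hostname={obs['hostname'] or '?'}"))

    for ip, inv in inventory.items():
        obs = discovered.get(ip)
        # 2. In the inventory but never (or not recently) observed: the
        #    inventory is stale, or the asset left without de-provisioning.
        if obs is None:
            findings.append(Finding(
                "not_seen", ip, f"{inv['hostname']} not observed",
                inv["criticality"]))
            continue
        if now - datetime.fromisoformat(obs["last_seen"]) > stale_after:
            findings.append(Finding(
                "not_seen", ip,
                f"{inv['hostname']} last seen {obs['last_seen']}",
                inv["criticality"]))
        # 3. Same address, different hardware: a replaced host, or something
        #    impersonating a managed one. Controls bound to the inventoried
        #    asset no longer apply to what is actually there.
        if obs["mac"].lower() != inv["mac"].lower():
            findings.append(Finding(
                "mac_mismatch", ip,
                f"inventory {inv['mac']} vs observed {obs['mac']}",
                inv["criticality"]))

    return sorted(findings, key=lambda f: (RANK[f.criticality], f.kind, f.ip))


def summary(findings):
    """Counts per finding kind, for the program dashboard."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = reconcile(INVENTORY_CSV, DISCOVERED_CSV)
    for f in results:
        print(f"{f.kind:13} {f.ip:12} {f.criticality:12} {f.detail}")
    print(summary(results))
```

On the constructed data the crown-jewel database whose MAC changed is reported first, the two unknown hosts next, and the unseen low-criticality lab box last. In a real deployment the discovery side would be fed from several sources (DHCP, switch MAC tables, EDR check-ins, cloud APIs) and the join key chosen per source; the three finding kinds stay the same.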
We have executive attention …..
So now what?
Part 2: Understanding the Risks
The Risk Equation
How do we calculate risk?
Risk is based on the likelihood and impact of a cyber-security incident or data breach
Threats involve the potential attack against IT resources and information assets
Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat
Asset Value is based on criticality of IT resources and information assets
Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities
Residual risk includes a combination of unknown threats + unknown vulnerabilities + unmanaged assets + missing controls
Risk = (Threats × Vulnerabilities × Asset Value) / Controls + Residual Risk
Assets: What are you trying to protect?
What are the assets? Where are the assets? How are the assets managed? Which assets are critical?
Threats: What are you afraid of happening?
What are the threats? Where are the threats? How are attacks staged? How have the threats changed?
Vulnerabilities: How could the threat occur?
What is a vulnerability? What are the vulnerabilities? How are the vulnerabilities managed? How are vulnerabilities remediated?
Mitigation: What is currently reducing the risk?
What is a control? What are the controls types? What is a controls framework? How are controls measured?
(Slide graphic: the controls grid, with management controls MGT-01 to MGT-16, technical controls TEC-01 to TEC-20 and operations controls OPS-01 to OPS-20 arranged around the Critical Assets.)
Probability: How likely is the threat given the controls?
Cybersecurity Approach: Cybersecurity Risk & Consulting Services
EY's Cyber Program Management (CPM) Framework
KPMG Cyber Security Framework
Deloitte Cyber Risk Services: Secure. Vigilant. Resilient.
PwC Cybersecurity Services
Cybersecurity Approach: Cybersecurity Technology Providers
Cisco Cybersecurity Framework
Oracle Security Approach
EMC/RSA Cybersecurity Framework
HP Cybersecurity Framework
Cybersecurity Approach: Managed Security Services Providers (MSSPs)
Dell SecureWorks
IBM Managed Security Services
Symantec Security Solutions
AT&T Security Services
The Cybersecurity Resilience Approach: The NIST Cybersecurity Framework
Cybersecurity Program Steps
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
The NIST Cybersecurity Framework
NIST Definition of cyber resilience “… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”
DHS Cyber Resilience Review – Areas of Focus
1. Asset Management – The purpose of Asset Management is to identify, document, and manage assets during their life cycle to ensure sustained productivity to support critical services.
2. Controls Management – The purpose of Controls Management is to identify, analyze, and manage controls in a critical service's operating environment.
3. Configuration and Change Management – The purpose of Configuration and Change Management is to establish processes to ensure the integrity of assets using change control and change control audits.
4. Vulnerability Management – The purpose of Vulnerability Management is to identify, analyze, and manage vulnerabilities in a critical service's operating environment.
5. Incident Management – The purpose of Incident Management is to establish processes to identify and analyze events, detect incidents, and determine an organizational response.
6. Service Continuity Management – The purpose of Service Continuity Management is to ensure the continuity of essential operations of services and their associated assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.
7. Risk Management – The purpose of Risk Management is to identify, analyze, and mitigate risks to critical service assets that could adversely affect the operation and delivery of services.
8. External Dependencies Management – The purpose of External Dependencies Management is to establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.
9. Training and Awareness – The purpose of Training and Awareness is to promote awareness in and develop skills and knowledge of people in support of their roles in attaining and sustaining operational sustainment and protection.
10. Situational Awareness – The purpose of Situational Awareness is to actively discover and analyze information related to immediate operational stability and security and to coordinate such information across the enterprise to ensure that all organizational units are performing under a common operating picture.
Fact Sheet: White House Summit on Cybersecurity and Consumer Protection - February 13, 2015
The following corporations announced a commitment to using the NIST Cybersecurity Framework:
Intel is releasing a paper on its use of the Framework and requiring all of its vendors to use the Framework by contract.
Apple is incorporating the Framework as part of the broader security protocols across its corporate networks.
Bank of America will announce that it is using the Framework and will also require it of its vendors.
U.S. Bank and Pacific Gas & Electric are announcing that they are committed to using the Framework.
AIG is starting to incorporate the NIST framework into how it underwrites cyber insurance for large, medium-sized, and small businesses and will use the framework to help customers identify gaps in their approach to cybersecurity.
QVC is announcing that it is using the Cybersecurity Framework in its risk management.
Walgreens is announcing its support for the Cybersecurity Framework and that it uses it as one of its tools for identifying and measuring risk.
Kaiser Permanente is committing to use the Framework.
The Problem Statement
Our managed assets ARE protected. We need to understand why security breaches occur and the steps to take to prevent them, and build a portfolio of managed assets.
Our unmanaged assets ARE NOT protected. There are undetected problems (not seen, not reported); our unmanaged assets become easy targets, which leads to a breach from missing or ineffective controls.
The Solution Approach
The Controls Factory: unmanaged assets enter, managed assets exit. The factory has seven components:
1. Threats: Threats, Vulnerabilities, IOCs, Attack Chain
2. Controls: Framework, Types, Standards
3. Technologies: Architecture, Design, Build & Run
4. Operations: Approach, Design, Build & Run
5. Testing: Threat Model, Controls Testing, Operations Testing
6. Programs: Approach, Design, Build & Run
7. GRC: Governance, Risk Management, Compliance
The Solution Approach: Cybersecurity Delivery Life Cycle (CSDLC)
Each of the seven Controls Factory components corresponds to a life cycle phase (unmanaged assets enter, managed assets exit):
1. Requirements – Threats: Threats, Vulnerabilities, IOCs, Attack Chain
2. Design – Controls: Framework, Types, Standards
3. Implementation – Technologies: Architecture, Design, Build & Run
4. Operations – Operations: Approach, Design, Build & Run
5. Verification – Testing: Threat Model, Controls Testing, Operations Testing
6. Program Management – Programs: Approach, Design, Build & Run
7. Risk Management – GRC: Governance, Risk Management, Compliance
The Controls Factory
Input: Unmanaged Assets – The Current Profile (Before the Factory). Output: Managed Assets – The Target Profile (After the Factory).
Design Area:
F1 Threat Office – Threats, Vulnerabilities, IOCs; Threat Intelligence; The Cyber Attack Chain
F2 Controls Office – Controls Framework; Controls Definition; Controls Standards
Build & Run Area:
F3 Technology Center – Technology Architecture; Technology Design; Technology Build & Run
F4 Operations Center – Security Administration Center; Cybersecurity Operations Center; Resilience, Response, Forensics
F5 Testing Center – Threat Modeling; Controls & Technology Testing; Operations & Incident Testing
Management Area:
F6 Program Office – Program Deliverables; The WISP; Program Roadmap
F7 GRC Office – Organizational Model; Compliance Initiatives; Assurance & Audit
F1: The Threat Office
Threats & Vulnerabilities; Threat Sharing; The Cyber Attack Chain; Mapping Attacks to Assets.
Asset Inventory: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels.
F2: The Controls Office
The NIST Cybersecurity Framework; The Controls Types; The Controls Standards; Mapping Controls to Assets.
Asset Inventory: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels.
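The Controls Office work of mapping controls to assets is also where the Framework steps earlier in this lesson (Create a Current Profile, Create a Target Profile, Determine, Analyze, and Prioritize Gaps) become concrete. The script below is an added example, not code from the deck or the UMASS program. The CSF subcategory identifiers are real Framework v1.0 identifiers; the control set, the control-to-subcategory mapping, the asset classes, the criticality weights and the implementation status are constructed sample data. It treats each control's asset scope as the Target Profile, the asset classes where the control is actually in place as the Current Profile, lists the gaps with the most critical asset class first, and reports coverage per CSF Function so that a Function with no control mapped at all shows up as a gap, which a control-by-control list alone would never reveal.

```python
"""Map controls to CSF Functions and asset classes, then compute the gap
between the Current Profile (where each control is actually implemented)
and the Target Profile (every asset class the control is scoped to).

Added example, not code from the original deck. CSF subcategory IDs are
real Framework v1.0 identifiers; the control set, its mapping to
subcategories, the asset classes, weights and implementation status are
constructed sample data for illustration.
"""
from dataclasses import dataclass

# Asset classes from the deck's asset inventory, with an assumed
# criticality weight used only to order the gaps (constructed).
CRITICALITY = {
    "crown_jewels": 3, "databases": 2, "identities": 2, "data": 2,
    "applications": 1, "servers": 1, "network": 1, "endpoints": 0,
}
ASSET_CLASSES = frozenset(CRITICALITY)

# CSF Functions keyed by the prefix of a subcategory ID (ID.AM-1 -> Identify).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
FUNCTION_ORDER = {name: i for i, name in enumerate(FUNCTIONS.values())}


@dataclass(frozen=True)
class Control:
    control_id: str      # the standard's own identifier (CSC, ISO 27001:2013)
    ctype: str           # management | technical | operations (deck's types)
    csf: str             # CSF subcategory the control satisfies (illustrative)
    scope: frozenset     # asset classes it must cover = Target Profile

    @property
    def function(self):
        return FUNCTIONS[self.csf.split(".")[0]]


# Constructed control set; the subcategory mappings are illustrative.
CONTROLS = [
    Control("CSC-1", "technical", "ID.AM-1",
            frozenset({"endpoints", "network", "servers"})),
    Control("CSC-2", "technical", "ID.AM-2",
            frozenset({"endpoints", "servers"})),
    Control("CSC-12", "technical", "PR.AC-4",
            frozenset({"endpoints", "servers", "databases", "identities", "crown_jewels"})),
    Control("ISO-A.12.4.1", "operations", "PR.PT-1",
            frozenset({"servers", "databases", "applications", "crown_jewels"})),
    Control("ISO-A.16.1.5", "operations", "RS.RP-1", ASSET_CLASSES),
    Control("ISO-A.5.1.1", "management", "ID.GV-1", ASSET_CLASSES),
]

# Constructed Current Profile: asset classes where each control is in place.
IMPLEMENTED = {
    "CSC-1": {"servers", "network"},
    "CSC-2": {"servers"},
    "CSC-12": {"servers", "identities", "crown_jewels"},
    "ISO-A.12.4.1": {"servers", "databases", "crown_jewels"},
    "ISO-A.16.1.5": set(ASSET_CLASSES),
    "ISO-A.5.1.1": set(ASSET_CLASSES),
}


@dataclass(frozen=True)
class Gap:
    control_id: str
    asset_class: str
    function: str
    criticality: int


def prioritized_gaps(controls, implemented):
    """Target minus Current for every control, most critical asset first."""
    gaps = []
    for c in controls:
        for asset in c.scope - implemented.get(c.control_id, set()):
            gaps.append(Gap(c.control_id, asset, c.function, CRITICALITY[asset]))
    return sorted(gaps, key=lambda g: (-g.criticality, FUNCTION_ORDER[g.function],
                                       g.control_id, g.asset_class))


def coverage_by_function(controls, implemented):
    """(implemented, scoped) control/asset pairs per CSF Function.
    Implementations outside a control's scope are not counted, so
    extra coverage in one place cannot mask a gap elsewhere."""
    cov = {name: [0, 0] for name in FUNCTIONS.values()}
    for c in controls:
        done = c.scope & implemented.get(c.control_id, set())
        cov[c.function][0] += len(done)
        cov[c.function][1] += len(c.scope)
    return {name: tuple(v) for name, v in cov.items()}


def unmapped_functions(coverage):
    """Functions with no control mapped at all: a framework-level gap."""
    return [name for name, (_, scoped) in coverage.items() if scoped == 0]


if __name__ == "__main__":
    for g in prioritized_gaps(CONTROLS, IMPLEMENTED):
        print(f"{g.function:8} {g.control_id:14} missing on {g.asset_class} (crit {g.criticality})")
    cov = coverage_by_function(CONTROLS, IMPLEMENTED)
    for name, (done, scoped) in cov.items():
        print(f"{name:8} {done}/{scoped}")
    print("no control mapped:", unmapped_functions(cov))
```

On the constructed data the first gap reported is administrative-privilege control on the databases, ahead of the three endpoint gaps, and Detect and Recover come back as Functions with no control mapped at all. Keeping the standards' own identifiers on each control (CSC numbers, ISO 27001 Annex A clauses) is what lets the same table later feed the management / technical / operations split the deck uses in its Program Summary.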
F3: The Technology Center
Technology Architecture; Technology Design; Technology Build & Run; Mapping Cybersecurity Technology to Assets.
Asset Inventory: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels.
F4: The Operations Center
Cybersecurity Operations Center (CSOC); Cybersecurity Administration Center; Resilience, Response and Forensics; Mapping Cybersecurity Operations to Assets.
Asset Inventory: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels.
F5: The Testing Center
Controls Testing; Threat Modeling; Operations Testing; Mapping Testing / QA to Assets.
Asset Inventory: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels.
Controls standards tested (Assets × Controls): COBIT 5.0, ISO 27001, 20 CSC, IEC 62443, NIST 800-53, BSIMM V5, PCI DSS, HIPAA, 201 CMR 17. Results are reported against the five CSF functions (Identify, Protect, Detect, Respond, Recover) by "The C Test Analyzer".
F6: The PMO Office
Program Management Principles; Program Management Methodology; Program Tracking and Reporting Dashboard; Mapping Cybersecurity Programs to Assets.
Asset Inventory: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels.
F7: The GRC Office
GRC Principles; GRC Methodology; GRC Tracking & Reporting Dashboard; Mapping Cybersecurity Governance to Assets.
Asset Inventory: Endpoint Devices, Network Devices, Data Center Systems, Databases & File Shares, Applications & Programs, Identity & Access Governance, Data Governance, Crown Jewels.
Part 5: The Cybersecurity Programs
The Program Model
Input: Unmanaged Assets. Output: Managed Assets.
The factory offices feed the programs: Threat Office (Attack Models); Controls Office (Controls Design); Technology Center (Technology Build & Run); Operations Center (Operations Build & Run); Testing Center (Testing Build & Run); PMO Office (Programs Build & Run); GRC Office (Risk Reporting).
The five programs:
P1: Infrastructure Security Program (Deliverables: Managed Endpoints, Networks, Servers, Databases)
P2: Application Security Program (Deliverables: Managed Applications)
P3: Data Governance Program (Deliverables: Managed Information)
P4: Identity Governance Program (Deliverables: Managed People, Accounts, Entitlements)
P5: Crown Jewels Program (Deliverables: Managed Critical Assets)
P1: The Infrastructure Program
1. The Assets; 2. The Controls; 3. The Solutions; 4. The Operations; 5. The Testing; 6. The Assessments & Reporting
Program Engine: Crown Jewels, Identities, Information, Applications, Infrastructure.
Controls Engine: COBIT 5.0, ISO 27001, 20 CSC, IEC 62443, NIST 800-53, BSIMM V5, PCI DSS, HIPAA, 201 CMR 17; results reported against Identify, Protect, Detect, Respond, Recover by "The C Test Analyzer".
P2: The Application Program
1. The Assets; 2. The Controls; 3. The Solutions; 4. The Operations; 5. The Testing; 6. The Assessments & Reporting
Program Engine and Controls Engine as in P1.
P3: The Data Governance Program
1. The Assets; 2. The Controls; 3. The Solutions; 4. The Operations / Administration; 5. The Testing; 6. The Assessments & Reporting
Program Engine and Controls Engine as in P1.
P4: The Identity Governance Program
1. The Assets; 2. The Controls; 3. The Solutions; 4. The Operations / Administration; 5. The Testing; 6. The Assessments & Reporting
Program Engine and Controls Engine as in P1.
P5: The Critical Assets Program
1. The Assets; 2. The Controls; 3. The Solutions; 4. The Operations / Administration; 5. The Testing; 6. The Assessments & Reporting
Program Engine and Controls Engine as in P1.
Build a Cybersecurity Program: The Program Summary
Identify – NIST Controls Framework; Cyber Attack Chain (stages 1 to 7); Controls Standards & Mapping: Management Controls (ISO 27001:2013), Technical Controls (Council on Cybersecurity CSC), Operations Controls (ISO 27001:2013).
Unmanaged Assets [Programs] enter, Technologies & Services are applied, Managed Assets [Programs] exit. The eight asset programs: Endpoint Devices, Network Security, Data Center Systems, Database Security, Application Security, Identity Governance, Data Governance, Crown Jewels.
Protect, Detect, Respond, Recover – Testing & Reporting: Cybersecurity Controls Testing & Reporting; Cybersecurity Technology Testing & Reporting; Cybersecurity Operations Testing & Reporting. Operations & Administration: Cybersecurity Administration Center; Cybersecurity Operations Center; Incident Response Team.
Where were we? - Yesterday
The early days (2010): Six Security Programs
PRG1: Governance, Risk, Compliance (GRC)
PRG2: Threat & Vulnerability Management (TVM)
PRG3: Privacy and Data Protection (PDP)
PRG4: Application Integrity and Security (AIS)
PRG5: Identity & Access Management (IAM)
PRG6: Infrastructure & Operations Security (IOS)
Defense in Depth – The Controls Layers:
GRC: Program Governance, Risk Management and Compliance
Threat & Vulnerability: Internal & External threats & weaknesses
Network & Server Assets: Core Infrastructure
Application Assets: Provides authorized user access to the data
Data Layer: Where information resides
People & Identities: Authorized vs. Unauthorized user access to data
Where are we? - Today
(Slide graphic: the Controls Factory as shown in Part 4 – input Unmanaged Assets / The Current Profile, output Managed Assets / The Target Profile, with the Threat Office, Controls Office, Technology Center, Operations Center, Testing Center, Program Office and GRC Office, F1 to F7, across the Design, Build & Run and Management areas.)
Where are we going? - Tomorrow
Factory in a Can: Academic / Research Factory (AR); Staging / Test Factory (ST); Corporate / Enterprise Factory (CE); Cloud / Partner Factory (CP)
Summary: Building an Effective Security Program
The NIST Golden Rules
Develop an enterprise-wide information security strategy and game plan
Get corporate “buy in” for the enterprise information security program—effective programs start at the top
Build information security into the infrastructure of the enterprise
Establish a level of “due diligence” for information security
Focus initially on mission/business case impacts—bring in threat information only when specific and credible
Create a balanced information security program with management, operational, and technical security controls
Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk
Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data
Harden the target; place multiple barriers between the adversary and enterprise information systems
Be a good consumer—beware of vendors trying to sell “single point solutions” for enterprise security problems
Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes
Don’t tolerate indifference to enterprise information security problems
And finally…
Manage enterprise risk—don’t try to avoid it!
Questions?