Critical Security Framework: MEASURING Security
Dick Bussiere | Technical Director | Asia Pacific

NIST Critical Security Framework (CSF)

Page 1: NIST Critical Security Framework (CSF)

Critical Security Framework MEASURING Security

Dick Bussiere | Technical Director | Asia Pacific

Page 2: NIST Critical Security Framework (CSF)

Agenda

• Some opening observations
• What is the NIST Cybersecurity Framework?
• Why should YOU care?
• How would I apply it?
• How would I measure my effectiveness?

Page 3: NIST Critical Security Framework (CSF)

Would you drive BLINDFOLDED?

Page 4: NIST Critical Security Framework (CSF)

Things to Ponder

• 205 days until a breach is detected (APAC average)?
• Can you say with certainty that you are 100% secure?
• Do you know with certainty that you have NOT been breached?

Page 5: NIST Critical Security Framework (CSF)

Heard on the street…

• 88% of organizations believe security should be a top or high priority of the business
• 68% of CEOs view security as a top or high priority to the business
• 16% of organizations completely agree that the business has the ability to defend itself from security attacks

Page 6: NIST Critical Security Framework (CSF)

A false sense of security?

Page 7: NIST Critical Security Framework (CSF)
Page 8: NIST Critical Security Framework (CSF)

Yet breaches continue to increase at an unprecedented rate.

Companies spent $76.9B in 2015 on information security.

Page 9: NIST Critical Security Framework (CSF)

Without a Security Framework…

Page 10: NIST Critical Security Framework (CSF)

Heard on the street…

• 88% of organizations believe security should be a top or high priority of the business
• 68% of CEOs view security as a top or high priority to the business
• 16% of organizations completely agree that the business has the ability to defend itself from security attacks

Page 11: NIST Critical Security Framework (CSF)

IF YOU CAN’T MEASURE IT, YOU CAN’T CONTROL IT

Page 12: NIST Critical Security Framework (CSF)

IF YOU CAN’T MEASURE IT, YOU CAN’T IMPROVE IT

Page 13: NIST Critical Security Framework (CSF)

The Survey Says…

Security frameworks guide the way…
• 84% leverage a security framework
• Broad range of company sizes

Wide range of frameworks utilized
• 44% used more than one framework
• EOY 2016: CSF (43%), CIS (44%), ISO (44%)

Best practice & requirements drive CSF adoption
• 70% adopted CSF because they consider it best practice
• 29% adopted CSF because a partner required it

Security framework adoption is a journey
• Only 1 in 5 rank their organization as very mature
• More than half of CSF adopters require significant investment to fully conform

Survey conducted by Dimensional Research, March 2016; 316 IT and security professionals interviewed in the US

Page 14: NIST Critical Security Framework (CSF)

Executive Order 13636, Improving Critical Infrastructure Cybersecurity (February 2013), directed NIST to develop the Framework; version 1.0 was published in February 2014.

Page 15: NIST Critical Security Framework (CSF)

Why Cyber Security Framework?

• Asks the question “what are you doing to improve?” rather than “did you implement control XYZ?”
• Results in a shift from compliance to action and specific outcomes
• Business oriented
• Has a built-in maturity model and gap analysis: the Implementation Tiers describe how rigorous your risk management practice is (NIST itself notes the Tiers are not intended as maturity levels), so there is no need to overlay another maturity model on top of CSF
• Measures where you are and where you need to go
• Can be implemented “piecemeal” as required, making it more appealing to business

Page 16: NIST Critical Security Framework (CSF)

Why Cyber Security Framework?

• Repeatable
• Flexible
• Technology neutral
• Cost effective
• Measurable!
• Common language

Page 17: NIST Critical Security Framework (CSF)

Objectives of CSF in a nutshell

• Describe current security posture
• Describe target security posture
• Continuous improvement
• Assess progress towards target posture
• Communicate risk

Page 18: NIST Critical Security Framework (CSF)

A Framework of Frameworks

The NIST Cybersecurity Framework sits on top of existing standards, which it uses as Informative References:
• ISO/IEC 27001
• CCS CSC
• ISA 62443
• NIST SP 800-53
• COBIT 5

Page 19: NIST Critical Security Framework (CSF)

The Cyber Security Framework at 40,000 feet…

CSF Core (what it does)
• Identify • Protect • Detect • Respond • Recover

Framework Implementation Tiers (how you view cybersecurity)
• Four Tiers that show how cybersecurity risks and processes are viewed within an organization
• Required Tier based on perceived risk/benefit analysis

Framework Profile (where you are and where you want to go)
• Defines (measures) current state
• Defines (measures) desired state

Page 20: NIST Critical Security Framework (CSF)

CSF Component 1 – Framework Core

Framework Core functions:
• Identify
• Protect
• Detect
• Respond
• Recover

Page 21: NIST Critical Security Framework (CSF)

5 Core CSF Functions Explained…

Identify • Understand what’s important to the business and what the risks are
Protect • Develop safeguards to ensure confidentiality, integrity and availability (CIA)
Detect • Find bad things
Respond • What you do when bad things happen
Recover • How to restore what the bad guys broke

Page 22: NIST Critical Security Framework (CSF)

Structure

Page 23: NIST Critical Security Framework (CSF)

Structure Example

Function Unique Identifier: ID
Function: Identify
  Category Unique Identifier: ID.AM
  Category: Asset Management
    Subcategory ID.AM-1: Physical devices and systems within the organization are inventoried
      Informative References: • CCS CSC 1 • COBIT 5 • ISA 62443-2-1:2009
    Subcategory ID.AM-2: Software platforms and applications within the organization are inventoried
      Informative References: • CCS CSC 1 • COBIT 5 • ISA 62443-2-1:2009

Page 24: NIST Critical Security Framework (CSF)

Everything kinda looks the same…

Page 25: NIST Critical Security Framework (CSF)

Use CSF as an ingredient in a custom control framework

Inputs: Risk Profile, Requirements & Resources
Standards: ISO/IEC 27001 + NIST Cybersecurity Framework + ISA 62443
Output: Tailored Control Framework

Page 26: NIST Critical Security Framework (CSF)

Use CSF to “normalize” existing frameworks to a common language

Inputs: Risk Profile, Requirements & Resources
Existing frameworks: ISO/IEC 27001, CIS Critical Security Controls, ISA 62443
“Normalization Layer”: NIST Cybersecurity Framework

Page 27: NIST Critical Security Framework (CSF)

CSF Component 2 – Framework Implementation Tiers

How cybersecurity risks and processes are viewed within the organization, in increasing sophistication:
• Tier 1 – Partial
• Tier 2 – Risk Informed
• Tier 3 – Repeatable
• Tier 4 – Adaptive

Page 28: NIST Critical Security Framework (CSF)

CSF Component 3 – Framework Profile

• Presents an overview of present and future cybersecurity posture, driven by business requirements, risk tolerance and resources
• Used to define the current state and the desired state
• Can help measure progress...

Page 29: NIST Critical Security Framework (CSF)

A Common Language for All Levels

Executive level. Focus: organizational risk. Actions: risk decisions, priorities.
  ↓ priorities, risk appetite, budget          ↑ status, changes in risk
Process level. Focus: risk management. Actions: select Profile, allocate budget.
  ↓ Framework Profile                          ↑ implementation progress; vulnerabilities, threats, assets
Operations level. Focus: risk management implementation. Actions: secure infrastructure, implement Profile.

Page 30: NIST Critical Security Framework (CSF)

Process

1. Prioritize and Scope: business objectives, priorities, strategy
2. Orient: related systems, assets, regulations
3. Risk Assessment: exposure, tolerance
4. Create Current Profile: where you are now
5. Create Target Profile: where you need to be
6. Gap Analysis: delta between Current and Target
7. Action Plan

MEASURE, then repeat
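As an added worked example (not from the deck, from NIST or from Tenable), the following Python models steps 4 to 7 above: a Current Profile and a Target Profile held as dictionaries of subcategory identifier to Implementation Tier, a gap analysis that orders the deltas for the action plan, and a roll-up per Function for reporting progress to the executive level. Scoring each subcategory with the 1..4 Tiers is an assumption of this example (NIST does not prescribe it, though many adopters do so to make a Profile measurable); the tier values are constructed, and the identifier syntax follows the Structure slide (Function.Category-Number).

```python
"""NIST CSF profile gap analysis (added example; constructed data).

Assumption: each subcategory in a Profile is scored with the Implementation
Tier (1 Partial .. 4 Adaptive) at which it is practised. NIST does not
prescribe this; it is a common way adopters make a Profile measurable.
"""
import re
from collections import defaultdict
from statistics import mean

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Function (2 letters) . Category (2 letters) - Subcategory number, e.g. ID.AM-1
SUBCATEGORY_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d{1,2})$")


def parse_subcategory(sub_id):
    """Split 'ID.AM-1' into ('ID', 'ID.AM', 1); reject malformed identifiers."""
    m = SUBCATEGORY_RE.match(sub_id)
    if not m:
        raise ValueError(f"not a CSF subcategory identifier: {sub_id!r}")
    function, category, number = m.groups()
    return function, f"{function}.{category}", int(number)


def _check_tier(sub_id, tier):
    if tier not in TIERS:
        raise ValueError(f"{sub_id}: tier must be 1..4, got {tier!r}")
    return tier


def gap_analysis(current, target):
    """Delta between Current and Target Profile, largest gaps first.

    The Target Profile defines the scope. A subcategory missing from the
    Current Profile has never been assessed; it is scored Tier 1 (Partial)
    and flagged, rather than silently dropped from the gap list.
    """
    rows = []
    for sub_id, want in target.items():
        function, category, _ = parse_subcategory(sub_id)
        _check_tier(sub_id, want)
        assessed = sub_id in current
        have = _check_tier(sub_id, current[sub_id]) if assessed else 1
        rows.append({"id": sub_id, "function": function, "category": category,
                     "current": have, "target": want, "gap": want - have,
                     "assessed": assessed})
    rows.sort(key=lambda r: (-r["gap"], r["id"]))  # action plan order
    return rows


def rollup_by_function(rows):
    """Per-Function summary for the executive view of progress towards target."""
    by_fn = defaultdict(list)
    for r in rows:
        by_fn[r["function"]].append(r)
    summary = {}
    for fn, fn_rows in by_fn.items():
        summary[fn] = {
            "name": FUNCTIONS[fn],
            "current_avg": round(mean(r["current"] for r in fn_rows), 2),
            "target_avg": round(mean(r["target"] for r in fn_rows), 2),
            "open_gaps": sum(1 for r in fn_rows if r["gap"] > 0),
            "unassessed": sum(1 for r in fn_rows if not r["assessed"]),
        }
    return summary


# Constructed sample profiles: the identifiers are real CSF subcategories,
# the tier values are invented for illustration. RC.RP-1 was never assessed.
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 3, "PR.DS-1": 2,
                   "DE.CM-1": 1, "DE.AE-1": 2, "RS.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "PR.DS-1": 3,
                  "DE.CM-1": 3, "DE.AE-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}

if __name__ == "__main__":
    rows = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for r in rows:
        flag = "" if r["assessed"] else "  (never assessed)"
        print(f"{r['id']:8} {TIERS[r['current']]:14} -> {TIERS[r['target']]:14} gap {r['gap']}{flag}")
    for fn, s in rollup_by_function(rows).items():
        print(f"{s['name']:9} current {s['current_avg']}  target {s['target_avg']}  open gaps {s['open_gaps']}")
```

Re-running `gap_analysis` after each remediation cycle with the same Target Profile is the MEASURE step: the row count with a positive gap and the per-Function averages are the numbers that move, and the never-assessed flag stops an unmeasured area from looking like a closed gap.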

Page 31: NIST Critical Security Framework (CSF)

How is CSF Different?

• Expresses cybersecurity activities in a common language
• Leverages existing standards – does not reinvent the wheel – existing processes/guidelines can be mapped into CSF
• Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives
• Provides a vehicle to effectively measure cybersecurity effectiveness independent of the existing framework

Page 32: NIST Critical Security Framework (CSF)

How does CSF help you?

CSF helps you to do all these great things…
• Reduce chance of breach and liability
• Ability to know status “on the fly”
• Communicate adherence to business, business partners, customers and auditors
• Meet contractual obligations
• Prioritize and evaluate security investments
• Reduce resource drain and impact of multiple audits

Page 33: NIST Critical Security Framework (CSF)

Gartner says…

“The CSF is an absolute minimum of guidance for new or existing cybersecurity risk programs…”

*Gartner webinar: Using the NIST Cybersecurity Framework, https://www.gartner.com/user/registration/webinar?resId=3163821

Page 34: NIST Critical Security Framework (CSF)

Gartner predicts:

“By 2020, more than 50 percent of organizations will use the NIST Cybersecurity Framework, up from the current 30 percent in 2015”

*Gartner webinar: Using the NIST Cybersecurity Framework, https://www.gartner.com/user/registration/webinar?resId=3163821

Page 35: NIST Critical Security Framework (CSF)

To MEASURE, you need DATA…

Page 36: NIST Critical Security Framework (CSF)

…and MORE DATA...

Page 37: NIST Critical Security Framework (CSF)

Ingredients to Measuring Compliance

• Endpoint Assessment
• Network Monitoring
• Analytics
• Event Monitoring
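To show what “data” means for a single subcategory, here is an added Python example (constructed inputs; not Tenable tooling and not NIST text) that measures ID.AM-1, physical devices and systems are inventoried, from two of the ingredients above: an endpoint/CMDB asset register and the devices that passive network monitoring has actually seen. It normalizes the MAC address formats that differ between sources, reports inventory coverage, lists the unmanaged devices that are on the wire but not in the register, and lists register entries that monitoring never observed. The 98% target threshold is an assumed policy value.

```python
"""Measuring CSF subcategory ID.AM-1 ("Physical devices and systems within the
organization are inventoried") from data (added example; constructed inputs).
"""


def normalize_mac(mac):
    """Canonical 'aa:bb:cc:dd:ee:ff'; sources disagree on separators and case."""
    digits = "".join(ch for ch in mac if ch not in ":-.").lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def measure_asset_inventory(register, observed, target_coverage=0.98):
    """Compare the asset register (what we think we have) with what network
    monitoring saw (what is actually there).

    coverage       share of observed devices that are in the register
    unmanaged      observed devices missing from the register: the ones an
                   attacker can use and nobody patches
    not_observed   register entries monitoring never saw: retired, offline,
                   or on a segment without a sensor (a blind spot to fix)
    With no observations at all, coverage is 0.0: no data, no claim.
    """
    known = {normalize_mac(a["mac"]): a for a in register}
    seen = {}
    for o in observed:  # several sightings of one device collapse to the latest
        mac = normalize_mac(o["mac"])
        if mac not in seen or o["last_seen"] > seen[mac]["last_seen"]:
            seen[mac] = dict(o, mac=mac)
    unmanaged = sorted((seen[m] for m in seen if m not in known), key=lambda d: d["ip"])
    not_observed = [a["hostname"] for m, a in known.items() if m not in seen]
    coverage = (len(seen) - len(unmanaged)) / len(seen) if seen else 0.0
    return {"observed": len(seen), "coverage": coverage,
            "meets_target": coverage >= target_coverage,
            "unmanaged": unmanaged, "not_observed": not_observed}


# Constructed sample data. The register is what a CMDB/endpoint agent knows;
# the observations are what a passive network sensor recorded over 30 days
# (ISO dates compare correctly as strings).
ASSET_REGISTER = [
    {"hostname": "fs01",     "mac": "00-1A-2B-3C-4D-01", "owner": "finance"},
    {"hostname": "web01",    "mac": "00:1a:2b:3c:4d:02", "owner": "it"},
    {"hostname": "db01",     "mac": "001A2B3C4D03",      "owner": "it"},
    {"hostname": "oldprint", "mac": "00:1a:2b:3c:4d:09", "owner": "facilities"},
]
OBSERVED_DEVICES = [
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.0.1.10", "last_seen": "2016-03-28"},
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.0.1.20", "last_seen": "2016-03-29"},
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.0.1.30", "last_seen": "2016-03-29"},
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.0.1.31", "last_seen": "2016-03-12"},  # older sighting
    {"mac": "AC:DE:48:00:11:22", "ip": "10.0.1.77", "last_seen": "2016-03-29"},  # not in register
    {"mac": "ac-de-48-00-11-23", "ip": "10.0.1.78", "last_seen": "2016-03-15"},  # not in register
]

if __name__ == "__main__":
    result = measure_asset_inventory(ASSET_REGISTER, OBSERVED_DEVICES)
    print(f"ID.AM-1 coverage: {result['coverage']:.0%} of {result['observed']} observed devices "
          f"({'meets' if result['meets_target'] else 'below'} target)")
    for d in result["unmanaged"]:
        print(f"  unmanaged: {d['mac']} at {d['ip']} last seen {d['last_seen']}")
    for h in result["not_observed"]:
        print(f"  in register, never observed: {h}")
```

The same pattern (authoritative list versus observed reality, joined on a normalized key) measures ID.AM-2 with an approved-software list against installed packages from endpoint assessment, and the coverage figure is what feeds the Current Profile instead of a self-assessed tick box.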

Page 38: NIST Critical Security Framework (CSF)
Page 39: NIST Critical Security Framework (CSF)
Page 40: NIST Critical Security Framework (CSF)

Three-Year Action Plan Tool:

http://www.tenable.com/whitepapers/nist-csf-implementation-planning-tool

Page 41: NIST Critical Security Framework (CSF)

Contact me: [email protected]

Website: http://www.tenable.com

blog.tenable.com | tenable.com/podcast | youtube.com/tenablesecurity | discussions.nessus.org

Page 42: NIST Critical Security Framework (CSF)

Thank You

Dick Bussiere | Technical Director | Asia Pacific