Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF)
Larry Wilson, [email protected], ISACA Breakfast Meeting, January 2016
Agenda
• Part 1: The Threat Situation
• Part 2: The Risk Equation
• Part 3: Protecting the Assets
• Part 4: The Program Deliverables
Part 1: The Threat Situation
Data is the New Oil
The Problem: Data is Everywhere
• Growing attack surface
• Consumerization of IT
• Public, private, hybrid cloud
• Mobile applications
• Privileged accounts
• Internet of Things
The Challenges: Business, Technology, Compliance, Skills
• The Key Business Challenges
• The Key Technology Challenges
• The Key Workforce Challenges
• Legal, Regulatory, Compliance Challenges
Cyber Attacks Could Put Humans and Infrastructure at Risk
The Possible Consequences
We have executive attention ... Now What?
The UMASS Cybersecurity Program Approach
The Asset Inventory
• Network Diagrams / Data Flow Diagrams
• Asset Inventory, Configuration, Vulnerabilities
• Endpoint Devices
• Data Center Systems (Servers, Databases)
• Network Devices
• Key Business Applications
• Confidential Data Inventory
• List of Users with Administrative Accounts
Industry Standard Controls
The Security Technologies
• Network Technologies: Firewalls, IPS, URL Filtering, Wireless, NAC; Vulnerability Management; Directory Service
• Endpoint / Server / Database Technologies: Hardware / Software / Configuration Management; Security Incident & Event Management (SIEM); Anti-Virus, Data Loss Protection, etc.
• Application Security: Web App Scanning, Web App Firewall
Current & Target Security Profile
• Current Profile: a score per Critical Security Control, compared with its target score
• Target Profile Roadmap: a score per Critical Security Control, compared with its target score
Part 2: The Risk Equation
Calculating Risk
How do we calculate risk? Risk is based on the likelihood and impact of a cybersecurity incident or data breach.
• Threats involve the potential attack against IT resources and information assets.
• Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat.
• Asset Value is based on the criticality of IT resources and information assets.
• Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities.
• Managed assets = strong controls; unmanaged assets = weak controls.
Risk = Threats × Vulnerabilities × Asset Value
• Managed Assets: Threats × Vulnerabilities × Asset Value, offset by Strong Controls
• Unmanaged Assets: Threats × Vulnerabilities × Asset Value, offset by Weak Controls
Unmanaged vs. Managed Assets
Our managed assets ARE protected:
• We need to understand why security breaches occur
• And the steps to take to prevent them
• And build a portfolio of managed assets
Our unmanaged assets ARE NOT protected:
• There are undetected problems: not seen, not reported
• Our unmanaged assets become easy targets
• Which lead to a breach from missing or ineffective controls
The Asset Families
• The Systems Family: endpoints, mobile, workstations, servers, etc.
• The Networks Family: switches, routers, firewalls, etc.
• The Applications Family: applications, databases, etc.
• The Critical Assets: critical information assets, privileged user access
The NIST Cybersecurity Framework
Framework Core
The Core is organized as Functions, Categories, Subcategories and Informative References. Controls are placed under the five Functions as drawn on the slide:
• IDENTIFY: Control-1, Control-2, Control-3, Control-4
• PROTECT: Control-5, Control-6, Control-7, Control-8
• DETECT: Control-9, Control-10, Control-11, Control-12
• RESPOND: Control-13, Control-14, Control-15, Control-16
• RECOVER: Control-17, Control-18, Control-19, Control-20
Framework Tiers
• Tier 1: Partial. Ad hoc risk management; limited cybersecurity risk awareness; low external participation
• Tier 2: Risk Informed. Some risk management practices; increased awareness, no program; informal external participation
• Tier 3: Repeatable. Formalized risk management; organization-wide program; receives external partner info
• Tier 4: Adaptive. Adaptive risk management practice; cultural, risk-informed program; actively shares information
Framework Profile
• Current Profile: current state of alignment between core elements and organizational requirements, risk tolerance, and resources. Where am I today relative to the Framework?
• Target Profile: desired state of alignment between core elements and organizational requirements, risk tolerance, and resources. Where do I aspire to be relative to the Framework?
• Roadmap: the path from Weak Controls to Strong Controls
The Critical Security Controls
CSC 1.0 Inventory of Authorized & Unauthorized Devices (6 Controls)
CSC 2.0 Inventory of Authorized & Unauthorized Software (4 Controls)
CSC 3.0 Secure Configurations for Mobile Devices, Laptops, Workstations, and Servers (7 Controls)
CSC 4.0 Continuous Vulnerability Assessment & Remediation (8 Controls)
CSC 5.0 Controlled Use of Administration Privileges (9 Controls)
CSC 6.0 Maintenance, Monitoring & Analysis of Audit Logs (6 Controls)
CSC 7.0 Email & Web Browser Protection (8 Controls)
CSC 8.0 Malware Defenses (6 Controls)
CSC 9.0 Limitation and Control of Network Ports, Protocols, Services (6 Controls)
CSC 10.0 Data Recovery Capability (4 Controls)
CSC 11.0 Secure Configurations for Network Devices (Firewalls, Routers, Switches) (7 Controls)
CSC 12.0 Boundary Defense (10 Controls)
CSC 13.0 Data Protection (9 Controls)
CSC 14.0 Controlled Access Based on the Need to Know (7 Controls)
CSC 15.0 Wireless Access Control (9 Controls)
CSC 16.0 Account Monitoring & Control (14 Controls)
CSC 17.0 Security Skills Assessment & Training to Fill Gaps (5 Controls)
CSC 18.0 Application Software Security (9 Controls)
CSC 19.0 Incident Response and Management (7 Controls)
CSC 20.0 Penetration Tests and Red Team Exercises (8 Controls)
The 20 Critical Security Controls
How the Controls Work (Part 1): They map to the Assets
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configuration of Endpoints, Servers, Workstations
• CSC 4: Continuous Vulnerability Assessment and Remediation
For each control the slide shows the Security Technology and Algorithms applied, and the Managed Assets they cover.
How the Controls Work (Part 2): They map to the Framework
Cybersecurity Framework (CSF) Core (two-letter codes are the CSF category abbreviations under each Function)

CIS Critical Security Controls (V 6.0) | Asset Family | IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER
CSC-01: Inventory of Authorized and Unauthorized Devices | Systems | AM | | | |
CSC-02: Inventory of Authorized and Unauthorized Software | Systems | AM | | | |
CSC-03: Secure Configuration of Endpoints, Servers, etc. | Systems | | IP | | |
CSC-04: Continuous Vulnerability Assessment and Remediation | Systems | RA | | CM | MI |
CSC-05: Controlled Use of Administrative Privileges | Systems | | AC | | |
CSC-06: Maintenance, Monitoring and Analysis of Audit Logs | Systems | | | AE | AN |
CSC-07: Email and Web Browser Protections | Systems | | PT | | |
CSC-08: Malware Defenses | Systems | | PT | CM | |
CSC-09: Limitation and Control of Ports, Protocols, Services | Systems | | IP | | |
CSC-10: Data Recovery Capability | Systems | | | | | RP
CSC-11: Secure Configuration of Network Devices | Networks | | IP | | |
CSC-12: Boundary Defense | Networks | | | DP | |
CSC-13: Data Protection | Applications | | DS | | |
CSC-14: Controlled Access Based on Need to Know | Networks | | AC | | |
CSC-15: Wireless Access Control | Networks | | AC | | |
CSC-16: Account Monitoring and Control | Applications | | AC | CM | |
CSC-17: Security Skills Assessment and Appropriate Training | Applications | | AT | | |
CSC-18: Application Software Security | Applications | | IP | | |
CSC-19: Incident Response and Management | Applications | | | AE | RP |
CSC-20: Penetration Tests and Red Team Exercises | Applications | | | | IM | IM
Part 3: Protecting the Assets
Today's Cybersecurity Programs Are "Closed or Proprietary"
Examples shown: The Cisco Cybersecurity Framework; EY's Cyber Program Management (CPM) Framework; Deloitte Cyber Risk Management Strategy; The Oracle Cybersecurity Framework.
Themes from these frameworks: Cyber Risk as a Strategic Issue; Develop Policies and Frameworks; Spread Awareness and Education; Invest in Effective Implementation; Secure, Vigilant, Resilient.
The UMASS Cybersecurity Program Is "Open and Freely Available"
The Controls Factory takes Unmanaged Assets as input and produces Managed Assets as output through six components:
1. Threat Office: Threats, Vulnerabilities, IOCs, Attack Chain, Threat & Attack Risk Vectors
2. Design Center: Internal Controls, Controls Framework, Controls Standards
3. Technology Center: Design Guides, Build Guides, Run Guides
4. Monitoring Center: Asset / Configuration Monitoring, Netflow / Packet Monitoring, Syslog / Event Monitoring
5. Testing Center: Controls / Risk Assessment, Technology / Services Assessment, Operations Assessment
6. Risk Office: Cybersecurity Program, Policy & Training, Program Deliverables / Roadmap / Communications
Inside the Controls Factory: The Functional Requirements
Input: Unmanaged Assets. Output: Managed Assets.
Programs: P1: System Family, P2: Network Family, P3: Applications Family, P4: Crown Jewels
1. Threats: Exposure
2. Controls: Safeguards
3. Technology: Algorithms
4. Monitoring: Visibility
5. Testing: Assurance
6. Risk: Management
Inside the Controls Factory: The Technical Requirements
Input: Unmanaged Assets. Output: Managed Assets.
Programs: P1: System Family, P2: Network Family, P3: Applications Family, P4: Crown Jewels
Lines of defense: 1st Line of Defense, 2nd Line of Defense, 3rd Line of Defense, 4th Line of Defense
The six factory components (Threat Office, Design Center, Technology Center, Monitoring Center, Testing Center, Risk Office) are the ones listed above.
The Design, Build, Run, Test Area
Design Center, Technology Center, Monitoring Center, Testing Center
Vendor technologies shown: Qualys, Palo Alto, Dell Kace, Bit9, Microsoft, Oracle, Tenable, Cisco, EiQ, Veracode, IBM, CheckPoint, Intel, HP
Input: Unmanaged Networks, Unmanaged Servers, Unmanaged Endpoints
Programs: P1: System Family, P2: Network Family, P3: Applications Family, P4: Crown Jewels
The UMASS Controls Factory Model
Input: Unmanaged Assets, the Current Profile (Before the Factory). Output: Managed Assets, the Target Profile (After the Factory).
The Threat Area
• Threat Office: Threats, Vulnerabilities, IOCs
The Design, Build, Run, Test Area
• Design Center: Controls Framework, Controls Standards, Internal Controls Process
• Technology Center: Design Guides, Build Guides, Run Guides
• Monitoring Center: Threat, Vulnerability, IOC Monitoring; Asset, Software, Configuration Monitoring; Netflow, Packet, Security Event Monitoring
• Testing Center: Controls & Risk Assessment, Technology & Services Assessment, Operations Assessment
The Risk Area
• Risk Office: Policy, Training & Awareness; The Risk Management Practice; Deliverables, Communication, Roadmap
The Threat Office
• Threats, Vulnerabilities, IOCs
• Actionable Threat Intelligence
• The Cyber Attack Chain
• BitSight Threat Categories
Mapping Threats to the Asset Families: Applications, Systems, Networks, Critical Assets
The Design Center
• Internal Controls Process
• The Controls Framework
• The Controls Standards
Mapping Controls to the Asset Families: Applications, Systems, Networks, Critical Assets
The Technology Center
• Design Guides: Cybersecurity Technology Design Guide
• Build Guides: Cybersecurity Technology Build Guide
• Run Guides: Cybersecurity Technology Run Guide
Mapping Technology Solutions to the Asset Families: Applications, Systems, Networks, Critical Assets
The Monitoring Center
• Asset, Software, Configuration Monitoring
• Threats, Vulnerabilities, IOC Monitoring
• Netflow, Packet, Security Event Monitoring
Mapping Cybersecurity Operations to the Asset Families: Applications, Systems, Networks, Critical Assets
The Testing Center
• Controls / Risk Assessments
• Technology Assessments
• Operations Assessments
• Penetration Testing Methodology: Black Box Testing, Gray Box Testing, White Box Testing
Mapping Cybersecurity Testing to the Asset Groups: Applications, Systems, Networks, Critical Assets
The Risk Office
• Cyber Risk Practice
• Program Deliverables, Communications & Roadmap
• The Security Policies
Mapping Cyber Risk Practices to Asset Families: Applications, Systems, Networks, Critical Assets
Part 4: The Program Deliverables
The Controls Factory
Input: Unmanaged Assets. Output: Managed Assets.
Programs and lines of defense:
• P1: Systems Family Program (1st Line Defense)
• P2: Networks Family Program (2nd Line Defense)
• P3: Applications Family Program (3rd Line Defense)
• P4: Crown Jewels Program (4th Line Defense)
Factory components and what each delivers:
• Threat Office: Attack Vectors
• Design Center: Controls Design
• Technology Center: Technology Build
• Monitoring Center: Operations Run
• Testing Center: QA Test
• Risk Office: Risk Management
P1: The Systems Security Program
P2: The Network Security Program
P3: The Applications Security Program
P4: The Crown Jewels Program
Each of the four programs is built from the same six elements: 1. The Assets, 2. The Controls, 3. The Technical Solutions, 4. The Monitoring, 5. The Testing, 6. The Risk Office.
The Program Mapping
Cyber Attack Chain stages 1 through 7, grouped as Before the Attack, During the Attack, After the Attack.
NIST Controls Framework functions: Identify, Protect, Detect, Respond, Recover.
Controls Standards:
• Management Controls (ISO 27001:2013)
• Technical Controls (Council on Cyber-security CSC)
• Operations Controls (ISO 27001:2013)
Unmanaged Asset Groups, through Technologies & Services, become Managed Asset Groups: Managed Systems Family, Managed Networks Family, Managed Applications Family, Managed Crown Jewels.
Continuous Monitoring: Netflow, Packet, Event Monitoring; Threat & Vulnerability Monitoring; Asset, Software, Configuration Monitoring.
Assessments & Testing: Controls / Risk Assessment; Technology / Services Assessment; Operations Assessment.
The Maturity Scorecard
The Current Profile
[Chart: Controls Maturity (0%, 25%, 50%, 75%, 100%) plotted for Critical Security Controls 1 through 20, with a candidate Target Score = 75% line, across P1: Systems Security Program, P2: Network Security Program and P3: Application Security Program]
Note: Target Score (by control) and implementation timeline (by control) to be determined.
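A worked version of the scorecard idea, added here as an example and not UMASS's own tooling: it encodes the deck's CSC-to-asset-family and CSC-to-CSF-function mapping table, takes constructed sample maturity scores against the 75% candidate target, and reports the gap per control, per program family and per CSF function, then cuts the controls into implementation waves the way the roadmap table does. It assumes the standard CSF function abbreviations (ID/PR/DE/RS/RC) and places CSC-10's RP under RECOVER and CSC-19's RP under RESPOND.

```python
"""Current-vs-target profile gap analysis over the 20 CSCs (added example, not UMASS code)."""
from collections import defaultdict

TARGET = 75  # the candidate target score from the scorecard, in percent

# CSC number: (asset family, "FUNC:CAT" pairs) transcribed from the mapping table in this deck.
# Function abbreviations: ID/PR/DE/RS/RC = Identify/Protect/Detect/Respond/Recover.
CSC_MAP = {
    1: ("Systems", "ID:AM"), 2: ("Systems", "ID:AM"), 3: ("Systems", "PR:IP"),
    4: ("Systems", "ID:RA DE:CM RS:MI"), 5: ("Systems", "PR:AC"),
    6: ("Systems", "DE:AE RS:AN"), 7: ("Systems", "PR:PT"),
    8: ("Systems", "PR:PT DE:CM"), 9: ("Systems", "PR:IP"), 10: ("Systems", "RC:RP"),
    11: ("Networks", "PR:IP"), 12: ("Networks", "DE:DP"), 13: ("Applications", "PR:DS"),
    14: ("Networks", "PR:AC"), 15: ("Networks", "PR:AC"),
    16: ("Applications", "PR:AC DE:CM"), 17: ("Applications", "PR:AT"),
    18: ("Applications", "PR:IP"), 19: ("Applications", "DE:AE RS:RP"),
    20: ("Applications", "RS:IM RC:IM"),
}

# Constructed sample maturity scores (percent); they stand in for a real current profile.
CURRENT_PROFILE = {
    1: 40, 2: 35, 3: 50, 4: 60, 5: 30, 6: 45, 7: 80, 8: 70, 9: 55, 10: 90,
    11: 65, 12: 85, 13: 50, 14: 75, 15: 80, 16: 60, 17: 25, 18: 70, 19: 40, 20: 75,
}


def control_gaps(current, target=TARGET):
    """Controls below target, as {csc: maturity points still to gain}."""
    return {c: target - s for c, s in sorted(current.items()) if s < target}


def gap_by_family(current, target=TARGET):
    """Total gap per asset family: which of the P1-P3 programs carries the most work."""
    totals = defaultdict(int)
    for csc, gap in control_gaps(current, target).items():
        totals[CSC_MAP[csc][0]] += gap
    return dict(totals)


def gap_by_function(current, target=TARGET):
    """Total gap per CSF function; a control mapped to several functions counts toward each."""
    totals = defaultdict(int)
    for csc, gap in control_gaps(current, target).items():
        for pair in CSC_MAP[csc][1].split():
            totals[pair.split(":")[0]] += gap
    return dict(totals)


def roadmap(current, target=TARGET, per_wave=3):
    """Order controls by gap (largest first, ties by CSC number) and cut them into waves."""
    gaps = control_gaps(current, target)
    ordered = sorted(gaps, key=lambda c: (-gaps[c], c))
    return [ordered[i:i + per_wave] for i in range(0, len(ordered), per_wave)]
```

With the sample scores the Systems family carries the largest total gap and PROTECT is the function with the most work, which is the kind of reading the scorecard is meant to give before targets and timelines are fixed per control.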
The Program Roadmap
Priority 1 (Implementation Start: Q1, 2016)
• Findings / Recommendations: Review / update as needed network architecture based on Palo Alto recommendation
• Critical Security Control Mapping: CSC-12: Boundary Defense
Priority 2 (Implementation Start: Q2, 2016)
• Findings / Recommendations: Fully utilize Endpoint Management, SIEM, Vulnerability Scanner to establish device inventory, software inventory, standard device configurations. Implement 2F authentication, jump box, and a Log Management program (SIEM) for privileged accounts. Consider purchasing a SIEM or subscribing to Managed Security Monitoring Services for device monitoring.
• Critical Security Control Mapping: CSC-01: Inventory of Authorized and Unauthorized Devices; CSC-02: Inventory of Authorized and Unauthorized Software; CSC-03: Secure Configuration of Endpoints, Servers, etc.; CSC-05: Controlled Use of Administrative Privileges; CSC-06: Maintenance, Monitoring and Analysis of Audit Logs; CSC-11: Secure Configuration of Network Devices
Priority 3 (Implementation Start: Q2, 2016)
• Findings / Recommendations: Use DLP Solution to locate, classify, manage, remove PII and critical business data
• Critical Security Control Mapping: CSC-13: Data Protection
Priority 4 (Implementation Start: Q4, 2016)
• Findings / Recommendations: Implement a Threat and Vulnerability Management program, a Log Management program (SIEM). Block known C2 domains via DNS restrictions (NextGen FW). Implement malicious URL filtering (NextGen FW). Limit use of ports, protocols and services to only those that are necessary (Port Scanning).
• Critical Security Control Mapping: CSC-04: Continuous Vulnerability Assessment & Remediation; CSC-08: Malware Defenses; CSC-09: Limitation and Control of Ports, Protocols, Services
Priority 5 (Implementation Start: Q4, 2016)
• Findings / Recommendations: Implement formal Security Awareness and Security Skills Assessment Program
• Critical Security Control Mapping: CSC-17: Security Skills Assessment and Appropriate Training
Priority 6 (Implementation Start: Q4, 2016)
• Findings / Recommendations: Establish, document, implement, maintain Incident Response & Forensics Program
• Critical Security Control Mapping: CSC-19: Incident Response and Management
UMASS Cybersecurity Services
1. Threat and Vulnerability Management Practice: Provide our customers with the latest threat and vulnerability intelligence information through collaboration and sharing with our service partners.
2. Cybersecurity Program Design and Build Service: Help our customers design, implement and maintain their cybersecurity program based on the NIST Cybersecurity Framework and 20 Critical Security Controls.
3. Cybersecurity Operations and Incident Response Service: Provide 24x7 continuous security monitoring, alerting and escalation, ensuring incidents are detected, investigated, communicated, remediated and reported.
4. Cybersecurity Risk Management Practice: TBD (to be defined). Possibly based on the DHS Cyber Resilience Review.
5. Cybersecurity Education, Training, Awareness: Includes CAE-2Y, CAE-4Y, CAE-R, Industry Certification training (work with ISACA and ISC2), Designing and Building a Cybersecurity Program based on the NIST Framework, Cybersecurity Awareness and Skills Training.
6. Sponsored Projects, Testing, Student Internships: Sponsored projects from ACSC members and other industry partners, defined and delivered through a Statement of Work (SOW), using University security lab services, delivered and managed by student internships under supervision of the University President's Office and campus IT departments.