Conference 2018
Welcome!
Getting to Defensible: Your Roadmap to Maturing Defensible Security in your Organization
Global Context
- global annual cybercrime will cost the world in excess of $6 trillion annually by 2021 - this is an increase from $400 billion in early 2015
- global spending on cybersecurity defence is projected to exceed $1 trillion over the next 5 years
- U.S. has declared a national emergency to deal with the cyber threat
- global shortage of cybersecurity professionals is expected to reach 2 million by 2019 - now expected to be 3.5 million by 2021 - Canada’s share expected to be 62-65,000
* source: Herjavec 2016 Cybercrime Report
Key Messages
- incidents are increasing in frequency and are more sophisticated and targeted than ever
- no organization globally is immune to attack
- doing the basics well will stop 80% of the problems
- organizations will be judged not only on their ability to prevent but to detect and respond
- security is not just an IT problem, it’s business enterprise risk
- security is a top issue of concern for executives and Boards of Directors globally
Questions the CEO/Board are Asking
1. do you know what our critical systems and data are?
2. what are the security controls in place?
3. are the controls sufficient to mitigate risk to an acceptable level?
Questions the CEO/Board Should Answer
1. what are the key cybersecurity risks affecting your industry/organization?
2. is your organization aligned with an existing industry security standard (i.e. ISO or NIST)?
3. what is your current capability/maturity rating? (0 - Not Implemented, 1 - Initial, 2 - Repeatable, 3 - Defined, 4 - Managed, 5 - Optimized)
4. what is your desired capability/maturity rating?
5. do you have a plan to reach the desired level?
6. how frequently do you receive plan updates?
7. is security a recurring item on the board agenda?
Approach
- pick a standard relevant to your organization and industry (e.g. ISO, NIST, NERC)
- develop your security program consistent with the standard
- perform a self-assessment
- determine future state
- perform gap analysis
- plan, prioritize, execute
- consider third party assessment
Consider Maturity Level

Maturity: Low - Approach: Risk register
  1. identify key risks
  2. rate inherent risk and trend
  3. identify controls in place
  4. rate residual risk
  5. compare with risk appetite

Maturity: Medium - Approach: Standards-based compliance
  1. identify an appropriate standard for your organization
  2. assess present state
  3. determine desired target state based on appropriate controls
  4. gap analysis
  5. plan, prioritize
  6. execute

Maturity: High - Approach: Capability-based
  1. review trends in environment
  2. focus on changes in risk posture
  3. consider relevant updates in standards
  4. augment with increased capabilities
Defensible Security
[figure: maturity ladder with levels hygiene, compliance, risk-based security, world-class; the "defensible" level is marked on the ladder]
- what is it
- where it came from
- why is it needed
- next steps
DefSec Triage
[figure: four wedges - Prerequisites, Directives, Respiration, DNA - with the control elements listed below]

Security Prerequisites: Executive Support; Roles & Responsibilities; Crown Jewels; Risk Appetite & Register; Risk Assessment; Security Assessment

Security Directives: Asset Management & Disposal; Change Management; Incident Management; Business Continuity Plan (BCP); Disaster Recovery Plan (DRP); Security Incident Response; Info Security Policy

Security Embedding (DNA) Controls: Info Security Program; Info Security Classification; Security Awareness; Security Governance

Security Respiratory Controls: Backup & Retention; Logging & Monitoring; Physical Security & Visible ID; Criminal Record Checks; Vendor Security Requirements; Access Control; “DiD” for Endpoints & Networks; VM & Patching

“Covering the organization end-to-end”
Raise the Water Level
- increase the security capability across our province to an acceptable level
Hygiene Controls (Procedural)

Security Control: Description
- Information Security Policy: Identify what employees may and may not do that will impact risk to systems and data
- Risk Register: Conscious identification and treatment of physical and logical risks to systems and data
- Risk Assessments: Review risk each time a new system is introduced or upon material change to an existing system
- Incident Response Plan: Respond to inevitable security incidents in a consistent and scalable way
- Incident Response Team: Team that is dedicated, virtual, or on retainer with a third party provider to respond to security incidents
- Security Education and Awareness: Humans represent the easiest method for attackers to gain unauthorized access to systems and data
Hygiene Controls (Technical)

Security Control: Description
- Firewall: Modern version designed to prevent illegitimate network traffic
- Intrusion Prevention: Sensors to prevent unauthorized access to networks and data
- Website Content Filtering: System to detect employee access to inappropriate and infected websites
- Email Content Filtering: System to detect infected email and spam messages
- Anti-virus/Malware: Software to detect malware and viruses on workstations and servers
Defensible Security
Cybersecurity has never been as imperative as it is today. Most organizations have failed to invest at a rate that has sustained previously achieved capability levels. Others have never reached a level of security maturity adequate to mitigate risks to an acceptable level. Organizations must target a level at or above risk-based security. It is critical to ensure hygiene and compliance level controls are in effect. Public sector organizations have a responsibility to apply appropriate safeguards and maintain a defensible level of security.
Defensible security is at or above hygiene + compliance.
Pre-requisites
The following are pre-requisites to success for security:
- Ensure the importance of cybersecurity is recognized by executives
- Information Security roles and responsibilities are identified and assigned
- Identify critical systems and data as the crown jewels of the organization
- Organization’s risk appetite is known and a risk register is reviewed quarterly
- Risk assessments are conducted for new systems and material changes to existing
- Conduct security assessments regularly against an established security standard
Defensible Security
Organizations must have documented, followed, reviewed, updated, and tested:
- Asset Management & Disposal
- Change Management
- Incident Management
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Backup & Retention
- Logging & Monitoring
- Physical Security & Visible Identification
- Security Incident Response
- Information Security Policy
- Information Security Program
- Information Security Classification
- Criminal Record Checks
- Security Awareness Program & Course
- Vendor Security Requirements

The following practices must be in effect:
- Access Control
- Defence in Depth for Endpoints and Networks
- Security Governance
- Vulnerability Management & Patching
Defensible Security
Durations are based on an average-sized organization and intended as a guide. Whether an organization must invest more or less time will depend on scope, volume, and maturity.
[figure legend: H = hours, W = week(s), M = month+; status shading: hazard, hygiene]
Present State
[dashboard of the 25 control elements, each shaded: complete or substantially complete / partially complete or in progress / incomplete or substantially incomplete]
1. Exec awareness  2. Roles & responsibilities  3. Crown jewels  4. Risk appetite  5. Risk assessments  6. Security assessments
7. Asset management  8. Change management  9. Incident management  10. BCP  11. DRP  12. Backup & retention  13. Logging & monitoring  14. Physical & visible ID
15. Incident response  16. Policy (security)  17. Program (security)  18. Info classification  19. Criminal record checks  20. Awareness program/course  21. Vendor requirements
22. Access control  23. DiD for end-points & network  24. Security governance  25. VM & patching

Notes:
- self assessments are notorious for being too generous
- third party assessment provides independence
- may use third party as a baseline to show improvement
- otherwise may prefer to remediate self-assessed gaps first
Future State
[dashboard of the same 25 control elements, shaded with the target status]
1. Exec awareness  2. Roles & responsibilities  3. Crown jewels  4. Risk appetite  5. Risk assessments  6. Security assessments
7. Asset management  8. Change management  9. Incident management  10. BCP  11. DRP  12. Backup & retention  13. Logging & monitoring  14. Physical & visible ID
15. Incident response  16. Policy (security)  17. Program (security)  18. Info classification  19. Criminal record checks  20. Awareness program/course  21. Vendor requirements
22. Access control  23. DiD for end-points & network  24. Security governance  25. VM & patching
3-Step Plan
1. achieve Defensible Security for Public Sector Organizations
2. celebrate the accomplishment
3. embrace a maturity model or selectively choose capabilities for additional investment
Eating the Elephant: Bites 1-6
The following are pre-requisites to success for security:
- Ensure the importance of cybersecurity is recognized by executives
- Information Security roles and responsibilities are identified and assigned
- Identify critical systems and data as the crown jewels of the organization
- Organization’s risk appetite is known and a risk register is reviewed quarterly
- Risk assessments are conducted for new systems and material changes to existing
- Conduct security assessments regularly against an established security standard

- culture and support for security comes from the top
- ensure common understanding of the threat
- how do you find out if you have support?
Engagement

1. Kick-off meeting
This is an in-person, face-to-face meeting with the MISO(s) and Director(s). We begin with a brief introduction on DefSec, outline the project plan, and validate current state. At the end of the meeting, we should have a completed Stakeholder list and a Critical Systems list. We also suggest creating a SharePoint site for the engagement.

2. Engage stakeholders
Once stakeholders for each control element are identified, we suggest MISOs inform them of the engagement. We then schedule meetings with each stakeholder, providing templates and assistance to improve control element ratings.

3. Assess findings
All supporting documents stay within the sector/ministry on their SharePoint site. We access the documents from the SharePoint site and don’t take ownership of any document.

4. Closeout meeting
We present a straightforward report comprising pre- and post-DefSec dashboards, statistics on control changes, recommendations, and next steps. This is an in-person, face-to-face meeting with the MISO(s) and Director(s).

5. Next sector/ministry
We proceed to the next sector/ministry (and repeat the steps) while providing ongoing support to previously assessed sectors/ministries.
Example: Risk Register (Version 1.0)
Identify risks, rate inherent risk and trend; identify key risk mitigation strategies and residual risk; review quarterly.

Columns: Risk | Definition | Inherent risk | Risk trend | Key risk mitigation strategies | Residual risk | Owner

Network Security
  Definition: Insufficiently proactive approach on identification of threats and vulnerabilities in network infrastructure and timely mitigation may result in network outages and exposure
  Inherent risk: H   Risk trend: ↑   Key risk mitigation strategies: •

Data Security
  Definition: Insufficient application of adequate security controls, heightened by increased risks from ransomware and profit-driven cyber criminals, results in an inability to identify and mitigate unauthorized access, disclosure, modification, deletion of sensitive data
  Inherent risk: H   Risk trend: ↑   Key risk mitigation strategies: •
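As an added example (not from the deck), the register method above in Python: rate inherent risk and trend, record mitigation strategies and residual risk, and at the quarterly review flag entries whose residual rating exceeds the risk appetite or that are still incomplete. The mitigations, residual ratings, owners, the appetite value and the abridged definitions are constructed for illustration; only the two risk names and the H/↑ ratings come from the slide.

```python
from dataclasses import dataclass, field
from typing import List, Optional

RATING = {"L": 1, "M": 2, "H": 3}   # ordinal scale so ratings compare: H > M > L

@dataclass
class Risk:
    name: str
    definition: str
    inherent: str                     # inherent risk rating: "L", "M" or "H"
    trend: str                        # risk trend: "↑", "→" or "↓"
    mitigations: List[str] = field(default_factory=list)
    residual: Optional[str] = None    # rated after considering controls in place
    owner: Optional[str] = None

def exceeds_appetite(residual: str, appetite: str) -> bool:
    """True when a residual rating sits above the organization's risk appetite."""
    return RATING[residual] > RATING[appetite]

def quarterly_review(register: List[Risk], appetite: str) -> dict:
    """Quarterly review: compare residual ratings with appetite and return
    {risk name: [findings]}; an empty dict means the register is aligned."""
    findings = {}
    for risk in register:
        issues = []
        if risk.residual is None:
            issues.append("residual risk not rated")
        elif exceeds_appetite(risk.residual, appetite):
            issues.append(f"residual {risk.residual} exceeds appetite {appetite}: augment controls")
        if not risk.mitigations:
            issues.append("no key risk mitigation strategies recorded")
        if risk.owner is None:
            issues.append("no owner assigned")
        if issues:
            findings[risk.name] = issues
    return findings

# Constructed register: two risks named on the slide; mitigations, residual, owner and abridged definitions are illustrative.
REGISTER = [
    Risk("Network Security", "Insufficiently proactive identification and mitigation of "
         "threats and vulnerabilities in network infrastructure", inherent="H", trend="↑",
         mitigations=["intrusion prevention sensors", "vulnerability management & patching"],
         residual="M", owner="Network team lead"),
    Risk("Data Security", "Insufficient controls against unauthorized access, disclosure, "
         "modification or deletion of sensitive data", inherent="H", trend="↑"),
]
if __name__ == "__main__":
    for name, issues in quarterly_review(REGISTER, appetite="M").items():
        print(f"{name}: " + "; ".join(issues))
```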
Eating the Elephant: Bites 7-13
Organizations must have documented, followed, reviewed, updated, and tested:
- Asset Management & Disposal
- Change Management
- Incident Management
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Security Incident Response
- Information Security Policy
Example: Asset Management (Version 1.0)

Columns: Asset name | Owner | Location | Criticality

- Identify scope
- Asset inventory
- Process to add assets when purchased and commissioned
- Process to remove assets when decommissioned and disposed of
Eating the Elephant: Bites 14-18
Organizations must have documented, followed, reviewed, updated, and tested:
- Backup & Retention
- Logging & Monitoring
- Physical Security & Visible Identification
- Criminal Record Checks
- Security Awareness Program & Course
Eating the Elephant: Bites 19-25
The following practices must be in effect:
- Access Control
- Defence in Depth for Endpoints and Networks
- Security Governance
- Vulnerability Management & Patching

Mature organizations have:
- Information Security Classification
- Vendor Security Requirements
- Information Security Program
Building the Plan
The following are pre-requisites to success for security:
- Ensure the importance of cybersecurity is recognized by executives
- Information Security roles and responsibilities are identified and assigned
- Identify critical systems and data as the crown jewels of the organization
- Organization’s risk appetite is known and a risk register is reviewed quarterly
- Risk assessments are conducted for new systems and material changes to existing
- Conduct security assessments regularly against an established security standard

- Asset Management & Disposal
- Change Management
- Incident Management
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Security Incident Response
- Information Security Policy

- Backup & Retention
- Logging & Monitoring
- Physical Security & Visible Identification
- Criminal Record Checks
- Security Awareness Program & Course

- Access Control
- Defence in Depth for Endpoints and Networks
- Security Governance
- Vulnerability Management & Patching

- Information Security Classification
- Vendor Security Requirements
- Information Security Program
Building the Plan (way too long)
[Gantt chart, Month 1 to Month 12; each control element with its recurring review cadence where one was given:]
- Ensure the importance of cybersecurity is recognized by executives
- Information Security roles and responsibilities are identified and assigned
- Identify critical systems and data as the crown jewels of the organization
- Organization’s risk appetite is known and a risk register is reviewed quarterly: quarterly
- Risk assessments are conducted for new systems and material changes to existing: ongoing
- Conduct security assessments regularly against an established security standard: annual
- Asset Management & Disposal: annual
- Change Management: weekly
- Incident Management: daily/annual
- Business Continuity Plan (BCP): annual
- Disaster Recovery Plan (DRP): annual
- Security Incident Response: annual
- Information Security Policy: annual
- Logging & Monitoring: ongoing
- Backup & Retention: annual
- Physical Security & Visible Identification: annual
- Criminal Record Checks: ongoing
- Security Awareness Program & Course: monthly/annual
- Access Control: ongoing & annual
- Multifactor authentication
- Defence in Depth for Endpoints and Networks
- Security Governance: on-demand
- Vulnerability Management & Patching: annual
- Information Security Classification: ongoing
- Vendor Security Requirements: annual
- Information Security Program: annual
Building the Plan (large organization)
[Gantt chart, September to March, with one row each for Sector 1 through Sector 7 and a final Project Close out row; legend: Start, Current progress, End]
Summary
Security programs will be successful when they are:
- supported by executive
- aligned with government and ministry goals
- risk-based, aligned with business and risk appetite
- standards-based, evolve over time
- capture present and target state accurately
- plans are realistic and actionable
- resourced effectively
- focused on building security in from the ground up
- measured/monitored
- continuous improvement
- communicated appropriately
- executed on
Asks
- review risk register quarterly to ensure residual risk aligns with risk appetite and augment controls where it does not
- participate in an annual security assessment and analyze results for opportunities
- build an information security program that is risk-based, compliance-based, or capability-based
- build and exercise incident response plan (BCP as well)
- leverage oversight authority and collaborate with others to ensure a defensible security level
- take advantage of the Defensible Security for Public Sector Organizations (DefSec) initiative and ride the wave…
Questions?