Conference 2018

Welcome! Getting to Defensible: Your Roadmap to Maturing Defensible Security in your Organization

Posted on 09-Aug-2020

TRANSCRIPT

Page 1:

Conference 2018

Welcome!

Getting to Defensible: Your Roadmap to Maturing Defensible Security in your Organization

Page 2:

Global Context

§ global annual cybercrime will cost the world in excess of $6 trillion annually by 2021 - this is an increase from $400 billion in early 2015
§ global spending on cybersecurity defence is projected to exceed $1 trillion over the next 5 years
§ U.S. has declared a national emergency to deal with the cyber threat
§ global shortage of cybersecurity professionals is expected to reach 2 million by 2019 - now expected to be 3.5 million by 2021 - Canada’s share expected to be 62-65,000

* source: Herjavec 2016 Cybercrime Report

Page 3:

Key Messages

§ incidents are increasing in frequency and are more sophisticated and targeted than ever
§ no organization globally is immune to attack
§ doing the basics well will stop 80% of the problems
§ organizations will be judged not only on their ability to prevent but to detect and respond
§ security is not just an IT problem, it’s business enterprise risk
§ security is a top issue of concern for executives and Boards of Directors globally

Page 4:

Questions the CEO/Board are Asking

1. do you know what our critical systems and data are?
2. what are the security controls in place?
3. are the controls sufficient to mitigate risk to an acceptable level?

Page 5:

Questions the CEO/Board Should Answer

1. what are the key cybersecurity risks affecting your industry/organization?
2. is your organization aligned with an existing industry security standard (i.e. ISO or NIST)?
3. what is your current capability/maturity rating? (0 – Not Implemented, 1 – Initial, 2 – Repeatable, 3 – Defined, 4 – Managed, 5 – Optimized)
4. what is your desired capability/maturity rating?
5. do you have a plan to reach the desired level?
6. how frequently do you receive plan updates?
7. is security a recurring item on the board agenda?

Page 6:

Approach

§ pick a standard relevant to your organization and industry (e.g. ISO, NIST, NERC)
§ develop your security program consistent with the standard
§ perform a self-assessment
§ determine future state
§ perform gap analysis
§ plan, prioritize, execute
§ consider third party assessment

Page 7:

Consider Maturity Level

Maturity: Low
Approach: Risk register
Steps:
1. identify key risks
2. rate inherent risk and trend
3. identify controls in place
4. rate residual risk
5. compare with risk appetite

Maturity: Medium
Approach: Standards-based compliance
Steps:
1. identify an appropriate standard for your organization
2. assess present state
3. determine desired target state based on appropriate controls
4. gap analysis
5. plan, prioritize
6. execute

Maturity: High
Approach: Capability-based
Steps:
1. review trends in environment
2. focus on changes in risk posture
3. consider relevant updates in standards
4. augment with increased capabilities

Page 8:

Defensible Security

[Figure: maturity ladder with the levels as listed on the slide: world-class, risk-based security, compliance, hygiene; "defensible" is marked on the ladder]

§ what is it
§ where it came from
§ why is it needed
§ next steps

Page 9:

DefSec Triage

[Figure: four rings labelled Prerequisites, Directives, Respiration and DNA, with the control elements grouped as follows]

Security Prerequisites: Executive Support; Roles & Responsibilities; Crown Jewels; Risk Appetite & Register; Risk Assessment; Security Assessment

Security Directives: Asset Management & Disposal; Change Management; Incident Management; Business Continuity Plan (BCP); Disaster Recovery Plan (DRP); Security Incident Response; Info Security Policy

Security Respiratory Controls: Backup & Retention; Logging & Monitoring; Physical Security & Visible ID; Criminal Record Checks; Vendor Security Requirements; Access Control; "DiD" (Defence in Depth) for Endpoints & Networks; VM (Vulnerability Management) & Patching

Security Embedding (DNA) Controls: Info Security Program; Info Security Classification; Security Awareness; Security Governance

“Covering the organization end-to-end”

Page 10:

Raise the Water Level

§ increase the security capability across our province to an acceptable level

Page 11:

Hygiene Controls (Procedural)

Security Control: purpose

Information Security Policy: identify what employees may and may not do that will impact risk to systems and data
Risk Register: conscious identification and treatment of physical and logical risks to systems and data
Risk Assessments: review risk each time a new system is introduced or upon material change to an existing system
Incident Response Plan: respond to inevitable security incidents in a consistent and scalable way
Incident Response Team: team that is dedicated, virtual, or on retainer with a third party provider to respond to security incidents
Security Education and Awareness: humans represent the easiest method for attackers to gain unauthorized access to systems and data

Page 12:

Hygiene Controls (Technical)

Security Control: purpose

Firewall: modern version designed to prevent illegitimate network traffic
Intrusion Prevention: sensors to prevent unauthorized access to networks and data
Website Content Filtering: system to detect employee access to inappropriate and infected websites
Email Content Filtering: system to detect infected email and spam messages
Anti-virus/Malware: software to detect malware and viruses on workstations and servers

Page 13:

Defensible Security


Cybersecurity has never been as imperative as it is today. Most organizations have failed to invest at a rate that has sustained previously achieved capability levels. Others have never reached a level of security maturity adequate to mitigate risks to an acceptable level. Organizations must target a level at or above risk-based security. It is critical to ensure hygiene and compliance level controls are in effect. Public sector organizations have a responsibility to apply appropriate safeguards and maintain a defensible level of security.

Defensible security is at or above hygiene + compliance

Page 14:

Pre-requisites

The following are pre-requisites to success for security:

☐ Ensure the importance of cybersecurity is recognized by executives
☐ Information Security roles and responsibilities are identified and assigned
☐ Identify critical systems and data as the crown jewels of the organization
☐ Organization’s risk appetite is known and a risk register is reviewed quarterly
☐ Risk assessments are conducted for new systems and material changes to existing
☐ Conduct security assessments regularly against an established security standard

Page 15:

Defensible Security

Organizations must have documented, followed, reviewed, updated, and tested:

☐ Asset Management & Disposal
☐ Change Management
☐ Incident Management
☐ Business Continuity Plan (BCP)
☐ Disaster Recovery Plan (DRP)
☐ Backup & Retention
☐ Logging & Monitoring
☐ Physical Security & Visible Identification
☐ Security Incident Response
☐ Information Security Policy
☐ Information Security Program
☐ Information Security Classification
☐ Criminal Record Checks
☐ Security Awareness Program & Course
☐ Vendor Security Requirements

The following practices must be in effect:

☐ Access Control
☐ Defence in Depth for Endpoints and Networks
☐ Security Governance
☐ Vulnerability Management & Patching

Page 16:

Defensible Security

Durations are based on an average-sized organization and intended as a guide. Whether an organization must invest more or less time will depend on scope, volume, and maturity.

[Figure: effort per control element; legend H = hours, W = week(s), M = month+; scale labelled from "hazard" to "hygiene"]

Page 17:

Defensible Security

Page 18:

Defensible Security

Page 19:

Present State

Control elements on the dashboard:

1. Exec awareness
2. Roles & responsibilities
3. Crown jewels
4. Risk appetite
5. Risk assessments
6. Security assessments
7. Asset management
8. Change management
9. Incident management
10. BCP
11. DRP
12. Backup & retention
13. Logging & monitoring
14. Physical & visible ID
15. Incident response (security)
16. Policy (security)
17. Program (security)
18. Info classification
19. Criminal record checks
20. Awareness program/course
21. Vendor requirements
22. Access control
23. DiD for end-points & network
24. Security governance
25. VM & patching

Rating legend: complete or substantially complete / partially complete or in progress / incomplete or substantially incomplete

Notes:
- self assessments are notorious for being too generous
- third party assessment provides independence
- may use third party as a baseline to show improvement
- otherwise may prefer to remediate self-assessed gaps first

Page 20:

Future State

The same 25 control elements and rating legend as the Present State dashboard, now showing the desired target rating for each element (notes as on the Present State dashboard).
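Turning the two dashboards into a plan, as an added example that is not from the deck or the DefSec initiative: Python that scores the 25 control elements on the slide's three-colour legend, lists where a self-assessment is more favourable than an independent third-party baseline, and orders the gaps to the target state so that the prerequisites (elements 1-6) are tackled first. The element names follow the dashboard; the numeric scoring, the ordering rule and the sample ratings are assumptions constructed for this example.

```python
"""Present-state vs future-state gap analysis over the 25 DefSec control elements.

Added example (not from the deck). Element names follow the dashboard slide;
the scoring, the plan ordering and the sample ratings are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Rating(IntEnum):
    """Dashboard colour legend expressed as an ordered score."""
    INCOMPLETE = 0  # incomplete or substantially incomplete
    PARTIAL = 1     # partially complete or in progress
    COMPLETE = 2    # complete or substantially complete


# Deck order; positions 1-6 are the prerequisites, then bites 7-13, 14-18, 19-25.
CONTROL_ELEMENTS = [
    "Executive awareness", "Roles & responsibilities", "Crown jewels",
    "Risk appetite & register", "Risk assessments", "Security assessments",
    "Asset management & disposal", "Change management", "Incident management",
    "Business continuity plan (BCP)", "Disaster recovery plan (DRP)",
    "Backup & retention", "Logging & monitoring", "Physical security & visible ID",
    "Security incident response", "Information security policy",
    "Information security program", "Information security classification",
    "Criminal record checks", "Security awareness program & course",
    "Vendor security requirements", "Access control",
    "Defence in depth for endpoints & networks", "Security governance",
    "Vulnerability management & patching",
]
BITE_BOUNDARIES = (6, 13, 18, 25)


def bite_group(number: int) -> int:
    """0 = prerequisites, 1..3 = the later 'eating the elephant' groups."""
    return sum(number > b for b in BITE_BOUNDARIES[:-1])


def rate(complete=(), partial=()) -> dict:
    """Build a full rating map from element numbers; unlisted elements are INCOMPLETE."""
    ratings = {name: Rating.INCOMPLETE for name in CONTROL_ELEMENTS}
    for n in partial:
        ratings[CONTROL_ELEMENTS[n - 1]] = Rating.PARTIAL
    for n in complete:
        ratings[CONTROL_ELEMENTS[n - 1]] = Rating.COMPLETE
    return ratings


@dataclass(frozen=True)
class GapItem:
    number: int
    name: str
    present: Rating
    target: Rating

    @property
    def gap(self) -> int:
        return int(self.target) - int(self.present)


def gap_analysis(present: dict, target: dict, default_target=Rating.COMPLETE) -> list:
    """Elements below target, ordered for the plan: prerequisites first, then the later
    bite groups; within a group the largest gap first, ties in deck order."""
    items = []
    for number, name in enumerate(CONTROL_ELEMENTS, start=1):
        p = present.get(name, Rating.INCOMPLETE)
        t = target.get(name, default_target)
        if t > p:
            items.append(GapItem(number, name, p, t))
    return sorted(items, key=lambda g: (bite_group(g.number), -g.gap, g.number))


def generous_self_ratings(self_assessed: dict, third_party: dict) -> list:
    """Elements the organization rated higher than the independent assessor did."""
    return [name for name in CONTROL_ELEMENTS
            if self_assessed.get(name, Rating.INCOMPLETE) > third_party.get(name, Rating.INCOMPLETE)]


def dashboard(ratings: dict) -> dict:
    """Counts per legend colour plus an overall percentage of the defensible level."""
    counts = {r: 0 for r in Rating}
    for name in CONTROL_ELEMENTS:
        counts[ratings.get(name, Rating.INCOMPLETE)] += 1
    score = sum(int(ratings.get(name, Rating.INCOMPLETE)) for name in CONTROL_ELEMENTS)
    return {
        "complete": counts[Rating.COMPLETE],
        "partial": counts[Rating.PARTIAL],
        "incomplete": counts[Rating.INCOMPLETE],
        "percent": round(100 * score / (2 * len(CONTROL_ELEMENTS))),
    }


# Constructed sample: a sector's self-assessment and an independent baseline.
SELF_ASSESSED = rate(complete=[1, 2, 3, 7, 13, 16, 22, 25], partial=[4, 5, 8, 9, 12, 15, 20])
THIRD_PARTY = rate(complete=[1, 2, 3, 7, 16, 22], partial=[4, 5, 8, 9, 12, 13, 15, 20, 25])
TARGET = {}  # every element at COMPLETE: the defensible (hygiene + compliance) level

if __name__ == "__main__":
    print("Self vs third party:", dashboard(SELF_ASSESSED), dashboard(THIRD_PARTY))
    print("Over-generous self ratings:", generous_self_ratings(SELF_ASSESSED, THIRD_PARTY))
    for g in gap_analysis(THIRD_PARTY, TARGET):
        print(f"{g.number:2d} {g.name:45s} {g.present.name:>10s} -> {g.target.name}")
```

With the constructed data the third-party baseline puts the sector at 42% of the defensible level against 46% self-assessed, the two elements rated more generously in-house are logging & monitoring and vulnerability management & patching, and the plan opens with the missing security assessment (the largest prerequisite gap) before any of the later bites.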

Page 21:

3-Step Plan

1. achieve Defensible Security for Public Sector Organizations

2. celebrate the accomplishment

3. embrace a maturity model or selectively choose capabilities for additional investment

Page 22:

Eating the Elephant: Bites 1-6

The following are pre-requisites to success for security:

☐ Ensure the importance of cybersecurity is recognized by executives
☐ Information Security roles and responsibilities are identified and assigned
☐ Identify critical systems and data as the crown jewels of the organization
☐ Organization’s risk appetite is known and a risk register is reviewed quarterly
☐ Risk assessments are conducted for new systems and material changes to existing
☐ Conduct security assessments regularly against an established security standard

§ culture and support for security comes from the top
§ ensure common understanding of the threat
§ how do you find out if you have support?

Page 23:

Engagement

1. Kick-off meeting: This is an in-person, face-to-face meeting with the MISO(s) and Director(s). We begin with a brief introduction on DefSec, outline the project plan, and validate current state. At the end of the meeting, we should have a completed Stakeholder list and a Critical Systems list. We also suggest creating a SharePoint site for the engagement.

2. Engage stakeholders: Once stakeholders for each control element are identified, we suggest MISOs inform them of the engagement. We then schedule meetings with each stakeholder, providing templates and assistance to improve control element ratings.

3. Assess findings: All supporting documents stay within the sector/ministry on their SharePoint site. We access the documents from the SharePoint site and don’t take ownership of any document.

4. Closeout meeting: We present a straight-forward report comprising pre- and post-DefSec dashboards, statistics on control changes, recommendations, and next steps. This is an in-person, face-to-face meeting with the MISO(s) and Director(s).

5. Next sector/ministry: We proceed to the next sector/ministry (and repeat steps) while providing ongoing support to previously assessed sectors/ministries.

Page 24:

Example: Risk Register (Version 1.0)

Identify risks, rate inherent risk and trend; identify key risk mitigation strategies and residual risk; review quarterly.

Columns: Risk | Definition | Inherent risk | Risk trend | Key risk mitigation strategies | Residual risk | Owner

Risk: Network Security
Definition: Insufficiently proactive approach on identification of threats and vulnerabilities in network infrastructure and timely mitigation may result in network outages and exposure
Inherent risk: H, trend ↑

Risk: Data Security
Definition: Insufficient application of adequate security controls, heightened by increased risks from ransomware and profit-driven cyber criminals, results in an inability to identify and mitigate unauthorized access, disclosure, modification, or deletion of sensitive data
Inherent risk: H, trend ↑

(The mitigation strategies, residual risk and owner columns are left blank on the slide.)
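A working version of the register above, as an added example that is not the deck's own template: Python that rates inherent risk, applies the controls in place to arrive at residual risk, and runs the quarterly review the Asks slide calls for, flagging every entry whose residual risk exceeds the risk appetite so that controls can be augmented. The 5x5 likelihood x impact scale, the score bands for H/M/L, the way a control reduces likelihood or impact, the owners and the third entry are assumptions; the slide itself only rates risks H/M/L with a trend arrow.

```python
"""Risk register with quarterly review against risk appetite.

Added example, not the deck's template. The slide rates risks H/M/L with a
trend arrow; the 5x5 scoring, rating bands, control model and sample entries
below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List

# score = likelihood x impact on 1-5 scales; score >= threshold gives the rating (assumed bands)
RATING_BANDS = ((15, "H"), (8, "M"), (0, "L"))
RANK = {"L": 0, "M": 1, "H": 2}


def rating(score: int) -> str:
    """Map a 1-25 score onto the slide's H/M/L rating."""
    for threshold, label in RATING_BANDS:
        if score >= threshold:
            return label
    return "L"


@dataclass(frozen=True)
class Control:
    """A key risk mitigation strategy and how far it moves likelihood or impact."""
    name: str
    likelihood_reduction: int = 0  # steps taken off the 1-5 likelihood scale
    impact_reduction: int = 0      # steps taken off the 1-5 impact scale


@dataclass
class Risk:
    name: str
    definition: str
    owner: str
    likelihood: int            # 1 = rare .. 5 = almost certain
    impact: int                # 1 = negligible .. 5 = severe
    trend: str = "→"           # owner's rating of the inherent risk trend: ↑ → ↓
    controls: List[Control] = field(default_factory=list)

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Inherent risk after the controls in place; never below 1 x 1."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


def quarterly_review(register: List[Risk], appetite: str) -> List[dict]:
    """One row per risk; action is 'augment controls' where residual exceeds appetite."""
    rows = []
    for risk in register:
        residual = rating(risk.residual)
        rows.append({
            "risk": risk.name,
            "owner": risk.owner,
            "inherent": rating(risk.inherent),
            "trend": risk.trend,
            "controls": [c.name for c in risk.controls],
            "residual": residual,
            "action": "augment controls" if RANK[residual] > RANK[appetite] else "accept",
        })
    return rows


def uncontrolled(register: List[Risk]) -> List[str]:
    """Risks with no mitigation strategy recorded (step 3: identify controls in place)."""
    return [r.name for r in register if not r.controls]


# Constructed sample register: the two entries from the slide plus one more.
REGISTER = [
    Risk("Network Security",
         "Insufficiently proactive identification and mitigation of threats and "
         "vulnerabilities in network infrastructure may result in outages and exposure",
         owner="Network manager", likelihood=4, impact=4, trend="↑",
         controls=[Control("Modern firewall", likelihood_reduction=1),
                   Control("Intrusion prevention", likelihood_reduction=1)]),
    Risk("Data Security",
         "Insufficient security controls, heightened by ransomware and profit-driven "
         "criminals, result in undetected unauthorized access to sensitive data",
         owner="Information owner", likelihood=5, impact=5, trend="↑",
         controls=[Control("Access control", likelihood_reduction=1),
                   Control("Encryption of sensitive data at rest", impact_reduction=1)]),
    Risk("Ransomware on endpoints",
         "Malware encrypts workstations and file shares, interrupting service",
         owner="Service desk manager", likelihood=5, impact=4, trend="↑",
         controls=[Control("Anti-malware on workstations and servers", likelihood_reduction=1),
                   Control("Backup & retention with tested restores", impact_reduction=2)]),
]
RISK_APPETITE = "M"  # highest residual rating the organization will accept (assumed)

if __name__ == "__main__":
    for row in quarterly_review(REGISTER, RISK_APPETITE):
        print(f"{row['risk']:24s} inherent {row['inherent']} {row['trend']}  "
              f"residual {row['residual']}  -> {row['action']}")
```

With these assumptions the Data Security entry stays High after its two controls and is the one the quarterly review sends back to its owner for additional controls; the other two land at Medium, inside appetite. Separating likelihood and impact reductions is what lets the model show that a tested backup does nothing for the likelihood of ransomware but a great deal for its impact.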

Page 25:

Eating the Elephant: Bites 7-13

Organizations must have documented, followed, reviewed, updated, and tested:

☐ Asset Management & Disposal
☐ Change Management
☐ Incident Management
☐ Business Continuity Plan (BCP)
☐ Disaster Recovery Plan (DRP)
☐ Security Incident Response
☐ Information Security Policy

Page 26:

Example: Asset Management (Version 1.0)

Columns: Asset name | Owner | Location | Criticality

- Identify scope
- Asset inventory
- Process to add assets when purchased and commissioned
- Process to remove assets when decommissioned and disposed of

Page 27:

Eating the Elephant: Bites 14-18

Organizations must have documented, followed, reviewed, updated, and tested:

☐ Backup & Retention
☐ Logging & Monitoring
☐ Physical Security & Visible Identification
☐ Criminal Record Checks
☐ Security Awareness Program & Course

Page 28:

Eating the Elephant: Bites 19-25

The following practices must be in effect:

☐ Access Control
☐ Defence in Depth for Endpoints and Networks
☐ Security Governance
☐ Vulnerability Management & Patching

Mature organizations have:

☐ Information Security Classification
☐ Vendor Security Requirements
☐ Information Security Program

Page 29:

Building the Plan

The following are pre-requisites to success for security:

☐ Ensure the importance of cybersecurity is recognized by executives
☐ Information Security roles and responsibilities are identified and assigned
☐ Identify critical systems and data as the crown jewels of the organization
☐ Organization’s risk appetite is known and a risk register is reviewed quarterly
☐ Risk assessments are conducted for new systems and material changes to existing
☐ Conduct security assessments regularly against an established security standard

Organizations must have documented, followed, reviewed, updated, and tested:

☐ Asset Management & Disposal
☐ Change Management
☐ Incident Management
☐ Business Continuity Plan (BCP)
☐ Disaster Recovery Plan (DRP)
☐ Security Incident Response
☐ Information Security Policy
☐ Backup & Retention
☐ Logging & Monitoring
☐ Physical Security & Visible Identification
☐ Criminal Record Checks
☐ Security Awareness Program & Course

The following practices must be in effect:

☐ Access Control
☐ Defence in Depth for Endpoints and Networks
☐ Security Governance
☐ Vulnerability Management & Patching

Mature organizations have:

☐ Information Security Classification
☐ Vendor Security Requirements
☐ Information Security Program

Page 30:

Building the Plan (way too long)

[Figure: 12-month Gantt chart, Month 1 to Month 12, with the review cadence of each control element]

☐ Ensure the importance of cybersecurity is recognized by executives
☐ Information Security roles and responsibilities are identified and assigned
☐ Identify critical systems and data as the crown jewels of the organization
☐ Organization’s risk appetite is known and a risk register is reviewed quarterly: quarterly
☐ Risk assessments are conducted for new systems and material changes to existing: ongoing
☐ Conduct security assessments regularly against an established security standard: annual

☐ Asset Management & Disposal: annual
☐ Change Management: weekly
☐ Incident Management: daily/annual
☐ Business Continuity Plan (BCP): annual
☐ Disaster Recovery Plan (DRP): annual
☐ Security Incident Response: annual
☐ Information Security Policy: annual

☐ Logging & Monitoring: ongoing
☐ Backup & Retention: annual
☐ Physical Security & Visible Identification: annual
☐ Criminal Record Checks: ongoing
☐ Security Awareness Program & Course: monthly/annual

☐ Access Control: ongoing & annual (multifactor authentication)
☐ Defence in Depth for Endpoints and Networks
☐ Security Governance: on-demand
☐ Vulnerability Management & Patching: annual

☐ Information Security Classification: ongoing
☐ Vendor Security Requirements: annual
☐ Information Security Program: annual
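A tracker for the review cadences listed above, as an added example that is not from the deck: Python that parses cadence entries such as "daily/annual" or "ongoing & annual", computes the next review date of each control element from its last review, and lists the overdue ones, so "documented, followed, reviewed, updated, and tested" can be checked against dates rather than asserted. The day counts per cadence, the treatment of "ongoing" and "on-demand" as continuous practices that are never overdue, and the sample review dates are assumptions.

```python
"""Review-cadence tracker for the defensible security control elements.

Added example, not from the deck. Day counts per cadence, the handling of
'ongoing' / 'on-demand' as continuous, and the sample dates are assumptions.
"""
from datetime import date, timedelta
from typing import List, Optional, Tuple

CADENCE_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "quarterly": 91, "annual": 365}
CONTINUOUS = {"ongoing", "on-demand"}  # a practice, not a dated review: never overdue


def parse_cadence(text: str) -> List[str]:
    """'daily/annual' -> ['daily', 'annual']; 'ongoing & annual' -> ['ongoing', 'annual'].
    Rejects spellings the plan does not use, so a typo cannot silently drop a review."""
    tokens = [t.strip().lower() for t in text.replace("&", "/").split("/") if t.strip()]
    unknown = [t for t in tokens if t not in CADENCE_DAYS and t not in CONTINUOUS]
    if unknown:
        raise ValueError(f"unknown cadence {unknown!r} in {text!r}")
    return tokens


def next_due(last_review: date, cadence: str) -> Optional[date]:
    """Earliest due date from the periodic parts of the cadence; None if only continuous."""
    days = [CADENCE_DAYS[t] for t in parse_cadence(cadence) if t in CADENCE_DAYS]
    if not days:
        return None
    return last_review + timedelta(days=min(days))


def overdue(plan: List[Tuple[str, str, date]], today: date) -> List[Tuple[str, int]]:
    """(control, days overdue) for every dated review past due, most overdue first."""
    late = []
    for control, cadence, last_review in plan:
        due = next_due(last_review, cadence)
        if due is not None and due < today:
            late.append((control, (today - due).days))
    return sorted(late, key=lambda item: (-item[1], item[0]))


# Constructed sample: cadences taken from the plan slide, review dates invented.
PLAN = [
    ("Risk register review", "quarterly", date(2018, 4, 30)),
    ("Change management", "weekly", date(2018, 9, 27)),
    ("Incident management", "daily/annual", date(2018, 9, 30)),
    ("Security assessment", "annual", date(2017, 6, 15)),
    ("Logging & monitoring", "ongoing", date(2018, 9, 30)),
    ("Access control", "ongoing & annual", date(2017, 9, 1)),
]
REVIEW_DATE = date(2018, 10, 1)  # the day the tracker is run (assumed)

if __name__ == "__main__":
    for control, days in overdue(PLAN, REVIEW_DATE):
        print(f"{control:24s} {days:4d} days overdue")
```

Run against the sample on 1 October 2018 it reports the annual security assessment (108 days late), the quarterly risk register review (63 days) and the annual access control review (30 days); the daily incident management review falls due that day and is not yet late, and the ongoing logging & monitoring practice never appears because it has no dated review.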

Page 31:

Building the Plan (large organization)

[Figure: Gantt chart from September to March with one bar per sector (Sector 1 to Sector 7) followed by Project Close out; legend: Start, Current progress, End]

Page 32:

Summary

Security programs will be successful when they are:

§ supported by executive
§ aligned with government and ministry goals
§ risk-based, aligned with business and risk appetite
§ standards-based, evolve over time
§ capture present and target state accurately
§ plans are realistic and actionable
§ resourced effectively
§ focused on building security in from the ground up
§ measured/monitored
§ continuous improvement
§ communicated appropriately
§ executed on

Page 33:

Asks

§ review risk register quarterly to ensure residual risk aligns with risk appetite and augment controls where it does not
§ participate in an annual security assessment and analyze results for opportunities
§ build an information security program that is risk based, compliance based, or capability based
§ build and exercise incident response plan (BCP as well)
§ leverage oversight authority and collaborate with others to ensure a defensible security level
§ take advantage of the Defensible Security for Public Sector Organizations (DefSec) initiative and ride the wave…

Page 34:

Questions?