Welcome! Designing and Building a Cybersecurity Program

Transcription

1 Welcome! Designing and Building a Cybersecurity Program Note that audio will be through your phone. Please dial: Access code: The webcast will be 60 minutes in length with time allotted for responding to questions. An archive of the webinar will be available at or 2 Overview The Midwestern Higher Education Compact (MHEC) MHEC/EiQ Networks Master Price Agreement Justin Pennock, EiQ Special Guest: Larry Wilson, Information Security Lead, President s Office, UMass 1

2 Interstate Compacts MHEC 1991 NEBHE 1955 WICHE 1953 SREB What is a Compact? The compact statute creating MHEC makes MHEC an instrumentality of state government of each of its member states. This statutory language gives MHEC broad contracting authority to help carry out its mission. MHEC then enters into agreements for the benefit of its twelve member states, effectively letting institutions in one state pool their resources and expertise with different institutions in other states to gain advantages in the marketplace they otherwise would not be able to obtain. 5 Statutory Authority to Purchase from MHEC Contracts Illinois - Chapter 45 ILCS 155 Indiana - Chapter IC Iowa - Chapter 261D Kansas - Chapter 72-60b01 Michigan - Section Minnesota - Section 135A.20 Missouri - Section Nebraska - Section North Dakota - Chapter Ohio - Chapter South Dakota - Chapter 13-53C-1 Wisconsin - Chapter

3 Security Event & Information Management Competitively Sourced in 2011 Award to EiQ Networks Log Analysis Event Pattern Detection Compliance Automation Etc Contract Term: July 31, 2014 August 1, 2015 with three one-year renewals (2018). 7 Master Price Agreement Master Price Agreements Product and Services Price List Large Order Negotiations Terms and Conditions EULA g/files/ eiqnetworks_mstr_0.pdf 8 Who is eligible to purchase? Compacts: MHEC s 12 Midwestern states (ND & SD dual members) SREB s 16 Southeastern states WICHE s 15 Western states Higher Education K-12 districts and schools Cities, State and Local Governments 9 3

4 Contract Highlights

5 Contract Page MHEC Resources Contact Information: Nathan Sorensen Strategic Information Technology (IT) Procurement Officer Rob Trembath Vice President and General Counsel Mary Roberson Director of Communications & Marketing

6 Effective Cyber Security Monitoring & Compliance What is an effective security program? Process Technology People A set of processes and best practices developed and implemented Based on industry standards Immediate and comprehensive visibility into the Threat Remove silos and connect the dots Trained, experienced Information Security professionals Must be operational 24 x7 What EiQ s SOCVue Delivers: Process Technology People Council on Cyber Security & SANS Critical Security Controls Automation Continuously analyze your IT environment against Security best practice Identify weak Links in your security posture EiQ SecureVue Log Management & Security Monitoring Correlation & Forensic Analysis Compliance Reporting Asset Discovery EiQ SOCVue Service Certified Security & Product engineers 24x7 Monitoring Alert Notification and Remediation Guidance On Demand Investigation Daily/Monthly Reporting 1

7 Justin Pennock EiQ MHEC Account Manager

8 Designing & Building a Cybersecurity Program To protect our critical assets Our Controls Factory Midwestern Higher Education Compact Larry Wilson lwilson@umassp.edu October 23, The Challenge: To our Corporate and Government Leaders There is a global awakening among non technologists That we are vulnerable in cyberspace We are not organized well to protect ourselves We suffer from a fog of more More standards, more checklists, more devices, more things Where does your business stand on basic cybersecurity hygiene? Our Executives need to ask five basic questions Do we know what s connected to our systems and networks? Do we know what s running or trying to run on our systems and networks? Are we limiting the number of people with administrative privileges to change, bypass or override the security setting? Do we have continuous processes backed by security technologies that allow us to prevent most breaches, rapidly detect all that do succeed and minimize damage to our business and customers? Can you demonstrate all this to me, to our Board, and to our shareholders and customers today? Jane Holl Lute Council on Cybersecurity Served as Deputy Secretary for Homeland Security from April, 2009 to April 2013 Because. Having these basic safeguards in place will prevent 80% to 90% of the known attacks 2 Our Response: We Need to be Proactive. Manage or Risks Understand and establish a well developed risk management model Manage our Assets Inventory, prioritize, categorize (by type and value), safeguard Lifecycle Management (provision, de provision, discover, manage changes, reconciliation, monitor & alert Because every security incident starts with a compromised asset Secure our Assets Alignment and Transparency Are we on the same page? Are we learning and improving? Are we testing and measuring? Are we maturing our program over time? 3 1

9 Manage our Risks The Risk Equation Risk = Threats X Vulnerabilities X Asset Value + Residual Risk Controls How do we calculate risk? Risk is based on the likelihood and impact of a cyber security incident or data breach (model) Threats involve the potential attack against IT resources and information assets (model) Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat (model) Asset Value is based on criticality of IT resources and information assets (assess) Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities (assess) Residual risk includes a combination of unknown threats + unknown vulnerabilities + unmanaged assets (model) 4 Manage our Assets Our Managed Assets ARE protected Our Unmanaged Assets ARE NOT protected Unmanaged Assets Identify and secure our managed assets We need to understand why security breaches occur And the steps to take to prevent them What is our managed asset portfolio? We need to build a portfolio of managed assets Identify and secure our unmanaged assets There are undetected problems not seen, not reported Our unmanaged assets become easy targets Ultimately leads to a breach from missing or ineffective controls What is our unmanaged asset portfolio? We need to secure our unmanaged assets and add them to our managed asset portfolio 5 Alignment and Transparency The Cybersecurity Controls Factory Current State As is Risk Environment Desired State To be Risk Environment 1.0 Threat Model 2.0 Controls Design 3.0 Controls Implementation 4.0 Controls Testing 1.1 Threats, Vulnerabilities Consequences 2.1 Controls Framework & Standards 3.1 Vendor Technologies & Services 4.1 Controls Testing Guidelines Unmanaged Assets* Input 1.2 The Cyber Attack Chain 2.2 The C³ Framework Components 3.2 Security Programs & Projects 4.2 Controls Testing Techniques Output Managed Assets* 1.3 Modeling Cyber Attacks 2.3. The Cybersecurity Controls Model 3.3 Security as a Service (SaaS) 4.3 Controls Assessment Procedures * The Assets 00: Master Blueprint Incorporates all programs and projects into single program blueprint 01: Endpoint Devices laptops, workstations, smart phones, tablets, point of sale terminals, etc. 02: Applications & Spreadsheets developing, implementing secure applications based on BSIMM V 03: Network Security including the perimeter, across the LAN, WAN, wireless networks 04: Data Center Systems securing servers in the data center (windows, linux, etc.). 05: Databases database applications or stored functions, database systems, database servers, et 06: Identity & Access Governance securing users, accounts, entitlements 07: Data Governance processes, technologies, and methods used by data stewards and data custodians to handle data 08: Monitoring & Response Center real time monitoring, correlation and expert analysis of security activity 6 2

10 1.0 The Threat Model 1.1 The Threats, Vulnerabilities, Consequences 1.2 The Cyber Attack Chain 1.3 Modelling Cyber Attacks Threats, Vulnerabilities, Consequences Threats Vulnerabilities Consequences The Cyber Attack Chain 9 3

11 1.3 Modelling Cyber Attacks Process for Attack Simulation and Threat Analysis (PASTA) The Controls Design 2.1 Controls Frameworks and Standards 2.2 The C³ Framework Components 2.3 The Cybersecurity Controls Model The Controls Frameworks and Standards NIST Cybersecurity Framework Core Functions Council on Cybersecurity Critical Security Controls (CSCs) ISO 27002: 2013 Code of Practice for Information Security Controls 12 4

12 2.2 The C³ Framework Components The Voluntary Framework is a set of Cybersecurity Activities, Desired Outcomes and Applicable References Function Unique Identifier Function (Basic activities) Category Unique Identifier Category (Cybersecurity outcomes) Subcategories (Specific outcomes of technical or management activities) Informative References (Specific sections of standards, guidelines, and best practices) ID PR DE RS Identify (24 activities) Protect (35 Activities) Detect (18 Activities) Respond (16 Activities) ID.AM Asset Management 6 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices ID.BE Business Environment 5 technical or management activities Align to ISO/IEC 27001:13 best practices ID.GV Governance 4 technical or management activities Align to ISO/IEC 27001:13 best practices ID.RA Risk Assessment 6 technical or management activities Align to ISO/IEC 27001:13 best practices ID.RM Risk Management Strategy 3 technical or management activities Align to ISO/IEC 27001:13 best practices PR.AC Access Control 5 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices PR.AT Awareness & Training 5 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices PR.DS Data Security 7 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices PR.IP Information Protection Process 12 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices PR.MA Maintenance 2 technical or management activities Align to ISO/IEC 27001:13 best practices PR.PT Protective Technology 4 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices DE.AE Anomalies and Events 5 technical or management activities Align to ISO/IEC 27001:13 best practices DE.CM Security Continuous Monitoring 8 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices DE.DP Detection Processes 5 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices RS.RP Response Planning 1 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices RS.CO Communications 5 technical or management activities Align to ISO/IEC 27001:13 best practices RS.AN Analysis 4 technical or management activities Align to ISO/IEC 27001:13 best practices RS.MI Mitigation 3 technical or management activities Align to ISO/IEC 27001:13 best practices RS.IM Improvements 2 technical or management activities Align to ISO/IEC 27001:13 best practices RC.RP Recovery Planning 1 technical or management activities Align to ISO/IEC 27001:13 & CCS CSC best practices RC Recover RC.IM Improvements 2 technical or management activities Not aligned with ISO/IEC 27001:2013 or CCS CSC practices (6 Activities) RC.CO Communications 3 technical or management activities Not aligned with ISO/IEC 27001:2013 or CCS CSC practices Building a Cyber-security Cybersecurity Program 13 6/25/ Modeling Cybersecurity Controls Asset Governance Provisioning initial creation of the asset Reconciliation periodic recertification of the asset De provisioning removal of the asset from the environment Monitoring & Management generate alerts and reports Managed Asset Model Managed Assets Unmanaged Assets Start with all known assets Categorize assets by type and value Discover / Identify unknown assets Asset Discovery Scan, Monitor, Filter for unknown assets Update known assets with those discovered Security Controls Management & Communications Controls [MGT] Cyber security Controls [CSC] General Computer Controls [GCC] Asset Governance General Computer Controls Scan Unmanaged Assets Management & Cybersecurity Communications Controls Controls Monitor Filter Unmanaged Unmanaged Assets Assets Unmanaged Assets Managed Assets Known assets (per asset group) with controls applied 14 The Controls Model Managed Assets 1. Establish system of record Create initial baseline of known users, devices, applications, information assets, information owners 2. Update with known assets Add / remove assets following standard approach 3. Scan network for unknown assets Establish network scanning process to detect unknown devices. 4. Monitor network for unknown assets Establish traffic monitoring process to detect unknown devices. 5. Filter network access from unknown assets 802.1x, NAC, Client Certificates, Whitelist, Blacklist 6. Update system of record with known but unmanaged assets Discovered through scanning, monitoring and filtering 7. Apply security controls to known assets General Computer Controls [GCC], Cyber security Controls [CSC], Management & Communications Controls [MGT] 8. Generate real time alerts and management reports Alert management when suspicious activity is detected. 9. Update system of record with managed assets Update with known as well as unknown (discovered) devices 15 5

13 3.0 The Controls Implementation 3.1 Vendor Technologies and Services 3.2 Cybersecurity Programs and Projects 3.3 Security as a Service (SaaS) Vendor Technologies & Services TEC 01 TEC 02 TEC 03 TEC 04 TEC 05 TEC 06 TEC 07 TEC 08 TEC 09 TEC 10 TEC 11 TEC 12 TEC 13 TEC 14 TEC 15 TEC 16 TEC 17 Quest Software TEC 18 TEC 19 TEC 20 SVC 01 SVC 02 SVC Security Programs and Projects PRG 00: Master Blueprint PRG 01: Endpoint Security PRG 02: Application Security PRG 03: Network Security PRG 04: Data Center System Security PRG 05: Database Security PRG 06: Identity Governance PRG 07: Data Governance PRG 08: Monitoring & Alerting Center 18 6

14 3.3 Security as a Service (SaaS) Option 1: Corporate Security Operations Center (SOC) Option 2: Outsourced Managed Cybersecurity Services Option 3: Co Managed Cybersecurity Services Option 4: Hybrid Cybersecurity Services The Controls Testing 4.1 Controls Testing Guidelines 4.2 Controls Testing Techniques 4.3 Controls Assessment Procedures Controls Testing Guidelines Open Source Security Testing Methodology Manual (OSSTMM) Cybersecurity Assessments NIST : Technical Guide to Information Security Testing and Assessment Information Systems Security Assessment Framework (ISSAF) Critical Infrastructure Security Analysis (CRISALIS) Experimental Cyber Immersion Training & Exercises (EXCITE) 21 7

15 4.2 Controls Testing Techniques TST 01: Black Box Testing TST 02: Grey Box Testing TST 03: White Box Testing No TST 01: Black Box Testing TST 02: Grey Box Testing TST 03: White Box Testing 1 The Internal Workings of an application are not required to be known 2 Also known as closed box testing, data driven testing and functional testing 3 Performed by end users and also by testers and developers 4 Testing is based on external expectations. Internal behavior of the application is unknown Somewhat knowledge of the Internal Workings are known Another term for grey box testing is translucent testing as the tester has limited knowledge of the insides of the application Performed by end users and also by testers and developers Testing is done on the basis of high level database diagrams and data flow diagrams Tester has full knowledge of the Internal Workings of the application Also known as clear box testing, structural testing or code based testing Normally performed by testers and developers Internal workings are fully known and the tester can design data accordingly 5 This is the least time consuming and exhaustive Partly time consuming and exhaustive The most exhaustive and time consuming type of testing 6 Not suited to algorithm testing Not suited to algorithm testing Suited to algorithm testing 7 This can only be done by trial and error method Data domains and Internal boundaries can be Data domains and Internal boundaries tested, if known can be better tested Controls Assessments Procedures Perform Scoping Analysis Identify significant business applications, modules, line items and accounts Map processes and systems to significant accounts Determine locations / departments where significant business processes are performed (individual important, significant risk, significant when aggregated) Document Significant Business Processes & Controls Document process flows and develop control sets for all significant business processes and applications / IT Confirm location where significant processes are performed Evaluate Design of Controls Confirm control sets with business process owners Business units perform Self Assessments for all documented control activities Identify significant changes in processes and system quarterly Test Operating Effectiveness of Key Controls Design and develop test plans Determine level of testing for each location Execute test plans (Internal Audit, External Audit) Remediate Exceptions Identify control exception and root cause Work with business owners to determine remediation plan Analyze remediation items (individual and in aggregate) Implement remediation plan Monitor and track remediation progress Perform Year End Activities Define scope and approach for Q4 testing Perform '4Q / Update' testing (e.g., retesting of remediated items, high risk) Analyze remediation items (individual and in aggregate) Report on evaluation of internal controls 23 Cybersecurity Testing Center 1 8 Monitoring & Response Center Endpoint Devices Test Center Enterprise Applications Test Center 2 7 Data Governance Test Center Cybersecurity Controls Test Center Network Security Test Center 3 6 Identity Governance Test Center Database Security Test Center Data Center Systems Test Center

16 Controls Mapping Cybersecurity Controls Mapping Attack Phase Phase 1: Before an Attack Phase 2: During an Attack Phase 3: After an Attack 1 Attack Chain NIST Controls Framework Identify Protect Detect Respond Recover 2 Controls Standards General Computer Controls (ISO 27001:2013) Technical Controls (Council on Cyber security CSC) Management Controls (ISO 27001:2013) Technology & Services 3 Programs & Projects Database Security Endpoint Application Network Data Center Identity Data Security Operations Devices Security Security Systems Governance Governance 4 Testing Approach Cybersecurity Testing Guides, Techniques, Assessment Procedures Testing Center Cybersecurity Controls Testing Center Risk Management Approach FAIR Risk Model Factor Analysis of Information Risk (FAIR) Terminology: Risk The probable frequency and probable magnitude of future loss Loss Event Frequency The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset Loss Magnitude The magnitude of loss resulting from a loss event Threat Event Frequency The probable frequency, within a given timeframe, that a threat agent will act against an asset Vulnerability The probability that an asset will be unable to resist the actions of a threat agent Primary Loss Consists of asset loss factors and threat loss factors Secondary Loss Consists of organizational loss factors and external loss factors Contact Frequency Occurs when a threat agent establishes a physical or virtual (e.g., network) connection to an asset Probability of Action An act taken against an asset by a threat agent. Requires contact occur between the asset and threat agent Threat Capability The probable level of force that a threat agent is capable of applying against an asset. Resistive Controls The resistive strength of a control as compared to a baseline measure of force. 26 Cybersecurity Program Summary Threats Vulnerabilities The Risk = Unmanaged Assets Controls Our Assets Known Assets Managed Assets Managed Assets Managed Assets Cybersecurity Testing Center Where does our business stand on basic cybersecurity hygiene? 1. Do we know what s connected to our systems and networks? 2. Do we know what s running or trying to run on our systems and networks? 3. Are we limiting the number of people with administrative privileges to change, bypass or override the security settings? 4. Do we have continuous processes backed by security technologies that allow us to prevent most breaches, rapidly detect all that do succeed and minimize damage to our business and customers? 5. Can you demonstrate all this to me, to our Board, and to our shareholders and customers today? 27 9

17 Thank You! Any Questions? 28 10