Implementing a Framework

Transcription

1 Implementing a Framework 44th Tennessee Higher Education Information Technology Symposium 2015 Greg Jackson Cyber Security Analyst Dynetics Inc. Information Systems Assessment Services (ISAS) V## Goes Here 1 1

2 Outline What is a Framework? Why is a Framework so Important? Introduce the Risk Management Process Introduce the CyberSecurity Framework (CSF) Implementation of the CyberSecurity Framework Identify Protect Detect Respond Recover 2

3 Something to Think About How do I know what to protect? How do I prioritize security decisions? How much security is enough? 3

4 Something to Think About How do I know what to protect? How do I prioritize security decisions? How much security is enough? Implement A Framework! 4

5 What is a Framework? A framework is not a set of security controls. A framework is a structure or process that uses security controls to provide minimum security. A framework provides organizations with a structure to apply to today s multiple approaches to cybersecurity There are a lot of valid approaches to cybersecurity but without a framework the approach lacks guidance, direction, and communication flow Enables organizations to apply the principles and best practices of risk management to improve the security and resilience of their enterprise 5

6 Frameworks require organizations to: Understand the Business Impact if an information type were compromised Business Impact Analysis What is a Framework? Understand the value of their data Categorization Understand the Cyber Threat Level Risk Assessment Identify threat sources Who is targeting me? Identify threat events What can they do? (Physical damage, Theft of Data, etc) Determine impact on the organization If a vulnerability was executed successfully, what would be the impact to the Confidentiality, Integrity, or Availability of my data? 6

7 Frameworks require organizations to: Document Policies and Procedures Policies communicate the business priority, risk tolerance, and available resources from the executive level to the rest of the organization Procedures ensure a continuity of operations Assign Roles and Responsibilities Eliminates ambiguity Implement security The act of implementing security features that align with the organizations categorization, business impact analysis, and risk assessment Validate the effectiveness of their security Cybersecurity Assessment Security Controls Assessment Penetration Testing Continuously monitor What is a Framework? Ensure the implemented security is still providing an acceptable level of risk 7

8 Why is a Framework so important? Provides a context for implementing risk management Reduces the possibility of over or under securing your data Ensures continuity of solutions at all 3 levels of the organization Executive Level Focus: Organizational Risk Actions: Risk Decision and Priorities Operations Level Focus: Infrastructure Risk Management Actions: Selects Profile, and Allocates Budget Implementation Level Focus: Securing Infrastructure Actions: Implements Profile A framework will not eliminate the possibility of a breach. However, implementing a framework will give you a highly effective defensive posture that meets the criterion of Due Diligence 8

9 Risk Management Process 9

10 Introduction Developed in collaboration with industry Voluntary Framework designed to provide a: Prioritized Flexible Repeatable Performance-based Cost-effective approach to manage CyberSecurity risks Intended for use by any organization that wants to enhance their management of CyberSecurity risks 10

11 Introduction Function Category Subcategory References Identify Risk Management Strategy - The organization s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Risk management processes are established, managed, and agreed to by organizational stakeholders Organizational risk tolerance is determined and clearly expressed The organization s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02 ISA : NIST SP Rev. 4 PM-9 COBIT 5 APO12.06 ISA : NIST SP Rev. 4 PM-9 NIST SP Rev. 4 PM-8, PM-9, PM-11, SA-14 IDENTIFY Asset Management Business Environment Governance Risk Assessment Risk Management Strategy PROTECT Access Control Awareness and Training Data Security Information Protection and Procedures Maintenance Protective Technology DETECT Anomalies and Events Security Continuous Monitoring Detection Process CSF Implement based on specific cybersecurity outcomes 11 RESPOND Response Planning Communications Analysis Mitigation Improvements RECOVER Recovery Planning Improvements Communications

12 Prioritize and Scope CyberSecurity Framework (CSF) Implementation Determine business objectives Identify organizational priorities Business Impact Assessment Orient Identify regulatory requirements Determine risk approach Risk Mitigation Strategy Create a Current Profile Which outcomes are currently being achieved Conduct a Risk Assessment Identify current vulnerabilities Determine likelihood and impact of a cybersecurity event Risk Assessment 12

13 Implementation Create a Target Profile What are the organizations desired cybersecurity outcomes Determine, Analyze, and Prioritize Gaps Compare current profile to target profile to identify gaps Develop an action plan that s driven by the outcome of Step 1 Identify resources necessary to achieve the Target Profile Implement Action Plan Implement security controls necessary to achieve the outcomes identified in the Target Profile Continuous monitoring 13

14 Function Category Subcategory References Identify Risk Management Strategy - The organization s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Risk management processes are established, managed, and agreed to by organizational stakeholders Organizational risk tolerance is determined and clearly expressed The organization s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02 ISA : NIST SP Rev. 4 PM-9 COBIT 5 APO12.06 ISA : NIST SP Rev. 4 PM-9 NIST SP Rev. 4 PM-8, PM-9, PM-11, SA-14 IDENTIFY Asset Management Business Environment Governance Risk Assessment Risk Management Strategy PROTECT Access Control Awareness and Training Data Security Information Protection and Procedures Maintenance Protective Technology DETECT Anomalies and Events Security Continuous Monitoring Detection Process CSF Implement based on specific cybersecurity outcomes 14 RESPOND Response Planning Communications Analysis Mitigation Improvements RECOVER Recovery Planning Improvements Communications

15 Identify What information or assets need protection? Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management IDENTIFY Asset Management Business Environment Governance Risk Assessment Risk Management Strategy CSF Implement based on specific cybersecurity outcomes 15

16 Identify Asset Management The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization s risk strategy. Actively Manage Hardware and Software Inventories The first two critical security controls identified by the SANS Institute Business Environment The organization s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions Perform a Business Impact Analysis to: Identify network segmentation points Predict the consequences of disruption of a business function or process Enable the development of recovery strategies Provide the basis for investment in prevention and mitigation strategies 16

17 Identify Governance The policies, procedures, and processes to manage and monitor the organization s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. Formally document Policies and Procedures Risk Assessment The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Perform a Formal Risk Assessment Risk Management The organization s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Develop a Formal Risk Management Strategy 17

18 What safeguards are available? CyberSecurity Framework (CSF) Protect Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Supports the ability to limit or contain the impact of a potential cybersecurity event. IDENTIFY Asset Management Business Environment Governance Risk Assessment Risk Management Strategy PROTECT Access Control Awareness and Training Data Security Information Protection and Procedures Maintenance Protective Technology CSF Implement based on specific cybersecurity outcomes 18

19 Protect Access Control Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. Restrict Administrative Privileges Disable Local Administrator Accounts or Remove Local Admin Rights for users and implement Password Management (such as Microsoft Pwd Mgr or CyberArk) Limit and Secure Remote Access to your Network Implement Network Segmentation Eliminate Shared Passwords/Group Accounts Awareness and Training The organization s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. Ensure all employees receive Security Awareness Training Annually Invite CyberSecurity Analysts to provide presentations to the organization 19

20 Protect Data Security Information and records (data) are managed consistent with the organization s risk strategy to protect the confidentiality, integrity, and availability of information. Implement Application Whitelisting (Microsoft s Software Restriction Policies) Patch Applications Patch Operating Systems At least 85% of all targeted cyber intrusions could have been prevented if these 3 security controls, along with Restricting Administrative Privileges had been implemented! Information Protection Processes and Procedures Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. Formally assign roles and responsibilities to key Information Security Personnel 20

21 Protect Maintenance Maintenance and repairs of operational and information system components is performed consistent with policies and procedures. Actively Manage Maintenance Activities of 3 rd Party Vendors Implement Strict Configuration Management Don t Allow Vulnerable Services to Run Protective Technology Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Harden System Configurations on both Workstations and Servers Harden Application Configurations Implement OS Generic Exploit Mitigation Technologies such as: Enhanced Mitigation Experience Toolkit (EMET) Data Execution Prevention (DEP) Address Space Layout Randomization (ASLR) 21

22 Detect What techniques can detect incidents? Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Enables timely discovery of cybersecurity events IDENTIFY Asset Management Business Environment Governance Risk Assessment Risk Management Strategy PROTECT Access Control Awareness and Training Data Security Information Protection and Procedures Maintenance Protective Technology DETECT Anomalies and Events Security Continuous Monitoring Detection Process CSF Implement based on specific cybersecurity outcomes 22

23 Detect Anomalies and Events Anomalous activity is detected in a timely manner and the potential impact of events is understood. Implement Auditing (Microsoft s Sysmon) Implement HIDS (Host-based Intrusion Detection System) and NIDS (Networkbased Intrusion Detection System) Capture and Store PCAP (Packet Capture) Data Provide Strong Protection of this Data Ensure Active Analysis and Alerting Security Continuous Monitoring The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. Insist on 3 rd Party Assessments that include: Social Engineering Vulnerability Assessment Penetration Testing 23

24 Detect Detection Processes Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. Must be Thoroughly Tested (Can be in conjunction with a 3 rd Party Assessment) Continuous Improvement is Paramount 24

25 Respond What techniques can contain impacts of incidents? Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Supports the ability to contain the impact of a potential cybersecurity event IDENTIFY Asset Management Business Environment Governance Risk Assessment Risk Management Strategy PROTECT Access Control Awareness and Training Data Security Information Protection and Procedures Maintenance Protective Technology DETECT Anomalies and Events Security Continuous Monitoring Detection Process CSF Implement based on specific cybersecurity outcomes 25 RESPOND Response Planning Communications Analysis Mitigation Improvements

26 Respond Response Planning Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. Respond according to a Formally Documented Incident Response Plan Communications Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Analysis Ensure the Incident is Properly Reported Ensure Proper Coordination with all Stakeholders Analysis is conducted to ensure adequate response and support recovery activities. Ensure All Notifications from Detection Systems are Investigated Ensure you Understand the Total Impact of the Incident Perform Forensics Ensure the Response is consistent with your Incident Response Plan 26

27 Respond Mitigation Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. Ensure Incidents are Contained Ensure Incidents are Mitigated Improvements Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. Perform After-the-Fact Analysis to Identify Lessons Learned During the Response Update Response Strategies based on Lessons Learned 27

28 Recover What techniques can restore capabilities? Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Supports timely recovery to normal operations to reduce the impact from a cybersecurity event IDENTIFY Asset Management Business Environment Governance Risk Assessment Risk Management Strategy PROTECT Access Control Awareness and Training Data Security Information Protection and Procedures Maintenance Protective Technology DETECT Anomalies and Events Security Continuous Monitoring Detection Process CSF Implement based on specific cybersecurity outcomes 28 RESPOND Response Planning Communications Analysis Mitigation Improvements RECOVER Recovery Planning Improvements Communications

29 Recover Recovery Planning Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events. Implement Recovery according to a Formally Documented Recovery Plan Improvements Recovery planning and processes are improved by incorporating lessons learned into future activities. Perform After-the-Fact Analysis to Identify Lessons Learned During Recovery Update Recovery Strategies based on Lessons Learned Communications Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs (CyberSecurity Incident Response Team), and vendors. Manage Public Relations Repair Reputation of the Organization Communicate Recovery Activities with Internal Stakeholders and Executive and Management teams 29

30 Prioritize and Scope CyberSecurity Framework (CSF) Implementation Determine business objectives Identify organizational priorities Business Impact Assessment Orient Identify regulatory requirements Determine risk approach Risk Mitigation Strategy Create a Current Profile Which outcomes are currently being achieved Conduct a Risk Assessment Identify current vulnerabilities Determine likelihood and impact of a cybersecurity event Risk Assessment 30

31 Implementation Create a Target Profile What are the organizations desired cybersecurity outcomes Determine, Analyze, and Prioritize Gaps Compare current profile to target profile to identify gaps Develop an action plan that s driven by the outcome of Step 1 Identify resources necessary to achieve the Target Profile Implement Action Plan Implement security controls necessary to achieve the outcomes identified in the Target Profile Continuous monitoring 31

32 Questions? Implementing a Framework, such as the CyberSecurity Framework, allows you to answer the questions How do I know what to protect? How do I prioritize security decisions? How much security is enough? PO Box 5500 Huntsville, AL Greg Jackson Sr. Cyber Security Analyst 1004 Explorer Blvd Huntsville, AL Office: Mobile: greg.jackson@dynetics.com Dynetics is an employee-owned company. We hold the State s contract for Information Systems Assessment Services (ISAS) 32

33 Cyber Threat Level Dynetics Cyber RiskScope Cyber RiskScope is a new risk management methodology from Dynetics that provides visual, easy-to-grasp information for managing and responding to cyber risks. Cyber RiskScope focuses on three key risk indicators (KRIs): Business Impact, Cyber Threat, and Cybersecurity. When these KRI s are plotted on our innovative 3D Cyber Risk Profile, it is easy to visualize and analyze cyber risk. Recommended Minimum CsL Level 5 Target Level 4 Current Level 3 Level 2 Current Target (Z) Business Impact Level Cybersecurity Level (CsL) Circle size indicates financial impact. 33

34 Managed Security Monitoring Services NetAlert Core Capabilities Intrusion Detection System Honeypot Full Packet Capture at Internet Edge Benefits Increased visibility into what is happening on the wire Ability to notice and respond to threats quicker Additional Features More visibility primarily at the endpoint level Requirements: Logs Customer environment modifications Sysmon (process/network connections at the host level) EMET (exploit prevention) SRP (whitelisting) Snare (Windows Event Logs) Cisco Firewall (syslog) 34

35 Contact Information PO Box 5500 Huntsville, AL Greg Jackson Sr. Cyber Security Analyst 1004 Explorer Blvd Huntsville, AL Office: Mobile: Dynetics is an employee-owned company. 35