How To Understand And Manage Cybersecurity Risk

Transcription

1 White Paper A Framework to Gauge Cyber Defenses NIST s Cybersecurity Framework Helps Critical Infrastructure Owners to Cost-Effectively Defend National & Economic Security of the U.S.

2 Executive Summary Critical infrastructures underpin national and economic security in the United States. Increasing onslaughts of cybercrime necessitate ever-greater urgency with regard to their resilience and protection. The operations and management of the most critical infrastructures hinge on reliable connectivity, which makes these resources especially vulnerable to cyber attacks. Also vulnerable are the finances and reputations of the private sector, which owns and operates about 85% of the nation s critical infrastructure. An Executive Order issued by President Obama in February 2013 spawned the creation of a new Framework for Improving Critical Infrastructure Cybersecurity to help gauge the effectiveness of cyber defenses and let business drivers cost-effectively guide an organization s risk management process. The new Cybersecurity Framework helps executives to clearly understand cyber risks to their organization and ensure that business priorities steer selection of cybersecurity solutions and operations. The National Institute of Standards and Technology (NIST) created the Framework in collaboration with the government and private sector. It leverages existing risk management models such as COBIT and ISO/IEC by presenting three simplified parts: (1) a Framework Core of standard cybersecurity controls, (2) Implementation Tiers that provide context on how an organization views cybersecurity risk and the processes used to manage that risk, and (3) Profiles representing present and future risk outcomes based on business needs that are identified in parts 1 and 2. The Profiles serve as an organization s blueprint for cost-effectively protecting critical infrastructure. This paper presents an overview of the Cybersecurity Framework as a useful executive tool for managing risk. Cyphort is providing this assessment because, as part of deploying our Advanced Threat Cyber Defense Platform solution, we have discovered that the organizations that achieve the best defense are those that actively manage risk from an executive level. This summary is designed to help enterprise leaders leverage effective tools for improving resilience of critical infrastructures under their watch while fulfilling the additionally vital role of protecting the national and economic security of the United States. 2

3 Framework Controls Risk Management by Business Priorities Critical Infrastructure Sectors* Chemical Commercial Facilities Communications Critical Manufacturing Dams Defense Industrial Base Emergency Services Energy Financial Services Food and Agriculture Government Facilities Healthcare and Public Health Information Technology Nuclear Reactors, Materials, and Waste Transportation Systems Water and Wastewater Systems *Source: Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience Overview of NIST s Cybersecurity Framework On 12 February 2013 President Barack Obama issued Executive Order , Improving Critical Infrastructure Security. He directed NIST to develop a Cybersecurity Framework to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. To ensure public trust and simplify operations across legal regimens, the Framework was to include a methodology for protecting individual privacy and civil liberties during the implementation of cybersecurity programs and activities. President Obama also directed the establishment of a voluntary program to support adoption of the Framework. Primary targets are the 16 critical infrastructure sectors (see sidebar) that are foundational to the national and economic security of the United States. NIST published Version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity on 12 February The Framework is technology-neutral and is based on a variety of existing standards, guidelines, and practices for risk management and cybersecurity. It complements these, and is not meant to replace them but the Framework may be used in lieu of these if an organization does not have an existing cybersecurity risk management program in place. The Framework is not industry-specific, so it may be adapted as appropriate to the particular requirements of organizations in different critical infrastructure sectors. NIST states that the Framework is intended to be a living document and will be updated and improved as industry provides feedback on implementation. According to the Framework (p. 4), its common taxonomy and mechanism allows organizations to: 1. Describe their current cybersecurity posture; 2. Describe their target state for cybersecurity; 3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4. Assess progress toward the target state; 5. Communicate among internal and external stakeholders about cybersecurity risks. 3

4 Summaries of the Framework s Core, Implementation Tiers, Profiles, and use of the Framework are provided below. Framework Core Functions The Framework formally defines its Core as a set of cybersecurity activities, desired outcomes, and applicable references across critical infrastructure sectors. The Core consists of standard cybersecurity controls slotted into a taxonomy of five Functions, 22 Categories or subdivisions of the Functions, and 98 Subcategories along with applicable Informative References that are familiar to cybersecurity practitioners. Core Functions form the operational culture that addresses cybersecurity risks. The Core Functions are: Identify Identify Functions are foundational; they help an organization understand how to manage cybersecurity risk to systems, assets, data, and capabilities. Relating these to a business context is critical for prioritizing efforts. Categories include Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy. Protect Protect Functions are the safeguards that ensure delivery of critical infrastructure services. In terms of ensuring resilience, these safeguards help to limit or contain the impact of a cybersecurity event. Categories include Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology. Detect Detect Functions identify the occurrence of a cybersecurity event. Categories include Anomalies and Events, Security Continuous Monitoring, and Detection Processes. Cyphort s solution falls under the Detect and Respond Functions. Respond Respond Functions allow an organization to take action on a detected cybersecurity event. The goal of Respond Functions is to contain the impact of a cybersecurity event and remediate vulnerabilities. Categories include Response Planning, Communications, Analysis, Mitigation, and Improvements. Cyphort s solution falls under the Detect and Respond Functions. Recover Recover Functions are for resilience planning particularly the restoration of capabilities or services impaired by a cybersecurity event. Categories include Recovery Planning, Improvements, and Communications. 4

5 Informative References for Framework Core COBIT Control Objectives for Information and Related Technology CCS CSC Council on CyberSecurity Top 20 Critical Security Controls ANSI/ISA ( )-2009 Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program ANSI/ISA ( )-2013 Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels ISO/IEC 27001:2013 Information technology Security techniques Information security management systems Requirements: NIST SP Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations ISACA s framework for managing and governing information technology. Bridges control requirements, technical issues and business risks. Subset of controls in NIST SP , prioritizing those that are effective against Advanced Targeted Threats by emphasizing what works. ANSI/ISA s standard on cybersecurity focused on industrial automation and control systems. ANSI/ISA s standard on cybersecurity focused on industrial automation and control systems. ISO/IEC s international standard on cybersecurity focused on industrial automation and control systems. NIST s catalog of security controls for all U.S. federal information systems except those used in national security. Framework Implementation Tiers Implementation Tiers frame the context for how an organization views cybersecurity risks and which processes it uses to manage those risks. Four Tiers range from lower to greater rigor and sophistication as part of an organization s approach to managing risk. Tiers incorporate an organization s business requirements and other aspects of cybersecurity including degrees of privacy and civil liberties considerations used by an organization to manage and respond to cybersecurity risk. They also consider an organization s business and mission objectives, constraints of the organization, and legal and regulatory requirements. The latter may have heavy weight for certain critical infrastructure sectors. Guidance from federal resources, Information Sharing and Analysis Centers (ISACs), and other sources can help inform an organization on a desirable Tier. For example, REN-ISAC for education, FS-ISAC for financial services, and others, provide a range of services including risk mitigation, incident response, alerts and information/intelligence sharing. The ISACs goal is to provide critical infrastructure owners and operators with accurate, actionable, and relevant information. Cyphort believes that continuous threat monitoring, context-relevant detection, and practical mitigation actions are critical for effective protection of critical infrastructure. Cyphort s threat protection platform helps organizations to achieve higher Implementation Tier functionality by enabling a comprehensive security ecosystem with open interfaces to incorporate threat intelligence sharing from ISACs. The Strategy for Implementation Tiers is to weigh the considerations above and determine which Tier is appropriate for your organization both for meeting enterprise requirements as well as those of U.S. national and economic security. The Framework encourages organizations to progress to higher Tiers to reduce cybersecurity risk while managing cost effectiveness. Success is measured by achieving outcomes specified in an organization s Target Profile(s), not by Tier determination. 5

6 Framework Implementation Tiers Tiers Risk Management Process Integrated Risk Management Program External Participation 1: Partial Informal, ad hoc, reactive 2: Risk Informed Approved but policy not established; prioritization is informed by risk and business requirements 3: Repeatable Formally approved and expressed as policy; regularly updated based on risk and business requirements 4: Adaptive Practices are adapted based on lessons learned and predictive indicators; continuous, active improvement to meet evolving and sophisticated threats in timely manner Limited awareness, no organizational process Awareness established but without implementation of an organization-wide approach; processes are ready to go Organization-wide approach established, continuously reviewed and updated; personnel are fully trained to perform their roles and responsibilities Organization-wide approach uses riskinformed policies, processes, and procedures; risk management is in the organization s cultural DNA No coordination or collaboration Aware of role in ecosystem but no formal process established Dependencies are understood; information sharing is implemented for collaboration and risk-based management decisions in response to events Proactively manages risk and shares information to improve cybersecurity before an event occurs C3 Voluntary Cyber Community Program The Department of Homeland Security has partnered with the critical infrastructure community in a voluntary program to encourage the use of the Cybersecurity Framework. It s called the Critical Infrastructure Cyber Community C3 (pronounced C-Cubed ) Voluntary Program. The program is the coordination point between infrastructure owners and operators and the federal government. C3 has three goals: 1) Support the critical infrastructure industry in strengthening its cyber resilience; 2) increase awareness and use of the Framework; and 3) encourage organizations to manage cybersecurity as part of an allhazards approach to enterprise risk management. During its first year, the C3 voluntary program will focus on developing sector-specific guidance on how to implement the Framework. It will provide outreach and communications via DHS and other public and private sector resources, and coordinate feedback on the Framework and its implementation. Resources and Engagement Channels C3 Voluntary Program resources are available via a US-CERT Gateway at Engagement channels include: Regionally located DHS personnel from Cyber Security Advisor (CSA) and Protective Security Advisor (PSA) programs. The Critical Infrastructure Partnership Advisory Council (CIPAC) Framework. Direct engagement between the C3 Voluntary Program and interested organizations via ccubedvp@hq.dhs.gov. Requests for Information (RFI) by the general public. 6

7 Framework Profiles Profiles get barely a half-page of coverage in the Framework but from a functional perspective, they may be the most important part as they specify the roadmap from an organization s current cybersecurity posture to where it needs be. The Profile aligns everything Functions, Categories, and Subcategories with the organization s business requirements, risk tolerance, and resources. A complex organization may require multiple Profiles to cover its unique requirements. Comparing the Current Profile(s) and Target Profile(s) may reveal material gaps requiring action by cybersecurity risk management stakeholders. Typical gaps may come from weaknesses in threat detection and response especially from Advanced Persistent Threats, targeted attacks, and zero-day threats. Remediating gaps like these require prioritization gauged by an organization s business needs and risk management processes. The Department of Homeland Security plans to release guidance on Profiles in conjunction with its Critical Infrastructure Cyber Community C3 (pronounced C-Cubed ) Voluntary Program, described in the sidebar. Using the NIST Framework Organizations may use the Framework to systematically guide their process of evaluating and managing cybersecurity risk. The Framework is not meant to replace existing processes, and may be used in tandem with existing processes to help determine gaps and roadmap development. The essence of using the Framework is creating and evolving a Current Profile to a meaningful, costefficient Target Profile that describes desirable outcomes for strengthening cybersecurity of critical infrastructure owned or operated by an organization. The process will help senior executives and other stakeholders to clearly understand basic levels of cybersecurity risk, how these are managed, and how their organization can excel in protecting its assets. In particular, the process can help reveal an organization s posture toward emerging risks such as targeted Advanced Persistent Threats, targeted attacks, and zero-day threats and answer the question: How are we doing? This knowledge allows stakeholders to clarify policy and practices for strengthening cybersecurity practices. Using the Framework entails a continuous seven-step process of review and recalibration. 7

8 Learn More To learn more about NIST s Cybersecurity Framework, we urge you to read President Obama s Executive Order , Improving Critical Infrastructure Security and NIST s Framework for Improving Critical Infrastructure Cybersecurity. Resources for implementing the Framework are available from the Department of Homeland Security s Critical Infrastructure Cyber Community C3 (pronounced C-Cubed ) Voluntary Program (see sidebar for details and links). Finally, Cyphort would be pleased to help your risk management team understand how to defend your organization s critical infrastructure against emerging Advanced Persistent Threats, targeted attacks, and zero day vulnerabilities. To learn more, please visit our website at n About the authors Gus Hunt, former CTO of the CIA Mr. Gus Hunt currently serves as President and CEO of Hunt Technology, LLC, a consulting company focused on strategic IT planning, IT effectiveness and efficiency, cyber security, data-centric protection, and the cloud. He is a recently retired federal government senior executive having served 28 years with the Central Intelligence Agency (CIA). Mr. Hunt retired from CIA as their Chief Technology Officer. As CTO, he set the information technology strategic direction and future technology investment plan for CIA. He was the motivating force behind CIA s decision to acquire a copy of both the Amazon cloud and IBM s Watson. Dr. Fengmin Gong, Co-founder and Chief Architect Dr. Fengmin Gong is an entrepreneur and security veteran with more than 25 years of security industry experience. Before founding Cyphort, he served as Chief Scientist and Head of Next-Gen Security Product Development at Huawei-Symantec, and before that as Chief Security Content Officer at FireEye. He also was a Co-founder and Chief Scientist at Palo Alto Networks, Chief Scientist and Director of Intrusion Detection Technologies at McAfee, and Co-Founder of IntruVert Networks (acquired by McAfee), and Director of Advanced Networking Research at MCNC. Fengmin holds 12 patents in networking security areas and has published more than 40 technical papers. His academic background includes a professorial appointment at Carolina State University and research roles at Washington University. He holds a D.Sc. and M.S. in Computer Science from Washington University in St. Louis and a B.Eng. and M.Eng. in Computer Science from Xi an Jiaotong University in China. About Cyphort Founded in 2011 by a team of security experts, Cyphort advanced threat defense goes beyond malware detection to reveal the true intent of an attack and the risk it poses to your organization while offering prioritized and expedited remediation. Our software-based approach combines best-in-class malware detection with knowledge of threat capabilities and your organizational context to cut through the avalanche of security data to get at the threats that matter so you can respond with velocity, in hours not days. Cyphort empowers enterprises with the three C s of security reduced resolution time and cost for easy deployment across your entire network, virtual and cloud infrastructure; comprehensive coverage via a distributed software model; and a context-based approach to Advanced Persistent Threats (APTs). CYPHORT, Inc Great America Pkwy Suite 225 Santa Clara, CA P: (408) F: (408) Customer Support (tel) MALWARE (tel) (fax) support@cyphort.com 8 Copyright 2014 Cyphort, Inc. All rights reserved.