Designing & Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson Lesson 1 June, 2015 1
About the Class This course covers the essential elements for planning, building and managing a cybersecurity program Lesson 1 The Controls Factory The Fundamentals Understanding the Risks The Controls Factory The Cybersecurity Programs The Vision Lesson 2 Controls Factory Components The Threat Office The Controls Office The Technology Center The Operations Center The Testing Center The Program Office The GRC Office Lesson 3 - Building the Program Step 1: Establish Goals, Objectives, Approach, Deliverables Step 2: Get Management Support Step 3: Establish Budget, Resources, Scope, Funding, Timeline Step 4: Establish Program, Asset, Controls Roadmap Step 5: Select Controls, Technologies, Services Step 6: Build Master Plan and Program Mapping Step 7: Prioritize Deliverables Step 8: Conduct Program, Asset, Controls Review Step 9: Establish Program, Asset, Controls Risk Dashboard Step 10: Program Summary: End to End Security Lesson 4: Case Study: The South Carolina DOR Data Breach Part 1: The State Government Information Security Initiative Part 2: The Mandiant Report Part 3: The Deloitte Initial Report Part 4: The Deloitte Interim Report Part 5: The Deloitte Final Report 2
About the Instructor Larry Wilson, Information Security Lead - University of Massachusetts Design, build, manage UMASS Written Information Security Program (WISP) Based on industry standard controls: ISO 27002, Council on Cybersecurity, NIST Cybersecurity Framework Implemented consistently across all university campuses Prior to UMASS Vice President, Network Security Engineering Manager at State Street - I designed their program IT Audit Manager for Deloitte working on the MasterCard account I assessed their program Education and Certifications MS in Structural Engineering from University of New Hampshire. Industry certifications include PE, CISSP, CISA and PCI ISA Develop and Deliver Training Classes Secure World Expo (Building a Cybersecurity Program) ISACA New England (CISA certification training) Executive Recognition (2013) ISE Executive Award Finalist Northeast Region, North America SANS Person Who Made a Difference in Cybersecurity UMASS Security Program Recognition (2013, 2014) ISE Project Award Winner North America SANS 20 Critical Controls Poster - Featured Program 3
Lesson 1: The Controls Factory Part 1: The Fundamentals Data is the New Oil Data is Everywhere The Key Business Challenges The Key Technology Challenges The High Risk of Data Breaches The Challenge to Our executives The Response: Need to be Proactive Part 2: Understanding the Risks The Risk Equation What are you Trying to Protect? What are you Afraid of Happening? How Could the Threat Occur? What is Currently Reducing the Risk? What is the Impact to the Business? How Likely is the Threat given the Controls? Part 3: The NIST Framework The Framework Core The Framework Profile The Framework Implementation Tiers Cyber Resilience Review Who s Using the Framework Part 4: The Controls Factory The Problem Statement The Solution Approach Protecting the Assets The Factory Offices / Centers Part 5: The Cybersecurity Programs P1: The Infrastructure Security Program P2: The Application Security Program P3: The Data Governance Program P4: The Identity Governance Program P5: The Critical Assets Program Part 6: The Vision / Next Steps Where We Were - Yesterday Where We Are - Today Where We re Going - Tomorrow 2015 Cybersecurity Predictions Building an Effective Program 4
Part 1: The Fundamentals Why doesn t everyone have a BRICK House? Did everyone NOT read the 3 little Pigs? 5
Data is the New Oil 6
Data is Everywhere Growing attack surface Consumerization of IT Public, private, hybrid cloud Mobile applications Privileged accounts Internet of Things. 7
The Key Business Challenges 8
The Key Technology Challenges 9
The Threat Situation Continuing serious cyber attacks on information systems, large and small; targeting key federal, state, local, and private sector operations and assets. Threat Actors Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising your information systems Effective deployment of malicious software causing significant exfiltration of sensitive information (including intellectual property) and potential for disruption of critical information systems / services. -- Dr. Ron Ross NIST, Computer Security Division Information Technology Laboratory 10
The Cyber Threat Landscape 11
The Possible Consequences Cyber Attacks Could Put Humans and Infrastructure at Risk 12
How Data Breaches Occur 13
The Carbanak Attack 14
The Dyre Wolf Attack 15
The Target Attack 16
Global State of Information Security Survey 2015 Key findings and trends (PWC) 17
The Challenge: To Corporate and Government Leaders. Where does your business stand on basic cybersecurity hygiene? There is a global awakening among non technologists That we are vulnerable in cyberspace We are not organized well to protect ourselves We suffer from a fog of more More standards, more checklists, more devices, more technology, more things Our Executives need to ask five basic questions Do we know what s connected to our systems and networks? Do we know what s running or trying to run on our systems and networks? Are we limiting the number of people with administrative privileges to change, bypass or override the security setting? Do we have continuous processes backed by security technologies that allow us to prevent most breaches, rapidly detect all that do succeed and minimize damage to our business and customers? Can you demonstrate all this to me, to our Board, and to our shareholders and customers today? Because. Having these basic safeguards in place will prevent 80% to 90% of the known attacks Jane Holl Lute Council on Cybersecurity Served as Deputy Secretary for Homeland Security from April, 2009 to April 2013 18
The Response: We Need to be Proactive. Manage our Risks Understand and establish a well developed risk management model Apply controls to our assets Because every security incident starts with a compromised asset Manage our Assets Inventory, prioritize, categorize (by type and value), safeguard Lifecycle Management (provision, de-provision, discover, manage changes, reconciliation, monitor & alert Manage our Programs Understand the essential building blocks And how they relate Alignment and Transparency Are we on the same page? Are we learning and improving? Are we testing and measuring? Are we maturing our program over time? 19
We have executive attention.. So now what? 20
Part 2: Understanding the Risks 21
The Risk Equation Risk = Threats X Vulnerabilities X Asset Value + Residual Risk Controls How do we calculate risk? Risk is based on the likelihood and impact of a cyber-security incident or data breach Threats involve the potential attack against IT resources and information assets Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat Asset Value is based on criticality of IT resources and information assets Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities Residual risk includes a combination of unknown threats + unknown vulnerabilities + unmanaged assets + missing controls 22
Assets: What are you trying to protect? What are the assets? Where are the Assets? How are the Assets Managed? Which Assets are Critical? 23
Threats: What are you afraid of happening? What are the threats? Where are the threats? How have the threats changed? How are attacks staged? 24
Vulnerabilities: How could the threat occur? What is a vulnerability? What are the Vulnerabilities? How are the Vulnerabilities Managed? How are vulnerabilities remediated? 25
Mitigation: What is currently reducing the risk? What is a control? What is a controls framework? What are the controls types? How are controls measured? MGT-01 MGT-02 TEC-01 TEC-02 TEC-03 TEC-04 MGT-03 MGT-04 MGT-05 MGT-06 TEC-05 TEC-06 TEC-07 TEC-08 MGT-07 MGT-08 OPS-01 OPS-02 OPS-03 OPS-04 OPS-05 OPS-06 OPS-07 OPS-08 TEC-09 TEC-11 OPS-09 OPS-10 OPS-11 OPS-12 TEC-10 OPS-15 OPS-16 OPS-17 Critical Assets TEC-12 OPS-13 OPS-14 OPS-18 OPS-19 OPS-20 MGT-09 MGT-10 TEC-13 TEC-14 TEC-15 TEC-16 MGT-11 MGT-12 MGT-13 MGT-14 TEC-17 TEC-18 TEC-19 TEC-20 MGT-15 MGT-16 26
Impact: What is the impact to the business? 27
Probability: How likely is the threat given the controls? 28
Cybersecurity Approach Cybersecurity Risk & Consulting Services EY s Cyber Program Management (CPM) Framework Deloitte Cyber Risk Services: Secure. Vigilant. Resilient KPMG Cyber Security Framework PWC Cybersecurity Services 29
Cybersecurity Approach Cybersecurity Technology Providers HP Cybersecurity Framework EMC/RSA Cybersecurity Framework Cisco Cybersecurity Framework Oracle Security Approach 30
Cybersecurity Approach Managed Security Services Providers (MSSPs) Symantec Security Solutions Dell Secureworks IBM Managed Security Services AT&T Security Services 31
Part 3: The NIST Cybersecurity Framework 32
Part 3: The NIST Cybersecurity Framework 33
The NIST Cybersecurity Framework 34
The NIST Cybersecurity Framework 35
The NIST Cybersecurity Framework Cybersecurity Program Steps The Cybersecurity Resilience Approach Step 1: Prioritize and Scope. Step 2: Orient. Step 3: Create a Current Profile. Step 4: Conduct a Risk Assessment. Step 5: Create a Target Profile. Step 6: Determine, Analyze, and Prioritize Gaps. Step 7: Implement Action Plan. 36
The NIST Cybersecurity Framework NIST Definition of cyber resilience the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents 37
DHS Cyber Resilience Review Areas of Focus 1 Asset Management - The purpose of Asset Management is to identify, document, and manage assets during their life cycle to ensure sustained productivity to support critical 2 Controls Management - The purpose of Controls Management is to identify, analyze, and manage controls in a critical service s operating environment. 3 Configuration and Change Management - The purpose of Configuration and Change Management is to establish processes to ensure the integrity of assets using change control and change control audits. 4 Vulnerability Management - The purpose of Vulnerability Management is to identify, analyze, and manage vulnerabilities in a critical service s operating environment. 5 Incident Management - The purpose of Incident Management is to establish processes to identify and analyze events, detect incidents, and determine an organizational response. 6 Service Continuity Management - The purpose of Service Continuity Management is to ensure the continuity of essential operations of services and their associated assets if a disruption occurs as a result of an incident, disaster, or other disruptive event. 7 Risk Management - The purpose of Risk Management is to identify, analyze, and mitigate risks to critical service assets that could adversely affect the operation and delivery of services. 8 External Dependencies Management - The purpose of External Dependencies Management is to establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities. 9 Training and Awareness - The purpose of training and awareness is to promote awareness in and develop skills and knowledge of people in support of their roles in attaining and sustaining operational sustainment and protection. 10 Situational Awareness - The purpose of Situational Awareness is to actively discover and analyze information related to immediate operational stability and security and to coordinate such information across the enterprise to ensure that all organizational units are performing under a common operating picture. 38
The NIST Cybersecurity Framework The Framework Benefits 39
Fact Sheet White House Summit on Cybersecurity and Consumer Protection - February 13, 2015 The following corporations are announced a commitment to using the NIST Cybersecurity Framework. Intel is releasing a paper on its use of the Framework and requiring all of its vendors to use the Framework by contract. Apple is incorporating the Framework as part of the broader security protocols across its corporate networks. Bank of America will announce that it is using the Framework and will also require it of its vendors. U.S. Bank and Pacific Gas & Electric are announcing that they are committed to using the Framework. AIG is starting to incorporate the NIST framework into how it underwrites cyber insurance for large, medium-sized, and small businesses and will use the framework to help customers identify gaps in their approach to cybersecurity. QVC is announcing that it is using the Cybersecurity Framework in its risk management. Walgreens is announcing its support for the Cybersecurity Framework and that it uses it as one of its tools for identifying and measuring risk. Kaiser Permanente is committing to use the Framework. 40
Part 3: The Controls Factory 41
The Problem Statement Our Unmanaged Assets ARE NOT protected Our Managed Assets ARE protected Our unmanaged assets There are undetected problems not seen, not reported Our unmanaged assets become easy targets Which lead to a breach from missing or ineffective controls Our managed assets We need to understand why security breaches occur And the steps to take to prevent them And build a portfolio of managed assets 42
The Solution Approach The Controls Factory 4 3 Enter Unmanaged Assets 2 5 Exit Managed Assets 6 7 1 1. Threats: Threats, Vulnerabilities, IOCs, Attack Chain 2. Controls : Framework, Types, Standards 3. Technologies: Architecture, Design, Build & Run 4. Operations: Approach, Design, Build & Run 5. Testing : Threat Model, Controls Testing, Operations Testing 6. Programs: Approach, Design, Build & Run 7. GRC: Governance, Risk Management, Compliance 43
The Solution Approach Cybersecurity Delivery Life Cycle (CSDLC) The Controls Factory Enter Unmanaged Assets 1. Requirements 2. Design 3. Implementation 4. Operations 5. Verification 6. Program Management Exit 7. Risk Management Managed Assets 1. Threats: Threats, Vulnerabilities, IOCs, Attack Chain 2. Controls : Framework, Types, Standards 3. Technologies: Architecture, Design, Build & Run 4. Operations: Approach, Design, Build & Run 5. Testing : Threat Model, Controls Testing, Operations Testing 6. Programs: Approach, Design, Build & Run 7. GRC: Governance, Risk Management, Compliance 44
The Controls Factory The Current Profile (Before the Factory) The Target Profile (After the Factory) Design Area Build & Run Area Management Area Threats, Vulnerabilities, IOCs Controls Definition Technology Architecture Cybersecurity Operations Center Threat Modeling The WISP Organizational Model Input Unmanaged Assets Threat Intelligence Controls Framework Technology Design Security Administration Center Controls & Technology Testing Program Deliverables Assurance & Audit Output Managed Assets The Cyber Attack Chain Controls Standards Technology Build & Run Resilience, Response, Forensics Operations & Incident Testing Program Roadmap Compliance Initiatives F1 F2 F3 F4 F5 F6 F7 Threat Office Control Office Technology Center Operations Center Testing Center Program Office GRC Office 45
F1: The Threat Office Threats & Vulnerabilities Threat Sharing The Cyber Attack Chain Mapping Attacks to Assets Endpoint Devices Network Devices Data Center Systems Databases & File Shares Applications & Programs Identity & Access Governance Data Governance Crown Jewels Asset Inventory 46
F2: The Controls Office The NIST Cybersecurity Framework The Controls Types NIST Cybersecurity Framework The Controls Standards Mapping Controls to Assets Endpoint Devices Network Devices Data Center Systems Databases & File Shares Applications & Programs Identity & Access Governance Data Governance Crown Jewels Asset Inventory 47
F3: The Technology Center Technology Architecture Technology Design Technology Build & Run Mapping Cybersecurity Technology to Assets Endpoint Devices Network Devices Data Center Systems Databases & File Shares Applications & Programs Identity & Access Governance Data Governance Crown Jewels Asset Inventory 48
F4: The Operations Center Cybersecurity Operations Center (CSOC) Cybersecurity Administration Center Resilience, Response and Forensics Mapping Cybersecurity Operations to Assets Endpoint Devices Network Devices Data Center Systems Databases & File Shares Applications & Programs Identity & Access Governance Data Governance Crown Jewels Asset Inventory 49
F5: The Testing Center Threat Modeling Controls Testing Assets The C 3 Test Analyzer Controls Endpoints Network Systems Databases Applications Identities Data Crown Jewels Identify Protect Detect Respond Recover COBIT 5.0 ISO 27001 20 CSC IEC 62443 NIST 800-53 BSIMM V5 PCI DSS HIPAA 201 CMR 17 Operations Testing Mapping Testing / QA to Assets Endpoint Devices Network Devices Data Center Systems Databases & File Shares Applications & Programs Identity & Access Governance Data Governance Crown Jewels Asset Inventory 50
F6: The PMO Office Program Management Principles Program Management Methodology Program Tracking and Reporting Dashboard Mapping Cybersecurity Programs to Assets Endpoint Devices Network Devices Data Center Systems Databases & File Shares Applications & Programs Identity & Access Governance Data Governance Crown Jewels Asset Inventory 51
F7: The GRC Office GRC Principles GRC Methodology GRC Tracking & Reporting Dashboard Mapping Cybersecurity Governance to Assets Asset Inventory Endpoint Devices Network Devices Data Center Systems Databases & File Shares Applications & Programs Identity & Access Governance Data Governance Crown Jewels 52
Part 4: The Cybersecurity Programs 53
The Program Model Threat Office Controls Office Technology Center Operations Center Testing Center PMO Office GRC Office P5 Crown Jewels Program (Deliverables: Managed Critical Assets) Input P4 Identity Governance Program (Deliverables: Managed People, Accounts, Entitlements) Output Unmanaged Assets P3 Data Governance Program (Deliverables: Managed Information) Managed Assets P2 Application Security Program (Deliverables: Managed Applications) P1 Infrastructure Security Program (Deliverables: Managed Endpoints, Networks, Servers, Databases) Attack Models Controls Design Technology Build & Run Operations Build & Run Testing Build & Run Programs Build & Run Risk Reporting 54
P1: The Infrastructure Program 1. The Assets 2. The Controls 3. The Solutions 4. The Operations 5. The Testing 6. The Assessments & Reporting Program Engine The C 3 Test Analyzer Controls Engine Crown Jewels Identities Information Applications Infrastructure Identify Protect Detect Respond Recover COBIT 5.0 ISO 27001 CSC CSC IEC 62443 NIST 800-53 BSIMM V5 PCI DSS HIPAA 201 CMR 17 55
P2: The Application Program 1. The Assets 2. The Controls 3. The Solutions 4. The Operations 5. The Testing 6. The Assessments & Reporting Program Engine The C 3 Test Analyzer Controls Engine Crown Jewels Identities Information Applications Infrastructure Identify Protect Detect Respond Recover COBIT 5.0 ISO 27001 CSC CSC IEC 62443 NIST 800-53 BSIMM V5 PCI DSS HIPAA 201 CMR 17 56
P3: The Data Governance Program 1. The Assets 2. The Controls 3. The Solutions 4. The Operations / Administration 5. The Testing 6. The Assessments & Reporting Program Engine The C 3 Test Analyzer Controls Engine Crown Jewels Identities Identify Protect COBIT 5.0 ISO 27001 CSC CSC Information Applications Infrastructure Detect Respond IEC 62443 NIST 800-53 BSIMM V5 PCI DSS Recover HIPAA 201 CMR 17 57
P4: The Identity Governance Program 1. The Assets 2. The Controls 3. The Solutions 4. The Operations / Administration 5. The Testing 6. The Assessments & Reporting Program Engine The C 3 Test Analyzer Controls Engine Crown Jewels Identities Identify Protect COBIT 5.0 ISO 27001 CSC CSC Information Applications Infrastructure Detect Respond IEC 62443 NIST 800-53 BSIMM V5 PCI DSS Recover HIPAA 201 CMR 17 58
P5: The Critical Assets Program 1. The Assets 2. The Controls 3. The Solutions 4. The Operations / Administration 5. The Testing 6. The Assessments & Reporting Program Engine The C 3 Test Analyzer Controls Engine Crown Jewels Identities Identify Protect COBIT 5.0 ISO 27001 CSC CSC Information Applications Infrastructure Detect Respond IEC 62443 NIST 800-53 BSIMM V5 PCI DSS Recover HIPAA 201 CMR 17 59
The Program Summary Build a Cybersecurity Program Unmanaged Assets [Programs] 1 2 3 4 5 6 7 8 Endpoint Network Data Center Database Application Identity Data Devices Security Systems Security Security Governance Governance Crown Jewels Cyber Attack Chain 1 2 3 4 5 6 7 NIST Controls Framework Identify Protect Detect Respond Recover Controls Standards & Mapping Operations Controls (ISO 27001:2013) Technical Controls (Council on Cyber-security CSC) Management Controls (ISO 27001:2013) Technologies & Services Operations & Administration Cybersecurity Operations Center Cybersecurity Administration Center Incident Response Team Testing & Reporting Cybersecurity Controls Testing & Reporting Cybersecurity Technology Testing & Reporting Cybersecurity Operations Testing & Reporting Managed Assets [Programs] 1 2 3 4 5 6 7 8 Endpoint Devices Network Security Data Center Systems Database Security Application Security Identity Governance Data Governance Crown Jewels
Part 5: The Factory Vision 61
Where were we? - Yesterday The early days (2010) Defense in Depth GRC Governance, Risk, Compliance Threats & Vulnerabilities Applications Infrastructure TVM PDP AIS IAM Data People & Identities IOS Six Security Programs PRG1: Governance, Risk, Compliance (GRC) PRG2: Threat & Vulnerability Management (TVM) PRG3: Privacy and Data Protection (PDP) PRG4: Application Integrity and Security (AIS) PRG5: Identity & Access Management (IAM) PRG6: Infrastructure &Operations Security (IOS) The Controls Layers: GRC: Program Governance, Risk Management and Compliance Threat & Vulnerability: Internal & External threats & weaknesses Network & Server Assets: Core Infrastructure Application Assets: Provides authorized user access to the data Data Layer: Where information resides People & Identities: Authorized vs. Unauthorized user access to data 62
Where are we? - Today The Current Profile (Before the Factory) The Target Profile (After the Factory) Design Area Build & Run Area Management Area Threats, Vulnerabilities, IOCs Controls Definition Technology Architecture Cybersecurity Operations Center Threat Modeling The WISP Organizational Model Input Unmanaged Assets Threat Intelligence Controls Framework Technology Design Security Administration Center Controls & Technology Testing Program Deliverables Assurance & Audit Output Managed Assets The Cyber Attack Chain Controls Standards Technology Build & Run Resilience, Response, Forensics Operations & Incident Testing Program Roadmap Compliance Initiatives F1 F2 F3 F4 F5 F6 F7 Threat Office Control Office Technology Center Operations Center Testing Center Program Office GRC Office 63
Where are we going? - Tomorrow Factory in a Can Academic / Research Factory Staging / Test Factory AR ST Corporate / Enterprise Factory Cloud / Partner Factory CE CP 64
Summary: Building an Effective Security Program The NIST Golden Rules Develop an enterprise-wide information security strategy and game plan Get corporate buy in for the enterprise information security program effective programs start at the top Build information security into the infrastructure of the enterprise Establish a level of due diligence for information security Focus initially on mission/business case impacts bring in threat information only when specific and credible Create a balanced information security program with management, operational, and technical security controls Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data Harden the target; place multiple barriers between the adversary and enterprise information systems Be a good consumer beware of vendors trying to sell single point solutions for enterprise security problems Don t be overwhelmed with the enormity or complexity of the information security problem take one step at a time and build on small successes Don t tolerate indifference to enterprise information security problems And finally Manage enterprise risk don t try to avoid it! 65
Questions? 66