A Cybersecurity Strategy: How to Stop Worrying and Love the Cybersecurity Strategy
Lockdown 2015, University of Wisconsin Madison
Elements of a Cybersecurity Strategy
1. Have a commonly agreed-to purpose
2. Be understood by the community
3. Establish a governance model
4. Assign accountability
5. Have a communications plan
6. Be flexible and adaptable to change
7/16/2015 University of Wisconsin Madison
Cybersecurity Panel
Discuss the importance of long-term planning to achieve resilience across the IT and business organizations.
- Elaine Gerke, UW-Health, Director IS Systems Security
- Max Babler, Madison Gas & Electric, Director Information Security
- Bob Turner, UW-Madison, Chief Information Security Officer
- Nicholas Davis, UW System Administration, Chief Information Security Officer
Introduction Question
How are you planning cybersecurity strategies and initiatives?
UW Health IS Systems Security: Cybersecurity Strategy in a Healthcare HIPAA Covered Environment
Understanding the Business of Healthcare
- Both clinical care and research: the work must go on!
Understanding Cyber Vulnerabilities and Threats
- Keep a current inventory. Know what belongs in your environment and what doesn't. Be the gatekeeper!
- Monitoring logs, automated alerts, and pursuing a SIEM solution for correlation of event logs
- Conducting regular vulnerability assessments and penetration testing, and using different vendors
- Coordination and collaboration of intelligence sharing (UW Campus, State of Wisconsin, FBI, etc.)
- Exploring the possibility of shared expertise in the event of a cyber attack
- Conducting Root Cause Analysis of events; get staff thinking outside the box, not only about remediations but also about preventative strategies
- Tracking events, both large and small
- Having consistent policies and procedures to handle events
UW Health IS Systems Security: Cybersecurity Strategy in a Healthcare HIPAA Covered Environment (cont.)
The Balancing Act: securing our patient's data while allowing appropriate access
Technical guardrails
- Know your data: what it is, and where it lives
- External-facing servers housed in a DMZ with limited access
- Locking down endpoints, and limiting elevated privilege accounts
- Segregation of duties
- Restriction of traffic where possible for DLP (ports, protocols, services, requirement of administrative rights to move the data, etc.)
- Use of blacklisting and application whitelisting (current FY project)
- Secure Compute Environment: VDI with an honest broker as gatekeeper
Securing the Human / Training and Education of Staff
- Annual required training
- Use every opportunity to reinforce security education
- Run phishing campaigns
- Understanding HIPAA requirements and liability in our environment
- Multi-factor authentication
Who am I?
Maxwell Babler, Director of Information Security, Madison Gas and Electric
- Staff of 10 security professionals and managers
- 18+ years in IT: Developer / Server Operations; Enterprise Architecture / Site Audit / Management
MGE
- Community focused: serve primarily in the Madison area, including this building
- Diverse generation portfolio including gas, wind and solar
- One of the smallest publicly traded utilities in the US
Where am I on Strategy?
- Working to establish the first 5-year strategic roadmap for Security
  - Established service domains to measure against
  - Assessed functions with CMMI rankings
  - Industry and Gartner scoring
  - Arranged efforts based on priority, tied to improvement areas
- My role:
  - Responsible for leading the creation of the security strategy
  - Play a key role in socialization and outreach for the strategy itself: IT areas, wider business partners (Engineering & Operations), Sr. Leadership, Board of Directors
What guides my Strategy?
Values:
- CIAS: Confidentiality. Integrity. Availability. Safety.
- PBR: Plan. Build. Run.
- SMS: Simple. Manageable. Secure.
- CBTS: Customer. Business. Technology. Security.
- Compliant, but then secure
Goals:
- Deter attackers as much as possible, keeping the business use in mind
- Have a robust and fast incident response
- Have a flexible, fast and inclusive business continuity plan
Frameworks:
- NIST: National Institute of Standards and Technology
- SOX: Sarbanes-Oxley Act
- NERC CIP: National Electric Reliability Council, Critical Infrastructure Protection
Domains:
- Data Management
- Consulting
- Identity Access Management
- Risk and Compliance
- Infrastructure
- Network
- Endpoint
- Business Resiliency and Continuity
Nick Davis
Areas of expertise
- Security Awareness: the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization.
- Cryptosystem: any sort of methodology for encoding data so that only a desired party is capable of decoding and accessing it.
- Information Assurance: the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and systems.
Notable Achievements
- Lecturer of Information Security courses at both the undergraduate and graduate level, at UW-Madison, Cardinal Stritch University and Madison Area Technical College.
- Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA)
- Member, FBI InfraGard: InfraGard is a non-profit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation.
My First 100 Days (a.k.a. the firehose treatment)
Higher Education is a whole new world
Things I really liked (for the most part):
- Organization: we were aligned for success in critical competencies
- Staff were performing relevant and meaningful cybersecurity tasks: Incident Response; Metrics and Trends; Threat Intel and Reporting; Security Education and Training
Things that surprised me!!!!
- Vulnerability scanning & analysis is inconsistent / infrequent
- Lack of periodic (comprehensive) security assessments
- Tangled funding sources for staff engagements
- Inconsistent security engineering and formal approval for connecting or operating information systems
- Decentralized governance of security functions
Why build a strategy?
- Last strategic plan was five years old and never formally adopted by leadership
- Newer technology breeds newer and more sophisticated threats
  - Well engineered and professional-looking malware
  - Zero-day attacks continue to increase in volume (24 tracked in 2014)*
  - Total days of exposure for malware was over 295 in 2014*
- Threat actors are more clever and the stakes are higher
  - Campaigns such as Dragonfly, Waterbug, and Turla infiltrated industrial systems, embassies, and other sensitive targets*
- Volume and complexity of threat activity increasing
  - Spear-phishing attempts increased by 8% and are more sophisticated
  - Increased state-sponsored cyberespionage and greater focus on Higher Education*
- Optimized risk management requires cybersecurity approaches that center on the data
* = From Symantec's 2015 Internet Security Threat Report
"Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat." - Sun Tzu (Ancient Chinese Military Strategist)
Getting to work
- Know what you want at the end of the run
  - This is more than a Gap Analysis, and Cybersecurity is more than a service function
  - Understand the assets and the need for protection
  - Be prepared to dovetail business risk to the security plans
  - Know where you are and where you want to be; it's that simple!!!
The mindset you need to create a useful strategy:
- Executive buy-in
  - Support from the CIO and other C-leaders plus VPs
  - Discussions that align guidance to business strategy
- Speak in a common language
  - Level set the definitions of risk, vulnerability and threat
  - Understand how the business works and how managers talk
- Do not be the Merchant of No! Learn the fastest way to get to YES!
- It has to be a team effort involving domain leaders and key performers
"Security Teams must demonstrate the ability to view business problems from different or multiple perspectives." - Gus Agnos (VP Strategy & Operations at Synack)
Where is our focus?
- Incident Response
- Metrics and Trends
- Data
- Data Classification
- Cybersecurity Incident Response Cycle
Components of UW-Madison Cybersecurity Strategy
Preparation is key! You cannot do this alone!
- Working Groups and Committees (UW-MIST, MTAG, ITC, TISC, etc.)
- Cybersecurity Leadership Team
- Executive and Department/College/Business Unit buy-in
- Cost, Schedule, Performance
- Governance and Collaboration
UW-Madison Cybersecurity Strategy: Strategic Elements and Enabling Objectives
- Data Governance and Information Classification Plan
- Retain previous strategy's actions ("find it / delete it / protect it")
- Establish the UW-Madison Risk Management Framework
- Enable & support a culture that values cybersecurity & reduces risk
- Build a community of experts / improve user competence (SETA)
- Establish Restricted Data Environments
- Consolidate Security Operations & institute best practices
- Improve Cyber Threat Analysis / Dissemination / Remediation
- Optimize Services, Security Metrics, Compliance & CDM
- Establish Collaborative Partnerships to assure teaching and research availability (Wisconsin Idea)
- Central data collection/aggregation to analyze security events
- Identify and seek sources of repeatable funding
- Identify UW-Madison compliance issues (FERPA, HIPAA, PCI-DSS, Red Flags Rule, etc.)
- Develop and refine sustainable security ops / risk assessments
- Develop & implement a marketing and communications plan
Question of Purpose
What is the purpose of having an IT Security Strategy?
Developing a Strategy
What are the components of an IT Security Strategy? How are those components developed?
Metric vs. Imperial
How is the success of an IT Security Strategy measured?
Holding the Bag
Who is responsible for the strategy? What help may they request?
Thoughts & Questions