Intel Security Professional Services
Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security
David Brezinski, Professional Services, Enterprise Security Architect
Agenda
- Overview
- Where to begin
- What the NIST CSF is and is not
- Limitations of CSF
- CSF overview and components
- Methods and ideas for alignment
- Outcomes and evolution
- Final points of consideration
- An example: User and management security awareness
"The definition of genius is taking the complex and making it simple." - Albert Einstein
Why do things seem so complicated?
Where to begin
Control standards, regulations and risk-management methodologies
NIST CSF: What it is and why
National Institute of Standards and Technology Cybersecurity Framework
- Encompasses security risk across people and process as well; not just technology-centric
- Use is voluntary
- A tool and method for evaluating the current ("as is") security profile and developing the target ("to be") profile, which facilitates creating a roadmap to improve posture
- Guidance created based on existing standards and best practices (private and public sector were involved in the creation)
- Establishes a common language and taxonomy; simplifies communication between technical staff and business leaders
- Common categories of security activities mapped back to cybersecurity standards
- The CSF is a living document
Why?
- Released (Version 1.0) February 12, 2014, in direct response to and support of President Obama's February 2013 Executive Order 13636, "Improving Critical Infrastructure Cybersecurity."
- Helps organizations identify, understand, manage and reduce cybersecurity risks by prioritizing security investments
NIST CSF: What it is not
National Institute of Standards and Technology Cybersecurity Framework
- Prescriptive
- An IT governance framework like COBIT
- A replacement for existing risk management methodologies (but it can augment and complement them, or fill the gap if none exists)
- Foolproof or a silver bullet. No, implementing the CSF does not mean you're immune to being compromised!
- A one-size-fits-all approach
- A substitute for thoughtful review, evaluation and pragmatism in addressing risk concerns and priorities
"The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks: different threats, different vulnerabilities, different risk tolerances, and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks."
Source: NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, page 2.
Limitations of CSF: Progress, not perfection
- Lack of data privacy standards
- No consideration for an organization's unique threat adversaries, their motivations, and its data/information assets (targets)
- Regulatory, statutory and contractual obligations
- Technical debt
- Timeframe and resources to fully adopt
This is where specific organizational context is required.
CSF - Overview
Three primary components:
1) Profile: comprised of two views, current ("as is") and target ("to be")
2) Implementation Tiers (1-4): Partial, Risk Informed, Repeatable, Adaptive
3) Core:
   - Functions: Identify, Protect, Detect, Respond, Recover
   - Categories, subcategories and Informative References
Source for slide content: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
CSF - Overview: Implementation Tiers
- Tier 1, Partial: The risk management process and program are ad hoc and reactive. Visibility of cybersecurity activities and risk management is limited.
- Tier 2, Risk Informed: Risk management practices are approved by management but may not be fully established across the organization. Cybersecurity activities and risk management concerns have some level of visibility, but it may not be all-encompassing across the organization.
- Tier 3, Repeatable: Risk management practices are clearly approved, defined and adhered to, and consistent methods are in place to respond to and address risks across the organization.
- Tier 4, Adaptive: The organization adapts and evolves its risk management and cybersecurity practices based on lessons learned and predictive analysis. Cybersecurity risk management is part of the culture.
Tiers can provide context for how the organization views and manages cybersecurity risks.
Source for slide content: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
CSF - Overview: Implementation Tiers, Intel example
[Chart: Intel's example placement across Tier 1, Tier 2, Tier 3 and Tier 4]
Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final
CSF - Overview: Core Functions
- Identify: Understanding of assets, data, systems and capabilities in order to effectively apply and manage cybersecurity risks
- Protect: Controls and safeguards (processes, methods) to protect against cybersecurity threats
- Detect: Methods for proactive and continuous monitoring, alerts and events
- Respond: Incident response activities and procedures
- Recover: Business continuity, resilience and breach recovery processes
Source for slide content: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
CSF - Overview: Core Categories
Category example:
Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational confidentiality, integrity, and availability requirements.
Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final
CSF - Overview: Core Subcategories (getting more granular)
Category: Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational confidentiality, integrity, and availability requirements.
Subcategory: PR.DS-1: Protect data (including physical records) during storage to achieve confidentiality, integrity, and availability goals
Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final
CSF - Overview: Core Informative References (control frameworks)
Category: Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational confidentiality, integrity, and availability requirements.
Subcategory: PR.DS-1: Protect data (including physical records) during storage to achieve confidentiality, integrity, and availability goals
Informative References for PR.DS-1:
- COBIT APO01.06, BAI02.01
- ISO/IEC 27001 A.15.1.3
- CCS CSC 17
- NIST SP 800-53 Rev 4 SC-28
Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final
CSF - Overview
The CSF provides a common method for organizations to:
1. Baseline and describe the current ("as is") posture
2. Describe the target ("to be") state
3. Identify and prioritize improvements
4. Assess progress
5. Communicate to stakeholders
Source for slide content: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
CSF: Methods and ideas for alignment
Start small but think BIG. Assessment flow:
1. Identify stakeholders; form a core group
2. Communicate; align on scope and expectations for the pilot
3. Tailor tiers (organizational context)
4. Create the assessment tool and identify SMEs
5. SMEs assess current state (review, scores)
6. Set targets (profile); validate targets with the core team
7. Compare current to targets; identify gaps
8. Plan for drill-down and prioritization of strategy/plans
9. Communicate recommendations
CSF: Methods and ideas for alignment
Recommend a pilot at the top level (categories) as the starting point, which will allow for:
- Identifying critical gap areas for further strategic investment, prioritization and focus
- Minimizing getting bogged down by going too deep out of the gate
- Creating a consistent dialogue and vernacular within the organization relative to risk management and the risk-posture baseline
Crawl, walk, then run!
- Set expectations and align the organizational context to the CSF to maximize its use and benefit
- A starting point to better understand and articulate the complete risk picture across the organization
- Wash, rinse, repeat. Lessons will be learned along the way. Make adjustments and keep the communication channels open.
CSF: Outcomes and evolution - examples
SME roll-up of self-assessment (current profile against top-level categories)
[Chart: SME scores rolled up by functional area]
Evaluating by functional area provided greater insights.
Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final
CSF: Outcomes and evolution - examples
SME roll-up of self-assessment (current profile against top-level categories): outliers and differences (gaps)
[Chart callouts: highlight outliers; highlight major differences]
Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final
CSF: Outcomes and evolution - examples
Results! Again, this in turn can be used for further strategic prioritization, resource investment and deeper assessment against specific and desired outcomes.
Current ("Actual") and target tier per function and category; Delta = Actual - Target (negative means below target):

Category                          Actual  Target  Delta
Identify                             3       3      0
  Business Environment               2       2      0
  Asset Management                   2       2      0
  Governance                         4       3      1
  Risk Assessment                    2       2      0
  Risk Management Strategy           2       4     -2
Protect                              2       2      0
  Access Control                     1       1      0
  Awareness/Training                 2       3     -1
  Data Security                      2       2      0
  Protective Process & Procedures    2       2      0
  Maintenance                        3       4     -1
  Protective Technologies            2       2      0
Detect                               1       1      0
  Anomalies/Events                   3       2      1
  Security Continuous Monitoring     4       4      0
  Detection Process                  2       2      0
  Threat Intelligence                3       4     -1
Respond                              2       2      0
  Response Planning                  1       1      0
  Communication                      3       3      0
  Analysis                           2       2      0
  Mitigations                        2       2      0
  Improvements                       3       4     -1
Recover                              3       3      0
  Recovery Planning                  2       4     -2
  Improvements                       2       2      0
  Communications                     4       4      0

[Heat map titled "The risk landscape!": Actual tier (1-4) and gaps over target, per category]
Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final
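A small script, added here and not part of the Intel case study or its tooling, that performs the SME roll-up and gap calculation the last three slides describe: the current tier per category is the median of the SME scores, delta is current minus target, and the outlier and major-difference flags reproduce the chart callouts. The SME scores are constructed sample data; the Protect targets are taken from the results table above.

```python
# CSF profile roll-up and gap analysis (added example, not Intel's own tooling).
# Scores are CSF Implementation Tiers 1-4 as used on the slides. SME_SCORES is
# constructed sample data; TARGETS holds the Protect targets from the results table.
from statistics import median

# Constructed sample: three SMEs scoring the Protect categories (tier 1-4).
SME_SCORES = {
    "Access Control": [1, 1, 1],
    "Awareness/Training": [2, 2, 4],  # one SME scores two tiers higher
    "Data Security": [2, 2, 2],
    "Protective Process & Procedures": [2, 3, 2],
    "Maintenance": [3, 3, 3],
    "Protective Technologies": [1, 3, 2],  # wide spread, no single outlier
}
# Target tiers for the same categories, taken from the results table above.
TARGETS = {
    "Access Control": 1, "Awareness/Training": 3, "Data Security": 2,
    "Protective Process & Procedures": 2, "Maintenance": 4,
    "Protective Technologies": 2,
}

def roll_up(scores, target, gap=2):
    """Aggregate one category's SME scores the way the slides describe:
    current tier = median of SME scores (one outlier does not move it),
    delta = current - target (negative means below target). The flags mirror
    the 'highlight outliers' / 'highlight major differences' callouts: an
    outlier is >= `gap` tiers from the median; a major difference is a
    spread of >= `gap` tiers between SMEs."""
    current = int(median(scores))
    return {
        "current": current,
        "target": target,
        "delta": current - target,
        "outliers": [s for s in scores if abs(s - current) >= gap],
        "major_difference": max(scores) - min(scores) >= gap,
    }

def gap_report(sme_scores, targets):
    """Roll up every category; also list those below target, widest gap first."""
    rows = {cat: roll_up(s, targets[cat]) for cat, s in sme_scores.items()}
    gaps = sorted((c for c, r in rows.items() if r["delta"] < 0),
                  key=lambda c: rows[c]["delta"])
    return rows, gaps

if __name__ == "__main__":
    rows, gaps = gap_report(SME_SCORES, TARGETS)
    for cat in gaps:
        r = rows[cat]
        print(f"{cat:32} current {r['current']} target {r['target']} delta {r['delta']:+d}")
```

With the sample scores the report lists Awareness/Training and Maintenance as below target, matching the -1 deltas in the table, and flags the Awareness/Training score of 4 as an outlier without letting it move the category's tier.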
Final points of consideration
- It is the start of a journey
- Enables continuity and continuous improvement
- Branch out and connect with partners and others who are taking this journey
- Keep it simple! Do not go too deep too fast or try to eat the elephant
- Understanding your cyber risk and managing cyber investment priorities allows for real advancements in your security program (quit playing Whac-a-Mole!)
- Leveraging the CSF can help drive better risk management, prioritized investments and foster better communication across state organizations
User and Management Security Awareness & Training
Every organization has at least one Dave!
CSF Protect: Awareness and training example
Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

Subcategories and their Informative References:
PR.AT-1: All users are informed and trained
  CCS CSC 9; COBIT 5 APO07.03, BAI05.07; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.7.2.2; NIST SP 800-53 Rev. 4 AT-2, PM-13
PR.AT-2: Privileged users understand roles & responsibilities
  CCS CSC 9; COBIT 5 APO07.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
  CCS CSC 9; COBIT 5 APO07.03, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 PS-7, SA-9
PR.AT-4: Senior executives understand roles & responsibilities
  CCS CSC 9; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13
PR.AT-5: Physical and information security personnel understand roles & responsibilities
  CCS CSC 9; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13
Source for slide content: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
CSF Protect: Awareness and training example
Subcategory PR.AT-1: All users are informed and trained
Informative References:
- CCS CSC 9
- COBIT 5 APO07.03, BAI05.07
- ISA 62443-2-1:2009 4.3.2.4.2
- ISO/IEC 27001:2013 A.7.2.2
- NIST SP 800-53 Rev. 4 AT-2, PM-13
Source for slide content: http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
References
- Intel RSA 2015 presentation: https://www.rsaconference.com/writable/presentations/file_upload/strw01-implementing-the-us-cybersecurity-framework-at-intel-a-casestudy_final_v2.pdf
- Intel CSF white paper: http://www.intel.com/content/www/us/en/government/cybersecurityframework-in-action-use-case-brief.html
- NIST CSF website: http://www.nist.gov/cyberframework
- NIST SP 800-53 Revision 4: http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
- NIST Cybersecurity Framework Version 1.0: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Thanks, credits and contact info!
To the Intel team! Blazing the trail and making the cyber world a safer place!
Special thanks to Tim Casey (Tim.Casey@intel.com) for allowing me to borrow his work for this presentation.
Thanks to Kent Landfield (Intel Security) for his review and input on the content and flow!
Thank you to my Mom and Dad for bringing me into the world and my first picture being in a white hat. Coincidence? I think not!
Contact info: David_Brezinski@mcafee.com, David.Brezinski@intel.com