Building Security In: Intelligent Security Design, Development and Acquisition
Steve Caimi, Industry Solutions Specialist, US Public Sector Cybersecurity
September 2015
#CACyberSS2015

A Little About Me
- Twenty years in cybersecurity, enterprise software, networking, and telecommunications
- Security Specialist for the US Public Sector
- Security Product Manager
- Security Sales Engineer and Certified Instructor
- Network Engineer and Systems Administrator
- Combination of business and technical education: MBA, Virginia Tech; BS EE, Penn State; CISSP #56364, March 2004

Federal CIO Tony Scott, Cloud Computing Forum & Workshop VIII, July 7, 2015
On adding security later:
- Like duct-taping airbags to a 1965 Mustang
- Even if you could do it, the result would probably be pretty ugly
- It's expensive, hard to do... you end up with something no one wants
Security By Design: Ensure that security is built into every layer
Source: Federal Computing Week, July 7, 2015
California: A Cybersecurity Leader
The Brookings Institution characterizes states with strong cybersecurity plans by four characteristics; how the State of CA measures up:
- Acknowledge the cybersecurity problem: Yes
- Implement strategic and multi-faceted cybersecurity plans: Yes
- Collect and act on cybersecurity metrics: Yes
- Rely on NIST standards rather than locally-developed plans: Partly

California Information Security Office (CISO), Chapter 5300, Section 5300.5 Information Security Minimum Security Controls
- California has adopted the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 as minimum information security control requirements to support implementation and compliance with the Federal Information Processing Standards (FIPS)
- Each state entity shall use the FIPS and NIST SP 800-53 in the planning, development, implementation, and maintenance of their information security programs

SAM Chapter 5300
- 77 pages, over 40 sections
- Maintained by the State, updated every 3 years
- Painstakingly mapped to NIST SP 800-53
- California-specific

NIST Special Publication 800-53
- 460 pages with 18 control families
- Hundreds of individual security controls
- Now on its fourth revision

DoD and NIST: Closer Alignment
DoDI replaces DIACAP with the NIST Risk Management Framework (RMF): "The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) SP 800-37."
Figure: NIST Risk Management Framework
Maybe there's a better way?

Imagine a simple yet effective framework...
Intelligent Security Design
- Builds cybersecurity risk management directly into your overall risk management program
- Aligns with national standards
Intelligent Security Development
- Improves your existing cybersecurity capabilities over time
- Uses standard language and terminology to discuss cybersecurity risks
Intelligent Security Acquisition
- Enables you to prioritize cybersecurity investments for maximum impact
- Reduces human workloads to focus on higher value activities

It's Here. It's the NIST Cybersecurity Framework. And Other States Are Doing It.
"The State of Texas has aligned the Framework Functions to its agency security plan. Texas has developed a statewide framework that covers cybersecurity best practices and is mapped to the Framework subcategories. To mitigate supplier risk, the state also uses a vendor alignment template that is rooted in the Framework core."
NIST Newsletter, Update on the Cybersecurity Framework (July 1, 2015)
Framework Background
State CIO Priorities
National Institute of Standards and Technology
- Breadth and depth across vast subject areas: Information Technology, telecommunications, energy, chemistry, math, physics, public safety, nanotechnology, and much more
- Information Technology publications and best practices: Computer Security Resource Center (CSRC), Cybersecurity Framework, Cloud Computing, Information Technology Laboratory, Smart Grid, National Strategy for Trusted Identities in Cyberspace (NSTIC)
- Mission: To promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life

Improving Critical Infrastructure Cybersecurity, Executive Order 13636, February 2013
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."

NIST Cybersecurity Framework
- Outcome of Executive Order 13636, and result of collaboration between public and private sectors
- Manages cybersecurity risks in a cost-effective way, while protecting privacy and civil liberties
- References the globally accepted standards (COBIT, ISO/IEC, ISA, NIST, CCS) that are working well today
- Intended for worldwide adoption, not US only
- Uses common terminology to discuss cybersecurity risk
- Ensures business drivers guide cybersecurity activities
- Considers cybersecurity risks as part of the organization's overall risk management process

Promoting Cybersecurity Best Practices
People, Process, Technology: the Framework covers all three

People: Addressing the Role of People
The Framework helps organizations optimize their cybersecurity activities
- Aligns cybersecurity activities with business risk
- Prioritizes activities that are most important for critical service delivery
- Maximizes the impact of cybersecurity spending

People: Facilitating Communication
The Framework uses a common language to discuss cybersecurity risk
- Improves communication among cybersecurity experts and senior leadership within an organization
- Improves communication with external vendors, partners, and contractors
- Aligns the Information Technology (IT) and Operations Technology (OT) teams

Process: Complementing Existing Processes
The Framework works with existing risk management programs
- ISO 31000:2009
- ISO/IEC 27005:2011
- NIST SP 800-39
- Electricity Subsector Cybersecurity Risk Management Process (RMP)
- More...

Technology: Future-Proofing
The Framework ensures future extensibility and enables technical innovation
- Remains technology-agnostic
- Evolves with technical advances and new business requirements
- Acknowledges the global nature of cybersecurity risks
- Scales across borders

Applying to Everyone
The Framework enables all organizations to improve security and resilience
- Any size or type of organization
- Both public and private sectors
- Any degree of cybersecurity risk
- Any level of cybersecurity sophistication
- Anywhere in the world
Framework Basics
Framework Components
1. Framework Core: Set of activities, desired outcomes, and applicable references common across critical infrastructure sectors
2. Framework Implementation Tiers: An organization's view on how well it manages risk, ranging from Partial (Tier 1) to Adaptive (Tier 4)
3. Framework Profile: Alignment of the Framework Core structure with the specific business requirements of a particular organization

Framework Core: Four Parts
The Core is a grid of Functions (Identify, Protect, Detect, Respond, Recover) broken down into Categories, Subcategories, and Informative Resources:
1. Functions: high-level cybersecurity goals
2. Categories: subdivide Functions into specific activities
3. Subcategories: subdivide Categories into desired outcomes
4. Informative Resources: standards references to achieve the outcomes
Functions: High-Level Goals
- ID Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- PR Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- DE Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- RS Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- RC Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

Categories: Specific Activities (Core Function Identify, ID)
- ID.AM Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
- ID.BE Business Environment (BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- ID.GV Governance (GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber risk.
- ID.RA Risk Assessment (RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- ID.RM Risk Management Strategy (RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Subcategories: Specific Outcomes (Core Function Identify, Category Asset Management, ID.AM)
- ID.AM-1: Physical devices and systems within the organization are inventoried
- ID.AM-2: Software platforms and applications within the organization are inventoried
- ID.AM-3: Organizational communication and data flows are mapped
- ID.AM-4: External information systems are catalogued
- ID.AM-5: Resources (hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
- ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (suppliers, customers, partners) are established

Informative Resources (Core Function Identify, Category Asset Management, Subcategory Physical device inventories, ID.AM-1)
- CCS CSC 1
- COBIT 5 BAI09.01, BAI09.02
- ISA 62443-2-1:2009 4.2.3.4
- ISA 62443-3-3:2013 SR 7.8
- ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
- NIST SP 800-53 Rev. 4 CM-8
International standards references: Council on CyberSecurity (CCS), Control Objectives for Information and Related Technology (COBIT), International Society of Automation (ISA), International Organization for Standardization (ISO), International Electrotechnical Commission (IEC)
Tiers
Tiers reflect how an organization views cybersecurity risk and the processes in place to manage that risk
- Tier 4 Adaptive: Practices fully established and continuously improved
- Tier 3 Repeatable: Practices approved and established by organizational policy
- Tier 2 Risk Informed: Practices approved but not completely established by policy
- Tier 1 Partial: Informal, ad hoc, reactive responses

Profiles
Profiles are the alignment of the Framework Core with an organization's business requirements, risk tolerance, and resources
- Describes the current state and desired future state
- Reveals gaps that can flow into action plan development
- Facilitates a roadmap for reducing cybersecurity risk

Core Functions & Categories
- Identify: Know what you have
- Protect: Secure what you have
- Detect: Spot threats quickly
- Respond: Take action immediately
- Recover: Restore operations

Technology Doesn't Cover Everything
- Only half of the Framework's Categories are addressed by technology
- Highlights the importance of both people and process in cybersecurity
Using the Framework
Ways to Use the Framework
- Basic Review of Cybersecurity Practices: How well are we doing today?
- Establishing or Improving a Cybersecurity Program: Can we assess and improve? (Let's focus here)
- Communicating Cybersecurity Requirements with Stakeholders: Can we speak the same language?
- Identifying Opportunities for Updated Informative References: What else should we consider?
- Methodology to Protect Privacy and Civil Liberties: Can we protect data better?

Improving a Cybersecurity Program (seven-step cycle)
Start -> 1 Prioritize and Scope -> 2 Orient -> 3 Create Current Profile -> 4 Conduct Risk Assessment -> 5 Create Target Profile -> 6 Analyze Gaps -> 7 Implement Action Plan -> back to 1

Step 1: Prioritize and Scope
- Identify business/mission objectives and high-level organizational priorities
- Make strategic decisions on cybersecurity
- Determine the scope of systems and assets that support the mission
- Assess risk tolerance

Step 2: Orient
- Identify related systems, regulatory requirements, and overall risk approach
- Identify threats to systems and assets
- Identify vulnerabilities associated with systems and assets

Step 3: Create Current Profile (Function Identify, Category Asset Management, ID.AM)
- ID.AM-1 Physical device inventories: Tier 1. Manual, spreadsheet-based system is insufficient and lacks network visibility.
- ID.AM-2 Software inventories: Tier 1. Asset management system cannot detect new software applications being deployed.
- ID.AM-3 Communication/data flow maps: Tier 2. Flow maps are documented and approved but need to be formalized by policy.
- ID.AM-4 External system catalogs: Unused. Current business model does not require external system catalogs.
- ID.AM-5 Resource prioritization: Tier 4. Prioritization system is working well for our needs today.
- ID.AM-6 Roles/responsibilities clarification: Tier 3. New cybersecurity responsibilities need to be formalized by policy.

Step 4: Conduct Risk Assessment (against the Current Profile)
- ID.AM-1 Tier 1, ID.AM-2 Tier 1: Unacceptably high risks
- ID.AM-3 Tier 2, ID.AM-4 Unused, ID.AM-5 Tier 4, ID.AM-6 Tier 3: Acceptable risks at this time

Step 5: Create Target Profile
This is where we want to be: physical device and software inventories at Tier 4, Adaptive (practices fully established, continuously improved, and built into our overall risk management program)
- ID.AM-1: Tier 4
- ID.AM-2: Tier 4
- ID.AM-3: Tier 2
- ID.AM-4: Unused
- ID.AM-5: Tier 4
- ID.AM-6: Tier 3

Step 6: Analyze Gaps (Current Profile vs. Target Profile)
- ID.AM-1: Tier 1 -> Tier 4
- ID.AM-2: Tier 1 -> Tier 4
- ID.AM-3: Tier 2 -> Tier 2
- ID.AM-4: Unused -> Unused
- ID.AM-5: Tier 4 -> Tier 4
- ID.AM-6: Tier 3 -> Tier 3
The gaps enable a prioritized action plan.

Step 7: Develop Action Plan: Informative Resources
- ID.AM-1: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
- ID.AM-2: CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
NIST SP 800-53 Revision 4, CM-8 / Information System Component Inventory. Control: The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]

Step 7: Develop Action Plan: Device Inventory
We need an accurate device inventory... but how can we know what devices we have?

Step 7: Implement Action Plan: Device Discovery
Cisco Identity Services Engine (ISE) discovers and accurately identifies devices connected to wired, wireless, and virtual private networks, supporting NIST SP 800-53 Revision 4 CM-8 / Information System Component Inventory (control text as quoted above).

Continuous Improvement: Not Once and Done!
The cycle repeats: 1 Prioritize and Scope -> 2 Orient -> 3 Create Current Profile -> 4 Conduct Risk Assessment -> 5 Create Target Profile -> 6 Analyze Gaps -> 7 Implement Action Plan -> back to 1
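To make the Core structure (Function > Category > Subcategory > Informative Resources) and steps 3 through 7 of the cycle concrete, here is an added example, not from the deck or from Cisco, that models the ID.AM rows above and computes the risk flags, gaps and a prioritized action plan. The tiers and references are those on the slides; the scoring rule (gap = target tier minus current tier, with a configurable "unacceptable below" floor) is this example's own assumption, and the references for ID.AM-3 through ID.AM-6 are left empty because the deck does not list them.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Framework Implementation Tiers, as named on the slides.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass
class Subcategory:
    """One Core Subcategory with its current/target tier and Informative References."""
    ident: str                     # e.g. "ID.AM-1"
    outcome: str
    current: int | None            # tier, or None when the subcategory is unused
    target: int | None
    references: list[str] = field(default_factory=list)


# Function Identify (ID), category Asset Management (ID.AM): tiers and references
# as on the slides; the slides give no references for ID.AM-3..6.
ID_AM = [
    Subcategory("ID.AM-1", "Physical device inventories", 1, 4,
                ["CCS CSC 1", "COBIT 5 BAI09.01, BAI09.02", "ISA 62443-2-1:2009 4.2.3.4",
                 "ISA 62443-3-3:2013 SR 7.8", "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2",
                 "NIST SP 800-53 Rev. 4 CM-8"]),
    Subcategory("ID.AM-2", "Software inventories", 1, 4,
                ["CCS CSC 2", "COBIT 5 BAI09.01, BAI09.02, BAI09.05",
                 "ISA 62443-2-1:2009 4.2.3.4", "ISA 62443-3-3:2013 SR 7.8",
                 "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2", "NIST SP 800-53 Rev. 4 CM-8"]),
    Subcategory("ID.AM-3", "Communication/data flow maps", 2, 2),
    Subcategory("ID.AM-4", "External system catalogs", None, None),
    Subcategory("ID.AM-5", "Resource prioritization", 4, 4),
    Subcategory("ID.AM-6", "Roles/responsibilities clarification", 3, 3),
]


def risk_assessment(sub: Subcategory, floor: int = 2) -> str:
    """Step 4: a current tier below `floor` is an unacceptably high risk.
    The slides flag Tier 1 only; the configurable floor is this example's assumption."""
    if sub.current is None:
        return "unused"
    return "unacceptable" if sub.current < floor else "acceptable"


def gap(sub: Subcategory) -> int:
    """Step 6: tiers still to climb; 0 when unused or already at (or above) target."""
    if sub.current is None or sub.target is None:
        return 0
    return max(sub.target - sub.current, 0)


def action_plan(subs: list[Subcategory]) -> list[tuple[str, str, str, list[str]]]:
    """Step 7: subcategories with a gap, largest gap first, with the references to consult."""
    todo = sorted((s for s in subs if gap(s) > 0), key=lambda s: (-gap(s), s.ident))
    return [(s.ident, TIERS[s.current], TIERS[s.target], s.references) for s in todo]


if __name__ == "__main__":
    for s in ID_AM:
        print(f"{s.ident:8} current={s.current} target={s.target} "
              f"risk={risk_assessment(s)} gap={gap(s)}")
    for ident, cur, tgt, refs in action_plan(ID_AM):
        print(f"\n{ident}: {cur} -> {tgt}; consult: {'; '.join(refs)}")
```

Run as a script it prints the six-row profile and the two-item plan (ID.AM-1 and ID.AM-2, Partial to Adaptive), matching the gap-analysis slide; changing `floor` or the target tiers re-derives the plan for a different risk tolerance.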
Cisco Security: Supporting the Framework
Cisco's Threat Centric Security Model: Attack Continuum
- Before: Discover, Enforce, Harden
- During: Detect, Block, Defend
- After: Scope, Contain, Remediate
Across Network, Endpoint, Mobile, Virtual, Cloud, Email and Web; both point in time and continuous

Cisco's Threat Centric Security Model: Aligning with the Framework Core
- Attack continuum: Before (Discover, Enforce, Harden); During (Detect, Block, Defend); After (Scope, Contain, Remediate)
- Framework Core Functions: Identify, Protect, Detect, Respond, Recover

Technology: Cisco Security Supports the Framework with Security Products

People and Process: Cisco Security Supports the Framework with Security Services
Conclusion
Building Security In: Let's see those airbags in the new Mustang...
Security By Design: Security built into every layer
Source: Federal Computing Week, July 7, 2015

NIST Cybersecurity Framework Enables...
Intelligent Security Design
- Builds cybersecurity risk management directly into your overall risk management program
- Aligns with national standards
Intelligent Security Development
- Improves your cybersecurity capabilities over time
- Uses standard language and terminology to discuss cybersecurity risks
Intelligent Security Acquisition
- Enables you to prioritize cybersecurity investments for maximum impact
- Reduces human workloads to focus on higher value activities

What's Next: NIST Roadmap for Improving the Framework
- Aligning the Cybersecurity Framework and the Risk Management Framework (RMF)
- Promoting better identification and authentication solutions (NSTIC pilots)
- Standardizing, automating, and sharing of threat information across sectors
- Developing and training the cybersecurity workforce of tomorrow (NICE initiative)

Call To Action
- Learn more about the Cybersecurity Challenge: Cisco Security Report, http://www.cisco.com/go/securityreport
- Learn more about the Threat-Centric Security Model: Cisco Threat-Centric Security, http://www.cisco.com/go/security
- Learn more about the Cybersecurity Framework: NIST Cybersecurity Framework, http://www.nist.gov/cyberframework
Stop by the Cisco booth!