Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

Similar documents
Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

Looking at the SANS 20 Critical Security Controls

The Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Critical Controls for Cyber Security.

Defending Against Data Beaches: Internal Controls for Cybersecurity

THE TOP 4 CONTROLS.

SANS Top 20 Critical Controls for Effective Cyber Defense

The Protection Mission a constant endeavor

White Paper: Consensus Audit Guidelines and Symantec RAS

Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines

Building a More Secure and Prosperous Texas through Expanded Cybersecurity

Jumpstarting Your Security Awareness Program

Measure More, Spend Less. Better Security

CDM Hardware Asset Management (HWAM) Capability

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG)

Security Management. Keeping the IT Security Administrator Busy

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Top 20 Critical Security Controls

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance Draft 1.0: February 23, 2009

Information Technology Risk Management

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

SCAC Annual Conference. Cybersecurity Demystified

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

Company Profile S Flores #205 San Antonio, TX

Independent Security Operations Oversight and Assessment. Captain Timothy Holland PM NGEN

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Information Technology Control Framework in the Federal Government Considerations for an Audit Strategy

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Cyber Defense Operations Graduate Certificate

Check Point and Security Best Practices. December 2013 Presented by David Rawle

20 Critical Security Controls

The CAG An Earthquake in Security Compliance and How Security Is Measured ALAN PALLER DIRECTOR OF RESEARCH SANS INSTITUTE

5 Steps to Advanced Threat Protection

Great Now We Have to Secure an Internet of Things. John Pescatore SANS Director, Emerging Security

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Cybersecurity Continuous Monitoring at Fermilab. Irwin Gaines NLIT 4 May 2015

11th AMC Conference on Securely Connecting Communities for Improved Health

Goals. Understanding security testing

Critical Controls for Effective Cyber Defense

Assessing the Effectiveness of a Cybersecurity Program

FY14 Q2 Chief Information Officer Federal Information Security Management Act Reporting Metrics v1.0

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Cybersecurity: What CFO s Need to Know

How To Monitor Your Entire It Environment

Patch and Vulnerability Management Program

Concierge SIEM Reporting Overview

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

NERC CIP VERSION 5 COMPLIANCE

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

Cisco Advanced Services for Network Security

How To Improve Nasa'S Security

Federal IPv6 Working Group Innovative IPv6 Implementation with Least Cost Funding

How To Audit The Mint'S Information Technology

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Cyber Security Management

FISMA / NIST REVISION 3 COMPLIANCE

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Security Control Standard

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

The Role of Security Monitoring & SIEM in Risk Management

The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security

PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Security Controls Implementation Plan

SECURITY. Risk & Compliance Services

VENDOR MANAGEMENT. General Overview

Office of Inspector General

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

The Importance of Cybersecurity Monitoring for Utilities

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

How To Get The Nist Report And Other Products For Free

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

Strategic Plan On-Demand Services April 2, 2015

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

CORE IMPACT AND THE CONSENSUS AUDIT GUIDELINES (CAG)

Transcription:

Wasting Money on the Tools? Automating the Most Critical Security Controls Bonus: Gaining Support From Top Managers for Security Investments Mason Brown Director, The SANS Institute The Most Trusted Name in Information Security 1

About SANS Largest Security Training & Education Organization 95,000 alumni 60+ network security, app security and secure coding courses 150+ events annually 15,000 students per year Licensed, degree granting graduate education institution GIAC is an ANSI/ISO accredited certification body More than 26,000 certifications SANS Software Security Institute focuses on application layer attacks, defense and education Operates Internet Storm Center the open source early warning system Consensus research projects including Top Cyber Security Threats and Top 25 Programming Errors The Most Trusted Name in Information Security

What is going on with the boss? A CIO s Environment CIO mandates exceed time and resources available Cyber security is an enormously complex challenge there are very few true experts Security is not the only thing on the plate So Compliance, Compliance, Compliance Financial risk Embarrassment (personal/brand) risk It is time to focus on ways to make real improvements in security 3

Questions for Today 1. What is the landscape? 2. What should we automate? 3. Does automation work? 4. What tools do I need? 5. How do I get past the vendor sales pitch? 6. Won t it cost a lot? 7. What can I do right now? Focus investments by letting cyber offense inform defense! 4

Analogy of Current Cybersecurity Approach An ambulance shows up at a hospital emergency room with a bleeding patient Hospital gives inoculations for flu, tetanus, shingles, and vaccination updates Hospital tests for communicable diseases, high blood pressure, sends blood sample for cholesterol check, gives eye exam and checks hearing At some point, doctors address the cause of the bleeding OMB Policy Regarding FISMA Results in a Checklist Approach 5

Meanwhile, the patient is bleeding to death!! We Need Triage Not Comprehensive Medical Care But how to prioritize? 6

An Aha Moment! Scene: Briefing by NSA regarding latest penetration assessment of DoD systems Objective: Embarrass DoD CIOs for failure to provide adequate security. Subplot: If CIOs patch/fix current avenues of penetration, NSA would likely find others Realization: Let s use NSA s offensive capabilities to guide security investments Let Offense Inform Defense! 7

A Quiz 8

Should You Spend Money Here? 9

Or Here? 10

Finding the Most Common Attacks and Critical Controls Engage the best security experts: NSA Offensive Guys NSA Defensive Guys DoD Cyber Crime Center (DC3) US CERT (plus 3 agencies that were hit hard) Top Commercial Pen Testers Top Commercial Forensics Teams JTF GNO AFOSI Army Research Laboratory DoE National Laboratories FBI and IC JTF Prioritize controls to match successful attacks mitigate critical risks Identify automation/verification methods and measures Engage CIOs, CISOs, Auditors, and Oversight organizations Coordinate with Congress regarding FISMA updates 11

Result: What is Actually Happening. The Top Attack Patterns* Attack boundary devices with damaged ACLs Attack without being detected and maintain long term access due to weak audit logs Attack web sites exploiting programming errors Attack client software and other applications Gain administrator privileges to control target machines Gain access to sensitive data that is not adequately protected Exploit vulnerabilities on machines not being monitored and managed Exploit inactive user accounts Exploit poorly configured network services Exploit weak security of wireless devices Attack systems or organizations that have no or poor attack response Exploit poorly trained or poorly skilled employees * Developed as a part of developing 20 Critical Controls and not in priority order 12

20 Critical Controls for Effective Cyber Defense (1 of 2) These are the controls that help defend against common attacks Critical Controls Subject to Automated Collection, Measurement, and Validation: 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 5. Boundary Defense 6. Maintenance, Monitoring, and Analysis of Security Audit Logs 7. Application Software Security 8. Controlled Use of Administrative Privileges 9. Controlled Access Based on Need to Know 10. Continuous Vulnerability Assessment and Remediation 11. Account Monitoring and Control 12. Malware Defenses 13. Limitation and Control of Network Ports, Protocols, and Services 14. Wireless Device Control 15. Data Loss Prevention 13

20 Critical Controls for Effective Cyber Defense (2 of 2) Additional Critical Controls (not directly supported by automated measurement and validation): 16. Secure Network Engineering 17. Penetration Tests and Red Team Exercises 18. Incident Response Capability 19. Data Recovery Capability 20. Security Skills Assessment and Appropriate Training to Fill Gaps 14

Example Critical Control #3 Secure Configurations for Hardware and Software on Laptops, Workstations and Servers Attacker Exploit: Automated search for improperly configured systems Control: QW: Define standard images that are hardened versions QW: Negotiate contracts for secure images Config/Hygiene: Monthly checks w/ executive metrics showing trends for systems meeting (and not) configuration guidelines Associated NIST SP 800 53 Rev 3 Priority 1 Controls: CM 1, CM 2 (1, 2), CM 3 (b, c, d, e, 2, 3), CM 5 (2), CM 6 (1, 2, 4), CM 7 (1), SA 1 (a), SA 4 (5), SI 7 (3), PM 6 Automated Support: Employ SCAP compliant tools to monitor/validate HW/SW/Network configurations Evaluation: Introduce improperly configured system to test response times/actions BP: Sandia National Labs takes the inventory a step further by requiring the name and contact information of a sysadmin responsible for each element in its inventory. Such information provides near instantaneous access to the people in a position to take action when a system at a given IP address is found to have been compromised. 15

Relevance of 20 Critical Controls to FISMA FISMA and NIST Guidelines Security protections commensurate with risk Implementation of minimum controls Product selection by agencies Periodic testing and evaluation of controls NIST Guidelines Risk assessment is foundation CAG based on government wide risk assessment Selection of controls based on risk CAG controls address top cyber risks 20 Critical Controls are subset of 800 53 controls 20 Critical Controls helps agencies to comply with FISMA! 16

Questions for Today 1. What is the landscape? 2. What should we automate? 3. Does automation work? 4. What tools do I need? 5. How do I get past the vendor sales pitch? 6. Won t it cost a lot? 7. What can I do right now? Focus investments by letting cyber offense inform defense! 17

Site Scoring Progress Configurations using SMS, Vulnerability Testing Domestic Sites Down 83% Risk Level Foreign Sites Down 84%

Questions for Today 1. What is the landscape? 2. What should we automate? 3. Does automation work? 4. What tools do I need? 5. How do I get past the vendor sales pitch? 6. Won t it cost a lot? 7. What can I do right now? Focus investments by letting cyber offense inform defense! 19

What Works For Automating the Critical Controls 1. Vendors assert that their tool automates a specific control 2. Vendor supplies federal or financial user who can verify they are using it to automate that control (and it works) 3. Results to be published November 12 in Government Computer News and FCW Summit on the Critical Controls 4. Labs can validate SCAP and ARF support 20

100+ Tools Being Validated 21

Cool Discovery 1 Network device configuration 1. Has your organization ever changed the access control list (ACL) on firewalls and/or routers to allow traffic for specific applications or events? Did you remember to change them all back? Are you sure? 2. Validating a full rule set on a major router takes 2 3 days of an extraordinary technology expert. 3. We found a tool that automates it fully. 22

Cool Discovery 2 Hardware Inventory (it is hard to protect systems that you don t know you own) 1. Most inventory tools use an active ping and miss a substantial portion of the assets and usually cannot tell you (real time) when a rogue machine is installed 2. We found two that can find almost all and alert you using passive discovery, router logs, and more, in addition to active pinging. 3. Huge time savings. 23

Final Thoughts We can t do everything We know where to focus We know what can be automated We can validate the tools that work Procurement can be leveraged to make it affordable We Need to Stop the Bleeding Now! 24

Bonus: Career Move What you can do right now. No one knows yet if this will replace FISMA Do the gap analysis Show it to your executives. They are thinking about compliance, risk and embarrassment. Show them you are too. It s not too hard and you need to do it anyway the Controls just save you time figuring out priorities Then when it comes, you are the expert 25

More on Controls and Tools Critical Controls URLs: www.sans.org/critical security controls/ http://csis.org/files/publication/twenty_critical_controls_for_effective_cyber_defense_cag.pdf FCW Critical Controls Tools Event http://1105govinfoevents.com/eventoverview.aspx?event=csc09 26

Contact Information Mason Brown mbrown@sans.org www.sans.org The Most Trusted Name in Information Security 27

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information