Continuous Monitoring: Diagnostics & Mitigation October 24, 2012.

Presentation transcript:

Continuous Monitoring: Diagnostics & Mitigation October 24, 2012

OBSTACLE: CXOs are accountable for IT security BUT directly supervise only a small part of the systems actually in use.

Nature of Attacks: 80% of attacks leverage known vulnerabilities and configuration management setting weaknesses.

LOWERING RISK ACHIEVED BY:
- Correcting for “tunnel vision” seen in physiological studies of pilots
- Using math and statistics to accelerate corrective action
- Adapting market economics to daily risk calculation/priorities
- Automated patch distribution

WHILE NOT CHANGING:
- Structure of departments or agencies
- Decentralized technology management
- Structure of security program
RATHER:
- Focus on Return on Investment (ROI)
- Integrate cyber security, operations, and top-to-bottom work force decisions

“Attack Readiness” [chart: what time is spent on]. Faster action = lower potential risk.

[Chart: Organizations, Major Systems; Contractor Performance]

Addressing Information Overload [chart: List Dominant Percentages of Risk]

Results, First 12 Months [chart: Personal Computers and Servers]

1/3 of Remaining Risk Removed [chart: Year 2, PCs/Servers]


[Chart: patch coverage when charging 40 points: % in seven (7) days; % in 30 days]

Case Study Results
- 89% reduction in risk after 12 months – personal computers & servers
- Mobilizing to patch worst IT security risks first
  – Mitigation across 24 time zones
  – Patch coverage 84% in 7 days; 93% in 30 days
- Outcome:
  – Timely, targeted, prioritized information
  – Actionable
  – Increased return on investment compared to an earlier implementation of FISMA

Lessons Learned
- When continuous monitoring augments snapshots required by FISMA:
  – Mobilizing to lower risk is feasible & fast (11 mo)
  – Changes in 24 time zones with no direct contact
  – Cost: 15 FTE above technical management base
- This approach leverages the wider workforce
- Security culture gains are grounded in fairness, commitment and personal accountability for improvement

Development Phase

Federal CIO and CISO Cyber Goals
- Protect information assets of the US gov’t
  – Availability, integrity and confidentiality
- Lower operational risk and exploitation of
  – national security systems
  – .gov networks, major systems & cloud services
- Increase situational awareness of cyber status
- Improve ROI of federal cyber investments
- Fulfill FISMA mandates

20 Critical Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Security Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
20. Penetration Tests and Red Team Exercises (validated manually)

Continuous Diagnosis and Mitigation (CDM) “Full Operational Capability” (FOC) / Desired State:
- Minimum time to FOC for CDM: 3 years
- CDM covers % of controls
- Smaller attack surface/“risk” for .gov systems
- Weaknesses are found and fixed much faster
- Replaces much assessment work ($440M)
  – And most of the POA&M process ($1.05 B)
- Risk scores reflect: threat, vulnerability and impact
  – Used to make clear, informed risk-acceptance decisions
- Economies reduce total cost yet improve security.
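The arithmetic behind the risk-score, “dominant percentages of risk” and 7-/30-day patch coverage slides, as an added example that is not from the presentation or the CDM program: each finding gets points from threat x vulnerability x impact (the 40-point charge, the weekly age escalation and its 3x cap are assumptions), points are totalled per organization, the shortest list of organizations holding most of the risk is produced, and patch coverage within N days is computed. The sample findings and organization names are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    org: str               # department/agency or post that owns the host
    threat: float          # 0..1: how actively the weakness is being exploited
    vulnerability: float   # 0..1: how exposed the host is (reachable, unmitigated)
    impact: float          # 0..1: mission consequence if the host is compromised
    found: date
    fixed: Optional[date]  # None while the finding is still open
BASE_POINTS = 40.0  # assumption: the "40 points" the slides charge for a finding

def risk_points(f: Finding, today: date) -> float:
    """Points = threat x vulnerability x impact; open findings accrue +10%/week, capped at 3x (assumption)."""
    if f.fixed is not None: return 0.0
    age_factor = min(1.0 + 0.1 * ((today - f.found).days // 7), 3.0)
    return BASE_POINTS * f.threat * f.vulnerability * f.impact * age_factor

def risk_by_org(findings, today):
    totals = {}
    for f in findings:
        totals[f.org] = totals.get(f.org, 0.0) + risk_points(f, today)
    return totals

def dominant_orgs(totals, share=0.8):
    """Shortest list of orgs holding >= `share` of all risk: the 'dominant percentages' view."""
    grand = sum(totals.values())
    picked, acc = [], 0.0
    for org, pts in sorted(totals.items(), key=lambda kv: -kv[1]):
        if grand == 0 or acc / grand >= share:
            break
        picked.append((org, round(pts / grand, 3)))
        acc += pts
    return picked

def patch_coverage(findings, within_days):
    """Share of all findings fixed within `within_days` of discovery; open ones count against it."""
    done = sum(1 for f in findings if f.fixed and (f.fixed - f.found).days <= within_days)
    return done / len(findings) if findings else 0.0
# Constructed sample findings (not from the presentation); "today" is the talk date.
TODAY = date(2012, 10, 24)
FINDINGS = [
    Finding("Embassy-A", 0.9, 0.8, 1.0, date(2012, 10, 1), None),
    Finding("Embassy-A", 0.5, 0.5, 0.5, date(2012, 10, 20), None),
    Finding("Bureau-B", 0.9, 0.9, 0.9, date(2012, 9, 1), date(2012, 9, 5)),
    Finding("Bureau-B", 0.3, 0.6, 0.5, date(2012, 10, 10), None),
    Finding("Post-C", 0.6, 0.4, 0.5, date(2012, 9, 10), date(2012, 9, 30)),
]
```

With this data one organization holds about 91% of the points, so the dashboard list is a single line, and coverage is 0.2 within 7 days and 0.4 within 30 days.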

Selection of First Year Priorities
- Implement CMWG focus areas for controls
  – NSA and CMWG collaboration put in pilots
  – Complete baseline survey of highest D/A risks
- Award task orders for sensors and services tailored to agency needs and risk profile
- Connect initial controls to dashboard
  – HW/SW asset management/white listing; vulnerability; configuration settings; anti-malware

Use of DHS Appropriated Funds
- Strategic Sourcing to buy
  – Sensors (where missing)
  – A Federal Dashboard
  – Services to operate the sensors and dashboard in the D/As
- Labor to mentor and train D/As to use the dashboard to reduce risk efficiently
- Processes to support CMWG (continuous C&A)

Stakeholder Consultation
DHS and CMWG will consult on program direction and reflect stakeholder concerns of:
– CIO Council/ISIMC, ISPAB
– NSS, EOP, NIST, NSA
– D/As and components
– Industry
– FFRDCs
– Others

Continuous Monitoring (CM) Contract Elements (table). Columns: Beneficiary for FY13 Networks & COTS CM Software ($202M); Tools/Services as options for internal use (use diagnostic standards but may or may not purchase); Cloud.

1. Dashboard
   – FY13 beneficiary: DHS pays for all government Departments and Agencies; security reporting to CyberScope
   – Options for internal use: can purchase off of federal contract: .mil, Defense Industrial Base; others who use federal $; plus State, local gov’t
   – Cloud: Cloud Service Providers for direct support of government dedicated cloud clients with cost embedded. CSPs could buy dashboard.
2. Continuous Monitoring Tool Bundles (Multiple Award)
   – FY13 beneficiary: DHS pays for initial .gov Agencies & Departments who choose diagnostic capabilities
   – Options for internal use: can purchase off of federal contract: .mil, Defense Industrial Base; others who use federal $; plus State, local gov’t
   – Cloud: Cloud Service Providers offer direct support of government dedicated cloud clients with cyber testing cost embedded. CSPs could buy tools.
3. Continuous Monitoring as a Service (CMaaS)
   – FY13 beneficiary: DHS pays for initial .gov Agencies & Departments who may choose a diagnostic service provider
   – Options for internal use: Departments & Agencies (or others) pay for custom systems CM using internal C&A report money (diagnostics and feeds to CyberScope); Department & Agency custom systems using internal funds
   – Cloud: CSPs could buy CMaaS for use as 3rd party Assessors.
4. Continuous monitoring data integration
   – FY13 beneficiary: DHS pays to prepare .gov diagnostic reports & CyberScope feeds
   – Options for internal use: Departments & Agencies (or others) pay, using DHS published standards, using internal funds
   – Cloud: using DHS published standards, using internal funds

(Slide annotation: $440 M/yr.)

[Figure: mapping of the 20 Critical Controls to CDM capabilities (lettered a–p) and phases P1–P3/4; the control-to-capability mapping itself is not recoverable from the transcript.] Notes on the figure: change to “plan for events” and “respond to events”. The controls marked as assets require all the other capabilities applied to them. For an application, its HW, SW etc. must be managed, inside a boundary, configured and relatively free of vulnerabilities. One delta would be the extra analysis SW needs pre-operations.