The Cybersecurity Framework
Jerry Beasley, CISM Security Services Manager Presented to NASCUS/CUNA Cybersecurity Symposium 2017
Overview
Today's session will explore:
The Threat Landscape
Defense Strategies
Defense Frameworks
Implementing the NIST Cybersecurity Framework
Threat Landscape
Attacks ARE increasing. According to Symantec's 2016 Internet Security Threat Report:
42% increase in targeted attacks
5,585 new vulnerabilities discovered
55% increase in phishing campaigns
415 new vulnerabilities on mobile operating systems
54 zero-day vulnerabilities (up 125%) – no warning before exploit
43% of targeted attacks aimed at businesses with fewer than 250 employees
Threat Landscape
Cyber Crime is Growing: Attack distribution for 2015/16 (as reported by hackmageddon.com):
Threat Landscape
Cybercrime costs the global economy up to US$575 billion annually, according to a recent report by BofA Merrill Lynch Global Research. Another new record was set near the end of the year when 191 million identities were exposed, surpassing the previous record for the largest single data breach. 2017 promises to easily break these records.
Threat Landscape
Does it make you "WannaCry"?
What is Cybersecurity? Information Security Background
Cyber ~ "computer", "computer network", "virtual"
In our practical application, it is synonymous with: INFORMATION SECURITY
DEFENSE STRATEGIES
Information/Cyber Security Lessons Learned
We cannot rely solely on firewalls and anti-malware
Attack vectors are present at all layers of an organization / infrastructure
Attack defenses must address all of these (Defense in Depth)
Aggressive testing can help identify undiscovered weaknesses
Vulnerability or Penetration Testing alone cannot prevent a breach
Successful organizations have a plan and establish a framework
DEFENSE STRATEGIES
Defense in Depth
An information assurance concept in which multiple layers of security controls (defenses) are placed throughout an IT system. The strategy is to provide redundancy so that if one layer of defense fails, another layer may thwart or further delay attacks.
Defense in Depth
Layers (analogy – the layers of an onion): People, Policies & Procedures; Physical; Firewall; IDS / IPS; NAC; Permissions; HIDS; Anti-malware; Updates; User Training; Encryption; Backups
(Presenter note: I like this slide better than the previous – they'll get this. DiD is an important term…)
DEFENSE STRATEGIES
Building People, Policies, and Procedures: Existing Models
NIST Risk Management Framework (SP , A)
CIS 20 Critical Security Controls
ISO/IEC 27001
The Cybersecurity Framework Version 1.0 / 1.1 (draft)
(Presenter note: CAREFUL!!! This will open questions like "which one(s) does FP use? What do you audit against? Which is best?" I'd highlight that these are all guidelines to help make our jobs easier to cover everything.)
NIST Risk Management Framework
CIS 20 Critical Security Controls
A compilation of 20 critical controls providing:
Controls mapped to specific attack types
Specific actions that organizations are taking to implement, automate, and measure effectiveness
Recommended procedures and tools to enable implementation
The Critical Controls are characterized by:
Increased asset accountability (hardware & software)
Increased integration / automation
ISO/IEC 27001/27002
Code of practice for information security controls:
DEFENSE STRATEGIES
A National Cybersecurity Framework
With Executive Order 13636, the President initiated the Framework for Improving Critical Infrastructure Cybersecurity
A general framework for mass consumption
Uses business drivers to focus efforts on the security agenda
Use is voluntary, but the framework is gaining steam
Flexible – not a "one size fits all" approach
Founded on risk management principles
National Cybersecurity Framework
Who is part of this community?
Entities with a role in securing the nation's infrastructure
"Members of each critical infrastructure sector perform functions that are supported by information technology (IT) and industrial control systems…"
NIST Implementation
The National Institute of Standards and Technology (NIST) developed the initial implementation guidance: "Framework for Improving Critical Infrastructure Cybersecurity", also known as "The Cybersecurity Framework" or CSF
The Cybersecurity Framework
Industry Adoption
Emphasis for adoption by FDIC, OCC, FFIEC and NCUA, among others
The Cybersecurity Framework
FFIEC Cybersecurity Assessment Tool (CSAT) Management tool for evaluating framework implementation
The Cybersecurity Framework
Designing your program around the NIST Cybersecurity Framework provides:
A framework to implement a defense-in-depth strategy (risk reduction)
A method to assure alignment with regulatory guidance (compliance)
The Cybersecurity Framework
The framework aligns with the common Cybersecurity functions:
The Cybersecurity Framework
The framework provides the required program elements (high-level controls).
The Cybersecurity Framework
The framework introduces the concept of "Implementation Tiers", i.e. the degree of implementation. FFIEC's CSAT translates this concept into "Maturity Levels"
The Cybersecurity Framework
The framework maps to implementation guidance
The Cybersecurity Framework
A recommended starting point is the Framework Core
98 controls/practices that should be common to most organizations
These will be adapted and supplemented based on your needs
The Cybersecurity Framework
SO…if you’ve implemented another standard (ISO, CIS 20 Critical Controls, COBIT, etc.)… …You can still use the implementation details within the CSF.
The Cybersecurity Framework
It is intended to be integrated into a Risk Management program
Source: Cybersecurity Framework Version 1.0
IMPLEMENTATION STRATEGY
Risk Assessment
Existing Program Inventory
Modeling New Program
Measuring Progress
Adapting
IMPLEMENTATION STRATEGY
Risk Assessment
Determine what you are protecting
Determine the type and likelihood of threats
Determine if your current controls are adequate to reduce the risk
Provides prioritization for control implementation
IMPLEMENTATION STRATEGY
Existing Program Inventory (Gap Analysis)
CSAT provides a good program-level view and helps determine the degree of implementation required
May also be derived from existing Risk or Compliance Assessments
This documents the "current" profile: the elements of the CSF you already have in place
IMPLEMENTATION STRATEGY
Model New Program
Translate functions into strategies
Translate categories into roles / responsibilities
Translate sub-categories into plans of action
Establish your "target" profile
IMPLEMENTATION STRATEGY
Monitor & Re-assess
How do you know it's working?
Risk Assessments
Audit and Compliance
Testing and Exercises
New CSAT to determine changes in inherent risk or maturity
IMPLEMENTATION STRATEGY
Adapt
Add to or modify the CSF core to ensure effective:
Identification – knowing what you have
Protection – establishing defense-in-depth
Detection – awareness of cybersecurity events
Response – knowing what to do when events happen
Recovery – having the means to recover from events
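The implementation strategy above boils down to comparing a "current" profile against a "target" profile per CSF function and using the risk assessment to prioritize the gaps. The following is an added example (not from the presentation or from NIST) of that gap analysis in Python; the five functions and the four Implementation Tiers are CSF 1.0, while the tier names, risk weights and sample profiles are my own constructed illustrations.

```python
"""Profile gap analysis for the NIST Cybersecurity Framework (CSF).
Added example, not from the original slides. The five functions and four
Implementation Tiers are CSF 1.0; risk weights and sample profiles are constructed."""
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    function: str
    current: int
    target: int
    weight: int  # risk weight from the risk assessment step (constructed)

    @property
    def size(self) -> int:
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> int:
        # Risk-weighted gap: larger gaps in higher-risk functions come first.
        return self.size * self.weight


def validate_profile(profile: dict) -> None:
    """Reject a profile that misses a function or uses an invalid tier."""
    missing = set(FUNCTIONS) - set(profile)
    if missing:
        raise ValueError(f"profile missing functions: {sorted(missing)}")
    bad = {f: t for f, t in profile.items() if t not in TIERS}
    if bad:
        raise ValueError(f"tier must be 1..4: {bad}")


def gap_analysis(current: dict, target: dict, weights: dict) -> list:
    """Per-function gaps between current and target profile, highest priority first."""
    validate_profile(current)
    validate_profile(target)
    gaps = [Gap(f, current[f], target[f], weights.get(f, 1)) for f in FUNCTIONS]
    return sorted(gaps, key=lambda g: (-g.priority, FUNCTIONS.index(g.function)))


# Constructed sample: a small institution's current self-assessment and its goal.
CURRENT_PROFILE = {"Identify": 2, "Protect": 3, "Detect": 1, "Respond": 2, "Recover": 1}
TARGET_PROFILE = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 3}
RISK_WEIGHTS = {"Detect": 3, "Recover": 2}  # constructed; from the risk assessment

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHTS):
        print(f"{g.function:<8} Tier {g.current}->{g.target} "
              f"({TIERS[g.current]} -> {TIERS[g.target]}) priority={g.priority}")
```

Re-running it with a fresh current profile after each CSAT cycle gives the "Monitor & Re-assess" view of whether the gaps are actually closing.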
Where to go from here?
[Figure: Identify, Protect, Detect, Respond and Recover charted across Tier 1 through Tier 4 – improve and optimize (IMPROVE/ADAPT)]
Where to go from here?
[Figure: Identify, Protect, Detect, Respond and Recover charted across the maturity levels Baseline, Evolving, Intermediate, Advanced and Innovative – improve and optimize (IMPROVE/ADAPT)]
Summary
Today we discussed:
The Threat Landscape
Defense Strategies
The Need for Defense in Depth
Defense Frameworks
Common Frameworks
Employing the Cybersecurity Framework
Questions?
References
Executive Order 13636, Improving Critical Infrastructure Cybersecurity
NIST, Framework for Improving Critical Infrastructure Cybersecurity
CIS Critical Controls for Effective Cyber Defense
NIST Special Publication, Security and Privacy Controls for Federal Information Systems and Organizations
Symantec, 2016 Internet Security Threat Report
NSA Whitepaper, "Defense in Depth"