Is Cyber Resilience Really That Difficult?

May 18, 2016

John M. Gilligan

6th Cyber Resiliency Workshop

Cyber Resilience: A Personal Journey

• The Early Days

• Chasing the Dream

• The Dark Ages of Cybersecurity

• Dawn of the Internet

• The “Cat is Out of the Bag”

• Everyone’s Challenge


Personal Conclusions

• Achieving original dream of resilience is a (very) long term objective

• Cyber resiliency is a complex, system of systems engineering challenge

• Cyber risk management requires knowledge most organizations do not possess

• Market forces are not well aligned to achieve resiliency

• Weak focus by IT development and operations communities hampers progress toward resilience


A Useful Framework For Addressing Cyber Resilience

[Chart: a two-by-two matrix with THREAT on the vertical axis (Unsophisticated to Sophisticated) and MISSION/FUNCTION CRITICALITY on the horizontal axis (Low to High)]

A Top Level Resilience Strategy

[Chart: the same matrix, THREAT (Unsophisticated to Sophisticated) against MISSION/FUNCTION CRITICALITY (Low to High), divided into three regions:]

• Accept Risk (Low Risk): unsophisticated threat combined with low mission/function criticality

• Implement Comprehensive Baseline of Security Controls (“Good Hygiene”): the remaining combinations of threat and criticality

• Deploy Targeted Advanced Security Controls/Methods: sophisticated threat combined with high mission/function criticality

Implementing Resilience

[Chart: the same matrix, with the three regions (Accept Risk; Implement Comprehensive Baseline of Security Controls; Deploy Targeted Advanced Security Controls/Methods) and two steps marked:]

Step 1: Build CSC Baseline

Step 2: Expand control coverage/augment methods to address sophisticated threats and reduce risk footprint as appropriate

Comprehensive Baseline of Security Controls (CIS Critical Security Controls – Version 6)

Basic Hygiene: 80+% of Threats!*

* Australian Signals Directorate Study

Cybersecurity Resiliency Framework: Economic Considerations*

[Chart: the same matrix, THREAT (Unsophisticated to Sophisticated) against MISSION/FUNCTION CRITICALITY (Low to High), divided into three investment regions:]

• No Investment (corresponding to the Accept Risk region)

• Investment in Cyber Operations and Security (High Return for Modest or No Investment) (corresponding to the comprehensive baseline region)

• Targeted Investment (Careful Risk-Return Analysis) (corresponding to the targeted advanced controls region)

*See also “The Economics of Cyber Security: Part I and Part II”, AFCEA Cyber Committee, October 2013 and April 2014.

Cybersecurity Resilience Maturity Framework*

Columns: Maturity Level; Employment of Security Controls; Security Tailored to Mission; Participate in Information Sharing (threat/vul.); Response to Cyber Threats; Resilience to Cyber Attacks

Level 5: Resilient
  Employment of Security Controls: Augment CSC Based on Mission
  Security Tailored to Mission: Mission Assurance Focused
  Participate in Information Sharing (threat/vul.): Real Time Response to Inputs
  Response to Cyber Threats: Anticipate Threats
  Resilience to Cyber Attacks: Operate Through Sophisticated Attack

Level 4: Dynamic
  Employment of Security Controls: Augment CSC Based on Mission
  Security Tailored to Mission: Mission Focused
  Participate in Information Sharing (threat/vul.): Real Time Response to Inputs
  Response to Cyber Threats: Rapid Reaction To Threats
  Resilience to Cyber Attacks: Able to Respond to Sophisticated Attack

Level 3: Managed
  Employment of Security Controls: CSC Integrated and Continuously Monitored
  Security Tailored to Mission: Partially Mission Focused
  Participate in Information Sharing (threat/vul.): Respond to Information Inputs
  Response to Cyber Threats: Respond to Attacks After the Fact
  Resilience to Cyber Attacks: Protection Against Unsophisticated Attack

Level 2: Performed
  Employment of Security Controls: Foundational/Critical Security Controls (CSC) Implemented
  Security Tailored to Mission: Mission Agnostic
  Participate in Information Sharing (threat/vul.): Inconsistent Response to Information Inputs
  Response to Cyber Threats: Respond to Attacks After the Fact
  Resilience to Cyber Attacks: Some Protection Against Unsophisticated Attacks

Level 1: No Resilience
  Employment of Security Controls: Inconsistent Deployment of Security Controls
  Security Tailored to Mission: None
  Participate in Information Sharing (threat/vul.): None
  Response to Cyber Threats: No Response
  Resilience to Cyber Attacks: Susceptible to Unsophisticated Attacks

Chart annotations: Step 1: Implement CSC Baseline; Step 2: Address Sophisticated Attacks; Most Organizations Today

*Reference Robert Lentz, “Cyber Security Maturity Model”, Presentation 2011

Level 1: No Resilience

  Employment of Security Controls: Inconsistent Deployment of Security Controls
  Mission Tailoring: None
  Information Sharing (threat/vul.): None
  Threat Response: No Response
  Cyber Attack Response: Susceptible to Unsophisticated Attacks

Characteristics

• Security controls are implemented in an ad hoc or fragmented manner

• Response to threats/attacks is a result of outside stimulus (e.g., CERT notification of successful attack)

• Intermittent participation in sharing of threat and vulnerability information

• No discrimination of protection among missions

• Unsophisticated attacks have high probability of success

Level 2: Performed

  Employment of Security Controls: Foundational/Critical Security Controls (CSC) Implemented
  Mission Tailoring: Mission Agnostic
  Information Sharing (threat/vul.): Inconsistent Response to Information Inputs
  Threat Response: Respond to Attacks After the Fact
  Cyber Attack Response: Some Protection Against Unsophisticated Attacks

Characteristics

• Critical Security Controls implemented across the organization but in a delegated or fragmented approach
  - Organization implements critical security controls, although implementation is “tailored” by sub-organizations and/or implementation of critical controls is incomplete

• Mission Agnostic
  - All missions are protected equally

• Inconsistent Response to Information Inputs
  - Inconsistent or periodic engagement and response to malware/CERT community updates on threats/vulnerabilities

• Respond to Attacks (after the fact)
  - Organizations deploy countermeasures as they are available and as they have the opportunity to respond

• Some protection against unsophisticated attack
  - Critical Security Controls that are implemented will be effective against most unsophisticated attacks
  - Overlapping and inconsistent implementation of critical security controls leaves protection “gaps” that could be exploited by relatively unsophisticated attacks

Level 3: Managed

  Employment of Security Controls: CSC Integrated and Continuously Monitored
  Mission Tailoring: Partially Mission Focused
  Information Sharing (threat/vul.): Respond to Information Inputs
  Threat Response: Respond to Attacks After the Fact
  Cyber Attack Response: Protection Against Unsophisticated Attack

Characteristics

• Critical Security Controls integrated across the enterprise with continuous monitoring
  - Risk evaluation focused on priority missions, matched against past and emerging threats, guides risk-benefit decisions regarding fielding controls to augment foundation/critical controls

• Partially Mission Focused
  - Clear understanding of mission critical information and systems
  - Protection focused on most critical mission capabilities

• Respond to Information Inputs
  - Cooperation with larger malware/CERT community for updates on threats/vulnerabilities

• Respond to Attacks (after the fact)
  - Deploy countermeasures as they are available

• Protection against unsophisticated attack
  - Critical Security Controls will be effective against 80+% of attacks
  - Continuous monitoring and threat/vulnerability information sharing will provide the ability to respond to some sophisticated attacks

Level 4: Dynamic

  Employment of Security Controls: Augment CSC Based on Mission
  Mission Tailoring: Mission Focused
  Information Sharing (threat/vul.): Real Time Response to Inputs
  Threat Response: Rapid Reaction To Threats
  Cyber Attack Response: Respond to Sophisticated Attack

Characteristics

• Augment Critical Security Controls based on Mission
  - Risk evaluation focused on priority missions, matched against past and emerging threats, guides risk-benefit decisions regarding fielding controls to augment foundation/critical controls

• Mission Focused
  - Analysis of the spectrum of mission and information criticality results in agreement on priorities for cyber protection/restoral
  - The architecture of the organization implements boundaries between

• Real Time Response to Inputs
  - Cyber intelligence program (Multiple Sources, Disciplined Indications and Warning, Good understanding of sector-specific threats)
  - Incident response baked into defensive posture

• Rapid Reaction To Threats
  - Cooperation with larger malware/CERT community
  - Deploy countermeasures as they are available

• Respond to sophisticated attack
  - After recognizing an attack, assess impact and implement response (e.g., disconnect/shut down system, block attack, etc.)
  - Ability to respond to most sophisticated attacks

Level 5: Resilient

  Employment of Security Controls: Augment CSC Based on Mission
  Mission Tailoring: Mission Assurance Focused
  Information Sharing (threat/vul.): Real Time Response to Inputs
  Threat Response: Anticipate Threats
  Cyber Attack Response: Operate Through Sophisticated Attack

Characteristics

• Augment Critical Security Controls based on Mission
  - Risk evaluation focused on priority missions, matched against past and emerging threats, guides risk-benefit decisions regarding fielding controls to augment foundation/critical controls

• Mission Assurance Focused
  - Analysis of the spectrum of mission and information criticality results in agreement on priorities for protection and on how to assure continued operation in the face of cyber attacks

• Real Time Response to Inputs
  - Cyber intelligence program (Multiple Sources: both classified and unclassified, Disciplined Indications and Warning, Good understanding of sector-specific threats)
  - Cyber Operators and Development team working together (also relevant to operating through attacks)
  - Incident response baked into defensive posture

• Anticipate Threats
  - Malware/Attack Pattern Analysis Program with a large repository of samples from which to extract unique signatures (potential use of honeypots to gain attack insights)
  - Cooperation with larger malware/CERT community

• Operate through sophisticated attack
  - Workforce culture of “cyber warfare” ensures real time response to attacks and preservation of priority missions during attack by a “nation state” class of threat


Summary

• Achieving high resilience is possible today

• High levels of resilience can be achieved without additional cost

• Resilience must be a structured journey, not a random walk

• Fundamental improvements in resiliency of HW and SW necessary to get ahead of sophisticated attacks


Contact Information

John M. Gilligan
Center for Internet Security (CIS)
[email protected]
703-503-3232
518-266-3460