Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF. CISA CGEIT CSX CISM CRISC. Walk This Way: Using CIS Critical Security Controls and NIST Cybersecurity Framework to accomplish Cyber Threat Resilience – A Tools Approach. Robin Basham, Chief Compliance Officer, VP Information Security Risk & Compliance, Cavirin. Cybersecurity Essentials – E32

Transcript of Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Page 1: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF

CISA CGEIT CSX CISM CRISC

Walk This Way: Using CIS Critical Security Controls and NIST Cybersecurity Framework to accomplish Cyber Threat Resilience – A Tools Approach

Robin Basham, Chief Compliance Officer, VP Information Security Risk & Compliance, Cavirin

Cybersecurity Essentials – E32

Page 2: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

2016 SF ISACA FALL CONFERENCE – “SWEET 16”

Cyber Risk Recap: What could go wrong?

• Reputation is a cyber target
• Criminals value information – financial, health, critical infrastructure
• The pace of technology intensifies and blurs dependencies
• We can’t trace, never mind control our data
• Exfiltration happens
• The role of government and information custody is flat out unclear

Page 3: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Cybersecurity Mission: Resilience

• Know the critical assets and who’s responsible for them
• Get everyone involved in cyber-resilience (discovery)
• Assure they have the knowledge and autonomy to make good decisions
• Be prepared for both unsuccessful AND successful attack
• Prevent a cyber attack from throwing the organization into complete chaos.

[Figure: Continuous Monitoring cycle – Define, Establish, Implement, Analyze, Report, Respond, Review, Update]

Page 4: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

IT’S ALL GOOD, YOU’RE A ROCK STAR, YOU’RE SUPERHUMAN – YOU CAN HERD CATS

Steve Tyler, lead singer for Aerosmith, is not associated in any capacity to Cavirin. We are inspired by his music.

Page 5: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Assessing Things

• SOC2 – PCI – NIST CSF – HITRUST – SOX – FedRamp
• Control Matrix – COSO – NIST 800-53r4 – Cobit – Risk Management Frameworks
• Configuration Rules – CIS – DISA, for example, can be automated for detection
• Things – Servers – Routers – Containers – Apps – all have configuration values that can pass or fail

Page 6: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Assessing Things – In Reality

Things → Configuration Rules → Controls → Assessment Models – SOC – PCI – CSF – HITRUST – SOX – FedRamp

xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators

To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers

Impact: If you remove the Load and unload device drivers user right from the Print Operators group or other accounts you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks will not be negatively affected.
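The slide's point is that a "thing" has configuration values that pass or fail a rule. The following added example (not from the slides and not Cavirin's product code) evaluates the CIS rule quoted above against a Windows security-policy export. Two assumptions are not on the slide: the user right "Load and unload device drivers" is stored under the privilege constant SeLoadDriverPrivilege, and `secedit /export /cfg <file> /areas USER_RIGHTS` is the built-in way to dump it; the INF sample below is constructed so the check runs offline, and it deliberately shows the Impact case where Print Operators still holds the right.

```python
"""Added example: evaluate CIS rule 2.2.27 (Load and unload device drivers =
Administrators) against a secedit-style policy export."""

# Well-known SIDs for the two groups the rule and its Impact note mention.
ADMINISTRATORS = "S-1-5-32-544"
PRINT_OPERATORS = "S-1-5-32-550"
WELL_KNOWN = {ADMINISTRATORS: "Administrators", PRINT_OPERATORS: "Print Operators"}

# The benchmark rule expressed as data: the privilege constant behind the user
# right (assumption: SeLoadDriverPrivilege) and the only SIDs allowed to hold it.
RULE = {
    "id": "xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators",
    "privilege": "SeLoadDriverPrivilege",  # "Load and unload device drivers"
    "allowed": {ADMINISTRATORS},
}

# Constructed sample of a `secedit /export` file: Print Operators still holds the right.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: set(SIDs)} from the [Privilege Rights] section.

    secedit writes SIDs with a leading '*'; unprefixed names are accepted too."""
    rights = {}
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
        rights[name.strip()] = holders
    return rights


def evaluate_rule(rule, rights):
    """Compare actual holders with the allowed set; return ('pass'|'fail', findings)."""
    holders = rights.get(rule["privilege"], set())
    extra = holders - rule["allowed"]      # accounts that must lose the right
    missing = rule["allowed"] - holders    # required accounts that lack it
    findings = []
    for sid in sorted(extra):
        findings.append(f"unexpected holder {WELL_KNOWN.get(sid, sid)} ({sid})")
    for sid in sorted(missing):
        findings.append(f"required holder {WELL_KNOWN.get(sid, sid)} ({sid}) absent")
    return ("pass" if not findings else "fail"), findings


def assess(inf_text, rule=RULE):
    """One rule result in the shape a scanner reports: rule id, status, findings."""
    rights = parse_privilege_rights(inf_text)
    status, findings = evaluate_rule(rule, rights)
    return {"rule": rule["id"], "status": status, "findings": findings}


if __name__ == "__main__":
    result = assess(SAMPLE_EXPORT)
    print(result["status"], result["rule"])
    for finding in result["findings"]:
        print("  -", finding)
```

The findings name the offending account rather than just reporting "fail", which is what the Impact note asks an operator to review before remediating: removing Print Operators here is the fix, but only after confirming no delegated task depends on that right.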

Page 7: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

[Figure: assessment frameworks – CISO, PCI DSS, SOC2, HITECH, Cyber Security Framework, ISO27002, NIST 800-53 r4 Appendix J, CIS CSC Top 20, DISA STIGS, FedRamp, SIG Due Diligence, RMF, FAIR, COSO ERM]

Security Roles - Environments - Measures

CISO: Build Business, Sell Security, Govern Security, Operate Securely, Identity & Access, Risk Management, Legal Interface, Compliance, Security Architecture, Budget Security Roadmap, PMO Security Roadmap

Environments: IaaS, PaaS, SaaS, Cloud, Hybrid Cloud

Page 8: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Containers

Requirements: CIS Benchmark, DISA STIGS, NIST 800-53 v4, PCI DSS 3.2, SOC2 2016, HIPAA HITECH CSF, CSF Cyber Security Framework, ISO27002, CIS CSC Top 20, RMF, FedRamp, CJIS, UK Cyber Essentials, FFIEC, GLBA

Rules run on Environments – are tagged to controls

Environments: IaaS, PaaS, SaaS, Cloud, Data Centers, Hybrid Cloud

Assessment Score

Platforms: WIN2008 R1 & R2, WIN2012 R1 & R2, CentOS 6, CentOS 7, RHEL6, RHEL7, UBUNTU12, UBUNTU14, AWS EC2, ESX 5.5, Azure, Docker, Windows 7, Windows 10

Page 9: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

CRAWL THIS WAY

Steve Tyler, lead singer for Aerosmith, is not associated in any capacity to Cavirin.

Page 10: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Crawl: Top initiatives to provide most protection

• Control Administrative Privileges
• Limiting Workstation-to-Workstation Communication
• Antivirus File Reputation Services
• Anti-Exploitation
• Host Intrusion Prevention (HIPS) Systems
• Secure Baseline Configuration!!!!!
• Web Domain Name System (DNS) Reputation
• Patching: Take Advantage of Software Improvements
• Segregate Networks and Functions
• Application Whitelisting
• Think about your tools

Page 11: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Tools (Solutions) are Overwhelming

Credit to Monument Partners

Page 12: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Accountability + Compliance – crawl then walk

• We fear false confidence in published assessment reports.
• CIS Critical Security Controls (Top 20) and NIST Cybersecurity Framework make it possible to organize detected conditions that, left unchecked, would unravel both the company’s investments and controls.
• Using the 80/20 rule, crawl = secure host baseline, walk = CSC and NIST CSF

[Sidebar: AWS, Azure, Docker (Cloud) – Ransomware & Data Exfiltration – Cyber Insurance]

Page 13: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

From a cyber perspective, why does managing configuration baseline matter? To start, you have to:

• Understand your kill chain
• Handle changes to major US regulations
• Transfer cyber risk accountability
• Insurance requires evidence of due diligence, i.e. consistent practice of risk assessment and remediation
• Because lateral movement and exfiltration don’t care which devices are in your audit scope.
• Because there are too many environments and too many things.

[Sidebar: AWS, Azure, Docker, Google (Cloud) – Ransomware & Data Exfiltration – Cyber Insurance]

Page 14: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

A successful kill only requires 5 elements

[Figure: Risk Scenarios – Events, Resources, Time, Threats, Actors]

Page 15: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Let’s take out a target

• Get access to the target’s outlook calendar (schedule)
• Discover the route they travel (location)
• Get fake uniforms so we blend in (identity)
• Distract the guards (opportunity)
• Interrupt the live camera feed so they don’t see us (time)
• Purchase a weapon that can’t be traced (malware, spyware…)
• Go – Go – Go: Take out the target
• Burn down the structure so there’s nothing left, or just encrypt everything and sell the target their own key. (ransomware)

Page 16: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

To disrupt a kill chain, what do we assess?

• Environment is “hardened” against types of threats
• Limits to bad Actors – technical behaviors
• Time: environments remain resilient to threats (Drift)
• Resources: engineers will not cause us to fail an audit.

[Figure: Business Requirements – CIS Benchmark, DISA STIGS, NIST 53 v4, PCI DSS 3.2, SOC2 2016, HIPAA HITECH CSF, CSF Cyber Security Framework, ISO27002, CIS CSC Top 20, Risk Management Framework, FedRamp]

Page 17: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Risk Assessments frame risk conversation

• Assessments are industry focused and often repeat the same topics
• “Risk” Assessments have context and use an industry approved model (an abstraction) to organize many “things”
• All industries struggle to gather technical evidence of implementing their assessed controls.
• Control bypass and poor process often make it impossible for engineers to configure to the requirements of security and compliance – many times, the requirements are not understood

Page 18: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule


Page 19: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule


Page 20: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Center for Internet Security Critical Security Controls v. 6.1

• Updated by cyber experts based on actual attack data pulled from a variety of public and private threat sources.
• CIS Controls are likely to prevent the majority of cyber-attacks.
• Concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber-attacks.

Page 21: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

CIS CSC 6.1 Mapped to Rules for Configuration

Provide metrics for IT personnel to understand, continuously diagnose and mitigate risks, and automate defenses to ensure compliance with the controls.

With regard to Critical Security Controls, CSC “…failure to implement all of the controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Kamala Harris, Attorney General, CA Breach Report 2016

Page 22: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule


Page 23: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Using CSC CIS to Mitigate Expertise Risk – Prove existence of IT Security Program at OS, Environment, Device levels

• Map compliance testing to assertions of good practice across enterprise environments
• Unmet criteria trigger notification with steps for remediation

Page 24: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

NIST Cybersecurity Framework: The CHALLENGE

US Executive Order 13636 on Improving Critical Infrastructure Cybersecurity requires accountability to assure cybersecurity readiness. Financial, Communications, Manufacturing, Defense, Energy, Emergency Services, Food and Agriculture, Healthcare, IT, Utilities, Chemical, Water, Nuclear Reactors, Materials, & Waste and Transportation sectors are expected to initiate currently “voluntary” compliance with the NIST Cybersecurity Framework.

Page 25: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

NIST CSF provides a cyber security functions model

• Identify: CMDB, People, Process, Technology, relationships, alignment to controls
• Protect: Architecture, Infrastructure, Monitoring
• Detect: Defined Sources, Collection, Interpretation, Reporting Methods
• Respond: RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
• Recover: Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA

Page 26: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Assessment Testing – Ransomware / Exfiltration Mapping Query

• AU-9 PROTECTION OF AUDIT INFORMATION – AU-9.1 HARDWARE WRITE-ONCE MEDIA
• AU-9 PROTECTION OF AUDIT INFORMATION – AU-9.2 AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
• PE-3 PHYSICAL ACCESS CONTROL – PE-3.2 FACILITY/INFORMATION SYSTEM BOUNDARIES
• PL-8 INFORMATION SECURITY ARCHITECTURE – PL-8.1 DEFENSE-IN-DEPTH
• SC-3 SECURITY FUNCTION ISOLATION – SC-3.2 ACCESS/FLOW CONTROL FUNCTIONS
• SC-7 BOUNDARY PROTECTION – SC-7.7 PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
• SC-7 BOUNDARY PROTECTION – SC-7.10 PREVENT UNAUTHORIZED EXFILTRATION
• SI-4 INFORMATION SYSTEM MONITORING – SI-4.16 CORRELATE MONITORING INFORMATION
• SI-4 INFORMATION SYSTEM MONITORING – SI-4.18 ANALYZE TRAFFIC / COVERT EXFILTRATION

Group controls to risks associated with their absence – Report under the assessment type that matters to your board
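Three slides describe one pipeline: rules run on environments and are tagged to controls (page 8, "Assessment Score"), CIS CSC is mapped to configuration rules (page 21), and controls are grouped to the risk their absence creates and reported under the assessment model the board cares about (this slide). The added example below (not from the slides and not Cavirin's product code) implements that roll-up. The NIST 800-53 control ids are the ones listed above; the rule ids, the hosts, the pass/fail results, the rule-to-control tags and the risk grouping are constructed assumptions for the example, and the CSC numbers (6, 12, 13) are assumed tags, not a mapping the slide gives.

```python
"""Added example: rule results -> control scores -> roll-up by assessment model
and by risk group. All rule results and tags are constructed for illustration."""
from collections import defaultdict

# One record per rule check, as a scanner would emit it. Tags are assumptions.
RULE_RESULTS = [
    {"rule": "rule_A_audit_log_offhost", "host": "web01", "result": "pass",
     "controls": ["AU-9.2", "CSC 6"]},
    {"rule": "rule_A_audit_log_offhost", "host": "db01", "result": "fail",
     "controls": ["AU-9.2", "CSC 6"]},
    {"rule": "rule_B_egress_filter", "host": "web01", "result": "fail",
     "controls": ["SC-7.10", "CSC 13"]},
    {"rule": "rule_C_split_tunnel_off", "host": "vpn01", "result": "pass",
     "controls": ["SC-7.7", "CSC 12"]},
    {"rule": "rule_D_netflow_correlated", "host": "db01", "result": "pass",
     "controls": ["SI-4.16", "SI-4.18", "CSC 13"]},
]

# Controls grouped to the risk their absence creates (assumed grouping).
RISK_GROUPS = {
    "Exfiltration": {"SC-7.7", "SC-7.10", "SI-4.16", "SI-4.18", "CSC 13"},
    "Ransomware": {"AU-9.1", "AU-9.2", "PL-8.1", "SC-3.2", "CSC 6", "CSC 12"},
}


def assessment_model(control):
    """Which assessment model a control id belongs to (a prefix rule suffices here)."""
    return "CIS CSC" if control.startswith("CSC ") else "NIST 800-53 r4"


def control_scores(results):
    """Per control: passed and total checks, plus the hosts that failed."""
    scores = defaultdict(lambda: {"passed": 0, "total": 0, "failing_hosts": []})
    for r in results:
        for c in r["controls"]:
            s = scores[c]
            s["total"] += 1
            if r["result"] == "pass":
                s["passed"] += 1
            else:
                s["failing_hosts"].append(r["host"])
    return dict(scores)


def rollup(scores, key_fn):
    """Aggregate control scores under the keys key_fn returns for each control.
    Returns {key: (passed, total, percent)}; a control may feed several keys."""
    agg = defaultdict(lambda: [0, 0])
    for control, s in scores.items():
        for key in key_fn(control):
            agg[key][0] += s["passed"]
            agg[key][1] += s["total"]
    return {k: (p, t, round(100 * p / t)) for k, (p, t) in agg.items() if t}


def by_model(control):
    return [assessment_model(control)]


def by_risk(control):
    return [risk for risk, members in RISK_GROUPS.items() if control in members]


def report(results=RULE_RESULTS):
    """Everything a board-level report needs: per control, per model, per risk."""
    scores = control_scores(results)
    return {
        "controls": scores,
        "by_model": rollup(scores, by_model),
        "by_risk": rollup(scores, by_risk),
    }


if __name__ == "__main__":
    out = report()
    for risk, (p, t, pct) in out["by_risk"].items():
        print(f"{risk}: {p}/{t} checks passing ({pct}%)")
    for c, s in out["controls"].items():
        if s["failing_hosts"]:
            print(f"  {c}: failing on {', '.join(s['failing_hosts'])}")
```

The same rule result counts once per control it is tagged to, so a single failed egress-filter check lowers both the NIST boundary-protection score and the CIS CSC score, and surfaces under the Exfiltration risk; that is the "report under the assessment type that matters" behaviour without re-running any scan.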

Page 27: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

CIS CSC and NIST CSF Risk Assessment Context

• CIS Critical Security Controls AND NIST Cybersecurity Framework security models play nicely together
• You should understand DISA STIG and CIS Benchmarks in the design and implementation of a secure configuration baseline
• You may need to consider whether you are use case A or B

Page 28: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Use Case – A or B

A: Hi, I assess OS for non-government systems.
B: Hi, I assess OS for government systems.

Page 29: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Use Cases – How to assess an Operating System

B: In government we examine system rules by scanning with DISA STIG xccdf.
A: I do that too, but I use CIS Benchmarks xccdf.
B: I run rule checks using OVALs, CCE, CVE.
A: I run rule checks using OVALs, CCE, CVE too.

Page 30: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Use Cases – Do we need DISA?

B: Cool! Do you classify your target systems?
A: Nope, we just prioritize as Level 1 and Level 2 and end user applies what they want.

Page 31: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Use Cases – Classified v. Non Classified

A: CIS Benchmarks enable a lot of assessments, like SOC, CIS CSC, NIST CSF, HITRUST CSF, ISO27002, and PCI 3.2 for non classified environments.
B: FISMA requires us to use DISA and map to NIST. We have to classify our endpoints. We also use USGCBs (United States Government Configuration Baseline) for baseline configurations on Information Technology products widely deployed across federal agencies.

Page 32: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

[Figure: Business Requirements – CIS Benchmark, DISA STIGS, NIST 53 v4, PCI DSS 3.2, SOC2 2016, HIPAA HITECH CSF, CSF Cyber Security Framework, ISO27002, CIS CSC Top 20, Risk Management Framework, FedRamp]

Customers come from lots of industries, but solutions start by asking one question: Is the target environment government classified?

• YES, the target environment is government classified: I’ll use DISA
• For non classified assessment models, I’m going to use CIS Benchmarks to evaluate our host baseline configurations

Industry and Data Classification

Page 33: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Center for Internet Security – states up to 80% of cyber attacks could be prevented by

• Maintaining an inventory of authorized and unauthorized devices
• Maintaining an inventory of authorized and unauthorized software
• Developing and managing secure configurations for all devices
• Conducting continuous (automated) vulnerability assessment and remediation
• Actively managing and controlling the use of administrative privileges

• 84 Docker Container Policies
• 43 AWS Cloud Policies published by CIS

[Sidebar: AWS, Azure, Docker (Cloud)]

Page 34: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Gartner Study and Recommendation for AWS

• Gartner’s Strategic Planning Assumption: Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.
• The mismanagement of recommended configuration is both in and beyond our locus of control; however, cloud breaches impact everyone’s brand.

Page 35: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Automated Risk Analysis Platform must haves

• Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
• A “hyper plane” of integrated “risk assessment” amongst segmented vulnerability domains
• Must work with Private, Hybrid, and Public Clouds
• Support AWS, Azure, GCP (Google Cloud Platform)
• Manage thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL, CCI)
• Supports current compliance authority (PCI DSS, HIPAA, NIST, SOC2, FedRamp, CIS Benchmark, DISA, CIS CSC, CSF)
• Have CIS Certified security content (Multiple OS, Docker, AWS Cloud)
• Be AWS Security Certified

Page 36: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

According To Higher Education Information Security Council © 2015 EDUCAUSE

• Most institutions that purchase a cyber policy have limits of $5 million or less and deductibles of $50,000 or less.
• Policies require attestation to the maturity of information technology and information security programs
• Subject to Independent audit of your IT and IT security
• Inaccuracies may render claims invalid or provide an opportunity for the insurer to void the policy altogether.

[Sidebar: Cyber Insurance]

Page 37: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

NACD National Association of Certified Directors – Cyber Handbook

• How to disclose a cyber event
• NIST Cyber Security Framework, voluntarily measure and benchmark IT and Security Program effectiveness
• Boards require active reporting on Cyber preparedness
  – Understanding risk appetite
  – Exposure points
• Directors are exposed by third party dependencies, especially those dependencies that exist in the cloud
• Credit card issuers and Healthcare providers are increasingly experiencing recourses against Boards of Directors

Page 38: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Resilience to Ransomware & Data Exfiltration

• Backup your data
• Keep your anti-virus software current
• Screen emails for phishing/malware
• Authenticate the sources of email
• Sandboxing suspicious software
• http://www.networkworld.com/article/3062901/security/with-some-advanced-preparation-you-can-survive-a-ransomware-attack.html

[Sidebar: Ransomware & Data Exfiltration]

Page 39: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

DLP Policy – Monitoring & prevention, Discovery & protection

Endpoint – user access to sensitive data, at risk employees
• Increasing granularity of data policies and controls
• Start with most sensitive data in high frequency locations like email, CRM, financial systems

Network – high volume, high risk protocols and exit points
• Increasing monitored protocols and endpoints
• Start with known vulnerable algorithms and protocols (SSL 3, TLS 1.0, DES, RC4)

Storage
• Increasing allowable and monitored locations for data
• File servers, Exchange DB
• SharePoint, Database Servers
• Virtual Storage CIF
• Web Servers

Crawl, Walk, Run
• Qualitative risk assessment
• Leverage existing BIA and Data Retention Strategy
• Information Security Threat analysis, and
• Integrate with Goals for enterprise IT
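The Network column above says to start with known vulnerable protocols and algorithms on high-volume exit points. The added example below (not from the slides and not Cavirin's product code) is the "crawl" version of that monitoring step: it reads per-session TLS records from an egress proxy, flags the protocols and algorithms named on the slide (SSL 3, TLS 1.0, DES, RC4), ranks high-volume sessions first, and counts weak sessions per exit point. The log line format and the sample lines are constructed for this example; the constructed IPs are documentation ranges. One caveat is recorded in the code: OpenSSL names 3DES suites "DES-CBC3-…", so those are flagged under DES as well.

```python
"""Added example: flag TLS sessions on weak protocols/ciphers in constructed
egress-proxy log lines and summarise them per exit point."""
import re

WEAK_PROTOCOLS = {"SSLv3", "TLSv1"}   # SSL 3 and TLS 1.0 as loggers usually name them
WEAK_ALGORITHMS = ("DES", "RC4")      # matched as a token of the cipher-suite name;
                                      # 3DES suites ("DES-CBC3-...") are caught too

# Constructed sample: one line per TLS session observed at the egress proxy.
SAMPLE_LOG = """\
2016-10-24T09:01:12Z src=10.1.4.23 dst=203.0.113.10:443 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bytes_out=1820
2016-10-24T09:01:15Z src=10.1.4.57 dst=198.51.100.8:443 proto=TLSv1 cipher=RC4-SHA bytes_out=5243000
2016-10-24T09:02:03Z src=10.1.7.9 dst=203.0.113.44:8443 proto=SSLv3 cipher=DES-CBC3-SHA bytes_out=12000
2016-10-24T09:02:40Z src=10.1.4.23 dst=192.0.2.77:443 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bytes_out=900
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"cipher=(?P<cipher>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes_out"] = int(rec["bytes_out"])
            yield rec


def weaknesses(rec):
    """List the reasons a session is weak; empty list means nothing flagged."""
    found = []
    if rec["proto"] in WEAK_PROTOCOLS:
        found.append(f"protocol {rec['proto']}")
    tokens = rec["cipher"].upper().split("-")
    for alg in WEAK_ALGORITHMS:
        if alg in tokens:
            found.append(f"cipher uses {alg}")
    return found


def findings(log_text, min_bytes_for_volume=1_000_000):
    """Weak sessions, high-volume ones first, then by bytes sent out."""
    out = []
    for rec in parse(log_text):
        weak = weaknesses(rec)
        if not weak:
            continue
        out.append({
            "src": rec["src"], "dst": rec["dst"], "bytes_out": rec["bytes_out"],
            "weak": weak,
            "high_volume": rec["bytes_out"] >= min_bytes_for_volume,
        })
    out.sort(key=lambda f: (not f["high_volume"], -f["bytes_out"]))
    return out


def exit_point_summary(log_text):
    """Weak-session count per destination exit point, to prioritise monitoring."""
    counts = {}
    for f in findings(log_text):
        counts[f["dst"]] = counts.get(f["dst"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        flag = "HIGH-VOLUME " if f["high_volume"] else ""
        print(f"{flag}{f['src']} -> {f['dst']} ({f['bytes_out']} bytes): {', '.join(f['weak'])}")
    print(exit_point_summary(SAMPLE_LOG))
```

The volume threshold is what turns a hygiene list into a DLP priority: a 5 MB upload over RC4 on TLS 1.0 to an external host is the session to look at first, which is the slide's "high volume, high risk protocols and exit points" ordering.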

Page 40: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Crawl, walk, run – Be the force

• Understand your environment
• Identify open wounds, stop bleeding
• Factor risk against attention and resource, tie out engineering to audit
• Gain consistency across devices, environments, businesses
• Achieve continuous automated risk assessment, stitch greatest risk into automation in your continuous compliance platform

Page 41: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

About Cavirin

Cavirin’s Automated Risk Analysis Platform (ARAP) is a scalable, extensible fabric that provides instant security visibility on cloud based (private, hybrid, and public) infrastructure, offering continuous risk assessment. Through its agentless discovery mechanism, ARAP deep scans very large sets of assets, applying rich “out-of-the-box” policy covering sought-after security standards, generating action oriented reports and aligning actual to best practice and regulatory compliance requirements. Its open “connector” architecture allows enterprises to deploy on a hyper-plane that integrates popular cloud-based assessment services such as Amazon Inspector, delivering a business and industry specific reporting enabled by Scripted Policy Framework.

Cavirin services are cloud agnostic, recently releasing Docker and Azure policy, is an Amazon Web Services Certified Security vendor, and an authorized partner for its Inspector service. The ARAP content library includes PCI DSS, DISA & CIS Benchmark, CIS Critical Security Controls, ISO 27002, NIST 53 v.4, CSF, SOC2, and HIPAA Common Security Framework.

Copyright © Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA [email protected] https://www.linkedin.com/in/robinbasham

Page 42: Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

About your speaker: Robin Basham, VP Information Security Risk and Compliance, & CCO

Robin Basham, M.Ed, M.IT, CISSP, CISA, CGEIT, CRISC, serves as Cavirin’s Vice President Information Security Risk and Compliance, providing thought leadership to industries ranging from large enterprise to soaring SMB, delivering concrete programs that transform compliance burden to strategic advantage. Robin is a Certified Information Systems Security, Audit, Governance and Risk professional, earning multiple master’s degrees in Technology and Education. She is an Enterprise ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud and Virtualization. Industry experience includes program direction, architecting and management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense and High Tech. Robin has held positions in Technology as an Officer at State Street Bank, Lead Process Engineering for a major New England CLEC, and Sr. Director Enterprise Technology for multiple advisory firms. Robin has delivered more than 75 compliance engineering products, and run two governance software companies. Most recently she served as Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Robin’s expertise and knowledge are highly recognized in Boston, Mid Atlantic, Silicon Valley and East Bay, where she has served hundreds of clients and is a frequent speaker, educator, and board contributor.
