Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
2016 SF ISACA Fall Conference, October 24-26, Hotel Nikko, San Francisco
CISA CGEIT CSX CISM CRISC
Walk This Way: Using CIS Critical Security Controls and NIST Cybersecurity Framework to accomplish Cyber Threat Resilience – A Tools Approach
Robin Basham, Chief Compliance Officer, VP Information Security Risk & Compliance, Cavirin
Cybersecurity Essentials – E32
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Cyber Risk Recap: What could go wrong?
• Reputation is a cyber target
• Criminals value information – financial, health, critical infrastructure
• The pace of technology intensifies and blurs dependencies
• We can't trace, never mind control, our data
• Exfiltration happens
• The role of government and information custody is flat out unclear
Cybersecurity Mission: Resilience
• Know the critical assets and who's responsible for them
• Get everyone involved in cyber-resilience (discovery)
• Assure they have the knowledge and autonomy to make good decisions
• Be prepared for both unsuccessful AND successful attack
• Prevent a cyber attack from throwing the organization into complete chaos

Continuous Monitoring cycle (figure): Define → Establish → Implement → Analyze → Report → Respond → Review → Update
IT'S ALL GOOD, YOU'RE A ROCK STAR, YOU'RE SUPERHUMAN – YOU CAN HERD CATS
Steven Tyler, lead singer of Aerosmith, is not associated in any capacity with Cavirin. We are inspired by his music.
Assessing Things
• Assessment models: SOC 2 – PCI – NIST CSF – HITRUST – SOX – FedRAMP
• Control matrices: COSO – NIST 800-53 r4 – COBIT – risk management frameworks
• Configuration rules: CIS and DISA, for example, can be automated for detection
• Things: servers, routers, containers, apps all have configuration values that can pass or fail
Assessing Things – In Reality (figure): Things → Configuration Rules → Controls → Assessment Models (SOC, PCI, CSF, HITRUST, SOX, FedRAMP)
Example rule: xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators
Remediation: To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Impact: If you remove the Load and unload device drivers user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks will not be negatively affected.
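How a rule like the one above turns into a pass/fail configuration value: an added example in Python, not Cavirin's or CIS's code. On a Windows host the input is the file written by `secedit /export /cfg <file> /areas USER_RIGHTS`, whose `[Privilege Rights]` section lists each user right as SIDs prefixed with `*`; the export below is constructed. S-1-5-32-544 (Administrators) and S-1-5-32-550 (Print Operators, the group the rule's Impact note calls out) are well-known SIDs.

```python
"""Evaluate CIS Windows rule 2.2.27 ("Load and unload device drivers" is set to
Administrators) against a secedit export.  Added example, not Cavirin or CIS code.

Real input:  secedit /export /cfg C:\\temp\\secpol.inf /areas USER_RIGHTS
(the file is UTF-16; read it with open(path, encoding="utf-16")).  The text
below is a constructed, decoded sample of that export.
"""

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators (well-known SID)
PRINT_OPERATORS_SID = "S-1-5-32-550"  # BUILTIN\Print Operators, named in the rule's Impact note


def parse_privilege_rights(export_text):
    """Return {privilege name: set of holders} from the [Privilege Rights] section.
    Holders are SIDs with the leading '*' stripped; a bare account name is kept as-is."""
    rights = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = (line == "[Privilege Rights]")
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
        rights[name.strip()] = holders
    return rights


def check_load_driver_right(rights, allowed=frozenset({ADMINISTRATORS_SID})):
    """Apply the rule.  Returns ('pass' | 'fail', sorted list of holders beyond `allowed`).
    A right that is absent from the export has no holders, which also satisfies the rule."""
    holders = rights.get("SeLoadDriverPrivilege", set())
    extra = holders - allowed
    return ("pass" if not extra else "fail"), sorted(extra)


if __name__ == "__main__":
    result, extra = check_load_driver_right(parse_privilege_rights(SAMPLE_EXPORT))
    # The constructed export keeps the Windows default (Print Operators included), so it fails.
    print("rule 2.2.27:", result, extra)
```

The default Windows assignment includes Print Operators, which is exactly why the benchmark's Impact note warns about it: the check fails until the extra SID is removed via the GP path above, and the `extra` list is what a remediation notification should carry.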
Security Roles – Environments – Measures (figure)
• Measures: PCI DSS, SOC 2, HITECH, Cyber Security Framework, ISO 27002, NIST 800-53 r4 Appendix J, CIS CSC Top 20, DISA STIGs, FedRAMP, SIG Due Diligence, RMF, FAIR, COSO ERM
• CISO roles: Build Business, Sell Security, Govern Security, Operate Securely, Identity & Access, Risk Management, Legal Interface, Compliance, Security Architecture, Budget Security Roadmap, PMO Security Roadmap
• Environments: IaaS, PaaS, SaaS, Cloud, Hybrid Cloud

Rules run on Environments – are tagged to controls (figure)
• Environments: IaaS, PaaS, SaaS, Cloud, Hybrid Cloud, Containers
• Requirements: CIS Benchmark, DISA STIGs, NIST 800-53 r4, PCI DSS 3.2, SOC 2 2016, HIPAA HITECH CSF, NIST Cyber Security Framework, ISO 27002, CIS CSC Top 20, RMF, FedRAMP, CJIS, UK Cyber Essentials, FFIEC, GLBA
Assessment Score (figure)
• Environments: IaaS, PaaS, SaaS, Cloud, Data Centers, Hybrid Cloud
• Platforms scored: Windows 2008 R1 & R2, Windows 2012 R1 & R2, CentOS 6, CentOS 7, RHEL 6, RHEL 7, Ubuntu 12, Ubuntu 14, AWS EC2, ESX 5.5, Azure, Docker, Windows 7, Windows 10
CRAWL THIS WAY
Crawl: Top initiatives to provide the most protection
• Control administrative privileges
• Limit workstation-to-workstation communication
• Antivirus file reputation services
• Anti-exploitation
• Host intrusion prevention systems (HIPS)
• Secure baseline configuration!!!!!
• Web Domain Name System (DNS) reputation
• Patching: take advantage of software improvements
• Segregate networks and functions
• Application whitelisting
• Think about your tools
Tools (Solutions) are Overwhelming
Credit to Monument Partners
Accountability + Compliance – crawl then walk
• We fear false confidence in published assessment reports.
• CIS Critical Security Controls (Top 20) and NIST Cybersecurity Framework make it possible to organize detected conditions that, left unchecked, would unravel both the company's investments and controls.
• Using the 80/20 rule, crawl = secure host baseline, walk = CSC and NIST CSF

Themes: AWS, Azure, Docker (Cloud) – Ransomware & Data Exfiltration – Cyber Insurance
From a cyber perspective, why does managing the configuration baseline matter? To start, you have to
• Understand your kill chain
• Handle changes to major US regulations
• Transfer cyber risk accountability
• Insurance requires evidence of due diligence, i.e. consistent practice of risk assessment and remediation
• Because lateral movement and exfiltration don't care which devices are in your audit scope
• Because there are too many environments and too many things
A successful kill only requires 5 elements (figure): risk scenarios are built from Events, Resources, Time, Threats and Actors
Let's take out a target
• Get access to the target's Outlook calendar (schedule)
• Discover the route they travel (location)
• Get fake uniforms so we blend in (identity)
• Distract the guards (opportunity)
• Interrupt the live camera feed so they don't see us (time)
• Purchase a weapon that can't be traced (malware, spyware…)
• Go – Go – Go: take out the target
• Burn down the structure so there's nothing left, or just encrypt everything and sell the target their own key (ransomware)
To disrupt a kill chain, what do we assess?
• Environment is "hardened" against types of threats
• Limits to bad actors – technical behaviors
• Time: environments remain resilient to threats (drift)
• Resources: engineers will not cause us to fail an audit
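The "Time" element above is measurable: compare successive scans of the same host and ask not only which rules regressed but how long each has been failing. The following is an added example in Python, not Cavirin's or CIS's code; the scan history is constructed and the rule names are illustrative short forms, not real CIS benchmark identifiers.

```python
"""Configuration drift between successive scans of one host, as a measure of the
"Time" element: how long a hardened setting has been allowed to regress.
Added example, not Cavirin or CIS code.  Rule names are illustrative, not real
CIS identifiers; the scan history is constructed.
"""
from datetime import datetime

# Constructed history: rule results for host web-01, oldest first.
# Each entry is (ISO-8601 scan time, {rule: "pass" | "fail"}).
SCANS = [
    ("2016-10-17T02:00:00", {"ssh_root_login": "pass", "load_driver_admins": "pass", "tmp_noexec": "fail"}),
    ("2016-10-20T02:00:00", {"ssh_root_login": "fail", "load_driver_admins": "pass", "tmp_noexec": "fail"}),
    ("2016-10-24T02:00:00", {"ssh_root_login": "fail", "load_driver_admins": "fail", "tmp_noexec": "pass"}),
]


def classify_drift(previous, current):
    """Compare two rule-result maps.  Returns sorted rule lists under 'regressed'
    (pass -> fail), 'fixed' (fail -> pass), 'unchanged', 'new' and 'removed'."""
    report = {"regressed": [], "fixed": [], "unchanged": [], "new": [], "removed": []}
    for rule in sorted(set(previous) | set(current)):
        if rule not in previous:
            report["new"].append(rule)          # benchmark content updated: no history to compare
        elif rule not in current:
            report["removed"].append(rule)      # rule dropped from the scan: a gap, not a pass
        elif previous[rule] == "pass" and current[rule] == "fail":
            report["regressed"].append(rule)
        elif previous[rule] == "fail" and current[rule] == "pass":
            report["fixed"].append(rule)
        else:
            report["unchanged"].append(rule)
    return report


def exposure_days(scans, as_of=None):
    """For every rule failing in the latest scan, days since it last passed.
    None means it has never passed in the recorded history (a baseline gap, not drift)."""
    latest_time, latest = scans[-1]
    now = datetime.fromisoformat(as_of or latest_time)
    exposure = {}
    for rule, result in latest.items():
        if result != "fail":
            continue
        last_pass = None
        for when, results in scans:          # oldest first, so the last match wins
            if results.get(rule) == "pass":
                last_pass = datetime.fromisoformat(when)
        exposure[rule] = (now - last_pass).days if last_pass else None
    return exposure


if __name__ == "__main__":
    print(classify_drift(SCANS[-2][1], SCANS[-1][1]))
    print(exposure_days(SCANS))
```

The two functions answer different questions: `classify_drift` is the nightly alert (what changed since yesterday), while `exposure_days` is the resilience metric for the board (how long has a hardened setting been open), and a rule that disappears from the scan is reported as a gap rather than silently counted as passing.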
Business Requirements (figure): CIS Benchmark, DISA STIGs, NIST 800-53 r4, PCI DSS 3.2, SOC 2 2016, HIPAA HITECH CSF, NIST Cyber Security Framework, ISO 27002, CIS CSC Top 20, Risk Management Framework, FedRAMP
Risk Assessments frame the risk conversation
• Assessments are industry focused and often repeat the same topics
• "Risk" assessments have context and use an industry-approved model (an abstraction) to organize many "things"
• All industries struggle to gather technical evidence of implementing their assessed controls
• Control bypass and poor process often make it impossible for engineers to configure to the requirements of security and compliance – many times, the requirements are not understood
Center for Internet Security Critical Security Controls v6.1
• Updated by cyber experts based on actual attack data pulled from a variety of public and private threat sources
• CIS Controls are likely to prevent the majority of cyber-attacks
• Concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber-attacks
CIS CSC 6.1 Mapped to Rules for Configuration
Provide metrics for IT personnel to understand, continuously diagnose and mitigate risks, and automate defenses to ensure compliance with the controls.
With regard to the Critical Security Controls: "…failure to implement all of the controls that apply to an organization's environment constitutes a lack of reasonable security."
– Kamala Harris, Attorney General, California Data Breach Report 2016
Using CIS CSC to Mitigate Expertise Risk – prove the existence of an IT security program at OS, environment and device levels
• Map compliance testing to assertions of good practice across enterprise environments
• Unmet criteria trigger notification with steps for remediation
NIST Cybersecurity Framework: The CHALLENGE
US Executive Order 13636 on Improving Critical Infrastructure Cybersecurity requires accountability to assure cybersecurity readiness. The Financial, Communications, Manufacturing, Defense, Energy, Emergency Services, Food and Agriculture, Healthcare, IT, Utilities, Chemical, Water, Nuclear Reactors, Materials & Waste, and Transportation sectors are expected to initiate currently "voluntary" compliance with the NIST Cybersecurity Framework.
NIST CSF provides a cyber security functions model
• Identify: CMDB, people, process, technology, relationships, alignment to controls
• Protect: architecture, infrastructure, monitoring
• Detect: defined sources, collection, interpretation, reporting methods
• Respond: RCA, corrective action, management meetings, plans, optimization targets
• Recover: configuration baselines, response plans, lessons learned, wiki, documentation, BIA
Assessment Testing – Ransomware / Exfiltration Mapping Query (NIST 800-53 r4 controls and enhancements)
• AU-9 Protection of Audit Information – AU-9(1) Hardware Write-Once Media
• AU-9 Protection of Audit Information – AU-9(2) Audit Backup on Separate Physical Systems / Components
• PE-3 Physical Access Control – PE-3(2) Facility / Information System Boundaries
• PL-8 Information Security Architecture – PL-8(1) Defense-in-Depth
• SC-3 Security Function Isolation – SC-3(2) Access / Flow Control Functions
• SC-7 Boundary Protection – SC-7(7) Prevent Split Tunneling for Remote Devices
• SC-7 Boundary Protection – SC-7(10) Prevent Unauthorized Exfiltration
• SI-4 Information System Monitoring – SI-4(16) Correlate Monitoring Information
• SI-4 Information System Monitoring – SI-4(18) Analyze Traffic / Covert Exfiltration
Group controls to the risks associated with their absence – report under the assessment type that matters to your board.
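The mechanics behind "rules run on environments are tagged to controls", "CIS CSC 6.1 mapped to rules for configuration" and "report under the assessment type that matters to your board" are one pipeline: parse the scanner's rule-level results, tag each rule to the controls it evidences in each assessment model, and roll up. The following is an added example in Python, not Cavirin's or CIS's code. The XCCDF 1.2 TestResult is a constructed, trimmed document; apart from the CIS 2.2.27 rule quoted earlier, the rule ids are illustrative, and the rule-to-control tags are illustrative assumptions, not CIS's published mapping.

```python
"""Scanner output -> control-level report under a chosen assessment model.
Added example, not Cavirin or CIS code.  The XCCDF document is a constructed,
trimmed TestResult; rule ids other than the CIS 2.2.27 rule and all
rule-to-control tags are illustrative assumptions, not CIS's published mapping.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

RULE_2_2_27 = ("xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_"
               "Ensure_Load_and_unload_device_drivers_is_set_to_Administrators")

# Constructed: what an XCCDF 1.2 scanner emits per rule (result values are the XCCDF vocabulary).
SAMPLE_RESULT = f"""
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1">
  <target>web-01</target>
  <rule-result idref="{RULE_2_2_27}"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_ssh_permit_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_log_backup"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_firewall_default_deny"><result>error</result></rule-result>
  <rule-result idref="xccdf_example_rule_wireless_disabled"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_login_banner"><result>pass</result></rule-result>
</TestResult>
"""

# Illustrative tags (assumption, not CIS's mapping): rule id -> {assessment model: [control ids]}.
RULE_TAGS = {
    RULE_2_2_27: {"CIS CSC 6.1": ["CSC 5"], "NIST 800-53 r4": ["AC-6"], "NIST CSF": ["PR.AC-4"]},
    "xccdf_example_rule_ssh_permit_root_login": {"CIS CSC 6.1": ["CSC 5"], "NIST 800-53 r4": ["AC-6"], "NIST CSF": ["PR.AC-4"]},
    "xccdf_example_rule_audit_log_backup": {"CIS CSC 6.1": ["CSC 6"], "NIST 800-53 r4": ["AU-9(2)"], "NIST CSF": ["PR.PT-1"]},
    "xccdf_example_rule_firewall_default_deny": {"CIS CSC 6.1": ["CSC 12"], "NIST 800-53 r4": ["SC-7"], "NIST CSF": ["PR.AC-5"]},
}

# How each XCCDF result value counts.  'fixed' means the scanner remediated the finding.
# 'error' and 'unknown' count as failures so a broken check cannot quietly inflate the
# score.  None = excluded from scoring (not applicable / not run).
EFFECTIVE = {"pass": "pass", "fixed": "pass", "fail": "fail", "error": "fail", "unknown": "fail",
             "notapplicable": None, "notchecked": None, "notselected": None, "informational": None}


def parse_results(xml_text):
    """Return (target, {rule id: 'pass' | 'fail' | None}) from an XCCDF 1.2 TestResult."""
    root = ET.fromstring(xml_text)
    target = root.findtext("x:target", namespaces=XCCDF_NS)
    results = {}
    for rr in root.findall("x:rule-result", XCCDF_NS):
        raw = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        results[rr.get("idref")] = EFFECTIVE.get(raw, "fail")
    return target, results


def control_report(results, tags, model):
    """Roll rule results up to the controls of one assessment model.
    Returns (report, untagged): report maps control -> pass/fail counts and failing rules;
    untagged lists scored rules that evidence nothing in this model (a coverage gap)."""
    report, untagged = {}, []
    for rule, outcome in results.items():
        if outcome is None:
            continue
        controls = tags.get(rule, {}).get(model, [])
        if not controls:
            untagged.append(rule)
            continue
        for ctl in controls:
            entry = report.setdefault(ctl, {"pass": 0, "fail": 0, "failing_rules": []})
            entry[outcome] += 1
            if outcome == "fail":
                entry["failing_rules"].append(rule)
    return report, untagged


def not_met(report):
    """Controls with at least one failing rule: one bad rule fails the control, it never averages out."""
    return sorted(ctl for ctl, entry in report.items() if entry["fail"] > 0)


if __name__ == "__main__":
    target, results = parse_results(SAMPLE_RESULT)
    for model in ("CIS CSC 6.1", "NIST 800-53 r4", "NIST CSF"):
        report, untagged = control_report(results, RULE_TAGS, model)
        print(f"{target} under {model}: not met {not_met(report)}; untagged {untagged}")
```

The same rule results produce a different "not met" list for each model, which is the point of the slide: the engineer fixes rules, and the board sees the model it cares about. The `untagged` list is the caveat a practitioner wants, since a rule that evidences nothing in a model is a gap in the tag map rather than a clean result, and `error` counting as a failure keeps a broken check from looking like compliance.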
CIS CSC and NIST CSF Risk Assessment Context
• The CIS Critical Security Controls and the NIST Cybersecurity Framework play nicely together
• You should understand DISA STIGs and CIS Benchmarks in the design and implementation of a secure configuration baseline
• You may need to consider whether you are use case A or B
Use Case – A or B
A: "Hi, I assess OS for non-government systems."
B: "Hi, I assess OS for government systems."
Use Cases – How to assess an Operating System
B: "In government we examine system rules by scanning with DISA STIG XCCDF."
A: "I do that too, but I use CIS Benchmarks XCCDF."
A: "I run rule checks using OVAL, CCE, CVE."
B: "I run rule checks using OVAL, CCE, CVE too."
Use Cases – Do we need DISA?
A: "Nope, we just prioritize as Level 1 and Level 2 and the end user applies what they want."
B: "Cool! Do you classify your target systems?"
Use Cases – Classified v. Non-Classified
A: "CIS Benchmarks enable a lot of assessments, like SOC, CIS CSC, NIST CSF, HITRUST CSF, ISO 27002, and PCI 3.2 for non-classified environments."
B: "FISMA requires us to use DISA and map to NIST. We have to classify our endpoints. We also use USGCBs (United States Government Configuration Baseline) for baseline configurations on information technology products widely deployed across federal agencies."
Industry and Data Classification
Business Requirements (figure): CIS Benchmark, DISA STIGs, NIST 800-53 r4, PCI DSS 3.2, SOC 2 2016, HIPAA HITECH CSF, NIST Cyber Security Framework, ISO 27002, CIS CSC Top 20, Risk Management Framework, FedRAMP
Customers come from lots of industries, but solutions start by asking one question: is the target environment government classified?
• Yes, the target environment is government classified: I'll use DISA.
• No: for non-classified assessment models, I'm going to use CIS Benchmarks to evaluate our host baseline configurations.
Center for Internet Security states up to 80% of cyber attacks could be prevented by
• Maintaining an inventory of authorized and unauthorized devices
• Maintaining an inventory of authorized and unauthorized software
• Developing and managing secure configurations for all devices
• Conducting continuous (automated) vulnerability assessment and remediation
• Actively managing and controlling the use of administrative privileges
AWS, Azure, Docker (Cloud)
• 84 Docker container policies
• 43 AWS cloud policies published by CIS
Gartner Study and Recommendation for AWS
• Gartner's Strategic Planning Assumption: through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.
• The mismanagement of recommended configuration is both in and beyond our locus of control; however, cloud breaches impact everyone's brand.
Automated Risk Analysis Platform must-haves
• Cloud-native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
• A "hyper plane" of integrated "risk assessment" amongst segmented vulnerability domains
• Must work with private, hybrid, and public clouds
• Support AWS, Azure, GCP (Google Cloud Platform)
• Manage thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL, CCI)
• Support current compliance authorities (PCI DSS, HIPAA, NIST, SOC 2, FedRAMP, CIS Benchmark, DISA, CIS CSC, CSF)
• Have CIS-certified security content (multiple OS, Docker, AWS Cloud)
• Be AWS Security Certified
According to the Higher Education Information Security Council © 2015 EDUCAUSE
• Most institutions that purchase a cyber policy have limits of $5 million or less and deductibles of $50,000 or less.
• Policies require attestation to the maturity of information technology and information security programs.
• Subject to independent audit of your IT and IT security.
• Inaccuracies may render claims invalid or provide an opportunity for the insurer to void the policy altogether.
Cyber Insurance
NACD (National Association of Corporate Directors) – Cyber Handbook
• How to disclose a cyber event
• NIST Cybersecurity Framework: voluntarily measure and benchmark IT and security program effectiveness
• Boards require active reporting on cyber preparedness – understanding risk appetite, exposure points
• Directors are exposed by third-party dependencies, especially those that exist in the cloud
• Credit card issuers and healthcare providers are increasingly facing recourse against boards of directors
Resilience to Ransomware & Data Exfiltration
• Back up your data
• Keep your anti-virus software current
• Screen emails for phishing/malware
• Authenticate the sources of email
• Sandbox suspicious software
• http://www.networkworld.com/article/3062901/security/with-some-advanced-preparation-you-can-survive-a-ransomware-attack.html
DLP Policy – Monitoring & prevention, Discovery & protection (figure)
• Endpoint – user access to sensitive data, at-risk employees: increasing granularity of data policies and controls; start with the most sensitive data in high-frequency locations like email, CRM, financial systems
• Network – high-volume, high-risk protocols and exit points: increasing monitored protocols and endpoints; start with known vulnerable algorithms and protocols (SSL 3, TLS 1.0, DES, RC4)
• Storage – increasing allowable and monitored locations for data: file servers, Exchange DB, SharePoint, database servers, Virtual Storage CIF, web servers
Crawl, Walk, Run
• Qualitative risk assessment
• Leverage existing BIA and data retention strategy
• Information security threat analysis
• Integrate with goals for enterprise IT
Crawl, walk, run – Be the force
• Understand your environment
• Identify open wounds, stop the bleeding
• Factor risk against attention and resources; tie engineering out to audit
• Gain consistency across devices, environments, businesses
• Achieve continuous automated risk assessment; stitch the greatest risk into automation in your continuous compliance platform
About Cavirin
Cavirin's Automated Risk Analysis Platform (ARAP) is a scalable, extensible fabric that provides instant security visibility on cloud based (private, hybrid, and public) infrastructure, offering continuous risk assessment. Through its agentless discovery mechanism, ARAP deep scans very large sets of assets, applying rich "out-of-the-box" policy covering sought-after security standards, generating action oriented reports and aligning actual to best practice and regulatory compliance requirements. Its open "connector" architecture allows enterprises to deploy on a hyper-plane that integrates popular cloud-based assessment services such as Amazon Inspector, delivering business and industry specific reporting enabled by Scripted Policy Framework.
Cavirin services are cloud agnostic, recently releasing Docker and Azure policy, is an Amazon Web Services Certified Security vendor, and an authorized partner for its Inspector service. The ARAP content library includes PCI DSS, DISA & CIS Benchmark, CIS Critical Security Controls, ISO 27002, NIST 53 v.4, CSF, SOC2, and HIPAA Common Security Framework.
Copyright © Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA [email protected] https://www.linkedin.com/in/robinbasham
About your speaker: Robin Basham, VP Information Security Risk and Compliance, & CCO
Robin Basham, M.Ed, M.IT, CISSP, CISA, CGEIT, CRISC, serves as Cavirin’s Vice President Information Security Risk and Compliance, providing thought leadership to industries ranging from large enterprise to soaring SMB, delivering concrete programs that transform compliance burden to strategic advantage. Robin is a Certified Information Systems Security, Audit, Governance and Risk professional, earning multiple master’s degrees in Technology and Education. She is an Enterprise ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud and Virtualization. Industry experience includes program direction, architecting and management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense and High Tech. Robin has held positions in Technology as an Officer at State Street Bank, Lead Process Engineering for a major New England CLEC, and Sr. Director Enterprise Technology for multiple advisory firms. Robin has delivered more than 75 compliance engineering products, and run two governance software companies. Most recently she served as Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Robin’s expertise and knowledge are highly recognized in Boston, Mid Atlantic, Silicon Valley and East Bay, where she has served hundreds of clients and is a frequent speaker, educator, and board contributor.