ISACA Arizona May 2016 Chapter Meeting

Transcription

1 ISACA Arizona May 2016 Chapter Meeting Suzanne Farr / Carlos A. Villalba

2 Agenda Introduction Preliminary questions CCM Preliminaries Definition Benefits Challenges Beyond Templates Questions 1

3 Background FS Technology Jefferson Wells Pacificare Health CSC ACS Allied Signal Digital Equipment Cyber Defense Institute Syracuse University Electrónica de Computación C&V C.A. CORPORATE FACTS Founded in 2008 by Cyber Security, Risk, Compliance Executives & Experts Headquartered in Phoenix Arizona (40 FTEs) Security, Risk, Compliance Consulting One of the Largest PCI QSA in Arizona Hundreds of Engagements Performed Across Multiple Continents Annually Invested Millions of Dollars, Thousands of Hours Developing TruSOC - Managed Security Service TruSOC utilized by customers across the U.S. Ongoing Investments in Services Portfolio, Technologies, Sales & Distribution Channels 2

4 Credentials

5 Summary Continuous control monitoring is challenging, taxing, and has multiple layers of complexity. Out of the box technologies and solutions promising to be the one-stop solution often fall short of the promise of tackling this challenge. There is no onerecipe for all to a successful CCM implementation and execution. This presentation covers pitfalls and outlines strategies to optimize continuous controls monitoring. 4

6 Preliminary questions Is your company required to be compliant with multiple regulations? Have you completed an enterprise risk assessment? Have you completed an inventory of all existing controls? Have you assessed your controls effectiveness? Are you considering implementing a new process control environment? 5

7 CCM preliminaries ipost U.S. State Department created its own model for CM called ipost. CAESARS / CAESARS (FE) Continuous Asset Evaluation, Situational Awareness, and Risk Scoring NISTIRs The NISTIRs 7756, 7799 and 7800 NIST SP NIST SP describes steps to develop and implement a CM program 6

8 What is CCM? NIST definition for CM: maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Also known as: ISCM, CM, CCM, C&A, A&A 7

9 More on CCM NIST ISCM Information security continuous monitoring (ISCM) defined in NIST SP BTW There is no consensus on the frequency and methodology that should be used for an effective and comprehensive continuous control monitoring strategy. 8

10 CCM Benefits Enables management to: Assessment the effectiveness of controls Improve business processes Quantitative and qualitative risk related decisions Cost-effectiveness of controls 9

11 CCM Challenges Network Security Vs Continuous Monitoring Solutions Framework Metrics Integration Costs 10

12 Challenges: Continuous, constant and automated OMB cycle is 3 years SSAE16 cycle NIST data collection There is not consensus on these three, why? Automation challenges 11

13 Challenges: Automated Vs Manual Automated should be assessed as often as useful. Around 64+ NIST r4 controls. Variants count as a separate control (900). 700 and 800 controls cannot be automated. Domains that can t be automated: AT - Awareness and Training, CP - Contingency Planning, MP - Media Protection, and PS - Personnel Security Planning 12

14 Beyond templates: Simplifying the NIST recipe 13

15 Beyond templates: lessons from the field Marketing and buzz words. All-in-one solutions Fundamentals first Governance investment ROI 14

16 Beyond templates: lessons from the field Business Impact Assessments Competitive advantages. Metrics 15

17 Beyond templates: NIST Guidance A little guidance from NIST SP

18 Beyond templates: Automating domains 17

19 Automation Domain Tools and Technologies NIST Guidelines 1 - Vulnerability Management Vulnerability scanners NIST SP Creating a Patch 2 - Patch Management Patch management tools and Vulnerability Management Program 3 - Event Management Intrusion detection/ NIST SP , Computer 4 - Incident Management prevention systems and logging Security Log Management mechanisms NIST SP , Guide IDPS 5 - Malware Detection Antivirus/ Malware detection mechanisms NIST SP , Malware Incident Prevention and Handling 6 - Configuration Management SCAP, SEIM, Dashboards NIST SP r2 The Technical Specification for SCAP Version 1.2 SP

20 Automation Domain Tools and Technologies 7 - Asset Management System configuration, network management, and license management tools 8 - Network Management Host discovery, inventory, change control, performance monitoring, and other network device management capabilities 9 - License Management License management tools 10 - Information Management Data Loss Prevention (DLP) Tools: network analysis software, application firewalls, and intrusion detection and prevention systems SP

21 Beyond templates: specific activities Key domain Asset Management Key activity Inventory and classify hardware, software, applications, networks, locations. Configuration Management Event Management Incident Management Information Management License Management Malware Detection Network Management Patch Management Software Assurance Vulnerability Management Baseline configurations and validate using scanning tools. Centralize log repositories Actionable information from event management. Data classification, access control Vulnerability scans with software inventories Antivirus Access controls, segmentation, Criticality based patching GPO policies Vulnerability scans 20

22 Beyond templates: practical recipe Define Governance, Metrics, Acceptable Risk Inventory Hardware, Software, Applications Establish Baselines Secure Configurations for Hardware and Software Boundary Defense Security Awareness Enforce Access Control Administrative Privileges Access Based on Need to Know Account Monitoring and Control Data Protection Monitor and detect Vulnerability Assessment Maintenance, Monitoring, and Analysis of Audit Logs Application Software Security Malware Defenses Account Monitoring and Control Respond Incident Response and Management Vulnerability Remediation Tests Penetration Tests and Red Team Exercises 21

23 Beyond templates: Optimize commonality SOX POLICIES, PROCEDURES AND STANDARDS COMMON CONTROLS HIPAA PCI 22

24 Beyond templates: Pragmatic frequency Critical frequency Manual assessment frequency Frequencies appropriateness 23

25 Beyond templates: Key Challenges Compliance with multiple regulations FDA, SOX, HIPAA,NIST, GLBA, BASEL II, PCI (Currently 400+ regulations) Lack of clear ownership and accountability for risk management Multiple compliance efforts in multiple business areas Policies, standards, procedures and documentation Overall reactive approach 24

26 Beyond templates: one solution optimize With or without a GRC or SIEM tool if you optimize: Your processes Your documentation Your control analysis And the orchestration of it all, You will be closer to your own tailored GRC/CCM solution 25

27 Final question of the day What s the # 1 most overlook control in all organizations? 26

28 Suzanne Suzanne E. Farr, Partner & COO Carlos A. Villalba, VP Solutions & Delivery