NIST CyberSecurity Framework+ Brian Ventura SANS Community Instructor ISSA Portland, Director of Education Information Security Architect, City of

Transcription

1 NIST CyberSecurity Framework+ Brian Ventura SANS Community Instructor ISSA Portland, Director of Education Information Security Architect, City of

2 Who am I? Brian Ventura Information Security Architect, SANS Instructor 20+ years in Information Technology, ranging from systems administration to project management and information security. Currently an Information Security Architect for the City of Portland, volunteer as the Director of Education for the Portland ISSA Chapter, and SANS Instructor. Brian holds his CISSP, GSEC, GCFA, and GCCC, as well as other industry certifications. As the ISSA Director of Education, Brian coordinates relevant local and online training opportunities. Timbers Army, Thorns Riveter, bike commuter, Land Cruiser enthusiast SEC440: Critical Security Controls: Planning, Implementing and Auditing SEC566: Implementing and Auditing the Critical Security Controls - In-Depth MGT414: SANS Training Program for CISSP Certification SEC401: Security Essentials Bootcamp Style

3 Goals Introduction to SANS, MS-ISAC and CIS NIST CyberSecurity Framework basics City of Portland use case, NIST CSF+

4 What is SANS SEC 401: Security Essentials Bootcamp Style SEC 504: Hacker Tools, Techniques, Exploits, and Incident Handling to SEC 562: CyberCity Hands-on Kinetic Cyber Range Exercise SEC 760: Advanced Exploit Development for Penetration Testers

5

6

7 The MS-ISAC is the focal point for cyber threat prevention, protection, response and recovery for the nation's state, local, tribal and territorial (SLTT) governments. The MS-ISAC 24x7 cybersecurity operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response. Included in Membership INCIDENT RESPONSE SERVICES ADVISORY SERVICES THREAT NOTIFICATION VULNERABILITY ASSESSMENT INFORMATION SHARING AND COMMUNICATIONS EDUCATION AND AWARENESS DHS INITIATIVES COORDINATION Fee Based SECURITY DEVICE MONITORING: NETWORK MONITORING & ANALYSIS (ALBERT) SECURITY DEVICE MONITORING: MANAGED SECURITY SERVICES (MSS) VULNERABILITY ASSESSMENT SERVICES CONSULTING SERVICES

8 Goals Introduction to SANS, MS-ISAC and CIS NIST CyberSecurity Framework basics City of Portland use case, NIST CSF+

9 City of Portland Delivery of services and value to Bureaus Align security strategy with business risk

10 NIST Framework

11

12

13

14

15

16

17

18 Goals Introduction to SANS, MS-ISAC and CIS NIST CyberSecurity Framework basics City of Portland use case, NIST CSF+

19 NIST Framework+ City of Portland s Adoption of CSF Risk & remediation prioritization Maturity gaps and selective metrics Alignment of business risk to CSC Budget & resource prioritization

20 NIST Framework+

21 NIST Framework+ InfoSec Service Catalog Risk Management CSC Top Twenty Budget: - Actual - Unfunded - Projections 3 year plan Maturity Matrix - Current State - Challenges - Progress - Investment - Future State KPI Metrics 3-year Quarter by Quarter Project Roadmap

22 NIST Framework+

23 NIST Framework+ Service Catalog

24 NIST+ Risk and Critical Security Controls

25 NIST+ Budget

26 NIST+ Maturity

27 NIST Roadmap

28

29 Governance

30 Operations

31

32

33 NIST Functions Risk Priorities & Appetite - Internal/External Service Catalog Policy Alignment "Tiers" - Maturity Map Three Year Action Plan - NIST "Profiles" by Quarter NIST Cybersecurity Enterprise- Aligned Framework: - Risks - Service Catalog - Priorities - Maturity - Metrics - 3-Year Project, Program & Initiative Roadmap IT Service Function Identify Protect Detect Respond Recover CSC Top FY-15 Category InfoSec Service Catalog Risk 20 $ FY-16 $ FY-17 $ NIST Pol Ops. Sec. - Asset Management 4 $xxx DI Asset Management Asset Strategy Review Project 7A - Physical and Environmental 7 1,2 $xxx DM Business Governance - Regulatory, Legal, Budgets: AP Metrics Risk Program Environment Compliance All - $xxx Funded - Governance AU Governance Policy Dev. Policy Review - Security Information 5 - $xxx Unfunded PL- Risk Assessment Security and Risk Assessments 5a 4 $xxx $xxx AR Automashboard Risk Management Governance - Risk Management 5b - AR Integration Integration 1 Integration 2 3 Review Identity and Access Management CMM - Sample Projects (IAM) 5, 9 Key initiatives - IAM 2 11, 12 $xxx AC metrics Access Control - SSO 3 13, 14 $xxx nested and NAC SSO - Phase 0 IAM SSO - Phase 3 IA - NAC 6 15, 16 $xxx - RBAC 9 $xxx $xxx $xxx Awareness and Awareness and Training 10 5,17 $xxx AT Metrics Alignment Review Review Data Security Security Architecture and Design (Life 13 1,2 $xxx CA Report Report Report Information Protection Processes and Procedures Information Security Risk-Aligned Framework Maturity Model Action Plan FY2016Action Plan FY2017 Governance - Proactive Protection - - Policies, Standards, Guidelines - ITSM Process governance and maturity 11 Maintenance Operations Security - Asset Maintenance 14 Protective Operations Security Technology - Change Management 15 Anomalies and Monitor, Alerts and Reports - SIEM- Events Vuln 1b Security Continuous Monitor, Alerts and Reports Monitoring 1a 3, 4 7, 9 10, 11 18, 19 3,4 5, $xxx 5, 6 7, 8 $xxx $xxx $xxx 6, 9 12, 19 $xxx $xxx $xxx 4, 8 16, 19 $xxx $xxx $xxx $xxx $xxx $xxx MP PE SA SC MA CM Metrics (e-discovery) Challenges identified FY1 6- Q1 FY1 6- Q2 MD M ITS M FY1 6- Q3 FY1 6- Q4 FY1 7- Q1 IT Serv ice Man Ass et Man Cha nge SI Metrics Pen-Test Pen-Te Exte rnal Current State FY1 7- Q2 FY1 7- Q3 Pen-Test FY1 7- Q4 FY1 8- Q1 Revi ew Full Ass et Revi ew Exte rnal FY1 8- Q2 Expand 3 Expand 4 Expand 5 Detection Processes Monitor, Alerts and Reports - DLP DLP Phase 2 DLP Phase CISSP, CRISC Response Planning Gov. - Bus. Impact Analysis 5c 19 BIA - Phase 1 BIA - Phase 3 Future Communications Incident Response - Alignment 8d 19 Architecture Process Mapping Analysis Incident Response - Risk 8a 6,19 $xxx Risk Mapping Formal Review Formal Review Action Plan FY2018 Mitigation Incident Response IR CIRT Test 1 CIRT Full Test CIRT Test 3 8c 4,19 Improvements Incident Response - Maturity 8e 19,20 $xxx Extermediate External Risk Assessment Remediate Maturity - Recovery Planning Ops. Security - Bus. Continuity 8 10 $xxx $xxx CP DR Plan Test BC Plan Test BC Plan progress Stan Test Test Improvements Ops. Security - Downtime Mgmt. Document 8b 20 dard Dow Dow Communications Ops. Security - Svc. Alignment 12 - $xxx LMS ReviewMid-yearLMS ReviewMid-yearLMS ReviewMid-year FY1 8- Q3 Pen-Test NIST Cybersecurity Framework, adapted by Christopher Paidhrin, FY1 8- Q4 Aligned Standards Continuous Process and Service Improvement Business View / Priorities / Risk-Alignment

34 Questions?

35 SANS Security Awareness Training Recognition: Employees are vulnerable access point Short pulse, video training is mapped to the Critical Security Controls audit framework Available 24/7 Test question after each video Updated annually Supporting 25+ languages Phishing service 6.5 million end users from 1,500+ organizations Gartner Magic Quadrant Highest Ability to Execute SANS STH has been a blessing. We really are very thankful for the ease of use and access to the system. Having the ability to track all employees on our program and who has started or completed the training has helped in many ways. Nic Lee, Northrop Grumman IS 35

36 Links and Resources MS-ISAC: Center for Internet Security (CIS): NIST Cyber Security Framework (CSF): CSF planning spreadsheet: CIS Critical Security Controls (CSC): SANS: