Because Security Gives Us Freedom

Transcription

1 Because Security Gives Us Freedom

2 PANOPTIC CYBERDEFENSE CYBERSECURITY LEADERSHIP Panoptic Cyberdefense is a monitoring and detection service in three levels: Security Management and Reporting Managed Detection and Response Security Orchestration Cybersecurity Leadership is a professional service, custom-tailored to the needs and goals of your organization, designed to augment the leadership necessary to build a mature cybersecurity operation, from the ground up. The service assists your organization with Assessment, Governance and Compliance, Security Readiness, and CISO Services. Managed Security Systems for the enterprise, inclusing our own SIEM and NIDS platforms.

3 SECURITY IS A PROCESS NOT A PRODUCT

4 CONFUSION

5 MOST LIKELY SIEM IDS SHELFWARE MAIN REASONS LACK OF STAFF LACK OF CLARITY COMPLIANCE ONLY Source: 451 Research

6 POINT OF ACTIVITY LACKING CLARITY SCOPE

7 SOLUTION FRAGMENTATION

8 INCONSISTENT TERMS

9 UNCLEAR SCOPE

10 SCOPE FRAGMENTATION

11 SOLUTION FRAGMENTATION

12 POINT GAPS

13 SCOPE GAPS

14 LACKING INTEGRATION

15 SCOPE GAPS

16 UNCLEAR CLAIMS

17 PARTIAL OR COMPLETE?

18 NEED COMPLIANCE INFO

19 MAGNIFICENT 7 LITTLE STANDARDIZATION OF TERMS ENCRYPTION SIEM VULNERABILITY MANAGEMENT IDS/IPS AV FIREWALLS/NGFWS MONITORING (GENERAL) Source: 451 Research

20 MAGNIFICENT 7 LITTLE STANDARDIZATION OF TERMS ENCRYPTION SIEM VULNERABILITY MANAGEMENT IDS/IPS AV FIREWALLS/NGFWS MONITORING (GENERAL) Source: 451 Research

21 NO AUTHORITY INDUSTRY DOESN T HAVE INCENTIVE STANDARDS DON T HAVE AUTHORITY

22 NIST Special Publication (Rev. 4) USE A MODEL Security Controls and Assessment Procedures for Federal Information Systems and Organizations NOT NIST Framework for Improving Critical Infrastructure Cybersecurity

23 PRODUCT THE SOLUTION: MAPPING PROCESS SERVICE AC-1 AC-2 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 ACCESS CONTROL POLICY- PROCEDURES ACCOUNT MANAGEMENT ACCESS ENFORCEMENT INFORMATION FLOW ENFORCEMENT SEPARATION OF DUTIES LEAST PRIVILEGE UNSUCCESSFUL LOGON ATTEMPTS SYSTEM USE NOTIFICATION PREVIOUS LOGON NOTIFICATION CONCURRENT SESSION CONTROL SESSION LOCK SESSION TERMINATION SUPERVISION AND REVIEW - ACCESS PERMITTED ACTIONS WITHOUT ID AUTOMATED MARKING SECURITY ATTRIBUTES REMOTE ACCESS WIRELESS ACCESS ACCESS CONTROL FOR MOBILE DEVICES USE OF EXTERNAL INFORMATION SYSTEM INFORMATION SHARING PUBLICLY ACCESSIBLE CONTENT DATA MINING PROTECTION ACCESS CONTROL DECISIONS REFERENCE MONITOR

24 NIST Security Controls (NIST Special Publication (Rev. 4)) A TINY BIT ABOUT NIST Control Families AC - Access Control AU - Audit and Accountability AT - Awareness and Training CM - Confguration Management CP - Contingency Planning IA - Identifcation and Authentication IR - Incident Response MA - Maintenance MP - Media Protection PS - Personnel Security PE - Physical and Environmental Protection PL - Planning PM - Program Management RA - Risk Assessment CA - Security Assessment and Authorization SC - System and Communications Protection SI - System and Information Integrity SA - System and Services Acquisition

25 SC-5 DENIAL OF SERVICE PROTECTION Control Description The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards]. NIST IS COMPREHENSIVE Control Enhancements SC-5(1) DENIAL OF SERVICE PROTECTION RESTRICT INTERNAL USERS The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems. SC-5(2) DENIAL OF SERVICE PROTECTION EXCESS CAPACITY / BANDWIDTH / REDUNDANCY The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks. SC-5(3) DENIAL OF SERVICE PROTECTION DETECTION / MONITORING The organization: SC-5 (3)(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and SC-5 (3)(b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks.

26 AC-5 SEPARATION OF DUTIES MANY ARE PURELY POLICY Control Description The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties.

27 Access Control AC-4 INFORMATION FLOW ENFORCEMENT AC-5 SEPARATION OF DUTIES AC-20 USE OF EXTERNAL INFORMATION SYSTEMS AC-21 INFORMATION SHARING ONSHORE MDR Incident Response IR-4 INCIDENT HANDLING IR-5 INCIDENT MONITORING IR-6 INCIDENT REPORTING IR-7 INCIDENT RESPONSE ASSISTANCE IR-9 INFORMATION SPILLAGE RESPONSE IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM

28 ONSHORE SIEM Access Control AC-3 ACCESS ENFORCEMENT AC-5 SEPARATION OF DUTIES AC-7 UNSUCCESSFUL LOGON ATTEMPTS AC-8 SYSTEM USE NOTIFICATION AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION AC-10 CONCURRENT SESSION CONTROL AC-11 SESSION LOCK AC-12 SESSION TERMINATION AC-13 SUPERVISION AND REVIEW - ACCESS CONTROL AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION AC-20 USE OF EXTERNAL INFORMATION SYSTEMS AC-21 INFORMATION SHARING AC-24 ACCESS CONTROL DECISIONS AC-25 REFERENCE MONITOR Incident Response IR-4 INCIDENT HANDLING IR-5 INCIDENT MONITORING IR-6 INCIDENT REPORTING IR-7 INCIDENT RESPONSE ASSISTANCE IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM

29 COMPLETE QUALIFIERS PARTIAL SUPPORTS

30 IN-SOURCE VS. OUT-SOURCE CONSIDERATIONS POINT OF ACTIVITY

31 REVIEW It can be difficult to understand cybersecurity offerings and gaps that may remain because of the lack of a way to compare functions against a complete stack model and because of the lack of standardized terminology. NIST can be used as a model of completeness and mapping solutions to NIST controls both provides clarity and identifcation of gaps. Using the model involves determining which NIST controls the solution satisfes and to what degree. This can be done by simply posing the question to the vendor. Additional factors to consider involve in-sourcing versus out-sourcing in the context of risk. Point of activity should also be determined to understand gaps in scope not refected in the NIST controls.

32 Jim Burnham Six Nines IT CREDITS Steve Kent onshore s CTO Chris Johnson onshore s Security Compliance Strategist

33 QUESTIONS Stel Valavanis CEO onshore Security