Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

Similar documents
Smart Grid Maturity Model

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Situational Awareness Metrics from Flow and Other Data Sources

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Using CERT-RMM in a Software and System Assurance Context

Advancing Cyber Intelligence Practices Through the SEI s Consortium

ARINC653 AADL Annex Update

Engineering Improvement in Software Assurance: A Landscape Framework

The CERT Top 10 List for Winning the Battle Against Insider Threats

Cyber Hygiene: A Baseline Set of Practices

Julia Allen Principal Researcher, CERT Division

Researching New Ways to Build a Cybersecurity Workforce

Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

2013 US State of Cybercrime Survey

Modeling the Implementation of Stated-Based System Architectures

Dr. Kenneth E. Nidiffer Director of Strategic Plans for Government Programs

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013

Causal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs

Defining Computer Security Incident Response Teams

Roles and Responsibilities on DevOps Adoption

Cyber Threat Prioritization

Be Like Water: Applying Analytical Adaptability to Cyber Intelligence

10 Years of FloCon. Prepared for FloCon George Warnagiris - CERT/CC #GeoWarnagiris Carnegie Mellon University

Information Security Is a Business

The Insider Threat Center: Thwarting the Evil Insider

The Need for Operational and Cyber Resilience in Transportation Systems

Software Assurance Education Overview

Analyzing 24 Years of CVD

SEI/CMU Efforts on Assured Systems

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

Fall 2014 SEI Research Review Verifying Evolving Software

Open Systems: What s Old Is New Again

The Confluence of Physical and Cyber Security Management

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Secure Coding Initiative

Panel: Future of Cloud Computing

Components and Considerations in Building an Insider Threat Program

Current Threat Environment

Architectural Implications of Cloud Computing

Verifying Periodic Programs with Priority Inheritance Locks

Automated Provisioning of Cloud and Cloudlet Applications

Providing Information Superiority to Small Tactical Units

THE POWER OF TECH-SAVVY BOARDS:

Evaluating a Partial Architecture in a ULS Context

SEI Research Program. Dr. Kevin Fall Deputy Director, Research, and CTO SSC Carnegie Mellon University

Design Pattern Recovery from Malware Binaries

Denial of Service Attacks

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

Investigating APT1. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Deana Shick and Angela Horneman

NO WARRANTY. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.

OSATE Analysis Support

Prioritizing Alerts from Static Analysis with Classification Models

An Incident Management Ontology

Fall 2014 SEI Research Review FY14-03 Software Assurance Engineering

Encounter Complexes For Clustering Network Flow

Cyber Resilience. Think18. Felicity March IBM Corporation

Measuring the Software Security Requirements Engineering Process

CERT Overview. Jeffrey J. Carpenter 2008 Carnegie Mellon University

Passive Detection of Misbehaving Name Servers

TSP Secure. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA September 2009

CSIRT SERVICES. Service Categories

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Improving Software Assurance 1

NISPOM Change 2: Considerations for Building an Effective Insider Threat Program

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Inference of Memory Bounds

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Safety- and Security-Related Requirements for

SEI Webinar Series. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA January 27, Carnegie Mellon University

Cybersecurity Overview

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

ISAO SO Product Outline

Certified Information Security Manager (CISM) Course Overview

Static Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT

Strip Plots: A Simple Automated Time-Series Visualization

COTS Multicore Processors in Avionics Systems: Challenges and Solutions

NISTCSF Enterprise Training Solutions. By David Nichols & Rick Lemieux December 2018

Brussels. Cyber Resiliency Minimizing the impact of breaches on business continuity. Jean-Michel Lamby Associate Partner - IBM Security

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Time-Bounded Analysis of Real- Time Systems

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Semantic Importance Sampling for Statistical Model Checking

Role of BC / DR in CISRP. Ramesh Warrier Director ebrp Solutions

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

GEORGIA CYBERSECURITY WORKFORCE ACADEMY. NASCIO 2018 State IT Recognition Awards

SOC for cybersecurity

Evaluating Security Risks Using Mission Threads

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

SAME Standard Package Installation Guide

Struggles at the Frontiers: Persistent Pursuit of Software Assurance in the Development and Sustainment of Defense Systems Dr. Kenneth E.

Collaborative Autonomy with Group Autonomy for Mobile Systems (GAMS)

Elements of a Usability Reasoning Framework

Structuring Security for Success

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Sheltered Harbor protects public confidence in the financial system if a catastrophic event like a cyber attack causes your critical systems,

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Table of Contents. Sample

Transcription:

Software, Security, and Resiliency Paul Nielsen SEI Director and CEO Dr. Paul D. Nielsen is the Director and CEO of Carnegie Mellon University's Software Engineering Institute. Under Dr. Nielsen s leadership, the SEI has expanded its research, doubled its staff and increased its impact in the software engineering community. The SEI now has over 500 valued partnerships with organizations extending its influence globally. Prior to joining SEI in 2004, he served in the U.S. Air Force, retiring as a major general and commander of Air Force research after 32 years of distinguished service. Nielsen is a member of the US National Academy of Engineering (NAE) and a Fellow of both the American Institute of Aeronautics and Astronautics (AIAA) and the Institute for Electrical and Electronics Engineers (IEEE).

Software and Complexity

The Rise of Complexity Scale Interconnectedness Autonomy Time criticality Security Safety Regulation

How to Handle Complexity Models Process Architecture Risk assessment Resiliency Evolution People

Complex Systems at the SEI The SEI is at the nexus of systems and complexity: We study them side-by-side For 25 years, we ve been helping engineers design and manage software systems It s our job to ring the bell on the importance of managing complexity We also appreciate risk and the importance of managing it Continuous risk management Mosaic suite of risk management tools Multi-view models Mission Success in Complex Environments

Security and Risk

Rising Tide of Vulnerabilities, Risk Recent Pandalabs Analysis of Malware, Viruses in Circulation Unique Vulnerabilities (from CERT and NIST NVD data)

How to Handle Cyber Security Issues Secure Coding Malware Identification and Analysis Network Situational Awareness Recognizing Insider Threats Modeling Resiliency and Continuity

Resiliency and Continuity

Key Principles of Resiliency (1) Resilience At SEI, both is the organizational ability to provide and and software: maintain an acceptable level of service in the face of faults and challenges Resilience to normal Maturity operation. Model (RMM) Security Quality Requirements Engineering (SQUARE) security built in Current blog series topic (http://blog.sei.cmu.edu/) failure scenarios understood, planned for redundancy is provided for in key areas capability remains available under adverse conditions resilience

Continuity A key aim of resiliency (and managing operational risk) Business Functions: Developing and executing continuity plans, recovery plans, and restoration plans IT Function: Developing, implementing, and managing processes to deliver IT services and manage IT infrastructures

Resiliency Maturity Model (1) What is CERT-RMM? CERT-RMM is a maturity model for managing and improving operational resilience. Guides implementation and management of operational resilience activities Converges key operational risk management activities: security, business continuity/disaster recovery, and IT operations Defines maturity through capability levels (like CMMI) Improves confidence in how an organization responds in times of operational stress

Connecting the Dots Today s presentations include: Understanding and coping with complexity & cyber security CMMI-SVC: The Strategic Landscape for Service Software Acquisition Program Dynamics Architectural Implications of Cloud Computing The Insider Threat: Lessons Learned from Actual Insider Attacks Dealing with the smart grid, resiliency and software development Smart Grid Maturity Model Agile Development and Architecture: Understanding Scale and Risk Measuring Operational Resilience Team Software Process (TSP)

NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder. This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.

Contact Information Paul Nielsen Director and CEO Software Engineering Institute Telephone: +1 412-268-7740 Email: nielsen@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu www.sei.cmu.edu/contact.cfm Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback