The Future Is SECURITY THAT MAKES A DIFFERENCE. Implementing the 20 Critical Controls

Introduction
- Security is an evolution!
- Understanding the benefit of the 20 Critical Controls, and knowing how to implement them, is key.
- The controls are prescriptive.
- The controls can be automated.

Getting Started With Implementation
What do you need?
- What am I trying to protect?
- What are my gaps?
- What are my priorities?
- Where can I automate?
- How can my vendor partners help?
- Where can I learn more?

[Chart: Data Driven Decisions. Bar chart of Control 1 Score, Control 2 Score, Control 3 Score, Control 4 Score and Number of Breaches (y-axis 0 to 90) for Project 1 through Project 7]

[Chart: Track Progress. Project 1 and Project 2 plotted month by month, Jan through Dec (y-axis 0 to 6)]

[Network diagram: Understand the Environment. Subnet 10.10.5.x with hosts 10.10.5.3, 10.10.5.9 and 10.10.5.10; findings shown: Sendmail 8.12.10 with EXPN/VRFY allowed, Apache 1.3.26 with an input buffer overflow]

Rule 1: Fix the Problem, Not the Symptoms
Critical Controls Starting Point:
- Critical Control 20: Penetration Test
- Critical Control 4: Continuous Vulnerability Assessment and Remediation

Understanding the Problem
PrivacyRights.org (updated weekly). Here are some breaches that are reported (most are not). Just a small sample (organization / records breached / date):
- Heartland Payment Systems (130+ million, 1/2009)
- Oklahoma Dept of Human Services (1 million, 4/2009)
- Oklahoma Housing Finance Agency (225,000, 4/2009)
- University of California (160,000, 5/2009)
- Network Solutions (573,000, 7/2009)
- U.S. Military Veterans Administration (76 million, 10/2009)
- BlueCross BlueShield Assn. (187,000, 10/2009)

Rule 2: Understand the Problem
Critical Controls Starting Point:
- Critical Control 1: Inventory of Authorized and Unauthorized Devices
- Critical Control 2: Inventory of Authorized and Unauthorized Software
- Critical Control 3: Secure Configurations

What is the Adversary After?

Rule 3: Focus on the Data
Critical Controls Starting Point:
- Critical Control 15: Controlled Access Based on Need to Know
- Critical Control 17: Data Loss Prevention

Understand How the Adversary Works

Rule 4: Implement a Multi-Dimensional Approach to Security
Critical Controls Starting Point:
- Critical Control 5: Malware Defense
- Critical Control 6: Application Security
- Critical Control 13: Boundary Defense
- Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs

Performing Gap Analysis
Create a spreadsheet with the following columns:
- Critical Control
- Current State
- Ideal State (18 months)
Subtract the two columns. Maturity scale:
- Maturity 0: No sub-controls
- Maturity 1: Quick Wins (QW)
- Maturity 2: Improved Visibility and Attribution (Vis/Attrib)
- Maturity 3: Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene)
- Maturity 4: Advanced (Adv)
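The gap-analysis spreadsheet above, worked as an added example (this is not code from the slide deck or from SANS). It models one row per control with Current State and Ideal State (18 months) on the 0-4 maturity scale, subtracts the two columns, ranks the controls by gap, and then schedules the gap closure into phases so that the gap drives the plan. The control rows, maturity values and the number of steps per phase are constructed sample data; the scheduling rule (largest remaining gap first, one level per control per phase) is this example's own choice, not something the deck prescribes.

```python
"""Gap analysis across the Critical Controls: current vs. target maturity.

Added example, not from the slide deck. It models the spreadsheet the
slide describes (Critical Control, Current State, Ideal State at 18 months),
subtracts the two maturity columns, ranks controls by gap, and schedules
the closure of those gaps into roadmap phases. Control names, maturity
values and the phase capacity are constructed sample data.
"""
from dataclasses import dataclass

# Maturity levels exactly as the slide defines them.
MATURITY = {
    0: "No sub-controls",
    1: "Quick Wins (QW)",
    2: "Improved Visibility and Attribution (Vis/Attrib)",
    3: "Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene)",
    4: "Advanced (Adv)",
}


@dataclass(frozen=True)
class ControlRow:
    """One spreadsheet row: a control with its current and ideal maturity."""
    number: int
    name: str
    current: int
    ideal: int

    def __post_init__(self):
        for value in (self.current, self.ideal):
            if value not in MATURITY:
                raise ValueError(f"maturity must be 0-4, got {value}")
        if self.ideal < self.current:
            raise ValueError(f"control {self.number}: ideal state below current state")

    @property
    def gap(self):
        """The 'subtract the two columns' step."""
        return self.ideal - self.current


# Constructed sample rows (not a real organization's assessment).
SAMPLE_ROWS = [
    ControlRow(1, "Inventory of Authorized and Unauthorized Devices", 1, 3),
    ControlRow(2, "Inventory of Authorized and Unauthorized Software", 0, 3),
    ControlRow(3, "Secure Configurations", 2, 3),
    ControlRow(4, "Continuous Vulnerability Assessment and Remediation", 1, 4),
    ControlRow(5, "Malware Defense", 3, 3),
]


def gap_table(rows):
    """(control number, current, ideal, gap) tuples, largest gap first;
    ties go to the lower control number."""
    return sorted(
        ((r.number, r.current, r.ideal, r.gap) for r in rows),
        key=lambda t: (-t[3], t[0]),
    )


def build_roadmap(rows, steps_per_phase):
    """Schedule gap closure into phases.

    Each phase advances at most `steps_per_phase` distinct controls by one
    maturity level, always taking the controls with the largest remaining gap
    first (ties: lower control number). Returns a list of phases, each a list
    of (control number, from level, to level) tuples.
    """
    if steps_per_phase < 1:
        raise ValueError("steps_per_phase must be at least 1")
    level = {r.number: r.current for r in rows}
    target = {r.number: r.ideal for r in rows}
    phases = []
    while any(level[n] < target[n] for n in level):
        pending = sorted(
            (n for n in level if level[n] < target[n]),
            key=lambda n: (-(target[n] - level[n]), n),
        )
        phase = []
        for n in pending[:steps_per_phase]:
            phase.append((n, level[n], level[n] + 1))
            level[n] += 1
        phases.append(phase)
    return phases


if __name__ == "__main__":
    for number, current, ideal, gap in gap_table(SAMPLE_ROWS):
        print(f"Control {number}: {current} -> {ideal} (gap {gap})")
    for i, phase in enumerate(build_roadmap(SAMPLE_ROWS, steps_per_phase=2), 1):
        steps = ", ".join(f"CC{n} {a}->{b} ({MATURITY[b]})" for n, a, b in phase)
        print(f"Phase {i}: {steps}")
```

With the sample rows, Controls 2 and 4 (gap 3 each) lead the first phase, and the five-phase plan at two steps per phase closes all nine level-steps; raising the steps per phase shortens the plan to three phases, the size of the largest single gap.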

Gap Analysis Drives Plan

Implementing the Controls: Sample Implementation, Control 2 (Inventory of Authorized and Unauthorized Software)
- Kaspersky Anti-Virus tool: software inventory report lists software and version number
- Microsoft System Center Configuration Manager (SCCM): inventory software and services on each system
- Windows Management Instrumentation Console (WMIC): ability to script and automate the process
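The automation step the slide points at, as an added example (not code from the slide deck, from Kaspersky, Microsoft or SANS): a script that takes a per-host software inventory in the CSV shape that `wmic product get Name,Version /format:csv` writes (a leading blank line, then Node,Name,Version rows), compares every package against an approved-software list, and reports unauthorized packages, approved packages at a non-approved version, and hosts that lack a required package such as the anti-virus agent. The inventory text, host names, package names (including the placeholder "Sample Remote Admin Tool") and the approved list are all constructed for the example.

```python
"""Control 2 check: software inventory versus an approved-software list.

Added example, not from the slide deck and not a product feature. It reads
a per-host inventory in the CSV shape that `wmic product get Name,Version
/format:csv` produces (a leading blank line, then Node,Name,Version rows),
compares every package with an approved list, and reports packages that
are not approved, approved packages at a non-approved version, and hosts
that lack a required package such as the anti-virus agent. The inventory
text, host names, package names and approved list are all constructed.
"""
import csv
from collections import defaultdict

WMIC_HEADER = ["Node", "Name", "Version"]

# Constructed sample: the WMIC query's CSV output from three hosts, concatenated.
SAMPLE_INVENTORY = """
Node,Name,Version
WS-001,Kaspersky Endpoint Security,10.2.4
WS-001,Mozilla Firefox,62.0.3
WS-001,Sample Remote Admin Tool,3.1

Node,Name,Version
WS-002,Kaspersky Endpoint Security,10.2.4
WS-002,Mozilla Firefox,63.0

Node,Name,Version
WS-003,Mozilla Firefox,63.0
"""

# Constructed approved list: package name -> allowed versions (empty set = any version).
APPROVED = {
    "Kaspersky Endpoint Security": {"10.2.4"},
    "Mozilla Firefox": {"63.0"},
    "Microsoft Office": set(),
}

# Packages every inventoried host must report (constructed policy).
REQUIRED_EVERYWHERE = ["Kaspersky Endpoint Security"]


def parse_wmic_csv(text):
    """Return (node, name, version) tuples; tolerates blank lines and the
    repeated header that appears when several hosts' output is concatenated."""
    rows = []
    seen_header = False
    for fields in csv.reader(line for line in text.splitlines() if line.strip()):
        if fields == WMIC_HEADER:
            seen_header = True
            continue
        if not seen_header or len(fields) != 3:
            raise ValueError(f"unexpected inventory line: {fields}")
        node, name, version = (f.strip() for f in fields)
        rows.append((node, name, version))
    return rows


def classify(rows, approved):
    """Per host: packages not on the approved list, and approved packages at a
    version other than an approved one. Hosts with no findings are omitted."""
    findings = defaultdict(lambda: {"unauthorized": [], "wrong_version": []})
    for node, name, version in rows:
        if name not in approved:
            findings[node]["unauthorized"].append((name, version))
        elif approved[name] and version not in approved[name]:
            findings[node]["wrong_version"].append((name, version, sorted(approved[name])))
    return {node: f for node, f in findings.items()
            if f["unauthorized"] or f["wrong_version"]}


def hosts_missing(rows, required):
    """For each required package, the inventoried hosts that do not report it.
    (A host absent from the inventory altogether is a Control 1 problem and is
    not visible here.)"""
    installed = defaultdict(set)
    for node, name, _ in rows:
        installed[node].add(name)
    return {pkg: sorted(n for n, names in installed.items() if pkg not in names)
            for pkg in required}


if __name__ == "__main__":
    inventory = parse_wmic_csv(SAMPLE_INVENTORY)
    for host, f in sorted(classify(inventory, APPROVED).items()):
        for name, version in f["unauthorized"]:
            print(f"{host}: UNAUTHORIZED {name} {version}")
        for name, version, allowed in f["wrong_version"]:
            print(f"{host}: {name} {version} not in approved versions {allowed}")
    for pkg, hosts in hosts_missing(inventory, REQUIRED_EVERYWHERE).items():
        print(f"hosts missing {pkg}: {hosts}")
```

On the sample data the script flags WS-001 for an unapproved package and an out-of-date Firefox, and WS-003 for lacking the anti-virus agent; WS-002 produces no findings. Feeding it the real output of the WMIC query (or an SCCM software inventory export in the same three columns) is the only change needed to run it against an estate.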

Implementing the Controls: Sample Implementation, Control 4 (Continuous Vulnerability Assessment and Remediation)
- QualysGuard Enterprise Suite: comprehensive vulnerability scanning; includes Critical Controls 1 and 2 plus more.

Starting with Implementation: The Top 5
The First Five cover:
(1) software whitelisting
(2) secure standard configurations
(3) application security patch installation within 48 hours
(4) system security patch installation within 48 hours
(5) ensuring administrative privileges are not active while browsing the web or handling email.

ER Diagram Drives Implementation
Entity Relationship Diagram (ERD):
- One of the 14 types of UML diagrams (structure)
- Also referred to as a Class Diagram
- A type of static structure diagram that describes the structure of a system by showing the system's classes, their attributes, and the relationships between the classes. (Wikipedia)

Sample ER Diagram (Critical Control #1)

Potential Result: A Consolidated ERD

Summary: Plan for Success
1. Perform Initial Gap Assessment: determine what has been implemented and where gaps remain for each control and sub-control.
2. Develop an Implementation Roadmap: select the specific controls (and sub-controls) to be implemented in each phase, and schedule the phases based on business risk considerations.
3. Implement the First Phase of Controls: identify existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training.
4. Integrate Controls into Operations: focus on continuous monitoring and mitigation, and weave new processes into standard acquisition and systems management operations.
5. Report and Manage Progress against the Implementation Roadmap developed.

THANK YOU for your time
Dr. Eric Cole
Twitter: drericcole
ecole@secureanchor.com
eric@sans.org
www.securityhaven.com