LAB2 R12: Optimize Your Supply Chain Cyber Security


LAB2 R12: Optimize Your Supply Chain Cyber Security
Post Conference Summary
Allan Thomson
Jamison M. Day, Ph.D.

Table of Contents
INTRODUCTION
SUPPLY CHAIN CYBER SECURITY TRENDS
  Outsourcing Increases Threat Surface Area
  Increase in Use of Supply Chain Partner Threat Vector
  Scarce Resources for Internal Detection and Defense
  Recently Publicized Supply Chain Cyber Incidents
CYBER SECURITY IN SUPPLIER SELECTION EFFORTS
  Supplier Selection: Cyber Security Best Practices
  Vendor & Service Provider Contracts: Cyber Security Best Practices
SUPPLY CHAIN CYBER STRATEGY MATRIX: 4 QUADRANTS
  Recommended Threat Management Activities for All Quadrants
  Quadrant I Maturity & Access
  Quadrant II Maturity & Access
  Quadrant III Maturity & Access
  Quadrant IV Maturity & Access
METRICS FOR SUPPLY CHAIN CYBER SECURITY

Introduction

Thank you for spending some of your valuable time at RSA Conference 2017 attending our Learning Lab, Optimize Your Supply Chain Cyber Security. There were so many great sessions, and your participation in our Lab means a lot to us. We hope you found it as engaging and educational as we did, and that your Lab interactions provided some valuable ideas to take back to your organization. This summary is designed to recap the concepts we discussed together during the Learning Lab. The issues relating to supply chain management and cyber security are complex and varied, and two hours was barely enough time to scratch the surface. We both felt that many people contributed key insights that will help mature cyber security awareness and overall enterprise security posture vis-à-vis supply chain partners. Both of us were glad to see such enthusiastic and insightful participation from this Lab's participants. If you have any follow-up questions on our lab please feel free to contact us directly. Thank you.

Allan Thomson
Jamison M. Day, Ph.D.

Supply Chain Cyber Security Trends

Outsourcing Increases Threat Surface Area
- Supports focus on core competencies
- Extends information system endpoints beyond the organization's cyber defense perimeter
- Hackers are increasingly exploiting this

Increase in Use of Supply Chain Partner Threat Vector
- Up 22% from 2014 to 2015
  o http://www.pwc.com/us/en/cfodirect/issues/cyber-security/information-security-survey.html
- 80% of breaches originate in the supply chain
  o http://blogs.rsa.com/the-growing-need-to-manage-third-party-and-vendor-risk/

Scarce Resources for Internal Detection and Defense
- 79% of U.S. companies lack the tools & resources for effective internal cyber security
  o http://trust.brandprotect.com/download-ponemon-executive-study
- Monitoring the extended information supply chain presents an even greater burden
- Efficient allocation of cyber security resources often requires triage decisions

Recently Publicized Supply Chain Cyber Incidents

COGENT HEALTHCARE BREACH (2013)
(http://www.healthcarebusinesstech.com/vendor-mistake-causes-data-breach/)
- Transcription provider stored notes on a website
- Failure to activate a firewall left patients' personal information exposed

AT&T BREACH (2014)
(http://www.itbusinessedge.com/blogs/data-security/att-breach-by-vendor-awakens-new-insider-threat-concerns.html)
- Employees at a service provider violated privacy & security guidelines
- Accessed accounts to obtain codes that unlock phones for sale in other markets

GOODWILL BREACH (2014)
(https://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/)
- Retail POS vendor compromised by malicious hackers
- Installation of infostealer.rawpos malware (undetectable until Sep 5, 2014)
- Affected more than 330 Goodwill locations for over 18 months
- Allowed theft of customer credit card information

TARGET BREACH (2013)
(https://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/)
- External defenses were found to be robust at detecting and blocking attacks
- Heating & air conditioning provider compromised by malware (via email)
- Target VPN credentials obtained
- Poor network segmentation allowed access to every POS register in every store
- Password policies not being enforced/followed
- Default passwords in some internal systems
- Services/systems missing critical security patches
- Vulnerability scanning program in place, but no or slow remediation was taken

U.S. OFFICE OF PERSONNEL MANAGEMENT (2014)
(https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/ & https://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/)
- Background check providers hacked by Chinese; credentials used to access OPM
- Exploited enterprise management software vulnerability
- Loaded keystroke logging malware on workstations of database administrators
- Exfiltration included: background investigation, personnel, fingerprint
- OPM lacked:
  o Comprehensive cyber asset inventory
  o Vulnerability scanning program
  o Multi-factor authentication
  o Visibility on network traffic

Cyber Security in Supplier Selection Efforts

Supplier Selection: Cyber Security Best Practices

CYBER ASSET INVENTORY
Obtain a list of IPs, CIDRs, ASNs, etc. being used by the company. If they do not know what assets need protection, they are unlikely to be very secure.

CYBER SECURITY CERTIFICATIONS
Review any certification documentation to assess cyber security assurance practices
  o ISO 27001
  o Cyber Essentials
  o PCI Compliance (where applicable)

3RD PARTY RISK ASSESSMENT
Examine company practices for
  o Security patches
  o Spam & malicious email
  o Employee cyber security training
  o Access control permissions
  o Intrusion detection
  o Equipment (clear chain of custody / firmware validation)
  o Network architecture
  o Brand security

PENETRATION TESTING
Have a 3rd party perform a penetration test. Examine corrective actions taken from previous tests and after presenting the results of the current test.

THREAT INTELLIGENCE RESEARCH
Analyze available intel from
  o Threat Intelligence Feeds
  o Vulnerability scans (e.g. Nessus)
  o Domain reputation monitoring
  o Content in social media, dark web, forums, chat channels, Pastebin, etc.

BUILD CYBER SECURITY TEAM RELATIONSHIP
Initiate direct communication between your cyber security teams to assess threat management maturity.

Vendor & Service Provider Contracts: Cyber Security Best Practices
Consider requiring:
  o Cyber security insurance
  o Rapid notification of any breach
  o Collaboration in cyber defense activities

Supply Chain Cyber Strategy Matrix: 4 Quadrants

Each of your supply chain partners is different; some require access to sensitive systems or data while others don't, and some have strong approaches to managing cyber security while others struggle. The following matrix provides a generalized framework for allocating your cyber security resources among a diverse range of supply chain partners. Our session also discussed the importance of supply chain partner criticality, that is, the importance of a supply chain partner and/or the lack of alternatives to it. In these cases, it may be important to elevate the level of threat management effort.

Recommended Threat Management Activities for All Quadrants

For every partner, regardless of what quadrant they are in, your company should employ automated and passive defense solutions (which do not require continuous activity to keep in place) whenever possible to reduce the manual effort required from your cyber security team.

UNIQUE VPN KEYS / SEGMENTED DMZS
Since every partner is a potential attack vector, be sure to use segmented demilitarized zones (DMZs) and unique VPN keys for each partner. Not only does this allow for more tailored management across a variety of attack surfaces, but it appropriately quarantines any critical threat arising from another organization without affecting other partners' ability to interact with your company. Deliberating for days or weeks on how to deal with a threat after learning about one gives attackers time to gain a greater foothold in your networks and/or exfiltrate more information. Therefore, determine in advance what situations justify cutting off vendor access, and set up the processes for doing so.

FIREWALLS / ANTI-MALWARE / ANTI-VIRUS / INTRUSION DETECTION SYSTEMS / INTRUSION PREVENTION SYSTEMS / ADVANCED AUTHENTICATION
The proper use of firewalls, anti-malware, anti-virus, intrusion detection systems, intrusion prevention systems, and multi-factor authentication requires little ongoing effort and provides a significant increase in security.

3RD PARTY THREAT MONITORING
The cyber asset inventory obtained during supplier selection should provide a list of IP ranges and domain names that can be monitored with alerts. As threat intelligence feeds report significant indicators of compromise associated with those addresses, your cyber security team can contact the affected partner to ask how they are responding to the security vulnerability (which is also your exposure), how they are going to address the issue, and what improvements they will make.
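As an added example of the 3rd party threat monitoring described above (this is not code from the Learning Lab or from LookingGlass), the following Python matches indicators from a threat intelligence feed against each partner's declared asset inventory and orders the resulting alerts by strategy-matrix quadrant, so a hit on a Quadrant IV partner's address space is looked at first. The partner names, CIDRs, domains, feed records and the QUADRANT_PRIORITY weighting are all constructed assumptions for illustration; the addresses are reserved documentation ranges.

```python
"""Third-party threat monitoring: match threat-intel indicators against each
supply chain partner's declared cyber asset inventory (IP ranges, domains).

Added example; not code from the Learning Lab or LookingGlass. Every partner,
CIDR, domain and indicator below is constructed sample data."""
import ipaddress
from collections import defaultdict

# Constructed partner inventory: what each partner reported during supplier
# selection, plus the strategy-matrix quadrant we placed them in (assumed).
PARTNERS = {
    "hvac-vendor": {
        "quadrant": "IV",  # low maturity, access to company systems: highest risk
        "cidrs": ["203.0.113.0/24"],
        "domains": ["hvac-vendor.example"],
    },
    "payroll-provider": {
        "quadrant": "II",
        "cidrs": ["198.51.100.0/25", "2001:db8:10::/48"],
        "domains": ["payroll.example"],
    },
    "print-shop": {
        "quadrant": "I",
        "cidrs": ["192.0.2.0/28"],
        "domains": ["print-shop.example"],
    },
}

# Constructed threat-intel feed records (TEST-NET addresses, example domains).
FEED = [
    {"indicator": "203.0.113.77", "type": "ipv4", "tag": "c2"},
    {"indicator": "mail.payroll.example", "type": "domain", "tag": "phishing"},
    {"indicator": "2001:db8:10::5", "type": "ipv6", "tag": "scanner"},
    {"indicator": "192.0.2.250", "type": "ipv4", "tag": "c2"},  # outside the /28
    {"indicator": "notpayroll.example", "type": "domain", "tag": "phishing"},  # no match
]

# Assumed triage order: Quadrant IV partners combine low maturity with access
# to our systems, so an indicator on their space is reviewed first.
QUADRANT_PRIORITY = {"IV": 1, "II": 2, "III": 3, "I": 4}


def _parsed_inventory(partners):
    """Parse each partner's CIDRs once; reject malformed inventory entries."""
    parsed = {}
    for name, info in partners.items():
        nets = []
        for cidr in info["cidrs"]:
            try:
                nets.append(ipaddress.ip_network(cidr, strict=False))
            except ValueError as exc:
                raise ValueError(f"{name}: bad CIDR {cidr!r}") from exc
        parsed[name] = (nets, [d.lower().rstrip(".") for d in info["domains"]])
    return parsed


def _domain_matches(indicator, domains):
    """True if the indicator equals a partner domain or is a subdomain of one.
    The match is on a label boundary, so 'notpayroll.example' does not match
    'payroll.example'."""
    ind = indicator.lower().rstrip(".")
    return any(ind == d or ind.endswith("." + d) for d in domains)


def match_feed(feed, partners=PARTNERS):
    """Return one alert per (indicator, partner) hit, highest priority first."""
    inventory = _parsed_inventory(partners)
    alerts = []
    for rec in feed:
        for name, (nets, domains) in inventory.items():
            hit = False
            if rec["type"] in ("ipv4", "ipv6"):
                try:
                    addr = ipaddress.ip_address(rec["indicator"])
                except ValueError:
                    continue  # malformed feed entry; skip rather than alert
                hit = any(addr in n for n in nets)  # version mismatch is False
            elif rec["type"] == "domain":
                hit = _domain_matches(rec["indicator"], domains)
            if hit:
                alerts.append({
                    "partner": name,
                    "quadrant": partners[name]["quadrant"],
                    "indicator": rec["indicator"],
                    "tag": rec["tag"],
                })
    alerts.sort(key=lambda a: QUADRANT_PRIORITY.get(a["quadrant"], 9))  # stable
    return alerts


def alerts_by_partner(feed, partners=PARTNERS):
    """Group hits per partner so each partner gets a single outreach message."""
    grouped = defaultdict(list)
    for a in match_feed(feed, partners):
        grouped[a["partner"]].append(a["indicator"])
    return dict(grouped)


if __name__ == "__main__":
    for a in match_feed(FEED):
        print(f"[Q{a['quadrant']}] {a['partner']}: {a['indicator']} ({a['tag']})")
```

Two points a practitioner would want here: domain matching is done on a label boundary rather than a bare substring, so a look-alike domain that merely ends in a partner's name does not generate a false alert, and IPv4/IPv6 indicators are compared against the partner's networks with the standard library's containment check, which returns False across address families instead of raising. Grouping by partner is what turns a stream of feed hits into the single "how are you responding to this?" conversation the section recommends.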

Quadrant I: Periodic Assessment (high maturity, low access)
Risk: Lowest
Actions:
  o Assess more often than contract renewal
  o Ensure sound cyber security practices are maintained
Relationship:
  o Preferably establish direct ties between security operations center teams (if willing)
  o Otherwise, via ISAC/ISAO

Quadrant II: Collaborative (high maturity, high access)
Risk: Moderate
Actions:
  o Regular sharing of suspicious activity, IOCs, threat intel
  o Engage for response and remediation
  o Joint red team and penetration testing efforts
Relationship:
  o Most valuable supply chain cyber security allies
  o Strong regular connection between security operations center teams
  o Leverage cooperation and collaboration whenever possible

Quadrant III: Continuous Monitoring (low maturity, low access)
Risk: Moderate
Actions:
  o Regular vulnerability scans (e.g. Nessus)
  o Monitor access and use
Relationship:
  o Communicate when unsafe practices are identified
  o Encourage awareness of the need for cyber security

Quadrant IV: 3rd Party (low maturity, high access)
Risk: Highest
Actions:
  o Enforce stringent access policies
  o Remain alert for indications of unauthorized activity
  o Employ active defense techniques (network activity monitoring, behavioral analysis, APT defense)
  o Pre-define policies and procedures for quickly severing access
Relationship:
  o Ensure your cyber security team is involved in vendor performance reviews
  o Regularly update your understanding of threat risk & weigh it against value obtained from the vendor

Metrics for Supply Chain Cyber Security

Unfortunately, coordinating supply chain management and cyber security management is often difficult, and traditional organizational incentive structures are not helping. Supply chain organizations typically evaluate performance based on total cost savings, while the value of cyber security efforts is seldom understood until there is an incident. However, as information-related supply chain interactions continue to expand the surface area subject to cyber threat beyond controlled organizational boundaries, this coordination is increasingly important. Our discussion suggested that developing valuation metrics for cyber security that can inform total cost of ownership (TCO) may provide the missing link for incentivizing interdepartmental activities that enhance supply chain cyber security. Even simple estimates of expected value (likelihood * estimated impact) could provide a useful starting point for evolving the relationship, as well as a better understanding of the return on investment from cyber security efforts.

SESSION ID: LAB2-R12
Optimize Your Supply Chain Cyber Security
Jamison M. Day, Ph.D., Principal Data Scientist, LookingGlass Cyber Solutions, @jamisonday
Allan Thomson, CTO, LookingGlass Cyber Solutions, @tweet_a_t

Chatham House Rules Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.

In Supply Chains, Success & Security are Interdependent
- Outsourcing and strategic partnerships allow your organization to focus on improving its core competencies
- As others provide supporting functions necessary to your business, you extend information system endpoints outside your own defense perimeter
- Hackers not only know this, they are exploiting it!

Important Breach Trends
- Up to 80% of Breaches now Originate in the Supply Chain (Howarth, Fran. The Growing Need to Manage Third Party and Vendor Risk. RSA Blog, Mar 31, 2015.)
- Cyber Incidents Involving Business Partners Up 22% from 2014 to 2015 (PWC: 2017 Global State of Information Security)

Recent Vendor-Originating Cyber Incidents

DISCUSSION: Your Nightmare Scenarios
- Summarize your top three (3) supply chain cyber incident nightmare scenarios
  o Consider financial performance, brand reputation, customer loyalty
- Estimate your organization's expected financial loss from each scenario

Streamlining Your Supply Chain Cyber Security
- Monitoring your extended supply chain's information systems is an additional burden
- 79% of U.S. companies lack the resources & tools for internal detection and defense (Ponemon Institute 2016 External Threats Report)
- For efficient allocation of cyber security resources, triage effort based on partners'
  o Access to sensitive systems/data
  o Cyber security maturity

Contracts Don't Guarantee Cyber Security
- Each new supply chain partner increases your organization's attack surface area
- Integrating cyber security into your supply contracts does not make you safe!
- Each day presents new opportunities for threat actors
- Cyber security teams must efficiently allocate limited resources

Cyber Security in Supplier Selection Practices
- Cyber Asset Inventory
- Cyber Security Certifications
  o ISO 27001
  o Cyber Essentials
  o PCI compliance (where applicable)
- 3rd Party Risk Assessment - Examine Practices for:
  o Security patches
  o Spam & malicious email
  o Employee cyber security training
  o Access control permissions
  o Intrusion detection
  o Equipment
  o Network architecture
  o Brand security
- 3rd Party Penetration Testing
  o Examine corrective actions taken
- Threat Intelligence Research
  o Threat intelligence feeds
  o Vulnerability scans (e.g. Nessus)
  o Domain reputation monitoring
  o Content in online channels: forums, Pastebin, dark web, social media, etc.
- Build relationship with supplier's cyber security team
- Contractually require cyber security insurance, rapid notification of any breach, and collaboration in cyber defense activities

Discussion: Supply Chain Partner Cyber Security Evaluation
- What steps does your company take to evaluate the cyber risk associated with candidate supply chain partners?
- How and when is your cyber security team made aware of new supply chain partners?
- How might you alter the supplier selection practices at your organization to enhance its cyber security?

LookingGlass Supply Chain Cyber Strategy Matrix

Vertical axis: Cyber Maturity / Trust in Partner (arrow label: Encourage All Partners Towards Cyber Maturity)
Horizontal axis: Partner Access / Impact to Company Systems / Data (arrow label: Outsourcing Drives Greater Need for Access)

                   Low Access                   High Access
  High Maturity    I. Periodic Assessment       II. Collaborative
  Low Maturity     III. Continuous Monitoring   IV. 3rd Party

Exercise: Supply Chain Partner Classification
- Identify several of your organization's supply chain partners
- Categorize each of them into one of the four quadrants (I. Periodic Assessment, II. Collaborative, III. Continuous Monitoring, IV. 3rd Party)
- Try to identify at least three within each quadrant
- Discuss the characteristics of at least 4 different partners and why you feel they should be categorized in the quadrant you placed them in.

Actions for All Quadrants (I, II, III, IV)
Automated & Passive Defense Solutions
- Unique VPN keys & segmented DMZs for each partner
  o Allows tailored management & provides rapid quarantine capability
- Firewalls
- Anti-malware
- Anti-virus
- Advanced authentication
- Intrusion detection systems
- Intrusion prevention systems
- 3rd party threat monitoring
  o Great way to encourage cyber maturity

- Rate and discuss your organization's maturity in applying each of these cyber security solutions
- Does your organization use any other supply chain cyber defense solutions for securing itself from all partners?
- What steps could your organization take to enhance its ability to use all of these solutions?

Quadrant I: Periodic Assessment
For your supply chain partners in Quadrant I:
- How does your organization ensure supply chain cyber security with these partners?
- What kind of cyber security-focused relationships do you maintain with these partners?
- What steps could your organization take to improve supply chain cyber security with these partners?

Periodic Assessment Profile
Risk: Lowest
Actions:
- Assess more often than contract renewal
- Ensure sound cyber security practices are maintained
Relationship:
- Preferably establish direct ties between security operations center teams (if willing)
- Otherwise, via ISAC/ISAO

Quadrant II: Collaborative
For your supply chain partners in Quadrant II:
- How does your organization ensure supply chain cyber security with these partners?
- What kind of cyber security-focused relationships do you maintain with these partners?
- What steps could your organization take to improve supply chain cyber security with these partners?

Collaborative Profile
Risk: Moderate
Actions:
- Regular sharing of suspicious activity, IOCs, threat intel
- Engage for response and remediation
- Joint red-team and penetration testing efforts
Relationship:
- Most valuable supply chain cyber security allies
- Strong regular connection between security operations center teams
- Leverage cooperation and collaboration whenever possible

Quadrant III: Continuous Monitoring
For your supply chain partners in Quadrant III:
- How does your organization ensure supply chain cyber security with these partners?
- What kind of cyber security-focused relationships do you maintain with these partners?
- What steps could your organization take to improve supply chain cyber security with these partners?

Continuous Monitoring Profile
Risk: Moderate
Actions:
- Regular vulnerability scans (e.g. Nessus)
- Monitor access and use
Relationship:
- Communicate when unsafe practices are identified
- Encourage awareness of the need for cyber security

Quadrant IV: 3rd Party
For your supply chain partners in Quadrant IV:
- How does your organization ensure supply chain cyber security with these partners?
- What kind of cyber security-focused relationships do you maintain with these partners?
- What steps could your organization take to improve supply chain cyber security with these partners?

3rd Party Profile
Risk: Highest
Actions:
- Enforce stringent access policies
- Remain alert for indications of unauthorized activity
- Employ active defense techniques (network activity monitoring, behavioral analysis, APT defense)
- Pre-define policies and procedures for quickly severing access
Relationship:
- Ensure your cyber security team is involved in vendor performance reviews
- Regularly update your understanding of threat risk & weigh it against value obtained from the vendor

Exercise: Supply Chain Cyber Security Metrics
- How does your company measure the value of supply chain cyber security?
- How might your company improve these metrics?
- Review your list of potential organization improvements
  o Which of these are most likely and least likely to provide a good return on investment?

Discussion: Conclusions
- What were the most valuable insights that surfaced during this session?
- How do you hope to change the supply chain and cyber security practices in your organization?

Apply
- What actions will you take within the next 3 weeks?
- What actions will you take within the next 3 months?

Go Ahead Connect Your Organization. SAFELY!!!