Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF)
Larry Wilson, lwilson@umassp.edu
ISACA Breakfast Meeting, January 2016
Designing & Building a Cybersecurity Program: Agenda
- Part 1: The Threat Situation
- Part 2: The Risk Equation
- Part 3: Protecting the Assets
- Part 4: The Program Deliverables
Part 1: The Threat Situation
Data is the New Oil
The Problem: Data is Everywhere
A growing attack surface:
- Consumerization of IT
- Public, private and hybrid cloud
- Mobile applications
- Privileged accounts
- Internet of Things
The Challenges: Business, Technology, Compliance, Skills
- The key business challenges
- The key technology challenges
- Legal, regulatory and compliance challenges
- The key workforce challenges
The Possible Consequences: Cyber Attacks Could Put Humans and Infrastructure at Risk
We have executive attention... Now what?
The UMASS Cybersecurity Program Approach
1. The Asset Inventory
   - Network diagrams / data flow diagrams
   - Asset inventory, configuration, vulnerabilities
   - Endpoint devices
   - Data center systems (servers, databases)
   - Network devices
   - Key business applications
   - Confidential data inventory
   - List of users with administrative accounts
2. The Security Technologies
   - Network technologies: firewalls, IPS, URL filtering, wireless, NAC
   - Vulnerability management
   - Directory service
   - Endpoint / server / database technologies
   - Hardware / software / configuration management
   - Security Information & Event Management (SIEM)
   - Anti-virus, data loss protection, etc.
   - Application security: web application scanning, web application firewall
3. Industry Standard Controls: the Critical Security Controls
4. Current & Target Security Profile
   - Current Profile: the current score against the Critical Security Controls
   - Target Profile: the target score against the Critical Security Controls
   - Roadmap: how to move from the current score to the target score
Part 2: The Risk Equation
Calculating Risk
Risk = (Threats x Vulnerabilities x Asset Value) summed over unmanaged assets (weak controls)
     + (Threats x Vulnerabilities x Asset Value) summed over managed assets (strong controls)
How do we calculate risk?
- Risk is based on the likelihood and impact of a cybersecurity incident or data breach.
- Threats are potential attacks against IT resources and information assets.
- Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat.
- Asset Value is based on the criticality of IT resources and information assets.
- Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities.
- Managed assets have strong controls; unmanaged assets have weak controls. The same product is computed for both groups; what separates them is how much the controls shrink each term.
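A worked instance of the risk equation above, as an added example that is not part of the original deck. It scores a small constructed inventory on 1 to 5 scales, splits assets into managed and unmanaged by the combined effectiveness of their controls (the 0.6 cut-off, the scoring scales, the asset names and the control effectiveness values are all assumptions for the illustration), computes the two sums from the slide, and ranks the assets by residual risk so the highest-risk unmanaged assets are the first candidates to move into the program.

```python
"""Worked instance of the slide's risk equation.

Risk = sum(T x V x A) over unmanaged assets + sum(T x V x A) over managed assets.
Scores, asset names and control effectiveness values below are constructed for the
example; the managed/unmanaged threshold is an assumption, not a figure from the deck.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    family: str                  # Systems, Networks, Applications or Critical Assets
    threat: int                  # likelihood of an attack against this asset, 1 (low) to 5 (high)
    vulnerability: int           # exploitable weakness with no controls applied, 1 to 5
    value: int                   # criticality of the asset, 1 to 5
    controls: dict = field(default_factory=dict)  # control name -> effectiveness, 0.0 to 1.0


# An asset counts as "managed" once its combined controls reach this effectiveness (assumed cut-off).
MANAGED_THRESHOLD = 0.6


def control_strength(asset: Asset) -> float:
    """Combined effectiveness of independent controls: 1 - product(1 - e_i)."""
    remaining = 1.0
    for effectiveness in asset.controls.values():
        remaining *= 1.0 - effectiveness
    return 1.0 - remaining


def is_managed(asset: Asset) -> bool:
    """Strong controls -> managed asset; weak or no controls -> unmanaged asset."""
    return control_strength(asset) >= MANAGED_THRESHOLD


def asset_risk(asset: Asset) -> float:
    """Threats x Vulnerabilities x Asset Value, with controls shrinking the vulnerability term."""
    residual_vulnerability = asset.vulnerability * (1.0 - control_strength(asset))
    return asset.threat * residual_vulnerability * asset.value


def portfolio_risk(assets) -> dict:
    """The two sums from the slide, plus their total."""
    managed = sum(asset_risk(a) for a in assets if is_managed(a))
    unmanaged = sum(asset_risk(a) for a in assets if not is_managed(a))
    return {"managed": managed, "unmanaged": unmanaged, "total": managed + unmanaged}


def ranked(assets) -> list:
    """Assets ordered by residual risk, highest first: the order to feed them into the program."""
    return sorted(assets, key=asset_risk, reverse=True)


# Constructed sample inventory (not real UMASS assets).
SAMPLE_ASSETS = [
    Asset("hr-db-01", "Critical Assets", threat=4, vulnerability=4, value=5,
          controls={"CSC-04 vulnerability mgmt": 0.5, "CSC-05 admin privileges": 0.6}),
    Asset("lab-workstation-17", "Systems", threat=3, vulnerability=5, value=2),
    Asset("guest-wifi-ap", "Networks", threat=4, vulnerability=3, value=2,
          controls={"CSC-15 wireless access control": 0.3}),
    Asset("web-portal", "Applications", threat=5, vulnerability=3, value=4,
          controls={"CSC-18 application security": 0.5, "CSC-12 boundary defense": 0.5}),
]

if __name__ == "__main__":
    for a in ranked(SAMPLE_ASSETS):
        state = "managed" if is_managed(a) else "UNMANAGED"
        print(f"{a.name:<20} {a.family:<16} {state:<10} risk={asset_risk(a):5.1f}")
    print(portfolio_risk(SAMPLE_ASSETS))
```

On the sample data the unmanaged sum (46.8) exceeds the managed sum (31.0) even though the managed assets carry higher asset values, which is the slide's point: the unmanaged, uncontrolled assets are where the risk concentrates, and the ranking puts the uncontrolled lab workstation first.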
Unmanaged vs. Managed Assets
Our unmanaged assets ARE NOT protected:
- There are undetected problems, not seen and not reported
- Our unmanaged assets become easy targets
- Which leads to a breach from missing or ineffective controls
Our managed assets ARE protected:
- We need to understand why security breaches occur
- And the steps to take to prevent them
- And build a portfolio of managed assets
The Asset Families
- The Networks Family: switches, routers, firewalls, etc.
- The Systems Family: endpoints, mobile, workstations, servers, etc.
- The Applications Family: applications, databases, etc.
- The Critical Assets: privileged user access, critical information assets
The NIST Cybersecurity Framework
Framework Core
- Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
- Categories, Subcategories, Informative References
- The 20 Critical Security Controls (Control-1 through Control-20) serve as the informative references, distributed across the five Functions
Framework Tiers
- Tier 1, Partial: ad hoc risk management; limited cybersecurity risk awareness; low external participation (weak controls)
- Tier 2, Risk Informed: some risk management practices; increased awareness, no program; informal external participation
- Tier 3, Repeatable: formalized risk management; organization-wide program; receives external partner information (strong controls)
- Tier 4, Adaptive: adaptive risk management practice; cultural, risk-informed program; actively shares information
Framework Profile
- Current Profile: current state of alignment between core elements and organizational requirements, risk tolerance and resources. Where am I today relative to the Framework?
- Target Profile: desired state of alignment between core elements and organizational requirements, risk tolerance and resources. Where do I aspire to be relative to the Framework?
- Roadmap: the path from the Current Profile to the Target Profile
The Critical Security Controls: The 20 Critical Security Controls (CSC v6.0)
CSC      Control                                                                     Sub-controls
CSC 1    Inventory of Authorized & Unauthorized Devices                              6
CSC 2    Inventory of Authorized & Unauthorized Software                             4
CSC 3    Secure Configurations for Mobile Devices, Laptops, Workstations and Servers 7
CSC 4    Continuous Vulnerability Assessment & Remediation                           8
CSC 5    Controlled Use of Administrative Privileges                                 9
CSC 6    Maintenance, Monitoring & Analysis of Audit Logs                            6
CSC 7    Email & Web Browser Protections                                             8
CSC 8    Malware Defenses                                                            6
CSC 9    Limitation and Control of Network Ports, Protocols and Services             6
CSC 10   Data Recovery Capability                                                    4
CSC 11   Secure Configurations for Network Devices (Firewalls, Routers, Switches)    7
CSC 12   Boundary Defense                                                            10
CSC 13   Data Protection                                                             9
CSC 14   Controlled Access Based on the Need to Know                                 7
CSC 15   Wireless Access Control                                                     9
CSC 16   Account Monitoring & Control                                                14
CSC 17   Security Skills Assessment & Appropriate Training to Fill Gaps              5
CSC 18   Application Software Security                                               9
CSC 19   Incident Response and Management                                            7
CSC 20   Penetration Tests and Red Team Exercises                                    8
Total: 149 sub-controls across the 20 controls.
How the Controls Work (Part 1): They map to the Assets
Each control is implemented by a security technology whose algorithms act on the assets, turning unmanaged assets into managed assets:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configuration of Endpoints, Servers, Workstations
- CSC 4: Continuous Vulnerability Assessment and Remediation
How the Controls Work (Part 2): They map to the Framework
CIS Critical Security Controls (v6.0) mapped to the Cybersecurity Framework (CSF) Core categories:
CSC                                                            Asset Family   CSF Categories
CSC-01 Inventory of Authorized and Unauthorized Devices        Systems        AM
CSC-02 Inventory of Authorized and Unauthorized Software       Systems        AM
CSC-03 Secure Configuration of Endpoints, Servers, etc.        Systems        IP
CSC-04 Continuous Vulnerability Assessment and Remediation     Systems        RA, CM, MI
CSC-05 Controlled Use of Administrative Privileges             Systems        AC
CSC-06 Maintenance, Monitoring and Analysis of Audit Logs      Systems        AE, AN
CSC-07 Email and Web Browser Protections                       Systems        PT
CSC-08 Malware Defenses                                        Systems        PT, CM
CSC-09 Limitation and Control of Ports, Protocols, Services    Systems        IP
CSC-10 Data Recovery Capability                                Systems        RP
CSC-11 Secure Configuration of Network Devices                 Networks       IP
CSC-12 Boundary Defense                                        Networks       DP
CSC-13 Data Protection                                         Applications   DS
CSC-14 Controlled Access Based on Need to Know                 Networks       AC
CSC-15 Wireless Access Control                                 Networks       AC
CSC-16 Account Monitoring and Control                          Applications   AC, CM
CSC-17 Security Skills Assessment and Appropriate Training     Applications   AT
CSC-18 Application Software Security                           Applications   IP
CSC-19 Incident Response and Management                        Applications   AE, RP
CSC-20 Penetration Tests and Red Team Exercises                Applications   IM (Respond), IM (Recover)
Category key, with the CSF Function each belongs to: AM Asset Management and RA Risk Assessment (Identify); AC Access Control, AT Awareness and Training, DS Data Security, IP Information Protection Processes and Procedures, PT Protective Technology (Protect); AE Anomalies and Events, CM Security Continuous Monitoring, DP Detection Processes (Detect); AN Analysis, MI Mitigation, RP Response Planning, IM Improvements (Respond); RP Recovery Planning, IM Improvements (Recover). RP occurs in both Respond and Recover; the slide places CSC-10's RP under Recover.
Part 3: Protecting the Assets
Today's Cybersecurity Programs Are Closed or Proprietary
- The Cisco Cybersecurity Framework
- The Oracle Cybersecurity Framework
- EY's Cyber Program Management (CPM) Framework
- Deloitte Cyber Risk Management Strategy: cyber risk as a strategic issue; develop policies and frameworks; secure, vigilant, resilient; spread awareness and education; invest in effective implementation
The UMASS Cybersecurity Program Is Open and Freely Available: The Controls Factory
Input: Unmanaged Assets (P1: System Family, P2: Network Family, P3: Applications Family, P4: Crown Jewels)
Output: Managed Assets (P1: System Family, P2: Network Family, P3: Applications Family, P4: Crown Jewels)
The six components of the factory:
1. Threat Office: threats, vulnerabilities, IOCs, attack chain, threat & attack risk vectors
2. Design Center: internal controls, controls framework, controls standards
3. Technology Center: design guides, build guides, run guides
4. Monitoring Center: asset / configuration monitoring, netflow / packet monitoring, syslog / event monitoring
5. Testing Center: controls / risk assessment, technology / services assessment, operations assessment
6. Risk Office: cybersecurity program, policy & training, program deliverables / roadmap / communications
The Functional Requirements Inside the Controls Factory
Input: Unmanaged Assets (P1 to P4). Output: Managed Assets (P1: System Family, P2: Network Family, P3: Applications Family, P4: Crown Jewels).
1. Threats: exposure (Threat Office)
2. Controls: safeguards, the 1st line of defense (Design Center)
3. Technology: algorithms, the 2nd line of defense (Technology Center)
4. Monitoring: visibility, the 3rd line of defense (Monitoring Center)
5. Testing: assurance, the 4th line of defense (Testing Center)
6. Risk Management (Risk Office)
The six-component legend is the same as on the Controls Factory slide.
The Technical Requirements Inside the Controls Factory
The Design, Build, Run, Test Area (Design Center, Technology Center, Monitoring Center, Testing Center) is built from vendor technologies: Intel, Qualys, Palo Alto, Dell Kace, Bit9, Microsoft, HP, CheckPoint, Oracle, Tenable, Cisco, EiQ, Veracode, IBM.
Input: Unmanaged Assets (unmanaged endpoints, unmanaged servers, unmanaged networks)
Output: Managed Assets (P1: System Family, P2: Network Family, P3: Applications Family, P4: Crown Jewels)
The six-component legend is the same as on the Controls Factory slide.
The UMASS Controls Factory Model
The Current Profile (before the factory) is the input of unmanaged assets; the Target Profile (after the factory) is the output of managed assets.
The Threat Area (Threat Office)
- Threats, vulnerabilities, IOCs
- Actionable threat intelligence
- The cyber attack chain
The Design, Build, Run, Test Area
- Design Center: internal controls process; controls framework; controls standards
- Technology Center: design guides; build guides; run guides
- Monitoring Center: asset, software, configuration monitoring; threat, vulnerability, IOC monitoring; netflow, packet, security event monitoring
- Testing Center: controls & risk assessment; technology & services assessment; operations assessment
The Risk Area (Risk Office)
- The risk management practice
- Policy, training & awareness
- Deliverables, communication, roadmap
The Threat Office
- Threats, vulnerabilities, IOCs
- Actionable threat intelligence (BitSight threat categories)
- The cyber attack chain
- Mapping threats to the asset families: Networks, Systems, Applications, Critical Assets
The Design Center
- Internal controls process
- The controls framework
- The controls standards
- Mapping controls to the asset families: Networks, Systems, Applications, Critical Assets
The Technology Center
- Design guides: Cybersecurity Technology Design Guide
- Build guides: Cybersecurity Technology Build Guide
- Run guides: Cybersecurity Technology Run Guide
- Mapping technology solutions to the asset families: Networks, Systems, Applications, Critical Assets
The Monitoring Center
- Asset, software, configuration monitoring
- Threat, vulnerability, IOC monitoring
- Netflow, packet, security event monitoring
- Mapping cybersecurity operations to the asset families: Networks, Systems, Applications, Critical Assets
The Testing Center
- Controls / risk assessments
- Technology assessments
- Operations assessments
- Penetration testing methodology: black box testing, gray box testing, white box testing
- Mapping cybersecurity testing to the asset groups: Networks, Systems, Applications, Critical Assets
The Risk Office
- Cyber risk practice
- The security policies
- Program deliverables, communications & roadmap
- Mapping cyber risk practices to the asset families: Networks, Systems, Applications, Critical Assets
Part 4: The Program Deliverables
The Controls Factory
Program input: Unmanaged Assets. Program output: Managed Assets.
Programs: P1 Systems Family Program, P2 Networks Family Program, P3 Applications Family Program, P4 Crown Jewels Program.
Stages, in order: Threat Office (attack vectors); Design Center (controls design, 1st line of defense); Technology Center (technology build, 2nd line of defense); Monitoring Center (operations run, 3rd line of defense); Testing Center (QA test, 4th line of defense); Risk Office (risk management).
P1: The Systems Security Program
1. The Assets
2. The Controls
3. The Technical Solutions
4. The Monitoring
5. The Testing
6. The Risk Office
P2: The Network Security Program
1. The Assets
2. The Controls
3. The Technical Solutions
4. The Monitoring
5. The Testing
6. The Risk Office
P3: The Applications Security Program
1. The Assets
2. The Controls
3. The Technical Solutions
4. The Monitoring
5. The Testing
6. The Risk Office
P4: The Crown Jewels Program
1. The Assets
2. The Controls
3. The Technical Solutions
4. The Monitoring
5. The Testing
6. The Risk Office
The Program Mapping
- Unmanaged asset groups (program input)
- Cyber attack chain: steps 1 through 7, spanning before the attack, during the attack and after the attack
- NIST controls framework: Identify, Protect, Detect, Respond, Recover
- Controls standards: management controls (ISO 27001:2013); operations controls (ISO 27001:2013); technical controls (Council on CyberSecurity CSC)
- Technologies & services
- Continuous monitoring: asset, software, configuration monitoring; threat & vulnerability monitoring; netflow, packet, event monitoring
- Assessments & testing: controls / risk assessment; technology / services assessment; operations assessment
- Managed asset groups (program output): Managed Systems Family, Managed Networks Family, Managed Applications Family, Managed Crown Jewels
The Maturity Scorecard: The Current Profile
[Chart: Controls Maturity (0%, 25%, 50%, 75%, 100%) plotted for each of the 20 Critical Security Controls, with one series each for P1: Systems Security Program, P2: Network Security Program and P3: Application Security Program, and a candidate Target Score line at 75%.]
Note: Target Score (by control) and implementation timeline (by control) to be determined.
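The scorecard above and the CSC-to-CSF mapping in "How the Controls Work (Part 2)" fit together: a maturity score per control gives the Current Profile, the shortfall against the target gives the roadmap order, and the mapping rolls the same scores up to the five CSF Functions. The following is an added example, not material from the original deck. The sub-control counts are the CSC v6.0 figures on the controls slide and the Function mapping is read from the mapping slide (CSC-19's RP is taken as Response Planning, an assumption); the assessment data is constructed, and the status weights and the 75% target are assumptions for the illustration, since the deck leaves the per-control target to be determined.

```python
"""Maturity scorecard for the 20 Critical Security Controls, rolled up to CSF Functions.

Added example, not from the original presentation. Sub-control counts are the CSC v6.0
figures listed on the controls slide; the CSC-to-Function mapping is read from the
"How the Controls Work (Part 2)" slide. The assessment data below is constructed, and the
status weights and target score are assumptions (the deck leaves the target to be determined).
"""

# Number of sub-controls per CSC (CIS Critical Security Controls v6.0).
SUBCONTROL_COUNT = {1: 6, 2: 4, 3: 7, 4: 8, 5: 9, 6: 6, 7: 8, 8: 6, 9: 6, 10: 4,
                    11: 7, 12: 10, 13: 9, 14: 7, 15: 9, 16: 14, 17: 5, 18: 9, 19: 7, 20: 8}

# CSF Functions each CSC maps to. CSC-19's "RP" is read as Response Planning (Respond): an assumption.
CSC_TO_FUNCTIONS = {
    1: ["Identify"], 2: ["Identify"], 3: ["Protect"], 4: ["Identify", "Detect", "Respond"],
    5: ["Protect"], 6: ["Detect", "Respond"], 7: ["Protect"], 8: ["Protect", "Detect"],
    9: ["Protect"], 10: ["Recover"], 11: ["Protect"], 12: ["Detect"], 13: ["Protect"],
    14: ["Protect"], 15: ["Protect"], 16: ["Protect", "Detect"], 17: ["Protect"],
    18: ["Protect"], 19: ["Detect", "Respond"], 20: ["Respond", "Recover"],
}

STATUS_WEIGHT = {"implemented": 1.0, "partial": 0.5, "missing": 0.0}  # assumed weights
TARGET_SCORE = 0.75                                                   # the 75% line on the chart
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


def control_maturity(csc: int, statuses) -> float:
    """Maturity of one CSC: weighted sub-control statuses divided by its sub-control count."""
    expected = SUBCONTROL_COUNT[csc]
    if len(statuses) != expected:
        raise ValueError(f"CSC-{csc:02d} has {expected} sub-controls, got {len(statuses)} statuses")
    return sum(STATUS_WEIGHT[s] for s in statuses) / expected


def scorecard(assessment: dict) -> dict:
    """assessment: {csc: [status per sub-control]}. Unassessed controls score 0 (nothing evidenced)."""
    return {csc: control_maturity(csc, assessment[csc]) if csc in assessment else 0.0
            for csc in SUBCONTROL_COUNT}


def gaps(scores: dict, target: float = TARGET_SCORE) -> list:
    """Controls below target as (csc, shortfall), largest shortfall first: the roadmap order."""
    below = [(csc, target - m) for csc, m in scores.items() if m < target]
    return sorted(below, key=lambda item: (-item[1], item[0]))


def function_rollup(scores: dict) -> dict:
    """Mean maturity of the controls mapped to each CSF Function (a CSC counts in every Function it maps to)."""
    per_function = {f: [] for f in FUNCTIONS}
    for csc, maturity in scores.items():
        for f in CSC_TO_FUNCTIONS[csc]:
            per_function[f].append(maturity)
    return {f: sum(values) / len(values) for f, values in per_function.items()}


# Constructed sample assessment: only six controls have been evidenced so far.
SAMPLE_ASSESSMENT = {
    1: ["implemented"] * 4 + ["partial"] * 2,                 # device inventory, 5/6
    2: ["implemented", "implemented", "partial", "missing"],   # software inventory, 2.5/4
    4: ["implemented"] * 8,                                    # vulnerability management, 8/8
    5: ["partial"] * 9,                                        # admin privileges, 4.5/9
    10: ["implemented"] * 4,                                   # data recovery, 4/4
    12: ["implemented"] * 8 + ["missing"] * 2,                 # boundary defense, 8/10
}

if __name__ == "__main__":
    scores = scorecard(SAMPLE_ASSESSMENT)
    for csc, maturity in scores.items():
        print(f"CSC-{csc:02d} {maturity:5.0%} {'#' * int(maturity * 20)}")
    print("Roadmap order:", [(f"CSC-{c:02d}", round(g, 3)) for c, g in gaps(scores)])
    print("By CSF Function:", {f: round(v, 3) for f, v in function_rollup(scores).items()})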
The Program Roadmap
Priority | Summary of Findings / Recommendations | Critical Security Control Mapping | Implementation Start
1 | Review and update the network architecture as needed, based on the Palo Alto recommendation. | CSC-12: Boundary Defense | Q1 2016
2 | Fully utilize endpoint management, the SIEM and the vulnerability scanner to establish a device inventory, a software inventory and standard device configurations. Implement two-factor authentication, a jump box and a log management program (SIEM) for privileged accounts. Consider purchasing a SIEM or subscribing to managed security monitoring services for device monitoring. | CSC-01: Inventory of Authorized and Unauthorized Devices; CSC-02: Inventory of Authorized and Unauthorized Software; CSC-03: Secure Configuration of Endpoints, Servers, etc.; CSC-05: Controlled Use of Administrative Privileges; CSC-06: Maintenance, Monitoring and Analysis of Audit Logs; CSC-11: Secure Configuration of Network Devices | Q2 2016
3 | Use a DLP solution to locate, classify, manage and remove PII and critical business data. | CSC-13: Data Protection | Q2 2016
4 | Implement a threat and vulnerability management program and a log management program (SIEM). Block known C2 domains via DNS restrictions (next-generation firewall). Implement malicious URL filtering (next-generation firewall). Limit the use of ports, protocols and services to only those that are necessary (verified by port scanning). | CSC-04: Continuous Vulnerability Assessment & Remediation; CSC-08: Malware Defenses; CSC-09: Limitation and Control of Ports, Protocols, Services | Q4 2016
5 | Implement a formal security awareness and security skills assessment program. | CSC-17: Security Skills Assessment and Appropriate Training | Q4 2016
6 | Establish, document, implement and maintain an incident response and forensics program. | CSC-19: Incident Response and Management | Q4 2016
UMASS Cybersecurity Services
No. | Cybersecurity Service | Service Description
1 | Threat and Vulnerability Management Practice | Provide our customers with the latest threat and vulnerability intelligence through collaboration and sharing with our service partners.
2 | Cybersecurity Program Design and Build Service | Help our customers design, implement and maintain their cybersecurity program based on the NIST Cybersecurity Framework and the 20 Critical Security Controls.
3 | Cybersecurity Operations and Incident Response Service | Provide 24x7 continuous security monitoring, alerting and escalation, ensuring incidents are detected, investigated, communicated, remediated and reported.
4 | Cybersecurity Risk Management Practice | To be defined; possibly based on the DHS Cyber Resilience Review.
5 | Cybersecurity Education, Training, Awareness | Includes CAE-2Y, CAE-4Y, CAE-R, industry certification training (with ISACA and ISC2), Designing and Building a Cybersecurity Program based on the NIST Framework, and cybersecurity awareness and skills training.
6 | Sponsored Projects, Testing, Student Internships | Sponsored projects from ACSC members and other industry partners, defined and delivered through a Statement of Work (SOW), using University security lab services and delivered and managed by student interns under the supervision of the University President's Office and campus IT departments.