How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity
Why is the NIST framework important?
GOH Seow Hiong, Executive Director, Global Policy & Government Affairs, Asia Pacific, Cisco Systems
December 2017
As board members:
- Does your company's management report to the Board on cybersecurity? Regularly?
- Do you know when the latest breach in the company was?
- Do you know the damage from the last breach?
- Do you know the extent of the breach?
THE EVOLVING THREAT LANDSCAPE
What threats do I face?
Security Challenges
- Evolving business needs: changing regulations and business models; widening IT/Board communication gap
- Dynamic threat landscape: growing attack surface; more threat actors; increasing attack sophistication
- Complexity and fragmentation: fragmented security; not interoperable; not open
- Shortage of cyber security experts: talent crunch; niche security skills; increased costs
THE BIGGEST PROBLEM
Do I know if I've been compromised?
Cyber attack: not if, but when.
Source: Verizon 2012 Data Breach Investigations Report
Whack-a-mole Approach
Recognizing Malware is Difficult and Not Enough
How easy is it to breach?
MY IT GUYS ARE ON IT!
How are they managing security?
Management Nightmare
Complexity is a Significant Obstacle to Security

Business constraints (change from 2015 in brackets):
- Budget: 35% (-4%)
- Compatibility issues: 28% (-4%)
- Lack of trained personnel: 25% (+3%)
- Certification requirements: 25% (+/-0%)

Number of security vendors in use, 2016 (n=2,850): 1-5 (45%), 6-10 (29%), 11-20 (18%), 21-50 (7%), over 50 (3%).
55% of organizations use 6 to >50 security vendors.

Number of security products in use, 2016 (n=2,860): 1-5 (35%), 6-10 (29%), 11-20 (21%), 21-50 (11%), over 50 (6%).
65% of organizations use 6 to >50 security products.
Device enrollment challenges await.
- 374 new devices per second
- 10 min to connect and define policy
- 7.8 person-days of effort per second
- 245.8M person-days of effort per year
How to deal with the challenges? A holistic, not piecemeal, approach.
Evolution of defensive tactics: medieval defense vs. modern defense
Analogy with airport security (airport step: Cisco component)
- Identity check: AnyConnect
- No entry for unauthorized: OpenDNS
- Boarding pass: ISE
- Security inspection: Firepower/AMP
- Immigration check: ASA
- Luggage check: ESA/WSA
- Luggage check-in: Talos
- Isolates electronic device: ThreatGrid
- Boarding on plane: TrustSec
- Security check: StealthWatch
Effective security requires integrated threat defense
- Firewall and security infrastructure
- Leverage the network
- Advanced threat intelligence
- Governance processes
Before, during and after an attack.
NIST Cybersecurity Framework
- Voluntary, open, transparent drafting process
- Voluntary, consensus-based standards leveraged
- Voluntary use of the Framework by the private sector
- Input to regulation & government procurement
NIST Cybersecurity Framework: the five functions and their categories
- Identify: Asset management; Business environment; Governance; Risk assessment; Risk management strategy
- Protect: Access control; Awareness training; Data security; Information protection processes & procedures; Protective technology
- Detect: Anomalies and events; Security continuous monitoring; Detection processes
- Respond: Response planning; Communications; Analysis; Mitigation; Improvements
- Recover: Recovery planning; Improvements; Communications
How do I measure?
Metrics
Metrics
- Mean time to detect
- Mean time to contain
- Mean time to recovery
Does your management measure these?
Detection is key
- Current average time-to-detect: 100-200 days
- Cisco in 2015: time-to-detect at 2 days
- Today: Cisco time-to-detect at 6 hours
Cisco in independent tests (NSS):
- 70% of breaches detected in < 1 min
- 90% of breaches within 3 minutes
- 99% detection within 6 hours
- 100% in 24 hours
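As an added illustration (not part of the deck), the following Python computes the three board metrics from the previous slide, mean time to detect, contain and recover, from per-incident timelines, and the share of incidents detected within thresholds like the 1 minute / 3 minutes / 6 hours / 24 hours bands quoted above. The incident records are constructed sample data; the median is reported next to the mean because a single long-undetected intrusion can pull the mean far from the typical case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass
class Incident:
    """Timeline of one incident; all timestamps UTC, taken from the IR record."""
    name: str
    compromised: datetime  # first attacker foothold, established by forensics
    detected: datetime     # first alert or report triaged as a true positive
    contained: datetime    # attacker access cut off
    recovered: datetime    # affected services back to normal operation

    def time_to_detect(self) -> timedelta:
        return self.detected - self.compromised

    def time_to_contain(self) -> timedelta:
        return self.contained - self.detected

    def time_to_recover(self) -> timedelta:
        return self.recovered - self.contained


def _hours(deltas):
    return [d.total_seconds() / 3600 for d in deltas]


def board_metrics(incidents):
    """Mean time to detect/contain/recover in hours, plus median time to detect."""
    ttd = _hours(i.time_to_detect() for i in incidents)
    ttc = _hours(i.time_to_contain() for i in incidents)
    ttr = _hours(i.time_to_recover() for i in incidents)
    return {"mttd_hours": mean(ttd), "median_ttd_hours": median(ttd),
            "mttc_hours": mean(ttc), "mttr_hours": mean(ttr)}


def detected_within(incidents, limit: timedelta) -> float:
    """Fraction of incidents detected within `limit` of initial compromise."""
    return sum(1 for i in incidents if i.time_to_detect() <= limit) / len(incidents)


# Constructed sample incidents (illustrative only, not real data).
T = datetime.fromisoformat
SAMPLE_INCIDENTS = [
    Incident("phish-1", T("2017-03-01T09:00"), T("2017-03-01T09:01"), T("2017-03-01T10:01"), T("2017-03-01T13:01")),
    Incident("malware-2", T("2017-04-10T08:00"), T("2017-04-10T08:03"), T("2017-04-10T10:03"), T("2017-04-11T10:03")),
    Incident("webshell-3", T("2017-05-05T00:00"), T("2017-05-05T06:00"), T("2017-05-05T18:00"), T("2017-05-07T06:00")),
    Incident("insider-4", T("2017-06-01T00:00"), T("2017-06-02T00:00"), T("2017-06-03T00:00"), T("2017-06-06T00:00")),
    Incident("apt-5", T("2017-01-01T00:00"), T("2017-05-01T00:00"), T("2017-05-03T00:00"), T("2017-05-10T00:00")),  # 120 days undetected
]

if __name__ == "__main__":
    print(board_metrics(SAMPLE_INCIDENTS))
    for limit in (timedelta(minutes=1), timedelta(minutes=3), timedelta(hours=6), timedelta(hours=24)):
        print(f"detected within {limit}: {detected_within(SAMPLE_INCIDENTS, limit):.0%}")
```

With the sample set, one 120-day intrusion drives the mean time to detect to roughly 582 hours while the median stays at 6 hours, which is why the percentage-within-threshold view matters alongside the averages.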
Looking forward
Collaborating with partners
- Governments
- International bodies
- Private sector and customers
Cisco THREAT INTEL

Per day:
- 1.5 MILLION daily malware samples
- 20 BILLION threats blocked (*Google: 3.5B searches/day)
- 600 BILLION daily email messages, 86% spam
- 16 BILLION daily web requests

Sources: 250+ full-time threat intel researchers; internet-wide scanning; product telemetry; vulnerability discovery (internal); open source communities; honeypots; MILLIONS of telemetry agents; 4 global data centers; 1100+ threat traps.

INTEL SHARING: customer data sharing programs; industry sharing partnerships (ISACs), 500+ participants; 3rd party programs (MAPP); service provider coordination program; open source intel sharing; 100+ threat intelligence partners.
Address the Entire Attack Continuum
- Before: Discover, Enforce, Harden
- During: Detect, Block, Defend
- After: Scope, Contain, Remediate
Across network, endpoint, mobile, virtual and cloud.
Network as a sensor; network as an enforcer.
Total visibility + minimum time to detect + fast containment.
Security is a Journey, Not a Destination
- Risk-based decisions
- People + processes + technology
- Ongoing self-examination
- Continuous improvement
- Dynamic threats
- Complexity is the enemy
Email: shgoh@cisco.com