Acalvio Deception and the NIST Cybersecurity Framework 1.1

Similar documents
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Opportunities (a.k.a challenges) Interfaces Governance Security boundaries expanded Legacy systems New application Compliance

How to Align with the NIST Cybersecurity Framework

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

Securing an IT. Governance, Risk. Management, and Audit

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

Cyber Information Sharing

Framework for Improving Critical Infrastructure Cybersecurity

NIST Cybersecurity Framework Based Written Information Security Program (WISP)

NIST (NCF) & GDPR to Microsoft Technologies MAP

Cybersecurity Framework Manufacturing Profile

Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA

Designing & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)

In support of this, the Coalition intends to host an event bringing together government and private sector leaders and experts to further discuss this

Framework for Improving Critical Infrastructure Cybersecurity

NIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

The CIS Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can

ISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a)

Cyber Bounty Hunter. Key capabilities of today s. Renault Ross CISSP,MCSE,VCP5,CHSS Distinguished Engineer Chief Security Business Strategist

Cloud Threat Defense. Cloud Security Buyer s Guide Based on the. NIST Cybersecurity Framework

using COBIT 5 best practices?

K12 Cybersecurity Roadmap

Responsible Care Security Code

COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

How AlienVault ICS SIEM Supports Compliance with CFATS

Why you should adopt the NIST Cybersecurity Framework

Track 4A: NIST Workshop

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Mapping and Auditing Your DevOps Systems

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Assurance over Cybersecurity using COBIT 5

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Oil & Natural Gas Third Party Collaboration IT Security NIST Profile API ITSS Third Party Collaboration IT Security Workgroup

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

NCSF Foundation Certification

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Kent Landfield, Director Standards and Technology Policy

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Framework for Improving Critical Infrastructure Cybersecurity

Effectively Measuring Cybersecurity Improvement: A CSF Use Case

Framework for Improving Critical Infrastructure Cybersecurity

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Designing and Building a Cybersecurity Program

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

ESG Lab Review High-fidelity Breach Detection with Acalvio Autonomous Deception

SIEM: Five Requirements that Solve the Bigger Business Issues

Automating the Top 20 CIS Critical Security Controls

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Cyber Resilience. Think18. Felicity March IBM Corporation

Using Metrics to Gain Management Support for Cyber Security Initiatives

CYBERSECURITY MATURITY ASSESSMENT

RSA NetWitness Suite Respond in Minutes, Not Months

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

The Art and Science of Deception Empowering Response Actions and Threat Intelligence

RSA INCIDENT RESPONSE SERVICES

Appendix A. Syllabus. NIST Cybersecurity Foundation. Syllabus. Status: First Draft

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

AND FINANCIAL CYBER FRAUD INSTITUTIONS FROM. Solution Brief PROTECTING BANKING

Cylance Axiom Alliances Program

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

RSA INCIDENT RESPONSE SERVICES

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

Trustwave Managed Security Testing

American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment

RiskSense Attack Surface Validation for IoT Systems

Cyber security - why and how

Security Monitoring. Managed Vulnerability Services. Managed Endpoint Protection. Platform. Platform Managed Endpoint Detection and Response

Attackers Process. Compromise the Root of the Domain Network: Active Directory

SIEM Solutions from McAfee

Device Discovery for Vulnerability Assessment: Automating the Handoff

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

THE EVOLUTION OF SIEM

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

IoT & SCADA Cyber Security Services

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Introducing Cyber Observer

align security instill confidence

THE POWER OF TECH-SAVVY BOARDS:

MITIGATE CYBER ATTACK RISK

Dear Mr. Games: Please see our submission attached. With kind regards, Aaron

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Gujarat Forensic Sciences University

Cybersecurity for Health Care Providers

NCSF Foundation Certification

Best Practices in ICS Security for System Operators

Cybersecurity Today Avoid Becoming a News Headline

Overview of the Cybersecurity Framework

Transcription:

Acalvio Deception and the NIST Cybersecurity Framework 1.1 June 2018

The Framework enables organizations regardless of size, degree of cybersecurity risk, or cybersecurity sophistication to apply the principles and best practices of risk management to improving security and resilience. NIST Cybersecurity Framework 1.1, 2018 Background The NIST Cybersecurity Framework 1.1 (CSF) is being widely adopted by organizations of all types as they seek to minimize risk. The CSF provides a technology-neutral reference to define, implement, and report on cybersecurity posture. Acalvio solutions are well-suited to support the Cybersecurity Framework, in particular the requirements related to detection of threats and modeling of adversaries. NIST Cybersecurity Framework Background The NIST Cybersecurity Framework provides an approach to prioritize cybersecurity resources, make risk decisions, and take action to reduce risk. It was originally designed to be applied by operators of critical national infrastructure. However with technology becoming ubiquitous across industry sectors, organizations of all types are now leveraging the Framework to better organize, prioritize, and justify their IT security efforts. The CSF avoids specifying technologies to be deployed to minimize risk, and instead focuses on processes and outcomes. That is, it speaks to how an organization should approach cyber risk management, and enumerates activities that are likely to produce desired states corresponding to acceptable risk levels. The Framework is composed of three parts: Highlights The NIST Cyber Security Framework (CSF) provides a reference for building and executing an InfoSec security policy and control set. Although originally created for critical national infrastructure, the CSF is now applied broadly across numerous industry segments. Acalvio ShadowPlex supports 14 NIST CSF controls, especially those related to detection and threat characterization. Acalvio meets the NIST CSF detection and response requirements in a more cost-effective and operationally efficient manner than alternative approaches. Core: The key element of the Framework, the Core is a list of cybersecurity activities and controls that are relevant across all industries. Implementation Tiers: A set of four levels of rigor controls may be applied, ranging from Partial to Adaptive. Organizations should select the tier appropriate to the risks associated with the relevant assets, processes, or data being protected. ACALVIO TECHNOLOGIES Whitepaper l 1

Profiles: In the context of the CSF, a profile is a description of the state of cybersecurity controls across a subset of the organization s environment. It combines business requirements, risk tolerance, and resources with the Core controls. The CSF encourages the creation of both Current and Desired Profiles, so that a gap analysis can be performed to drive the roadmap for achieving the desired risk posture. Unlike the core controls and tiers, profiles are not explicitly defined in the CSF, but are created by the organization as it executes the framework. An organization may have multiple profiles, to reflect the variety of internal assets and the risk profile and resources associated with each. While compliance with the CSF is voluntary, adopting the framework establishes a solid and defensible basis for claiming a reasonable level of attention and diligence with respect to information security. Using the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment. NIST Cybersecurity Framework 1.1, 2018 Overview of CSF Core Controls The NIST Cybersecurity Framework 1.1 Core controls are organized into five Functions or high level outcomes: Identify, Protect, Detect, Respond, and Recover. Within these five functions are a total of 23 activity Categories, under which numerous activities and controls ( Subcategories ) are listed. The intent is that organizations will evaluate each of the controls within the Core against their assets and risk tolerance to arrive at their desired cybersecurity posture. Function Unique Identifier Function Category Unique Identifier ID.AM ID.BE ID.GV ID.RA ID.RM ID.SC Category Asset Management Business Environment ID Identify Governance Risk Assessment Risk Management Strategy Supply Chain Risk Management PR.AC Identity Management and Access Control PR.AT Awareness and Training PR.DS Data Security PR Protect Information Protection Processes and PR.IP Procedures PR.MA Maintenance PR.PT Protective Technology DE Detect DE.AE Anomalies and Events ACALVIO TECHNOLOGIES Whitepaper l 2

Function Unique Identifier RS RC Function Respond Recover Category Unique Identifier DE.CM DE.DP RS.RP RS.CO RS.AN RS.MI RS.IM RC.RP RC.IM RC.CO Category Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications The NIST Cybersecurity Framework - Core Functions and Categories Acalvio Support for NIST Cybersecurity Framework Acalvio s ShadowPlex Distributed Deception Platform is extremely well suited to supports the goals of the NIST Cybersecurity Framework. Acalvio delivers Fast and accurate incident detection Adversary engagement and forensics Threat response to retard attack propagation Like the CSF, Acalvio starts with the premise that attacks will not just be initiated from outside the perimeter, but will be successful in penetrating the network. The key elements of the CSF are focused on detecting such events, which is exactly what Acalvio does. In fact it is difficult to imagine an effective CSF implementation without Acalvio, because there will otherwise inevitably be blind spots due to lack of complete coverage of possible attack methods and vectors. A crucial aspect of threat detection in the NIST Framework is speed. It is well understood that most attacks go undetected for weeks or months, allowing the adversary to do significant damage before there is any response or mitigation. It is also well documented that most attacks do leave some form of forensic trail behind the problem is that these clues are not obvious, and are drowned out in a sea of uncorrelated events and data. Acalvio solves this problem: events detected by ShadowPlex are very likely related to actual attacks, because the platform assets serve no legitimate purpose. This enables the rapid response essential to execute effective response and mitigation. Implementing Acalvio protects key assets by containing and controller the attacker early in the kill chain. Acalvio deception-based detection is superior to alternative approaches such as behavioral analytics because it is both more accurate (few false positives) and more efficient and easier to deploy. Furthermore, what separates Acalvio from all other detection solutions is operational efficiency at scale. Acalvio s technology supports broad application across the internal estate, while minimizing ACALVIO TECHNOLOGIES Whitepaper l 3

both capital and ongoing expenses and effort. Legacy Deception 1.0 honeypot solutions simply cannot be scaled or operated easily. Organizations do not have unlimited budgets for implementing cyber security, and the more efficiently they can deploy funds, the more effectively they can build a robust defensive architecture. Acalvio is also relevant in the Response and Recovery portions of the CSF. ShadowPlex includes services that can contain an attacker within a constrained environment where he cannot access production assets. It can also deploy fake but attractive assets (e.g. file shares) that obfuscate valuable data and retard an attacker s progress. The table below summarizes Acalvio s support for the NIST Cybersecurity Framework 1.1 controls. Acalvio supports 14 of the NIST CSF subcategories or controls, including four of the five high-level Functions. As Acalvio is primarily a detection solution, the major of support is in the Detect function, however controls are also supported in the Identify, Respond, and Recovery functional areas. NIST CSF 1.1 Subcategory (Control) Identify (ID) ID.RA-3: Threats, both internal and external, are identified and documented. ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk Detect (DE) DE.AE-2: Detected events are analyzed to understand attack targets and methods Acalvio ShadowPlex Support Using Deception 2.0 breadcrumbs and lures, Acalvio detects attacker activity in systems, servers and endpoints. Acalvio is also able to detect such activity through attempted communication to Acalvio decoys. Full documentation of attack actions and methods is automatically gathered. Based on those inputs detailed forensic information is obtained through deep engagement of the attacker's identity, techniques and motives. Acalvio delivers network-wide data related to device inventory and real-time threat activity, allowing organizations to assess both likelihood and potential impact. Acalvio collects and correlates event data from honeypot services (variable interaction decoys); root cause analysis (through attacker engagement and full stack decoys); incident forensics and packet analysis (deep engagement). Fluid Deception delivers highly credible decoys; breadcrumbs are monitored using advanced techniques including file entropy. ACALVIO TECHNOLOGIES Whitepaper l 4

NIST CSF 1.1 Subcategory (Control) DE.AE-3: Event data are collected and correlated from multiple sources and sensors Acalvio ShadowPlex Support Acalvio Deception Farms scale to support thousands of data sources throughout the environment. Solution integrations allow this data to be blended with other sources (e.g. SIEM) to provide a unified picture of the attack. DE.AE-5: Incident alert thresholds are established. Benchmark of normal activity across the environment is provided to determine proper alert thresholds. DE.CM-1: The network is monitored to detect potential cybersecurity events. DE.CM-4: Malicious code is detected DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed DE.DP-3: Detection processes are tested Respond (RS) RS.AN-2: The impact of the incident is understood Acalvio decoys monitor network activity to detect all unusual events that suggest compromise. ShadowPlex Reflections Engines allow specialized systems (e.g. medical or SCADA devices) to be replicated virtually to enhance realism in non-standard, high-value networks. Deception Farms technology supports broad deployments with minimal operational overhead and cost. Acalvio detects malicious code via detection of anomalous activity targeted at decoys or lures. Connections, devices, and software activity on systems are all monitored by Acalvio. Red team or Penetration exercises can leverage Acalvio capabilities and integrations to test organizational detection efficacy. Acalvio Adversary Behavior Analytics (ABA) examines an identified attack to better understand impact, including attack origination, machines compromised, and current attacker posture within the environment. Acalvio provides a complete audit trail of the attack, making it trivial to determine the earliest date of compromise. ACALVIO TECHNOLOGIES Whitepaper l 5

NIST CSF 1.1 Subcategory (Control) RS.AN-3: Forensics are performed RS.MI-1: Incidents are contained RS.MI-2: Incidents are mitigated Recovery (RC) RC.RP-1: Recovery plan is executed during or after a cybersecurity incident Acalvio ShadowPlex Support Acalvio provides detailed information of subnets and hosts affected by an attack to inform the scope of forensics. It also provides detailed forensic information through deep engagement of the attacker's identity, techniques and motives. Depending on the type of attack and level of engagement, Acalvio can determine the external addresses or domains related to the incident. The Acalvio Shadow Network, or False Apparent Network, can contain an attacker and prevent compromise of sensitive assets. Acalvio can dynamically deploy lures relevant to an attacker s methods to obfuscate sensitive assets and delay attack propagation. The Acalvio Shadow Network can be used to allow deep continuous attacker engagement during the incident, without compromising the security of production assets. Acalvio also can deploy counter measures to slow an attack and limit damage. [The Framework] is applicable to organizations relying on technology, whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT). NIST Cybersecurity Framework 1.1, 2018 ACALVIO TECHNOLOGIES Whitepaper l 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback