Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Similar documents
RSA NetWitness Suite Respond in Minutes, Not Months

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

RSA INCIDENT RESPONSE SERVICES

Sustainable Security Operations

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

RSA INCIDENT RESPONSE SERVICES

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

White Paper. View cyber and mission-critical data in one dashboard

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

RiskSense Attack Surface Validation for IoT Systems

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Continuous protection to reduce risk and maintain production availability

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

align security instill confidence

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

NEXT GENERATION SECURITY OPERATIONS CENTER

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

MITIGATE CYBER ATTACK RISK

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Symantec Security Monitoring Services

Managed Endpoint Defense

CYBER RESILIENCE & INCIDENT RESPONSE

locuz.com SOC Services

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

MATURE YOUR CYBER DEFENSE OPERATIONS with Accenture s SIEM Transformation Services

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

C T I A CERTIFIED THREAT INTELLIGENCE ANALYST. EC-Council PROGRAM BROCHURE. Certified Threat Intelligence Analyst 1. Certified

Are we breached? Deloitte's Cyber Threat Hunting

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

Transforming Security from Defense in Depth to Comprehensive Security Assurance

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Accelerate Your Enterprise Private Cloud Initiative

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

Evolving the Security Strategy for Growth. Eric Schlesinger Global Director and CISO Polaris Alpha

CA Security Management

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

Incident Response Services

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

SIEM Solutions from McAfee

RSA ADVANCED SOC SERVICES

Security Monitoring. Managed Vulnerability Services. Managed Endpoint Protection. Platform. Platform Managed Endpoint Detection and Response

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Security in India: Enabling a New Connected Era

Automating the Top 20 CIS Critical Security Controls

Cisco Start. IT solutions designed to propel your business

Securing Your Digital Transformation

What It Takes to be a CISO in 2017

CYBERSECURITY MATURITY ASSESSMENT

Ensuring System Protection throughout the Operational Lifecycle

Security. Made Smarter.

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

Industrial Defender ASM. for Automation Systems Management

SIEM: Five Requirements that Solve the Bigger Business Issues

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

THE POWER OF TECH-SAVVY BOARDS:

Nebraska CERT Conference

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

INTELLIGENCE DRIVEN GRC FOR SECURITY

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

deep (i) the most advanced solution for managed security services

Copyright 2016 EMC Corporation. All rights reserved.

Vulnerability Assessments and Penetration Testing

FOR FINANCIAL SERVICES ORGANIZATIONS

TRUE SECURITY-AS-A-SERVICE

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Why you should adopt the NIST Cybersecurity Framework

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

CYBER SOLUTIONS & THREAT INTELLIGENCE

Security by Default: Enabling Transformation Through Cyber Resilience

Reinvent Your 2013 Security Management Strategy

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. Ralf Kaltenbach, Regional Director RSA Germany

Intelligent Cybersecurity for the Real World Scott Lovett Vice President, Global Security Sales

Transcription:

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported breaches provide testament to the evolving threat landscape elevating cybersecurity concerns all the way to the board room. Security executives tasked with preventing their organization from being the next victim headlining the news must evaluate the current state of their cybersecurity posture and then execute a sustainable plan to mature that posture. What does success look like? We ve outlined key considerations across thirteen key process areas with a description of an ideal 4.0 state for each domain. KEY PROCESS AREA CONSIDERATIONS IDEAL STATE / LEVEL 4 Organization and Mission ffhow is the team organized? ffwhat is the organization s overall mission? ffare there other drivers that either impact or enhance the overall mission? ffhow is the threat landscape understood across the enterprise? Executive Support ffwhat type of leadership support exists for the security organization? ffhow far up the organization does this support go? ffis there sufficient funding to support the mission of the organization? Security entities within the enterprise are established and the cybersecurity mission and vision is aligned to roles and responsibilities of personnel, securing the enterprise, and actively defending it. The threat landscape is understood by security stakeholders; and creating, understanding, analyzing, and leveraging threat intelligence of broad-based and sophisticated Advanced Persistent Threats (APTs) is executed to defend the enterprise against such threats. Management has a full understanding of the threats and how the associated risk affects the organization, driving elements of governance and risk management. Management has an established trust with the security organization and has empowered them to implement critical mitigations in real-time. Financial and technical support is aligned with mission and threat profile. There is adequate balance of business impact and security need. 2

Architecture and Engineering ffhow is the perimeter protected? ffare all entry points known and documented? ffwhat are the drivers for the perimeter protection strategy? ffdoes the enterprise have a cloud strategy aligned to internal capabilities? ffdoes architecture direct and implement a thorough network segmentation model? ffhow are network and endpoint infrastructure baselines hardened and maintained? Security Technology ffare network malware detonation tools a part of security operations? ffhow is network intrusion detection and prevention leveraged? ffis Full Packet Capture used for historical network analysis? ffwhat capabilities are in place for email hygiene and malware analysis? ffhow is web traffic controlled, both for inbound services and outbound connectivity? ffwhat are the drivers for the endpoint protection strategy? ffwho has admin access to the endpoints and host devices? ffwhat is the strategy for implementing protections? The network and perimeter security strategy includes best practices and regulatory requirements driven by a holistic understanding of the adversary Tactics, Techniques, and Procedures (TTPs) and emerging threat intelligence. Organization possesses a comprehensive understanding of the network topology, boundaries, and security controls thorough documentation and technical mechanisms, providing observation of key network flows across the perimeter and throughout the enterprise. Perimeter devices are tightly integrated with enterprise log collection and management capabilities, policies and rule-based controls are dynamic and tailored to specific threats, and there is multi-level analysis of all cross-perimeter traffic flows. Foundational endpoint management practices and hardening are defined and operationalized for all systems and broad-based vulnerabilities are minimized to reduce threat vectors. For cloud footprints, parallel capabilities for detection and response are established and standardized under the enterprise framework. Network, email, web, and endpoint security tools are deployed with visibility, detection, and prevention factors used to drive decisions. Security solutions protect both external connectivity and internal network segments from attackers. Assets are balanced between Commercial Off-the-Shelf (COTS) technology and custom capabilities to address broad-based and advanced attackers. 3

Enterprise User Awareness ffwhat user training and awareness programs exist? ffare they general in nature or focused on specific threats? ffwhat metrics are captured from awareness and training initiatives? Enterprise Visibility and Monitoring ffhow is network visibility achieved? ffis the security team aware of all network boundaries and enclaves? ffwhat types of detections occur? ffwhat are the detections based on? ffwhere do the indicators for these detections come from? ffare the indicators used as-is or customized to the specific network topology? ffwhat occurs when a detection triggers? ffis the action manual or automatic? ffwhat is done when a false positive detection occurs? ffwhat types of logs are kept? ffwhat is the retention policy? ffhow are the logs managed? ffwho has immediate access to log data? ffare the logs stored centrally or distributed? ffhow are the logs correlated? Malware Analysis ffis malware analysis performed on suspected malware? ffis the analysis performed in-house within the organization, outsourced to a different organization, or externally? ffwhat are the malware analysis capabilities of the analysts? In a mature, intelligence-enabled organization, training initiatives and campaigns include general awareness, compliance, and focused training based on observed attack activity. High-risk users receive specific training to help them identify potential adversarial activity and avoid risky behaviors. Finally, proactive testing of the user base is performed, producing metrics that gauge the training program s effectiveness at increasing user awareness and the overall security posture. Enterprise has a log management strategy with comprehensive visibility into network and system assets. Use cases are defined for audit, compliance, and operations. Historical and real-time use cases specific to defending the enterprise are defined and prioritized. Visibility provides complete situational awareness of the enterprise networks and observes and tracks adversarial activity. Enterprise detection capabilities are identified, configured, and assessed based on emerging threat intelligence. Detections go beyond traditional alerts and include correlations between disparate technologies and external threat intelligence. Maturity of detection technologies and processes is measured via detailed metrics and proactive testing. Log and event data from security controls, infrastructure devices, endpoints, and applications are collected, aggregated in a central location, and correlated against threat intelligence feeds providing enhanced detection capabilities and detailed situational awareness. Event data is readily accessible to the team tasked with monitoring and responding to alerts, enabling rapid event reconstruction and historical analysis. Malware analysis and reverse engineering is critical during incident investigations to understand fully the adversary s TTPs and intentions. Includes a malware analysis function whose primary responsibility is to derive intelligence by decomposing malware artifacts and populating the intelligence management system with all discovered intelligence and indicators of compromise. Malware analysts should be integrated with Investigation Teams but able to focus on the primary mission of extracting indicators from capture malware samples. 4

Response and Mitigations ffis host based forensics performed on compromised assets? ffis network-based forensics performed on compromised assets? ffis the forensics performed in-house within the organization, outsourced to a different organization, or externally? ffwhat are the forensics capabilities of the analysts? ffwhat types of mitigations are used? ffwhere and how are the mitigations used? ffare the mitigations customized and/or configured to the specific network topology? ffonce a mitigation is put in place, are there periodic reviews to see if it is still applicable or useful? Analysis Process and Skills ffis there a consistent methodology that is followed when performing computer network defense? ffwhat is the process? ffwhat occurs after an adversary is stopped? ffwhat information is collected from successful intrusions? ffdo the analysts know and understand the individual adversaries? ffdo the analysts follow an analysis methodology? ffdo the analysts understand the topology of the network being defended? Proactive incident response plays a critical part in event investigations and actions taken as a result. Execute consistent processes and procedures tailored to attack vectors and the organization's threat exposure producing a significant opportunity for application and extraction of threat intelligence. Extract indicators from compromised assets and network flows to leverage network and host-based forensics, in conjunction with a structured analysis framework, allows analysts to fully decompose the attack and gain insight into the adversary s TTPs and intent. Enterprise mitigations and countermeasures are identified, selected, and assessed based on emerging threat intelligence, and thorough understanding of the adversary. Threat intelligence framework is leveraged to proactively implement mitigations before attacks occur and ensure mitigations against each step of the adversary s attack. Effectiveness of these mitigations is measured via detailed metrics and proactive testing. Mitigation processes include analysis of opportunities to increase situational awareness and produce further threat intelligence. Common and specialty skill sets are balanced across the team, aligned to the core functions of security operations, including threat monitoring, network and system forensics, incident response, threat intelligence specialization, malware reverse engineering, signature creation, coding and scripting, etc. Analysis is performed within an established analysis framework, which facilitates threat intelligence through the discovery and documentation of each stage of the adversary s TTPs observed during an incident. A formalized analysis process is followed by each member of the Detection and Response Team and continues after the adversary has been stopped. Each analyst fully understands the organization s threat intelligence mission and leverages a common framework during analysis activities. A common understanding of adversary TTPs is shared among the team and evolves through production and dissemination of threat intelligence. Each analyst is able to gather, document, and communicate incident data to the team and partners, and possesses a strong understanding of the enterprise and how specific threats affect risk. 5

Defender Operations ffwhat types of capabilities are in place to drive automation and orchestration? ffare network defender tools and data isolated and controlled from the rest of the enterprise? ffhow is the network defense team structured? ffare there formally defined analyst roles, responsibilities, and onboarding plans to support analyst training and growth? ffare there longer term security projects and initiatives that cross sub-organizational boundaries? ffhow are these initiatives identified, funded, and managed? ffhow are the initiatives aligned to the current threat? Intelligence Management ffwhat type of intelligence is received from internal and external sources? ffhow is received intelligence tagged/labeled? ffhow is intelligence searched? ffhow is the intelligence information managed? ffhow is the intelligence utilized? ffwhat type of collaboration occurs:»» within the organization?»» with industry peers?»»...with government and/or intelligence community? ffwhat types of information sharing agreements are in place? ffwhat tools exist to help facilitate sharing? 24x7 dedicated monitoring and response analysts who fulfill the mission of computer network defense. Analysts work collaboratively with other teams through defined communications to support foundational and advanced capabilities necessary to provide an agile response to the ever-changing threat. This includes external partnerships to bi-directionally share cyber best practices and threat intelligence. Cybersecurity workforce management focused on establishing and maintaining onboarding plans, training and growth plans, procedures, and workflows to build up and maintain cybersecurity talent. To effectively deploy large-scale security capabilities across the enterprise aligned with emerging threats and recognized gaps, organizations must include a mechanism for capturing, tracking, and communicating enterprise security strategies and initiatives. Roadmaps, projects, and proposed capabilities are evaluated and prioritized against intelligence of attack trends, adversary TTPs, and identified weaknesses in the enterprise security posture. Process is formalized, documented, and accessible so each member of the team can understand the current posture and make informed decisions and recommendations. Assimilate both internal and external intelligence in a central repository that is easily searchable and accessible by the security team. Analysts can fuse intelligence from disparate incidents into Campaigns that identify broader actor trends. Utilizes available metadata to gain intelligence. Utilizes internal and partner intelligence and detections beyond what has already occurred to predict what may happen and build additional defenses. Significant internal and external collaboration resulting in detailed situational awareness. Established collaboration agreements and personal relationships to gain intelligence that can be fused with internal data. An industry leader that is sought out for opinion and analysis. Tools, technology, and facilities that enable effective collaboration among team members and with the rest of the organization. Structured framework to ensure pertinent information is exchanged and captured. 6

Metrics and Measuring Success ffwhat types of metrics are captured? ffwhat analysis is performed on the metrics? ffhow are the metrics and analysis used? ffhow well do the metrics and analysis reflect what is happening with the system? Supporting Programs ffhow are assets identified, tracked, and decommissioned as part of a system development lifecycle? ffis a comprehensive vulnerability management program in place to identify, track, and remediate weaknesses within the organization? ffwhat security testing programs or policies exist? ffdoes a dedicated insider risk program exist? ffdoes physical security defenses integrate with logical network strategies? Uses metrics to understand the effectiveness of deployed detections and mitigations and to identify gaps in the security posture. Metrics are meaningful at all levels of the security organization and provide alignment of defenses with emerging threats, identify opportunity for efficiency and provide validation of security investment. A matrix that tracks effectiveness of deployed mitigations against specific known adversary TTPs only becomes possible once an organization advances maturity in many of the other domains measured in this assessment. Foundational security programs are crucial to the success of securing the enterprise, so defending the enterprise is more effective and focused. Dedicated entities and programs have direct correlations with cybersecurity including areas such as asset management, vulnerability management, assessments and security testing, insider risk, and physical security. Above and beyond industry best practices and compliance-driven security programs, our Unified Enterprise Defense framework has proven successful and been adopted by network defenders around the globe. An evaluation like no other, the Leidos Cyber Defense Maturity Evaluation considers the how rather than the what, helping organizations engineer and align themselves to defend, sustain, and outpace evolving attackers. Talk to a cybersecurity expert today! 7

XX-LH:V0 FOR MORE INFORMATION 855-56-CYBER / cyber.security@leidos.com cyber.leidos.com Leidos. All Rights Reserved. / 17-LEIDOS-0703-1783

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback