The New Security Heroes. Alan Paller

Similar documents
Building Secure Systems

MINIMUM SECURITY CONTROLS SUMMARY

Security Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Because Security Gives Us Freedom

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

CyberSecurity Training and Capacity Building: A Starting Point for Collaboration and Partnerships. from the most trusted name in information security

NIST Special Publication

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

SAC PA Security Frameworks - FISMA and NIST

Using Metrics to Gain Management Support for Cyber Security Initiatives

INFORMATION ASSURANCE DIRECTORATE

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

CSAM Support for C&A Transformation

AWS alignment with Motion Picture of America Association (MPAA) Content Security Best Practices Application in the Cloud

Using ACR 2 Reports. 4. Deficiency.pdf - a cross listing of missing or underperforming safeguards with risk categories for this system at this time.

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

BYOD. Transformation. Joe Leonard Director, Secure Networks. April 3, 2013

SYSTEMS ASSET MANAGEMENT POLICY

NIST CyberSecurity Framework+ Brian Ventura SANS Community Instructor ISSA Portland, Director of Education Information Security Architect, City of

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

FISMA Cybersecurity Performance Metrics and Scoring

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

ISE North America Leadership Summit and Awards

Designing and Building a Cybersecurity Program

Cybersecurity: Incident Response Short

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

INFORMATION ASSURANCE DIRECTORATE

Smart Grid Standards and Certification

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

USGv6: US Government. IPv6 Transition Activities 11/04/2010 DISCOVER THE TRUE VALUE OF TECHNOLOGY

Gujarat Forensic Sciences University

Four Deadly Traps of Using Frameworks NIST Examples

Cyber Resilience. Think18. Felicity March IBM Corporation

DOT/DHS: Joint Agency Work on Vehicle Cyber Security

Think Oslo 2018 Where Technology Meets Humanity. Oslo. Felicity March Cyber Resilience - Europe

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Evolving Cybersecurity Strategies

INFORMATION ASSURANCE DIRECTORATE

Automating the Top 20 CIS Critical Security Controls

DFARS Cyber Rule Considerations For Contractors In 2018

Cyber Attacks & Breaches It s not if, it s When

SecureTrack. Supporting SANS 20 Critical Security Controls. March

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Cybersecurity is a Team Sport

Bringing Cybersecurity to the Boardroom Bret Arsenault

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

K12 Cybersecurity Roadmap

WHO AM I? Been working in IT Security since 1992

ThaiCERT Incident Response & Phishing cases in Thailand. By Kitisak Jirawannakool Thai Computer Emergency Response team (ThaiCERT)

CloudCheckr NIST Matrix

INFORMATION ASSURANCE DIRECTORATE

UNITED STATES OF AMERICA BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, DC 20554

NY DFS Cybersecurity Regulations August 8, 2017

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

FISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP

CISO as Change Agent: Getting to Yes

CYBER SOLUTIONS & THREAT INTELLIGENCE

Stakeholders Analysis

What It Takes to be a CISO in 2017

It Takes the Village to Secure the Village SM

Critical Security Controls. COL Stef Horvath MNARNG Oct 21, 2015

NAC Institutional Committee Meeting

MANAGING CYBER RISK: THE HUMAN ELEMENTS OF CYBERSECURITY

CYBERSECURITY RESILIENCE

Federal Mobility: A Year in Review

Syllabus:))AIT)671)0)Information)Systems)Infrastructure)Lifecycle) Management)

Cyber Security Challenges

Current procedures, challenges and opportunities for collection and analysis of Criminal Justice statistics CERT-GH

FISMA Compliance and the Search for Security. Tim Murray NES Associates February 5, 2008

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Fiscal Year 2013 Federal Information Security Management Act Report

Bad Idea: Creating a U.S. Department of Cybersecurity

INFORMATION ASSURANCE DIRECTORATE

ISACA Arizona May 2016 Chapter Meeting

National Cyber R&D Framework: Changing The Game Recommendations from the NITRD Senior Steering Group on Cybersecurity R&D

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

Les joies et les peines de la transformation numérique

ERS IT Portfolio Report

Cybersecurity Overview

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Cybersecurity & Privacy Enhancements

Continuous Monitoring: Diagnostics & Mitigation (FEDRAMP edition)

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Reinvent Your 2013 Security Management Strategy

Continuous Monitoring Strategy & Guide

Feeling Cyber Insecure? Showing Progress Towards the Consensus Audit Guidelines Quest Software, Inc. ALL RIGHTS RESERVED.

Transcription:

The New Security Heroes Alan Paller apaller@sans.org

How they attack Spam with infected attachments Web sites that have infected content The most dangerous: targeted attacks Fooling the victim into Installing a program that Calls the mother ship to get instructions telling it to Connect with the servers inside the victim s organization to Steal information, Install back doors, and Attack others

FY09 TICKETS FY08 Increasing & Shifting Years Compared FY 08 FY 09 2104 3085 2% 51% 5% 39% TYPE FY 09 Quarters Quarters Tickets Oct-Dec 08 560 Jan-Mar 09 555 Apr-Jun 09 639 July-Aug 09 (Partial) 805 Months Compared 2008 - Tickets 2009- Tickets June 154 300 July 183 352 August 250 453 2% 1 1% 2% Malicious Code 9% 9% 79% Malicious Code Unauthorized Access Denial of Service Improper Use Scans/Probes/ Attempted Access Investigation

Bringing about broad based change when no one works for you The problem: CXOs are accountable for IT security. BUT directly supervise only a small part of the systems actually in use. 4

What makes a security hero? Radically improves security in ways that can be measured reliably, and replicated Ensures operational people are not asked to do the impossible. Ends the security wars with IT operations and with the audit staff. Teaches others organizations how to do the same thing or provides the catalyst to allow others to do even more

Results in 12 Months 1,200.0 1,000.0 Domestic Sites 800.0 Foreign Sites 600.0 400.0 200.0 89% Reduction 90% Reduction 0.0 6/1/2008 7/21/2008 9/9/2008 10/29/2008 12/18/2008 2/6/2009 3/28/2009 5/17/2009 7/6/2009 8/25/2009 6

Yet he never visited any of the 200+ foreign sites So how did he do it?

Used the 20 critical controls Return CAG ID Consensus Audit Guidelines NIST-800-53 1 Inventory of authorized and unauthorized hardware 2 Inventory of authorized and unauthorized software CM 1, CM 2, CM 3, CM 4, CM 5, CM 8, CM 9 CM 1, CM 2, CM 3, CM 5, CM 7, CM 8, CM 9, SA 7 CIRT Events 11 mo Multiple Tools < 6% < 22% 3 4 Secure configurations for HW and SW, if available Secure configurations for network devices such as firewalls and routers CM 6, CM 7, CP 10, IA 5, SC 7 AC 4, CM 6, CM 7, CP 10, IA 5, RA 5, SC 7 Nominal Nominal 5 Boundary Defense AC 17, RA 5, SC 7, SI 4 < 7% 6 Maintenance/Analysis of complete security audit logs AU 1, AU 2, AU 3, AU 4, AU 6, AU 7, AU 9, AU 11, AU 12, CM 3, CM 5, CM 6, SI 4 Nominal 7 Application software security AC 4, CM 4, CM 7, RA 5, SA 3, SA 4, SA 8, SA 11, SI 3 Decentralized 8 Controlled use of Administrative Privileges AC 6, AC 17, AT 2, AU 2 Nominal 9 Controlled access based on need to know AC 1, AC 2, AC 3, AC 6, AC 13 < 1% 10 Continuous vulnerability testing and remediation CA 2, CA 6, CA 7, RA 5, SI 2 Nominal 11 Dormant account monitoring and control AC 2, PS 4, PS 5 Nominal 12 Anti-malware defenses AC 3, AC 4, AC 6, AC 17, AC 19, AC 20, AT 2, AT 3, CM 5, MA 3, MA 4, MA 5, MP 2, MP 4, PE 3, PE 4, PL 4, PS 6, RA 5, SA 7, SA 12, SA 13, SC 3, SC 7, SC 11, SC 20, SC 21, SC 22, SC 23, SC 25, SC 26, SC 27, SC 29, SC 30, SC 31, SI 3, SI 8 < 60% 13 Limitation and control of ports, protocols and services AC 4, CM 6, CM 7, SC 7 Not yet graded 14 Wireless device control AC 17 Nominal 15 Data leakage protection AC 2, AC 4, PL 4, SC 7, SC 31, SI 4 Pending

How one can recognize a security hero The CISO of California UN.BE.LIEV.ABLE Jim Lewis The only rock star in security The Army General s standing ovation

SOLUTION Information & Tools Timely Targeted Prioritized Metrics with the Most Meaning 11

Results in 12 Months 1,200.0 1,000.0 Domestic Sites 800.0 Foreign Sites 600.0 400.0 200.0 89% Reduction 90% Reduction 0.0 6/1/2008 7/21/2008 9/9/2008 10/29/2008 12/18/2008 2/6/2009 3/28/2009 5/17/2009 7/6/2009 8/25/2009 15

Finding Details empower technical managers FOR TARGETED, DAILY ATTENTION TO REMEDIATION Summaries empower executives TO OVERSEE CORRECTION OF MOST SERIOUS PROBLEMS 16

Conclusions Huge improvements in a short time Scalable to large complex public and private sector organizations Higher ROI for continuous monitoring of technical controls as a substitute for paper reports 17

What allows continuous monitoring to work? Because it combined: Reliability and fairness in the metrics Authoritative consensus on what needed to be measured But where did the consensus come from? And what else makes metrics effective? 18

Authoritative and Important How can you prove you meet those criteria? The big idea: Offense informs defense!

Who understands offense? NSA Red Teams NSA Blue Teams DoD Cyber Crime Center (DC3) US-CERT (plus 3 agencies that were hit hard) Top Commercial Pen Testers Top Commercial Forensics Teams JTF-GNO AFOSI Army Research Laboratory DoE National Laboratories State Dept. Would they be willing to combine their knowledge of attacks and offense to define the most important defensive investments CIOs must make?

YES, UNDER THE DIRECTION OF JOHN GILLIGAN? 1. CIO OF US DEPARTMENT OF ENERGY 2. CIO OF US AIR FORCE 3. CO-CHAIR OF THE FEDERAL CIO COUNCIL SECURITY COMMITTEE 4. KEY MEMBER OF THE COMMISSION ON CYBERSECURITY FOR THE 44 TH PRESIDENCY 5. PRES. OBAMA S TRANSITION TEAM LEAD FOR IT AND INFORMATION SECURITY FOR BOTH DOD AND THE INTELLIGENCE COMMUNITY

Consensus Audit Guidelines (CAG) Steps to broad implementation 1. Start with attacks (offense informs defense) 2. Agree on the controls that would stop or quickly recover from the known attacks. 3. Agree how to automate and measure effectiveness 4. Public review period (Feb -March 2009) and revision 5. Pilot program in two agencies and tuning 6. Establish tests that repeatably evaluate effectiveness 7. Find the tools that automate each control 8. Gain OMB, CIO and IG agreement to adopt the CAG. 9. Buy it together to keep costs down. 10. Commercial adoption as minimum standard of due care. 11. Keep controls current through multi-agency governance

Result: Twenty Critical Controls Consensus Audit Guidelines (CAG) The twenty key controls 1. 15 subject to automation: examples 1. Inventory 2. Wireless 3. Configuration 2. 5 that are important but cannot be easily automated

15 critical controls can be automated Return CAG ID Consensus Audit Guidelines NIST-800-53 1 Inventory of authorized and unauthorized hardware 2 Inventory of authorized and unauthorized software 3 4 Secure configurations for HW and SW, if available Secure configurations for network devices such as firewalls and routers CM 1, CM 2, CM 3, CM 4, CM 5, CM 8, CM 9 CM 1, CM 2, CM 3, CM 5, CM 7, CM 8, CM 9, SA 7 CM 6, CM 7, CP 10, IA 5, SC 7 AC 4, CM 6, CM 7, CP 10, IA 5, RA 5, SC 7 CIRT Events 11 mo Multiple Tools < 6% < 22% Nominal Nominal 5 Boundary Defense AC 17, RA 5, SC 7, SI 4 < 7% 6 Maintenance/Analysis of complete security audit logs AU 1, AU 2, AU 3, AU 4, AU 6, AU 7, AU 9, AU 11, AU 12, CM 3, CM 5, CM 6, SI 4 Nominal 7 Application software security AC 4, CM 4, CM 7, RA 5, SA 3, SA 4, SA 8, SA 11, SI 3 Decentralized 8 Controlled use of Administrative Privileges AC 6, AC 17, AT 2, AU 2 Nominal 9 Controlled access based on need to know AC 1, AC 2, AC 3, AC 6, AC 13 < 1% 10 Continuous vulnerability testing and remediation CA 2, CA 6, CA 7, RA 5, SI 2 Nominal 11 Dormant account monitoring and control AC 2, PS 4, PS 5 Nominal 12 Anti-malware defenses AC 3, AC 4, AC 6, AC 17, AC 19, AC 20, AT 2, AT 3, CM 5, MA 3, MA 4, MA 5, MP 2, MP 4, PE 3, PE 4, PL 4, PS 6, RA 5, SA 7, SA 12, SA 13, SC 3, SC 7, SC 11, SC 20, SC 21, SC 22, SC 23, SC 25, SC 26, SC 27, SC 29, SC 30, SC 31, SI 3, SI 8 < 60% 13 Limitation and control of ports, protocols and services AC 4, CM 6, CM 7, SC 7 Not yet graded 14 Wireless device control AC 17 Nominal 15 Data leakage protection AC 2, AC 4, PL 4, SC 7, SC 31, SI 4 Pending

How one can recognize a security hero The CISO of California UN.BE.LIEV.ABLE Jim Lewis The only rock star in security The Army General s standing ovation

John Gilligan s answer to: We don t have a lot of money; how can we get started doing what State did? You already have most (70%) of the tools you need to automate security risk measurement. The State Dept. will give you the software they use to measure and display risk. This isn t a money issue or a technology issue. It s a leadership issue. You don t have to wait for someone to tell you to do it. There is no other path available to CIOs and security managers to escape from the compliance morass and make a measureable difference in security.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback