ISE North America Leadership Summit and Awards, November 6-7, 2013 (#ISEna)

Presentation Title: Embracing Cyber Security for Top-to-Bottom Results
Presenter: Larry Wilson
Presenter Title: Chief Information Security Officer
Company Name: University of Massachusetts
University of Massachusetts: Providing High Quality Education for 140 Years

2013 World University Ratings: 42nd of the Top 100 Universities
5 Campuses + Systems Office
72,000 Students
17,500 Faculty & Staff
UMass Online: 120 Degree & Certificate Programs
Embracing Cyber-security for Top-to-Bottom Results (Agenda)

What's at Stake
UMASS Security Program Goals
UMASS Security Program Design
Building a Controls Wall
Top 20 CyberSecurity Controls
CyberSecurity Technology Architecture
CyberSecurity Software Design
CyberSecurity Controls Mapping
UMASS Security Program Operations Center
CyberSecurity Controls Implementation
Lessons Learned / Best Practices
What's at Stake?

Security Risk: based on the likelihood and impact of the university experiencing an adverse event, such as a data breach of high value assets.

Contributing to risk:
- Threats: an ever-changing threat landscape consisting of internal and external threats.
- Vulnerabilities: a decentralized administrative and academic computing environment across the university, containing both managed and unmanaged assets.
- High Value Assets: intellectual property, research data, student and employee records, health records, credit cards, etc.

Risk mitigation:
- Controls: design, build and operate a comprehensive set of security controls that safeguard computing and information assets.
UMASS Security Program Goals

1. Develop a university-wide security framework and strategic programs.
2. Invest in security controls to protect critical university assets (Critical Asset Groups):
   CAG-01: People, Identities, Access
   CAG-02: Endpoint Devices
   CAG-03: Business Applications
   CAG-04: Network Security
   CAG-05: Data Center Systems
   CAG-06: University Databases
   CAG-07: University Data
3. Align security controls with industry best practices [ISO 27002, Top 20 Critical Security Controls]:
   MGT: Information Security Management and Communications (People Focus)
   CSC: CyberSecurity Controls (Technology Focus)
   GCC: General Computer Controls (Process Focus)
4. Invest in resources (staffing, training) to implement and manage security controls.
5. Develop an implementation roadmap inclusive of all campuses and departments.
6. Establish a comprehensive communication program to increase stakeholder awareness.
UMASS Security Program Design

The UMass Information Security Program rests on three pillars:

Management & Communications (MGT), People Focus, aligned with ISO 27002:
- Risk Management
- Policy / Program
- Marketing & Communications
- Awareness Training

General Computer Controls (GCC), Process Focus, aligned with ISO 27002:
- Secure Applications
- IT Operations
- Access Controls
- Records Retention

Cyber-security Controls (CSC), Technology Focus, aligned with the Top 20 Critical Security Controls.

Foundation: the CSCS 20 Critical Security Controls and the Policy, Legal, and Regulatory Framework (UMass Security Policy, WISP, Mass Privacy, PCI, SOX, HIPAA, FERPA, ...).
Building a Controls Wall

Access to University Data: the controls wall stands between CAG-01 (People, Identity, Access) requesting access and CAG-07 (University Data), and every request is allowed or denied through it.

The bricks of the wall are the three control families, twenty controls each:
- MGT-01 through MGT-20: Security Management Controls (ISO 27002)
- CSC-01 through CSC-20: CyberSecurity Controls (CSCS CSCs)
- GCC-01 through GCC-20: General Computer Controls (ISO 27002)
Top 20 Critical Security Controls

CSC-01: IT Asset Management
CSC-02: Software Asset Management
CSC-03: System Configuration
CSC-04: Vulnerability Management
CSC-05: Malware Defenses
CSC-06: Application Security
CSC-07: Wireless Devices
CSC-08: Data Recovery
CSC-09: Security Training
CSC-10: Network Configuration
CSC-11: Ports, Protocols, Services
CSC-12: Administrative Privileges
CSC-13: Boundary Defenses
CSC-14: Audit Logs
CSC-15: Controlled Access
CSC-16: Account Monitoring
CSC-17: Data Loss Prevention
CSC-18: Incident Response
CSC-19: Secure Network Engineering
CSC-20: Penetration Testing
CyberSecurity Technology Architecture (Cyber-Security Technology)

At the center sits the CSCS Critical Controls Database, which feeds an Alerting & Reporting Console. Three engines run against the Critical Asset Groups (managed and unmanaged assets) and update the database with what they find:
- Scan Engine, driven by Scan Rules
- Monitor Engine, driven by Monitor Rules
- Filter Engine, driven by Filter Rules

Critical Asset Groups covered:
CAG-01: Identity, Access, Entitlements
CAG-02: Endpoint Devices
CAG-03: Business Applications
CAG-04: Network Security
CAG-05: Data Center Systems
CAG-06: Databases
CAG-07: University Data
CyberSecurity Software Design

START

Control Requirements (Asset Management): use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the organization network, including servers, workstations, laptops, and remote devices.

Security Assessment / Compliance Assessment

Design Requirements:
1. Establish an authoritative system of record (controls database).
2. Update it with known managed assets (GCC process).
3. Scan rules for unknown unmanaged assets (active discovery).
4. Monitor rules for unknown unmanaged assets (passive discovery).
5. Filter rules for unknown unmanaged assets (access control).
6. Generate real-time alerts and management reports (Alerting and Reporting Console).
7. Update the authoritative system of record (controls database).

Compliance Assessment (Asset Management): implement, operate, alert and report using processes and tools to track / control / prevent / correct network access by devices (computers, network components, printers, anything with an IP address) based on an asset inventory of which devices are allowed to connect to the network.

END
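The seven design requirements above (and the scan / monitor / filter engines of the architecture slide) describe one reconciliation loop for CSC-01. The following Python is an added example written for this page, not UMass code or any product's API: it holds a constructed controls database keyed by MAC address, takes constructed active-scan results and a few constructed DHCP log lines as passive observations, applies a filter rule (devices not in the system of record are denied until reviewed), raises alerts for them, and returns an updated system of record plus a management report. Asset values, hostnames, MACs and the log format of the sample lines are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Step 1-2: constructed authoritative system of record (controls database),
# populated with known managed assets and their Critical Asset Group.
MANAGED_ASSETS: Dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"hostname": "ps-app01", "cag": "CAG-03", "owner": "ERP team"},
    "aa:bb:cc:00:00:02": {"hostname": "db-sql01", "cag": "CAG-06", "owner": "DBA team"},
    "aa:bb:cc:00:00:03": {"hostname": "lt-jdoe", "cag": "CAG-02", "owner": "J. Doe"},
}

# Step 3: constructed active-discovery output (what the scan engine found).
SCAN_RESULTS: List[dict] = [
    {"ip": "10.1.1.10", "mac": "aa:bb:cc:00:00:01", "open_ports": [443]},
    {"ip": "10.1.1.20", "mac": "aa:bb:cc:00:00:02", "open_ports": [1433]},
    {"ip": "10.1.1.77", "mac": "de:ad:be:ef:00:01", "open_ports": [22, 80]},  # not in record
]

# Step 4: constructed passive-discovery input, ISC dhcpd-style lease log lines.
DHCP_LOG = """\
Nov  6 09:01:12 dhcp1 dhcpd: DHCPACK on 10.1.1.30 to aa:bb:cc:00:00:03 (lt-jdoe) via eth0
Nov  6 09:02:45 dhcp1 dhcpd: DHCPACK on 10.1.1.88 to ca:fe:00:00:00:02 (android-x) via eth0
Nov  6 09:02:50 dhcp1 dhcpd: DHCPREQUEST for 10.1.1.88 from ca:fe:00:00:00:02 via eth0
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_dhcp_acks(log: str) -> List[dict]:
    """Monitor rule: every DHCPACK is a device that obtained an address."""
    seen = []
    for line in log.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            seen.append({"ip": m["ip"], "mac": m["mac"].lower(), "hostname": m["host"] or ""})
    return seen


def filter_decision(mac: str, system_of_record: Dict[str, dict]) -> str:
    """Step 5: filter rule. Only devices in the authoritative record are allowed."""
    return "allow" if mac in system_of_record else "deny"


def reconcile(system_of_record: Dict[str, dict], active: List[dict],
              passive: List[dict]) -> Tuple[dict, Dict[str, dict]]:
    """Steps 5-7: decide access, alert on unknowns, return a report and an
    updated copy of the system of record (the input is not mutated)."""
    observed: Dict[str, dict] = {}
    for obs in active:
        observed.setdefault(obs["mac"], {"ip": obs["ip"], "sources": set()})["sources"].add("scan")
    for obs in passive:
        entry = observed.setdefault(obs["mac"], {"ip": obs["ip"], "sources": set()})
        entry["sources"].add("monitor")
        if obs.get("hostname"):
            entry["hostname"] = obs["hostname"]

    updated = {mac: dict(rec) for mac, rec in system_of_record.items()}
    decisions, alerts, unmanaged = {}, [], []
    for mac, info in sorted(observed.items()):
        decision = filter_decision(mac, system_of_record)
        decisions[mac] = decision
        if decision == "deny":
            unmanaged.append(mac)
            alerts.append(f"CSC-01 unmanaged device {mac} at {info['ip']} "
                          f"(discovered by {', '.join(sorted(info['sources']))}); access denied")
            # Step 7: record the unknown device so it can be reviewed and assigned a CAG.
            updated[mac] = {"hostname": info.get("hostname", ""), "cag": "unassigned",
                            "status": "unmanaged", "last_ip": info["ip"]}
        else:
            updated[mac].update({"status": "managed", "last_ip": info["ip"]})

    # Managed assets nobody observed are inventory drift and belong in the report.
    not_seen = sorted(set(system_of_record) - set(observed))
    report = {"decisions": decisions, "alerts": alerts,
              "unmanaged_found": unmanaged, "not_seen": not_seen,
              "managed_seen": sorted(m for m in observed if m in system_of_record)}
    return report, updated


if __name__ == "__main__":
    rpt, record = reconcile(MANAGED_ASSETS, SCAN_RESULTS, parse_dhcp_acks(DHCP_LOG))
    for a in rpt["alerts"]:
        print(a)
    print("managed seen:", rpt["managed_seen"], "not seen:", rpt["not_seen"])
```

Running it denies the two devices that appear on the wire but not in the record (one found by the scan, one by the DHCP monitor), flags them for review in the updated record, and confirms that all three managed assets were observed. In practice the scan and monitor inputs would come from the organization's discovery tooling, and the "deny" decision would drive a NAC or switch-port policy rather than a string.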
CyberSecurity Controls Mapping

The mapping matrix has one row per Security Control (with its Control Description) and one column per Critical Asset Group:
CAG-01 People, Identity, Access; CAG-02 Endpoint Devices; CAG-03 Business Applications; CAG-04 University Networks; CAG-05 Data Center Systems; CAG-06 Databases; CAG-07 University Data.

Security Control: Control Description
CSC-01: Inventory of Authorized and Unauthorized Devices
CSC-02: Inventory of Authorized and Unauthorized Software
CSC-03: System Configuration (servers, laptops, mobile devices)
CSC-04: Continuous Vulnerability Assessment and Remediation
CSC-05: Malware Defenses
CSC-06: Application Software Security
CSC-07: Wireless Device Control
CSC-08: Data Recovery
CSC-09: Security Skills Assessment and Training
CSC-10: Network Configuration (switches, routers, firewalls)
CSC-11: Control of Ports, Protocols, and Services
CSC-12: Control of Administrative Privileges
CSC-13: Boundary Defenses
CSC-14: Maintenance, Monitoring of Audit Logs
CSC-15: Controlled Access based on Need to Know
CSC-16: Account Monitoring
CSC-17: Data Loss Prevention
CSC-18: Incident Response (mapped as a Process across all seven CAGs)
CSC-19: Secure Network Engineering
CSC-20: Penetration Testing & Red Team Exercises (mapped as an Assessment across all seven CAGs)
CyberSecurity Controls Implementation (Example)

Asset Group Action Plan to Comply with University Standards based on the Top 20 Critical Security Controls, scheduled across Phase 1, Phase 2 and Phase 3:

CAG-01 People, Identities, Access
1. USecure Program: continue to implement the USecure program based on CSCS STH.
2. Develop a university-wide RFP for an Endpoint Management Solution.
3. SecAdmin Process: university-wide process for managing access to Psoft applications.

CAG-02 Endpoint Devices
4. Determine the best campus / department for an MDM pilot (mobile devices).
5. NAC: implement NAC to control unmanaged endpoints and servers.
6. Establish an endpoint security standard (anti-virus, file/folder encryption, USB drive encryption).

CAG-03 Business Applications
7. BSIMM: establish best practices for software security.
8. WAF: evaluate Web Application Firewall technologies.

CAG-04 Network Security
9. Establish standards for wireless networks.
10. Next-Gen Firewall: determine the best alternative for a next-gen firewall.
11. Two Factor AuthN: two factor authentication (RSA tokens).

CAG-05 Data Center Systems
12. Vulnerability & Patch Management.
13. SIEM: determine the best alternative for SIEM or a managed service.
14. Central authentication: evaluate technology solutions for central authentication of Linux systems.

CAG-06 Databases
15. Database Security: determine database security strategy & technology.

CAG-07 University Data
16. Implement technology to identify, inventory and manage sensitive data.
17. Records Administration: establish a process for deleting sensitive data via records retention standards.
UMASS Security Program Operations Center

Input:
- Work Requests, Tickets, Audit Findings (Help Desk)
- Advisories & Incidents, Data Breaches (Incident Response Team / CSIRT)
- Intelligence Feeds: Zero-day Threats, Zero-day Vulnerabilities

Information Security Operations Center (ISOC), sourced as Build, Buy, Outsource or Cloud, operating the 20 CSCs together with IT Operations.

Output:
- Alerts, Metrics & Reports to the Management Team
Lessons Learned / Best Practices

Start with the Design: get management buy-in, including budget, resources and timelines.
Implement in Phases: quick wins, maximum impact; you need success stories!
Communicate Often: monthly implementation and compliance reports.
Work with Partners: including the Council on Cybersecurity and vendors / service providers, to improve technology and service offerings.