Cybersecurity Best Practices: Securing Your Organization, Systems and Platforms
Health IT Summit, The Cybersecurity Forum, August 2017
Tony Sager, Sr. Vice President and Chief Evangelist, CIS
Classic Risk Equation

Risk = ƒ { Vulnerability, Threat, Consequence } / countermeasures
A Lifetime of Cybersecurity Lessons

Knowing about vulnerabilities doesn't get them fixed.
The Bad Guy doesn't perform magic (USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers).
There's a large but limited number of defensive choices; the 80/20 rule applies (the Pareto Principle).
Cybersecurity => Information Management: not Information Sharing, not technology. When you hear "share", think "translate and execute".
Few people/enterprises make security decisions; they make economic and social decisions.
Cybersecurity is more like Groundhog Day than Independence Day.
"The reason for collecting, analyzing and disseminating information on a disease is to control that disease. Collection and analysis should not be allowed to consume resources if action does not follow."
-- Foege WH, et al. International Journal of Epidemiology 1976; 5:29-37
The

anti-malware, governance, baseline configuration standards, SDL, audit logs, need-to-know, security controls, DLP, continuous monitoring, supply-chain security, certification, penetration testing, threat feed, best practice, virtualization, browser isolation, maturity model, whitelisting, assessment, SIEM, sandbox, risk management framework, compliance, encryption, threat intelligence, security bulletins, user awareness training, incident response, two-factor authentication

DHS CDM Program, NISP DoD 5220.22-M, ENISA Security Framework, FISMA, NIST Cybersecurity Framework, NIST 800-53, COBIT, HIPAA, NATO CCD Cybersecurity Framework, Bank of England CBEST, ISO 27001/27002, PCI DSS, HITRUST Common Security Framework, NERC CIP, ISF Standard of Good Practice
The Defender's Dilemma

1. What's the right thing to do? And how much do I need to do?
2. How do I actually do it?
3. And how can I demonstrate to others that I have done the right thing?
From Best Practice to Common Practice

How do we know what is best? Based on data? Solution to the worst problem? Trusted source?
What is a practice? How specific?
How do I actually do it? What do I need to do this?
What are the barriers? Knowledge? Cost? Tools? Training? Enforcement? Misalignment?
It takes more than a list of practices: a marketplace, tools, training; community-building; sharing of ideas; alignment of practices with oversight, auditing, compliance.
Health & Human Services - Best Practices

Where are we today in cyberdefense?

Research Validated Best Practice: a program, activity or strategy that has the highest degree of proven effectiveness, supported by objective and comprehensive research and evaluation.
Field Tested Best Practice: a program, activity or strategy that has been shown to work effectively and produce successful outcomes and is supported to some degree by subjective and objective data sources.
Promising Practice: a program, activity or strategy that has worked within one organization and shows promise during its early stages for becoming a best practice with long term sustainable impact; it must have some objective basis for claiming effectiveness and must have the potential for replication among other organizations.
CIS Best Practice Workflow

CIS Controls
Who is CIS?

We develop and support best practices for effective defenses against cyber attacks.
We mobilize and organize volunteers in a community model.
Not-for-profit, independent, objective, and international in scope.
CIS delivers Confidence in the Connected World.
Website: www.cisecurity.org
Email: Controlsinfo@cisecurity.org
Twitter: @CISecurity
Facebook: Center for Internet Security
LinkedIn Groups: Center for Internet Security; 20 Critical Security Controls