Growing Up In Cyber… but is Cyber Growing Up?
Tony Sager, Senior VP & Chief Evangelist, CIS (the Center for Internet Security)
Today’s Cyber Learning Model?
Classic Risk Equation
Risk = f{ Vulnerability, Threat, Consequence, Controls }
The Long and Winding Road….
Seismic Shifts
• Communications Security → “Cyber”
• Mathematics → CS, Networking, Operations, Analytics
• Technology → Information, Operations
• Government monopoly → user/market driven
• “Control Model” of security → open market
• National Security → economic/social Risk
A few cybersecurity lessons
• Knowing about flaws doesn’t get them fixed
• Cyber Defense => Information Management
 – when you see “share”, replace it with “translate” and “execute”
• The Bad Guy doesn’t perform magic
• There’s a large but limited number of defensive choices
 – and the 80/20 rule applies (the Pareto Principle)
• Cybersecurity is more like “Groundhog Day” than “Independence Day”
“The Fog of More”: anti-malware, governance, DLP, certification, continuous monitoring, penetration testing, threat feed, baseline configuration, SDL, audit logs, standards, assessment, best practice, SIEM, virtualization, risk management framework, sandbox, compliance, encryption, security bulletins, threat intelligence, user awareness training, incident response, two-factor authentication, browser isolation, security controls, need-to-know, supply-chain security, maturity model, whitelisting
The Defender’s Dilemma
1. What’s the right thing to do?
 – and how much of it do I need to do?
2. How do I actually do it?
3. And how can I demonstrate to others (many others) that I have done the right thing?
A Cyberdefense OODA Loop (“Patch Tuesday”)
• OBSERVE: track security bulletins, advisories
• ORIENT: assess applicability, operational issues, risk
• DECIDE: prioritize remediation
• ACT: rollout, monitor, manage “breakage”
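The four phases of that patch loop, with the risk equation from the earlier slide used as the DECIDE step, written out as a small Python script. This is an added example, not code from the slides or from CIS: the advisory feed, product names, version numbers and asset inventory are constructed for illustration, and the scoring weights (severity scaled to 0..1, a 2x threat multiplier for known exploitation, criticality times 1.5 for internet-facing systems, a compensating control halving the score) are assumptions, not a CIS method.

```python
# Added example (not from the slides): the "Patch Tuesday" OODA loop as code.
# The advisory feed, product names, versions and asset inventory below are
# constructed for illustration; the scoring weights in risk_score are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advisory:
    """One vendor bulletin, as observed from the feed."""
    adv_id: str
    product: str
    fixed_version: tuple   # first version containing the fix
    severity: float        # 0..10, e.g. a CVSS base score
    exploited: bool        # known exploitation in the wild


@dataclass
class Asset:
    """One system in the inventory, as known to the defender."""
    name: str
    product: str
    version: tuple
    internet_facing: bool
    criticality: int                               # 1 (lab box) .. 3 (crown jewels)
    mitigations: set = field(default_factory=set)  # compensating controls in place


# Constructed bulletin feed: id;product;fixed_version;severity;exploited
FEED = """\
ADV-0001;widgetd;2.4.1;9.8;yes
ADV-0002;widgetd;2.6.0;5.3;no
ADV-0003;reportsvc;11.2;7.5;no
"""

# Constructed inventory (hypothetical hosts and products).
ASSETS = [
    Asset("web-01", "widgetd", (2, 3, 0), True, 3),
    Asset("web-02", "widgetd", (2, 3, 0), True, 3, {"exploit_guard"}),
    Asset("lab-07", "widgetd", (2, 5, 2), False, 1),
    Asset("fin-db", "reportsvc", (11, 0), False, 3),
    Asset("kiosk", "reportsvc", (11, 2), False, 1),   # already at the fixed version
]


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); tuples compare component-wise, as versions should."""
    return tuple(int(part) for part in text.split("."))


def observe(feed_text):
    """OBSERVE: turn the raw bulletin feed into structured advisories."""
    advisories = []
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        adv_id, product, fixed, severity, exploited = line.strip().split(";")
        advisories.append(Advisory(adv_id, product, parse_version(fixed),
                                   float(severity), exploited == "yes"))
    return advisories


def orient(advisories, assets):
    """ORIENT: which advisories actually apply to which assets in our inventory?"""
    return [(adv, asset)
            for adv in advisories
            for asset in assets
            if asset.product == adv.product and asset.version < adv.fixed_version]


def risk_score(adv, asset):
    """Risk = f(Vulnerability, Threat, Consequence, Controls); the weights are assumed."""
    vulnerability = adv.severity / 10.0
    threat = 2.0 if adv.exploited else 1.0
    consequence = asset.criticality * (1.5 if asset.internet_facing else 1.0)
    controls = 0.5 if asset.mitigations else 1.0   # a compensating control halves the score
    return vulnerability * threat * consequence * controls


def decide(exposures, threshold=1.0):
    """DECIDE: rank exposures by risk; anything below the threshold waits for a later cycle."""
    ranked = sorted(exposures, key=lambda pair: risk_score(*pair), reverse=True)
    return [(adv, asset) for adv, asset in ranked if risk_score(adv, asset) >= threshold]


def act(plan, ring_size=2, health_check=lambda asset: True):
    """ACT: roll out in rings, apply the fix, and halt the rollout if a ring breaks."""
    rings, halted_at = [], None
    for start in range(0, len(plan), ring_size):
        ring = plan[start:start + ring_size]
        for adv, asset in ring:
            asset.version = max(asset.version, adv.fixed_version)  # apply the fix
        rings.append([(adv.adv_id, asset.name) for adv, asset in ring])
        if not all(health_check(asset) for _, asset in ring):
            halted_at = len(rings) - 1   # "manage breakage": do not proceed to the next ring
            break
    return {"rings": rings, "halted_at": halted_at}


if __name__ == "__main__":
    plan = decide(orient(observe(FEED), ASSETS))
    for adv, asset in plan:
        print(f"{risk_score(adv, asset):5.2f}  {adv.adv_id}  {asset.name}")
    print(act(plan))
```

Running it ranks the exploited-in-the-wild widgetd bug on the internet-facing web servers first, puts the host with a compensating control behind the one without, and leaves the low-severity lab box for a later cycle; a failing health check in any ring stops the rollout before the next ring, which is the "manage breakage" half of ACT that a flat patch-everything script omits.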
“Dueling OODAs” (and the role of Threat Intelligence, Analytics)
• There are many loops, often connected
• “farther in space, earlier in time”
• The Bad Guy’s loop is an opportunity
[Figure: several interconnected OODA loops (Observe, Orient, Decide, Act)]
An Effective Cyberdefense “info machine” should be…
• based on a model of Attacks, Attackers, and defensive choices
 – and focused on categories, types, patterns, templates, etc.
• driven by data
• managed within an open, standards-based framework
• accounting for “community risk”, but tailorable
• repeatable, dynamic, feedback-driven
• demonstrable, negotiable for Real People
Evolution of the CIS Controls
NSA/DoD Project → The Consensus Audit Guidelines (CSIS) → “The SANS Top 20” (the SANS Institute) → The Critical Security Controls (CCS/CIS) → The CIS Controls™
The Original Controls Principles
• Prioritize:
 – “Offense Informs Defense”
• Implement:
 – “Action today beats elegance tomorrow (or someday. Or never.)”
• Sustain:
 – “It’s not about the list”
• Align:
 – “To win the cyberwar, we need peaceful co-existence”
CIS Best Practice Workflow
CIS Controls Version 7
Ecosystem of Resources
• Mappings to other Frameworks
 – Special focus on NIST CSF [updated!]
• CIS Risk Assessment Method (CIS-RAM) [new]
• ICS Companion Guide to the Controls [drafted]
• Measures and Metrics [updated]
• SME Implementation Guide
• CIS Community Attack Model
• Privacy and the Controls
Recent References to the CIS Controls
• California Attorney General’s 2015 Data Breach Report
• The NIST Cybersecurity Framework
• Symantec 2016 Internet Security Threat Report
 – and Verizon DBIR, HP, Palo Alto, Solutionary…
• National Governors Association
• National Consortium for Advanced Policing
• Conference of State Bank Supervisors
• UK Critical Protection for National Infrastructure
• Zurich Insurance
• ENISA, ETSI
• Website: www.cisecurity.org
• Email: Controlsinfo@cisecurity.org
• Twitter: @CISecurity
• Facebook: Center for Internet Security
• LinkedIn Groups:
 – Center for Internet Security
 – 20 Critical Security Controls