Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Cybersecurity Framework

Published byJames Parrish Modified over 6 years ago

Similar presentations

Presentation on theme: "The Cybersecurity Framework"— Presentation transcript:

1 The Cybersecurity Framework
Jerry Beasley, CISM Security Services Manager Presented to NASCUS/CUNA Cybersecurity Symposium 2017

2 Overview Today’s session will explore: The Threat Landscape
Defense Strategies Defense Frameworks Implementing the NIST Cybersecurity Framework

3 Threat Landscape Threat Landscape
Attacks ARE increasing: According to Symantec’s 2016 Internet Security Threat Report: 42% increase in targeted attacks 5,585 new vulnerabilities discovered 55% increase in phishing campaigns 415 new vulnerabilities on mobile operating systems 54 zero-day vulnerabilities (up 125%) – no warning before exploit 43% of targeted attacks aimed at businesses with < 250 employees 3

4 Threat Landscape Threat Landscape
Cyber Crime is Growing: Attack distribution for 2015/16 (as reported by hackmageddon.com): 4

5 Threat Landscape Threat Landscape
Cybercrime costs the global economy up to US$575 billion annually according to a recent report by BofA Merrill Lynch Global Research. Another new record was set near the end of the year when 191 million identities were exposed, surpassing the previous record for the largest single data beach. 2017 promises to easily break these records. 5

6 Threat Landscape Threat Landscape Does it make you “WannaCry” ? 6

7 What is Cybersecurity? INFORMATION SECURITY Background
Cyber ~ “computer” “computer network” “virtual” In our practical application, it is synonymous with: INFORMATION SECURITY

8 DEFENSE STRATEGIES Information/Cyber Security Lessons Learned
We cannot rely solely on firewalls and anti-malware Attack vectors are present at all layers of an organization / infrastructure Attack defenses must address all of these (Defense in Depth) Aggressive testing can help identify undiscovered weaknesses Vulnerability or Penetration Testing alone cannot prevent a breach Successful organizations have a plan and establish a framework

9 DEFENSE STRATEGIES Defense in Depth An information assurance concept in which multiple layers of security controls (defense) are placed throughout an IT system The strategy is to provide redundancy so that if one layer of defense fails, another layer may thwart or further delay attacks 9

10 People, Policies & Procedures
Defense in Depth Firewall IDS / IPS NAC Permissions HIDS Anti-malware People, Policies & Procedures Updates User Training Analogy – layers of an onion. I like this slide better than the previous – they’ll get this. DiD is an important term… Encryption Backups Physical 10

11 Building People, Policies, and Procedures: Existing Models
DEFENSE STRATEGIES Building People, Policies, and Procedures: Existing Models NIST Risk Management Framework (SP , A) CIS 20 Critical Security Controls ISO/IEC 27001 The Cybersecurity Framework Version 1.0 /1.1 (draft) CAREFUL!!! This will open questions like “which one(s) does FP use? What do you audit against, which is best? I’d highlight that these are all guidelines to help make our jobs easier to cover everything.

12 NIST Risk Management Framework

13 CIS 20 Critical Security Controls
Is a compilation of 20 critical controls providing: Controls mapped to specific attack types Specific actions that organizations are taking to implement, automate, and measure effectiveness Recommended procedures and tools to enable implementation The Critical Controls are characterized by: Increased asset accountability (hardware & software) Increased integration / automation 13

14 CIS 20 Critical Security Controls
The Critical Controls are characterized by: Increased asset accountability (hardware & software) Increased integration / automation 14

15 ISO/IEC 27001/27002 Code of practice for information security controls: 15

16 DEFENSE STRATEGIES A National Cybersecurity Framework
With executive order 13636, the President initiated the Framework for Improving Critical Infrastructure Cybersecurity A general framework for mass consumption Uses business drivers to focus efforts on the security agenda Use is voluntary, but the framework is gaining steam Flexible – not a “one size fits all” approach Founded on risk management principles

17 Who is part of this community?
National Cybersecurity Framework Who is part of this community? Entities with a role in securing the nation’s infrastructure Members of each critical infrastructure sector perform functions that are supported by information technology (IT) and industrial control systems…”

18 NIST Implementation The National Institute of Standards and Technology (NIST) Implementation NIST developed the initial implementation guidance: “Framework for Improving Critical Infrastructure Cybersecurity” Also known as, “The Cybersecurity Framework” or CSF

19 Emphasis for adoption by FDIC, OCC, FFIEC and NCUA, others
The Cybersecurity Framework Industry Adoption Emphasis for adoption by FDIC, OCC, FFIEC and NCUA, others

20 The Cybersecurity Framework
FFIEC Cybersecurity Assessment Tool (CSAT) Management tool for evaluating framework implementation

21 The Cybersecurity Framework
Designing your program around the NIST Cybersecurity Framework provides: A framework to implement a defense-in-depth strategy (risk reduction) An method to assure alignment with regulatory guidance (compliance)

22 The Cybersecurity Framework
The framework aligns with the common Cybersecurity functions:

23 The Cybersecurity Framework
The framework provides the required program elements (high-level controls).

24 The Cybersecurity Framework
The framework introduces the concept of “Implementation Tiers” or the degree of implementation. FFIEC’s CSAT translates this concept into “Maturity Levels”

25 The Cybersecurity Framework
The framework maps to implementation guidance

26 The Cybersecurity Framework
A recommended starting point is the Framework Core 98 controls/practices that should be common to most organizations These will be adapted and supplemented based on your needs

27 The Cybersecurity Framework
SO…if you’ve implemented another standard (ISO, CIS 20 Critical Controls, COBIT, etc.)… …You can still use the implementation details within the CSF.

28 The Cybersecurity Framework
Is intended to be integrated into a Risk Management program Source: Cybersecurity Framework Version 1.0

29 IMPLEMENTATION STRATEGY
Risk Assessment Existing Program Inventory Modeling New Program Measuring Progress Adapting Source: Cybersecurity Framework Version 1.0

30 IMPLEMENTATION STRATEGY
Risk Assessment Determine what you are protecting Determine the type and likelihood of threats Determine if your current controls are adequate to reduce the risk Provides prioritization for control implementation Source: Cybersecurity Framework Version 1.0

31 IMPLEMENTATION STRATEGY
Existing Program Inventory Gap Analysis CSAT provides a good program-level view and helps determine the degree of implementation required May also be derived from existing Risk or Compliance Assessments This documents “current” profile Elements of the CSF you already have in place Source: Cybersecurity Framework Version 1.0

32 IMPLEMENTATION STRATEGY
Model New Program Translate functions into strategies Translate categories into roles / responsibilities Translate sub-categories into plans of action Establish your “target” profile Source: Cybersecurity Framework Version 1.0

33 IMPLEMENTATION STRATEGY
Monitor & Re-assess How do you know it’s working? Risk Assessments Audit and Compliance Testing and Exercises New CSAT to determine changes in inherent risk or maturity Source: Cybersecurity Framework Version 1.0

34 IMPLEMENTATION STRATEGY
Adapt Add to or modify the CSF core to ensure effective: Identification – knowing what you have Protection – establishing defense-in-depth Detection – awareness of cybersecurity events Response – knowing what to do when events happen Recovery – having the means to recover from events Source: Cybersecurity Framework Version 1.0

35 Tier 4 Tier 3 Tier 2 Tier 1 Where to go from here?
Improve and optimize Identify Protect Tier 1 Tier 2 Tier 3 Tier 4 Detect IMPROVE/ADAPT Respond Recover

36 Innovative Advanced Intermediate Evolving Baseline
Where to go from here? Improve and optimize Identify Baseline Evolving Intermediate Advanced Innovative Protect Detect IMPROVE/ADAPT Respond Recover

37 Summary Today we discussed: The Threat Landscape Defense Strategies
The Need for Defense in Depth Defense Frameworks Common Frameworks Employing the Cybersecurity Framework

38 Summary QUESTIONS?

39 References Executive Order Improving Critical Infrastructure Cybersecurity NIST Framework for Improving Critical Infrastructure Cybersecurity CIS Critical Controls for Effective Cyber Defense NIST Special Publication , Security and Privacy Controls for Federal Information Systems and Organizations Symantec’s 2016 Internet Security Threat Report NSA Whitepaper “Defense in Depth”

40 Learn more and request a TraceCSO Demo.
Questions? Clean up the “extra” slides now…. Learn more and request a TraceCSO Demo.

Download ppt "The Cybersecurity Framework"

Similar presentations

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”

Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order “Improving Critical Infrastructure Cybersecurity”
Introduction to Network Defense

Introduction to Network Defense
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:

Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
Supervision of Information Security and Technology Risk Barbara Yelcich, Federal Reserve Bank of New York Presentation to the World Bank September 10,

Supervision of Information Security and Technology Risk Barbara Yelcich, Federal Reserve Bank of New York Presentation to the World Bank September 10,
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Engineering Essential Characteristics Security Engineering Process Overview.

Engineering Essential Characteristics Security Engineering Process Overview.

Similar presentations

Ads by Google