1 Staying ahead of the Game, Leveraging Compliance and Best of Breed Security for the Future
Christopher Strand, Carbon Black Security Risk and Compliance Officer (AKA Chief Compliance Evangelist), March 22, 2016

2 Agenda
Compliance Baseline Controls and Themes
Compliance Frameworks and Best Practices: FFIEC CAT; COBIT 5, SOX, and COSO
Using Regulations as a Framework: PCI DSS
Focus on Security Controls for True Compliance Measure
Q & A

3 Global Records Lost since 2013: 3,710,630,722
Why we focus on our approach… (source: Breach Level Index)

4 Compliance Baseline Controls and Themes/Frameworks

5 Compliance and Audit Ecosystem
PARTNER: Third-party Risk, Policy, Risk Assessment
CORPORATE: Data Retention, Data Privacy, Data Protection, Licensing
INDUSTRY: PCI DSS, HIPAA, SOX/GLBA, NERC
GOVERNMENT: Data Privacy and Protection, Federal Data Regulations, EU Data Protection
Eliminate Control Clutter: unite business silos, empowering the executive office
Increase Worker Efficiency: spend less on resources and maintain compliance
Improve Compliance Adoption: speed attainment and reduce administration
Extend the Value of Technology Investments: consolidate existing infrastructure

6 Merge Compliance and Security
CHALLENGE: Compliance + Security = Achieve Continuous Compliance and Strengthen Your Security Profile
You must validate both compliance and security with controls that:
Compliance:
1. Identify, Classify & Scope Critical Business Processes
2. Stop Analyzing Change and Start Controlling It
3. “Active Intelligence” and Always-on Monitoring
4. Complete Protection from ALL Malware Threats
5. Immediate Enforcement and Audit of Security Compliance Policy
Security:
1. Real Time Visibility
2. Monitor & Prevent Change
3. Measure, Identify & Analyze Risk
4. Detect & Prevent Malware
5. Actively Enforce Policy

7 Best Practices and Frameworks

8 The Trend Between Frameworks and Requirements

9 Compliance: Past Present Future…
Past: Check the box; Reactive; Expensive & Resource Intensive; Disparate Silos; IT Audit Driven; Funded by audit

10 Compliance: Past Present Future…
Present: Security focused; Automated and Integrated; United coverage/liability across the organization; Funded from multiple sources

11 Compliance: Past Present Future…
Future: Instant notification of Policy Compromise; Security + Compliance Converged; Ease of use and resource savings; Integration Streamlined

12 Proactively Managing and Measuring Compliance via Frameworks

13 FFIEC Cyber Security Assessment Tool (CAT)

14 FFIEC Cybersecurity Assessment Tool

15 Benefits of the CAT to Institutions
Identifying factors contributing to and determining the institution’s overall cyber risk
Assessing the institution’s cybersecurity preparedness
Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks
Determining risk management practices and controls that could be taken to achieve the institution’s desired state of cyber preparedness
Informing risk management strategies

16 FFIEC Cybersecurity Assessment Tool
Inherent Risk Profile (39 questions on risk): Low Inherent Risk, Minimal Inherent Risk, Moderate Inherent Risk, Significant Inherent Risk, Most Inherent Risk
Cybersecurity Maturity (494 Y/N questions) across five domains:
Domain 1: Cyber Risk Management & Oversight
Domain 2: Threat Intelligence & Collaboration
Domain 3: Cybersecurity Controls
Domain 4: External Dependency Management
Domain 5: Cyber Incident Management and Resilience

17 Risk Maturity Matrix

18 How to use the CAT – Common Compliance Workflow

19 Control Maturity Level vs Inherent Risk Profile Level
Control Maturity Level: Baseline / Evolving; Inherent Risk Profile Level: Low / Minimal

Domain 1 - Governance, Risk, and Audit (solution capability desired: Visibility and Intelligence)
Baseline: No endpoint visibility; Limited intelligence on oversight and audit functions
Evolving: Polling and scanning; basic manual risks assigned

Domain 2 - Threat Intelligence and Sharing (solution capability desired: Intelligence and Integration)
Baseline: Limited intelligence without any integration
Evolving: Alerts and logs are consolidated in a SIEM for integration; manually shared threat intelligence

Domain 3 - Preventive, Detective, and Corrective Controls (solution capability desired: Detection, Prevention, and Response)
Baseline: Detection: AV signatures, only detects known malware, extensive log analysis; Prevention: Relying on AV only stops known malware; Response: Reimage machines, no root cause analysis
Evolving: Detection: Software and IP reputation data; Prevention: Remove admin rights, basic whitelisting; Response: Manual root-cause and scope analysis, post-mortem forensics

Domain 4 - Third Party Management (solution capability desired: Visibility and Detection)
Baseline: No visibility into third-party security or threats; No detection of security incidents spawned from third parties
Evolving: Limited visibility into criticality of third parties; Still no detection of interactions or unauthorized attempts to obtain/change sensitive information

Domain 5 - Incident Response (solution capability desired: Detection and Response)

Negative Security Approach

20 Negative Security Model using Anti-Malware
[Four charts, one each for Signatures, IOCs, Heuristics and Machine Learning, plotting Detect & Protect Value against Time]

21 Control Maturity Level
Control Maturity Level: Intermediate / Advanced / Innovative; Inherent Risk Level: Moderate / Significant / Most

Domain 1 - Governance, Risk, and Audit
Intermediate (Bit9 + Carbon Black): Risks that exceed appetite are escalated to management; Policies include threat intelligence; Baselines cannot be altered without a formal change request; Formal IT change management process; Risk management includes financial, strategic, regulatory, and compliance implications; Benchmarks and target performance metrics are established; Audits are used to identify gaps
Advanced (Bit9 + Carbon Black): Industry standards are used for the analysis of gaps; Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory; Automated processes are in place to detect and block unauthorized changes to software and hardware; Risk assessments of changes in the change management system; Risk data aggregation and real-time reporting capabilities support ongoing reporting; Periodic audit process improvements based on the threat landscape
Innovative (Bit9 + Carbon Black): Continuous monitoring of security controls; KPIs determine training and awareness influence; A formal change management function governs decentralized or highly distributed change requests and measures security risks; Automated enterprise tools are implemented to detect and block unauthorized changes to software and hardware

Domain 2 - Threat Intelligence and Sharing
Intermediate (Bit9 + Carbon Black): A formal threat intelligence program is implemented and has external and internal sources; A read-only central repository of cyber threat intelligence is maintained; A profile of threats is created
Advanced (Bit9 + Carbon Black): Threat intelligence is automatically received from multiple sources in real time; Threat intelligence is used to update architecture and configuration standards
Innovative (Bit9 + Carbon Black): IT systems automatically detect configuration weaknesses based on threat intelligence and alert management; Real-time threat sharing; Threat analysis systems correlate threat data to risks while taking automated actions and alerting management; Invests in threat intelligence and collaboration mechanisms; Combines all threat intelligence from those mechanisms

Domain 3 - Preventive, Detective, and Corrective Controls
Intermediate (Bit9 + Carbon Black): Security controls for remote access; Unauthorized code prevention tools; E-mails and attachments are automatically scanned to detect malware and blocked when it is present; Tools for unauthorized data mining; Tools to monitor security logs; Audit logs are backed up to a centralized log server that is difficult to alter; Event detection processes are tested as reliable
Advanced (Bit9 + Carbon Black): Anti-spoofing measures for forged IP addresses; Automated tools proactively identify high-risk behavior signaling an employee who poses an insider threat; Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices; Real-time network monitoring and detection is implemented and incorporates sector-wide event information; Real-time alerts are automatically sent when unauthorized software, hardware, or changes occur; Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters; Patch monitoring software is installed on all servers
Innovative (Bit9 + Carbon Black): Automated real-time risk scores of infrastructure; Centralized endpoint management tool; Real-time risk scoring of threats; Detection of insider threats and blocking of activity in real time; Remediation of systems damaged by zero-days

Domain 4 - Third Party Management
Intermediate (Bit9 + Carbon Black): Controls verified to detect and prevent intrusions from third-party connections; Monitoring covers all external and internal connections
Advanced (Bit9 + Carbon Black): Maintain and improve security of external connections; Detailed diagram of data flow analysis

Domain 5 - Incident Response
Intermediate (Bit9 + Carbon Black): IR team notified when anomalous behavior and attack patterns or signatures are detected; Detect infiltrations before the attacker traverses across systems; Incidents detected in real time through automated processes and correlated events across the enterprise; Network and system alerts are correlated across business units to detect and prevent multifaceted attacks; Early analysis of security events to minimize impact
Advanced (Bit9 + Carbon Black): Institution corrects root cause for problems discovered during testing; Sophisticated and adaptive technologies are deployed that can detect and alert the incident response team to specific tasks when threat indicators across the enterprise indicate potential external and internal threats; Automated tools are implemented to provide specialized security monitoring based on the risk of the assets to detect and alert IR teams in real time; IR team collaborates with the threat intelligence team during an incident; Detailed metrics, dashboards and/or scorecards outlining cyber events are provided to management
Innovative (Bit9 + Carbon Black): IR plan ensures recovery from disruption, assurance of data integrity, and recovery of lost or corrupted data following an incident; IR process includes detailed actions and rule-based triggers for automated response; Validated ability to remediate systems damaged by zero-day attacks to maintain RTO; Detect and block zero-day attacks and alert management and IR teams in real time; Risk management of significant cyber incidents results in limited to no downtime for critical services; Mechanism in place to alert on incidents in real time through multiple channels while tracking and verifying communication for audit

Positive Security Approach

22 Positive Security Model
[Chart: Detect & Protect Value against Time]

23 Key Considerations While Using the CAT
Focus on Innovative Cybersecurity Maturity
Proactive or real-time detection and response
Automation to gain metrics and reporting
Focus on the threat analytics that matter
Baseline risk measurement for discovery

24 The FFIEC and CAT through time…
Present: Examiners have begun using the handbook. Criticism from FIs that a voluntary tool is made to seem mandated; it does not track the NIST Cybersecurity Framework or compensating controls; the declarative statements are subjective in nature.
Future: The FFIEC took feedback on the tool this January. The tool will be updated on a periodic basis. Publications from the FFIEC and OCC state that the CAT could become mandatory if examiners do not see risk-mitigation improvements from banks.

25 Sarbanes-Oxley (SOX), COBIT5, and COSO IT Audit Controls

26 COBIT Mapping for COSO and SOX Control Matrix

27 COSO Control Environment Component
COBIT reference: EDM01, EDM03, and EDM05 (Ensure Governance Framework Setting). Governance is set amongst all stakeholders across all frameworks and ensures ownership.

28 COSO Risk Assessment Component
COBIT Reference: Manage Risk (APO12)
Risk assessment is crucial for the SOX standard: determine the significance of financial data disclosure relative to each control in place; select and scope the controls to test; determine the audit necessary for a given control.

29 COSO Control Activities Component
COBIT Reference: Manage Human Resources and Quality (APO07 and APO11)
Four types of control activities:
• Data center operation controls
• System software controls
• Access security controls
• Application system development and maintenance controls

30 COSO Information and Communication Component
COBIT Reference: APO01 and EDM05 (Manage the IT Management Framework; Ensure Stakeholder Transparency)

31 COSO Monitoring Activities Component
FIC/FIM: visibility into transaction data (chain of command); reporting and audit
Visibility and control: eliminate the noise associated with monitoring controls like File Integrity Monitoring and immediately identify critical changes
Proactive analysis of risk on in-scope endpoints: proactive monitoring of regulatory scope; gain an immediate risk, threat and trust measure across the entire enterprise; trace the entire security event
Enforcement and protection of all in-scope systems: ensure total enforcement, compliance and audit with security policy; move from patch mitigation to threat mitigation

32 Evolution of COBIT – Audit to True Enterprise IT Measurement

33 Modern Baseline Framework – PCI DSS Prioritized Approach.

34 PCI DSS Gradual shift from Checkbox to Compliance Measure
100% of companies that were breached in 2015 were non-compliant. 100% of companies were failing compliance. 0 in ten years:
“Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach.”

35 Future of PCI

36

37 Snapshot: Top 5 Critical Security Controls and PCI DSS 3.0
CSC 1 Inventory of Authorized and Unauthorized Devices: Requirement 2.4
CSC 2 Inventory of Authorized and Unauthorized Software: Requirement 2.4.a
CSC 3 Secure Configurations for Hardware and Software: Requirements 2.2, 6.2, 11.5
CSC 4 Continuous Vulnerability Assessment and Remediation: Requirements 6.1, 6.2
CSC 5 Malware Defenses: Requirements 5.1, 5.2, 5.4

38 Visibility: CSC 1 & PCI DSS 2.4
Inventory of Authorized and Unauthorized Devices
Maintain an inventory of system components that are in scope for PCI DSS
Quick Win: Change your system to a proactive posture in order to speed up the attainment of pre-compliance data gathering.

39 Visibility: CSC 2 & PCI DSS 2.4.a
Inventory of Authorized and Unauthorized Software
Examine the system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each
Quick Win: Introduce real-time, instant visibility into what applications and processes are running on all endpoints and servers, including version information

40 Configuration Monitoring: CSC 3 & PCI DSS 2.2, 6.2, 11.5
Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Develop configuration standards for all system components [that] address all known security vulnerabilities. Protect critical system files.
Quick Win: Prevent unauthorized change and set up real-time monitoring and recording of critical changes

41 Vulnerability Analysis & Response: CSC 4 & PCI DSS 6.1, 6.2, 11.2
Continuous Vulnerability Assessment and Remediation
Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities and file assets.
Quick Win: Apply real-time vulnerability and threat analysis to all in-scope systems

42 Malware: CSC 5 & PCI DSS 5.1
Malware Defenses
Deploy anti-virus software. Evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software.
How long does it take the system to identify any malicious software that is installed, attempted to be installed, executed, or attempted to be executed on a computer system (time in minutes)?
Quick Win: Actively block all unknown and untrusted processes

43 Common Security Control Focus Across all Frameworks: Focus on Success

44 Common Critical Security Controls Required for Success
FIC/FIM: visibility into transaction data; reporting and audit
Visibility and control: eliminate the noise associated with monitoring controls like File Integrity Monitoring and immediately identify critical changes
Proactive analysis of risk on in-scope endpoints: proactive monitoring of regulatory scope; gain an immediate risk, threat and trust measure across the entire enterprise; trace the entire security event
Enforcement and protection of all in-scope systems: ensure total enforcement, compliance and audit with security policy; move from patch mitigation to threat mitigation

45 POSITIVE SECURITY: FILE INTEGRITY CONTROL
Detect changes as they occur or are attempted
Use policies to establish what is allowed – block everything else
Respond to alerts in real time, not after file changes have been collated and analyzed
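The positive-model file integrity control this slide describes (and the configuration-monitoring quick win on slide 40), as an added example that is not part of the original deck and not Bit9/Carbon Black code: a baseline of SHA-256 hashes is taken, the tree is rescanned, every added, modified or removed file is checked against a policy of the changes that are allowed, and everything the policy does not cover becomes an alert. The directory layout, file contents and the allowed-change patterns are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: relative path -> SHA-256 for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = sha256_file(full)
    return snap


def detect_changes(root, baseline):
    """Compare the tree as it is now against the baseline snapshot."""
    current = snapshot(root)
    changes = []
    for rel, digest in current.items():
        if rel not in baseline:
            changes.append(("added", rel))
        elif baseline[rel] != digest:
            changes.append(("modified", rel))
    changes.extend(("removed", rel) for rel in baseline if rel not in current)
    return sorted(changes)


# Positive policy (constructed): the only changes that are expected. Anything else is a
# violation, so there is no list of "bad" files that has to be kept current.
ALLOWED_CHANGES = {
    "added": ["var/log/*"],
    "modified": ["var/log/*"],
    "removed": [],
}


def evaluate(changes, policy=ALLOWED_CHANGES):
    """Return the changes the policy does not permit; these are the alerts."""
    return [(kind, rel) for kind, rel in changes
            if not any(fnmatch(rel, pat) for pat in policy.get(kind, []))]


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline three files, make five changes, evaluate them."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", "listen=443\n")
        _write(root, "bin/service", "#!/bin/sh\nexec /opt/app/service\n")
        _write(root, "var/log/app.log", "service started\n")
        baseline = snapshot(root)

        _write(root, "var/log/app.log", "service started\nrequest handled\n")  # expected
        _write(root, "var/log/app.log.1", "rotated\n")                          # expected
        _write(root, "etc/app.conf", "listen=443\nauth=disabled\n")            # violation
        _write(root, "bin/dropper", "MZ stub\n")                                # violation
        os.remove(os.path.join(root, "bin", "service"))                          # violation

        changes = detect_changes(root, baseline)
        return changes, evaluate(changes)
```

detect_changes rescans the tree, which is the collate-and-analyze pattern the slide argues against; a production control hooks the write itself (inotify/fanotify on Linux, a minifilter driver on Windows) so the same evaluate step runs before the change lands and can block it rather than report it. The policy deserves its own caveat: a pattern such as var/log/* covers anything written there, including a file an attacker stages, so allowed-change patterns should be as narrow as the application permits.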

46 POSITIVE SECURITY: PROACTIVE ANALYSIS OF RISK
Prevents unauthorized processes from occurring
Eliminates the need to keep up with negative or static blacklists – an impossible task anyway
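The contrast between the negative model of slide 20 and the positive model of slides 22, 42 and 46, as an added example that is not from the original deck and not Bit9/Carbon Black code: the same stream of process-execution events is decided twice, once by a blocklist of known-bad hashes and once by a default-deny policy of approved hashes, trusted publishers and custom bans. Hostnames, paths, the publisher name and the byte strings standing in for binaries are all constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ExecEvent:
    host: str
    path: str
    sha256: str
    publisher: str = ""   # signer reported by the endpoint; "" means unsigned


@dataclass
class Policy:
    approved: Set[str] = field(default_factory=set)             # hashes explicitly trusted
    banned: Set[str] = field(default_factory=set)               # custom bans
    trusted_publishers: Set[str] = field(default_factory=set)   # signers whose code may run


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables; only their hashes matter here.
NOTEPAD = digest(b"notepad build 1")
AGENT = digest(b"corp agent 4.2")
KNOWN_MALWARE = digest(b"sample already in the signature set")
NEW_DROPPER = digest(b"never-seen-before dropper")
OLD_JRE = digest(b"signed but banned old runtime")

# Negative model input: a blocklist of what is already known to be bad.
SIGNATURES = {KNOWN_MALWARE}


def negative_model(ev: ExecEvent) -> str:
    """Blocklist: block known-bad hashes; anything not yet seen is allowed to run."""
    return "block" if ev.sha256 in SIGNATURES else "allow"


def positive_model(ev: ExecEvent, policy: Policy) -> str:
    """Default deny: explicit ban, then approved hash, then trusted publisher, else block."""
    if ev.sha256 in policy.banned:
        return "block"           # a ban wins even over a trusted signer
    if ev.sha256 in policy.approved:
        return "allow"
    if ev.publisher and ev.publisher in policy.trusted_publishers:
        return "allow"
    return "block"               # unknown means untrusted


def enforce(events: List[ExecEvent], policy: Policy) -> Tuple[Dict[str, Tuple[str, str]], Set[str]]:
    """Decide each event under both models; unknowns blocked by default deny are queued for review."""
    decisions: Dict[str, Tuple[str, str]] = {}
    pending: Set[str] = set()
    for ev in events:
        neg, pos = negative_model(ev), positive_model(ev, policy)
        decisions[ev.path] = (neg, pos)
        if pos == "block" and ev.sha256 not in policy.banned and ev.sha256 not in SIGNATURES:
            pending.add(ev.sha256)   # known-bad and banned hashes are never approval candidates
    return decisions, pending


def approve(policy: Policy, sha256: str) -> None:
    """Approval is how the allowlist grows: a reviewed hash becomes trusted everywhere."""
    policy.approved.add(sha256)


POLICY = Policy(approved={NOTEPAD}, banned={OLD_JRE}, trusted_publishers={"Corp IT Signing CA"})

EVENTS = [  # constructed execution events from three hypothetical workstations
    ExecEvent("ws-01", r"C:\Windows\notepad.exe", NOTEPAD),
    ExecEvent("ws-01", r"C:\Program Files\Corp\agent.exe", AGENT, "Corp IT Signing CA"),
    ExecEvent("ws-02", r"C:\Users\bob\AppData\Local\Temp\known_sample.exe", KNOWN_MALWARE),
    ExecEvent("ws-02", r"C:\Users\bob\Downloads\invoice.pdf.exe", NEW_DROPPER),
    ExecEvent("ws-03", r"C:\Program Files\Java\jre7\bin\java.exe", OLD_JRE, "Corp IT Signing CA"),
]


def demo():
    return enforce(EVENTS, POLICY)
```

The fourth event is the point of the slide: the dropper has no signature, so the blocklist allows it, while default deny blocks it without anyone having seen it before. The fifth shows why bans sit above publisher trust in the evaluation order: a validly signed but retired runtime still must not run. The cost of the positive model is the pending queue, which is the approval workload that "eliminates the need to keep up with blacklists" trades against.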

47 POSITIVE SECURITY: SECURITY AND COMPLIANCE POLICY ENFORCEMENT
Enforce security and compliance policies in real time
Provides a compensating control for systems and applications
Automatically educate users about compliance policy as it is being enforced

48 Practice Best of Breed Security to Enable Compliance and Risk Measure

49 Compliance and Security Control Example (PCI)
Example of Compliance Coverage across the Kill Chain: failure of requirements leads to compromise
Reconnaissance: attacker researches potential victim
Weaponization: attacker creates deliverable payload
Delivery: attacker transmits weapon into environment
Exploitation: attacker exploits vulnerability
Installation: attacker changes system configuration
C2: attacker establishes control channel
Action: attacker attempts to exfiltrate data
PREVENTION: multiple, customizable forms of prevention
DETECTION AND RESPONSE: How did it start? Where did it spread? What did it do? What do I do now?
PCI DSS requirements referenced: Req. 6.1, Req. 6.2, Req. 5.1, Req. 5.4, Req. 11.5, Req. 2.2, Req. 5.3, Req. 11.5, Req. 10.x, Req. 12.x

50 From Checking the Box to Becoming Innovative in Security
Level 1 Vulnerable: Visibility: None; Detection: AV signatures, only detects known malware; Prevention: Only stops known malware; Response: Reimage machines, no root cause analysis; Integration: Silos
Level 2 Reduced risk: Visibility: Polling, scanning; Detection: Reputation data, algorithms; Prevention: Remove admin rights, basic whitelisting, anti-exploitation; Response: Manual root-cause and scope analysis, post-mortem forensics; Integration: Alerts and logs consolidated in SIEM
Level 3 Strong posture: Visibility: Real-time visibility & continuous recording of endpoint state; Detection: Single-source threat intelligence, simple indicators; Prevention: Custom bans; Response: Automated root-cause and scope analysis; Integration: Data correlated with network security, SIEMs, etc.
Level 4 Best protection: Visibility: Real-time visibility & continuous recording of endpoint activity; Detection: Aggregated, multi-vendor threat intel, patterns and behavior; Prevention: Policy-based default-deny, customizable forms of prevention; Response: Attack disruption & containment, automated remediation; Integration: Customized integration via open APIs

51 Every second counts
Continuously record, centralize and retain activity from every endpoint
Record: Continuous, always on, never sleeps, because you can’t know what is bad ahead of time.
Collect: The right data, based on our offensive security expertise.
Centralize: Stream all data to an aggregated “system-of-record.” Single source of truth. Manage as a key IT asset.
Retain: Persistent history of the attacker’s every action, root cause, patterns of behavior.
Non-Intrusive: Never impact the endpoint or user.
Benefits: Visibility. Know what’s happening on every endpoint. Scope an incident in minutes. Historical traceability for investigations. Apply new detection rules retrospectively.
Recorded data: Copy of every executed binary; Network connections; File executions; File modifications; Cross-process events; Registry modifications
Track an attacker’s every action
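A minimal version of the record, centralize and retain loop this slide describes, as an added example that is not Carbon Black's code: an append-only store of process, network-connection and file-modification events with the three queries a responder needs from it, a retrospective hunt that applies a rule written today to data recorded earlier, a parent-chain walk for root cause, and a scope query for everything a process and its descendants did. All telemetry here is constructed (hostname, PIDs, image names, a TEST-NET-3 address) and is not real captured data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: int                 # constructed timestamp
    host: str
    kind: str               # "process", "netconn" or "filemod"
    pid: int                # the process the activity belongs to
    data: dict = field(default_factory=dict)


class Recorder:
    """Append-only system of record for endpoint activity, indexed for scoping queries."""

    def __init__(self) -> None:
        self.events: List[Event] = []
        self.by_proc: Dict[Tuple[str, int], List[Event]] = defaultdict(list)
        self.children: Dict[Tuple[str, int], List[int]] = defaultdict(list)

    def record(self, ev: Event) -> None:
        self.events.append(ev)
        self.by_proc[(ev.host, ev.pid)].append(ev)
        if ev.kind == "process" and "ppid" in ev.data:
            self.children[(ev.host, ev.data["ppid"])].append(ev.pid)

    def hunt(self, rule: Callable[[Event], bool]) -> List[Event]:
        """Run a detection rule over everything already recorded, not only new events."""
        return [e for e in self.events if rule(e)]

    def root_cause(self, host: str, pid: Optional[int]) -> List[str]:
        """Walk the parent chain from a process back to its earliest recorded ancestor."""
        chain: List[str] = []
        while pid is not None:
            start = next((e for e in self.by_proc[(host, pid)] if e.kind == "process"), None)
            if start is None:
                break
            chain.append(start.data["image"])
            pid = start.data.get("ppid")
        return chain

    def scope(self, host: str, pid: int) -> Dict[str, List[str]]:
        """Everything a process and all of its descendants did on the host."""
        pids, queue = [], [pid]
        while queue:
            p = queue.pop()
            pids.append(p)
            queue.extend(self.children[(host, p)])
        acts = [e for p in pids for e in self.by_proc[(host, p)]]
        return {
            "processes": sorted(e.data["image"] for e in acts if e.kind == "process"),
            "netconns": sorted(f"{e.data['ip']}:{e.data['port']}" for e in acts if e.kind == "netconn"),
            "filemods": sorted(e.data["path"] for e in acts if e.kind == "filemod"),
        }


def build_sample_recorder() -> Recorder:
    """Constructed activity, not real telemetry: Outlook opens Word, Word spawns PowerShell,
    which beacons out and drops a file that then runs. Chrome is unrelated noise."""
    rec, h = Recorder(), "ws-07"
    for ev in [
        Event(1000, h, "process", 100, {"image": "outlook.exe"}),
        Event(1060, h, "process", 200, {"image": "winword.exe", "ppid": 100}),
        Event(1065, h, "process", 300, {"image": "powershell.exe", "ppid": 200}),
        Event(1066, h, "netconn", 300, {"ip": "203.0.113.5", "port": 443}),
        Event(1070, h, "filemod", 300, {"path": r"C:\Users\bob\AppData\Roaming\upd.exe"}),
        Event(1075, h, "process", 400, {"image": "upd.exe", "ppid": 300}),
        Event(1080, h, "netconn", 400, {"ip": "203.0.113.5", "port": 443}),
        Event(1100, h, "process", 500, {"image": "chrome.exe"}),
    ]:
        rec.record(ev)
    return rec


def retro_hunt_ioc(rec: Recorder, bad_ip: str) -> List[int]:
    """An IOC arrives after the fact: which recorded processes ever talked to it?"""
    return [e.pid for e in rec.hunt(lambda e: e.kind == "netconn" and e.data["ip"] == bad_ip)]


def retro_hunt_office_spawn(rec: Recorder) -> List[int]:
    """A behavioural rule written later: a shell whose parent is an Office application."""
    office = {"outlook.exe", "winword.exe", "excel.exe"}
    shells = {"powershell.exe", "cmd.exe"}
    hits = []
    for e in rec.hunt(lambda e: e.kind == "process" and e.data["image"] in shells):
        parents = rec.root_cause(e.host, e.data.get("ppid"))
        if parents and parents[0] in office:
            hits.append(e.pid)
    return hits
```

Both hunts run against data recorded before the rule or indicator existed, which is what "apply new detection rules retrospectively" means in practice; neither is possible if the endpoint only forwarded alerts. The scope query answers the slide's "where did it spread, what did it do" from the same store, and root_cause answers "how did it start" by walking parent links, so every recorded process event must carry its parent PID or the chain breaks at that point.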

52 Questions?

