Post on 17-Dec-2015
Cyber Security Framework: Intel's Implementation Pilot
Tim Casey, CISSP, Senior Strategic Risk Analyst
@timcaseycyber
Background
A Changing Landscape Drives Security
Challenges are increasing in size, intensity, and complexity over time (figure: data aggregation and amount of valuable data, and number of connected people, both rising).
A security program must keep pace with the evolving threat landscape. It must become an intrinsic part of the enterprise that grows along with it.
EO 13636 addresses the lack of robust security within the U.S. cyber-ecosystem with a tool to jump-start good security programs
Developed over a year as a joint project between NIST and U.S. industry, with international participation
Uses existing industry models and best practices
Comprised of a Risk Management Framework and a Maturity Model
Initial pilots have shown it is flexible, extensible, and easily tailored to individual environments
The Framework is a tool to help create a harmonized risk management approach – it is NOT a compliance checklist!
National Cybersecurity Framework Structure
Framework
• Core
• Tiers
• Profiles
• Illustrative Examples
• References
• Executive Overview
Governance
Define “Critical Infrastructure”
Voluntary Program
Metrics
Incentives
Top Concerns of Industry
• Alignment to existing practices
• Privacy
• Adoption
• Governance
• Minimizing regulatory impacts
• Critical Infrastructure vagueness
• DHS Voluntary Program Development
The Cybersecurity Framework
The Framework helps build or augment a security program that equips the enterprise to keep pace with the evolving threats:
• Establish the right level of security for your environment
• Inform cybersecurity budget planning
• Communicate cyber risks comprehensively to Senior Leadership
• Harmonize cybersecurity approaches and provide a common language
Framework Core (example from the Protect function)
Categories
Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational confidentiality, integrity, and availability requirements.
Subcategories
PR.DS-1: Protect data (including physical records) during storage to achieve confidentiality, integrity, and availability goals
References
• COBIT APO01.06, BAI02.01
• ISO/IEC 27001 A.15.1.3
• CCS CSC 17
• NIST SP 800-53 Rev 4 SC-28
Framework Profiles
Profile example:
Tiers
• Tier 3: Adaptive
• Tier 2: Repeatable
• Tier 1: Risk-Informed
• Tier 0: Partial
Gaps
Intel’s CSF Pilot
Alignment Strategy: 3-Tiered Approach
Infrastructure: Align macro-level risk management practices to CSF; perform initial CSF assessment against infrastructure.
Product: Explore mapping of product and service capabilities to CSF; examine product assurance initiatives (SDL, etc.) through the CSF lens.
Supply Chain/Third Party Contracting: Examine and potentially pilot contracting updates to align to CSF language.
We are here
Infrastructure Risk – Using the CSF
Assessment matrix: CSF Functions and Categories (rows) against the business verticals Design, Office, Manufacturing, Enterprise, Services (columns).
Identify: Business Environment, Asset Management, Governance, Risk Assessment, Risk Management Strategy
Protect: Access Control, Awareness/Training, Data Security, Protective Processes and Procedures, Maintenance, Protective Technologies
Detect: Anomalies/Events, Security Continuous Monitoring, Detection Process, Threat Intelligence
Respond: Response Planning, Communication, Analysis, Mitigations, Improvements
Recover: Recovery Planning, Improvements, Communications
Goals
Use CSF to:
• Establish alignment on risk tolerance
• Inform budget planning for 2015
• Communicate risk heat map to Senior Leadership
• Treat CSF as a risk management approach, NOT a compliance checklist
Strategy
• Utilize the DOMES (Design, Office, Manufacturing, Enterprise, Services) approach: enables a holistic view across the infrastructure while enabling a cross-sectional view of our business
• Focus on OFFICE and ENTERPRISE initially
Infrastructure Assessment Process
Set Targets
• Establish Core Group (key SMEs and Managers)
• F2F session with Core Group to set targets and score actuals (2x4-hour sessions, 8-10 SMEs)
• Create tailored Subcategories
• Validate Targets with decision makers (CISO & Staff)
Assess Current State
• Identify key SME scorers
• Train SMEs
• SMEs use tools to self-score
Analyze Results
• Aggregate individual SME roll-up with Core Team actuals and compare to Targets
• Use a simple heat map to identify gaps >1
• Drill down on Subcategories for identified gaps >1 to identify key issues
Communicate Results
• Review findings & recommendations with CISO & Staff
• Inform impacted Managers to ensure prioritization feeds into budget and planning cycles
• Brief Senior Leadership on findings and resulting recommendations
Assessment Tool – SME & Core Team
Subcategory scoring confused participants. Recommend changing to a heat map (over/under).
Key Learning: Scorers do not need to know the Target.
Tiers – People, Process, Technology & Ecosystem
Need to harmonize wording (staff, personnel, etc.)
Need to refine 'seams' between Tiers
Need to clarify scope of dimension quality when using in categories
Overall: Tier definitions worked well for participants
Assessment Tool: SME Rollup Sample
(Figure, notional / example only: roll-up sheet with one score column per SME.)
SME Rollup – Unexpected Benefits #1
(Figure, notional / example only.)
Evaluating by functional area provided greater insights
SME Rollup – Unexpected Benefits #2
(Figure, notional / example only.)
Mapping highlighted outliers and major differences
Assessment Tool: SME/CORE/TARGET Roll Up
(Figure, notional / example only.)
High 2's – Focus Areas stand out
Significant differences between Core and Individual scores can highlight visibility issues
Results matched "Gut Check" expectations
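The "Analyze Results" step of the assessment process (roll individual SME scores up against Core Team actuals and Targets, heat-map gaps >1, drill into Subcategories) and the roll-up observation on this slide (a large Core-vs-SME difference points at a visibility problem) can be expressed as a small script. The following is an added example with constructed scores, not Intel's assessment tool: the Category names, scorer names, score values and the one-tier divergence threshold are assumptions; the 0..3 tier scale and the gap >1 rule come from the deck.

```python
"""Roll up SME self-scores against Core Team actuals and Targets (added example).

Constructed data, not from the Intel pilot. Scores use the deck's tier scale:
0 Partial, 1 Risk-Informed, 2 Repeatable, 3 Adaptive.
"""
from statistics import mean

TIER_NAMES = {0: "Partial", 1: "Risk-Informed", 2: "Repeatable", 3: "Adaptive"}

# Constructed sample data (hypothetical values): targets set by the Core Group,
# Core Team actuals, and individual SME self-scores per Function/Category.
TARGETS = {
    "Identify/Asset Management": 3,
    "Protect/Data Security": 2,
    "Detect/Threat Intelligence": 2,
    "Respond/Mitigations": 2,
}
CORE_ACTUALS = {
    "Identify/Asset Management": 2,
    "Protect/Data Security": 2,
    "Detect/Threat Intelligence": 3,
    "Respond/Mitigations": 2,
}
SME_SCORES = {
    "Identify/Asset Management": {"Siobhan": 2, "Patrick": 1, "Nala": 1},
    "Protect/Data Security": {"Siobhan": 2, "Patrick": 2, "Nala": 3},
    "Detect/Threat Intelligence": {"Siobhan": 1, "Patrick": 1, "Nala": 2},
    "Respond/Mitigations": {"Siobhan": 2, "Patrick": 2, "Nala": 2},
}

GAP_THRESHOLD = 1         # deck: drill down on gaps > 1
DIVERGENCE_THRESHOLD = 1  # assumption: Core vs. SME mean differing by >= 1 tier


def validate_score(value):
    """Reject anything that is not a tier 0..3 (bad input from a scoring sheet)."""
    if value not in TIER_NAMES:
        raise ValueError(f"score {value!r} is not a tier in 0..3")
    return value


def rollup(targets, core_actuals, sme_scores,
           gap_threshold=GAP_THRESHOLD, divergence_threshold=DIVERGENCE_THRESHOLD):
    """Return one row per Category, largest under-target gap first."""
    rows = []
    for category, target in targets.items():
        validate_score(target)
        scores = [validate_score(s) for s in sme_scores.get(category, {}).values()]
        if not scores:
            raise ValueError(f"no SME scores for {category}")
        sme_mean = mean(scores)
        core = validate_score(core_actuals[category])
        gap = target - sme_mean            # positive: actual is under target
        flags = []
        if gap > gap_threshold:
            flags.append("GAP")            # heat-map hot spot: drill into Subcategories
        if abs(core - sme_mean) >= divergence_threshold:
            flags.append("VISIBILITY")     # Core Team and SMEs see different realities
        # over/under heat label instead of per-subcategory scoring
        heat = "under" if gap > 0 else "over" if gap < 0 else "on target"
        rows.append({
            "category": category,
            "target": target,
            "core": core,
            "sme_mean": round(sme_mean, 2),
            "gap": round(gap, 2),
            "heat": heat,
            "flags": flags,
        })
    rows.sort(key=lambda r: r["gap"], reverse=True)
    return rows


def focus_areas(rows):
    """Categories to brief to the CISO: gap above threshold or Core/SME divergence."""
    return [r["category"] for r in rows if r["flags"]]


if __name__ == "__main__":
    for r in rollup(TARGETS, CORE_ACTUALS, SME_SCORES):
        print(f"{r['category']:<28} target={r['target']} core={r['core']} "
              f"sme={r['sme_mean']:.2f} gap={r['gap']:+.2f} {r['heat']:<9} "
              f"{' '.join(r['flags'])}")
```

Flags are computed on the exact mean before rounding, so a gap of 1.67 is flagged while a gap of 0.67 is merely "under"; the VISIBILITY flag fires for Detect/Threat Intelligence, where the Core Team rates itself two tiers above its SMEs, which is exactly the kind of discrepancy the slide says deserves a conversation rather than a budget line.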
Additional Key Learnings
Discussion is a benefit itself
• Security is a process, not an endpoint
• Targets especially interesting - prescriptive targets would eliminate this benefit
Functions
Mapped well to existing risk management practices and SMEs were easily ramped up. No modifications to Functions recommended.
Categories
Categories were useful, and for our initial use only one additional Category was added: DETECT: THREAT INTELLIGENCE. We expect additional Categories to emerge as we move through the Design, Manufacturing and Services environments.
Subcategories
Still a bit of a puzzle on how to optimally use this granularity while balancing overhead. The next rev of the tool will do away with scoring subcategories and use an over/under model for heat-mapping inputs. The comments section on subcategories was helpful in the analytical stage to drill down on high/low Category scores.
Key Learnings Continued
Program Management
CSF utilization has progressed with no major deviations from plan of record. Low program management overhead to date, as the organizations assessed (Enterprise and Office) have a strong risk management culture and mature security-related SMEs. Very lightweight organizationally (leveraged existing processes/org structures).
Estimated Cost
Less than 175 work-hours invested to date with 2 verticals (Office/Enterprise) complete. Repeatable tools and techniques developed, so additional verticals may be less overhead.
Feedback from Participants
Easy to understand and score. No concerns about resourcing or time commitments.
Challenges
• Granularity – Subcategories and the degree of granularity of assessment using the CSF
• Repeatability – Changes in SME/scorers YoY may impact quality of assessment
• Visualization – How to best represent the results to various stakeholders and decision makers
• Alignment/Harmonization – Maintaining alignment across supply chain/partners on approach and language
• Governance, risk management, and compliance programs – How does the Framework support / intersect GRCs?
Do it yourself!
Start where you are comfortable
Tailor the Framework to your organization
Involve all levels of security & management within your org
Resources:
• NIST Website http://www.nist.gov/cyberframework
• Intel white paper (Q1 2015)
• Sector Information Sharing and Analysis Centers (ISAC)
• Industry associations
If you want to try it…
This presentation is for informational purposes only.
Intel, the Intel logo, Look Inside., and the Look Inside. logo are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2015 Intel Corporation. All rights reserved.