KeepYourGuard:StayCompliantandBeSecureSeptember14th,2016

Presenters

Director, Product Management IT Security and Risk Strategist

Twitter: @terlin terlin@tripwire.com

Vice President, Services

Tim Erlin Karl Perman Bill Kearson

Director, Information Security

3

Current State of Industry Tripwire Research: http://www.tripwire.com/company/research

Could a cyberattack on operational technology in your organization cause physical damage?

* November, 2015, 150 IT professionals in energy, utilities and oil & gas

4

Current State of Industry Tripwire Research: http://www.tripwire.com/company/research

Does your organization have the ability to accurately track all the threats targeting your OT networks?

* November, 2015, 150 IT professionals in energy, utilities and oil & gas

5

Current State of Industry Tripwire Research: http://www.tripwire.com/company/research

What compliance requirements are the biggest driver for your purchase of cyber security products?

* November, 2015, 150 IT professionals in energy, utilities and oil & gas

ComplianceChallenge:Baselines•  WhatdoesNERCCIPrequire:

–  CIP-010R1:DevelopconfiguraLonbaselines,authorizeanddocumentchangestobaselines(OSincludingfirmware,soQware,ports,securitypatches)

–  CIP-010R2:MonitorandinvesLgatechangestobaselines•  TipsforAchievingandMaintainingCompliance

–  AutomaLon;reducingmanualeffortcandramaLcallyreduceauditburden.

–  DefinebaselineprocessforyourorganizaLon–  HaveaconfiguraLonchangemanagementsystemincludingchangeauthorizaLonprocess

ComplianceChallenge:Logging•  WhatdoesNERCCIPrequire:

–  CIP-007R4:Logsecurityevents,generatealerts,retainandreviewlogs–  CIP-006R2.2:Loggingofvisitoraccess–  CIP-009R1.5:DatapreservaLonfordeterminingcauseofCyberSecurityIncident–  CIP-005R1.5:DetecLngmaliciouscommunicaLons

•  TipsforAchievingandMaintainingCompliance–  NormalizaLonrules;chooseaproductthatcannormalizelogsfromsystemsinyour

environment.–  Don’tpayforlogstorage;chooseatoolthatlicensesbyasset,notbyeventsper

secondordatastored.–  ImplementaloggingprocessincludingclearlydefinedrolesandresponsibiliLes

ComplianceisNotSecurity

Security:SecureConfiguraLons•  WhatgapsdoesCIPcomplianceleaveopen:

–  Frequencyofreview;35daysisnotoQenenough!–  UseofconfiguraLoninformaLon–  Rememberoffenseaswellasdefense

•  TipsforgoingbeyondNERCCIPcompliancetosecurity–  UseaconfiguraLonbaselinetoolthatcanmonitorinrealLme.–  ExpandthebaselineconfiguraLonitemspromulgatedbyCIP–  FuseconfiguraLondatawiththreatintelligence

Security:SecurityEventManagement

•  WhatgapsdoesCIPcomplianceleaveopen:–  StatefulcorrelaLonofevents;5failedloginsfollowedbysuccess

–  TrackeventsthatmafertoyourorganizaLoninaddiLontoCIPrequirements

•  TipsforgoingbeyondNERCCIPcompliancetosecurity–  Usealogmanagementtoolthatcantrackstateacrossevents–  UsekeyperformanceindicatorstomeasureeffecLveness–  Eventanalysiscorrelatedwiththreatintelligence

Conclusion•  CIPisonlyabaseline;gofurtherforsecurity•  GoodCIPcompliancemaynotprotectyoufromallofthecurrentsecuritythreats

•  Aprocessdrivenapproachshouldmakecompliancelessburdensomeinthelongrun(definedandrepeatableprocesses)

•  Automatewhereyoucanasmanualprocessesarefraughtwithresourceconstraintsanderrors

TRIPWIREPROPRIETARY&CONFIDENTIAL.NOTFORDISTRIBUTION.INTERNALUSEONLY.

Questions