Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF
CISACGEIT CSXCISMCRISC
Walk This Way:
Using CIS Critical Security Controls and NIST
Cybersecurity Framework to accomplish
Cyber Threat Resilience – A Tools Approach
Robin Basham, Chief Compliance Officer, VP
Information Security Risk & Compliance, Cavirin
Cybersecurity Essentials – E32

2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Cyber Risk Recap: What could go wrong?
• Reputation is a cyber target
• Criminals value information – financial, health,
critical infrastructure
• The pace of technology intensifies and blurs
dependencies
• We can’t trace, never mind control our data
• Exfiltration happens
• The role of government and information custody is
flat out unclear
2

Cybersecurity Mission: Resilience
• Know the critical assets and who’s
responsible for them
• Get everyone involved in cyber-
resilience (discovery)
• Assure they have the knowledge and
autonomy to make good decisions
• Be prepared for both unsuccessful AND
successful attack
• Prevent a cyber attack from throwing
the organization into complete chaos.
3
Define
Establish
Implement
Analyze
Report
Respond
Review
Update
Continuous
Monitoring

IT’S ALL GOOD,
YOU’RE A ROCK STAR,
YOU’RE SUPERHUMAN – YOU CAN HERD CATS
4
Steve Tyler, lead singer for Aerosmith, is
not associated in any capacity to Cavirin.
We are inspired by his music.

Assessing Things SOC2 – PCI – NIST
CSF – HITRUST – SOX
- FedRamp
Control Matrix –
COSO – NIST 800
53r4 – Cobit –Risk
Management
Frameworks
Configuration Rules –
CIS – DISA for
example, can be
automated for
detection
Things – Servers –
Routers –
Containers – Apps
– all have
configuration
values that can
pass or fail
5

Assessing Things – In Reality
Things
Configuration
Rules
Controls
Assessment
Models – SOC –
PCI – CSF –
HITRUST – SOX -
FedRamp
6
xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_
Ensure_Load_and_unload_device_drivers_is_set_
to_Administrators
To establish the recommend-ed configuration via
GP, set the following UI path to Administrators
Computer ConfigurationPoliciesWindows
SettingsSecurity SettingsLocal PoliciesUser
Rights AssignmentLoad and unload device drivers
Impact
If you remove the Load and unload device drivers
user right from the Print Operators group or other
accounts you could limit the abilities of users who
are assigned to specific administrative roles in
your environment. You should ensure that
delegated tasks will not be negatively affected.

CISOPCI DSS
SOC2
HITECH
Cyber
Security
Framework
ISO27002
NIST 800-
53 r4,
Appendix J
CIC CSC
Top 20
DISA STIGS
FedRamp
SIG Due
Diligence
RMF, FAIR,
COSO ERM
Security Roles - Environments - Measures
CISOBuild
Business
Sell Security
Govern
Security
Operate
Securely
Identity &
Access
Risk
Management Legal
Interface
Compliance
Security
Architecture
Budget
Security
Roadmap
PMO Security
Roadmap
7
IaaS
PaaS
SaaS
Cloud
Hybrid
Cloud

Containers
Requirements
CIS
Benchmark
DISA STIGS
NIST 800-53
v4
PCI DSS 3.2
SOC2 2016
HIPAA
HITECH CSF
CSF Cyber
Security
Framework
ISO27002 CIS CSC Top
20
RMF
FedRamp
CJIS
UK Cyber
Essentials
FFIEC
GLBA
Rules run on Environments – are tagged to controls
8
IaaS
PaaS
SaaS
Cloud
Data Centers
Hybrid
Cloud
Assessment
Score
WIN2008R1
& R2
WIN20012R1
& R2
CentOS 6
CentOS7
RHEL6
RHEL7
UBUNTU12 UBUNTU14
AWS EC2
ESX 5.5
Azure
Docker
Windows 7
Windows 10

CRAWL THIS WAY
9
Steve Tyler, lead singer for Aerosmith, is
not associated in any capacity to Cavirin..

Crawl: Top initiatives to provide most protection
• Control Administrative Privileges
• Limiting Workstation-to-Workstation
Communication
• Antivirus File Reputation Services
• Anti-Exploitation
• Host Intrusion Prevention (HIPS) Systems
• Secure Baseline Configuration!!!!!
• Web Domain Name System (DNS)
Reputation
• Patching: Take Advantage of Software
Improvements
• Segregate Networks and Functions
• Application Whitelisting
• Think about your tools
10

Tools (Solutions) are Overwhelming
11
Credit to Monument Partners

Accountability +Compliance – crawl then walk
• We fear false confidence in published assessment reports.
• CIS Critical Security Controls (Top 20) and NIST Cybersecurity
framework make it possible to organize detected conditions, that
left unchecked, would unravel both the company’s investments and
controls.
• Using the 80/20 rule, crawl = secure host baseline, walk = CSC and
NIST CSF
12
AWS, Azure,
Docker (Cloud)
Ransomware &
Data
Exfiltration
Cyber
Insurance

From a cyber perspective, why does managing
configuration baseline matter?
To start, you have to
• Understand your a kill chain
• Handle changes to major US regulations
• Transfer cyber risk accountability
• Insurance requires evidence of due diligence, i.e. consistent
practice of risk assessment and remediation
• Because lateral movement and exfiltration doesn’t care
which devices are in your audit scope.
• Because there are too many environment and too many
things.
13
AWS, Azure,
Docker, Google
(Cloud)
Ransomware
& Data
Exfiltration
Cyber
Insurance

A successful kill only requires 5 elements
Risk
Scenarios
Events
Resources
Time
Threats
Actors
14

Let’s take out a target
Get access to the target’s outlook calendar (schedule)
Discover the route they travel (location)
Get fake uniforms so we blend in (identity)
Distract the guards (opportunity)
Interrupt the live camera feed so they don’t see us (time)
Purchase a weapon that can’t be traced (malware, spyware…)
Go – Go – Go: Take out the target
Burn down the structure so there’s nothing left, or just encrypt
everything and sell the target their own key. (ransomware)
15

To disrupt a kill chain, what do we assess?
• Environment is “hardened”
against types of threats
• Limits to bad Actors –
technical behaviors
• Time: environments
remain resilient to threats
(Drift)
• Resources: engineers will
not cause us to fail an
audit.
16
Business
Requirements
CIS
Benchmark
DISA STIGS
NIST 53 v4
PCI DSS 3.2
SOC2 2016
HIPAA
HITECH CSF CSF Cyber
Security
Framework
ISO27002
CIS CSC Top
20
Risk
Management
Framework
FedRamp

Risk Assessments frame risk conversation
• Assessments are industry focused and often repeat the same topics
• “Risk” Assessments have context and use an industry approved
model (an abstraction) to organize many “things”
• All industries struggle to gather technical evidence of implementing
their assessed controls.
• Control bypass and poor process often make it impossible for
engineers to configure to the requirements of security and
compliance – many times, the requirements are not understood
17

2016 SF ISACA FALL CONFERENCE – “SWEET 16” 19

Center for Internet Security Critical Security
Controls v. 6.1
• Updated by cyber experts based on actual attack data
pulled from a variety of public and private threat
sources.
• CIS Controls are likely to prevent majority of cyber-
attacks.
• Concise, prioritized set of cyber practices created to stop
today's most pervasive and dangerous cyber-attacks.
20

CIS CSC 6.1 Mapped to Rules for Configuration
21
Provide metrics for IT personnel to
understand, continuously diagnose
and mitigate risks, and automate
defenses to ensure compliance with
the controls.
With regard to Critical Security Controls, CSC
“…failure to implement all of the controls that
apply to an organization’s environment constitutes
a lack of reasonable security.”
Kamala Harris, Attorney General, CA Breach
Report 2016

Using CSC CIS to Mitigate Expertise Risk – Prove existence of IT
Security Program at OS, Environment, Device levels
• Map compliance
testing to assertions
of good practice
across enterprise
environments
• Unmet criteria
triggers notification
with steps for
remediation
23

NIST Cybersecurity Framework: The CHALLENGE
US Executive Order 13636 on Improving
Critical Infrastructure Cybersecurity requires
accountability to assure cybersecurity
readiness.
Financial, Communications, Manufacturing,
Defense, Energy, Emergency Services, Food
and Agriculture, Healthcare, IT, Utilities,
Chemical, Water, Nuclear Reactors,
Materials, & Waste and Transportation
sectors are expected to initiate currently
“voluntary” compliance with the NIST
Cybersecurity Framework.
24

NIST CSF provides a cyber security functions model
Identify
CMDB, People,
Process,
Technology,
relationships,
alignment to
controls
Protect
Architecture,
Infrastructure,
Monitoring
Detect
Defined Sources,
Collection,
Interpretation,
Reporting
Methods
Respond
RCA, Corrective
Action,
Management
Meetings, Plans,
Optimization
Targets
Recover
Configuration
baselines,
response plans,
lessons learned,
Wiki,
documentation,
BIA
25

2016 SF ISACA FALL CONFERENCE – “SWEET 16” 26
Assessment Testing Ransomware Exfiltration Mapping Query
AU-9 PROTECTION OF AUDIT INFORMATION AU-9.1 HARDWARE WRITE-ONCE MEDIA
AU-9 PROTECTION OF AUDIT INFORMATION AU-9.2 AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
PE-3 PHYSICAL ACCESS CONTROL PE-3.2 FACILITY/INFORMATION SYSTEM BOUNDARIES
PL-8 INFORMATION SECURITY ARCHITECTURE PL-8.1 DEFENSE-IN-DEPTH
SC-3 SECURITY FUNCTION ISOLATION SC-3.2 ACCESS/FLOW CONTROL FUNCTIONS
SC-7 BOUNDARY PROTECTION SC-7.7 PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
SC-7 BOUNDARY PROTECTION SC-7.10 PREVENT UNAUTHORIZED EXFILTRATION
SI-4 INFORMATION SYSTEM MONITORING SI-4.16 CORRELATE MONITORING INFORMATION
SI-4 INFORMATION SYSTEM MONITORING SI-4.18 ANALYZE TRAFFIC / COVERT EXFILTRATION
Group controls to risks associated with their absence
– Report under the assessment type that matters to your board

CIS CSC and NIST CSF Risk Assessment Context
• CIS Critical Security Controls
AND NIST Cybersecurity
security models play nicely
• You should understand DISA
STIG and CIS Benchmarks in
design of and implementation
of secure configuration
baseline
• You may need to consider if
you are use case A or B
27

Use Case – A or B
Hi, I assess OS for
non-government
systems.
Hi, I assess OS for
government
systems.
I’m A I’m B

Use Cases – How to assess an Operating System
I do that too, but I
use CIS Benchmarks
xccdf.
In government we examine
system rules by scanning
with DISA STIG xccdf.
I run rule checks
using OVALs, CCE,
CVE
I run rule checks
using OVALs, CCE,
CVE too
I’m A I’m B

Use Cases – Do we need DISA?
Nope, we just prioritize as
Level 1 and Level 2 and
end user applies what they
want.
Cool! Do you
classify your target
systems?
I’m A I’m B

Use Cases – Classified v. Non Classified
CIS Benchmarks enable a lot
of assessments, like SOC, CIS
CSC, NIST CSF, HITRUST CSF,
ISO27002, and PCI 3.2 for non
classified environments.
FISMA requires us to use
DISA and map to NIST.
We have to classify our
endpoints.
I’m A I’m B
We also use USGCBs
(United States Government
Configuration Baseline) for
baseline configurations on
Information Technology
products widely deployed
across federal agencies.

Business
Requirements
CIS
Benchmark
DISA STIGS
NIST 53 v4
PCI DSS 3.2
SOC2 2016
HIPAA
HITECH CSF CSF Cyber
Security
Framework
ISO27002
CIS CSC Top
20
Risk
Management
Framework
FedRamp
Customers come
from lots of
industries, but
solutions start by
asking one
question.
YES, the target
environment is
government
classified? I’ll use
DISA
Is the target environment government
classified?
For non classified assessment
models, I’m going to use CIS
Benchmarks to evaluate our host
baseline configurations
Industry and Data Classification

Center for Internet Security – states up to
80% of cyber attacks could be prevented by
• Maintaining an inventory of authorized
and unauthorized devices
• Maintaining an inventory of authorized
and unauthorized software
• Developing and managing secure
configurations for all devices
• Conducting continuous (automated)
vulnerability assessment and remediation
• Actively managing and controlling the use
of administrative privileges
33
• 84 Docker
Container
Policies
• 43 AWS Cloud
Policies
published by CIS
AWS, Azure,
Docker (Cloud)

Gartner Study and Recommendation for AWS
• Gartner’s Strategic Planning Assumption
• Through 2020, 80% of cloud breaches will be due to customer
misconfiguration, mismanaged credentials or insider theft, not
cloud provider vulnerabilities.
• The mismanagement of recommended configuration is both in
and beyond our locus of control, however, cloud breaches
impact everyone’s brand.
34

Automated Risk Analysis Platform must haves
• Cloud Native platform supporting 12-factor patterns (things like port binding, logs,
concurrency…)
• A “hyper plane” of integrated “risk assessment” amongst segmented vulnerability
domains
• Must work with Private, Hybrid, and Public Clouds
• Support AWS, Azure, GCP (Google Cloud Platform)
• Manage thousands of out-of-box policies, well curated and certified (SCAP, XCCDF,
OVAL, CCI)
• Supports current compliance authority (PCI DSS, HIPAA, NIST, SOC2, FedRamp, CIS
Benchmark, DISA, CIS CSC, CSF)
• Have CIS Certified security content (Multiple OS, Docker, AWS Cloud)
• Be AWS Security Certified
20

According To Higher Education Information Security Council ©
2015 EDUCAUSE
• Most institutions that purchase a cyber
policy have limits of $5 million or less and
deductibles of $50,000 or less.
• Policies require attestation to thematurity
of information technology and
information security programs
• Subject to Independent audit of your IT
and IT security
• Inaccuracies may render claims invalid or
provide an opportunity for the insurer to
void the policy altogether.
36
Cyber
Insurance

NACD National Association of Certified Directors
– Cyber Handbook
• How to disclose a cyber event
• NIST Cyber Security Framework, voluntarily measure and
benchmark IT and Security Program effectiveness
• Boards require active reporting on Cyber preparedness
– Understanding risk appetite
– Exposure points
• Directors are exposed by third party dependencies, especially those
dependencies that exist in the cloud
• Credit card issuers and Healthcare providers are increasingly
experiencing recourses against Boards of Directors
3710/27/16

Resilience to Ransomware & Data Exfiltration
• Backup your data
• Keep your anti-virus software current
• Screen emails for phishing/malware
• Authenticate the sources of email
• Sandboxing suspicious software
• http://www.networkworld.com/article/3062901/security/with-some-advanced-preparation-you-can-survive-a-ransomware-attack.html
38
Ransomware &
Data
Exfiltration

Endpoint – user access to
sensitive data, at risk
employees
•Increasing granularity of data
policies and controls
•Start with most sensitive data
in high frequency locations like
email, CRM, financial systems
Network – high volume,
high risk protocols and
exit points
•Increasing monitored
protocols and endpoints
•Start with known
vulnerable algorithms and
protocols (SSL 3, TLS 1.0,
DES, RC4
Storage
•Increasing allowable and
monitored locations for data
•File servers, Exchange DB
•SharePoint, Database Servers
•Virtual Storage CIF
•Web Servers
DLP Policy
Monitoring &
prevention
Discovery &
protection
Crawl, Walk, Run
• Qualitative risk
assessment
• Leverage existing BIA
and Data Retention
Strategy
• Information Security
Threat analysis, and
• Integrate with Goals
for enterprise IT
39

Crawl, walk, run – Be the force
• Understand your environment
• Identify open wounds, stop
bleeding
• Factor risk against attention and
resource, tie out engineering to
audit
• Gain consistency across devices,
environments, businesses
• Achieve continuous automated
risk assessment, stitch greatest
risk into automation in your
continuous compliance platform
40

About Cavirin
Cavirin’s Automated Risk Analysis Platform (ARAP)
is a scalable, extensible fabric that provides instant
security visibility on cloud based (private, hybrid,
and public) infrastructure, offering continuous risk
assessment. Through its agentless discovery
mechanism, ARAP deep scans very large sets of
assets, applying rich “out-of-the-box” policy
covering sought-after security standards,
generating action oriented reports and aligning
actual to best practice and regulatory compliance
requirements. Its open “connector” architecture
allows enterprises to deploy on a hyper-plane that
integrates popular cloud-based assessment
services such as Amazon Inspector, delivering a
business and industry specific reporting enabled
by Scripted Policy Framework.
10/27/16 41
Cavirin services are cloud agnostic, recently
releasing Docker and Azure policy, is an Amazon
Web Services Certified Security vendor, and an
authorized partner for its Inspector service. The
ARAP content library includes PCI DSS, DISA & CIS
Benchmark, CIS Critical Security Controls, ISO
27002, NIST 53 v.4, CSF, SOC2, and HIPAA Common
Security Framework.
Copyright © Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA 95054
robin@cavirin.com https://www.linkedin.com/in/robinbasham

About your speaker: Robin Basham, VP Information Security Risk and
Compliance, & CCO
Robin Basham, M.Ed, M.IT, CISSP, CISA, CGEIT, CRISC, serves as
Cavirin’s Vice President Information Security Risk and Compliance,
providing thought leadership to industries ranging from large
enterprise to soaring SMB, delivering concrete programs that
transform compliance burden to strategic advantage. Robin is a
Certified Information Systems Security, Audit, Governance and Risk
professional, earning multiple master’s degrees in Technology and
Education. She is an Enterprise ICT GRC expert and early adopter in
both certifying and offering certification programs for Cloud and
Virtualization. Industry experience includes program direction,
architecting and management of systems, controls and data for
SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education,
Defense and High Tech. Robin has held positions in Technology as
an Officer at State Street Bank, Lead Process Engineering for a
major New England CLEC, and Sr. Director Enterprise Technology for
multiple advisory firms. Robin has delivered more than 75
compliance engineering products, and run two governance
software companies. Most recently she served as Director
Enterprise Compliance for a major player in the mortgage industry,
Ellie Mae. Robin’s expertise and knowledge are highly recognized in
Boston, Mid Atlantic, Silicon Valley and East Bay, where she has
served hundreds of clients and is a frequent speaker, educator, and
board contributor.
10/27/16
42Copyright © Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA 95054
robin@cavirin.com https://www.linkedin.com/in/robinbasham

Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Recommended

More Related Content

What's hot (20)

Similar to Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule (20)

More from EnterpriseGRC Solutions, Inc. (18)

Recently uploaded (20)

Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule