new ise north america leadership summit and awards · 2017. 1. 6. · nominee showcase presentation...
TRANSCRIPT
Nominee Showcase Presentation
#ISEna ISE® North America Leadership Summit and Awards 2013
ISE® North America Leadership Summit and Awards
November 6-7, 2013
Presentation Title: Embracing Cyber Security for Top-to-Bottom Results
Presenter: Larry Wilson
Presenter Title: Chief Information Security Officer
Company Name: University of Massachusetts
University of Massachusetts
• Providing High Quality Education for 140 Years
• 2013 World University Ratings: 42nd of Top 100 Universities
• 5 Campuses + Systems Office
• 72,000 Students
• 17,500 Faculty & Staff
• UMass Online - 120 Degree & Certificate Programs
Embracing Cyber-security for Top-to-Bottom Results
• What’s at Stake
• UMASS Security Program Goals
  – UMASS Security Program Design
  – Building a Controls Wall
• Top 20 CyberSecurity Controls
  – CyberSecurity Technology Architecture
  – CyberSecurity Software Design
  – CyberSecurity Controls Mapping
• UMASS Security Program Operations Center
• CyberSecurity Controls Implementation
• Lessons Learned / Best Practices
What’s at Stake?
Risk of a data breach
• Security Risk: Based on likelihood and impact of the university experiencing an adverse event such as a data breach.
Contributing to Risk
• Threats: Ever changing threat landscape consisting of internal and external threats.
• Vulnerabilities: Decentralized administrative and academic computing environment across the university.
• High Value Assets: Intellectual property, research data, student and employee records, health records, credit cards, etc.
Risk Mitigation
• Controls: Design, build, operate comprehensive set of security controls that safeguard computing and information assets.
(Diagram: High Value Assets; Managed Assets; Unmanaged Assets)
UMASS Security Program Goals
1. Develop university-wide security framework and strategic programs.
2. Invest in security controls to protect critical university assets (Critical Asset Groups):
   CAG-01: People, Identities, Access
   CAG-02: Endpoint Devices
   CAG-03: Business Applications
   CAG-04: Network Security
   CAG-05: Data Center Systems
   CAG-06: University Databases
   CAG-07: University Data
3. Align security controls with industry best practices [ISO 27002, Top 20 Critical Security Controls].
   MGT: Information Security Management and Communications (People Focus)
   CSC: CyberSecurity Controls (Technology Focus)
   GCC: General Computer Controls (Process Focus)
4. Invest in resources (staffing, training) to implement and manage security controls.
5. Develop an implementation roadmap inclusive of all campuses and departments.
6. Establish a comprehensive communication program to increase stakeholder awareness.
UMASS Security Program Design
(Diagram: UMass Information Security Program)
Foundation: ISO 27002; CSCS 20 Critical Security Controls
Policy, Legal, and Regulatory Framework (UMass Security Policy, WISP, Mass Privacy, PCI, SOX, HIPAA, FERPA, …)
• Management & Communications (MGT) (People Focus): Risk Management; Policy / Program; Marketing & Communications; Awareness Training
• Cyber-security Controls (CSC) (Technology Focus): Top 20 Critical Security Controls
• General Computer Controls (GCC) (Process Focus): Secure Applications; IT Operations; Access Controls; Records Retention
Building a Controls Wall
(Diagram: Access to University Data. Allow or Deny Access?)
CAG-01: People, Identity, Access requests access; the controls wall sits in front of CAG-07: University Data.
The wall is built from three sets of controls:
MGT: Security Management Controls (ISO 27002), MGT-01 through MGT-20
CSC: CyberSecurity Controls (CSCS CSCs), CSC-01 through CSC-20
GCC: General Computer Controls (ISO 27002), GCC-01 through GCC-20
Top 20 Critical Security Controls
CSC-01 IT Asset Management
CSC-02 Software Asset Management
CSC-03 System Configuration
CSC-04 Vulnerability Management
CSC-05 Malware Defenses
CSC-06 Application Security
CSC-07 Wireless Devices
CSC-08 Data Recovery
CSC-09 Security Training
CSC-10 Network Configuration
CSC-11 Ports, Protocols, Services
CSC-12 Administrative Privileges
CSC-13 Boundary Defenses
CSC-14 Audit Logs
CSC-15 Controlled Access
CSC-16 Account Monitoring
CSC-17 Data Loss Prevention
CSC-18 Incident Response
CSC-19 Secure Network Engineering
CSC-20 Penetration Testing
CyberSecurity Technology Architecture
(Diagram)
CSCS Critical Controls Database, updated by three engines:
• Scan Engine (Scan Rules): Update
• Monitor Engine (Monitor Rules): Update
• Filter Engine (Filter Rules): Update
Alerting & Reporting Console
Cyber-Security Technology applied to the Critical Asset Groups (Managed & Unmanaged Assets):
CAG-01: Identity, Access, Entitlements
CAG-02: Endpoint Devices
CAG-03: Business Applications
CAG-04: Network Security
CAG-05: Data Center Systems
CAG-06: Databases
CAG-07: University Data
CyberSecurity Software Design
START
Control Requirements (Asset Management): Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the organization network, including servers, workstations, laptops, and remote devices.
Design Requirements:
1. Establish authoritative system of record (controls database)
2. Update with known “managed” assets (GCC Process)
3. Scan rules for unknown “unmanaged” assets (active discovery)
4. Monitor rules for unknown “unmanaged” assets (passive discovery)
5. Filter rules for unknown “unmanaged” assets (access control)
6. Generate Real-time Alerts and Management Reports (Alerting and Reporting Console)
7. Update authoritative system of record (controls database)
Compliance Assessment (Asset Management): Implement, operate, alert and report using processes and tools to track/control/prevent/correct network access by devices (computers, network components, printers, anything with IP addresses) based on an asset inventory of which devices are allowed to connect to the network.
END
(Diagram side labels: Security Assessment; Compliance Assessment)
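The seven design steps above, as an added example that is not part of the presentation or of UMass's tooling: a small Python model of the asset-management (CSC-01) flow, with an authoritative controls database, a managed-asset load, scan and monitor rules that flag unmanaged devices, a filter rule for the allow-or-deny decision, and an alert list plus report. The ControlsDatabase class, its method names, the IP addresses and the flow-record format are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ControlsDatabase:
    """Authoritative system of record (step 1): managed vs. unmanaged devices keyed by IP."""
    managed: dict = field(default_factory=dict)    # ip -> hostname, fed by the GCC process
    unmanaged: dict = field(default_factory=dict)  # ip -> how the device was discovered
    alerts: list = field(default_factory=list)     # real-time alerts (step 6)

    def load_managed(self, records):
        """Steps 2 and 7: load known managed assets; onboarding clears the unmanaged flag."""
        for ip, host in records:
            self.managed[ip] = host
            self.unmanaged.pop(ip, None)

    def scan_rule(self, scanned_ips):
        """Step 3, active discovery: a scanned IP missing from the inventory is unmanaged."""
        for ip in scanned_ips:
            if ip not in self.managed:
                self._flag(ip, "active scan")

    def monitor_rule(self, flow_log):
        """Step 4, passive discovery over constructed flow records '<ts> <src> -> <dst>'."""
        for line in flow_log:
            src = line.split()[1]
            if src not in self.managed:
                self._flag(src, "passive monitor")

    def _flag(self, ip, source):
        if ip not in self.unmanaged:  # alert once per device, not once per sighting
            self.unmanaged[ip] = source
            self.alerts.append(f"UNMANAGED {ip} discovered by {source}")
    def filter_rule(self, ip):
        """Step 5, access control: the allow-or-deny decision at the controls wall."""
        return "allow" if ip in self.managed else "deny"
    def report(self):
        """Step 6, management report: share of inventoried devices that are managed."""
        total = len(self.managed) + len(self.unmanaged)
        pct = round(100.0 * len(self.managed) / total, 1) if total else 100.0
        return {"managed": len(self.managed), "unmanaged": len(self.unmanaged), "compliance_pct": pct}

def run_example():
    """One cycle of the design over constructed data; returns the populated database."""
    db = ControlsDatabase()
    db.load_managed([("10.1.1.10", "srv-web01"), ("10.1.1.11", "srv-db01"), ("10.1.2.20", "lt-alice")])
    db.scan_rule(["10.1.1.10", "10.1.1.11", "10.1.1.50"])  # 10.1.1.50 is not in the inventory
    db.monitor_rule(["t1 10.1.2.20 -> 10.1.1.10", "t2 10.1.2.99 -> 10.1.1.11", "t3 10.1.1.50 -> 10.1.1.11"])
    db.load_managed([("10.1.1.50", "srv-new01")])  # step 7: device onboarded through the GCC process
    return db
```

After the cycle, 10.1.1.50 has moved from unmanaged to managed while 10.1.2.99, seen only in traffic, remains denied and has a single alert; the report shows 4 managed of 5 inventoried devices.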
CyberSecurity Controls Mapping
(Table: each Security Control and its Control Description is mapped against the Critical Asset Groups CAG-01 People, Identity, Access; CAG-02 Endpoint Devices; CAG-03 Business Applications; CAG-04 University Networks; CAG-05 Data Center Systems; CAG-06 Databases; CAG-07 University Data)
CSC-01 Inventory of Authorized and Unauthorized Devices
CSC-02 Inventory of Authorized and Unauthorized Software
CSC-03 System Configuration (servers, laptops, mobile devices)
CSC-04 Continuous Vulnerability Assessment and Remediation
CSC-05 Malware Defenses
CSC-06 Application Software Security
CSC-07 Wireless Device Control
CSC-08 Data Recovery
CSC-09 Security Skills Assessment and Training
CSC-10 Network Configuration (switches, routers, firewalls)
CSC-11 Control of Ports, Protocols, and Services
CSC-12 Control of Administrative Privileges
CSC-13 Boundary Defenses
CSC-14 Maintenance, Monitoring of Audit Logs
CSC-15 Controlled Access based on Need to Know
CSC-16 Account Monitoring
CSC-17 Data Loss Prevention
CSC-18 Incident Response (mapped to every CAG as: Process)
CSC-19 Secure Network Engineering
CSC-20 Penetration Testing & Red Team Exercises (mapped to every CAG as: Assessment)
CyberSecurity Controls Implementation (Example)
Asset Group Action Plan to Comply with University Standards based on Top 20 Critical Security Controls
(Phase 1 / Phase 2 / Phase 3)
CAG-01 People, Identities, Access
1. USecure Program – Continue to implement the USecure program based on CSCS STH
2. Develop University-wide RFP for EndPoint Management Solution
3. SecAdmin Process – University-wide process for managing access to Psoft applications
CAG-02 Endpoint Devices
4. Determine best campus / department for MDM pilot (mobile devices)
5. NAC – Implement NAC to control unmanaged endpoints and servers
6. Establish endpoint security standard (Anti-Virus, file/folder encryption, USB drive encryption)
CAG-03 Business Applications
7. BSIMM – Establish best practices for Software Security
8. WAF – Evaluate Web Application Firewall technologies
CAG-04 Network Security
9. Establish standards for Wireless Networks
10. Next-Gen Firewall – Determine best alternative for Next-Gen Firewall
11. Two Factor AuthN – Two factor authentication (RSA Tokens)
CAG-05 Data Center Systems
12. Vulnerability & Patch Management
13. SIEM – Determine best alternative for SIEM or managed service
14. Central authentication – evaluate technology solutions for central authentication of Linux systems
CAG-06 Databases
15. Database Security – Determine database security strategy & technology
CAG-07 University Data
16. Implement technology to identify, inventory and manage sensitive data
17. Records Administration – establish process for deleting sensitive data via records retention standards
UMASS Security Program Operations Center
(Diagram)
Information Security Operations Center (ISOC) (Build, Buy, Outsource, Cloud): 20 CSCs; CSIRT
Intelligence Feeds: Zero-day Threats, Zero-day Vulnerabilities
Input / Output exchanged with Help Desk, IT Operations, Incident Response Team and Management Team: Advisories & Incidents; Data Breaches; Alerts, Metrics & Reports; Work Requests, Tickets, Audit Findings
Lessons Learned / Best Practices
• Start with the Design: Get management buy-in including budget, resources and timelines.
• Implement in Phases: Quick wins, maximum impact – need success stories!
• Communicate Often: Monthly implementation and compliance reports.
• Work with Partners: Including Council on Cybersecurity, vendors / service providers to improve technology and service offerings.