NIST Cybersecurity Framework (CSF)
TRANSCRIPT
Cybersecurity Framework: MEASURING Security
Dick Bussiere | Technical Director | Asia Pacific
Agenda
• Some opening observations
• What is the NIST Cybersecurity Framework?
• Why should YOU care?
• How would I apply it?
• How would I measure my effectiveness?
Would you drive BLINDFOLDED?
Things to ponder:
• 205 days until a breach is detected (APAC average)
• Can you say with certainty that you are 100% secure?
• Do you know with certainty that you have NOT been breached?
Heard on the street…
• 88% of organizations believe security should be a top or high priority of the business
• 68% of CEOs view security as a top or high priority to the business
• 16% of organizations completely agree that the business has the ability to defend itself from security attacks
A false sense of security? Yet breaches continue to increase at an unprecedented rate. Companies spent $76.9B in 2015 on information security.
Without a Security Framework…
If you can't MEASURE it, you can't CONTROL it.
If you can't MEASURE it, you can't IMPROVE it.
The Survey Says…
Security frameworks guide the way
• 84% leverage a security framework
• Broad range of company sizes
Wide range of frameworks utilized
• 44% used more than one framework
• EOY 2016: CSF (43%), CIS (44%), ISO (44%)
Best practice and requirements drive CSF adoption
• 70% adopted CSF because they consider it best practice
• 29% adopted CSF because a partner required it
Security framework adoption is a journey
• Only 1 in 5 rank their organization as very mature
• More than half of CSF adopters require significant investment to fully conform
Survey conducted by Dimensional Research, March 2016; 316 IT and security professionals interviewed in the US.
Executive Order 13636 (Improving Critical Infrastructure Cybersecurity, February 2013) directed NIST to develop the Framework.
Why Cyber Security Framework?
• Asks the question "what are you doing to improve?" rather than "did you implement control XYZ?"
• Results in a shift from compliance to action and specific outcomes
• Business oriented
• Has a built-in maturity model and gap analysis; no need to overlay another maturity model on top of CSF
• Measures where you are and where you need to go
• Can be implemented "piecemeal" as required, making it more appealing to business
• Repeatable, flexible, technology neutral, cost effective, measurable!
• Common language
Objectives of CSF in a nutshell
• Describe current security posture
• Describe target security posture
• Assess progress towards target posture
• Communicate risk
• Continuous improvement
The Cyber Security Framework at 40,000 feet…
A Framework of Frameworks: the NIST Cybersecurity Framework sits on top of ISO/IEC 27001, CCS CSC, ISA 62443, NIST SP 800-53 and COBIT 5, which it cites as Informative References.
Three components:
• Framework Profile (where you are and where you want to go): defines (measures) the current state; defines (measures) the desired state
• Framework Implementation Tiers (how you view cybersecurity): four Tiers that show how cybersecurity risks and processes are viewed within an organization; the required Tier is based on a perceived risk/benefit analysis
• CSF Core (what it does): Identify, Protect, Detect, Respond, Recover
CSF Component 1 – Framework Core
5 core CSF Functions explained…
• Identify: understand what's important to the business and what the risks are
• Protect: develop safeguards to ensure CIA (confidentiality, integrity, availability)
• Detect: find bad things
• Respond: what you do when bad things happen
• Recover: how to restore what the bad guys broke
Structure Example
Each Function has a unique identifier, each Category a unique identifier, and each Subcategory states an outcome backed by Informative References:
Function: ID (Identify)
Category: ID.AM (Asset Management)
• ID.AM-1: Physical devices within the organization are inventoried. Informative References: CCS CSC 1, COBIT 5, ISA 62443-2-1:2009
• ID.AM-2: Software platforms and applications within the organization are inventoried. Informative References: CCS CSC 1, COBIT 5, ISA 62443-2-1:2009
Everything kinda looks the same…
Use CSF as an ingredient to a custom control framework: your risk profile, requirements and resources drive a tailored control framework drawn from ISO/IEC 27001, the NIST Cybersecurity Framework and ISA 62443.
Use CSF to "normalize" existing frameworks to a common language: the NIST Cybersecurity Framework acts as a "normalization layer" over ISO/IEC 27001, CIS Critical Security Controls and ISA 62443, with your risk profile, requirements and resources as the inputs.
CSF Component 2 – Framework Implementation Tiers
How cybersecurity risks and processes are viewed within the organization, in increasing sophistication:
• Tier 1: Partial
• Tier 2: Risk Informed
• Tier 3: Repeatable
• Tier 4: Adaptive
CSF Component 3 – Framework Profile
• Presents an overview of present and future cybersecurity posture, driven by business requirements, risk tolerance and resources
• Used to define the current state and the desired state
• Can help measure progress…
A Common Language for All Levels
• Executive level. Focus: organizational risk. Actions: risk decisions, priorities. Passes priorities, risk appetite and budget down; receives status and changes in risk back up.
• Process level. Focus: risk management. Actions: select Profile, allocate budget. Passes the Framework Profile down; receives implementation progress back up.
• Operations level. Focus: risk management implementation. Actions: secure infrastructure, implement Profile. Works from vulnerabilities, threats and assets.
Process
• Prioritize and scope: business objectives, priorities, strategy
• Orient: related systems, assets, regulations
• Risk assessment: exposure, tolerance
• Create Current Profile: where you are now
• Create Target Profile: where you need to be
• Gap analysis: delta between Current and Target
• Action plan
• MEASURE, then repeat
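The Current Profile, Target Profile and gap analysis steps above can be made concrete in code. The following is an added example written for this page; it is not from the deck and not Tenable's planning tool. It assumes that each subcategory is scored with a Tier value (NIST applies Tiers to the organization as a whole; per-subcategory scoring is this example's simplification), uses ID.AM-1 and ID.AM-2 as the Structure Example slide states them, and adds three further subcategories (PR.AC-1, DE.CM-1, RS.RP-1) whose wording is recalled from CSF v1.0 and should be checked against the published Core. The two sample Profiles are constructed, not measured data.

```python
"""Added example: minimal CSF Core model plus Current/Target gap analysis."""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    # Used here as a per-subcategory score; an assumption of this example.
    PARTIAL = 1
    RISK_INFORMED = 2
    REPEATABLE = 3
    ADAPTIVE = 4


@dataclass(frozen=True)
class Subcategory:
    id: str            # "<Function>.<Category>-<n>", e.g. "ID.AM-1"
    outcome: str
    references: tuple  # Informative References
    @property
    def function(self) -> str:
        return self.id.split(".", 1)[0]


# Function order as the slides present it.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# ID.AM-1/ID.AM-2 follow the Structure Example slide; the other three are
# recalled from CSF v1.0 and should be checked against the published Core.
CORE = (
    Subcategory("ID.AM-1", "Physical devices within the organization are inventoried",
                ("CCS CSC 1", "COBIT 5", "ISA 62443-2-1:2009")),
    Subcategory("ID.AM-2", "Software platforms and applications within the organization are inventoried",
                ("CCS CSC 1", "COBIT 5", "ISA 62443-2-1:2009")),
    Subcategory("PR.AC-1", "Identities and credentials are managed for authorized devices and users", ()),
    Subcategory("DE.CM-1", "The network is monitored to detect potential cybersecurity events", ()),
    Subcategory("RS.RP-1", "Response plan is executed during or after an event", ()),
)
CORE_BY_ID = {s.id: s for s in CORE}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: Tier
    target: Tier
    @property
    def delta(self) -> int:
        return int(self.target) - int(self.current)


def validate_profile(profile: dict) -> None:
    """A Profile scores every Core subcategory, and nothing else."""
    unknown = set(profile) - set(CORE_BY_ID)
    missing = set(CORE_BY_ID) - set(profile)
    if unknown or missing:
        raise ValueError(f"unknown={sorted(unknown)} missing={sorted(missing)}")


def gap_analysis(current: dict, target: dict) -> list:
    """Subcategories where Target exceeds Current, largest delta first,
    ties broken by Function order (Identify before Protect, ...)."""
    validate_profile(current)
    validate_profile(target)
    order = list(FUNCTIONS)
    gaps = [Gap(sid, current[sid], target[sid])
            for sid in CORE_BY_ID if target[sid] > current[sid]]
    return sorted(gaps, key=lambda g: (
        -g.delta, order.index(CORE_BY_ID[g.subcategory].function), g.subcategory))


def function_rollup(profile: dict) -> dict:
    """Average Tier per Function: the summary the executive level sees.
    Functions with no scored subcategory are omitted rather than faked."""
    validate_profile(profile)
    rollup = {}
    for code, name in FUNCTIONS.items():
        scores = [int(t) for sid, t in profile.items()
                  if CORE_BY_ID[sid].function == code]
        if scores:
            rollup[name] = round(sum(scores) / len(scores), 2)
    return rollup


def progress(baseline: dict, now: dict, target: dict) -> float:
    """Fraction of the baseline-to-target delta closed so far (0.0 .. 1.0)."""
    total = sum(g.delta for g in gap_analysis(baseline, target))
    remaining = sum(g.delta for g in gap_analysis(now, target))
    return 1.0 if total == 0 else round(1 - remaining / total, 2)


# Constructed sample Profiles for illustration, not survey or customer data.
CURRENT = {"ID.AM-1": Tier.RISK_INFORMED, "ID.AM-2": Tier.PARTIAL,
           "PR.AC-1": Tier.REPEATABLE, "DE.CM-1": Tier.PARTIAL,
           "RS.RP-1": Tier.RISK_INFORMED}
TARGET = {"ID.AM-1": Tier.REPEATABLE, "ID.AM-2": Tier.REPEATABLE,
          "PR.AC-1": Tier.REPEATABLE, "DE.CM-1": Tier.ADAPTIVE,
          "RS.RP-1": Tier.REPEATABLE}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET):  # the Action Plan, in priority order
        print(f"{g.subcategory}: {g.current.name} -> {g.target.name} (+{g.delta})")
    print(function_rollup(CURRENT))
```

The ordering in gap_analysis is the Action Plan: largest deltas first, so the Detect gap (Partial to Adaptive) lands at the top ahead of smaller Identify and Respond gaps. The strict validate_profile check matters in practice: a Profile that silently omits a subcategory will report a cleaner posture than the organization has, and an unknown identifier usually means two teams are scoring different versions of the Core. progress gives the MEASURE step a single number to report upward without hiding which subcategories are still open.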
How is CSF Different?
• Expresses cybersecurity activities in a common language
• Leverages existing standards; does not reinvent the wheel; existing processes and guidelines can be mapped into CSF
• Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives
• Provides a vehicle to effectively measure cybersecurity effectiveness independent of the existing framework
How does CSF help you? CSF helps you to do all these great things…
• Reduce chance of breach and liability
• Ability to know status "on the fly"
• Communicate adherence to business, business partners, customers and auditors
• Meet contractual obligations
• Prioritize and evaluate security investments
• Reduce resource drain and impact of multiple audits
Gartner says: "The CSF is an absolute minimum of guidance for new or existing cybersecurity risk programs…"*
Gartner predicts: "By 2020, more than 50 percent of organizations will use the NIST Cybersecurity Framework, up from the current 30 percent in 2015."*
*Gartner webinar: Using the NIST Cybersecurity Framework, https://www.gartner.com/user/registration/webinar?resId=3163821
To MEASURE, you need DATA… and MORE DATA…
Ingredients to measuring compliance:
• Endpoint assessment
• Network monitoring
• Event monitoring
• Analytics
Three Year Action Plan Tool:
http://www.tenable.com/whitepapers/nist-csf-implementation-planning-tool
Contact me: [email protected]
Website: http://www.tenable.com
blog.tenable.com | tenable.com/podcast | youtube.com/tenablesecurity | discussions.nessus.org
Thank You. Dick Bussiere | Technical Director | Asia Pacific