In this exclusive webinar, Tony Sager – Chief Technologist of the Council on CyberSecurity – discussed how organizations can implement a third-party-validated, authoritative framework called the 20 Critical Security Controls to prioritize their efforts and make security practical, effective and aligned to the business.
Dwayne Melançon, Tripwire’s CTO, joined Sager as the webinar moderator.
In this webcast, we:
- Discussed how to translate security information into specific and scalable action
- Described the remediation plan for the controls, starting with the Top 5
- Discussed how the Council on CyberSecurity uses a community approach to this translation problem to create and sustain the Critical Security Controls.
- Discussed how the community will help advise and support your risk management efforts with a formalized framework
The full recording of the webcast that accompanies this slide deck is available here: http://www.tripwire.com/register/how-the-20-controls-address-real-threats/
6. Word cloud of security terms: standards, SDL, supply-chain security, security bulletins, user awareness training, browser isolation, two-factor authentication, encryption, incident response, security controls, threat intelligence, whitelisting, need-to-know, SIEM, virtualization, sandbox, compliance, maturity model, anti-malware, penetration testing, audit logs, baseline configuration, risk management framework, continuous monitoring, DLP, threat feed, certification, assessment, best practice, governance
7. The Defender’s Challenges
Who can I trust to help me sort thru this?
– “…cut through the fog…”
How do I get a more complete picture?
– “…extend my information ‘reach’…”
What does the data tell me I should do?
– “…translate into prioritized action…”
When will I know if something relevant changes?
– “…the variables in Risk change constantly…”
How can I do the right thing – and then prove it?!?
8. The Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware, Software on Laptops, Workstations, Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Mobile Device Control
8) Data Recovery Capability
9) Security Skills Assessment, Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
9. Evolving a Threat Model for the Critical Security Controls
• Gather friends that I trust
  • and guide to consensus
• Add thousands of friends
  • and repeat
• Translate/map from an authoritative source of data
  • Verizon DBIR 2013, 2014
• Add numerous sources of data
• Standardize language, workflow
• Align with Risk Management Frameworks, models
• Building a “Community Threat Model”
10. Why a Community Threat Model?
• Extend our information reach
  • “volume, velocity, variety”
• Most Enterprises can’t do it on their own
  • or cannot do it more than once
• And even if you could, does that make sense…
  • in a dynamic, connected world?
  • where trust and risk are dynamic, and must be negotiated?
11. The Council on CyberSecurity
Website: www.counciloncybersecurity.org
Email: info@counciloncybersecurity.org
Twitter: @CouncilonCyber
Facebook: Council on CyberSecurity
14. 20 Critical Security Controls, NSA Rank, Tripwire Solutions

| Control | 20 Critical Security Controls | NSA Rank | Tripwire Solutions |
|---|---|---|---|
| CSC1 | Inventory H/W Assets, Criticality, and Location | Very High | |
| CSC2 | Inventory S/W Assets, Criticality, and Location | Very High | |
| CSC3 | Secure Configuration Servers | Very High | |
| CSC4 | Vulnerability Assessment and Remediation | Very High | |
| CSC5 | Malware Protection | High/Medium | |
| CSC6 | Application Security | High | |
| CSC7 | Wireless Device Control | High | |
| CSC8 | Data Recovery | Medium | |
| CSC9 | Security Skills Assessment | Medium | |
| CSC10 | Secure Config-Network | High/Medium | |
| CSC11 | Limit and Control Network Ports, Protocols, and Services | High/Medium | |
| CSC12 | Control Admin Privileges | High/Medium | |
| CSC13 | Boundary Defense | High/Medium | |
| CSC14 | Maintain, Monitor, and Analyze Audit Logs | Medium | |
| CSC15 | “Need-to-Know” Access | Medium | |
| CSC16 | Account Monitoring and Control | Medium | |
| CSC17 | Data Loss Prevention | Medium/Low | |
| CSC18 | Incident Response | Medium | |
| CSC19 | Secure Network Engineering (secure coding) | Low | |
| CSC20 | Penetration Testing and Red Team Exercises | Low | |
15. Critical Security Controls

| Control | 20 Critical Security Controls | NSA Rank | Tripwire Solutions |
|---|---|---|---|
| CSC1 | Inventory H/W Assets, Criticality, and Location | Very High | |
| CSC2 | Inventory S/W Assets, Criticality, and Location | Very High | |
| CSC3 | Secure Configuration Servers | Very High | |
| CSC4 | Vulnerability Assessment and Remediation | Very High | |
19. Detection Gap, Response Gap, Prevention Gap
- Discover & profile all IT infrastructure
- Minimize vulnerabilities and harden configurations to reduce threat surface
- Real-time detection of suspicious behavior
- Forward events of interest to focus and enrich analysis & correlation
- Prioritize based on business context
- Identify compromise by comparison against baseline
- Support forensic & incident response
Many times you have heard the phrase in security, “it’s not a matter of if you have been breached, but when.” I would like to add to that: it is also important to identify how long you have been exposed, or simply to be able to detect whether you have been breached in the first place.
The enterprise threat gap is a model that helps us illustrate the amount of time that passes through three critical phases.
The detection gap is the time it takes to discover an actual compromise and identify its scope.
The remediation gap is the time between that detection and the point at which the damage has been limited.
The preventive gap is the time it takes to avoid repeated or similar attacks.
This process allows you to answer three key questions for the business:
- Have we been breached?
- How bad is it?
- Can we avoid this happening again?
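The slide above lists “identify compromise by comparison against baseline” as the capability that closes the detection gap, and the first four controls (hardware inventory, software inventory, secure configuration, vulnerability remediation) are what such a baseline records. The following Python is an added example, not code from the webinar, from Tripwire or from the Council: it stores a constructed approved state for one host (file digests, installed packages, listening ports), diffs a later snapshot against it, and rates each change by the criticality of what moved. Every path, package version, port and the severity policy is constructed for the example.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Set, Tuple

# A finding is (severity, category, description).
Finding = Tuple[str, str, str]

# Constructed policy: changes to these files are rated high because they govern
# remote access and local accounts (the CSC 3 / CSC 12 territory).
CRITICAL_FILES: Set[str] = {"/etc/ssh/sshd_config", "/etc/passwd", "/etc/sudoers"}


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Reduce file contents to SHA-256 digests; a baseline stores digests, not content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


# Constructed baseline: the approved state captured after the host was hardened.
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n",
    "/etc/motd": b"Authorized use only.\n",
}
BASELINE = {
    "file_hashes": hash_files(BASELINE_FILES),
    "packages": {"openssh-server": "9.6p1", "sudo": "1.9.15"},
    "listening_ports": {22},
}

# Constructed later snapshot with four changes: a critical config edit, a new
# cron file, a package nobody approved, and a new listening port.
CURRENT = {
    "files": {
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
        "/etc/passwd": BASELINE_FILES["/etc/passwd"],
        "/etc/motd": BASELINE_FILES["/etc/motd"],
        "/etc/cron.d/nightly": b"0 2 * * * root /opt/backup.sh\n",
    },
    "packages": {"openssh-server": "9.6p1", "sudo": "1.9.15", "telnetd": "0.17"},
    "listening_ports": {22, 8080},
}


def compare_state(baseline: dict, current: dict) -> List[Finding]:
    """Diff a live snapshot against the baseline and return rated findings."""
    findings: List[Finding] = []

    # File integrity (CSC 3): added, removed and modified files, judged by digest.
    base_hashes = baseline["file_hashes"]
    cur_hashes = hash_files(current["files"])
    for path in sorted(set(base_hashes) | set(cur_hashes)):
        severity = "high" if path in CRITICAL_FILES else "medium"
        if path not in cur_hashes:
            findings.append((severity, "file", f"removed: {path}"))
        elif path not in base_hashes:
            findings.append((severity, "file", f"added: {path}"))
        elif base_hashes[path] != cur_hashes[path]:
            findings.append((severity, "file", f"modified: {path}"))

    # Software inventory (CSC 2): packages that appeared, vanished or changed version.
    base_pkgs, cur_pkgs = baseline["packages"], current["packages"]
    for name in sorted(set(base_pkgs) | set(cur_pkgs)):
        if name not in cur_pkgs:
            findings.append(("medium", "package", f"removed: {name} {base_pkgs[name]}"))
        elif name not in base_pkgs:
            findings.append(("medium", "package", f"added: {name} {cur_pkgs[name]}"))
        elif base_pkgs[name] != cur_pkgs[name]:
            findings.append(("medium", "package",
                             f"changed: {name} {base_pkgs[name]} -> {cur_pkgs[name]}"))

    # Ports and services (CSC 11): an unapproved listener is high, a closed one medium.
    for port in sorted(current["listening_ports"] - baseline["listening_ports"]):
        findings.append(("high", "port", f"added: {port}"))
    for port in sorted(baseline["listening_ports"] - current["listening_ports"]):
        findings.append(("medium", "port", f"removed: {port}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the worst can be worked first."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for severity, category, description in sorted(compare_state(BASELINE, CURRENT)):
        print(f"{severity:6} {category:8} {description}")
    print(summarize(compare_state(BASELINE, CURRENT)))
```

The design point is that the baseline holds digests and inventories rather than raw content, so a collector can ship small snapshots frequently and the comparison stays cheap; severity comes from a policy over asset criticality, which is how “prioritize based on business context” turns a pile of changes into an ordered work list. Run it and the `PermitRootLogin` edit and the new port surface as high before the cron file and the extra package.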
Insert Slide
- Their mission statement and a picture of Jane and Tony
- Policy, manpower and technology
JBJ to talk about meetings and the success of those meetings
Mercantile win (from Tony)
Technology slide with controls: we are the technology
You have to do the first 4 controls, again and again and again
Industry is coming around to this; industry says this is what you should do
Controls are less important
Council for Cyber Security
Focus on the 20 CSC, Council for Cyber Security…
Tripwire core competency is collecting data; the challenge is that humans cannot deal with it
Driving Effective Security and Compliance, done on top of a bed of real system state intelligence
Driven by
VM: big change, VM assessment instantly