In this exclusive webinar, Tony Sager – Chief Technologist of the Council on CyberSecurity – discussed how organizations can implement a third-party-validated, authoritative framework called the 20 Critical Security Controls to prioritize their efforts and make security practical, effective and aligned to the business. Dwayne Melançon, Tripwire’s CTO, joined Sager as the webinar moderator. In this webcast, we: - Discussed how to translate security information into specific and scalable action - Described the remediation plan for the controls, starting with the Top 5 - Discussed how the Council on CyberSecurity uses a community approach to this translation problem to create and sustain the Critical Security Controls. - Discussed how the community will help advise and support your risk management efforts with a formalized framework The full recording of the webcast that accompanies this slide deck is available here: http://www.tripwire.com/register/how-the-20-controls-address-real-threats/

1. How The 20 Controls Address
Real Threats
WITH TONY SAGER AND DWAYNE MELANÇON

4. How the 20 Critical Critical Controls
Address Real Threats
Tony Sager
Chief Technologist, the Council on CyberSecurity

5. Risk = { }
Classic Risk Equation
 Vulnerability, Threat, Consequence
countermeasures

6. 6
standards SDL
supply-chain security
security bulletins
user awareness training
browser isolationtwo-factor authentication
encryption
incident response
security controls
threat intelligence
whitelistingneed-to-know
SIEMvirtualization
sandbox
compliance
maturity model
anti-malware
penetration testing
audit logs
baseline configuration
risk management framework
continuous monitoring
DLP
threat feed
certification
assessment
best practice
governance

7. The Defender’s Challenges
Who can I trust to help me sort thru this?
– “…cut through the fog…”
How do I get a more complete picture?
– ‘’…extend my information ‘reach’…”
What does the data tell me I should do?
– “…translate into prioritized action…”
When will I know if something relevant changes?
– …the variables in Risk change constantly…”
How can I do the right thing – and then prove it?!?
7

8. The Critical Security Controls
8
1 2
3
4
5
6
7
8
9
101112
13
14
15
16
17
18
19
20
1) Inventory of Authorized
and Unauthorized Devices
11) Limitation and Control
of Network Ports,
Protocols and Services
2) Inventory of Authorized and
Unauthorized Software
3) Secure Configurations for
Hardware, Software on Laptops,
Workstations, Servers
4) Continuous Vulnerability
Assessment and Remediation
5) Malware Defense
6) Application
Software Security
7) Mobile Device Control
8) Data Recovery Capability
9) Security Skills Assessment,
Appropriate Training to Fill Gaps
10) Secure Configuration of
Devices such as Firewalls,
Routers, and Switches
20) Penetration Tests and Red
Team Exercises
19) Secure Network Engineering
18) Incident Response Capability
17) Data Protection
15) Controlled Access
Based on Need to Know
14) Maintenance, Monitoring
and Analysis of Audit Logs
13) Boundary Defense
12) Controlled Use of
Administrative Privileges
16) Account Monitoring
and Control

9. Evolving a Threat Model
for the Critical Security Controls
• Gather friends that I trust
• and guide to consensus
• Add thousands of friends
• and repeat
• Translate/map from an authoritative source of data
• Verizon DBIR 2013, 2014
• Add numerous sources of data
• Standardize language, workflow
• Align with Risk Management Frameworks, models
• Building a “Community Threat Model”
9

10. Why a Community Threat Model?
• Extend our information reach
• “volume, velocity, variety”
• Most Enterprises can’t do it on their own
• or cannot do it more than once
• And even if you could, does that make sense…
• in a dynamic, connected world?
• where trust and risk are dynamic, and must be
negotiated?
10

11. The Council on CyberSecurity
Website: www.counciloncybersecurity.org
Email: info@counciloncybersecurity.org
Twitter: @CouncilonCyber
Facebook: Council on CyberSecurity
11

13. DETECTION
REMEDIATION
PREVENTION

14. 20 Critical Security Controls NSA Rank
Tripwire
Solutions
CSC1
Inventory H/W Assets, Criticality,
and Location
Very High
CSC2
Inventory S/W Assets, Criticality,
and Location
Very High
CSC3 Secure Configuration Servers Very High
CSC4
Vulnerability Assessment
and Remediation
Very High
CSC5 Malware Protection High/Medium
CSC6 Application Security High
CSC7 Wireless Device Control High
CSC8 Data Recovery Medium
CSC9 Security Skills Assessment Medium
CSC10 Secure Config-Network High/Medium
CSC11
Limit and Control Network Ports,
Protocols, and Services
High/Medium
CSC12 Control Admin Privileges High/Medium
CSC13 Boundary Defense High/Medium
CSC14
Maintain, Monitor, and Analyze
Audit Logs
Medium
CSC15 “Need-to-Know” Access Medium
CSC16 Account Monitoring and Control Medium
CSC17 Data Loss Prevention Medium/Low
CSC18 Incident Response Medium
CSC19
Secure Network Engineering
(secure coding)
Low
CSC20
Penetration Testing and Red
Team Exercises
Low
Critical Security Controls

15. Critical Security Controls
20 Critical Security Controls NSA Rank
Tripwire
Solutions
CSC1
Inventory H/W Assets, Criticality,
and Location
Very High
CSC2
Inventory S/W Assets, Criticality,
and Location
Very High
CSC3 Secure Configuration Servers Very High
CSC4
Vulnerability Assessment
and Remediation
Very High

18. Tripwire Reporting &
Analytics
Attack Surface
Reduction
APT / MPS
SIEM
Big Data/Security
Analytics
Threat Intelligence

19. DETECTION
GAP
RESPONSE
GAP
PREVENTION
GAP
DETECTION
GAP
RESPONSE
GAP
PREVENTION
GAP
 Discover & profile all IT
infrastructure
 Minimize vulnerabilities and
harden configurations to
reduce threat surface
 Real-time detection of
suspicious behavior
 Forward events of interest to
focus and enrich analysis &
correlation
 Prioritize based on business context
 Identify compromise by comparison
against baseline
 Support forensic & incident response

21. INFO@COUNCILONCYBERSECURITY.ORG
DMELANCON@TRIPWIRE.COM