© 1991 − 2018, CLICO sp. z o.o.
Practical approach to NIS Directive's incident management
Mariusz Stawowski, Ph.D., CISSP, CEH, CCISO

Mandatory critical systems protection and incident reporting – the law obligation of operators of essential services
• Risk management (NISD Art. 14.1) - threats, vulnerabilities and impact assessment of assets covered by the law requirements.
• Assets protection (NISD Art. 14.1) - measures for ensuring the safety of the assets covered by the law requirements.
• Incident management and reporting (NISD Art. 14.2, 14.3, 14.4) - take appropriate measures to prevent and minimize the impact of incidents, and notify the authority of security breaches related to the assets covered by the law requirements.
• Documentation of assets and cybersecurity (NISD Art. 15.2.a) - documentation of assets covered by the law requirements and of the security measures that ensure their safety.

Business-critical: systems whose failure can cause significant tangible or intangible economic costs, e.g., customer accounting system in a bank, e-banking system, etc.
Mission-critical: systems whose failure can cause an inability to complete the overall system or project objectives, e.g., loss of energy or water supply, unavailability of an important industrial process, etc.
Life-critical, safety-critical: systems whose failure can cause loss of life, serious personal injury, or damage to the natural environment.
Critical infrastructure: assets that are essential for the functioning of a society and economy, e.g., electricity generation, transmission and distribution, water supply, public health, transportation systems, telecommunication, banking and financial services, etc.

[Diagram: ICS network architecture. OT zone: control devices (PLC, PAC, RTU, etc.); visualization, supervision and control (SCADA, DCS, HMI, etc.); advanced analytics and data storage (MES, APC, Historian, etc.); OT maintenance. IT zone: LAN, WAN, Internet, VPN, cameras, IP phones and many more. The zones are overlaid with the three criticality classes: business-critical, mission-critical and life-critical systems.]

NIST, Framework for Improving Critical Infrastructure Cybersecurity, April 16, 2018
Risk Management:
1. Identify - understanding the business context, the resources that support critical functions, and the related cybersecurity risks
2. Protect - appropriate safeguards to ensure delivery of critical services
3. Detect - appropriate activities to identify the occurrence of a cybersecurity event
4. Respond - appropriate activities to take action regarding a detected cybersecurity incident (including the ability to contain the impact of a potential cybersecurity incident)
5. Recover - timely recovery to normal operations to reduce the impact from a cybersecurity incident

[Diagram: the same ICS architecture (control devices; SCADA, DCS, HMI; MES, APC, Historian; OT maintenance; IT LAN/WAN, Internet, VPN, cameras, IP phones) with an Industrial/Enterprise DMZ between IT and OT, protected by:]
• FW, VPN & IPS
• Privileged Access Security
• Anti-Malware, etc.

[Diagram: the same ICS architecture with the Industrial/Enterprise DMZ, now with incident detection added across the IT and OT segments.]

Flowmon ADS - Security Intelligence based on Network Behavior Analysis

Incident detection in ICS networks - alerts:
• Unknown DNS requests
• Port scanning (TCP, UDP)
• Network scanning (ICMP, TCP, UDP)
• DNS tunneling
• New IP address in the network
• Anomaly in network behavior
• C&C access attempts (Threat Intelligence)
• New protocol in the network

Variety of analytical methods for efficient incident detection (Flowmon ADS): Machine Learning, Adaptive Baselining, Heuristics, Behavior Patterns, Threat Intelligence

Monitoring of entire attack path - Internet, IT and OT
• From Internet and VPN, business networks to the "deepest" OT
[Diagram: LAN/WAN with Flowmon Probes or NetFlow/IPFIX compatible devices across the Internet, Enterprise, WAN and Industrial segments.]

Flow Export

Start      Duration  Proto  Src IP:Port              Dst IP:Port          Packets  Bytes  …
9:35:24.8  0         TCP    192.168.1.1:10111   ->   10.10.10.10:80       1        40     …
9:35:24.8  0.1       TCP    192.168.1.1:10111   ->   10.10.10.10:80       2        80     …
9:35:25.0  0         TCP    10.10.10.10:80      ->   192.168.1.1:10111    1        40     …
9:35:25.0  0.3       TCP    10.10.10.10:80      ->   192.168.1.1:10111    2        156    …
9:35:25.0  0.5       TCP    10.10.10.10:80      ->   192.168.1.1:10111    3        362    …
9:35:25.0  0.7       TCP    10.10.10.10:80      ->   192.168.1.1:10111    4        862    …
9:35:25.0  0.9       TCP    10.10.10.10:80      ->   192.168.1.1:10111    5        1231   …

Detection of internal threats hidden from network safeguards
• Malware detection by analysis of network access switches
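The table above shows each direction of one HTTP exchange reported several times while the flow is still active, every line carrying cumulative Packets/Bytes counters. A collector that simply summed the lines would count the same packets repeatedly. The Python below is an added example (not Flowmon's code) that parses records in this column layout, keeps the final export per flow key and derives the per-interval increments; the input is the slide's own values, re-typed as a constructed string, and the flow key (start time, protocol, source, destination) is an assumption.

```python
from dataclasses import dataclass


@dataclass
class FlowRecord:
    start: str
    duration: float
    proto: str
    src: str      # "ip:port" as exported
    dst: str      # "ip:port" as exported
    packets: int  # cumulative for the flow at export time
    octets: int   # cumulative bytes for the flow at export time


# Constructed input in the slide's column layout:
# Start Duration Proto Src -> Dst Packets Bytes
SAMPLE_EXPORT = """\
9:35:24.8 0   TCP 192.168.1.1:10111 -> 10.10.10.10:80     1   40
9:35:24.8 0.1 TCP 192.168.1.1:10111 -> 10.10.10.10:80     2   80
9:35:25.0 0   TCP 10.10.10.10:80    -> 192.168.1.1:10111  1   40
9:35:25.0 0.3 TCP 10.10.10.10:80    -> 192.168.1.1:10111  2  156
9:35:25.0 0.5 TCP 10.10.10.10:80    -> 192.168.1.1:10111  3  362
9:35:25.0 0.7 TCP 10.10.10.10:80    -> 192.168.1.1:10111  4  862
9:35:25.0 0.9 TCP 10.10.10.10:80    -> 192.168.1.1:10111  5 1231
"""


def parse_record(line: str) -> FlowRecord:
    """Parse one exported line; reject anything that does not match the layout."""
    fields = line.split()
    if len(fields) != 8 or fields[4] != "->":
        raise ValueError(f"unexpected record layout: {line!r}")
    start, duration, proto, src, _, dst, packets, octets = fields
    return FlowRecord(start, float(duration), proto, src, dst, int(packets), int(octets))


def parse_export(text: str):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def flow_key(r: FlowRecord):
    # Assumed key: the same flow keeps its start time while its counters grow.
    return (r.start, r.proto, r.src, r.dst)


def collapse(records):
    """Keep only the final (longest-duration) export of each flow."""
    latest = {}
    for r in records:
        k = flow_key(r)
        if k not in latest or r.duration >= latest[k].duration:
            latest[k] = r
    return list(latest.values())


def deltas(records):
    """Per-interval (key, packets, bytes) increments, in export order."""
    prev, out = {}, []
    for r in records:
        k = flow_key(r)
        p = prev.get(k)
        out.append((k, r.packets - (p.packets if p else 0),
                    r.octets - (p.octets if p else 0)))
        prev[k] = r
    return out


def totals(records):
    """Correct packet/byte totals: sum the collapsed flows, not every export."""
    final = collapse(records)
    return sum(r.packets for r in final), sum(r.octets for r in final)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("naive sum of packets:", sum(r.packets for r in recs))
    print("collapsed totals (packets, bytes):", totals(recs))
```

On the slide's data the naive sum reports 18 packets where only 7 were actually sent; the collapsed totals and the per-interval deltas agree with each other.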

Network visibility and troubleshooting of IT and OT
• Detailed information about the network, applications and users
• Effective troubleshooting
• Detection of misconfigurations
• Optimization and capacity planning
• Monitoring and analysis of network and application performance
• Anti-DDoS, prevention of overload and network down-time

Simple and cost-effective deployment
Flowmon Probes - stand-alone passive sources of network statistics (NetFlow / IPFIX)
Flowmon Collector - storing, visualization and analysis of network statistics
[Diagram: Network Traffic Monitoring -> Network Statistics Collection & Analysis -> Advanced Analysis of Network Statistics]
• No need to copy all ICS network traffic and transfer it to a central system
• Work modes: network flows, SPAN, Tap
• Very cost-effective solution for ICS security monitoring

Five Keys to effective ICS incident detection
1. Variety of analytical methods for efficient incident detection
   • From machine learning and heuristics to Threat Intelligence
2. Monitoring of entire attack path in Internet, IT and OT
   • From Internet and VPN, business networks to the "deepest" OT
3. Detection of internal threats hidden from network safeguards
   • Malware detection by analysis of network access switches
4. Network visibility and troubleshooting of IT and OT
   • Network visibility and troubleshooting, app performance monitoring, Anti-DDoS
5. Simple and cost-effective deployment in existing ICS networks
   • No need to copy all ICS network traffic and transfer it to a central system

NIST, Framework for Improving Critical Infrastructure Cybersecurity, April 16, 2018
Rigor and sophistication in cybersecurity risk management (Tiers):
1. Partial - organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner
2. Risk Informed - risk management practices are approved by management but may not be established as organization-wide policy
3. Repeatable - the organization's risk management practices are formally approved and expressed as policy
4. Adaptive - the organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators

Integration with SIEM and IT GRC
• Event exporting (syslog based)
• Incident detection (Flowmon ADS) <-> Business Impact (IT GRC)
[Diagram: Network Traffic Monitoring -> (NetFlow, IPFIX) -> Collection and Behavior Analysis (Flowmon Collector & ADS) -> (SYSLOG) -> Event Collection and Correlation]

Incident management workflow and playbook

Business Impact Analysis (BIA) when managing incidents in ICS networks

Summary
EU's NIS Directive enforces cybersecurity requirements on the operators of essential services and providers of critical digital services:
• Risk management
• Assets protection (including critical systems)
• Incident management and reporting
• Documentation of assets and cybersecurity
Recognized security standards and frameworks (e.g. NIST Framework for Improving Critical Infrastructure Cybersecurity) as well as high-quality security management tools can significantly help organizations comply with the new EU cybersecurity law.

Thank you!
Mariusz.Stawowski@clico.pl

More Related Content

What's hot

Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...
padler01
 
1973-16 Tackling the challenges of cyber security_19_03_15
1973-16 Tackling the challenges of cyber security_19_03_151973-16 Tackling the challenges of cyber security_19_03_15
1973-16 Tackling the challenges of cyber security_19_03_15
shed59
 
Aprendizado de máquinas aplicado à segurança cibernética de plantas industriais
Aprendizado de máquinas aplicado à segurança cibernética de plantas industriaisAprendizado de máquinas aplicado à segurança cibernética de plantas industriais
Aprendizado de máquinas aplicado à segurança cibernética de plantas industriais
TI Safe
 

What's hot (20)

CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
What's Next : A Trillion Event Logs, A Million Security Threat
What's Next : A Trillion Event  Logs, A Million Security ThreatWhat's Next : A Trillion Event  Logs, A Million Security Threat
What's Next : A Trillion Event Logs, A Million Security Threat
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance  at CloudSec 2015 Kuala LumpurCybersecurity Assurance  at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
Sb fortinet-nozomi
Sb fortinet-nozomiSb fortinet-nozomi
Sb fortinet-nozomi
 
CyCron 2016
CyCron 2016CyCron 2016
CyCron 2016
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The  Risk Of Cloud Service Providers at Auditworld 2015 ...Auditing & Assessing The  Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
 
Friday Forum ISO 27001: 2013
Friday Forum ISO 27001: 2013Friday Forum ISO 27001: 2013
Friday Forum ISO 27001: 2013
 
Security technologies
Security technologiesSecurity technologies
Security technologies
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...
 
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
Laying the Foundation:  The Need for  Cybersecurity in  U.S. ManufacturingLaying the Foundation:  The Need for  Cybersecurity in  U.S. Manufacturing
Laying the Foundation: The Need for Cybersecurity in U.S. Manufacturing
 
Corporate Cyber Program
Corporate Cyber ProgramCorporate Cyber Program
Corporate Cyber Program
 
How to protect energy distribution for millions of people against cyber attac...
How to protect energy distribution for millions of people against cyber attac...How to protect energy distribution for millions of people against cyber attac...
How to protect energy distribution for millions of people against cyber attac...
 
DFARS & CMMC Overview
DFARS & CMMC Overview DFARS & CMMC Overview
DFARS & CMMC Overview
 
Industrial Control Cyber Security Europe 2015
Industrial Control Cyber Security Europe 2015 Industrial Control Cyber Security Europe 2015
Industrial Control Cyber Security Europe 2015
 
CMMC 2.0 I L1 & L2 Scoping Guidance Explained
CMMC 2.0 I L1 & L2 Scoping Guidance ExplainedCMMC 2.0 I L1 & L2 Scoping Guidance Explained
CMMC 2.0 I L1 & L2 Scoping Guidance Explained
 
Helping Utilities with Cybersecurity Preparedness: The C2M2
Helping Utilities with Cybersecurity Preparedness: The C2M2Helping Utilities with Cybersecurity Preparedness: The C2M2
Helping Utilities with Cybersecurity Preparedness: The C2M2
 
1973-16 Tackling the challenges of cyber security_19_03_15
1973-16 Tackling the challenges of cyber security_19_03_151973-16 Tackling the challenges of cyber security_19_03_15
1973-16 Tackling the challenges of cyber security_19_03_15
 
Aprendizado de máquinas aplicado à segurança cibernética de plantas industriais
Aprendizado de máquinas aplicado à segurança cibernética de plantas industriaisAprendizado de máquinas aplicado à segurança cibernética de plantas industriais
Aprendizado de máquinas aplicado à segurança cibernética de plantas industriais
 
Risk management i
Risk management iRisk management i
Risk management i
 

Similar to Practical approach to NIS Directive's incident management

· Answer the following questions in a 100- to 150 word response .docx
· Answer the following questions in a 100- to 150 word response .docx· Answer the following questions in a 100- to 150 word response .docx
· Answer the following questions in a 100- to 150 word response .docx
oswald1horne84988
 
Airport security 2013 slawomir szlufik
Airport security 2013   slawomir szlufikAirport security 2013   slawomir szlufik
Airport security 2013 slawomir szlufik
Russell Publishing
 

Similar to Practical approach to NIS Directive's incident management (20)

SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
Critical Infrastructure and Cybersecurity Transportation Sector
Critical Infrastructure and Cybersecurity Transportation SectorCritical Infrastructure and Cybersecurity Transportation Sector
Critical Infrastructure and Cybersecurity Transportation Sector
 
Critical Infrastructure Protection against targeted attacks on cyber-physical...
Critical Infrastructure Protection against targeted attacks on cyber-physical...Critical Infrastructure Protection against targeted attacks on cyber-physical...
Critical Infrastructure Protection against targeted attacks on cyber-physical...
 
Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018 Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018
 
· Answer the following questions in a 100- to 150 word response .docx
· Answer the following questions in a 100- to 150 word response .docx· Answer the following questions in a 100- to 150 word response .docx
· Answer the following questions in a 100- to 150 word response .docx
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
 
A Major Revision of the CISRCP Program
A Major Revision of the CISRCP ProgramA Major Revision of the CISRCP Program
A Major Revision of the CISRCP Program
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat Briefing
 
Airport security 2013 slawomir szlufik
Airport security 2013   slawomir szlufikAirport security 2013   slawomir szlufik
Airport security 2013 slawomir szlufik
 
WCIT 2016 Jan Ming Ho
WCIT 2016 Jan Ming HoWCIT 2016 Jan Ming Ho
WCIT 2016 Jan Ming Ho
 
How to discover vulnerabilities in business and mission critical systems
How to discover vulnerabilities in business and mission critical systemsHow to discover vulnerabilities in business and mission critical systems
How to discover vulnerabilities in business and mission critical systems
 
Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...Using cloud services: Compliance with the Security Requirements of the Spanis...
Using cloud services: Compliance with the Security Requirements of the Spanis...
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
 
Dr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational AwarenessDr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational Awareness
 
NIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric UtilitiesNIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric Utilities
 
CEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk ManagementCEP and SOA: An Open Event-Driven Architecture for Risk Management
CEP and SOA: An Open Event-Driven Architecture for Risk Management
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
 
Cybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & ConstructionCybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & Construction
 

More from DATA SECURITY SOLUTIONS

More from DATA SECURITY SOLUTIONS (20)

The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
 
MLM or how to look at company users with new eyes
MLM or how to look at company users with new eyesMLM or how to look at company users with new eyes
MLM or how to look at company users with new eyes
 
The artificial reality of cyber defense
The artificial reality of cyber defenseThe artificial reality of cyber defense
The artificial reality of cyber defense
 
How to maintain business equality secured in network and cloud
How to maintain business equality secured in network and cloudHow to maintain business equality secured in network and cloud
How to maintain business equality secured in network and cloud
 
Forensic tool development with rust
Forensic tool development with rustForensic tool development with rust
Forensic tool development with rust
 
IBM Q-radar security intelligence roadmap
IBM Q-radar security intelligence roadmapIBM Q-radar security intelligence roadmap
IBM Q-radar security intelligence roadmap
 
Transform your enterprise branch with secure sd-wan
Transform your enterprise branch with secure sd-wanTransform your enterprise branch with secure sd-wan
Transform your enterprise branch with secure sd-wan
 
Protecting web aplications with machine learning and security fabric
Protecting web aplications with machine learning and security fabricProtecting web aplications with machine learning and security fabric
Protecting web aplications with machine learning and security fabric
 
Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...
 
When network security is not enough
When network security is not enoughWhen network security is not enough
When network security is not enough
 
New security solutions for next generation of IT
New security solutions for next generation of ITNew security solutions for next generation of IT
New security solutions for next generation of IT
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data
 
Network is the Firewall
Network is the FirewallNetwork is the Firewall
Network is the Firewall
 
Let's hack your mobile device. Yes we can. And many other do.
Let's hack your mobile device. Yes we can. And many other do.Let's hack your mobile device. Yes we can. And many other do.
Let's hack your mobile device. Yes we can. And many other do.
 
Secure enterprise mobility
Secure enterprise mobilitySecure enterprise mobility
Secure enterprise mobility
 
North European Cybersecurity Cluster - an example of the regional trust platf...
North European Cybersecurity Cluster - an example of the regional trust platf...North European Cybersecurity Cluster - an example of the regional trust platf...
North European Cybersecurity Cluster - an example of the regional trust platf...
 
IoT Technologies for Context-Aware Security
IoT Technologies for Context-Aware SecurityIoT Technologies for Context-Aware Security
IoT Technologies for Context-Aware Security
 
Cyber crime as a startup
Cyber crime as a startupCyber crime as a startup
Cyber crime as a startup
 
Services evolution in cybercrime economics
Services evolution in cybercrime economicsServices evolution in cybercrime economics
Services evolution in cybercrime economics
 
FSDI Latvia presentation 2018
FSDI Latvia presentation 2018FSDI Latvia presentation 2018
FSDI Latvia presentation 2018
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Recently uploaded (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Practical approach to NIS Directive's incident management

  • 1. © 1991 − 2018, CLICO sp. z o.o. Practical approach to NIS Directive's incident management Mariusz Stawowski, Ph.D. CISSP, CEH, CCISO
  • 2. © 1991 − 2018, CLICO sp. z o.o. Mandatory critical systems protection and incident reporting – the law obligation of operators of essential services • Risk management (NISD Art. 14.1) - threats, vulnerabilities and impact assessment of assets covered by the law requirements. • Assets protection (NISD Art. 14.1) - measures for ensuring the safety of the assets covered by the law requirements. • Incident management and reporting (NISD Art. 14.2, 14.3, 14.4) - take appropriate measures to prevent and minimize the impact of incidents as well as notify to the authority of security breaches related to the assets covered by the law requirements. • Documentation of assets and cybersecurity (NISD Art. 15.2.a) - documentation of assets covered by the law requirements and security measures that ensure their safety.
  • 3. © 1991 − 2018, CLICO sp. z o.o. Business-critical Systems that failure can cause significant tangible or intangible economic costs, e.g., customer accounting system in a bank, e-banking system, etc. Mission-critical Systems that failure can cause an inability to complete the overall system or project objectives; e.g., loss of energy or water supply, unavailability of an important industrial process, etc. Life-critical, safety-critical Systems that failure can cause loss of life, serious personal injury, or damage to the natural environment. Critical infrastructure Assets that are essential for the functioning of a society and economy, e.g., electricity generation, transmission and distribution, water supply, public health, transportation systems, telecommunication, banking and financial services, etc.
  • 4. © 1991 − 2018, CLICO sp. z o.o. Control devices (PLC, PAC, RTU, etc.) Visualization, supervision and control (SCADA, DCS, HMI, etc.) Advanced analytics and data storage (MES, APC, Historian, etc.) WAN LAN LAN Internet VPN Cameras, IP phones, many more OT Maintenance OT IT Business Critical Systems Mission Critical Systems Life Critical Systems
  • 5. © 1991 − 2018, CLICO sp. z o.o. NIST, Framework for Improving Critical Infrastructure Cybersecurity, April 16, 2018 1. Identify Understanding the business context, the resources that support critical functions, and the related cybersecurity risks 2. Protect Appropriate safeguards to ensure delivery of critical services 3. Detect Appropriate activities to identify the occurrence of a cybersecurity event 4. Respond Appropriate activities to take action regarding a detected cybersecurity incident (including the ability to contain the impact of a potential cybersecurity incident) 5. Recover Timely recovery to normal operations to reduce the impact from a cybersecurity incident Risk Management
  • 6. © 1991 − 2018, CLICO sp. z o.o. Control devices (PLC, PAC, RTU, etc.) Visualization, supervision and control (SCADA, DCS, HMI, etc.) Advanced analytics and data storage (MES, APC, Historian, etc.) WAN LAN LAN Internet VPN Cameras, IP phones, many more OT Maintenance Industrial/ Enterprise DMZ • FW, VPN & IPS • Privileged Access Security • Anti-Malware, etc.
  • 7. © 1991 − 2018, CLICO sp. z o.o. Control devices (PLC, PAC, RTU, etc.) Visualization, supervision and control (SCADA, DCS, HMI, etc.) Advanced analytics and data storage (MES, APC, Historian, etc.) WAN LAN LAN Internet VPN Cameras, IP phones, many more OT Maintenance Industrial/ Enterprise DMZ Incident detection
  • 8. © 1991 − 2018, CLICO sp. z o.o. Flowmon ADS Security Intelligence based on Network Behavior Analysis
  • 9. © 1991 − 2018, CLICO sp. z o.o. Incident detection with ICS networks Unknown DNS requests Port scanning (TCP, UDP) Network scanning (ICMP, TCP, UDP) DNS tunneling New IP address in the network Anomaly in network behavior C&C access attempts (Threat Intelligence) New protocol in the network ALERTS!
  • 10. © 1991 − 2018, CLICO sp. z o.o. Variety of analytical methods for efficient incident detection FlowmonADS Machine Learning Adaptive Baselining Heuristics Behavior Patterns Threat Intelligence
  • 11. © 1991 − 2018, CLICO sp. z o.o. LAN/WAN with Flowmon Probes or NetFlow/IPFIX compatible devices Internet Enterprise Monitoring of entire attack path - Internet, IT and OT • From Internet and VPN, business networks to the "deepest" OT WAN Industrial
  • 12. © 1991 − 2018, CLICO sp. z o.o. Start Duration Proto Src IP:Port Dst IP:Port Packets Bytes … Flow Export 9:35:24.8 0 TCP 192.168.1.1:10111 -> 10.10.10.10:80 1 40 …9:35:24.8 0.1 TCP 192.168.1.1:10111 -> 10.10.10.10:80 2 80 … 9:35:25.0 0 TCP 10.10.10.10:80 -> 192.168.1.1:10111 1 40 …9:35:25.0 0.3 TCP 10.10.10.10:80 -> 192.168.1.1:10111 2 156 …9:35:25.0 0.5 TCP 10.10.10.10:80 -> 192.168.1.1:10111 3 362 …9:35:25.0 0.7 TCP 10.10.10.10:80 -> 192.168.1.1:10111 4 862 …9:35:25.0 0.9 TCP 10.10.10.10:80 -> 192.168.1.1:10111 5 1231 … Detection of internal threats hidden from network safeguards • Malware detection by analysis of network access switches
• 13. Network visibility and troubleshooting of IT and OT
  - Detailed information about network, applications and users
  - Effective troubleshooting
  - Detection of misconfigurations
  - Optimization and capacity planning
  - Monitoring and analysis of network and application performance
  - Anti-DDoS, prevention of overload and network down-time
• 14. Simple and cost-effective deployment
  Flowmon Probes - stand-alone passive sources of network statistics (NetFlow / IPFIX); network traffic monitoring.
  Flowmon Collector - storing, visualization and analysis of network statistics; network statistics collection & analysis; advanced analysis of network statistics.
  - No need to copy all ICS network traffic and transfer it to a central system
  - Work modes: network flows, SPAN, Tap
  - Very cost-effective solution for ICS security monitoring
• 15. Five Keys to effective ICS incident detection
  1. Variety of analytical methods for efficient incident detection
     - From machine learning and heuristics to Threat Intelligence
  2. Monitoring of the entire attack path in Internet, IT and OT
     - From Internet and VPN, business networks to the "deepest" OT
  3. Detection of internal threats hidden from network safeguards
     - Malware detection by analysis of network access switches
  4. Network visibility and troubleshooting of IT and OT
     - Network visibility and troubleshooting, app performance monitoring, Anti-DDoS
  5. Simple and cost-effective deployment in existing ICS networks
     - No need to copy all ICS network traffic and transfer it to a central system
• 16. NIST, Framework for Improving Critical Infrastructure Cybersecurity, April 16, 2018
  Rigor and sophistication in cybersecurity risk management (Implementation Tiers):
  1. Partial - organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner
  2. Risk Informed - risk management practices are approved by management but may not be established as organization-wide policy
  3. Repeatable - the organization's risk management practices are formally approved and expressed as policy
  4. Adaptive - the organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators
• 17. Integration with SIEM and IT GRC (diagram). Network traffic monitoring feeds NetFlow/IPFIX to the Flowmon Collector & ADS (collection and behavior analysis), which exports events over SYSLOG to the SIEM (event collection and correlation).
  - Event exporting (syslog based)
  - Incident detection (Flowmon ADS) <-> Business Impact (IT GRC)
• 18. Incident management workflow and playbook
• 19. Business Impact Analysis (BIA) when managing incidents in ICS networks
• 20. Summary
  The EU's NIS Directive imposes cybersecurity requirements on operators of essential services and digital service providers:
  - Risk management
  - Assets protection (including critical systems)
  - Incident management and reporting
  - Documentation of assets and cybersecurity
  Recognized security standards and frameworks (e.g. the NIST Framework for Improving Critical Infrastructure Cybersecurity), together with high-quality security management tools, can significantly help organizations comply with the new EU cybersecurity law.
• 21. Thank you! Mariusz.Stawowski@clico.pl