This document summarizes an ISACA conference that took place in October 2016 in San Francisco. It discusses using the CIS Critical Security Controls and NIST Cybersecurity Framework to achieve cyber threat resilience through tools and automation. It also covers assessing baseline configurations of systems and environments to measure compliance with frameworks like CIS Benchmarks, DISA STIGs, NIST CSF and identifying gaps to prioritize remediation. Lastly, it emphasizes that most cyberattacks can be prevented by maintaining secure baseline configurations of devices and software through continuous monitoring and vulnerability management.
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
1. 2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF
Walk This Way: Using CIS Critical Security Controls and NIST Cybersecurity Framework to accomplish Cyber Threat Resilience – A Tools Approach
Robin Basham, Chief Compliance Officer, VP Information Security Risk & Compliance, Cavirin
Cybersecurity Essentials – E32
2. 2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Cyber Risk Recap: What could go wrong?
• Reputation is a cyber target
• Criminals value information – financial, health, critical infrastructure
• The pace of technology intensifies and blurs dependencies
• We can’t trace, never mind control, our data
• Exfiltration happens
• The role of government and information custody is flat out unclear
3. Cybersecurity Mission: Resilience
• Know the critical assets and who’s responsible for them
• Get everyone involved in cyber-resilience (discovery)
• Assure they have the knowledge and autonomy to make good decisions
• Be prepared for both unsuccessful AND successful attack
• Prevent a cyber attack from throwing the organization into complete chaos.
Continuous Monitoring cycle (diagram): Define → Establish → Implement → Analyze → Report → Respond → Review → Update
4. IT’S ALL GOOD, YOU’RE A ROCK STAR, YOU’RE SUPERHUMAN – YOU CAN HERD CATS
Steve Tyler, lead singer for Aerosmith, is not associated in any capacity to Cavirin. We are inspired by his music.
5. Assessing Things
Assessment models: SOC2 – PCI – NIST CSF – HITRUST – SOX – FedRamp
Control Matrix: COSO – NIST 800-53r4 – Cobit – Risk Management Frameworks
Configuration Rules: CIS – DISA, for example, can be automated for detection
Things: Servers – Routers – Containers – Apps – all have configuration values that can pass or fail
6. Assessing Things – In Reality
Things → Configuration Rules → Controls → Assessment Models (SOC – PCI – CSF – HITRUST – SOX – FedRamp)
Example CIS Benchmark rule: xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators
To establish the recommended configuration via GP, set the following UI path to Administrators:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Impact: If you remove the Load and unload device drivers user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks will not be negatively affected.
7. Security Roles - Environments - Measures
Measures: PCI DSS – SOC2 – HITECH – Cyber Security Framework – ISO27002 – NIST 800-53 r4, Appendix J – CIS CSC Top 20 – DISA STIGS – FedRamp – SIG Due Diligence – RMF, FAIR, COSO ERM
Security roles (CISO): Build Business – Sell Security – Govern Security – Operate Securely – Identity & Access – Risk Management – Legal Interface – Compliance – Security Architecture – Budget Security Roadmap – PMO Security Roadmap
Environments: IaaS – PaaS – SaaS – Cloud – Hybrid Cloud
8. Rules run on Environments – are tagged to controls
Requirements: CIS Benchmark – DISA STIGS – NIST 800-53 v4 – PCI DSS 3.2 – SOC2 2016 – HIPAA – HITECH CSF – CSF Cyber Security Framework – ISO27002 – CIS CSC Top 20 – RMF – FedRamp – CJIS – UK Cyber Essentials – FFIEC – GLBA
Environments: Containers – IaaS – PaaS – SaaS – Cloud – Data Centers – Hybrid Cloud
Assessment Score targets: WIN2008 R1 & R2 – WIN2012 R1 & R2 – CentOS 6 – CentOS 7 – RHEL6 – RHEL7 – UBUNTU12 – UBUNTU14 – AWS EC2 – ESX 5.5 – Azure – Docker – Windows 7 – Windows 10
9. CRAWL THIS WAY
Steve Tyler, lead singer for Aerosmith, is not associated in any capacity to Cavirin.
10. Crawl: Top initiatives to provide most protection
• Control Administrative Privileges
• Limiting Workstation-to-Workstation Communication
• Antivirus File Reputation Services
• Anti-Exploitation
• Host Intrusion Prevention Systems (HIPS)
• Secure Baseline Configuration!!!!!
• Web Domain Name System (DNS) Reputation
• Patching: Take Advantage of Software Improvements
• Segregate Networks and Functions
• Application Whitelisting
• Think about your tools
11. Tools (Solutions) are Overwhelming
Credit to Monument Partners
12. Accountability + Compliance – crawl then walk
• We fear false confidence in published assessment reports.
• CIS Critical Security Controls (Top 20) and NIST Cybersecurity Framework make it possible to organize detected conditions that, left unchecked, would unravel both the company’s investments and controls.
• Using the 80/20 rule, crawl = secure host baseline, walk = CSC and NIST CSF
Sidebar: AWS, Azure, Docker (Cloud) – Ransomware & Data Exfiltration – Cyber Insurance
13. From a cyber perspective, why does managing the configuration baseline matter?
To start, you have to
• Understand your kill chain
• Handle changes to major US regulations
• Transfer cyber risk accountability
• Insurance requires evidence of due diligence, i.e. consistent practice of risk assessment and remediation
• Because lateral movement and exfiltration don’t care which devices are in your audit scope.
• Because there are too many environments and too many things.
Sidebar: AWS, Azure, Docker, Google (Cloud) – Ransomware & Data Exfiltration – Cyber Insurance
14. A successful kill only requires 5 elements
Risk Scenarios (diagram): Events – Resources – Time – Threats – Actors
15. Let’s take out a target
Get access to the target’s outlook calendar (schedule)
Discover the route they travel (location)
Get fake uniforms so we blend in (identity)
Distract the guards (opportunity)
Interrupt the live camera feed so they don’t see us (time)
Purchase a weapon that can’t be traced (malware, spyware…)
Go – Go – Go: Take out the target
Burn down the structure so there’s nothing left, or just encrypt everything and sell the target their own key. (ransomware)
16. To disrupt a kill chain, what do we assess?
• Environment is “hardened” against types of threats
• Limits to bad Actors – technical behaviors
• Time: environments remain resilient to threats (Drift)
• Resources: engineers will not cause us to fail an audit.
Business Requirements (diagram): CIS Benchmark – DISA STIGS – NIST 800-53 v4 – PCI DSS 3.2 – SOC2 2016 – HIPAA – HITECH CSF – CSF Cyber Security Framework – ISO27002 – CIS CSC Top 20 – Risk Management Framework – FedRamp
17. Risk Assessments frame the risk conversation
• Assessments are industry focused and often repeat the same topics
• “Risk” Assessments have context and use an industry approved model (an abstraction) to organize many “things”
• All industries struggle to gather technical evidence of implementing their assessed controls.
• Control bypass and poor process often make it impossible for engineers to configure to the requirements of security and compliance – many times, the requirements are not understood
20. Center for Internet Security Critical Security Controls v. 6.1
• Updated by cyber experts based on actual attack data pulled from a variety of public and private threat sources.
• CIS Controls are likely to prevent the majority of cyber-attacks.
• Concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber-attacks.
21. CIS CSC 6.1 Mapped to Rules for Configuration
Provide metrics for IT personnel to understand, continuously diagnose and mitigate risks, and automate defenses to ensure compliance with the controls.
With regard to Critical Security Controls, CSC “…failure to implement all of the controls that apply to an organization’s environment constitutes a lack of reasonable security.”
– Kamala Harris, Attorney General, CA Breach Report 2016
23. Using CSC CIS to Mitigate Expertise Risk – Prove existence of IT Security Program at OS, Environment, Device levels
• Map compliance testing to assertions of good practice across enterprise environments
• Unmet criteria trigger notification with steps for remediation
24. NIST Cybersecurity Framework: The CHALLENGE
US Executive Order 13636 on Improving Critical Infrastructure Cybersecurity requires accountability to assure cybersecurity readiness.
Financial, Communications, Manufacturing, Defense, Energy, Emergency Services, Food and Agriculture, Healthcare, IT, Utilities, Chemical, Water, Nuclear Reactors, Materials, & Waste and Transportation sectors are expected to initiate currently “voluntary” compliance with the NIST Cybersecurity Framework.
25. NIST CSF provides a cyber security functions model
• Identify: CMDB, People, Process, Technology, relationships, alignment to controls
• Protect: Architecture, Infrastructure, Monitoring
• Detect: Defined Sources, Collection, Interpretation, Reporting Methods
• Respond: RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
• Recover: Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA
26. Assessment Testing – Ransomware / Exfiltration Mapping Query
Control | Control enhancement
AU-9 Protection of Audit Information | AU-9.1 Hardware Write-Once Media
AU-9 Protection of Audit Information | AU-9.2 Audit Backup on Separate Physical Systems / Components
PE-3 Physical Access Control | PE-3.2 Facility/Information System Boundaries
PL-8 Information Security Architecture | PL-8.1 Defense-in-Depth
SC-3 Security Function Isolation | SC-3.2 Access/Flow Control Functions
SC-7 Boundary Protection | SC-7.7 Prevent Split Tunneling for Remote Devices
SC-7 Boundary Protection | SC-7.10 Prevent Unauthorized Exfiltration
SI-4 Information System Monitoring | SI-4.16 Correlate Monitoring Information
SI-4 Information System Monitoring | SI-4.18 Analyze Traffic / Covert Exfiltration
Group controls to risks associated with their absence – Report under the assessment type that matters to your board
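As an added example (not code from the deck or from Cavirin): the rules → controls → risks roll-up that slide 8 and this slide describe, run over a constructed XCCDF result. The control-to-risk grouping is the one in the table above; the xccdf_example_* rule ids and every rule-to-control assignment are hypothetical, and only the first rule id is the CIS rule quoted on slide 6.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: a minimal XCCDF 1.2 TestResult, not real scanner output.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_host1">
  <rule-result idref="xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_logs_shipped_offhost"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_vpn_split_tunnel_disabled"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_egress_dns_filtering"><result>notapplicable</result></rule-result>
</TestResult>"""

# Rule -> control tags. The first rule id is the CIS rule quoted on slide 6; the
# xccdf_example_* rule ids and every control assignment here are hypothetical.
RULE_CONTROLS = {
    "xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators": ["SC-3.2"],
    "xccdf_example_rule_audit_logs_shipped_offhost": ["AU-9.2"],
    "xccdf_example_rule_vpn_split_tunnel_disabled": ["SC-7.7"],
    "xccdf_example_rule_egress_dns_filtering": ["SC-7.10", "SI-4.18"],
}

# Control -> risk grouping, taken from the slide 26 mapping query.
RISK_CONTROLS = {"Ransomware & Data Exfiltration": {
    "AU-9.1", "AU-9.2", "PE-3.2", "PL-8.1", "SC-3.2", "SC-7.7", "SC-7.10", "SI-4.16", "SI-4.18"}}

def parse_rule_results(xml_text):
    """Return {rule_id: result} for each rule-result in an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): rr.findtext("x:result", "unknown", XCCDF_NS)
            for rr in root.findall("x:rule-result", XCCDF_NS)}

def control_status(rule_results, rule_controls=RULE_CONTROLS):
    """A control fails if any rule tagged to it fails or errors, passes if some
    rule passes and none fail, and is 'notchecked' otherwise (e.g. notapplicable)."""
    seen = defaultdict(set)
    for rule, controls in rule_controls.items():
        for c in controls:
            seen[c].add(rule_results.get(rule, "notchecked"))
    return {c: "fail" if r & {"fail", "error"} else "pass" if "pass" in r else "notchecked"
            for c, r in seen.items()}

def risk_report(status, risk_controls=RISK_CONTROLS):
    """Per risk: failed, passed and never-tested controls, plus a coverage score
    (passing controls as a percentage of all controls in the grouping)."""
    report = {}
    for risk, controls in risk_controls.items():
        by = {s: sorted(c for c in controls if status.get(c, "notchecked") == s)
              for s in ("fail", "pass", "notchecked")}
        report[risk] = {"failed": by["fail"], "passed": by["pass"], "untested": by["notchecked"],
                        "score": round(100 * len(by["pass"]) / len(controls))}
    return report
```

The "untested" list is the point a board report usually hides: a grouping with no failing controls is not the same as one whose controls were actually scanned.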
27. CIS CSC and NIST CSF Risk Assessment Context
• CIS Critical Security Controls and NIST Cybersecurity Framework security models play nicely together
• You should understand DISA STIG and CIS Benchmarks in the design and implementation of a secure configuration baseline
• You may need to consider whether you are use case A or B
28. Use Case – A or B
A: Hi, I assess OS for non-government systems.
B: Hi, I assess OS for government systems.
29. Use Cases – How to assess an Operating System
A: I do that too, but I use CIS Benchmarks xccdf.
B: In government we examine system rules by scanning with DISA STIG xccdf.
A: I run rule checks using OVALs, CCE, CVE
B: I run rule checks using OVALs, CCE, CVE too
30. Use Cases – Do we need DISA?
A: Nope, we just prioritize as Level 1 and Level 2 and the end user applies what they want.
B: Cool! Do you classify your target systems?
31. Use Cases – Classified v. Non Classified
A: CIS Benchmarks enable a lot of assessments, like SOC, CIS CSC, NIST CSF, HITRUST CSF, ISO27002, and PCI 3.2 for non classified environments.
B: FISMA requires us to use DISA and map to NIST. We have to classify our endpoints.
B: We also use USGCBs (United States Government Configuration Baseline) for baseline configurations on Information Technology products widely deployed across federal agencies.
32. Industry and Data Classification
Business Requirements (diagram): CIS Benchmark – DISA STIGS – NIST 800-53 v4 – PCI DSS 3.2 – SOC2 2016 – HIPAA – HITECH CSF – CSF Cyber Security Framework – ISO27002 – CIS CSC Top 20 – Risk Management Framework – FedRamp
Customers come from lots of industries, but solutions start by asking one question: Is the target environment government classified?
YES, the target environment is government classified? I’ll use DISA.
For non classified assessment models, I’m going to use CIS Benchmarks to evaluate our host baseline configurations.
33. Center for Internet Security – states up to 80% of cyber attacks could be prevented by
• Maintaining an inventory of authorized and unauthorized devices
• Maintaining an inventory of authorized and unauthorized software
• Developing and managing secure configurations for all devices
• Conducting continuous (automated) vulnerability assessment and remediation
• Actively managing and controlling the use of administrative privileges
Sidebar: AWS, Azure, Docker (Cloud) – 84 Docker Container Policies and 43 AWS Cloud Policies published by CIS
34. Gartner Study and Recommendation for AWS
• Gartner’s Strategic Planning Assumption
• Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.
• The mismanagement of recommended configuration is both in and beyond our locus of control; however, cloud breaches impact everyone’s brand.
35. Automated Risk Analysis Platform must haves
• Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
• A “hyper plane” of integrated “risk assessment” amongst segmented vulnerability domains
• Must work with Private, Hybrid, and Public Clouds
• Support AWS, Azure, GCP (Google Cloud Platform)
• Manage thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL, CCI)
• Supports current compliance authority (PCI DSS, HIPAA, NIST, SOC2, FedRamp, CIS Benchmark, DISA, CIS CSC, CSF)
• Have CIS Certified security content (Multiple OS, Docker, AWS Cloud)
• Be AWS Security Certified
37. NACD National Association of Certified Directors – Cyber Handbook
• How to disclose a cyber event
• NIST Cyber Security Framework, voluntarily measure and benchmark IT and Security Program effectiveness
• Boards require active reporting on Cyber preparedness
  – Understanding risk appetite
  – Exposure points
• Directors are exposed by third party dependencies, especially those dependencies that exist in the cloud
• Credit card issuers and Healthcare providers are increasingly experiencing recourses against Boards of Directors
10/27/16
38. Resilience to Ransomware & Data Exfiltration
• Backup your data
• Keep your anti-virus software current
• Screen emails for phishing/malware
• Authenticate the sources of email
• Sandbox suspicious software
• http://www.networkworld.com/article/3062901/security/with-some-advanced-preparation-you-can-survive-a-ransomware-attack.html
Sidebar: Ransomware & Data Exfiltration
39. DLP Policy – Crawl, Walk, Run
Endpoint – user access to sensitive data, at-risk employees
• Increasing granularity of data policies and controls
• Start with most sensitive data in high frequency locations like email, CRM, financial systems
Network – high volume, high risk protocols and exit points
• Increasing monitored protocols and endpoints
• Start with known vulnerable algorithms and protocols (SSL 3, TLS 1.0, DES, RC4)
Storage
• Increasing allowable and monitored locations for data
• File servers, Exchange DB
• SharePoint, Database Servers
• Virtual Storage CIF
• Web Servers
DLP Policy: Monitoring & prevention – Discovery & protection
Crawl, Walk, Run
• Qualitative risk assessment
• Leverage existing BIA and Data Retention Strategy
• Information Security Threat analysis, and
• Integrate with Goals for enterprise IT
40. Crawl, walk, run – Be the force
• Understand your environment
• Identify open wounds, stop bleeding
• Factor risk against attention and resource, tie out engineering to audit
• Gain consistency across devices, environments, businesses
• Achieve continuous automated risk assessment, stitch greatest risk into automation in your continuous compliance platform