Cyber Security Framework: Intel’s Implementation Pilot
Tim Casey, CISSP, Senior Strategic Risk Analyst, @timcaseycyber

Posted on 17-Dec-2015


Page 1

Cyber Security Framework: Intel’s Implementation Pilot
Tim Casey, CISSP, Senior Strategic Risk Analyst
@timcaseycyber

Page 2

Background

Page 3

A Changing Landscape Drives Security

Challenges are increasing in size, intensity, and complexity over time.

[Chart: Data Aggregation & Amount of Valuable Data; Number of Connected People]

A security program must keep pace with the evolving threat landscape. It must become an intrinsic part of the enterprise that grows along with it.

Page 4

EO 13636 addresses the lack of robust security within the U.S. cyber-ecosystem with a tool to jump-start good security programs

• Developed over a year as a joint project between NIST and U.S. industry, with international participation
• Uses existing industry models and best practices
• Comprised of a Risk Management Framework and a Maturity Model
• Initial pilots have shown it is flexible, extensible, and easily tailored to individual environments

The Framework is a tool to help create a harmonized risk management approach – it is NOT a compliance checklist!

Page 5

National Cybersecurity Framework Structure

Framework
• Core
• Tiers
• Profiles
• Illustrative Examples
• References
• Executive Overview

Governance
• Define “Critical Infrastructure”
• Voluntary Program
• Metrics
• Incentives

Page 6

Top Concerns of Industry

• Alignment to existing practices

• Privacy

• Adoption

• Governance

• Minimizing regulatory impacts

• Critical Infrastructure vagueness

• DHS Voluntary Program Development

Page 7

The Cybersecurity Framework

Page 8

The Framework helps build or augment a security program that equips the enterprise to keep pace with the evolving threats

• Establish the right level of security for your environment
• Inform cybersecurity budget planning
• Communicate cyber risks comprehensively to Senior Leadership
• Harmonize cybersecurity approaches and provide a common language

Page 9

Framework Core

Categories
Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational confidentiality, integrity, and availability requirements.

Subcategories
PR.DS-1: Protect data (including physical records) during storage to achieve confidentiality, integrity, and availability goals

References
• COBIT APO01.06, BAI02.01
• ISO/IEC 27001 A.15.1.3
• CCS CSC 17
• NIST SP 800-53 Rev 4 SC-28

Page 10

Framework Profiles

[Figure: PROFILE EXAMPLE – Tiers (Tier 3: Adaptive; Tier 2: Repeatable; Tier 1: Risk-Informed; Tier 0: Partial) and GAPS]

Page 11

Intel’s CSF Pilot

Page 12

Alignment Strategy: 3-Tiered Approach

Infrastructure
• Align macro-level risk management practices to CSF
• Perform initial CSF assessment against infrastructure

Product
• Explore mapping of products and services capabilities to CSF
• Examine product assurance initiatives (SDL, etc.) through CSF lens

Supply Chain/Third Party Contracting
• Examine and potentially pilot contracting updates to align to CSF language

[Marker: We are here]

Page 13

Infrastructure Risk – Using the CSF

Assessment matrix: Functions and Categories (rows) across Design | Office | Manufacturing | Enterprise | Services (columns)

Identify: Business Environment; Asset Management; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness/Training; Data Security; Protective Process and Procedures; Maintenance; Protective Technologies
Detect: Anomalies/Events; Security Continuous Monitoring; Detection Process; Threat Intelligence
Respond: Response Planning; Communication; Analysis; Mitigations; Improvements
Recover: Recovery Planning; Improvements; Communications

Goals
• Use CSF to establish alignment on risk tolerance
• Inform budget planning for 2015
• Communicate risk heat map to Senior Leadership
• CSF as risk management approach, NOT a compliance checklist

Strategy
• Utilize DOMES approach (Design, Office, Manufacturing, Enterprise, Services): enables a holistic view across the infrastructure while enabling a cross-sectional view of our business
• Focus on OFFICE and ENTERPRISE initially

Page 14

Infrastructure Assessment Process

Set Targets
• Establish Core Group (key SMEs and Managers)
• F2F session with Core Group to set targets and score actuals (2x4 hour sessions / 8-10 SMEs)
• Create tailored Subcategories
• Validate Targets with Decision Makers (CISO & Staff)

Assess Current State
• Identify Key SME Scorers
• Train SMEs
• SMEs use tools to self score

Analyze Results
• Aggregate individual SME roll-up with Core Team actuals and compare to Targets
• Use simple heat map to identify gaps >1
• Drill down on subcategories for identified gaps >1 to identify key issues

Communicate Results
• Review findings & recommendations with CISO & Staff
• Inform impacted Managers to ensure prioritization feeds into budget and planning cycles
• Brief Senior Leadership on findings and resulting recommendations

Page 15

Assessment Tool – SME & Core Team

Subcategory scoring confused participants. Recommend changing to Heat Map (Over/Under).

Key Learning: Scorers do not need to know Target.

Page 16

Tiers – People, Process, Technology & Ecosystem

• Need to harmonize wording (staff, personnel, etc.)
• Need to refine ‘seams’ between Tiers
• Need to clarify scope of dimension quality when using in categories

Overall: Tier definitions worked well for participants

Page 17

Assessment Tool: SME Rollup Sample

[Notional/example-only chart: SME rollup with one column per scorer]

Page 18

SME Rollup – Unexpected Benefits #1

[Notional/example-only chart]

Evaluating by functional area provided greater insights

Page 19

SME Rollup – Unexpected Benefits #2

[Notional/example-only chart]

Mapping highlighted outliers and major differences

Page 20

Assessment Tool: SME/CORE/TARGET Roll Up

[Notional/example-only chart]

• High 2’s – focus areas stand out
• Significant differences between Core and individual scores can highlight visibility issues
• Results matched “gut check” expectations
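The roll-up from the assessment process (Core group sets Targets and scores actuals, SMEs self-score without knowing the Target, a heat map flags gaps >1 for drill-down) together with the Core-versus-individual comparison on this slide, as an added Python example that is not Intel's tool. Per Category it computes the over/under status, the gap, the drill-down flag, and a flag for a wide Core/SME spread; the spread threshold, the function names and all sample scores are constructed assumptions.

```python
"""Roll up CSF scores as Intel's pilot describes (added example, not the deck's
own tool). Per Category: a Target tier set by the Core group, the Core team's
scored actual, and individual SME actuals (Tiers 0-3). Gap = target - core;
gaps > 1 are drill-down candidates; a wide spread between the Core score and
the SME average is flagged as a possible visibility issue (assumed threshold)."""
from statistics import mean

TIERS = {0: "Partial", 1: "Risk-Informed", 2: "Repeatable", 3: "Adaptive"}
GAP_THRESHOLD = 1        # the deck drills down on gaps > 1
SPREAD_THRESHOLD = 1.0   # assumed: |core - mean(SME)| at or above this is notable

# Constructed sample: (Function, Category) -> (target, core_actual, [SME actuals])
SAMPLE = {
    ("Identify", "Asset Management"):             (3, 2, [2, 2, 3, 2]),
    ("Protect", "Data Security"):                 (3, 1, [1, 2, 1, 1]),
    ("Detect", "Security Continuous Monitoring"): (2, 2, [1, 1, 2, 1]),
    ("Detect", "Threat Intelligence"):            (2, 0, [2, 2, 1, 2]),
    ("Respond", "Mitigations"):                   (2, 2, [2, 3, 2, 2]),
    ("Recover", "Recovery Planning"):             (1, 2, [2, 2, 2, 2]),
}

def rollup(scores, gap_threshold=GAP_THRESHOLD, spread_threshold=SPREAD_THRESHOLD):
    """One dict per Category: gap, over/under status, drill-down and spread flags."""
    rows = []
    for (function, category), (target, core, sme) in scores.items():
        sme_avg = mean(sme)
        gap = target - core
        rows.append({
            "function": function, "category": category,
            "target": target, "core": core, "sme_avg": sme_avg, "gap": gap,
            "over_under": "UNDER" if gap > 0 else "OVER" if gap < 0 else "ON TARGET",
            "drill_down": gap > gap_threshold,  # the "high 2's" that stand out
            "visibility_issue": abs(core - sme_avg) >= spread_threshold,
        })
    return rows

def focus_areas(rows):
    """Categories the Analyze step would drill into, largest gap first."""
    return [r["category"] for r in sorted(rows, key=lambda r: -r["gap"]) if r["drill_down"]]

def heat_map(rows):
    """Text rendering of the 'simple heat map' used to brief the CISO and staff."""
    out = []
    for r in rows:
        flags = (" <-- drill down" if r["drill_down"] else "") + (
            " (core/SME spread)" if r["visibility_issue"] else "")
        out.append(f"{r['function']:<8} {r['category']:<30} target={TIERS[r['target']]:<13} "
                   f"core={r['core']} sme_avg={r['sme_avg']:.2f} {r['over_under']:<9} "
                   f"gap={r['gap']:+d}{flags}")
    return "\n".join(out)
```

Calling `print(heat_map(rollup(SAMPLE)))` lists every Category with its status; only Data Security and Threat Intelligence carry the drill-down marker, and Threat Intelligence alone shows the Core/SME spread flag.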

Page 21

Additional Key Learnings

Discussion is a benefit itself
• Security is a process, not an endpoint
• Targets especially interesting: prescriptive targets would eliminate this benefit

Functions
• Mapped well to existing risk management practices and SMEs were easily ramped up
• No modifications to Functions recommended

Categories
• Categories were useful and for our initial use only one additional Category added: DETECT: THREAT INTELLIGENCE
• We expect additional Categories to emerge as we move through Design, Manufacturing and Services environments

Sub Categories
• Still a bit of a puzzle on how to optimally use this granularity while balancing overhead
• Next rev of tool will do away with scoring subcategories and use over/under model for heat mapping inputs
• Comments section on subcategories was helpful in the analytical stage to drill down on high/low Category scores

Page 22

Key Learnings Continued

Program Management
• CSF utilization has progressed with no major deviations from plan of record
• Low program management overhead to date, as the organizations assessed (Enterprise and Office) have a strong risk management culture and mature security-related SMEs
• Very light-weight organizationally (leveraged existing processes/org structures)

Estimated Cost
• Less than 175 work-hours invested to date with 2 verticals (Office/Enterprise) complete
• Repeatable tools and techniques developed, so additional verticals may be less overhead

Feedback from Participants
• Easy to understand and score
• No concerns about resourcing or time commits

Page 23

Challenges

• Granularity – Subcategories and the degree of granularity of assessment using the CSF
• Repeatability – Changes in SME/scorers YoY may impact quality of assessment
• Visualization – How to best represent the results to various stakeholders and decision makers
• Alignment/Harmonization – Maintaining alignment across supply chain/partners on approach and language
• Governance, risk management, and compliance programs – How does the Framework support / intersect GRCs?

Page 24

Do it yourself!

If you want to try it…
• Start where you are comfortable
• Tailor the Framework to your organization
• Involve all levels of security & management within your org

Resources:
• NIST Website http://www.nist.gov/cyberframework
• Intel white paper (Q1 2015)
• Sector Information Sharing and Analysis Centers (ISAC)
• Industry associations

Page 25

This presentation is for informational purposes only.

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS AND SERVICES. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS AND SERVICES INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

Intel, the Intel logo, Look Inside., and the Look Inside. logo are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright © 2015 Intel Corporation. All rights reserved.