operationalizing the cis top 20 critical security controls · 2020-05-16 · operationalizing the...
TRANSCRIPT
Copyright©2016SplunkInc.
OperationalizingtheCIS“Top20”CriticalSecurityControlswithSplunkEnterprise
AnthonyPerez– SecurityArchitect,Splunk
RoadmapforToday’sSession
▸ Framingourdiscussion▸ Thelegacychallenge▸ Anapproachforoperationalization▸ Impactsonsecuritymaturity▸ LiveDemonstration
2
FramingourDiscussion
Organizationalsecurityshouldbeviewedasacontinuumversusanend-state▸ Viewingsecurityasacontinuumpositionsorganizationstofocusoncontinuousimprovement§ “Wecanalwaysimprovesomething.”
▸ Thesecuritycontinuumconceptcanalsodriveintrospectionfororganizations§ “Whatisoursecuritymaturitytoday?”
▸ Introspectiononanorganization’ssecuritymaturityoftenfeedsstrategicthinking§ “Let’smapoutstepstoraiseouroverallsecuritymaturity.”
4
Regardlessofwhereanorganizationexistsonthesecuritycontinuum,theirfoundationshouldbebuiltuponbest-practices
▸ Acceptingthatfoundationalsecurityisbuiltuponbestpractices–Westillneedtoidentifywhatbestpracticesactuallyare
▸ Organizationsalsoneedtoestablishpoliciesandproceduresaimedatkeepingtheirbest-practicesrelevantasthethreatlandscapechanges
▸ Beyondpoliciesandprocedures,organizationsneedtoestablishaplanforoperationalizationofthesebestpracticesaswell
5
Thebest-practicesselectedforthatfoundationshouldberootedinthedefenseagainstcurrent real-worldthreatactivity▸ TheoriginsoftheCIScontrolsmaptoa2008requestfromtheOfficeoftheSecretaryofDefensetotheNSAregardinghelpprioritizingthevariouscontrolsavailable§ Thisdrovean“offensemustinformdefense”approach
▸ ThisapproachpersistsintheCISCSC§ TheCISControlsaredeveloped,refined,andvalidatedbyacommunityof
leadingexpertsfromaroundtheworld
6
https://www.cisecurity.org/critical-controls.cfm
KeyInsight:“TheNationalGovernorsAssociationrecommends thatstatesturntotheCriticalSecurityControlsforabaselineofeffectivecybersecuritypractices…”
NationalGovernorsAssociationActandAdjust:ACalltoActionforGovernorsforCybersecuritySeptember2013
Thebest-practicesselectedforthatfoundationshouldberootedinthedefenseagainstcurrent real-worldthreatactivity▸ TheoriginsoftheCIScontrolsmaptoa2008requestfromtheOfficeoftheSecretaryofDefensetotheNSAregardinghelpprioritizingthevariouscontrolsavailable§ Thisdrovean“offensemustinformdefense”approach
▸ ThisapproachpersistsintheCISCSC§ TheCISControlsaredeveloped,refined,andvalidatedbyacommunityof
leadingexpertsfromaroundtheworld
7
https://www.cisecurity.org/critical-controls.cfm
KeyInsights:§ TheCIScontrolsareanalogoustocomponentsofmultipleUSFederalinformationsecurityframeworkssuchas
FISMA,DFARS,andRMF
§ TheControlsalsomapcloselytoAustralianSignalsDirectorate“Top4”andISO/IEC27001
TheLegacyChallenge
Bestpracticessecurityrecommendationshavebeenaroundforsometime,butoperationalizationremainsfractured▸ Googlingforideasonwheretobeginwithoperationalizationreturnsuniformlyunhelpfulresults
9
“Usethese10solutions togainvisibility” “Runthisscannerwhenyouwanttogenerateareport”
“Hireustobuild yousomethingfromscratch”
“LeverageyourlegacySIEMtogetsomeofthewaythere”
Bestpracticessecurityrecommendationshavebeenaroundforsometime,butoperationalizationremainsfractured▸ Googlingforideasonwheretobeginwithoperationalizationreturnsuniformlyunhelpfulresults
10
“Usethese10solutionstogainvisibility” “Runthisscannerwhenyouwanttogenerate areport”
“Hireustobuildyousomethingfromscratch”
“Leverage yourlegacySIEMtogetsomeofthewaythere”
▸ Commoncomments/questionsonoperationalizationinclude:§ “Thisissuchabigproject,IhavenoideawhereIshouldevenstart…”§ “Whycan’t IusemylegacySIEM?”
- Rigid(datasource-specific)andconventionalsecuritydataonly§ “WhataboutES?”
- Flexible,capable,butsomeorganizationsaren’tsizedorstructuredtoneed ESforoperations
AnApproachforOperationalization
ThreekeyingredientsareneededtoeffectivelyoperationalizetheCIScontrolsinyourenvironment▸ Datarelevanttothecontrols
§ Deviceinventory§ Softwareinventory§ HW/SWconfigurations§ Vulnerabilityscanresults§ Administratoractivity
12
KeyInsight:CISstates:§ “OrganizationsthatapplyjustthefirstfiveCISControlscanreduce
theirriskofcyberattackbyaround85percent.”
§ “Implementingall20CISControls increasestheriskreduction toaround94percent”
https://www.cisecurity.org/critical-controls.cfm
ThreekeyingredientsareneededtoeffectivelyoperationalizetheCIScontrolsinyourenvironment▸ Datarelevanttothecontrols
§ Deviceinventory§ Softwareinventory§ HW/SWconfigurations§ Vulnerabilityscanresults§ Administratoractivity
▸ Domainknowledgeaboutyourorganization§ Systemowners§ Approveddevices&software
13
ThreekeyingredientsareneededtoeffectivelyoperationalizetheCIScontrolsinyourenvironment▸ Datarelevanttothecontrols
§ Deviceinventory§ Softwareinventory§ HW/SWconfigurations§ Vulnerabilityscanresults§ Administratoractivity
▸ Domainknowledgeaboutyourorganization§ Systemowners§ Approveddevices&software
▸ SplunkEnterprise
14
Combiningtheseingredientscandrive“quickwin”visibilityintosecurityposturerelevanttotheCIScontrols▸ Basicstepsforoperationalizationinclude:
1. IngestdatarelevanttothecontrolcategoriesintoSplunkEnterprise2. EnsurethatdataiscompliantwithSplunk’sCommonInformationModel(CIM)3. InstalltheCISCriticalSecurityControls appforSplunk4. Updatelookupfileswithintheappbasedondomainknowledgeaboutyour
organization
15
What’sreallymakingthispossibleonthebackend?
▸ TheSplunkCommonInformationModel(CIM)§ The“RosettaStone”thatprovidesdatanormalization
▸ CIM-compliantsearches§ Provideflexibilityandvendor/data-agnosticvisibility intotheenvironment
▸ Splunklookupfiles§ Providedataenrichment– specificallyrelevanttoyourorganization
▸ OpensourceThreat/IOClists
16
ImpactonSecurityMaturity
Whatimpactsshouldorganizationsanticipatefortheirsecuritymaturity?▸ Visibility:
§ Holisticvisibility intoyourorganization’ssecurityposturewithrespecttobestpracticesinnear-time
▸ Flexibility:§ Vendor/sourcetype-agnosticarchitecture(viaCIM)buildsinflexibilityasyour
infrastructureandorganizationchanges
▸ Efficiency:§ Increasedefficienciesfromanoperationalperspective, freeingtimeformore
value-addsecurityactivity
▸ FederalRelevance:ThecontrolsareanalogoustocomponentsofmultipleFederalsecuritymandatessuchasFISMA,DFARS,andRMF
Lowest HighestSecurity0Maturity
Traditional0SIEMsCLI0utilities0+0point0solutions0 +0scripts0for0
searching
Ostrichapproach
ManualReview Splunk>0
(+0SPLICE)Splunk> +
Enterprise0Security0app
+
WhatshouldIexpectbasedonmyorganization’scurrentsecurity-maturitylevel?▸ Organizationswillgainutilityregardlessofwheretheyexistonthesecuritymaturitycontinuum
▸ Fornascentsecurityprograms§ Quicktime-to-valueonbest-practices tiedtocurrentreal-worldthreats
▸ Formid-maturitysecurityprograms§ ^+automationthatcreatesefficienciesforsmallerteams,enablingtimefor
morevalue-addactivities suchasproactiveanalysis
▸ Forhigh-maturitysecurityprograms§ ^+consolidatedreportsandvisualizationsthatareeasily integratedintoexisting
workflows
19Lowest HighestSecurity0Maturity
Traditional0SIEMsCLI0utilities0+0point0solutions0 +0scripts0for0
searching
Ostrichapproach
ManualReview Splunk>0
(+0SPLICE)Splunk> +
Enterprise0Security0app
+
LiveDemonstration
Questions
Announcements
.conf2017iscomingtoWashington,D.C.!
23
September25-28,2017WalterE.WashingtonConventionCenter
Reserveyourseatfor.conf2017nowthroughNovember30th togetthesupersaverdiscount!
Reserveyourspottoday,paylater!
SignUpToday:http://live.splunk.com/LP=1822
Afterregistrationopens, youwillhave60daystocompleteyourregistrationtosecurethesupersaverrate.
VisittheInformationKioskintheSolutionPavilion!
SupportOperationHomefront!
24
EarnYour6SponsorBadges!Splunk willdonate$10Dollarsto OperationHomefront’s HolidayMealsforMilitaryFamiliesProgram foreveryattendee thatcompletes theirmissionofearning6sponsorbadges.Theprogramwillprovidemeals
toourlocalmilitaryfamiliesthisholidayseason.Plusabonus ifwehit350 numberofcompletedmissions.Splunkwilldoublethe$3,500donationto
$7,000!
Workshops:GetSplunkHands-onExperienceAttendaSplunkWorkshop
UpcomingSchedule▸ December1:IntroductiontoSplunk Enterprise
▸ December14:IntroductiontoSplunk ITTroubleshooting
▸ January11:IntroductiontoSplunk EnterpriseSecurity
▸ January11:NEW! DatabasePerformanceTuningandCapacityPlanningWorkshop
▸ January25:IntroductiontoSplunk ITServiceIntelligence
▸ January25:NEW! Splunk AppDevelopmentWorkshop
Location▸ SplunkOfficeMcLean,VA
Visithttp://www.doyouknowsplunk.com/workshops
VisittheInformationKioskintheSolutionPavilion!
SplunkUserGroups- ConnectwithLocalSplunkers
NorthernVirginiaMeetsthelast3rd Thursdayofeverymonthhttps://usergroups.splunk.com/group/northern-virginia-splunk-user-group.html
DCMeetsthelastWednesdayofeverymonthhttps://usergroups.splunk.com/group/washington-dc-splunk-user-group.html
BaltimoreMeetsthe3rdMondayofeverymonthhttps://usergroups.splunk.com/group/baltimore-splunk-user-group.html
VisittheInformationKioskintheSolutionPavilion!
TaketheGovSummitPostEventSurvey!
27
Wevalueyourfeedback!Taketheposteventsurvey ontheiPadsinthefoyerstartingat2:30pm!