
Page 1: Title slide

© 2016 Carbon Black. All Rights Reserved.

Think beyond the checkbox: Reducing Liability Through Effective Cyber Security Risk Measurement

Christopher Strand, Security Risk and Compliance Officer | Carbon Black

Page 2: Agenda

Environmental considerations and distractions

IT security & audit measurement

Cyber security risk scorecard common recipe

Regulatory industry examples that build clarity

Recommended Critical Security Controls to focus on

Page 3: About the Speaker

Christopher Strand, Security, Risk & Compliance Officer, Carbon Black

Christopher Strand leads Carbon Black’s IT governance, audit and compliance programs. With more than 20 years of information technology and compliance experience, he oversees the development of enterprise network and application security solutions that help organizations deploy positive security to maintain and improve their compliance and risk posture.

Previously, Strand held security/compliance positions at Trustwave, Tripwire, EMC/RSA, and Compuware. A PCI Professional (PCIP) and trained Qualified Security Assessor (QSA), he is also proficient with other regulatory disciplines including HIPAA, NERC CIP, SOX/GLBA, and multiple IT Security baseline practices and frameworks such as ISO 27001, COBIT, SANS, and NIST 800-53. Strand regularly speaks about security and compliance issues and best practices on webinars and at industry conferences. He has authored many white papers, published articles in security industry journals and books, and is frequently quoted as a thought leader by leading media outlets.

Page 4: Why we should refocus our approach…

5,329,418,398 global records lost since 2013 …

* Breach Level Index

Page 5: The Threat Landscape

Regulations

Breaches & Incidents

Page 6: Setting the Stage – Industry Compliance Pillars

• Eliminate Control Clutter – Unite business silos, empowering the executive office

• Increase Worker Efficiency – Spend less on resources and maintain compliance

• Improve Compliance Adoption – Speed attainment and reduce administration

• Extend the Value of Technology Investments – Consolidate existing infrastructure

INDUSTRY

• NIST

• HIPAA

• PCI-DSS

• SOX/GLBA

GOVERNMENT

• PIPA – Personal Information Protection Act

• FIPPA

PARTNER

• Third-party Risk Policy

• Risk Assessment

CORPORATE

• Data Retention

• Data Privacy

• Data Protection

• Licensing

Page 7: Consequences of a weak security and compliance posture

Board Level – Cyber security is the #1 worry of Directors and Chief Legal Counsel.

CEO – A national retail CEO was fired following a data breach.

Reputation – 1 in 3 consumers stop visiting businesses impacted by data breaches.

Stock Price – A payment provider lost $800M in shareholder value following a breach.

Customer Impact – 1 in 2 Americans were impacted by a data breach last year.

Legal – Data breach reporting and litigation can cost millions.

Audits/Assessments – Increased focus and scrutiny by auditors; greater fines.

Page 8: Security objectives and risk measures

Page 9: The year of ransomware: The game has changed

• Ransomware is on track to be a $1 billion crime in 2016

• 25+ variants of ransomware families have been identified

• 4,000+ ransomware attacks have happened daily since January 1, 2016

• Phishing is the most popular ransomware attack vector

• The top-5 variants in the U.S. are: CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas, Locky

2015: $24 million

Jan – March 2016: $209 million

Page 10: Liability is increasing via Ransomware

July 2016, U.S. Department of Health and Human Services:

“Ransomware attacks against a health facility or provider will generally be considered a breach of personal information under the Health Information Portability and Accountability Act”.

Jocelyn Samuels, Director of the agency's Office for Civil Rights:

“When electronic protected health information is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information)”

Protected Health Information (PHI)

Page 11: Trends show security priority change…..

2014

• Complying with standards and other regulatory requirements

• Respond to new or emerging threats or advanced persistent threats (APTs)

• Recover quickly from a breach incident

• Assure resiliency of IT operations

2016

• Respond to new threats or advanced persistent threats and zero-day attacks

• Protect integrity of patient data

• Secure supporting infrastructure (e.g., addressing technical deficiencies or vulnerabilities in applications, middleware, network as a whole)

• Meet regulatory compliance goals

* SANS Healthcare Systems Survey 2016

Page 12: Importance of prevention plus compliance

Trends towards ensuring internal compliance

• Infrastructure as even more key

• Supporting infrastructure = “critical asset at high risk” by 50%

• High-integrity infrastructure, free of malware = effective cloud security control by 75%

• Emerging technologies are gaining ground

• Threat intelligence considered effective by 70%

              Insider    3rd party
  Negligent   28.5%      8%
  Malicious   10.9%      8%
  Total       39.4%      16%

* SANS Healthcare Systems Survey 2016

Page 13: Top 10 reasons to develop a cyber security scorecard

10. Improve cyber security posture

9. Improve awareness of cybersecurity across the business

8. Increase credibility and transparency

7. Report and communicate the true posture of security

6. Make smarter security investment and strategy decisions

5. Increase corporate accountability

4. Accelerate corporate efforts on risk reduction

3. Justify resource investment and prioritization

2. Expose vulnerabilities that lead to liability

1. Reduce corporate liability

Page 14: Anatomy of a Ransomware Attack

Page 15: The cybersecurity attack kill chain

1. Reconnaissance

2. Attack is Launched

3. Attack Penetrates the Enterprise

4. Attacker Moves Undetected

5. Key Information is Stolen

6. Realization of Breach and tracks covered

Phases: Preparation – Intrusion – Active Breach – Response / Fallout

Align Security Framework to ensure Security Control Measure

Enforce security and compliance controls appropriately when needed

Automatically educate users about Compliance and Security policy as it’s being enforced

Categorize / Classify – Monitor – Detect – Response / IR – Protect – Enforcement

Page 16: CYBERSECURITY SCORECARD RECIPE

Security Controls:

• Software Asset Analysis

• Asset Integrity Monitoring

• Patch & Vulnerability Analytics

• Threat Prevent & Reporting

• Policy Enforcement & Remediation

Policy / Framework: FFIEC, NIST 800-53, COBIT, Internally Developed, ISO, Provincial Law, PIPA / PIPEDA, SOX / GLBA, DISA STIGS, FIPPA, PCI DSS, HIPAA, FERPA, CBEST, HITRUST CSF, ASD TOP 35, SAS70, NERC, CIS CSC TOP 20

Page 17: Cybersecurity scorecard – map to the PCI DSS prioritized approach

MILESTONE STEPS

• Remove sensitive authentication data and limit data retention

• Protect systems and networks, and be prepared to respond to a system breach

• Secure card data applications

• Monitor and control access to your systems

• Protect card data information

• Finalize remaining compliance efforts, and ensure all controls are in place

QUICK WINS FOR SCORECARD

• Provides clarity and intelligence on your data policy – Classification and categorization

• Provides a response plan that can be aligned to protection policy – Protection and Response

• Security posture measure on payment systems – Measure

• Who, What, When, How – Monitor and Collection

• Provides proof of protection of critical data - Protection and Risk

• Provide Policy Enforcement proof and effective control

Page 18: FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile – 39 Questions on Risk

Low Inherent Risk – Minimal Inherent Risk – Moderate Inherent Risk – Significant Inherent Risk – Most Inherent Risk

Cybersecurity Maturity – 494 Y/N Questions

Domain 1: Cyber Risk Management & Oversight

Domain 2: Threat Intelligence & Collaboration

Domain 3: Cybersecurity Controls

Domain 4: External Dependency Management

Domain 5: Cyber Incident Management and Resilience

Page 19: Cybersecurity Controls – layered maturity model to Measure security and compliance

Maturity layers:

Target gaps

Automate reporting

Align to framework / policy

Remediate

Enforce policy

Detect threats

Measure risk

Monitor & collection

Classification

IT security risk modeling – common steps:

Report critical controls

Collect data based on policy

Implement a policy

Apply a framework

Identify sponsors & resources

RACI Documentation

Understand stakeholders

Security objectives/risk

Business objectives/risk

Page 20: Cybersecurity control maturity model audit scorecard

Conform assets

Protect data integrity

Proactively monitor critical systems

Threat protection and defense

Enforce security and compliance policy

Regulations, frameworks, policies

Business Assets

Lowest Risk – Lowest Liability

Visibility

• Continuous asset recording aligned to compliance and security

Detection

• Aggregated community threat intel detecting patterns of behavior

Prevention

• Policy-based default-deny with Change Control

Response

• Attack disruption & containment with Automated remediation to Prove Policy Enforcement

Integration

• Integration across the security stack

Page 21: Cybersecurity scorecard – Focus on critical controls

Target Gaps

Automate Reporting

Align to Framework

Remediate

Enforce Policy

Detect Threats

Measure Risk

Monitor and Collection

Classification

Page 22: Focus on the Business Process

In Scope Assets

Zero Trust Stance on Assets: Trust policy allows quick identification of the bad by filtering out trusted files/processes first

Prevention: Trust drives and optimizes prevention techniques in place to protect critical data and enforces Security and Compliance Policy across in-scope systems

Business Policy / IT-Driven Trust

• Trusted Updater (e.g., SCCM, Chrome)

• Trusted Directory (e.g., \\gold_dir)

• Trusted Publisher (e.g., Mozilla)

• Trusted User (e.g., help_desk)

• And more…

Cloud-Driven Trust / Trust Policy

[Diagram: classification of user-downloaded files, with a keylogger, Chrome and "your app" as the examples]

• Software distribution

• Patch management

• Application auto-updates

• Help desk

Page 23: Monitor and Collection – REDUCE Cyber Security NOISE

• Employ Asset Integrity Control vs. Monitoring:

– A process of segmenting systems and files that are relevant to a particular standard from other assets in order to narrow the scope of compliance efforts and reduce unnecessary information (noise).

• File Integrity Monitoring based on a trust policy can help Control Change

• Use your established trust policy to detect changes as they occur or are attempted on the front end

• Use your policies to establish what is allowed as per your business process – stop everything else

• Respond to events close to when they happen, not after file changes have been collated and analyzed
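The trust-policy idea from the previous two slides (filter out trusted updaters, directories, publishers and users first, default-deny the rest) as an added worked example; this is not Carbon Black code, and the process names, gold-image share, accounts and file events are constructed for illustration:

```python
"""Trust-policy triage of file-change events (added example, not Carbon Black code).
Trusted updater / directory / publisher / user are the deck's IT-driven trust
sources; process names, share path, accounts and events below are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class FileEvent:
    path: str                 # file written or executed
    process: str              # process that performed the change
    user: str                 # account running that process
    publisher: Optional[str]  # code-signing publisher, None if unsigned

@dataclass(frozen=True)
class TrustPolicy:
    updaters: Tuple[str, ...]    # approved updater processes (hypothetical names)
    dirs: Tuple[str, ...]        # glob patterns for gold-image directories
    publishers: Tuple[str, ...]  # signers whose binaries may be introduced
    users: Tuple[str, ...]       # accounts allowed to introduce software

    def trust_reason(self, ev: FileEvent) -> Optional[str]:
        """Name the trust source approving the event; None means default deny."""
        if ev.process in self.updaters:
            return "trusted_updater"
        if any(fnmatchcase(ev.path, pat) for pat in self.dirs):
            return "trusted_directory"
        if ev.publisher in self.publishers:  # None never matches a signer
            return "trusted_publisher"
        if ev.user in self.users:
            return "trusted_user"
        return None

def triage(policy: TrustPolicy, events: List[FileEvent]):
    """Split events into approved (event, reason) pairs and a default-deny queue;
    trusted events drop out first, so only the unproven remainder needs analysis."""
    approved, queue = [], []
    for ev in events:
        reason = policy.trust_reason(ev)
        (approved if reason else queue).append((ev, reason) if reason else ev)
    return approved, queue

POLICY = TrustPolicy(updaters=("GoogleUpdate.exe", "ccmexec.exe"),
                     dirs=(r"\\gold_dir\*",), publishers=("Mozilla Corporation",),
                     users=("help_desk",))

SAMPLE_EVENTS = [  # constructed sample events: four trusted, two unproven
    FileEvent(r"C:\Program Files\Google\Chrome\chrome.exe", "GoogleUpdate.exe", "SYSTEM", "Google LLC"),
    FileEvent(r"\\gold_dir\tools\7z.exe", "explorer.exe", "jdoe", None),
    FileEvent(r"C:\Users\jdoe\Downloads\firefox_setup.exe", "explorer.exe", "jdoe", "Mozilla Corporation"),
    FileEvent(r"C:\Tools\helper.exe", "msiexec.exe", "help_desk", None),
    FileEvent(r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "outlook.exe", "jdoe", None),
    FileEvent(r"C:\Users\jdoe\Downloads\tool.exe", "explorer.exe", "jdoe", "Unknown Software Ltd"),
]

if __name__ == "__main__":
    approved, queue = triage(POLICY, SAMPLE_EVENTS)
    for ev, why in approved:
        print(f"allow   {why:<18} {ev.path}")
    for ev in queue:  # unproven: default-denied and surfaced close to the event time
        print(f"REVIEW  default_deny       {ev.path} ({ev.process} as {ev.user})")
```

The review queue is what a file-integrity monitor aligned to the trust policy would raise, while the approved list is the noise the policy removes before analysis.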

Page 24: Community Threat Intel

Detect – Attack patterns, IOC’s & analysis

Reputation – Good, bad & unknown

Classify – Attack context and threat actor attribution

Collective Intelligence: 3rd Party, United Intel, Threat Research – analysis of threat data from millions of endpoints

Endpoints – Monitor and record events against policy; detect and prioritize threats; actionable events

Measure Risk – Policy, Penetration Testing, Attack Simulation

Page 25: Combine Positive Security + Reactive Security

Threat Prioritization, Detection, & Response / Data Collection

In-Scope Assets

TRUST POLICY

Threat Intelligence:

Reputation – Trust rating for known-good, known-bad & unproven assets

Threat Indicators – Indicators of attack behaviors and compromise

Attack Classification – Comprehensive attack attribution & context

IOC’s, Machine Learning, Heuristics, Signatures

Proactive Analysis of Risk

Detect threats

Page 26: Enforce policy across the kill chain

1. Reconnaissance

2. Attack is Launched

3. Attack Penetrates the Enterprise

4. Attacker Moves Undetected

5. Key Information is Stolen

6. Realization of Breach and tracks covered

Phases: Preparation – Intrusion – Active Breach – Response / Fallout

Actively enforce policy via security framework across lifecycle

• Enforce security and compliance policies at critical stages of attack

• Confirm both direct and compensating controls aligned against chosen framework

• Collect and provide education to all stakeholders and users regarding compliance and security policy enforcement

Categorize / Classify – Monitor – Detect – Response / IR – Protect – Enforcement

Page 27: Questions

Anyone?