Building Defensible Architecture with CIS Critical Security Controls
Arnab Roy, Regional Solution Architect, McAfee
28/04/2020
Current State of Play
80% of cyber security incidents are caused by the same 20% of root causes
Commonly known as Pareto’s Law
Compliance ≠ Secure
Compliance works on the principle of checkboxes
A real defensive strategy should be risk driven
Adding method to madness - Cyber Security Frameworks
• Security frameworks act as road signs to drive security efforts
• We learnt the road signs before learning to drive on the road!
• Avoid crashes, but allow safe acceleration
• Structure leads to creativity and better outcomes
• Controls should have enablement objectives, not just prevent an activity
Types – Cyber Security Frameworks
Security Frameworks:
• Compliance/Regulations Frameworks – GDPR, HIPAA, PCI-DSS, SOX
• Cybersecurity Laws – ITAR, EU-CSA, GLBA, …many more
• Directives/Domain Specific Frameworks – NIS-D, CSA
• Control Frameworks – NIST 800-53, ISO, CIS, Cyber Essentials
• Risk Management Frameworks – NIST 800-37
• Governance Frameworks – COBIT 5, ITIL… and many more!
Based on industry vertical, some or all of these need to be implemented.
Where are the resources to implement and validate all of them?
Choosing the correct Controls Framework
Factors influencing the selection of a controls framework:
Risk Prioritisation
• Prioritise vulnerabilities and patch management
• Prioritise assets for protection
• Provide actionable language
Context – Business and Operational Context, Threat Landscape (People, Process and Tech)
• Frameworks should be tailored/scoped to your organisational context
• Not all controls can be mapped to every organisation
Starting Point
• Your security program needs to start from somewhere
• It needs to provide a path to optimise or mature existing programs
Measurable Benefits
• Provide clear benefits from a quantitative and qualitative perspective
• Risk reduction should be the key metric
Right Sizing
• Is the framework fit for your organisational size?
• Is the framework fit for your security maturity?
Introduction to CIS – Who are the Center for Internet Security?
❑ A non-profit organisation dedicated to establishing security best practices for effective cyber defence
❑ Key contributions – CIS Controls, CIS Benchmark, CAT Tool
❑ Key contributors –
US contributors include: Department of Homeland Security (DHS), National Security Agency (NSA), Department of Energy (DoE) Laboratories, Department of State (DoS), US-CERT and other incident response teams, DoD Cyber Crime Center (DC3), The Federal Reserve, The SANS Institute, civilian penetration testers, numerous other Federal CIOs and CISOs, hundreds of other private sector researchers
International contributors include: UK Government Communications Headquarters (GCHQ), UK Centre for the Protection of National Infrastructure (CPNI), Australian Defence Signals Directorate (DSD), Japanese security researchers, Scandinavian security researchers, GCC security researchers, Turkish security researchers, Canadian security researchers, many other international researchers
What are the Critical Security Controls?
• 20 controls based on input from the defender community
• Based on protecting against real-world attacks and known TTPs
• Provides actionable tasks in clear language
Uses 5 key principles:
• Offense Informs Defense
• Prioritisation
• Metrics
• Continuous Monitoring and Risk Mitigation
• Security Automation
CIS offers an opportunity for every type of enterprise to improve its security posture
3 Implementation Groups based on maturity and capability:
• IG 1 – Aimed at small businesses with low data sensitivity
• IG 2 – Aimed at enterprises storing sensitive business information and having reasonable cybersecurity resources for implementing the controls
• IG 3 – Aimed mainly at defending against sophisticated adversaries such as nation-state actors utilising zero-day vulnerabilities
CIS Sub-controls – Evolving Enterprise Maturity
Driving Discovery & Context – through Assessment
Excel-based tool that looks at the 20 high-level CIS controls
Designed to discover control gaps
Easy questions, so executives can answer them
Results in a measure of the customer’s effort:
• 1 – 30%: Emerging Level
• 30 – 60%: Foundational Level
• 60 – 100%: Evolved Level
NIST Risk Management Frameworks – CIS Mapping
McAFEE CONFIDENTIAL
Digital Enterprise Assets – Reference Architecture
[Diagram: reference architecture zones – Cloud (SaaS, IaaS, CaaS); Cloud Access Edge; Legacy Perimeter (encrypted traffic); Systems Management; Directory Services; Core Network Services (DNS/DHCP/IPAM); Legacy (On-Prem) Applications; Databases; DMZ; File Storage; Web Applications; Endpoints (Mobile, Workstations, Secure Access and Data Protection); Mobile Worker, Remote Branch; Internet; People; a TRUST axis runs across the zones]
Security Operations – inputs: Cloud Service Provider Logs, Network Logs, Endpoint Traces, Application Logs, Threat Intelligence Feeds; stakeholders: CISO, SOC Analysts, IT Manager, SO, BO
Assets shown: Cloud Compute, Cloud Storage, SaaS Collaboration, Email, Storage, Cloud Networks, Containers, Network Firewalls, Web Gateways, Monolithic Applications, Enterprise WAN, Enterprise LAN, Enterprise WLAN, Building Management, Mobile Devices, IoT/OT/IIoT, Employees, Governance, Operating Processes
Step 1: Define a reference architecture that represents your enterprise
Step 2: Identify assets
Building a Workplace Security Architecture Using CIS CSC
Controls mapped to each zone of the reference architecture:
Cloud – SaaS, IaaS, CaaS
• 1. Inventory of Hardware Assets (IaaS, CaaS)
• 2. Inventory of Software Assets
• 3. Continuous Vulnerability Management
• 8. Malware Defences
• 6, 16. Account Monitoring & Audit Log Analysis
• 13, 10. Data Protection & Recovery
Cloud Access Edge – Remote Workers, Branch Office (Endpoint Protection, Secure Access and Data Protection) – and Legacy Perimeter
• 8. Malware Defences
• 12. Boundary Defences
• 13. Data Protection
• 7. Email & Web Protection (listed for both the Cloud Access Edge and the Legacy Perimeter)
• 9. Limitation & Control of Network Ports and Protocols
• 6. Audit Log Analysis
Systems Management
• 8. Malware Defences
• 1. Inventory of Hardware Assets
• 2. Inventory of Software Assets
• 13. Data Protection
• 3. Continuous Vulnerability Management
• 6, 16. Account Monitoring & Audit Log Analysis
Legacy (On-Prem) Applications
• 3. Continuous Vulnerability Management
• 15. Wireless Access Control
DMZ
• 10, 13. Data Recovery & Protection
• 18. Application Software Security
• 6. Audit Log Analysis
Endpoints
• 8. Malware Defences
• 13. Data Protection
• 7. Email & Web Protection
• 9. Limitation & Control of Network Ports and Protocols
• 6. Audit Log Analysis
People
• 17. Implement security awareness training
Security Operations – Offense Informs Defence
• 19. Incident Response and Management
• 20. Penetration Tests and Red Team Exercises
• a) Forensics
• b) Proactive Threat Hunting using Threat Intelligence
• c) Enterprise Deception Tactics
• 6. Vulnerability Management
• 6. Log Analysis
Step 4: Map Controls
➢ Map controls to assets
➢ Identify business enablement objectives
➢ Tailor and scope the framework
Building a Defensible Architecture – Digital Workplace
Zones: Multi-Cloud (SaaS, IaaS, CaaS); Cloud Access Edge (Endpoint Protection, Secure Access and Data Protection); Legacy Perimeter; Systems Management; Legacy (On-Prem) Applications; DMZ; Endpoints; Internet; People; Mobile Worker, Remote Branch; Security Operations
Technology placed on the architecture (McAfee products plus third-party integrations):
• MVISION Cloud – Converged Endpoint, Web and Cloud DLP; Visibility & Access Control; Risk, Posture & Vulnerability Management; Container – Network Segmentation, Posture
• Cloud Workload Security – Visibility & Access Control; Risk, Posture, Vulnerability Management & Benchmarking; Network Segmentation, Visibility & Threat Protection
• Cloud Web Gateway – Remote Workers, Branch Offices; on-prem web gateway / IPSEC to cloud – DLP, Anti-Malware, Advanced Threat Protection, Content Control, Web Risk Management
• Network Security Platform – Network Threat Monitoring and Management, NTBA, IDS/IPS
• Checkpoint, Fortinet Firewalls
• Application Control – Application Whitelisting, Dynamic Process Control
• Policy Auditor – Software Inventory, Vulnerability Management, Benchmarking
• Database Access Monitor – DB protection: injection, access control, virtual patching
• ePolicy Orchestrator – Centralised Policy Management, Compliance and Asset Visibility
• Vulnerability and Patch Management – Tenable, Rapid7
• Network Protection – ISE, ClearPass, Forescout; DNS – Infoblox
• Malware Defence and Threat Protection; Server Security
• mVMobile – Mobile Threat Defence, Zero-Day Protection, Application Security Analysis
• ENS + RP + ATP + HIPS – Malware Protection, Zero-Day Protection, Network Protection, Security Orchestration
• eDLP + Device Control
• Remote Browser Isolation; Client Proxy; Web Protection
• Services – Architecture Workshops, Maturity Assessment, Awareness Training, Process Development
Security Operations
• Products – MVISION Cloud, Enterprise Security Manager, ePolicy Orchestrator, MVISION EDR, Advanced Threat Defence
• Capabilities – Multi-Cloud Incident Mgmt. across SaaS, IaaS and CaaS; Event Collection, Correlation & Forensics; Malware Analysis and Forensics; Endpoint Threat Event Analysis; Endpoint Threat Hunting and Guided Incident Management
• Threat Intelligence – IOC Enrichment, Context, Automation
Step 4: Map Technology to Controls
➢ Identify required product capabilities
➢ Map security product capabilities to control requirements
➢ Validate enablement objectives and controls
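The control-mapping and assessment steps above, carried through as an added example that is not part of the deck or of McAfee tooling: REQUIRED is the zone-to-control mapping from the workplace architecture slide, IMPLEMENTED is a constructed deployment state, and the Emerging/Foundational/Evolved thresholds from the assessment slide are applied here to control coverage rather than to the questionnaire score the Excel tool produces. The zone names, the constructed data and the handling of the 30% and 60% boundaries are assumptions.

```python
# Added example (not McAfee tooling): gap analysis over a CIS CSC-to-zone
# mapping. REQUIRED mirrors the mapping slide; IMPLEMENTED is constructed.
# Required CIS controls per architecture zone, as numbered on the slide.
REQUIRED = {
    "Cloud": {1, 2, 3, 6, 8, 10, 13, 16},
    "Legacy Perimeter": {6, 7, 8, 9, 12, 13},
    "Systems Management": {1, 2, 3, 6, 8, 13, 16},
    "Legacy (On-Prem) Applications": {3, 15},
    "DMZ": {6, 10, 13, 18},
    "Endpoints": {6, 7, 8, 9, 13},
    "People": {17},
    "Security Operations": {19, 20},
}

# Constructed: controls a hypothetical enterprise has implemented so far.
IMPLEMENTED = {
    "Cloud": {1, 2, 8, 13},
    "Legacy Perimeter": {7, 8, 9, 12},
    "Systems Management": {1, 2, 3, 8},
    "DMZ": {10, 13},
    "Endpoints": {7, 8, 13},
    "Security Operations": {19},
}

def zone_gaps(required, implemented):
    """Controls still missing in each zone (required minus implemented)."""
    return {z: c - implemented.get(z, set()) for z, c in required.items()}

def coverage_pct(required, implemented):
    """Share of required (zone, control) pairs that are in place, 0..100."""
    total = sum(len(c) for c in required.values())
    if total == 0:  # empty mapping: nothing to measure, report 0 not a crash
        return 0.0
    met = sum(len(c & implemented.get(z, set())) for z, c in required.items())
    return 100.0 * met / total

def maturity_tier(pct):
    """Assessment-slide tiers; treating 30 and 60 as next-tier starts is assumed."""
    if pct < 30:
        return "Emerging"
    if pct < 60:
        return "Foundational"
    return "Evolved"

if __name__ == "__main__":
    for zone, missing in zone_gaps(REQUIRED, IMPLEMENTED).items():
        print(f"{zone:30s} missing: {sorted(missing) or 'none'}")
    pct = coverage_pct(REQUIRED, IMPLEMENTED)
    print(f"overall coverage {pct:.0f}% -> {maturity_tier(pct)}")
```

Zones absent from IMPLEMENTED (here Legacy applications and People) are reported with every required control missing rather than silently skipped.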
CIS Controls and Public Cloud
CIS Controls cover most private cloud use cases
In the case of public cloud, the shared responsibility model results in loss of control over the underlying infrastructure and creates coverage gaps for the CIS Controls
Additional Reference Content
McAfee Enterprise Product Mapping - https://www.mcafee.com/enterprise/en-us/assets/guides/gd-cis-csc20-product-mapping.pdf
McAfee Blog – Establishing Cyber Defence Maturity through CIS Controls – https://www.mcafee.com/blogs/enterprise/establishing-security-maturity-through-cis-cyber-defense-framework/
Architecture Workshops – Deep dives into specific domains such as Cloud Data & Infrastructure Protection / Digital Workplace / Cyber Defence and SecOps
CIS Cloud Companion Guide - https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/
Thank you.