Cybersecurity for real life: Using the NIST Framework to protect your critical infrastructure

CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using the NIST Framework to protect your critical infrastructure

Jan 22, 2018
Page 1: CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using the NIST Framework to protect your critical infrastructure

Cybersecurity for real life: Using the NIST Framework to protect your critical infrastructure

Page 2: Agenda

• About me
• The need for NIST
• The fog of more - life before the Framework
• Intro to the NIST Cybersecurity Framework
• NIST for all
• Real life use case

Page 3: tl;dr

NIST Cybersecurity Framework can help all orgs:

• move from checklist security to proactive prevention
• assess current security capabilities
• measure vulnerable areas across compliance standards

Page 4: About Me

Page 5: Dwight Koop, CFO & COO

co-founded the Chicago Board Options Exchange (CBOE)
co-founded RabbitMQ, now VMware
Secret Service's Chicago Electronic Crimes Task Force
Treasurer for Chicago FBI InfraGard

Page 6: Cohesive Networks - your applications secured

VNS3 security & network software products

2000+ customers in 20+ countries across industries and sectors

(Badges shown on the slide: Enterprise Security Top 20 Most Promising Company; Cloud Marketplace Provider; Marketplace Seller; Technology Partner)

Page 7: The need for NIST

Page 8: new cyber realities

Attacks have become professional: hackers, criminals or foreign governments.

In the post-Sony era, all servers "on a wire" are compromised or targets.

Regulatory implementation and reporting demands are increasing.

Page 9: target: governments

Page 10: target: healthcare

Page 11: target: retail

Page 12: target: you

Page 13: DHS mandate: organize & coordinate

Executive Order 13636: Improving Critical Infrastructure Cybersecurity

• Increase Information Sharing
• Protect Privacy & Civil Liberties
• Consult with Everyone
• NIST Create Cybersecurity Framework
• Voluntary Adoption Program w/ Incentives
• Identify Greatest Risks
• Determine Need for More Regulation

Image credit: Wikimedia Commons

Page 14: DHS mandate: organize & coordinate

Cybersecurity Enhancement Act of 2014

• Amends the NIST Act (15 U.S.C. 272(c))
• Voluntary
• Consensus-based
• Industry-led

Image credit: Wikimedia Commons

Page 15: Fog of More: Life before NIST

Page 16: Pre-NIST Cybersecurity Frameworks

• International Organization for Standardization ISO/IEC 27005:2011
• Electricity Sub-Sector Cybersecurity Risk Management Process (RMP) guideline
• Committee of Sponsoring Organizations (Accounting Orgs) (COSO)
• American Institute of CPA's (AICPA) SOC 2 & SAS70
• American Institute of CPA's (AICPA) - Generally Accepted Privacy Principles (GAPP) (August 2009)
• Shared Assessments ORG Vendor Assessments (AUP v5.0 & SIG v6.0)
• FTC Children's Online Privacy Protection Rule (COPPA)
• European Union Agency for Network and Information Security (ENISA) IAF
• European Union Data Protection Directive 95/46/EC
• GSA's Federal Risk and Authorization Management Program (FedRAMP) Cloud Security Controls
• Family Educational and Privacy Rights Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Dept. of State International Traffic in Arms Regulations ITAR
• UK Royal Mail - Jericho Forum on De-Perimeterisation
• and on and on…

Page 17: The Big 10

• International Organization for Standardization ISO 31000:2009
• International Organization for Standardization ISO/IEC 27001:2013
• NIST Special Publication NIST 800-53r3 & r4
• Payment Card Industry Security Standards Council Data Security Standard PCI DSS v3.0
• International Society of Automation Industrial Automation And Controls ISA-IAC 62443-2-1:2009
• Information Systems Audit and Control Association (ISACA) COBIT 5
• Cloud Security Alliance - Enterprise Architecture & Guidance CSA EAG v3.0
• SANS Institute Council on Cybersecurity's Critical Security Controls for Effective Cyber Defense v5
• DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Cybersecurity Evaluation Tool (CSET®)
• Department of Energy (DOE) Cybersecurity Capability Maturity Model C2M2

Page 18: Certification is expensive

Class Test

Page 19: The Fog of More

Competing Options, Priorities, Opinions, and Claims:

• Software Tools
• Standards
• Training Classes
• Certification Badges
• Certification, PenTest, & Audit Services
• Vulnerability Databases
• Guidance & Best Practices
• Catalogs of Controls
• Checklists
• Vendor Benchmarks
• Recommendations, Regulations & Requirements
• Threat Information Feeds
• Risk Management Frameworks

Page 20: Intro to the NIST Cybersecurity Framework

Page 21: Who: 16 Critical Infrastructure Sectors

Nuclear, Chemical Facilities, Comms, Manufacturing, Emergency, Dams, Defense, Financial, Energy, Agriculture, Health, Water, IT, Gov Facilities, Transportation

Image credit: dhs.gov

Page 22: NIST Cybersecurity Framework Core

Page 23: just one subcategory:

Page 24: NIST Framework tiers of maturity

Page 25: NIST Cybersecurity Framework

Creates a common language: 82% of US federal agencies fully or partially adopting it; "align these policies, standards, and guidelines with the Framework"

Creates actionable guides for agencies:
1. create a report within 90 days with an implementation plan
2. maintain a comprehensive understanding of cybersecurity risk

Page 26: Why: NIST Cybersecurity Framework

Pros:
• Organized
• One standard format
• Common language
• Unifying process
• Defense in breadth & depth
• Incentives
• Risk management focused
• Free

Cons:
• Redundant
• Yet another framework
• Enforcement & penalties
• Sustained cyber-siege
• Not technical
• Not designed for small firms
• Technology debt?

Page 27: applying risk based cybersecurity

| Traditional | Risk-Based |
| Audit focus | Business focus |
| Transaction-based | Process-based |
| Compliance objective | Customer focus |
| Policies & procedures focus | Risk management focus |
| Multi-year audit coverage | Continual risk-reassessment coverage |
| Policy adherence | Change facilitator |
| Budgeted cost center | Accountability for performance improvement results |
| Career auditors | Diversified knowledge and experience |
| Methodology: Focus on policies, transactions, and compliance | Methodology: Focus on goals, strategies, and risk management processes |

Page 28: risk-based security frameworks

2016 PwC State of Information Security: 91% of companies have already adopted a risk-based cybersecurity framework

Risk-based security can help:
• identify and prioritize risks
• gauge the maturity of cybersecurity practices
• better communicate internally and externally
• design, measure and monitor goals
• build a program that centers around safety and security of data

Page 29: NIST for all

Page 30: how: NIST Cybersecurity for all

Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
Repeat The Steps As Needed (Rinse and Repeat)
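Steps 3 to 7 above are easier to see with data in hand. The following is an added example, not code from the talk or from Cohesive Networks: it scores a Current Profile against a Target Profile per Framework Core subcategory using the Implementation Tiers (1 Partial to 4 Adaptive) as the maturity scale, weights each gap by the risk rating from Step 4, and emits a prioritized action plan for Step 7. The subcategory identifiers follow CSF v1.1 naming with paraphrased descriptions; the two profiles, the risk ratings and the priority formula (tier distance times risk) are constructed for one hypothetical organization and are not from the slides.

```python
"""Added example: NIST CSF profile gap analysis (Steps 3-7 of the slide).
Subcategory IDs follow CSF v1.1 naming; profiles, risk ratings and the
priority scoring are constructed sample data, not from the talk."""
from dataclasses import dataclass

# Framework Core subcategories (Function.Category-N); descriptions paraphrased.
SUBCATEGORIES = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "PR.AC-1": "Identities and credentials are managed",
    "PR.DS-2": "Data in transit is protected",
    "DE.CM-1": "The network is monitored to detect potential events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after an incident",
}

# Implementation Tiers used as the maturity scale for both profiles.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    risk: int  # 1 (low) .. 5 (high), from the Step 4 risk assessment

    @property
    def distance(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Constructed scoring: larger tier gaps on riskier subcategories first.
        return self.distance * self.risk


def validate_profile(profile: dict) -> None:
    """Reject unknown subcategory IDs and tier values outside 1-4."""
    unknown = set(profile) - set(SUBCATEGORIES)
    if unknown:
        raise ValueError(f"unknown subcategories: {sorted(unknown)}")
    bad = [k for k, v in profile.items() if v not in TIERS]
    if bad:
        raise ValueError(f"tier must be 1-4 for: {bad}")


def analyze_gaps(current: dict, target: dict, risk: dict) -> list:
    """Step 6: list every subcategory whose target tier exceeds the current
    tier, highest priority first. Subcategories absent from the current
    profile are treated as Tier 1 (nothing is in place)."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 1)
        if tgt > cur:
            gaps.append(Gap(sub, cur, tgt, risk.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def function_coverage(profile: dict) -> dict:
    """Average tier per Framework Core Function (ID/PR/DE/RS/RC), a quick
    view of where the Current Profile is weakest."""
    tiers_by_fn = {}
    for sub, tier in profile.items():
        tiers_by_fn.setdefault(sub.split(".")[0], []).append(tier)
    return {fn: round(sum(t) / len(t), 2) for fn, t in tiers_by_fn.items()}


def action_plan(gaps: list) -> list:
    """Step 7: one human-readable line per gap, in priority order."""
    return [
        f"[{g.priority:>2}] {g.subcategory}: Tier {g.current} ({TIERS[g.current]})"
        f" -> Tier {g.target} ({TIERS[g.target]}); {SUBCATEGORIES[g.subcategory]}"
        for g in gaps
    ]


# Constructed sample data for a hypothetical organization.
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 2, "PR.DS-2": 3,
                   "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "PR.DS-2": 3,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}
RISK = {"ID.AM-1": 2, "ID.AM-2": 4, "PR.AC-1": 4, "DE.CM-1": 5,
        "RS.RP-1": 3, "RC.RP-1": 2}

if __name__ == "__main__":
    print("Current coverage by Function:", function_coverage(CURRENT_PROFILE))
    for line in action_plan(analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK)):
        print(line)
```

Re-running the script after each remediation cycle with an updated Current Profile is the "rinse and repeat" of the last step; the gap list shrinks and the Function averages move toward the target.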

Page 31: Chicago style cybersecurity

Innovative: blend proven style with new technologies
Pragmatic: work within constraints - shifting sand (literally!)
Transparent: more opportunities to allow more light internally
Tenacious: driven by the Mid-Western work ethic
Creative: willingness to build solutions rather than empires

The Marquette Building. Image via the MacArthur Foundation

Page 32: roll your own NIST Manual

Cybersecurity Risk Management & Network Operations Center Manual

INTRODUCTION
RISK MANAGEMENT STRATEGY STATEMENT
  Risk Management Process
  Integrated Risk Management Program
  External Participation
SCOPE OF RISK MANAGEMENT PROGRAM
  Asset, Change, and Configuration Management
  Cybersecurity Program Management
  Supply Chain and External Dependencies Management
  Identity and Access Management
  Event and Incident Response, Continuity of Operations
  Information Sharing and Communications
  Risk Management
  Situational Awareness
  Threat and Vulnerability Management
  Workforce Management
INFRASTRUCTURE UPGRADE PRIORITIES
  Current CyberSecurity Profile
  Target Profile
  Technology Debt
CYBERSECURITY ROADMAP & MILESTONES
Appendix 1: REGISTRY OF PRIMARY CYBERSECURITY RISKS
Appendix 2: REGISTRY OF STAKEHOLDERS AND USERS
Etc.

Page 33: conduct app-specific self-evaluations

Self evaluations available - just go download a template!

Page 34: further reading: DRAFT NISTIR 8170 - Implementation Guidance for Federal Agencies

1. Integrate Enterprise and Cybersecurity Risk Management
2. Manage Cybersecurity Requirements
3. Integrate and Align Cybersecurity and Acquisition Processes
4. Evaluate Organizational Cybersecurity
5. Manage the Cybersecurity Program
6. Maintain a Comprehensive Understanding of Cybersecurity Risk
7. Report Cybersecurity Risks
8. Inform the Tailoring Process

Public comment period: May 12, 2017 through June 30, 2017

Page 35: LocusView use case

Page 36: case study: LocusView

LocusView
• Natural gas SaaS provider
• Chicago-based
• Customers build critical infrastructure

Challenge: An increasing stream of requests for documentation, certifications, and penetration test results

LocusView's LocusMay product for tracking and traceability

Page 37: case study: LocusView

Solution

Used NIST Framework to map the compliance areas that matter most to their organization and clients

Used VNS3 to securely route traffic between customer networks and AWS-based resources

(Diagram: customer network behind Firewall / IPsec, IPsec Tunnel to Public Cloud with VNS3 Controller, Overlay Network, Cloud Server and AWS ELB; public internet user traffic)

Page 38: case study: LocusView

Outcome
• Updated risk-management approach
• Built roadmap for repeatable reports
• Passed initial audits and first of many penetration tests

"We wanted to look at a bigger picture than just natural gas and current regulations."
Tim Hopper - GIS Professional, LocusView

(Diagram: Adjust / Monitor / Audit cycle)

Page 39: Conclusions

• Standards are still relevant — Map from standards, not to
• Shift from audit-heavy compliance to risk-based prevention
• Prioritize current compliance over post-mortem disaster recovery
• Holistic security for each business unit
• NIST Framework can make everyone's jobs less complicated

Page 40: Questions?

Page 41: VNS3 cloud network solution

Software-only virtual appliance deployed to any cloud

VNS3 Core Network Components: router, switch, firewall, vpn concentrator, protocol distributor, extensible nfv

Increased mobility/agility and control over end to end encryption, IP addressing, and network topology

Page 42: VNS3 extends network functions

VNS3 Core Components: router, switch, firewall, vpn concentrator, protocol distributor, extensible nfv

L4-L7 Plugin System: waf, content caching, nids, proxy, load balancing, custom

Page 43: Cloud overlay networking diagram

(Diagram: VNS3 Overlay Network 172.31.1.0/24 spanning VNS3 Controller 1, VNS3 Controller 2 and VNS3 Controller 3, peered with each other, across vpc 1, vlan 2 and vpc 3 in us-west-2, central us and north europe, with VNS3:ha 1; overlay members Cloud Server A 172.31.1.1, Cloud Server B 172.31.1.2, Cloud Server C 172.31.1.3, Primary DB 172.31.1.4, Backup DB 172.31.1.5; Data Center 1 Seattle, WA and Data Center 2 London attached over an Active IPsec Tunnel and a Failover IPsec Tunnel)

Page 44: Security: Application Segmentation

Issue: Is the right traffic going to/from your cloud servers?

Challenges:
• Business applications are a collection of servers
• Traffic needs to only flow in permitted directions, from permitted locations
• No server should communicate with any other server without going through a secure and encrypted switch
• Apply application-centric security rules

(Diagram: VNS3 Controller with web, app, db and mq servers on an Overlay Network logical subnet)
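The segmentation rule on this slide, "traffic only flows in permitted directions, from permitted locations", is something you can check against flow records rather than assume. The following is an added example, not code from the talk or from any Cohesive Networks product: it encodes an application-centric allow-list for the web / app / db / mq tiers and audits constructed flow records against it, reporting every flow that is not on the list (wrong direction, wrong port, unknown host, or a source outside the overlay). The overlay subnet 172.31.1.0/24 is taken from the deck's diagram; the host-to-tier inventory, the ports and the flow-record format are constructed assumptions and will differ in a real deployment.

```python
"""Added example: application-centric segmentation audit over flow records.
Inventory, ports and log format are constructed; the overlay subnet is
the one shown in the deck's diagram. Not code from the talk or from VNS3."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OVERLAY = ip_network("172.31.1.0/24")  # overlay subnet from the slide diagram

# Constructed inventory: overlay IP -> application tier.
TIER_OF = {
    "172.31.1.10": "web", "172.31.1.11": "web",
    "172.31.1.20": "app",
    "172.31.1.30": "db",
    "172.31.1.40": "mq",
}

# Permitted flows: (source tier, destination tier) -> allowed TCP ports.
# Direction matters: db never initiates to app; web never reaches db directly.
POLICY = {
    ("internet", "web"): {443},
    ("web", "app"): {8080},
    ("app", "db"): {5432},
    ("app", "mq"): {5672},
}

# Constructed flow-record format (one accepted flow per line).
FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Violation:
    src: str
    dst: str
    dport: int
    reason: str


def tier_of(ip: str) -> str:
    """Map an address to a tier; unknown overlay hosts and external
    addresses get their own labels so the policy can treat them apart."""
    if ip in TIER_OF:
        return TIER_OF[ip]
    return "unknown-overlay" if ip_address(ip) in OVERLAY else "internet"


def check_flow(src: str, dst: str, dport: int, proto: str = "tcp"):
    """Return None if POLICY permits the flow, otherwise a reason string."""
    s, d = tier_of(src), tier_of(dst)
    if proto != "tcp":
        return f"protocol {proto} not permitted from {s} to {d}"
    allowed = POLICY.get((s, d))
    if allowed is None:
        return f"no permitted path from {s} to {d}"
    if dport not in allowed:
        return f"port {dport} not permitted from {s} to {d}"
    return None


def audit_flows(lines) -> tuple:
    """Parse flow records and return (violations, unparsed_line_count).
    Lines that do not match the format or carry a bad address are counted
    rather than silently dropped, so a parser mismatch is visible."""
    violations, unparsed = [], 0
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            unparsed += 1
            continue
        try:
            reason = check_flow(m["src"], m["dst"], int(m["dport"]), m["proto"])
        except ValueError:  # malformed address
            unparsed += 1
            continue
        if reason:
            violations.append(Violation(m["src"], m["dst"], int(m["dport"]), reason))
    return violations, unparsed


# Constructed sample flow records (not real logs).
SAMPLE_FLOWS = [
    "src=203.0.113.7 dst=172.31.1.10 proto=tcp dport=443 action=ACCEPT",    # ok
    "src=172.31.1.10 dst=172.31.1.20 proto=tcp dport=8080 action=ACCEPT",   # ok
    "src=172.31.1.20 dst=172.31.1.30 proto=tcp dport=5432 action=ACCEPT",   # ok
    "src=172.31.1.10 dst=172.31.1.30 proto=tcp dport=5432 action=ACCEPT",   # web -> db
    "src=172.31.1.30 dst=172.31.1.20 proto=tcp dport=8080 action=ACCEPT",   # db -> app
    "src=203.0.113.7 dst=172.31.1.30 proto=tcp dport=5432 action=ACCEPT",   # internet -> db
    "src=172.31.1.20 dst=172.31.1.40 proto=tcp dport=5672 action=ACCEPT",   # ok
    "src=172.31.1.99 dst=172.31.1.30 proto=tcp dport=5432 action=ACCEPT",   # unknown host
    "src=172.31.1.10 dst=172.31.1.20 proto=tcp dport=22 action=ACCEPT",     # wrong port
    "this line is not a flow record",
]

if __name__ == "__main__":
    found, skipped = audit_flows(SAMPLE_FLOWS)
    for v in found:
        print(f"VIOLATION {v.src} -> {v.dst}:{v.dport}  {v.reason}")
    print(f"{len(found)} violations, {skipped} unparsed line(s)")
```

Keeping the policy as data (tier pairs and ports) rather than as host-specific rules is what makes it "application-centric": adding a second app server changes the inventory, not the policy, and the same table can be fed to whatever enforces the overlay's firewall.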

Page 45: Connectivity: Cloud Federation

Issue: Extend the reach of your application via region or cloud federation

Challenges:
• Delivering your SaaS in multiple regions, on multiple clouds.
• Attesting to data in motion encryption in a public cloud environment
• Monitoring and management

(Diagram: Public Cloud West Europe and Public Cloud East US, each with a VNS3 Controller and VNS3:ms, peered; Customer A Overlay Network, Customer B Overlay Network, ISV Overlay Network and Customer C Overlay Network; Customer A, Customer B, ISV NOC, Customer C Site 1 - US and Customer C Site 2 - EU attached via Firewall / IPsec and IPsec Tunnel)