Cybersecurity for real life: Using the NIST Framework to protect your critical infrastructure
Jan 22, 2018
© 2017
@CohesiveNet
Agenda
• About me
• The need for NIST
• The fog of more: life before the Framework
• Intro to the NIST Cybersecurity Framework
• NIST for all
• Real life use case
tl;dr
NIST Cybersecurity Framework can help all orgs:
• move from checklist security to proactive prevention
• assess current security capabilities
• measure vulnerable areas across compliance standards
Dwight Koop, CFO & COO
• co-founded the Chicago Board of Options Exchange (CBoE)
• co-founded RabbitMQ, now VMware
• Secret Service’s Chicago Electronic Crimes Task Force
• Treasurer for Chicago FBI InfraGard
Cohesive Networks - your applications secured
VNS3 security & network software products
2000+ customers in 20+ countries across industries and sectors
(Badges: Top 20 Most Promising Enterprise Security Company; Cloud Marketplace Provider; Marketplace Seller; Technology Partner)
new cyber realities
Attacks have become professional: hackers, criminals or foreign governments.
In the post-Sony era, all servers “on a wire” are compromised or targets.
Regulatory implementation and reporting demands are increasing.
DHS mandate: organize & coordinate
Executive Order 13636: Improving Critical Infrastructure Cybersecurity
• Increase Information Sharing
• Protect Privacy & Civil Liberties
• Consult with Everyone
• NIST Creates Cybersecurity Framework
• Voluntary Adoption Program w/ Incentives
• Identify Greatest Risks
• Determine Need for More Regulation
Image credit: Wikimedia Commons
DHS mandate: organize & coordinate
Cybersecurity Enhancement Act of 2014
• Amends the NIST Act (15 U.S.C. 272(c))
• Voluntary
• Consensus-based
• Industry-led
Image credit: Wikimedia Commons
Pre-NIST Cybersecurity Frameworks
• International Organization for Standardization ISO/IEC 27005:2011
• Electricity Sub-Sector Cybersecurity Risk Management Process (RMP) guideline
• Committee of Sponsoring Organizations (Accounting Orgs) (COSO)
• American Institute of CPAs (AICPA) SOC 2 & SAS70
• American Institute of CPAs (AICPA) - Generally Accepted Privacy Principles (GAPP) (August 2009)
• Shared Assessments ORG Vendor Assessments (AUP v5.0 & SIG v6.0)
• FTC Children's Online Privacy Protection Rule (COPPA)
• European Union Agency for Network and Information Security (ENISA) IAF
• European Union Data Protection Directive 95/46/EC
• GSA's Federal Risk and Authorization Management Program (FedRAMP) Cloud Security Controls
• Family Educational and Privacy Rights Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Dept. of State International Traffic in Arms Regulations ITAR
• UK Royal Mail - Jericho Forum on De-Perimeterisation
• and on and on…
The Big 10
• International Organization for Standardization ISO 31000:2009
• International Organization for Standardization ISO/IEC 27001:2013
• NIST Special Publication NIST 800-53r3 & r4
• Payment Card Industry Security Standards Council Data Security Standard PCI DSS v3.0
• International Society of Automation Industrial Automation And Controls ISA-IAC 62443-2-1:2009
• Information Systems Audit and Control Association (ISACA) COBIT 5
• Cloud Security Alliance - Enterprise Architecture & Guidance CSA EAG v3.0
• SANS Institute Council on Cybersecurity's Critical Security Controls for Effective Cyber Defense v5
• DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Cybersecurity Evaluation Tool (CSET®)
• Department of Energy (DOE) Cybersecurity Capability Maturity Model C2M2
The Fog of More
Competing Options, Priorities, Opinions, and Claims:
• Software Tools
• Standards
• Training Classes
• Certification Badges
• Certification, PenTest, & Audit Services
• Vulnerability Databases
• Guidance & Best Practices
• Catalogs of Controls
• Checklists
• Vendor Benchmarks
• Recommendations, Regulations & Requirements
• Threat Information Feeds
• Risk Management Frameworks
Who: 16 Critical Infrastructure Sectors
Nuclear, Chemical Facilities, Comms, Manufacturing, Emergency, Dams, Defense, Financial, Energy, Agriculture, Health, Water, IT, Gov Facilities, Transportation
Image credit: dhs.gov
NIST Cybersecurity Framework
• Creates a common language: 82% of US federal agencies are fully or partially adopting it, to “align these policies, standards, and guidelines with the Framework”
• Creates actionable guides for agencies:
  1. create a report within 90 days with an implementation plan
  2. maintain a comprehensive understanding of cybersecurity risk
Why: NIST Cybersecurity Framework
Pros
• Organized
• One standard format
• Common language
• Unifying process
• Defense in breadth & depth
• Incentives
• Risk management focused
• Free
Cons
• Redundant
• Yet another framework
• Enforcement & penalties
• Sustained cyber-siege
• Not technical
• Not designed for small firms
• Technology debt?
applying risk based cybersecurity
| Traditional | Risk-Based |
|---|---|
| Audit focus | Business focus |
| Transaction-based | Process-based |
| Compliance objective | Customer focus |
| Policies & procedures focus | Risk management focus |
| Multi-year audit coverage | Continual risk-reassessment coverage |
| Policy adherence | Change facilitator |
| Budgeted cost center | Accountability for performance improvement results |
| Career auditors | Diversified knowledge and experience |
| Methodology: focus on policies, transactions, and compliance | Methodology: focus on goals, strategies, and risk management processes |
risk-based security frameworks
2016 PwC State of Information Security:
91% of companies have already adopted a risk-based cybersecurity framework
Risk-based security can help:
• identify and prioritize risks
• gauge the maturity of cybersecurity practices
• better communicate internally and externally
• design, measure and monitor goals
• build a program that centers around the safety and security of data
how: NIST Cybersecurity for all
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
Repeat The Steps As Needed (Rinse and Repeat)
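As an added example (not from the slides), Steps 3 through 7 carried through as a small gap analysis: a current and a target profile are scored per Framework subcategory, the risk assessment weights each gap, and the prioritized gaps are cut down to an action plan that fits a budget. The 0-4 implementation level per subcategory and the 1-5 risk rating are assumptions for this model (the Framework itself describes profiles as outcomes, not scores); the subcategory IDs are real Framework identifiers, the scores and budget are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int   # assumed 0-4 implementation level today (Step 3)
    target: int    # assumed 0-4 implementation level wanted (Step 5)
    risk: int      # assumed 1-5 rating from the risk assessment (Step 4)

    @property
    def priority(self) -> int:
        # A larger distance to target on a riskier subcategory sorts first.
        return (self.target - self.current) * self.risk

def prioritize_gaps(current_profile, target_profile, risk_assessment):
    """Step 6: list gaps between the profiles, highest priority first.
    Subcategories absent from the current profile count as level 0; those the
    target profile scopes out (Step 1) are ignored even if current lists them."""
    gaps = []
    for sub, target in target_profile.items():
        cur = current_profile.get(sub, 0)
        if cur >= target:
            continue  # already at or above target: no action needed
        gaps.append(Gap(sub, cur, target, risk_assessment.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))

def action_plan(gaps, budget):
    """Step 7: take gaps in priority order while their level increases fit the
    budget (each level step costs one unit in this simplified model)."""
    plan, spent = [], 0
    for g in gaps:
        cost = g.target - g.current
        if spent + cost <= budget:
            plan.append(g.subcategory)
            spent += cost
    return plan

# Constructed sample profiles keyed by real CSF subcategory IDs.
CURRENT = {"ID.AM-1": 2, "PR.AC-1": 1, "PR.DS-2": 1, "DE.CM-1": 0, "RS.RP-1": 3}
TARGET = {"ID.AM-1": 3, "PR.AC-1": 3, "PR.DS-2": 4, "DE.CM-1": 2}
RISK = {"ID.AM-1": 2, "PR.AC-1": 5, "PR.DS-2": 4, "DE.CM-1": 3}

if __name__ == "__main__":
    gaps = prioritize_gaps(CURRENT, TARGET, RISK)
    for g in gaps:
        print(f"{g.subcategory}: level {g.current} -> {g.target}, priority {g.priority}")
    print("action plan:", action_plan(gaps, budget=5))
```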
Chicago style cybersecurity
• Innovative: blend proven style with new technologies
• Pragmatic: work within constraints - shifting sand (literally!)
• Transparent: more opportunities to allow more light internally
• Tenacious: driven by the Mid-Western work ethic
• Creative: willingness to build solutions rather than empires
The Marquette Building
Image via the MacArthur Foundation
roll your own NIST Manual
Cybersecurity Risk Management & Network Operations Center Manual
INTRODUCTION
RISK MANAGEMENT STRATEGY STATEMENT
  Risk Management Process
  Integrated Risk Management Program
  External Participation
SCOPE OF RISK MANAGEMENT PROGRAM
  Asset, Change, and Configuration Management
  Cybersecurity Program Management
  Supply Chain and External Dependencies Management
  Identity and Access Management
  Event and Incident Response, Continuity of Operations
  Information Sharing and Communications
  Risk Management
  Situational Awareness
  Threat and Vulnerability Management
  Workforce Management
INFRASTRUCTURE UPGRADE PRIORITIES
  Current CyberSecurity Profile
  Target Profile
  Technology Debt
CYBERSECURITY ROADMAP & MILESTONES
Appendix 1: REGISTRY OF PRIMARY CYBERSECURITY RISKS
Appendix 2: REGISTRY OF STAKEHOLDERS AND USERS
Etc.
conduct app-specific self-evaluations
Self-evaluations are available - just go download a template!
further reading: DRAFT NISTIR 8170 - Implementation Guidance for Federal Agencies
Public comment period: May 12, 2017 through June 30, 2017
1. Integrate Enterprise and Cybersecurity Risk Management
2. Manage Cybersecurity Requirements
3. Integrate and Align Cybersecurity and Acquisition Processes
4. Evaluate Organizational Cybersecurity
5. Manage the Cybersecurity Program
6. Maintain a Comprehensive Understanding of Cybersecurity Risk
7. Report Cybersecurity Risks
8. Inform the Tailoring Process
case study: LocusView
LocusView
• Natural gas SaaS provider
• Chicago-based
• Customers build critical infrastructure
Challenge
An increasing stream of requests for documentation, certifications, and penetration test results
LocusView’s LocusMay product for tracking and traceability
case study: LocusView
Solution
Used NIST Framework to map the compliance areas that matter most to their organization and clients
Used VNS3 to securely route traffic between customer networks and AWS-based resources
Diagram: customer network behind a Firewall / IPsec device, an IPsec Tunnel to the Public Cloud, a VNS3 Controller and Overlay Network with Cloud Server and AWS ELB, and public internet user traffic.
case study: LocusView
Outcome
• Updated risk-management approach
• Built roadmap for repeatable reports
• Passed initial audits and first of many penetration tests
“We wanted to look at a bigger picture than just natural gas and current regulations.”
Tim Hopper, GIS Professional, LocusView
(Cycle: Audit, Monitor, Adjust)
Conclusions
• Standards are still relevant — Map from standards, not to
• Shift from audit-heavy compliance to risk-based prevention
• Prioritize current compliance over post-mortem disaster recovery
• Holistic security for each business unit
• NIST Framework can make everyone’s jobs less complicated
VNS3 cloud network solution
Software-only virtual appliance deployed to any cloud
VNS3 Core Network Components: router, switch, firewall, vpn concentrator, protocol distributor, extensible nfv
Increased mobility/agility and control over end-to-end encryption, IP addressing, and network topology
VNS3 extends network functions
VNS3 Core Components: router, switch, firewall, vpn concentrator, protocol distributor, extensible nfv
L4-L7 Plugin System: waf, content caching, nids, proxy, load balancing, custom
Cloud overlay networking diagram
Diagram labels: VNS3 Overlay Network - 172.31.1.0/24, spanning VNS3 Controller 1, VNS3 Controller 2 and VNS3 Controller 3 (peered) across vpc 1, vlan 2 and vpc 3 in us-west-2, central us and north europe, plus VNS3:ha 1; Overlay IPs: Cloud Server A 172.31.1.1, Cloud Server B 172.31.1.2, Cloud Server C 172.31.1.3, Primary DB 172.31.1.4, Backup DB 172.31.1.5; Data Center 1 (Seattle, WA) and Data Center 2 (London) attached over an Active IPsec Tunnel and a Failover IPsec Tunnel.
Security: Application Segmentation
Issue: Is the right traffic going to/from your cloud servers?
Challenges:
• Business applications are a collection of servers
• Traffic needs to only flow in permitted directions, from permitted locations
• No server should communicate with any other server without going through a secure and encrypted switch
• Apply application-centric security rules
Diagram: VNS3 Controller with an Overlay Network (logical subnet) containing web, app, db and mq tiers.
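As an added example, not code from the slides or from VNS3, a policy check that applies the rules on this slide to overlay flow records: each tier is identified by an assumed address range inside the 172.31.1.0/24 overlay from the diagram, only the listed tier-to-tier directions and ports are permitted, and any flow that is off-overlay or stays within a tier is denied. The flow-record format, tier ranges, ports and sample flows are all constructed.

```python
import ipaddress
from collections import namedtuple
Flow = namedtuple("Flow", "src dst proto dport")

# Overlay address range per application tier (constructed; inside 172.31.1.0/24).
TIERS = {
    "web": ipaddress.ip_network("172.31.1.16/28"),
    "app": ipaddress.ip_network("172.31.1.32/28"),
    "db":  ipaddress.ip_network("172.31.1.48/28"),
    "mq":  ipaddress.ip_network("172.31.1.64/28"),
}
# Permitted directions: (source tier, destination tier) -> set of (proto, port).
ALLOWED = {
    ("web", "app"): {("tcp", 8080)},
    ("app", "db"):  {("tcp", 5432)},
    ("app", "mq"):  {("tcp", 5672)},
}

def tier_of(ip):
    """Return the tier owning this overlay address, or None if it is off-overlay."""
    addr = ipaddress.ip_address(ip)
    return next((t for t, net in TIERS.items() if addr in net), None)

def parse_flow(line):
    """Parse a constructed flow record: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def check_flow(flow):
    """Return 'allow', or a deny reason naming the segmentation rule violated."""
    s, d = tier_of(flow.src), tier_of(flow.dst)
    if s is None or d is None:
        return "deny: endpoint outside the overlay"   # bypasses the encrypted switch
    if s == d:
        return "deny: intra-tier traffic not permitted"
    if (flow.proto, flow.dport) not in ALLOWED.get((s, d), set()):
        return f"deny: {s}->{d} {flow.proto}/{flow.dport} not in allow list"
    return "allow"

SAMPLE_FLOWS = [  # constructed flow records
    "172.31.1.17 172.31.1.33 tcp 8080",  # web -> app: permitted
    "172.31.1.33 172.31.1.49 tcp 5432",  # app -> db: permitted
    "172.31.1.17 172.31.1.49 tcp 5432",  # web -> db directly: violation
    "172.31.1.49 172.31.1.33 tcp 22",    # db -> app: wrong direction
    "10.0.0.5 172.31.1.49 tcp 5432",     # source is not on the overlay
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(f"{check_flow(parse_flow(line)):48} {line}")
```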
Connectivity: Cloud Federation
Issue: Extend the reach of your application via region or cloud federation
Challenges:
• Delivering your SaaS in multiple regions, on multiple clouds
• Attesting to data-in-motion encryption in a public cloud environment
• Monitoring and management
Diagram labels: Public Cloud East US and Public Cloud West Europe, each with a VNS3 Controller, peered; VNS3:ms; Customer A Overlay Network, Customer B Overlay Network, Customer C Overlay Network, ISV Overlay Network; Customer A, Customer B, Customer C Site 1 - US, Customer C Site 2 - EU and the ISV NOC reached through Firewall / IPsec devices over IPsec Tunnels.