© 2016 Carbon Black. All Rights Reserved.
Think beyond the checkbox: Reducing Liability Through Effective Cyber Security Risk Measurement
Christopher Strand, Security Risk and Compliance Officer | Carbon Black
Agenda
Environmental considerations and distractions
IT security & audit measurement
Cyber security risk scorecard common recipe
Regulatory industry examples that build clarity
Recommended Critical Security Controls to focus on
About the Speaker
Christopher Strand
Security, Risk & Compliance Officer, Carbon Black
Christopher Strand leads Carbon Black’s IT governance, audit and compliance
programs. With more than 20 years of information technology and compliance
experience, he oversees the development of enterprise network and application security
solutions that help organizations deploy positive security to maintain and improve their
compliance and risk posture.
Previously, Strand held security/compliance positions at Trustwave, Tripwire,
EMC/RSA, and Compuware. A PCI Professional (PCIP) and trained Quality Security
Assessor (QSA), he is also proficient with other regulatory disciplines including HIPAA,
NERC CIP, SOX/GLBA, and multiple IT Security baseline practices and frameworks
such as ISO 27001, COBIT, SANS, and NIST 800-53. Strand regularly speaks about
security and compliance issues and best practices on webinars and at industry
conferences. He has authored many white papers, published articles in security industry
journals and books, and is frequently quoted as a thought leader by leading media
outlets.
5,329,418,398 global records lost since 2013 … (source: Breach Level Index)
Why we should refocus our approach…
The Threat Landscape
Regulations
Breaches & Incidents
Setting the Stage – Industry Compliance Pillars
• Eliminate Control Clutter – Unite business silos, empowering the executive office
• Increase Worker Efficiency – Spend less on resources and maintain compliance
• Improve Compliance Adoption – Speed attainment and reduce administration
• Extend the Value of Technology Investments – Consolidate existing infrastructure
INDUSTRY
• NIST
• HIPAA
• PCI-DSS
• SOX/GLBA
GOVERNMENT
• PIPA – Personal Information Protection Act
• FIPPA
PARTNER
• Third-party Risk Policy
• Risk Assessment
CORPORATE
• Data Retention
• Data Privacy
• Data Protection
• Licensing
Consequences of a weak security and compliance posture
Board Level – Cyber security is the #1 worry of Directors and Chief Legal Counsel.
CEO – A national retail CEO was fired following a data breach.
Reputation – 1 in 3 consumers stop visiting businesses impacted by data breaches.
Stock Price – A payment provider lost $800M in shareholder value following a breach.
Customer Impact – 1 in 2 Americans were impacted by a data breach last year.
Legal – Data breach reporting and litigation can cost millions.
Audits/Assessments – Increased focus and scrutiny by auditors; greater fines.
Security objectives and risk measures
The year of ransomware: The game has changed
• Ransomware is on track to be a $1 billion crime in 2016
• 25+ variants of ransomware families have been identified
• 4,000+ ransomware attacks happened daily since January 1, 2016
• Phishing is the most popular ransomware attack vector
• The top-5 variants in the U.S. are: CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas, Locky
2015: $24 million | Jan – March 2016: $209 million
Liability is increasing via Ransomware
July 2016, U.S. Department of Health and Human Services:
“Ransomware attacks against a health facility or provider will generally be considered a breach of personal information under the Health Information Portability and Accountability Act.”
Jocelyn Samuels, Director of the agency's Office for Civil Rights:
“When electronic protected health information is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information).”
Protected Health Information (PHI)
Trends show security priority change…
2014
• Complying with standards and other regulatory requirements
• Respond to new or emerging threats or advanced persistent threats (APTs)
• Recover quickly from a breach incident
• Assure resiliency of IT operations
2016
• Respond to new threats or advanced persistent threats and zero-day attacks
• Protect integrity of patient data
• Secure supporting infrastructure (e.g., addressing technical deficiencies or vulnerabilities in applications, middleware, network as a whole)
• Meet regulatory compliance goals
* SANS Healthcare Systems Survey 2016
Trends towards ensuring internal compliance
• Infrastructure is even more key
  – Supporting infrastructure is considered a “critical asset at high risk” by 50%
  – High-integrity infrastructure, free of malware, is considered an effective cloud security control by 75%
• Emerging technologies are gaining ground
  – Threat intelligence is considered effective by 70%
Importance of prevention plus compliance
             Insider    3rd party
Negligent    28.5%      8%
Malicious    10.9%      8%
Total        39.4%      16%
* SANS Healthcare Systems Survey 2016
Top 10 reasons to develop a cyber security scorecard
10. Improve cyber security posture
9. Improve awareness of cybersecurity across the business
8. Increase credibility and transparency
7. Report and communicate the true posture of security
6. Make smarter security investment and strategy decisions
5. Increase corporate accountability
4. Accelerate corporate efforts on risk reduction
3. Justify resource investment and prioritization
2. Expose vulnerabilities that lead to liability
1. Reduce corporate liability
Anatomy of a Ransomware Attack
The cybersecurity attack kill chain
1. Reconnaissance
2. Attack is Launched
3. Attack Penetrates the Enterprise
4. Attacker Moves Undetected
5. Key Information is Stolen
6. Realization of Breach and tracks covered
Phases: Preparation – Intrusion – Active Breach – Response / Fallout
Align Security Framework to ensure Security Control Measure
Enforce security and compliance controls appropriately when needed
Automatically educate users about Compliance and Security policy as it’s being enforced
Control functions: Categorize / Classify – Monitor – Detect – Response / IR – Protect – Enforcement
CYBERSECURITY SCORECARD RECIPE
Security Controls: Software Asset Analysis | Asset Integrity Monitoring | Patch & Vulnerability Analytics | Threat Prevent & Reporting | Policy Enforcement & Remediation
Policy / Framework sources: FFIEC, NIST 800-53, COBIT, Internally Developed, ISO, Provincial Law, PIPA / PIPEDA, SOX / GLBA, DISA STIGs, FIPPA, PCI DSS, HIPAA, FERPA, CBEST, HITRUST CSF, ASD Top 35, SAS70, NERC, CIS CSC Top 20
Cybersecurity scorecard – map to the PCI DSS prioritized approach
MILESTONE STEPS
• Remove sensitive authentication data and limit data retention
• Protect systems and networks, and be prepared to respond to a system breach
• Secure card data applications
• Monitor and control access to your systems
• Protect card data information
• Finalize remaining compliance efforts, and ensure all controls are in place
QUICK WINS FOR SCORECARD
• Provides clarity and intelligence on your data policy – Classification and categorization
• Provides a response plan that can be aligned to protection policy – Protection and Response
• Security posture measure on payment systems – Measure
• Who, What, When, How – Monitor and Collection
• Provides proof of protection of critical data - Protection and Risk
• Provide Policy Enforcement proof and effective control
FFIEC Cybersecurity Assessment Tool
Inherent Risk Profile – 39 questions on risk, rated as Low Inherent Risk, Minimal Inherent Risk, Moderate Inherent Risk, Significant Inherent Risk, or Most Inherent Risk
Cybersecurity Maturity – 494 Y/N questions across five domains:
Domain 1: Cyber Risk Management & Oversight
Domain 2: Threat Intelligence & Collaboration
Domain 3: Cybersecurity Controls
Domain 4: External Dependency Management
Domain 5: Cyber Incident Management and Resilience
Cybersecurity Controls – layered maturity model to measure security and compliance
Layers, from foundation to top: Classification – Monitor & collection – Measure risk – Detect threats – Enforce policy – Remediate – Align to framework / policy – Automate reporting – Target gaps
IT security risk modeling – common steps, from foundation to top: Business objectives/risk – Security objectives/risk – Understand stakeholders – RACI documentation – Identify sponsors & resources – Apply a framework – Implement a policy – Collect data based on policy – Report critical controls
Cybersecurity control maturity model audit scorecard
Maturity levels: Conform assets – Protect data integrity – Proactively monitor critical systems – Threat protection and defense – Enforce security and compliance policy
Measured against: Regulations, frameworks, policies; Business assets. Goal: lowest risk, lowest liability.
Visibility
• Continuous asset recording aligned to compliance and security
Detection
• Aggregated community threat intel detecting patterns of behavior
Prevention
• Policy-based default-deny with Change Control
Response
• Attack disruption & containment with Automated remediation to Prove Policy Enforcement
Integration
• Integration across the security stack
Cybersecurity scorecard – Focus on critical controls
Classification – Monitor and Collection – Measure Risk – Detect Threats – Enforce Policy – Remediate – Align to Framework – Automate Reporting – Target Gaps
Focus on the Business Process
In Scope Assets
Zero Trust Stance on Assets:
Trust policy allows quick identification of the bad by filtering out trusted files/processes first
Prevention:
Trust drives and optimizes the prevention techniques in place to protect critical data and enforces Security and Compliance Policy across in-scope systems
Business Policy
• Software distribution
• Patch management
• Application auto-updates
• Help desk
IT-Driven Trust
• Trusted Updater (e.g., SCCM, Chrome)
• Trusted Directory (e.g., \\gold_dir)
• Trusted Publisher (e.g., Mozilla)
• Trusted User (e.g., help_desk)
• And more…
Cloud-Driven Trust – Trust Policy
User Downloaded – Classification (figure: classification scores for examples such as Keylogger, Chrome, Your app)
Monitor and Collection
• Employ Asset Integrity Control vs. Monitoring:
  – A process of segmenting systems and files that are relevant to a particular standard from other assets in order to narrow the scope of compliance efforts and reduce unnecessary information (noise).
REDUCE Cyber Security NOISE
• File Integrity Monitoring based on a trust policy can help Control Change
• Use your established trust policy to detect changes as they occur or are attempted on the front end
• Use your policies to establish what is allowed as per your business process – stop everything else
• Respond to events close to when they happen, not after file changes have been collated and analyzed
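As an added example (not from the original deck or Carbon Black's product), here is a small default-deny trust-policy evaluator in Python that applies the four trust sources from the Zero Trust slide (trusted updater, directory, publisher, user) to file-integrity events, so that only the unexplained, user-downloaded changes remain for review. The policy values, process names, paths and events are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class TrustPolicy:
    updaters: Set[str] = field(default_factory=set)     # trusted updater processes
    directories: Set[str] = field(default_factory=set)  # trusted source directories
    publishers: Set[str] = field(default_factory=set)   # trusted code-signing publishers
    users: Set[str] = field(default_factory=set)        # trusted users (e.g. help desk)

@dataclass
class FileEvent:
    path: str            # file that was written or executed on the endpoint
    publisher: str = ""  # signer of the file, "" if unsigned
    writer: str = ""     # process that wrote the file
    user: str = ""       # account that introduced it

def evaluate(policy: TrustPolicy, ev: FileEvent) -> Tuple[str, str]:
    """Return ("allow", reason) if a trust source covers the event, else
    ("deny", reason). Trusted sources are checked first; the default is deny,
    so an unproven file never gets an implicit allow."""
    if ev.writer in policy.updaters:
        return "allow", f"trusted updater: {ev.writer}"
    for d in policy.directories:
        if ev.path.lower().startswith(d.lower()):
            return "allow", f"trusted directory: {d}"
    if ev.publisher and ev.publisher in policy.publishers:
        return "allow", f"trusted publisher: {ev.publisher}"
    if ev.user in policy.users:
        return "allow", f"trusted user: {ev.user}"
    return "deny", "unknown: no trust source matched (user-downloaded?)"

def triage(policy: TrustPolicy, events: List[FileEvent]) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket events into allow/deny so the unexplained ones stand out (noise reduction)."""
    out: Dict[str, List[Tuple[str, str]]] = {"allow": [], "deny": []}
    for ev in events:
        decision, reason = evaluate(policy, ev)
        out[decision].append((ev.path, reason))
    return out

# Constructed sample policy and events (hypothetical values, not from the deck).
POLICY = TrustPolicy(updaters={"ccmexec.exe", "chrome.exe"},  # SCCM client, Chrome updater
                     directories={"\\\\gold_dir\\"},           # UNC share \\gold_dir\
                     publishers={"Mozilla Corporation"},
                     users={"help_desk"})
EVENTS = [
    FileEvent(r"C:\Program Files\Google\Chrome\new.dll", writer="chrome.exe"),
    FileEvent(r"\\gold_dir\tools\agent.exe", user="deploy"),
    FileEvent(r"C:\Users\bob\Downloads\firefox.exe", publisher="Mozilla Corporation", user="bob"),
    FileEvent(r"C:\Users\bob\Downloads\invoice.exe", writer="outlook.exe", user="bob"),
]
```

Running triage(POLICY, EVENTS) explains three of the four events by a trust source and leaves only the unsigned, mail-client-written download in the deny bucket for an analyst.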
Measure Risk
Detect – Attack patterns, IOCs & analysis
Reputation – Good, bad & unknown
Classify – Attack context and threat actor attribution
Collective Intelligence: 3rd Party, United Intel, Threat Research (analysis of threat data from millions of endpoints), Community Threat Intel
Endpoints: Monitor and record events against policy; detect and prioritize threats; actionable events
Policy
Penetration Testing
Attack Simulation
Detect threats
Combine Positive Security + Reactive Security
Threat Prioritization, Detection, & Response – Data Collection
In-Scope Assets – TRUST POLICY
Threat Intelligence
Reputation – Trust rating for known-good, known-bad & unproven assets
Threat Indicators – Indicators of attack behaviors and compromise (IOCs, machine learning heuristics, signatures)
Attack Classification – Comprehensive attack attribution & context
Proactive Analysis of Risk
Enforce policy across the kill chain
1. Reconnaissance
2. Attack is Launched
3. Attack Penetrates the Enterprise
4. Attacker Moves Undetected
5. Key Information is Stolen
6. Realization of Breach and tracks covered
Phases: Preparation – Intrusion – Active Breach – Response / Fallout
Actively enforce policy via security framework across lifecycle
• Enforce security and compliance policies at critical stages of attack
• Confirm both direct and compensating controls aligned against chosen framework
• Collect and provide education to all stakeholders and users regarding compliance and security policy enforcement
Control functions: Categorize / Classify – Monitor – Detect – Response / IR – Protect – Enforcement
Questions
Anyone?