• No results found

Applying IBM Security solutions to the NIST Cybersecurity Framework

N/A
N/A
Protected

Academic year: 2021

Share "Applying IBM Security solutions to the NIST Cybersecurity Framework"

Copied!
12
0
0

Loading.... (view fulltext now)

Full text

(1)

Applying IBM Security solutions to the NIST Cybersecurity Framework

Help avoid gaps in security and compliance coverage as threats and business

requirements change

(2)

Introduction

Approaching risk management and security frameworks is not a simple exercise. With cyber threats changing all the time—and with them, an organization’s business environment and ability to meet new changing requirements—the ability to apply new risk strategies is critical. Such strategies are applied to the differing levels of security needed in order to evolve and support business operations and risk, not simply as an effort in compliance.

Using the Framework for Improving Critical Infrastructure

Cybersecurity,1

a set of guidelines and practices created by the US National Institute of Standards and Technology (NIST), provides government and non-government organizations with a vital first step toward managing cyber-security risk. Moving forward, organizations need solutions that not only satisfy the NIST Cybersecurity Framework at the time of deployment but that also enable continued security as threats and business needs change and evolve.

This white paper will enumerate the Core Practices created in the NIST Cybersecurity Framework (referred to as the

“NIST framework”) and map each category and subcategory to the IBM solutions that can help meet the specific requirements.

The components of the NIST framework

The NIST framework contains five categories of “core” func- tions that are necessary to achieving cyber security: Identify, Protect, Detect, Respond and Recover. Each of these categories is subdivided into as many as 11 subcategories that describe actions or processes that support the function. With a total of nearly 90 subcategories in the NIST framework, the challenge then becomes how to ensure the organization has the solutions and capabilities it needs to use the framework as a key strategic element in the ongoing processes of managing risk.

Key steps in utilizing the NIST framework are to identify the organization’s “implementation tier”—a designation that indicates the degree to which the organization’s cyber-security solutions are achieving the risk tolerance of subcategories—and

to establish a “framework profile”—desired outcomes from using the NIST framework in both the current and future timeframes.

Periodic reviews of needs and capabilities are central to the framework’s ongoing effectiveness.

When applying the NIST framework, organizations must pay close attention to shifting threats and the constant need to improve their ability to meet the suggested best practices within the NIST subcategories.

Organizations that have no security strategy, that have adopted security measures only in response to specific threats, or that have implemented solutions only because they have been mandated will require more thorough planning and strategy to utilize the NIST framework within their business operations.

IBM Security solutions for evolving needs

IBM® Security solutions provide a comprehensive portfolio that can address the NIST framework core categories and subcatego- ries, implementation tiers and framework profiles, while also enabling organizations to advance through the tiers and close gaps to meet their risk goals and objectives. Many IBM solutions address multiple core subcategories with integrated functions that are critical to ensuring cost-efficiency, simplifying manage- ment, and providing the scalability and flexibility necessary to avoid gaps in coverage as threats evolve and change.

For organizations just beginning to use the NIST framework, IBM Security solutions provide a manageable starting point.

For organizations with more mature security strategies and more complex and demanding protection needs, IBM Security solu- tions provide comprehensive controls and integrated actions to support strict risk profiles.

The tables on the following pages demonstrate how the entire

span of the IBM Security portfolio—including products and

services—can help organizations achieve the insight, understand-

ing and management capabilities necessary to identify vulnera-

bilities, protect assets, control access and manage cyber-security

risks.

(3)

Identify

Category Subcategory IBM offerings

Asset Management ID.AM-1: Physical devices and systems within the organization are inventoried.

IBM Security QRadar® Vulnerability Manager, IBM Endpoint Manager, IBM Security Access Manager ID.AM-2: Software platforms and applications within

the organization are inventoried.

QRadar Vulnerability Manager, Endpoint Manager, Fiberlink,* IBM Security AppScan®

ID.AM-3: The organizational communication and data flow is mapped.

IBM Security QRadar SIEM, IBM Global Technology Services® – Information Security Framework ID.AM-4: External information systems are mapped

and cataloged.

IBM Security QRadar, Global Technology Services – Information Security Framework, IBM Global Business Services®, IBM OpenPages®, IBM i2® Intelligence Analysis Platform

ID.AM-5: Resources are prioritized based on the classifica- tion/criticality/business value of hardware, devices, data and software.

QRadar SIEM, QRadar Vulnerability Manager, IBM Security AppScan, IBM Security Access Manager, OpenPages, Global Technology Services – Security policy planning and development, Global Business Services

ID.AM-6: Workforce roles and responsibilities for business functions, including cyber security, are established.

IBM Security Identity Manager, IBM Security Privileged Identity Manager, IBM Security Access Manager, Global Technology Services – Industrial Controls Cybersecurity Consulting, Global Business Services Business Environment ID.BE-1: The organization’s role in the supply chain is

identified and communicated.

Global Technology Services, Global Business Services

ID.BE-2: The organization’s place in critical infrastructure and their industry ecosystem is identified and communicated.

Global Technology Services – Industrial Controls Cybersecurity consulting, Global Business Services

ID.BE-3: Priorities for organizational mission, objectives and activities are established.

Global Technology Services – Security policy planning and development, Global Business Services, OpenPages, IBM Cognos®

ID.BE-4: Dependencies and critical functions for delivery of critical services are established.

QRadar SIEM, IBM Security QRadar Risk Manager, Global Technology Services – Security policy planning and development, Global Business Services

ID.BE-5: Resilience requirements to support delivery of critical services are established.

Global Technology Services – Security Risk Assessment, Global Business Services, QRadar SIEM,

QRadar Risk Manager

(4)

Identify

Category Subcategory IBM offerings

Governance ID.GV-1: Organizational information security policy is established.

OpenPages, Global Technology Services – Security policy planning and development, Global Business Services, QRadar SIEM, QRadar Risk Manager, IBM Security SiteProtector™ System

ID.GV-2: Information security roles and responsibility are coordinated and aligned.

IBM Security Identity Manager, IBM Security Access Manager, OpenPages, Global Technology Services – Identity assessment and strategy, Global Business Services, i2 Intelligence Analysis Platform ID.GV-3: Legal and regulatory requirements regarding

cyber security, including privacy and civil liberties obligations, are understood and managed.

OpenPages, Global Technology Services – Industrial Controls Cybersecurity Consulting, Global Business Services, QRadar Risk Manager

ID.GV-4: Governance and risk management processes address cyber-security risks.

QRadar SIEM, QRadar Risk Manager, OpenPages, Global Technology Services – Security Risk Assessment, Global Business Services

Protect

Category Subcategory IBM offerings

Access Control ID.RA-1: Asset vulnerabilities are identified and documented.

IBM Security Identity Manager, IBM Security Privileged Identity Manager, IBM Security Access Manager ID.RA-2: Threat and vulnerability information is received

from information-sharing forums and sources.

Global Technology Services – Industrial Controls Cybersecurity Consulting, Global Business Services ID.RA-3: Threats to organizational assets are identified

and documented.

IBM Security Identity Manager, IBM Security Privileged Identity Manager, IBM Security Access Manager, Global Technology Services – Industrial Controls Cybersecurity Consulting, IBM Information Security Assessment ID.RA-4: Potential impacts are analyzed. IBM Security Access Manager, IBM Tivoli® Federated

Identity Manager, IBM Security Access Manager for Enterprise Single Sign-On, Global Technology Services – Industrial Controls Cybersecurity Consulting

ID.RA-5: Risk responses are identified. QRadar Vulnerability Manager, SiteProtector System

(5)

Protect

Category Subcategory IBM offerings

Awareness and Training PR.AT-1: General users are informed and trained. Global Technology Services, Global Business Services PR.AT-2: Privileged users understand roles and

responsibilities.

Global Technology Services – Identity assessment and strategy, Global Business Services,

IBM Security Privileged Identity Manager, OpenPages PR.AT-3: Third-party stakeholders (suppliers, customers,

partners) understand roles and responsibilities.

Global Technology Services, Global Business Services, OpenPages

PR.AT-4: Senior executives understand roles and responsibilities.

Global Technology Services – Identity assessment and strategy, Global Business Services, OpenPages PR.AT-5: Physical and information security personnel

understand roles and responsibilities.

Global Technology Services – Identity assessment and strategy, Global Business Services, OpenPages, i2 Intelligence Analysis Platform

Data Security PR.DS-1: Data at rest is protected. IBM Tivoli Storage Manager, IBM InfoSphere® Optim™

PR.DS-2: Data in motion is secured. IBM Security Key Lifecycle Manager PR.DS-3: Assets are formally managed throughout

removal, transfers and disposition.

QRadar SIEM, Tivoli Storage Manager, Global Technology Services – Data security strategy and assessment PR.DS-4: Adequate capacity to ensure availability is

maintained.

Global Technology Services, Global Business Services

PR.DS-5: There is protection against data leaks. QRadar SIEM, SiteProtector System,

IBM Power Systems™ GX adapters, IBM InfoSphere Guardium®, Global Technology Services – Endpoint &

network data loss prevention

PR.DS-6: Intellectual property is protected. QRadar SIEM, Tivoli Storage Manager,

IBM Security Key Lifecycle Manager, InfoSphere Guardium, Global Technology Services – Endpoint and network data loss prevention

PR.DS-7: Unnecessary assets are eliminated. Tivoli, QRadar SIEM, Endpoint Manager PR.DS-8: Separate testing environments are used in

system development.

Global Technology Services – Data security strategy and assessment, Global Business Services

PR.DS-9: Privacy of individuals and personally identifiable information (PII) is protected.

InfoSphere Optim, InfoSphere Guardium, Power Systems GX adapters, QRadar SIEM, IBM Security Access Manager

(6)

Protect

Category Subcategory IBM offerings

Information Protection PR.IP-1: A baseline configuration of information technology/operational technology systems is created.

QRadar SIEM, Endpoint Manager

PR.IP-2: A system development lifecycle to manage systems is implemented.

Global Technology Services – Cybersecurity Assessment and Response, Global Business Services

PR.IP-3: Configuration change control processes are in place.

IBM Tivoli Configuration Manager, Endpoint Manager, QRadar SIEM

PR.IP-4: Backups of information are managed. Tivoli Storage Manager PR.IP-5: Policy and regulations regarding the physical

operating environment for organizational assets are met.

Global Business Services, Global Technology Services – Industrial Controls Cybersecurity Consulting

PR.IP-6: Information is destroyed according to policy and requirements.

Global Business Services, Global Technology Services, Tivoli Storage Manager

PR.IP-7: Protection processes are continuously improved. Global Business Services, Global Technology Services PR.IP-8: Information sharing occurs with

appropriate parties.

IBM X-Force® research and development team

PR.IP-9: Response plans (business continuity plan(s), disaster recovery plan(s), incident handling plan(s) are in place and managed.

Global Business Services, IBM IT Emergency Response Services

PR.IP-10: Response plans are exercised. Global Business Services, IBM IT Emergency Response Services

PR.IP-11: Cyber security is included in human resources practices (including de-provisioning, personnel screening and others).

IBM Security Identity Manager, IBM Security Access Manager

(7)

Protect

Category Subcategory IBM offerings

Maintenance PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools.

QRadar SIEM

PR.MA-2: Remote maintenance of organizational assets is approved, logged and performed in a manner that prevents unauthorized access and supports availability requirements for important operational and information systems.

QRadar SIEM, IBM Security Identity Manager, Fiberlink*

Protective Technology PR.PT-1: Audit and log records are stored in accordance with audit policy.

QRadar SIEM, QRadar Risk Manager, Global Technology Services – Security policy planning and development PR.PT-2: Removable media are protected according to a

specified policy.

System Storage, Tivoli Storage Manager, Endpoint Manager

PR.PT-3: Access to systems and assets is appropriately controlled.

IBM Security Identity Manager, IBM Security Access Manager, Global Business Services, Global Technology Services – Security policy planning and development PR.PT-4: Communications networks are secured. SiteProtector System, Power Systems GX adapters PR.PT-5: Specialized systems are protected according

to the risk analysis (SCADA, ICS, DLS).

SiteProtector System, Power Systems GX adapters

(8)

Detect

Category Subcategory IBM offerings

Anomalies and Events DE.AE-1: A baseline of normal operations and procedures is identified and managed.

QRadar SIEM, QRadar Vulnerability Manager, SiteProtector System, IBM Security Network Protection XGS,

Power Systems GX adapters, Global Technology Services – Industrial Controls Cybersecurity Consulting DE.AE-2: Detected events are analyzed to understand

attack targets and methods.

QRadar SIEM, SiteProtector System, IBM Security Network Protection XGS, Power Systems GX adapters

DE.AE-3: Cyber-security data is correlated from diverse information sources.

QRadar SIEM

DE.AE-4: Impact of potential cyber-security events is determined.

QRadar SIEM, QRadar Risk Manager

DE.AE-05: Incident alert thresholds are created. QRadar SIEM, SiteProtector System Security Continuous

Monitoring

DE.CM-1: The network is monitored to detect potential cyber-security events.

SiteProtector System, IBM Security Network Protection XGS, Power Systems GX adapters, QRadar, Global Technology Services – IBM Managed Security Services DE.CM-2: The physical environment is monitored to

detect potential cyber-security events.

Global Technology Services, Global Technology Services – Managed Security Services

DE.CM-3: Personnel activity is monitored to detect potential cyber-security events.

IBM Security Access Manager, IBM Security Identity Manager, IBM Security Privileged Identity Manager, QRadar SIEM, Global Technology Services – Managed Security Services

DE.CM-4: Malicious code is detected. IBM Security Network Protection XGS, Power Systems GX adapters, Endpoint Manager, Fiberlink,* QRadar SIEM, Global Technology Services – Managed Security Services DE.CM-5: Unauthorized mobile code is detected. Endpoint Manager, Fiberlink*

DE.CM-6: External service providers are monitored. SiteProtector System, IBM Security Network Protection XGS, Power Systems GX adapters, Global Technology Services, Global Business Services, Global Technology Services – Managed Security Services

DE.CM-7: Unauthorized resources are monitored. QRadar SIEM, Endpoint Manager, Global Technology Services – Managed Security Services

DE.CM-8: Vulnerability assessments are performed. AppScan, QRadar Vulnerability Manager

(9)

Detect

Category Subcategory IBM offerings

Detection Processes DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability.

IBM Security Identity Manager, IBM Security Privileged Identity Manager, IBM Security Access Manager, QRadar SIEM, Global Technology Services, Global Business Services, OpenPages DE.DP-2: Detection activities comply with all applicable

requirements, including those related to privacy and civil liberties.

Global Technology Services, Global Business Services

DE.DP-3: Detection processes are exercised to ensure readiness.

QRadar SIEM, QRadar Vulnerability Manager

DE.DP-4: Event detection information is communicated to appropriate parties.

SiteProtector System, IBM Security Network Protection XGS, QRadar SIEM, OpenPages, AppScan

DE.DP-5: Detection processes are continuously improved.

Global Technology Services – Security policy planning and development, Global Business Services

Respond

Category Subcategory IBM offerings

Response Planning RS.PL-1: Response plan is implemented during or after an event.

IBM IT Emergency Response Services,

Global Business Services, Incident Response/ERS Communications RS.CO-1: Personnel know their roles and order of

operations when a response is needed.

IBM IT Emergency Response Services, Global Business Services, IBM Security Identity Manager, IBM Security Privileged Identity Manager, SiteProtector System, IBM Security QRadar SIEM, Security Operations Personnel, Incident Response/ERS

RS.CO-2: Events are reported consistent with established criteria.

IBM IT Emergency Response Services,

Global Business Services, Security Operations Personnel, Incident Response/ERS

RS.CO-3: Detection/response information, such as breach reporting requirements, is shared consistent with response plans, including those related to privacy and civil liberties.

IBM IT Emergency Response Services, Global Business Services, Security Operations Personnel, Incident Response/ERS

RS.CO-4: Coordination with stakeholders occurs consistent with response plans, including those related to privacy and civil liberties.

IBM IT Emergency Response Services, Global Business Services, Security Operations Personnel, Incident Response/ERS

RS.CO-5: Voluntary coordination occurs with external stakeholders (for example: business partners, information sharing and analysis centers or customers).

Global Technology Services, Global Business Services, Security Operations Personnel, Incident Response/ERS

(10)

Respond

Category Subcategory IBM offerings

Analysis RS.AN-1: Notifications from the detection system are investigated.

SiteProtector System, QRadar SIEM

RS.AN-2: Understand the impact of the incident. IBM IT Emergency Response Services, Global Business Services, QRadar SIEM,

QRadar Risk Manager, QRadar Vulnerability Manager RS.AN-3: Forensics are performed. QRadar SIEM, eForensics

RS.AN-4: Incidents are classified consistent with response plans.

Global Technology Services, Global Business Services, SiteProtector System, QRadar SIEM, Security Operations Personnel, Incident Response/ERS

Mitigation RS.MI-1: Incidents are contained. QRadar SIEM, SiteProtector System, IBM Security Network Protection XGS, Fiberlink,* eForensics

RS.MI-2: Incidents are eradicated. Endpoint Manager, eForensics

Improvements RS.IM-1: Response plans incorporate lessons learned. Global Technology Services, Global Business Services, Security Operations Personnel, IBM IT Emergency Response Services

RS.IM-2: Response strategies are updated. IBM IT Emergency Response Services,

Global Business Services, Security Operations Personnel, Incident Response/ERS, Cognos, OpenPages,

IBM Security Network Protection XGS

(11)

Recover

Category Subcategory IBM offerings

Recovery Planning RC.RP-1: Recovery plan is executed. IBM IT Emergency Response Services,

Global Business Services, Tivoli Storage Manager, Security Operations Personnel, Incident Response/ERS Improvements RC.IM-1: Plans are updated with lessons learned. IBM IT Emergency Response Services,

Global Business Services, OpenPages,

Security Operations Personnel, Incident Response/ERS RC.IM-2: Recovery strategy is updated. IBM IT Emergency Response Services,

Global Business Services, Security Operations Personnel, Incident Response/ERS, OpenPages

Communications RC.CO-1: Public relations are managed. IBM IT Emergency Response Services, Global Business Services

RC.CO-2: Reputation after an event is repaired. IBM IT Emergency Response Services, Global Business Services

Conclusion

Utilizing the guidance in the NIST framework and implement- ing comprehensive solutions that correspond to various aspects of the core subcategories of the framework gives an organization the ability to apply risk management principles to cyber-security. Most importantly, it sets the stage for continuous self-assessment, security adjustments and capabilities for closing gaps in protection that typically appear as threats and business needs change. A comprehensive portfolio of solutions can posi- tion an organization to move up to higher levels of maturity in risk and cyber-security management. The NIST framework is a process-focused approach to security that is centered on incident prevention and response. It lays the groundwork for a range of higher-level approaches with different areas of focus.

●●

Domain frameworks such as the IBM Security Framework that address how IT security teams organize and execute their daily operations

●●

Sectoral frameworks that address the security concerns of specific business sectors

●●

Organizational frameworks that address the unique require- ments of an individual organization and its infrastructure

●●

Smart Architecture frameworks that deliver an architectural design for strengthening operations and security

All of these frameworks provide the building blocks for assessing controls and managing risk. The higher maturity levels help avoid a focus on security issues that have already occurred, with a concentration instead on managing emerging issues. They help elevate the security conversation to involve higher-level executives—assuring a proper focus on business needs.

Ultimately, they make it possible for the entire organization—

not IT alone—to have a stake in cyber risk management in

order to help ensure ongoing security improvement, smooth

transitions to new security technologies and provide greater

protection for the enterprise.

(12)

Please Recycle

portfolio, supported by world-renowned X-Force research and

development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applica- tions, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and deliv- ery organizations, monitors 15 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. W e’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit:

ibm.com/financing

Somers, NY 10589

Produced in the United States of America August 2014

IBM, the IBM logo, ibm.com, AppScan, Cognos, Global Business Services, Global Technology Services, Guardium, i2, InfoSphere, OpenPages, QRadar, Tivoli, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies.

A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

It is the user’s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED

“AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others.

No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

* Fiberlink Communications was acquired by IBM in December of 2013.

1National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity,” February 12, 2014.

http://www.nist.gov/cyberframework/upload/

cybersecurity-framework-021214-final.pdf

WGW03064-USEN-00

References

Related documents

To address these challenges, IBM provides Tivoli Identity Manager, a security- rich, automated, policy-based user management solution.. Designed as a key element of IBM

≡ Process variation affects both process flow and product quality. ≡ Compliance flows from

Initiation Planning Execution Controlling Closing Integration Mgmt Scope Mgmt Time Mgmt Cost Mgmt Quality Mgmt Human Resource Management

On the Manage Life Cycle Rules page, select the check box next to the lifecycle rule that you want to modify, and then click Change. The Manage Life Cycle Rules notebook

As part of each configuration, the IBM Security Identity Manager Office 365 Adapter must be installed on the computer that is running the IBM Tivoli Directory Integrator server.. For

When used with IBM Security QRadar QFlow Collector appli- ances or IBM Security QRadar VFlow Collector appliances, QRadar SIEM provides Layer 7 application visibility and flow

Security AppScan exports application vulnerabilities information into IBM Security SiteProtector™ System and Security QRadar solutions, where information can be correlated

IBM Tivoli Security Information and Event Manager V1.0 is comprised of two products: IBM Tivoli Security Operations Manager V4.1 and IBM Tivoli Compliance Insight Manager V8.5..