A Cybersecurity Strategy
How to Stop Worrying and Love the Cybersecurity Strategy
Elements of a Cybersecurity Strategy
7/16/2015 University of Wisconsin–Madison 3
1. Have a commonly agreed-to purpose
2. Be understood by the community
3. Establish a governance model
4. Assign accountability
5. Have a communications plan
6. Be flexible and adaptable to change
Cybersecurity Panel
Elaine Gerke
UW-Health
Director – IS Systems Security
Max Babler
Madison Gas & Electric
Director – Information Security
Nicholas Davis
UW System Administration
Chief Information Security Officer
Bob Turner
UW-Madison
Chief Information Security Officer
Discuss the importance of long-term planning to achieve resilience across the IT and business organizations.
Introduction Question
How are you planning cybersecurity strategies and initiatives?
UW Health IS Systems Security Cybersecurity Strategy in a Healthcare HIPAA Covered Environment
Understanding the Business of Healthcare – Both clinical care and research; the work must go on!
Understanding Cyber Vulnerabilities and Threats
– Keep a current inventory. Know what belongs in your environment and what doesn’t. Be the gatekeeper!
– Monitoring logs, automated alerts, and pursuing a SIEM solution for correlation of event logs
– Conducting regular vulnerability assessments and penetration testing, and using different vendors
– Coordination and collaboration of intelligence sharing (UW Campus, State of Wisconsin, FBI, etc.)
– Exploring the possibility of shared expertise in the event of a cyber attack
– Conducting Root Cause Analysis of events; get staff thinking outside the box, not only about remediations but also about preventative strategies
– Tracking events, both large and small
UW Health IS Systems Security Cybersecurity Strategy in a Healthcare HIPAA Covered Environment – Cont.
The Balancing Act – Securing our patients’ data while allowing appropriate access
– Technical guardrails
• Know your data – What it is, and where it lives
• External facing servers housed in DMZ with limited access
• Locking down endpoints, and limiting elevated privilege accounts
• Segregation of duties
• Restriction of traffic where possible for DLP (ports, protocols, services, and requirement of administrative rights to move the data, etc.)
• Use of Blacklisting and Application Whitelisting (current FY project)
• Secure Compute Environment – VDI with honest broker as gatekeeper
– Securing the Human / Training and Education of Staff
• Annual required training
• Use every opportunity to reinforce security education
• Run Phishing Campaigns
• Understanding HIPAA requirements and liability in our environment
• Multi-factor Authentication
Who am I?
• Maxwell Babler
• Director of Information Security – Madison Gas and Electric
• Staff of 10 security professionals and managers
• 18+ years in IT
• Developer / Server Operations
• Enterprise Architecture / Site Audit / Management
• MGE
• Community Focused
• Serve primarily in Madison area – including this building
• Diverse generation portfolio including Gas, Wind and Solar
• One of the smallest publicly traded utilities in the US
Where am I on Strategy?
• Working to establish the first 5 year strategic roadmap for Security
• Established Service domains to measure against
• Assessed functions with CMMI rankings
• Industry and Gartner scoring
• Arranged efforts based on priority, tied to improvement areas
• My role:
• Responsible for leading the creation of the security strategy
• Play key role in socialization and outreach for the strategy itself
• IT Areas
• Wider Business Partners (Engineering & Operations)
• Sr. Leadership
• Board of Directors
What guides my Strategy?
• Values:
• CIAS – Confidentiality. Integrity. Availability. Safety.
• PBR – Plan. Build. Run.
• SMS – Simple. Manageable. Secure.
• CBTS – Customer. Business. Technology. Security.
• Compliant, but then secure
• Goals:
• Deter attacker as much as possible – keeping the business use in mind
• Have a robust and fast incident response
• Have a flexible, fast and inclusive business continuity plan
• Frameworks:
• NIST – National Institute of Standards and Technology
• SOX – Sarbanes Oxley Act
• NERC CIP – National Electric Reliability Council, Critical Infrastructure Protection
• Domains:
• Data Management
• Consulting
• Identity Access Management
• Risk and Compliance
• Infrastructure Network
• Endpoint
• Business Resiliency and Continuity
Nick Davis
Areas of expertise
• Security Awareness: The knowledge and attitude members of an organization possess regarding the protection of the physical and especially, information assets of that organization.
• Cryptosystem: Any sort of methodology for encoding data so that only a desired party is capable of decoding and accessing it.
• Information Assurance: The practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and systems.
Notable Achievements
• Lecturer of Information Security courses at both the undergraduate and graduate level, at UW-Madison, Cardinal Stritch University and Madison Area Technical College.
• Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA)
• Member, FBI InfraGard: InfraGard is a non-profit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation.
Higher Education is a whole new world…
Things I really liked (for the most part…)
• Organization – we were aligned for success in critical competencies
• Staff were performing relevant and meaningful cybersecurity tasks
• Incident Response – Metrics and Trends
• Threat Intel and Reporting
• Security Education and Training
Things that surprised me!!!!
• Vulnerability scanning & analysis is inconsistent / infrequent
• Lack of periodic (comprehensive) security assessments
• Tangled funding sources for staff engagements
• Inconsistent security engineering and formal approval for connecting or operating information systems
• Decentralized governance of security functions
My First 100 Days – (a.k.a. the firehose treatment)
Why build a strategy?
Options: Detection or Prevention
• Last strategic plan was five years old and never formally adopted by leadership
• Newer technology breeds newer and more sophisticated threats
• Well engineered and professional looking malware
• Zero Day attacks continue to increase in volume (24 tracked in 2014)*
• Total Days of Exposure for malware was over 295 in 2014*
• Threat Actors are more clever and the stakes are higher
• Campaigns such as Dragonfly, Waterbug, and Turla infiltrated industrial systems, embassies, and other sensitive targets*
• Volume and Complexity of Threat Activity Increasing
• Spear-Phishing attempts increased by 8% and became more sophisticated
• Increased “State Sponsored” cyberespionage and greater focus on Higher Education*
• Optimized risk management requires cybersecurity approaches that center on the data
“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.”
- Sun Tzu (Ancient Chinese Military Strategist)
Getting to work…
Know what you want at the end of the run…
• This is more than a Gap Analysis and Cybersecurity is more than a service function
• Understand the assets and the need for protection
• Be prepared to “dovetail” business risk to the security plans
• Know where you are and where you want to be – it’s that simple!!!
The mindset you need to create a useful strategy:
Executive Buy-In
• Support from the CIO and other C-Leaders plus VPs
• Discussions that align guidance to business strategy
Speak in a Common Language
• Level set the definitions of risk, vulnerability and threat
• Understand how the business works and how managers talk
Do not be the “Merchant of No!”
• Learn the fastest way to get to YES!
“Security Teams must demonstrate the ability to view business problems from different or multiple perspectives.”
– Gus Agnos (VP Strategy & Operations at Synack)
It has to be a team effort involving domain leaders and key performers
Where is our focus?
Cybersecurity Incident Response Cycle
Incident Response – Metrics and Trends
Data Classification
Components of UW-Madison Cybersecurity Strategy
Preparation is key!
You cannot do this alone!
• Working Groups and Committees (UW-MIST, MTAG, ITC, TISC, etc.)
• Cybersecurity Leadership Team
Executive and Department/College/Business Unit Buy-In
• Cost, Schedule, Performance
• Governance and Collaboration
UW-Madison Cybersecurity Strategy
Strategic Elements
• Data Governance and Information Classification Plan
• Establish the UW-Madison Risk Management Framework
• Build community of experts / improve user competence (SETA)
• Consolidate Security Operations & institute best practices
• Improve Cyber Threat Analysis / Dissemination / Remediation
• Optimize Services, Security Metrics, Compliance & CDM
• Establish Collaborative Partnerships to assure teaching and research availability (Wisconsin Idea)
• Develop and refine sustainable security ops / risk assessments
Enabling Objectives
• Retain previous strategy’s actions (“find it / delete it / protect it”)
• Enable & support culture to value cybersecurity & reduce risk
• Establish Restricted Data Environments
• Central data collection / aggregation to analyze security events
• Identify and seek sources of repeatable funding
• Identify UW-Madison compliance issues (FERPA, HIPAA, PCI-DSS, Red Flags Rule, etc.)
• Develop & implement a marketing and communications plan