Welcome!
Note that audio will be through your phone.
Please dial: 866-740-1260
Access code: 6260070
The webcast will be 60 minutes in length with
time allotted for responding to questions.
An archive of the webinar will be available at
http://www.mhectech.org
or
http://www.youtube.com/user/mhec12
Designing and Building a Cybersecurity Program
Overview
• The Midwestern Higher Education Compact (MHEC)
• MHEC/EiQ Networks Master Price Agreement
• Justin Pennock, EiQ
• Special Guest: Larry Wilson, Information Security Lead, President’s Office, UMass
Interstate Compacts
• WICHE (1953)
• SREB (1948)
• NEBHE (1955)
• MHEC (1991)
What is a Compact?
The compact statute creating MHEC makes MHEC an instrumentality of state government of each of its member states. This statutory language gives MHEC broad contracting authority to help carry out its mission.
MHEC then enters into agreements for the benefit of its twelve member states, effectively letting institutions in one state pool their resources and expertise with different institutions in other states to gain advantages in the marketplace they otherwise would not be able to obtain.
Statutory Authority to Purchase from MHEC Contracts
• Illinois - Chapter 45 ILCS 155
• Indiana - Chapter IC 20-12-73
• Iowa - Chapter 261D
• Kansas - Chapter 72-60b01
• Michigan - Section 390.1531
• Minnesota - Section 135A.20
• Missouri - Section 173.700
• Nebraska - Section 85-1301
• North Dakota - Chapter 15-10.2
• Ohio - Chapter 3333.40
• South Dakota - Chapter 13-53C-1
• Wisconsin - Chapter 14.90
Security Event & Information Management
Competitively Sourced in 2011
Award to EiQ Networks
◦ Log Analysis
◦ Event Pattern Detection
◦ Compliance Automation
◦ Etc…
Contract Term: July 31, 2014 – August 1, 2015, with three one-year renewals (2018).
Master Price Agreement
• Product and Services Price List
• Large Order Negotiations
• Terms and Conditions
• EULA
http://www.mhectech.org/sites/mhectech.org/files/20110919eiqnetworks_mstr_0.pdf
Who is eligible to purchase?
• Compacts:
  ◦ MHEC’s 12 Midwestern states (ND & SD dual members)
  ◦ SREB’s 16 Southeastern states
  ◦ WICHE’s 15 Western states
• Higher Education
• K-12 districts and schools
• Cities, State and Local Governments
Contract Highlights
http://www.mhectech.org/
http://www.mhectech.org/eiq
Contract Page
http://mhectech.org/contracts
MHEC Resources
Contact Information:
• Nathan Sorensen, Strategic Information Technology (IT) Procurement Officer, 612-677-2767, [email protected]
• Rob Trembath, Vice President and General Counsel, 612-677-2763, [email protected]
• Mary Roberson, Director of Communications & Marketing, 612-677-2765, [email protected]
Effective Cyber Security Monitoring & Compliance
What is an effective security program?
Process
• A set of processes and best practices developed and implemented
  – Based on industry standards
Technology
• Immediate and comprehensive visibility into the “Threat”
  – Remove silos and connect the dots
People
• Trained, experienced Information Security professionals
  – Must be operational 24x7
What EiQ’s SOCVue Delivers:
Process
• Council on Cyber Security & SANS Critical Security Controls Automation
  – Continuously analyze your IT environment against security best practice
  – Identify weak links in your security posture
Technology
• EiQ SecureVue
  – Log Management & Security Monitoring
  – Correlation & Forensic Analysis
  – Compliance Reporting
  – Asset Discovery
People
• EiQ SOCVue Service
  – Certified Security & Product engineers
  – 24x7 Monitoring
  – Alert Notification and Remediation Guidance
  – On‐Demand Investigation
Larry Wilson, [email protected], October 23, 2014
Designing & Building a Cybersecurity Program
To protect our critical assets… Our Controls Factory
Midwestern Higher Education Compact
The Challenge: To our Corporate and Government Leaders
There is a global awakening among non-technologists:
• That we are vulnerable in cyberspace
• We are not organized well to protect ourselves
• We suffer from a “fog of more” …… more standards, more checklists, more devices, more things …
Where does your business stand on basic cybersecurity hygiene?
Our Executives need to ask five basic questions:
1. Do we know what’s connected to our systems and networks?
2. Do we know what’s running or trying to run on our systems and networks?
3. Are we limiting the number of people with administrative privileges to change, bypass or override the security setting?
4. Do we have continuous processes backed by security technologies that allow us to prevent most breaches, rapidly detect all that do succeed and minimize damage to our business and customers?
5. Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?
Because …. having these basic safeguards in place will prevent 80% to 90% of the known attacks.
– Jane Holl Lute, Council on Cybersecurity (served as Deputy Secretary for Homeland Security from April 2009 to April 2013)

Our Response: We Need to be Proactive ….
Manage our Risks
• Understand and establish a well-developed risk management model
Manage our Assets
• Inventory, prioritize, categorize (by type and value), safeguard
• Lifecycle Management (provision, de‐provision, discover, manage changes, reconciliation, monitor & alert)
• Because every security incident starts with a compromised asset
Alignment and Transparency
• Are we on the same page? Are we learning and improving? Are we testing and measuring? Are we maturing our program over time?
Secure our Assets
Manage our Risks
The Risk Equation
How do we calculate risk?
• Risk is based on the likelihood and impact of a cyber‐security incident or data breach (model)
• Threats involve the potential attack against IT resources and information assets (model)
• Vulnerabilities are weaknesses of IT resources and information that could be exploited by a threat (model)
• Asset Value is based on criticality of IT resources and information assets (assess)
• Controls are safeguards that protect IT resources and information assets against threats and/or vulnerabilities (assess)
• Residual risk includes a combination of unknown threats + unknown vulnerabilities + unmanaged assets (model)

Risk = (Threats × Vulnerabilities × Asset Value) / Controls + Residual Risk
Manage our Assets
Our Managed Assets ARE protected
• Identify and secure our managed assets
• We need to understand why security breaches occur, and the steps to take to prevent them
• What is our managed asset portfolio? We need to build a portfolio of managed assets
Our Unmanaged Assets ARE NOT protected
• Identify and secure our unmanaged assets
• There are undetected problems – not seen, not reported
• Our unmanaged assets become easy targets, which ultimately leads to a breach from missing or ineffective controls
• What is our unmanaged asset portfolio? We need to secure our unmanaged assets and add them to our managed asset portfolio
The Cybersecurity Controls Factory
Input: Current State ‐ “As‐is” Risk Environment
1.0 Threat Model
  1.1 Threats, Vulnerabilities, Consequences
  1.2 The Cyber Attack Chain
  1.3 Modeling Cyber Attacks
2.0 Controls Design
  2.1 Controls Framework & Standards
  2.2 The C³ Framework Components
  2.3 The Cybersecurity Controls Model
3.0 Controls Implementation
  3.1 Vendor Technologies & Services
  3.2 Security Programs & Projects
  3.3 Security as a Service (SaaS)
4.0 Controls Testing
  4.1 Controls Testing Guidelines
  4.2 Controls Testing Techniques
  4.3 Controls Assessment Procedures
Alignment and Transparency
The Assets (Unmanaged Assets* to Managed Assets*):
• 00: Master Blueprint – incorporates all programs and projects into a single program blueprint
• 01: Endpoint Devices ‐ laptops, workstations, smart phones, tablets, point of sale terminals, etc.
• 02: Applications & Spreadsheets ‐ developing and implementing secure applications based on BSIMM‐V
• 03: Network Security ‐ including the perimeter, across the LAN, WAN, wireless networks
• 04: Data Center Systems ‐ securing servers in the data center (windows, linux, etc.)
• 05: Databases ‐ database applications or stored functions, database systems, database servers, et
• 06: Identity & Access Governance ‐ securing users, accounts, entitlements
• 07: Data Governance ‐ processes, technologies, and methods used by data stewards and data custodians to handle data
• 08: Monitoring & Response Center ‐ real‐time monitoring, correlation and expert analysis of security activity
Output: Desired State ‐ “To‐be” Risk Environment
1.0 The Threat Model
1.1 The Threats, Vulnerabilities, Consequences
1.2 The Cyber Attack Chain
1.3 Modelling Cyber Attacks

1.1 Threats, Vulnerabilities, Consequences
Threats · Vulnerabilities · Consequences

1.3 Modelling Cyber‐Attacks
Process for Attack Simulation and Threat Analysis (PASTA)

2.0 The Controls Design
2.1 Controls Frameworks and Standards
2.2 The C³ Framework Components
2.3 The Cybersecurity Controls Model

2.1 The Controls Frameworks and Standards
• NIST Cybersecurity Framework Core Functions
• Council on Cybersecurity Critical Security Controls (CSCs)
• ISO 27002: 2013 Code of Practice for Information Security Controls
6/25/2014 Building a Cyber-security Program
2.2 The C³ Framework Components
The Voluntary Framework is a set of Cybersecurity Activities, Desired Outcomes and Applicable References.
Table columns: Function Unique Identifier | Function (basic activities) | Category Unique Identifier | Category (cybersecurity outcomes) | Subcategories (specific outcomes of technical or management activities) | Informative References (specific sections of standards, guidelines, and best practices)

ID Identify (24 activities)
  ID.AM Asset Management – 6 technical or management activities – aligned to ISO/IEC 27001:13 & CCS CSC best practices
  ID.BE Business Environment – 5 technical or management activities – aligned to ISO/IEC 27001:13 best practices
  ID.GV Governance – 4 technical or management activities – aligned to ISO/IEC 27001:13 best practices
  ID.RA Risk Assessment – 6 technical or management activities – aligned to ISO/IEC 27001:13 best practices
  ID.RM Risk Management Strategy – 3 technical or management activities – aligned to ISO/IEC 27001:13 best practices
PR Protect (35 activities)
  PR.AC Access Control – 5 technical or management activities – aligned to ISO/IEC 27001:13 & CCS CSC best practices
  PR.AT Awareness & Training – 5 technical or management activities – aligned to ISO/IEC 27001:13 & CCS CSC best practices
  PR.DS Data Security – 7 technical or management activities – aligned to ISO/IEC 27001:13 & CCS CSC best practices
  PR.IP Information Protection Process – 12 technical or management activities – aligned to ISO/IEC 27001:13 & CCS CSC best practices
  PR.MA Maintenance – 2 technical or management activities – aligned to ISO/IEC 27001:13 best practices
  PR.PT Protective Technology – 4 technical or management activities – aligned to ISO/IEC 27001:13 & CCS CSC best practices
DE Detect (18 activities)
  DE.AE Anomalies and Events – 5 technical or management activities – aligned to ISO/IEC 27001:13 best practices
  DE.CM Security Continuous Monitoring – 8 technical or management activities – aligned to ISO/IEC 27001:13 & CCS CSC best practices
  DE.DP Detection Processes – 5 technical or management activities – aligned to ISO/IEC 27001:13 & CCS CSC best practices
RS Respond (16 activities)
  RS.RP Response Planning – 1 technical or management activity – aligned to ISO/IEC 27001:13 & CCS CSC best practices
  RS.CO Communications – 5 technical or management activities – aligned to ISO/IEC 27001:13 best practices
  RS.AN Analysis – 4 technical or management activities – aligned to ISO/IEC 27001:13 best practices
  RS.MI Mitigation – 3 technical or management activities – aligned to ISO/IEC 27001:13 best practices
  RS.IM Improvements – 2 technical or management activities – aligned to ISO/IEC 27001:13 best practices
RC Recover (6 activities)
  RC.RP Recovery Planning – 1 technical or management activity – aligned to ISO/IEC 27001:13 & CCS CSC best practices
  RC.IM Improvements – 2 technical or management activities – not aligned with ISO/IEC 27001:2013 or CCS CSC practices
  RC.CO Communications – 3 technical or management activities – not aligned with ISO/IEC 27001:2013 or CCS CSC practices

Managed Asset Model
Unmanaged Assets
• Start with all known assets
• Categorize assets by type and value
• Discover / Identify unknown assets
Asset Discovery
• Scan, Monitor, Filter for unknown assets
• Update known assets with those discovered
Asset Governance
• Provisioning – initial creation of the asset
• Reconciliation – periodic recertification of the asset
• De‐provisioning – removal of the asset from the environment
• Monitoring & Management – generate alerts and reports
Security Controls
• Management & Communications Controls [MGT]
• Cyber‐security Controls [CSC]
• General Computer Controls [GCC]
Managed Assets
• Known assets (per asset group) with controls applied
2.3 Modeling Cybersecurity Controls
The Controls Model (Unmanaged Assets: scan, monitor, filter; Managed Assets: controls applied)
1. Establish system of record: create initial baseline of known users, devices, applications, information assets, information owners
2. Update with known assets: add / remove assets following standard approach
3. Scan network for unknown assets: establish network scanning process to detect unknown devices
4. Monitor network for unknown assets: establish traffic monitoring process to detect unknown devices
5. Filter network access from unknown assets: 802.1x, NAC, Client Certificates, Whitelist, Blacklist
6. Update system of record with known but unmanaged assets: discovered through scanning, monitoring and filtering
7. Apply security controls to known assets: General Computer Controls [GCC], Cyber‐security Controls [CSC], Management & Communications Controls [MGT]
8. Generate real‐time alerts and management reports: alert management when suspicious activity is detected
9. Update system of record with managed assets: update with known as well as unknown (discovered) devices
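The nine-step controls model above reduces to a reconciliation between a system of record and what scanning, monitoring and filtering actually observe. The following is an added example, not code from the deck or from UMass; the control IDs under each family, the asset names and the discovery sweep are constructed sample data.

```python
"""Managed-asset model (steps 1-9 of the controls model) as a reconciliation.
Added example, not code from the MHEC/UMass deck; asset names, control IDs
and the discovery sweep are constructed sample data."""
from dataclasses import dataclass, field

# Control families named in the deck; the IDs inside each are placeholders.
REQUIRED_CONTROLS = {
    "GCC": {"patching", "backup"},                  # General Computer Controls
    "CSC": {"inventory", "edr", "log_forwarding"},  # Cyber-security Controls
    "MGT": {"owner_assigned"},                      # Management & Communications
}

@dataclass
class Asset:
    asset_id: str                    # record key (hostname, MAC, ...)
    asset_type: str                  # endpoint, database, printer, ...
    value: str                       # criticality: low / medium / high / unknown
    owner: str = ""
    controls: set = field(default_factory=set)

    def missing_controls(self) -> dict:
        """Required controls not yet applied, grouped by family (step 7)."""
        return {fam: req - self.controls for fam, req in REQUIRED_CONTROLS.items()
                if req - self.controls}

    def is_managed(self) -> bool:
        return not self.missing_controls()

def reconcile(sor: dict, discovered: set) -> tuple:
    """Steps 3-6: compare scan/monitor/filter output with the system of record.
    Returns sorted id lists: (managed, known_but_unmanaged, unknown, stale)."""
    managed, unmanaged, stale = [], [], []
    for aid, asset in sor.items():
        if aid not in discovered:
            stale.append(aid)        # recorded but not seen: reconciliation item
        elif asset.is_managed():
            managed.append(aid)
        else:
            unmanaged.append(aid)    # known asset with control gaps
    unknown = sorted(discovered - sor.keys())
    return sorted(managed), sorted(unmanaged), unknown, sorted(stale)

def alerts_for(sor: dict, discovered: set) -> list:
    """Step 8: alert lines for unknown devices, control gaps and stale records."""
    _, unmanaged, unknown, stale = reconcile(sor, discovered)
    out = [f"UNKNOWN_ASSET {a}: seen on network, not in system of record" for a in unknown]
    for a in unmanaged:
        gaps = sor[a].missing_controls()
        out.append(f"UNMANAGED_ASSET {a}: missing " + "; ".join(f"{fam}: {sorted(c)}" for fam, c in sorted(gaps.items())))
    out += [f"STALE_ASSET {a}: recorded but not discovered" for a in stale]
    return out

def onboard_unknown(sor: dict, discovered: set) -> dict:
    """Steps 6 and 9: record discovered-but-unknown devices as unmanaged assets."""
    for aid in discovered - sor.keys():
        sor[aid] = Asset(aid, "unclassified", "unknown")  # no owner, no controls yet
    return sor

# Constructed sample: three recorded assets and one discovery sweep.
SAMPLE_SOR = {
    "lab-ws-01": Asset("lab-ws-01", "endpoint", "medium", "jdoe",
                       {"patching", "backup", "inventory", "edr", "log_forwarding", "owner_assigned"}),
    "db-prod-02": Asset("db-prod-02", "database", "high", "dba-team",
                        {"patching", "inventory", "owner_assigned"}),
    "printer-17": Asset("printer-17", "printer", "low"),
}
SAMPLE_DISCOVERED = {"lab-ws-01", "db-prod-02", "rogue-ap-9"}
```

Running `alerts_for(SAMPLE_SOR, SAMPLE_DISCOVERED)` yields one line each for the unknown access point, the database with control gaps, and the printer that is recorded but no longer seen.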
3.0 The Controls Implementation
3.1 Vendor Technologies and Services
3.2 Cybersecurity Programs and Projects
3.3 Security as a Service (SaaS)

3.1 Vendor Technologies & Services
Vendor grid: technologies TEC‐01 through TEC‐20 and services SVC‐01 through SVC‐03; of the vendor names, only Quest Software survived extraction.
3.2 Security Programs and Projects
• PRG‐00: Master Blueprint
• PRG‐01: Endpoint Security
• PRG‐02: Application Security
• PRG‐03: Network Security
• PRG‐04: Data Center System Security
• PRG‐05: Database Security
• PRG‐06: Identity Governance
• PRG‐07: Data Governance
• PRG‐08: Monitoring & Alerting Center

3.3 Security as a Service (SaaS)
• Option 1: Corporate Security Operations Center (SOC)
• Option 2: Outsourced Managed Cybersecurity Services
• Option 3: Co‐Managed Cybersecurity Services
• Option 4: Hybrid Cybersecurity Services

4.0 The Controls Testing
4.1 Controls Testing Guidelines
4.2 Controls Testing Techniques
4.3 Controls Assessment Procedures

4.1 Controls Testing Guidelines
• Open Source Security Testing Methodology Manual (OSSTMM)
• Cybersecurity Assessments
• Critical Infrastructure Security Analysis (CRISALIS)
• NIST 800‐115: Technical Guide to Information Security Testing and Assessment
• Information Systems Security Assessment Framework (ISSAF)
• Experimental Cyber Immersion Training & Exercises (EXCITE)

4.2 Controls Testing Techniques
Comparison of TST‐01: Black Box Testing, TST‐02: Grey Box Testing and TST‐03: White Box Testing
1. Black: the internal workings of an application are not required to be known. Grey: some knowledge of the internal workings is known. White: the tester has full knowledge of the internal workings of the application.
2. Black: also known as closed box testing, data driven testing and functional testing. Grey: another term for grey box testing is translucent testing, as the tester has limited knowledge of the insides of the application. White: also known as clear box testing, structural testing or code based testing.
3. Black: performed by end users and also by testers and developers. Grey: performed by end users and also by testers and developers. White: normally performed by testers and developers.
4. Black: testing is based on external expectations; the internal behavior of the application is unknown. Grey: testing is done on the basis of high level database diagrams and data flow diagrams. White: internal workings are fully known and the tester can design data accordingly.
5. Black: the least time consuming and exhaustive. Grey: partly time consuming and exhaustive. White: the most exhaustive and time consuming type of testing.
6. Black: not suited to algorithm testing. Grey: not suited to algorithm testing. White: suited to algorithm testing.
7. Black: this can only be done by the trial and error method. Grey: data domains and internal boundaries can be tested, if known. White: data domains and internal boundaries can be better tested.

4.3 Controls Assessment Procedures
Perform Scoping Analysis
• Identify significant business applications, modules, line items and accounts
• Map processes and systems to significant accounts
• Determine locations / departments where significant business processes are performed (individually important, significant risk, significant when aggregated)
Document Significant Business Processes & Controls
• Document process flows and develop control sets for all significant business processes and applications / IT
• Confirm location where significant processes are performed
• Confirm control sets with business process owners
Evaluate Design of Controls
• Business units perform Self‐Assessments for all documented control activities
• Identify significant changes in processes and systems quarterly
Test Operating Effectiveness of Key Controls
• Design and develop test plans
• Determine level of testing for each location
• Execute test plans (Internal Audit, External Audit)
Remediate Exceptions
• Identify control exceptions and root cause
• Work with business owners to determine remediation plan
• Analyze remediation items (individual and in aggregate)
• Implement remediation plan
• Monitor and track remediation progress
Perform Year End Activities
• Define scope and approach for Q4 testing
• Perform '4Q / Update' testing (e.g., retesting of remediated items, high risk)
• Analyze remediation items (individual and in aggregate)
• Report on evaluation of internal controls
Cybersecurity Testing Center
Cybersecurity Controls Test Center, with one test center per program:
1. Endpoint Devices Test Center
2. Enterprise Applications Test Center
3. Network Security Test Center
4. Data Center Systems Test Center
5. Database Security Test Center
6. Identity Governance Test Center
7. Data Governance Test Center
8. Monitoring & Response Center

Controls Mapping
Cybersecurity Controls Mapping: Attack Chain, Controls Standards, Programs & Projects, Technology & Services, Security Operations
• NIST Controls Framework: Identify, Protect, Detect, Respond, Recover
• Controls Standards: Management Controls (ISO 27001:2013), Technical Controls (Council on Cyber‐security CSC), General Computer Controls (ISO 27001:2013)
• Programs & Projects (1–8): Endpoint Devices, Application Security, Network Security, Data Center Systems, Database Security, Identity Governance, Data Governance, Security Operations

Cybersecurity Controls Testing Center
Testing Center: Cybersecurity Testing Guides, Techniques, Assessment Procedures
Attack Phase Testing Approach: Phase 1: Before an Attack; Phase 2: During an Attack; Phase 3: After an Attack
Risk Management Approach
FAIR Risk Model
Factor Analysis of Information Risk (FAIR) Terminology:
• Risk – The probable frequency and probable magnitude of future loss
• Loss Event Frequency – The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset
• Loss Magnitude – The magnitude of loss resulting from a loss event
• Threat Event Frequency – The probable frequency, within a given timeframe, that a threat agent will act against an asset
• Vulnerability – The probability that an asset will be unable to resist the actions of a threat agent
• Primary Loss – Consists of asset loss factors and threat loss factors
• Secondary Loss – Consists of organizational loss factors and external loss factors
• Contact Frequency – Occurs when a threat agent establishes a physical or virtual (e.g., network) connection to an asset
• Probability of Action – An act taken against an asset by a threat agent; requires that contact occur between the asset and the threat agent
• Threat Capability – The probable level of force that a threat agent is capable of applying against an asset
• Resistive Controls – The resistive strength of a control as compared to a baseline measure of force
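The FAIR terms above (and the simpler risk equation on the earlier slide) can be exercised numerically: Vulnerability is the probability that Threat Capability exceeds Resistive Control strength, Loss Event Frequency is Threat Event Frequency scaled by that probability, and annual loss is the sum of primary and secondary losses over the loss events. This is an added example, not code from the deck or from any FAIR tooling; the Scenario class, its distributions and the credential-theft numbers are constructed assumptions.

```python
"""FAIR-style risk estimate by Monte Carlo simulation.
Added example, not from the deck or from any FAIR tooling. Every distribution
and number below is a constructed illustration; a real analysis calibrates them
from incident data and expert estimates."""
import random
import statistics
from dataclasses import dataclass, replace

@dataclass
class Scenario:
    tef: tuple             # Threat Event Frequency per year: triangular (low, high, mode)
    tcap: tuple            # Threat Capability, 0..1 scale: uniform (low, high)
    resistance: tuple      # Resistive Control strength, 0..1 scale: uniform (low, high)
    primary_loss: tuple    # Primary Loss per loss event: triangular (low, high, mode)
    secondary_loss: tuple  # Secondary Loss when it occurs: triangular (low, high, mode)
    p_secondary: float     # probability a loss event also causes secondary loss

def vulnerability(s: Scenario, rng: random.Random, trials: int = 20000) -> float:
    """FAIR Vulnerability: probability that threat capability exceeds the
    resistive strength of the control, estimated by sampling both."""
    hits = sum(rng.uniform(*s.tcap) > rng.uniform(*s.resistance) for _ in range(trials))
    return hits / trials

def simulate_year(s: Scenario, rng: random.Random) -> float:
    """One simulated year: threat events -> loss events -> primary + secondary loss."""
    total = 0.0
    for _ in range(round(rng.triangular(*s.tef))):
        if rng.uniform(*s.tcap) > rng.uniform(*s.resistance):   # loss event occurred
            total += rng.triangular(*s.primary_loss)
            if rng.random() < s.p_secondary:
                total += rng.triangular(*s.secondary_loss)
    return total

def annualized_loss(s: Scenario, years: int = 20000, seed: int = 1) -> dict:
    """Loss Event Frequency x Loss Magnitude, summarised over simulated years."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(years))
    return {
        "vulnerability": vulnerability(s, rng),
        "mean": statistics.fmean(losses),
        "median": losses[len(losses) // 2],
        "p95": losses[int(0.95 * len(losses))],
    }

# Constructed scenario: phishing-led credential theft against a departmental
# file server, before and after stronger resistive controls (e.g. MFA).
BASELINE = Scenario(tef=(2, 12, 5), tcap=(0.3, 0.9), resistance=(0.5, 0.7),
                    primary_loss=(20_000, 200_000, 50_000),
                    secondary_loss=(0, 500_000, 100_000), p_secondary=0.3)
HARDENED = replace(BASELINE, resistance=(0.8, 0.95))

if __name__ == "__main__":
    for name, sc in (("baseline", BASELINE), ("hardened", HARDENED)):
        print(name, {k: round(v, 2) for k, v in annualized_loss(sc).items()})
```

With these inputs the baseline Vulnerability comes out near 0.5 (threat capability beats the control about half the time), and raising resistive strength cuts both Vulnerability and the annualized loss by well over a factor of four, which is the kind of before/after comparison the controls testing center is meant to produce.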
Cybersecurity Program Summary
Threats · Vulnerabilities · Controls: The Risk = Unmanaged Assets
Our Assets: Where does our business stand on basic cybersecurity hygiene?
1. Do we know what’s connected to our systems and networks? (Known Assets)
2. Do we know what’s running or trying to run on our systems and networks? (Managed Assets)
3. Are we limiting the number of people with administrative privileges to change, bypass or override the security settings? (Managed Assets)
4. Do we have continuous processes backed by security technologies that allow us to prevent most breaches, rapidly detect all that do succeed and minimize damage to our business and customers? (Managed Assets)
5. Can you demonstrate all this to me, to our Board, and to our shareholders and customers today? (Cybersecurity Testing Center)