More practical insights on the 20 critical controls

This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls was released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively; others have struggled. This presentation gives case studies of organizations that have implemented these controls and what they have learned from their implementations about what works and what does not work in practice. The discussion covers not only what organizations are doing to implement the controls, but also what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.

1. More Practical Insights on the 20 Critical Controls
   Case Studies & Practical What Works
   James Tarala, Enclave Security

2. Information Security Standards
   • Presently there are a number of information security standards available
   • But, there are too many to choose from:
     – Individual Corporate / Agency Standards
     – NIST 800-53 / 800-53 A
     – FISMA / DIACAP
     – HIPAA / SOX / GLBA
     – PCI / NERC / CIP
     – 20 Critical Controls / Consensus Audit Guidelines
   The Consensus Audit Guidelines © Enclave Security 2010

3. One Option: 20 Critical Controls
   • Developed as a tool for organizations responsible for NIST 800-53
   • Priorities for which controls will make the most impact to stop dedicated attackers
   • Written in response to compromised US government agencies & contractors
   • Collaborative effort by over 100 different government, military, & civilian experts

4. 20 CC Project Guiding Principles
   • Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
   • Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.

5. Project Guiding Principles (2)
   • Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
   • To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.

6. Why are the Controls Important?
   • Cyber security is complex and becoming even more complicated every day
   • Organizations are being compromised, even after spending large portions of their budget on infosec
   • CIOs & CISOs need prioritized controls to get the most return from their investment
   • More controls rarely hurt, but how do we decide which controls to start with?
   • It’s critical that we have priorities!

7. Why are the Controls Important? (2)
   • We need agreement between:
     – Inspectors General (IGs – auditors)
     – Operations (sys-admins)
     – Security Engineers
   • We need metrics and measurements that everyone can agree to use
   • We need to stop people from violating systems & compromising the C-I-A of our data

8. Why are the Controls Important? (3)
   • It is a triage strategy for enterprise defense
   • Most organizations are already bleeding, so how can we perform first aid?
   • The 20 Critical Controls are meant:
     – To prioritize controls
     – To prioritize resources
     – To give enterprises a list of what to do first
     – To define controls effective at stopping attacks

9. Current Related Efforts
   • US Department of State iPost System
   • Security Content Automation Protocol (SCAP)
   • Continuous Monitoring Efforts
   • International Government Efforts

10. US Dept of State iPost
   • Used to protect OpenNet, the DoS Sensitive But Unclassified (SBU) network
   • Consists of 5,000 routers and switches, and more than 40,000 hosts
   • The Risk Scoring program at DoS evolved in three separate stages:
     – Deployment of enterprise management tools
     – Delivery of operational data to the field in an integrated application, iPost
     – Establishment of a risk scoring program

11. iPost Reporting

12. iPost Reporting (2)

13. iPost Reporting (3)

14. iPost Data Feeds

15. SCAP
   • Security Content Automation Protocol (SCAP)
   • “SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities”
   • Three Primary NIST Publications:
     – NIST SP 800-117
     – NIST SP 800-126
     – NIST IR 7511
   • More information can be found at:
     – http://scap.nist.gov/

16. SCAP (2)
   • Multiple existing specifications in affiliation with SCAP
   • Protocols:
     – Security Content Automation Protocol (SCAP) – ver. 1.0
   • Languages:
     – The eXtensible Configuration Checklist Description Format (XCCDF)
     – Open Vulnerability and Assessment Language (OVAL)

17. SCAP (3)
   • Enumerations:
     – Common Configuration Enumeration (CCE)
     – Common Platform Enumeration (CPE)
     – Common Vulnerabilities and Exposures (CVE)
   • Metrics:
     – Common Vulnerability Scoring System (CVSS)
   • For more information visit:
     – http://scap.nist.gov/revision/1.0/index.html

18. SCAP (4)
   • Multiple emerging specifications in affiliation with SCAP
   • Languages:
     – Asset Reporting Format (ARF)
     – Open Checklist Interactive Language (OCIL)
     – Open Checklist Reporting Language (OCRL)
   • Metrics:
     – Common Configuration Scoring System (CCSS)
     – Common Misuse Scoring System (CMSS)
   • For more information visit:
     – http://scap.nist.gov/emerging-specs/listing.html

19. Continuous Monitoring
   • The idea is to use automation and real-time information feeds to report on historical risk levels within organizations
   • Many groups are currently working to develop ways to encourage these activities:
     – US Federal Agencies (NIST, OMB)
     – Individual Gov’t & private sector groups (NASA)
     – Research Groups (such as CSIS & SANS)
     – SIEM Vendors (ArcSight, Splunk, Red Seal, etc.)

20. OMB Memos
   • OMB M-09-29: Reporting Instructions for FISMA
   • OMB M-10-15: Reporting Instructions for FISMA
   • OMB M-10-19: Fiscal Year 2012 Budget Guidance
   • OMB M-10-30: Science and Technology Priorities for the FY 2012 Budget

21. CyberScope
   • New tool for reporting FISMA compliance status for US federal agencies
   • An automated process of recording information, meant to replace paperwork reporting tools
   • Purpose is to save money through automation, and increase security through continuous monitoring
   • Deadline for agencies to begin using the tool is Nov 2010
   • Additional FISMA dashboard to be released spring 2011

22. OMB M-10-30
   • Science and Technology Priorities for the FY 2012 Budget
   • “Developing the technologies to protect our troops, citizens, and national interests:
     – Support cybersecurity R&D to investigate novel means for designing and developing trustworthy cyberspace—a system of defensible subsystems that operate safely in an environment that is presumed to be compromised. Agencies should respond to the call in the President’s Cyberspace Policy Review for R&D in game-changing technologies, including moving target defense strategies, tailored trustworthy spaces, and cyber incentives.”

23. NIST & Continuous Monitoring
   • NIST is also publishing guidance for continuous monitoring for information security
   • Many of these NIST and OMB recommendations reflect the 20 Critical Controls
   • NIST has released two guides:
     – An FAQ for Continuous Monitoring
     – An updated version of NIST 800-37: Risk Management Framework

24. NASA & Continuous Monitoring
   • Defined in NASA Information Technology Requirement (NITR) 2810-12
   • For NASA, the purpose is for:
     – Configuration Management & Control
     – Security Control Monitoring
     – Status Reporting & Documentation

25. European Union Security Efforts

26. Abu Dhabi (UAE) Security Efforts

27. Practical Tips Learned So Far
   • The philosophy must be embraced by everyone, not just a few engineers
   • Don’t prioritize too many priorities; focus
   • Strategic tool selection is critical to success
   • Automation must be planned from the beginning of the project
   • Effectiveness comes when we can show historical reports to executives

28. Concluding Thoughts
   • Much of what we are doing for enterprise defense is not working
   • What we need is:
     – Clear, coordinated leadership on the issue
     – Consistent, effective guidance on how to protect information assets
     – Metrics that can be used to evaluate an agency’s performance
     – Resources to be allocated to the task

29. Further Questions
   • If you have further questions & want to talk more…
   • James Tarala
     – E-mail: james.tarala@enclavesecurity.com
     – Twitter: @isaudit, @jamestarala
     – Blog: http://www.enclavesecurity.com/blogs/
   • Resources for further study:
     – CSIS & SANS 20 Critical Controls
     – OMB Memorandum M-10-15 & NIST FAQ
     – NIST Security Content Automation Protocol (SCAP)