Implementing a Security Management Framework

Improving
Your
Security
Program
Security Management Framework
Joe Wynn
President
WynnSecure, LLC
www.WynnSecure.com

Joe Wynn
• Founded WynnSecure, LLC in 2016
• Cofounded Seiso, LLC in 2017
• Held positions of CISO in higher education and energy sectors
• Consulted in healthcare in a security leadership position
• Built business-aligned security programs from ground up
• Leads the delivery of executive-level information security strategy
• Over 25 years experience in information technology
• Over 20 years specializing in information security
• Education
• BS of Computer Science Degree from Duquesne University
• Master’s Degree from Carnegie Mellon University
• Earned CISSP and other certifications
• Cofounder of BSidesPGH information security conference in 2011

Agenda
Why
What’s the issue
What are the problems
What can you do
Here’s a way
Discussion

Why be able to explain your program?
So you can succeed
4/6/2017 © WynnSecure, LLC - www.WynnSecure.com 5

So your company can succeed

Companies are getting

No
one
will
come
to
your
party

Why be
able to
explain
your
program?
4/6/2017© WynnSecure, LLC - www.WynnSecure.com 9

What’s the Issue?
Discussion
Can anyone share why they think their program is successful?
 What did you do to make it successful?
Does your management think your program runs well?
Are they aware of which parts of the program are well managed?
What happens when the primary resource is out?
 Who does the mandatory daily tasks?

What’s the Issue?
1. Sometimes…
2. Explaining your information security
program to executives
 Which parts are well managed?
 Which parts run ad hoc?
 Easily calculate number of resources for a
successful program?
 Explain what risks are inherently being
accepted?
 Explain residual risks?
3. Not operationalizing the security
program

What’s the Problem?
Discussion
Does anyone have a story about “someone you
know” who doesn’t complete all of the mandatory
processes each day?
What kinds of risks can this cause in ‘their” program?
Do you have to fight for your budget and resources
or does management just give it to you?

What’s the
Problem?
• Skipped processes
increase organizational
information security
risks
• Management can’t
make informed
decisions on
undocumented risks
• Management doesn’t
invest in
undocumented
programs

What can you do?
Discussion
• What are program
metrics?
Anyone track those?
• Who formally tracks risk
appetite?

What can you do?
• Organize your program so it can be managed and
communicated
• Track your program’s metrics
Not talking about technical metrics, like number of spam email or
viruses seen.
 Note: I looked it up… plural of virus is viruses, not viri.
I’m talking about how well your processes are operating.
 And if you have the right processes and they are working, then you will be on your
path to good security.
• Ensure your program operates within risk appetite tolerance
• Request program investment for areas of unacceptable risk

How?
Discussion
Can anyone talk about how they have their security
processes aligned to a framework?

How?
• Get organized
• Organize program into a framework
… to manage security
Maybe call it … a “Security Management Framework”
• Allows it to be managed
• Provides ability to explain it
• Shows gaps in program
• Report on program health

What is a Security Management Framework?
• A collection of SERVICES and PROCESSES along with important information
about them, called ATTRIBUTES
• Organized into a table
• A Service is delivered through one or more processes
Can have sub processes
• Each (sub) process is defined by attributes
 Description
 Owner
 Primary Resource
 Backup Resource
 Customer
 Event Driven or Scheduled
 Frequency
 Process Details
 Hours / Month
 Annualized Hours
 Metrics
 Tools
 Escalation Process
 Process Maturity Rating
 Process Improvement Project

Here’s a way
Building your
Security Management Framework
(“SMF”)

Process Overview
1 • Choose Framework
2 • Choose Services
3 • Define Processes
4 • Add Attributes
5 • Populate Data
6 • Data Analysis
7 • Summarize Opportunities
8 • Risk Review with Management
9 • Update Risk Register
10 • Treat or Accept Risks

What do you need to start?
A Security Framework
and a Spreadsheet
Start Simple
1. Pick a security standard /
framework to align to
NIST CSF will do
2. Choose what services you
will perform
3. Define some processes you
will follow to manage
controls that are important
to you.
Who’s familiar with the NIST CSF?
“The way to get started is to quit
talking and begin doing.”
-- Walt Disney

NIST Cybersecurity Framework
• NIST
• National Institute of Standards and Technology
• https://www.nist.gov/cyberframework
• 5 Functions
• Identify
• Protect
• Detect
• Respond
• Recover
• Broken out into 22 categories
Categories are a good starting point for your
Services
• Further broken out into 98 subcategories
• You can map processes to the categories for
your SMF

“Cybersecurity Framework Overview”
• The following slides are from
NIST’s March 1, 2017
“Cybersecurity Framework
Overview” virtual event.
https://www.nist.gov/news-
events/events/2017/03/cybersecurity-
framework-virtual-events

Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and
resilience of the Nation’s critical infrastructure and to maintain a
cyber environment that encourages efficiency, innovation, and
economic prosperity while promoting safety, security, business
confidentiality, privacy, and civil liberties”
Executive Order 13636
February 12, 2013
Slide Credit: “Cybersecurity Framework Overview” virtual event - https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events

The Cybersecurity Framework...
Includes a set of standards, methodologies, procedures, and processes
that align policy, business, and technological approaches to address
cyber risks.
Provides a prioritized, flexible, repeatable, performance-based, and
cost-effective approach, including information security measures
and controls, to help owners and operators of critical infrastructure
identify, assess, and manage cyber risk.
Identifies areas for improvement to be addressed through future
collaboration with particular sectors and standards-developing
organizations.
Is consistent with voluntary international standards.

The Framework Is for Organizations…
• Of any size, in any sector in (and outside of) the critical
infrastructure.
• That already have a mature cyber risk management and
cybersecurity program.
• That don’t yet have a cyber risk management or
cybersecurity program.
• Needing to keep up-to-date managing risks, facing
business or societal threats.
• In the federal government, too…since it is compatible with
FISMA requirements and goals.

Core
Cybersecurity Framework Component
27
Function Category ID
What processes and
assets need
protection?
Identify
Asset Management ID.AM
Business Environment ID.BE
Governance ID.GV
Risk Assessment ID.RA
Risk Management Strategy ID.RM
What safeguards are
available?
Protect
Access Control PR.AC
Awareness and Training PR.AT
Data Security PR.DS
Information Protection Processes & Procedures PR.IP
Maintenance PR.MA
Protective Technology PR.PT
What techniques can
identify incidents?
Detect
Anomalies and Events DE.AE
Security Continuous Monitoring DE.CM
Detection Processes DE.DP
What techniques can
contain impacts of
incidents?
Respond
Response Planning RS.RP
Communications RS.CO
Analysis RS.AN
Mitigation RS.MI
Improvements RS.IM
What techniques can
restore capabilities?
Recover
Recovery Planning RC.RP
Improvements RC.IM
Communications RC.CO

Core Cybersecurity
Framework Component
28
Function Category ID
Identify
Asset Management ID.AM
Business Environment ID.BE
Governance ID.GV
Risk Assessment ID.RA
Risk Management
Strategy
ID.RM
Protect
Access Control PR.AC
Awareness and Training PR.AT
Data Security PR.DS
Information Protection
Processes & Procedures
PR.IP
Maintenance PR.MA
Protective Technology PR.PT
Detect
Anomalies and Events DE.AE
Security Continuous
Monitoring
DE.CM
Detection Processes DE.DP
Respond
Response Planning RS.RP
Communications RS.CO
Analysis RS.AN
Mitigation RS.MI
Improvements RS.IM
Recover
Recovery Planning RC.RP
Improvements RC.IM
Communications RC.CO
Subcategory Informative References
ID.BE-1: The
organization’s role in
the supply chain is
identified and
communicated
COBIT 5 APO08.04, APO08.05,
APO10.03, APO10.04, APO10.05
ISO/IEC 27001:2013 A.15.1.3,
A.15.2.1, A.15.2.2
NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-2: The
organization’s place in
critical infrastructure
and its industry sector
is identified and
communicated
COBIT 5 APO02.06, APO03.01
NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for
organizational
mission, objectives,
and activities are
established and
communicated
COBIT 5 APO02.01, APO02.06,
APO03.01
ISA 62443-2-1:2009 4.2.2.1,
4.2.3.6
NIST SP 800-53 Rev. 4 PM-11, SA-
14
ID.BE-4:
Dependencies and
critical functions for
delivery of critical
services are
established
ISO/IEC 27001:2013 A.11.2.2,
A.11.2.3, A.12.1.3
NIST SP 800-53 Rev. 4 CP-8, PE-9,
PE-11, PM-8, SA-14
ID.BE-5: Resilience
requirements to
support delivery of
critical services are
established
COBIT 5 DSS04.02
ISO/IEC 27001:2013 A.11.1.4,
A.17.1.1, A.17.1.2, A.17.2.1
NIST SP 800-53 Rev. 4 CP-2, CP-
11, SA-14 28

NIST Control Examples
The Following Slides are NIST Control Examples
• This was prepared for a ransomware talk
• Info pulled from NIST’s document NISTIR 7621r1
 “Small Business Information Security: The Fundamentals”
• These are activities you may do (processes)
• We will touch on a few

Identify
Category Control
Asset Management • Document where your systems and data are located
• Endpoints (laptops / desktops)
• Servers
• Cloud services
Governance • Create policies and procedures for information security that direct the
activities you should perform to minimize probability of being affected
by ransomware and reduce the impact of an attack.
• Acceptable use
• Backup and recovery
• Security awareness training
Risk Assessment • Perform risk assessments against environment to understand your
threats and vulnerabilities
• Information security program maturity assessments
• Vulnerability assessments
• Penetration tests

Protect (1 of 3)
Category Control
Access Control • Require individual user accounts for each employee
• Assign users the least amount of access needed to function (least
privilege principle)
• Note: Limiting access to a user can reduce how much the
ransomware can encrypt
• Everything in all of their shared / mapped drives is at risk
• Do not give users administrative rights to their computers
• Chances of restoring files increased if user is not an admin.
• Perform regular user access reviews
• Remove unneeded access (especially when someone changes
roles)
Awareness and
Training
• Train your users when hired and at least annually
• Don’t click on links in emails that you are not confident of
• Learn to identify phishing attacks
• Do not open unexpected emails or attachments
• Ensure employees know who to call when they notice an issue.
Quicker response can reduce impact.
• Perform ransomware focused table top exercises

Protect (2 of 3)
Category Control
Data Security • Ensure antivirus / anti-malware, end point protection, endpoint
detection and response tools are working and automatically updating
Information
Protection
Processes &
Procedures
• Backups are conducted and tested frequently
• Response and recovery plans / playbooks are in place and tested
• Do you have a Ransomware Response Plan documented? See
article: “What Should Be In Your Ransomware Response Plan”
• Do you know how to acquire Bitcoin?
• Can you assist your clients or firm with a large Bitcoin payment?
• Have you coordinated with authorities as part of your planning
process before an incident?
• Do you have agreements in place with incident response
professionals that specialize in ransomware response?
• A vulnerability management plan is developed and implemented.
• Ensure you are applying operating system and application security
patches timely

Protect (3 of 3)
Category Control
Protective
Technology
• Block macros from running automatically in your Office software
• Email Protections
• Ensure you have anti-spam / anti-phishing protections in place
• Block certain file-types from being delivered (.exe. files, .zip files,
files with macros or scripts)
• Alert when password protected files are sent.
• They can’t be scanned and hackers use them to get past
filters
• Do not auto download pictures
• Web / URL Filters – configure to block known malicious websites
• Lock down volume shadow copies.
• These are automatic file backups that you can revert to. Turning
these off and deleting them is one of the first activities
ransomware does before encrypting your data.

Detect
Category Control
Anomalies and
Events
• Ensure you have good logging in place and in a system that can alert you
when the right combination of events occurs, like a SIEM (Security
Information and Event Management) tool.
• Ensure antivirus alerts are reviewed
Security
Continuous
Monitoring
• Make sure your antivirus tools are receiving updates (multiple times per
day) and scanning regularly
Detection
Processes
• Ensure someone is monitoring log events so they will know if something
has happened.
• You may be able to hire a managed service to review the most
critical logs that would indicate an issue.

Respond
Category Control
Response Planning • Be sure to use the plans you built in the Protect function
Communications • Ensure you know how to keep your stakeholders updated appropriately
• Public Relations: Ensure everyone is clear on what to say to media and
your clients.
• Will your clients feel like you are in control of the situation?
Analysis • When the alerts go off, based on your controls in the Detect function,
make sure they are investigated
Mitigation • Have plans in place to contain the incident quickly
Improvements • Learn from previous incidents and improve your plans

Recover
Category Control
Recovery Planning • Check for decryption options.
• Is there a master key available? Decryption tools are available for
some variants.
• If you are going to pay:
• Do you have Bitcoin available?
• Can you negotiate?
• Can you get proof the decryption will work?
• Restoration - Be prepared to recover your systems
• Do you have a disaster recovery plan?
• Have you tested your backup / recovery plans?
• Ensure you close the vulnerability / holes of initial incident
Communications • Continue managing the media and client expectations

Choose Some Categories
For this exercise, I will choose
a few categories for our
services
1. Asset Management
2. Governance
3. Risk Assessment
4. Access Control
5. Awareness and Training
6. Data Security
7. Security Continuous Monitoring
8. Analysis
9. Improvements
10. Recovery Planning

Define Some Processes
• Where can I find process descriptions? You can consider
The Center for Internet Security’s Critical Security Controls
 https://www.cisecurity.org/critical-controls.cfm
o Originally developed in 2008 by SANS Institute*
o In 2013 transferred to Council for Cyber Secuirty
o In 2015 transferred to Center for Internet Security
NIST 800-53r4, a catalog of security controls
 https://nvd.nist.gov/800-53
 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• Use NIST CSF to map to the control reference in the “Informative
References” column
Let me show you how…
* https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Controls_for_Effective_Cyber_Defense

NIST CSF “Informative References”
Council for Cyber Security / Center for Internet Security – Critical Security Controls
NIST SP 800-53r4: Catalog of Security Controls

“Informative References” Closer Look
Council for Cyber Security / Center for Internet Security – Critical Security Controls
NIST SP 800-53r4: Catalog of Security Controls

CIS CSC Example

NIST 800-53r4 Example

Process Build – Recap
What we did:
• Chose some information security
services using the NIST CSF
categories to run your
operationalized information
security program
• Selected appropriate processes
using the detailed control
information from the
“Informative References” column
of the NIST CSF
Now we will add those processes
to our table.
1
• Choose Framework
2
• Choose Services
3
• Define Processes

Process Example

Process Example - Zoomed

What to Measure?
• What data (attributes) about your processes do you want to track?
• Earlier I suggested these attributes:
 Description
 Owner
 Primary Resource
 Backup Resource
 Customer
 Event Driven or Scheduled
 Frequency
 Process Details
 Hours / Month
 Annualized Hours
 Metrics
 Tools
 Escalation Process
 Process Maturity Rating
 Process Improvement Project
“If you can’t measure it, you can’t manage it.”
--Peter Drucker

Example Framework
• In the following example, the framework data is exaggerated
• 4 process owners
• 4 resources assigned to the processes
• Fictional hours for the processes

Populate the Framework
• We’ve populated the framework.
• Analysis:
 There are some processes without backup resources
 A total of 5640 resource-hours needed to perform the selected processes
 We added some maturity ratings to the processes (more on that later)

Using the SMF
• Analysis: What’s missing from your program
Backup resources
Efficient Tools
 A lot is being done with spreadsheets, documents, and free tools
• What can you do with your data?
Perform a maturity review of your processes
Create projects to increase process / program maturity
Add up the FTE hours needed to execute the processes
Track program metrics
 How often have you executed each process on time?
 When have processes not been completed and why?
 Are processes taking more time than estimated to complete?
Forecast security program budget
You can add additional attributes
 Cost to execute process
 Risk of failing to perform process to specifications

Do The Math
• Resource analysis
• We have 4 resources
• (Larry, Curly, Kramden, and Norton)
• A resource is available 1296 hours after PTO,
training, admin time, meetings…
• 4 resources have 5184 hours available for operations
• Add up the annual FTE hours in the SME to perform
the work.
• 5640
• The maths tell us there is a 456 hour deficit.
• This is just an example.
• We all know we work way more than 2080 hours
• Don’t get caught up in the details – use the process
• What else can you do?
• Add up the project budget required to close the
gaps
Discussion
Annual
Hours
Hours left for
operations
1 FTE 2080 2080
3 weeks PTO 120 1960
2 weeks training 80 1880
10% time on admin activities 208 1672
Allocation for various meetings
8 hours / week for working
weeks
376 1296
Number Resources 4
Available hours for operations 5184
Total hours needed from SMF 5640
Hours Difference -456

Assess Maturity
http://en.wikipedia.org/wiki/File:Characteristics_of_Capability_Maturity_Model.svg

Explain Risks To Management
• Show up with solutions, not problems
• Get management buy-in on what must be done
• Show management what can and cannot be done
• Document risks in risk register
Are they willing fund improvements?
• Make your budget requests to close gaps and
improve maturity
• Get management signoff on risks
This should not be your burden to bear
• Spend your money wisely
• If management doesn’t fund the program and
doesn’t accept the risks?
Update your resume
Time to move on
53

Process Recap
1 • Choose Framework
2 • Choose Services
3 • Define Processes
4 • Add Attributes
5 • Populate Data
6 • Data Analysis
7 • Summarize Opportunities
8 • Risk Review with Management
9 • Update Risk Register
10 • Treat or Accept Risks

Implementing a Security Management Framework

More Related Content

What's hot

Similar to Implementing a Security Management Framework

Recently uploaded

Implementing a Security Management Framework