SlideShare a Scribd company logo
2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF
CISACGEIT CSXCISMCRISC
Walk This Way:
Using CIS Critical Security Controls and NIST
Cybersecurity Framework to accomplish
Cyber Threat Resilience – A Tools Approach
Robin Basham, Chief Compliance Officer, VP
Information Security Risk & Compliance, Cavirin
Cybersecurity Essentials – E32
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Cyber Risk Recap: What could go wrong?
• Reputation is a cyber target
• Criminals value information – financial, health,
critical infrastructure
• The pace of technology intensifies and blurs
dependencies
• We can’t trace, never mind control our data
• Exfiltration happens
• The role of government and information custody is
flat out unclear
2
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Cybersecurity Mission: Resilience
• Know the critical assets and who’s
responsible for them
• Get everyone involved in cyber-
resilience (discovery)
• Assure they have the knowledge and
autonomy to make good decisions
• Be prepared for both unsuccessful AND
successful attack
• Prevent a cyber attack from throwing
the organization into complete chaos.
3
Define
Establish
Implement
Analyze
Report
Respond
Review
Update
Continuous
Monitoring
2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF
CISACGEIT CSXCISMCRISC
IT’S ALL GOOD,
YOU’RE A ROCK STAR,
YOU’RE SUPERHUMAN – YOU CAN HERD CATS
4
Steve Tyler, lead singer for Aerosmith, is
not associated in any capacity to Cavirin.
We are inspired by his music.
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Assessing Things SOC2 – PCI – NIST
CSF – HITRUST – SOX
- FedRamp
Control Matrix –
COSO – NIST 800
53r4 – Cobit –Risk
Management
Frameworks
Configuration Rules –
CIS – DISA for
example, can be
automated for
detection
Things – Servers –
Routers –
Containers – Apps
– all have
configuration
values that can
pass or fail
5
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Assessing Things – In Reality
Things
Configuration
Rules
Controls
Assessment
Models – SOC –
PCI – CSF –
HITRUST – SOX -
FedRamp
6
xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_
Ensure_Load_and_unload_device_drivers_is_set_
to_Administrators
To establish the recommend-ed configuration via
GP, set the following UI path to Administrators
Computer ConfigurationPoliciesWindows
SettingsSecurity SettingsLocal PoliciesUser
Rights AssignmentLoad and unload device drivers
Impact
If you remove the Load and unload device drivers
user right from the Print Operators group or other
accounts you could limit the abilities of users who
are assigned to specific administrative roles in
your environment. You should ensure that
delegated tasks will not be negatively affected.
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
CISOPCI DSS
SOC2
HITECH
Cyber
Security
Framework
ISO27002
NIST 800-
53 r4,
Appendix J
CIC CSC
Top 20
DISA STIGS
FedRamp
SIG Due
Diligence
RMF, FAIR,
COSO ERM
Security Roles - Environments - Measures
CISOBuild
Business
Sell Security
Govern
Security
Operate
Securely
Identity &
Access
Risk
Management Legal
Interface
Compliance
Security
Architecture
Budget
Security
Roadmap
PMO Security
Roadmap
7
IaaS
PaaS
SaaS
Cloud
Hybrid
Cloud
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Containers
Requirements
CIS
Benchmark
DISA STIGS
NIST 800-53
v4
PCI DSS 3.2
SOC2 2016
HIPAA
HITECH CSF
CSF Cyber
Security
Framework
ISO27002 CIS CSC Top
20
RMF
FedRamp
CJIS
UK Cyber
Essentials
FFIEC
GLBA
Rules run on Environments – are tagged to controls
8
IaaS
PaaS
SaaS
Cloud
Data Centers
Hybrid
Cloud
Assessment
Score
WIN2008R1
& R2
WIN20012R1
& R2
CentOS 6
CentOS7
RHEL6
RHEL7
UBUNTU12 UBUNTU14
AWS EC2
ESX 5.5
Azure
Docker
Windows 7
Windows 10
2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF
CISACGEIT CSXCISMCRISC
CRAWL THIS WAY
9
Steve Tyler, lead singer for Aerosmith, is
not associated in any capacity to Cavirin..
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Crawl: Top initiatives to provide most protection
• Control Administrative Privileges
• Limiting Workstation-to-Workstation
Communication
• Antivirus File Reputation Services
• Anti-Exploitation
• Host Intrusion Prevention (HIPS) Systems
• Secure Baseline Configuration!!!!!
• Web Domain Name System (DNS)
Reputation
• Patching: Take Advantage of Software
Improvements
• Segregate Networks and Functions
• Application Whitelisting
• Think about your tools
10
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Tools (Solutions) are Overwhelming
11
Credit to Monument Partners
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Accountability +Compliance – crawl then walk
• We fear false confidence in published assessment reports.
• CIS Critical Security Controls (Top 20) and NIST Cybersecurity
framework make it possible to organize detected conditions, that
left unchecked, would unravel both the company’s investments and
controls.
• Using the 80/20 rule, crawl = secure host baseline, walk = CSC and
NIST CSF
12
AWS, Azure,
Docker (Cloud)
Ransomware &
Data
Exfiltration
Cyber
Insurance
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
From a cyber perspective, why does managing
configuration baseline matter?
To start, you have to
• Understand your a kill chain
• Handle changes to major US regulations
• Transfer cyber risk accountability
• Insurance requires evidence of due diligence, i.e. consistent
practice of risk assessment and remediation
• Because lateral movement and exfiltration doesn’t care
which devices are in your audit scope.
• Because there are too many environment and too many
things.
13
AWS, Azure,
Docker, Google
(Cloud)
Ransomware
& Data
Exfiltration
Cyber
Insurance
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
A successful kill only requires 5 elements
Risk
Scenarios
Events
Resources
Time
Threats
Actors
14
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Let’s take out a target
Get access to the target’s outlook calendar (schedule)
Discover the route they travel (location)
Get fake uniforms so we blend in (identity)
Distract the guards (opportunity)
Interrupt the live camera feed so they don’t see us (time)
Purchase a weapon that can’t be traced (malware, spyware…)
Go – Go – Go: Take out the target
Burn down the structure so there’s nothing left, or just encrypt
everything and sell the target their own key. (ransomware)
15
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
To disrupt a kill chain, what do we assess?
• Environment is “hardened”
against types of threats
• Limits to bad Actors –
technical behaviors
• Time: environments
remain resilient to threats
(Drift)
• Resources: engineers will
not cause us to fail an
audit.
16
Business
Requirements
CIS
Benchmark
DISA STIGS
NIST 53 v4
PCI DSS 3.2
SOC2 2016
HIPAA
HITECH CSF CSF Cyber
Security
Framework
ISO27002
CIS CSC Top
20
Risk
Management
Framework
FedRamp
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Risk Assessments frame risk conversation
• Assessments are industry focused and often repeat the same topics
• “Risk” Assessments have context and use an industry approved
model (an abstraction) to organize many “things”
• All industries struggle to gather technical evidence of implementing
their assessed controls.
• Control bypass and poor process often make it impossible for
engineers to configure to the requirements of security and
compliance – many times, the requirements are not understood
17
18
2016 SF ISACA FALL CONFERENCE – “SWEET 16” 19
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Center for Internet Security Critical Security
Controls v. 6.1
• Updated by cyber experts based on actual attack data
pulled from a variety of public and private threat
sources.
• CIS Controls are likely to prevent majority of cyber-
attacks.
• Concise, prioritized set of cyber practices created to stop
today's most pervasive and dangerous cyber-attacks.
20
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
CIS CSC 6.1 Mapped to Rules for Configuration
21
Provide metrics for IT personnel to
understand, continuously diagnose
and mitigate risks, and automate
defenses to ensure compliance with
the controls.
With regard to Critical Security Controls, CSC
“…failure to implement all of the controls that
apply to an organization’s environment constitutes
a lack of reasonable security.”
Kamala Harris, Attorney General, CA Breach
Report 2016
22
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Using CSC CIS to Mitigate Expertise Risk – Prove existence of IT
Security Program at OS, Environment, Device levels
• Map compliance
testing to assertions
of good practice
across enterprise
environments
• Unmet criteria
triggers notification
with steps for
remediation
23
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
NIST Cybersecurity Framework: The CHALLENGE
US Executive Order 13636 on Improving
Critical Infrastructure Cybersecurity requires
accountability to assure cybersecurity
readiness.
Financial, Communications, Manufacturing,
Defense, Energy, Emergency Services, Food
and Agriculture, Healthcare, IT, Utilities,
Chemical, Water, Nuclear Reactors,
Materials, & Waste and Transportation
sectors are expected to initiate currently
“voluntary” compliance with the NIST
Cybersecurity Framework.
24
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
NIST CSF provides a cyber security functions model
Identify
CMDB, People,
Process,
Technology,
relationships,
alignment to
controls
Protect
Architecture,
Infrastructure,
Monitoring
Detect
Defined Sources,
Collection,
Interpretation,
Reporting
Methods
Respond
RCA, Corrective
Action,
Management
Meetings, Plans,
Optimization
Targets
Recover
Configuration
baselines,
response plans,
lessons learned,
Wiki,
documentation,
BIA
25
2016 SF ISACA FALL CONFERENCE – “SWEET 16” 26
Assessment Testing Ransomware Exfiltration Mapping Query
AU-9 PROTECTION OF AUDIT INFORMATION AU-9.1 HARDWARE WRITE-ONCE MEDIA
AU-9 PROTECTION OF AUDIT INFORMATION AU-9.2 AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
PE-3 PHYSICAL ACCESS CONTROL PE-3.2 FACILITY/INFORMATION SYSTEM BOUNDARIES
PL-8 INFORMATION SECURITY ARCHITECTURE PL-8.1 DEFENSE-IN-DEPTH
SC-3 SECURITY FUNCTION ISOLATION SC-3.2 ACCESS/FLOW CONTROL FUNCTIONS
SC-7 BOUNDARY PROTECTION SC-7.7 PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
SC-7 BOUNDARY PROTECTION SC-7.10 PREVENT UNAUTHORIZED EXFILTRATION
SI-4 INFORMATION SYSTEM MONITORING SI-4.16 CORRELATE MONITORING INFORMATION
SI-4 INFORMATION SYSTEM MONITORING SI-4.18 ANALYZE TRAFFIC / COVERT EXFILTRATION
Group controls to risks associated with their absence
– Report under the assessment type that matters to your board
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
CIS CSC and NIST CSF Risk Assessment Context
• CIS Critical Security Controls
AND NIST Cybersecurity
security models play nicely
• You should understand DISA
STIG and CIS Benchmarks in
design of and implementation
of secure configuration
baseline
• You may need to consider if
you are use case A or B
27
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Use Case – A or B
Hi, I assess OS for
non-government
systems.
Hi, I assess OS for
government
systems.
I’m A I’m B
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Use Cases – How to assess an Operating System
I do that too, but I
use CIS Benchmarks
xccdf.
In government we examine
system rules by scanning
with DISA STIG xccdf.
I run rule checks
using OVALs, CCE,
CVE
I run rule checks
using OVALs, CCE,
CVE too
I’m A I’m B
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Use Cases – Do we need DISA?
Nope, we just prioritize as
Level 1 and Level 2 and
end user applies what they
want.
Cool! Do you
classify your target
systems?
I’m A I’m B
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Use Cases – Classified v. Non Classified
CIS Benchmarks enable a lot
of assessments, like SOC, CIS
CSC, NIST CSF, HITRUST CSF,
ISO27002, and PCI 3.2 for non
classified environments.
FISMA requires us to use
DISA and map to NIST.
We have to classify our
endpoints.
I’m A I’m B
We also use USGCBs
(United States Government
Configuration Baseline) for
baseline configurations on
Information Technology
products widely deployed
across federal agencies.
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Business
Requirements
CIS
Benchmark
DISA STIGS
NIST 53 v4
PCI DSS 3.2
SOC2 2016
HIPAA
HITECH CSF CSF Cyber
Security
Framework
ISO27002
CIS CSC Top
20
Risk
Management
Framework
FedRamp
Customers come
from lots of
industries, but
solutions start by
asking one
question.
YES, the target
environment is
government
classified? I’ll use
DISA
Is the target environment government
classified?
For non classified assessment
models, I’m going to use CIS
Benchmarks to evaluate our host
baseline configurations
Industry and Data Classification
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Center for Internet Security – states up to
80% of cyber attacks could be prevented by
• Maintaining an inventory of authorized
and unauthorized devices
• Maintaining an inventory of authorized
and unauthorized software
• Developing and managing secure
configurations for all devices
• Conducting continuous (automated)
vulnerability assessment and remediation
• Actively managing and controlling the use
of administrative privileges
33
• 84 Docker
Container
Policies
• 43 AWS Cloud
Policies
published by CIS
AWS, Azure,
Docker (Cloud)
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Gartner Study and Recommendation for AWS
• Gartner’s Strategic Planning Assumption
• Through 2020, 80% of cloud breaches will be due to customer
misconfiguration, mismanaged credentials or insider theft, not
cloud provider vulnerabilities.
• The mismanagement of recommended configuration is both in
and beyond our locus of control, however, cloud breaches
impact everyone’s brand.
34
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Automated Risk Analysis Platform must haves
• Cloud Native platform supporting 12-factor patterns (things like port binding, logs,
concurrency…)
• A “hyper plane” of integrated “risk assessment” amongst segmented vulnerability
domains
• Must work with Private, Hybrid, and Public Clouds
• Support AWS, Azure, GCP (Google Cloud Platform)
• Manage thousands of out-of-box policies, well curated and certified (SCAP, XCCDF,
OVAL, CCI)
• Supports current compliance authority (PCI DSS, HIPAA, NIST, SOC2, FedRamp, CIS
Benchmark, DISA, CIS CSC, CSF)
• Have CIS Certified security content (Multiple OS, Docker, AWS Cloud)
• Be AWS Security Certified
20
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
According To Higher Education Information Security Council ©
2015 EDUCAUSE
• Most institutions that purchase a cyber
policy have limits of $5 million or less and
deductibles of $50,000 or less.
• Policies require attestation to thematurity
of information technology and
information security programs
• Subject to Independent audit of your IT
and IT security
• Inaccuracies may render claims invalid or
provide an opportunity for the insurer to
void the policy altogether.
36
Cyber
Insurance
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
NACD National Association of Certified Directors
– Cyber Handbook
• How to disclose a cyber event
• NIST Cyber Security Framework, voluntarily measure and
benchmark IT and Security Program effectiveness
• Boards require active reporting on Cyber preparedness
– Understanding risk appetite
– Exposure points
• Directors are exposed by third party dependencies, especially those
dependencies that exist in the cloud
• Credit card issuers and Healthcare providers are increasingly
experiencing recourses against Boards of Directors
3710/27/16
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Resilience to Ransomware & Data Exfiltration
• Backup your data
• Keep your anti-virus software current
• Screen emails for phishing/malware
• Authenticate the sources of email
• Sandboxing suspicious software
• http://www.networkworld.com/article/3062901/security/with-some-advanced-preparation-you-can-survive-a-ransomware-attack.html
38
Ransomware &
Data
Exfiltration
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Endpoint – user access to
sensitive data, at risk
employees
•Increasing granularity of data
policies and controls
•Start with most sensitive data
in high frequency locations like
email, CRM, financial systems
Network – high volume,
high risk protocols and
exit points
•Increasing monitored
protocols and endpoints
•Start with known
vulnerable algorithms and
protocols (SSL 3, TLS 1.0,
DES, RC4
Storage
•Increasing allowable and
monitored locations for data
•File servers, Exchange DB
•SharePoint, Database Servers
•Virtual Storage CIF
•Web Servers
DLP Policy
Monitoring &
prevention
Discovery &
protection
Crawl, Walk, Run
• Qualitative risk
assessment
• Leverage existing BIA
and Data Retention
Strategy
• Information Security
Threat analysis, and
• Integrate with Goals
for enterprise IT
39
2016 SF ISACA FALL CONFERENCE – “SWEET 16”
Crawl, walk, run – Be the force
• Understand your environment
• Identify open wounds, stop
bleeding
• Factor risk against attention and
resource, tie out engineering to
audit
• Gain consistency across devices,
environments, businesses
• Achieve continuous automated
risk assessment, stitch greatest
risk into automation in your
continuous compliance platform
40
About Cavirin
Cavirin’s Automated Risk Analysis Platform (ARAP)
is a scalable, extensible fabric that provides instant
security visibility on cloud based (private, hybrid,
and public) infrastructure, offering continuous risk
assessment. Through its agentless discovery
mechanism, ARAP deep scans very large sets of
assets, applying rich “out-of-the-box” policy
covering sought-after security standards,
generating action oriented reports and aligning
actual to best practice and regulatory compliance
requirements. Its open “connector” architecture
allows enterprises to deploy on a hyper-plane that
integrates popular cloud-based assessment
services such as Amazon Inspector, delivering a
business and industry specific reporting enabled
by Scripted Policy Framework.
10/27/16 41
Cavirin services are cloud agnostic, recently
releasing Docker and Azure policy, is an Amazon
Web Services Certified Security vendor, and an
authorized partner for its Inspector service. The
ARAP content library includes PCI DSS, DISA & CIS
Benchmark, CIS Critical Security Controls, ISO
27002, NIST 53 v.4, CSF, SOC2, and HIPAA Common
Security Framework.
Copyright © Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA 95054
robin@cavirin.com https://www.linkedin.com/in/robinbasham
About your speaker: Robin Basham, VP Information Security Risk and
Compliance, & CCO
Robin Basham, M.Ed, M.IT, CISSP, CISA, CGEIT, CRISC, serves as
Cavirin’s Vice President Information Security Risk and Compliance,
providing thought leadership to industries ranging from large
enterprise to soaring SMB, delivering concrete programs that
transform compliance burden to strategic advantage. Robin is a
Certified Information Systems Security, Audit, Governance and Risk
professional, earning multiple master’s degrees in Technology and
Education. She is an Enterprise ICT GRC expert and early adopter in
both certifying and offering certification programs for Cloud and
Virtualization. Industry experience includes program direction,
architecting and management of systems, controls and data for
SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education,
Defense and High Tech. Robin has held positions in Technology as
an Officer at State Street Bank, Lead Process Engineering for a
major New England CLEC, and Sr. Director Enterprise Technology for
multiple advisory firms. Robin has delivered more than 75
compliance engineering products, and run two governance
software companies. Most recently she served as Director
Enterprise Compliance for a major player in the mortgage industry,
Ellie Mae. Robin’s expertise and knowledge are highly recognized in
Boston, Mid Atlantic, Silicon Valley and East Bay, where she has
served hundreds of clients and is a frequent speaker, educator, and
board contributor.
10/27/16
42Copyright © Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA 95054
robin@cavirin.com https://www.linkedin.com/in/robinbasham

More Related Content

What's hot

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
Brencil Kaimba
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
Digital Bond
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
Ben Rothke
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NetLockSmith
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
Vigilant Software
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
Tanmay Shinde
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
Craig Willetts ISO Expert
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
rbrockway
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
PECB
 

What's hot (20)

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
 

Similar to Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
awish11
 
2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector
Scott Geye
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Dominique Dessy
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
Ulf Mattsson
 
2014-12-16 defense news - shutdown the hackers
2014-12-16  defense news - shutdown the hackers2014-12-16  defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackers
Shawn Wells
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
Ulf Mattsson
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
Kaspersky
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
Dragos, Inc.
 
Cisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportCisco 2016 Annual Security Report
Cisco 2016 Annual Security Report
James Gachie
 
Cisco asr-2016-160121231711
Cisco asr-2016-160121231711Cisco asr-2016-160121231711
Cisco asr-2016-160121231711
Trainning Educação
 
Cisco Annual Security Report
Cisco Annual Security ReportCisco Annual Security Report
Cisco Annual Security Report
The Internet of Things
 
Cisco 2016 Security Report
Cisco 2016 Security Report Cisco 2016 Security Report
Cisco 2016 Security Report
Steve Fantauzzo
 
Cisco Annual Security Report 2016
Cisco Annual Security Report 2016Cisco Annual Security Report 2016
Cisco Annual Security Report 2016
The Internet of Things
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
Hafid CHEBRAOUI
 
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
Securing Industrial Control Systems - CornCON II: The Wrath Of CornSecuring Industrial Control Systems - CornCON II: The Wrath Of Corn
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
Eric Andresen
 
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
PROIDEA
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
Ben Rothke
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks  Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Dragos, Inc.
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
Cam Fulton
 

Similar to Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule (20)

Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
2014-12-16 defense news - shutdown the hackers
2014-12-16  defense news - shutdown the hackers2014-12-16  defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackers
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Cisco 2016 Annual Security Report
Cisco 2016 Annual Security ReportCisco 2016 Annual Security Report
Cisco 2016 Annual Security Report
 
Cisco asr-2016-160121231711
Cisco asr-2016-160121231711Cisco asr-2016-160121231711
Cisco asr-2016-160121231711
 
Cisco Annual Security Report
Cisco Annual Security ReportCisco Annual Security Report
Cisco Annual Security Report
 
Cisco 2016 Security Report
Cisco 2016 Security Report Cisco 2016 Security Report
Cisco 2016 Security Report
 
Cisco Annual Security Report 2016
Cisco Annual Security Report 2016Cisco Annual Security Report 2016
Cisco Annual Security Report 2016
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
 
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
Securing Industrial Control Systems - CornCON II: The Wrath Of CornSecuring Industrial Control Systems - CornCON II: The Wrath Of Corn
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
 
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operat...
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks  Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
 

More from EnterpriseGRC Solutions, Inc.

CobiT Foundation Free Training
CobiT Foundation Free TrainingCobiT Foundation Free Training
CobiT Foundation Free Training
EnterpriseGRC Solutions, Inc.
 
ISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference BrochureISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference Brochure
EnterpriseGRC Solutions, Inc.
 
2012 Summer Conference Brochure
2012 Summer Conference Brochure2012 Summer Conference Brochure
2012 Summer Conference Brochure
EnterpriseGRC Solutions, Inc.
 
2011 Summer Conference Brochure
2011 Summer Conference Brochure2011 Summer Conference Brochure
2011 Summer Conference Brochure
EnterpriseGRC Solutions, Inc.
 
The Perils of Mount Must Read
The Perils of Mount Must ReadThe Perils of Mount Must Read
The Perils of Mount Must Read
EnterpriseGRC Solutions, Inc.
 
Procedures and Controls Documentation Guidelines
Procedures and Controls Documentation GuidelinesProcedures and Controls Documentation Guidelines
Procedures and Controls Documentation Guidelines
EnterpriseGRC Solutions, Inc.
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
EnterpriseGRC Solutions, Inc.
 
Enterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slidesEnterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slides
EnterpriseGRC Solutions, Inc.
 
Does audit make us more secure
Does audit make us more secureDoes audit make us more secure
Does audit make us more secure
EnterpriseGRC Solutions, Inc.
 
Cryptographic lifecycle security training
Cryptographic lifecycle security trainingCryptographic lifecycle security training
Cryptographic lifecycle security training
EnterpriseGRC Solutions, Inc.
 
Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
EnterpriseGRC Solutions, Inc.
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
CISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studiesCISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studies
EnterpriseGRC Solutions, Inc.
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
EnterpriseGRC Solutions, Inc.
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
EnterpriseGRC Solutions, Inc.
 
The value of our data
The value of our dataThe value of our data
The value of our data
EnterpriseGRC Solutions, Inc.
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
EnterpriseGRC Solutions, Inc.
 
Green Tech
Green TechGreen Tech

More from EnterpriseGRC Solutions, Inc. (18)

CobiT Foundation Free Training
CobiT Foundation Free TrainingCobiT Foundation Free Training
CobiT Foundation Free Training
 
ISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference BrochureISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference Brochure
 
2012 Summer Conference Brochure
2012 Summer Conference Brochure2012 Summer Conference Brochure
2012 Summer Conference Brochure
 
2011 Summer Conference Brochure
2011 Summer Conference Brochure2011 Summer Conference Brochure
2011 Summer Conference Brochure
 
The Perils of Mount Must Read
The Perils of Mount Must ReadThe Perils of Mount Must Read
The Perils of Mount Must Read
 
Procedures and Controls Documentation Guidelines
Procedures and Controls Documentation GuidelinesProcedures and Controls Documentation Guidelines
Procedures and Controls Documentation Guidelines
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
Enterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slidesEnterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slides
 
Does audit make us more secure
Does audit make us more secureDoes audit make us more secure
Does audit make us more secure
 
Cryptographic lifecycle security training
Cryptographic lifecycle security trainingCryptographic lifecycle security training
Cryptographic lifecycle security training
 
Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
CISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studiesCISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studies
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
The value of our data
The value of our dataThe value of our data
The value of our data
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
 
Green Tech
Green TechGreen Tech
Green Tech
 

Recently uploaded

Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Pravash Chandra Das
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
flufftailshop
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
GDSC PJATK
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
alexjohnson7307
 

Recently uploaded (20)

Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
 

Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule

  • 1. 2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF CISACGEIT CSXCISMCRISC Walk This Way: Using CIS Critical Security Controls and NIST Cybersecurity Framework to accomplish Cyber Threat Resilience – A Tools Approach Robin Basham, Chief Compliance Officer, VP Information Security Risk & Compliance, Cavirin Cybersecurity Essentials – E32
  • 2. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Cyber Risk Recap: What could go wrong? • Reputation is a cyber target • Criminals value information – financial, health, critical infrastructure • The pace of technology intensifies and blurs dependencies • We can’t trace, never mind control our data • Exfiltration happens • The role of government and information custody is flat out unclear 2
  • 3. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Cybersecurity Mission: Resilience • Know the critical assets and who’s responsible for them • Get everyone involved in cyber- resilience (discovery) • Assure they have the knowledge and autonomy to make good decisions • Be prepared for both unsuccessful AND successful attack • Prevent a cyber attack from throwing the organization into complete chaos. 3 Define Establish Implement Analyze Report Respond Review Update Continuous Monitoring
  • 4. 2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF CISACGEIT CSXCISMCRISC IT’S ALL GOOD, YOU’RE A ROCK STAR, YOU’RE SUPERHUMAN – YOU CAN HERD CATS 4 Steve Tyler, lead singer for Aerosmith, is not associated in any capacity to Cavirin. We are inspired by his music.
  • 5. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Assessing Things SOC2 – PCI – NIST CSF – HITRUST – SOX - FedRamp Control Matrix – COSO – NIST 800 53r4 – Cobit –Risk Management Frameworks Configuration Rules – CIS – DISA for example, can be automated for detection Things – Servers – Routers – Containers – Apps – all have configuration values that can pass or fail 5
  • 6. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Assessing Things – In Reality Things Configuration Rules Controls Assessment Models – SOC – PCI – CSF – HITRUST – SOX - FedRamp 6 xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_ Ensure_Load_and_unload_device_drivers_is_set_ to_Administrators To establish the recommend-ed configuration via GP, set the following UI path to Administrators Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentLoad and unload device drivers Impact If you remove the Load and unload device drivers user right from the Print Operators group or other accounts you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks will not be negatively affected.
  • 7. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” CISOPCI DSS SOC2 HITECH Cyber Security Framework ISO27002 NIST 800- 53 r4, Appendix J CIC CSC Top 20 DISA STIGS FedRamp SIG Due Diligence RMF, FAIR, COSO ERM Security Roles - Environments - Measures CISOBuild Business Sell Security Govern Security Operate Securely Identity & Access Risk Management Legal Interface Compliance Security Architecture Budget Security Roadmap PMO Security Roadmap 7 IaaS PaaS SaaS Cloud Hybrid Cloud
  • 8. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Containers Requirements CIS Benchmark DISA STIGS NIST 800-53 v4 PCI DSS 3.2 SOC2 2016 HIPAA HITECH CSF CSF Cyber Security Framework ISO27002 CIS CSC Top 20 RMF FedRamp CJIS UK Cyber Essentials FFIEC GLBA Rules run on Environments – are tagged to controls 8 IaaS PaaS SaaS Cloud Data Centers Hybrid Cloud Assessment Score WIN2008R1 & R2 WIN20012R1 & R2 CentOS 6 CentOS7 RHEL6 RHEL7 UBUNTU12 UBUNTU14 AWS EC2 ESX 5.5 Azure Docker Windows 7 Windows 10
  • 9. 2016 SF ISACA FALL CONFERENCE OCTOBER 24-26 HOTEL NIKKO - SF CISACGEIT CSXCISMCRISC CRAWL THIS WAY 9 Steve Tyler, lead singer for Aerosmith, is not associated in any capacity to Cavirin..
  • 10. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Crawl: Top initiatives to provide most protection • Control Administrative Privileges • Limiting Workstation-to-Workstation Communication • Antivirus File Reputation Services • Anti-Exploitation • Host Intrusion Prevention (HIPS) Systems • Secure Baseline Configuration!!!!! • Web Domain Name System (DNS) Reputation • Patching: Take Advantage of Software Improvements • Segregate Networks and Functions • Application Whitelisting • Think about your tools 10
  • 11. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Tools (Solutions) are Overwhelming 11 Credit to Monument Partners
  • 12. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Accountability +Compliance – crawl then walk • We fear false confidence in published assessment reports. • CIS Critical Security Controls (Top 20) and NIST Cybersecurity framework make it possible to organize detected conditions, that left unchecked, would unravel both the company’s investments and controls. • Using the 80/20 rule, crawl = secure host baseline, walk = CSC and NIST CSF 12 AWS, Azure, Docker (Cloud) Ransomware & Data Exfiltration Cyber Insurance
  • 13. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” From a cyber perspective, why does managing configuration baseline matter? To start, you have to • Understand your a kill chain • Handle changes to major US regulations • Transfer cyber risk accountability • Insurance requires evidence of due diligence, i.e. consistent practice of risk assessment and remediation • Because lateral movement and exfiltration doesn’t care which devices are in your audit scope. • Because there are too many environment and too many things. 13 AWS, Azure, Docker, Google (Cloud) Ransomware & Data Exfiltration Cyber Insurance
  • 14. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” A successful kill only requires 5 elements Risk Scenarios Events Resources Time Threats Actors 14
  • 15. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Let’s take out a target Get access to the target’s outlook calendar (schedule) Discover the route they travel (location) Get fake uniforms so we blend in (identity) Distract the guards (opportunity) Interrupt the live camera feed so they don’t see us (time) Purchase a weapon that can’t be traced (malware, spyware…) Go – Go – Go: Take out the target Burn down the structure so there’s nothing left, or just encrypt everything and sell the target their own key. (ransomware) 15
  • 16. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” To disrupt a kill chain, what do we assess? • Environment is “hardened” against types of threats • Limits to bad Actors – technical behaviors • Time: environments remain resilient to threats (Drift) • Resources: engineers will not cause us to fail an audit. 16 Business Requirements CIS Benchmark DISA STIGS NIST 53 v4 PCI DSS 3.2 SOC2 2016 HIPAA HITECH CSF CSF Cyber Security Framework ISO27002 CIS CSC Top 20 Risk Management Framework FedRamp
  • 17. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Risk Assessments frame risk conversation • Assessments are industry focused and often repeat the same topics • “Risk” Assessments have context and use an industry approved model (an abstraction) to organize many “things” • All industries struggle to gather technical evidence of implementing their assessed controls. • Control bypass and poor process often make it impossible for engineers to configure to the requirements of security and compliance – many times, the requirements are not understood 17
  • 18. 18
  • 19. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” 19
  • 20. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Center for Internet Security Critical Security Controls v. 6.1 • Updated by cyber experts based on actual attack data pulled from a variety of public and private threat sources. • CIS Controls are likely to prevent majority of cyber- attacks. • Concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber-attacks. 20
  • 21. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” CIS CSC 6.1 Mapped to Rules for Configuration 21 Provide metrics for IT personnel to understand, continuously diagnose and mitigate risks, and automate defenses to ensure compliance with the controls. With regard to Critical Security Controls, CSC “…failure to implement all of the controls that apply to an organization’s environment constitutes a lack of reasonable security.” Kamala Harris, Attorney General, CA Breach Report 2016
  • 22. 22
  • 23. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Using CSC CIS to Mitigate Expertise Risk – Prove existence of IT Security Program at OS, Environment, Device levels • Map compliance testing to assertions of good practice across enterprise environments • Unmet criteria triggers notification with steps for remediation 23
  • 24. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” NIST Cybersecurity Framework: The CHALLENGE US Executive Order 13636 on Improving Critical Infrastructure Cybersecurity requires accountability to assure cybersecurity readiness. Financial, Communications, Manufacturing, Defense, Energy, Emergency Services, Food and Agriculture, Healthcare, IT, Utilities, Chemical, Water, Nuclear Reactors, Materials, & Waste and Transportation sectors are expected to initiate currently “voluntary” compliance with the NIST Cybersecurity Framework. 24
  • 25. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” NIST CSF provides a cyber security functions model Identify CMDB, People, Process, Technology, relationships, alignment to controls Protect Architecture, Infrastructure, Monitoring Detect Defined Sources, Collection, Interpretation, Reporting Methods Respond RCA, Corrective Action, Management Meetings, Plans, Optimization Targets Recover Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA 25
  • 26. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” 26 Assessment Testing Ransomware Exfiltration Mapping Query AU-9 PROTECTION OF AUDIT INFORMATION AU-9.1 HARDWARE WRITE-ONCE MEDIA AU-9 PROTECTION OF AUDIT INFORMATION AU-9.2 AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS PE-3 PHYSICAL ACCESS CONTROL PE-3.2 FACILITY/INFORMATION SYSTEM BOUNDARIES PL-8 INFORMATION SECURITY ARCHITECTURE PL-8.1 DEFENSE-IN-DEPTH SC-3 SECURITY FUNCTION ISOLATION SC-3.2 ACCESS/FLOW CONTROL FUNCTIONS SC-7 BOUNDARY PROTECTION SC-7.7 PREVENT SPLIT TUNNELING FOR REMOTE DEVICES SC-7 BOUNDARY PROTECTION SC-7.10 PREVENT UNAUTHORIZED EXFILTRATION SI-4 INFORMATION SYSTEM MONITORING SI-4.16 CORRELATE MONITORING INFORMATION SI-4 INFORMATION SYSTEM MONITORING SI-4.18 ANALYZE TRAFFIC / COVERT EXFILTRATION Group controls to risks associated with their absence – Report under the assessment type that matters to your board
  • 27. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” CIS CSC and NIST CSF Risk Assessment Context • CIS Critical Security Controls AND NIST Cybersecurity security models play nicely • You should understand DISA STIG and CIS Benchmarks in design of and implementation of secure configuration baseline • You may need to consider if you are use case A or B 27
  • 28. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Use Case – A or B Hi, I assess OS for non-government systems. Hi, I assess OS for government systems. I’m A I’m B
  • 29. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Use Cases – How to assess an Operating System I do that too, but I use CIS Benchmarks xccdf. In government we examine system rules by scanning with DISA STIG xccdf. I run rule checks using OVALs, CCE, CVE I run rule checks using OVALs, CCE, CVE too I’m A I’m B
  • 30. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Use Cases – Do we need DISA? Nope, we just prioritize as Level 1 and Level 2 and end user applies what they want. Cool! Do you classify your target systems? I’m A I’m B
  • 31. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Use Cases – Classified v. Non Classified CIS Benchmarks enable a lot of assessments, like SOC, CIS CSC, NIST CSF, HITRUST CSF, ISO27002, and PCI 3.2 for non classified environments. FISMA requires us to use DISA and map to NIST. We have to classify our endpoints. I’m A I’m B We also use USGCBs (United States Government Configuration Baseline) for baseline configurations on Information Technology products widely deployed across federal agencies.
  • 32. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Business Requirements CIS Benchmark DISA STIGS NIST 53 v4 PCI DSS 3.2 SOC2 2016 HIPAA HITECH CSF CSF Cyber Security Framework ISO27002 CIS CSC Top 20 Risk Management Framework FedRamp Customers come from lots of industries, but solutions start by asking one question. YES, the target environment is government classified? I’ll use DISA Is the target environment government classified? For non classified assessment models, I’m going to use CIS Benchmarks to evaluate our host baseline configurations Industry and Data Classification
  • 33. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Center for Internet Security – states up to 80% of cyber attacks could be prevented by • Maintaining an inventory of authorized and unauthorized devices • Maintaining an inventory of authorized and unauthorized software • Developing and managing secure configurations for all devices • Conducting continuous (automated) vulnerability assessment and remediation • Actively managing and controlling the use of administrative privileges 33 • 84 Docker Container Policies • 43 AWS Cloud Policies published by CIS AWS, Azure, Docker (Cloud)
  • 34. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Gartner Study and Recommendation for AWS • Gartner’s Strategic Planning Assumption • Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities. • The mismanagement of recommended configuration is both in and beyond our locus of control, however, cloud breaches impact everyone’s brand. 34
  • 35. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Automated Risk Analysis Platform must haves • Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…) • A “hyper plane” of integrated “risk assessment” amongst segmented vulnerability domains • Must work with Private, Hybrid, and Public Clouds • Support AWS, Azure, GCP (Google Cloud Platform) • Manage thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL, CCI) • Supports current compliance authority (PCI DSS, HIPAA, NIST, SOC2, FedRamp, CIS Benchmark, DISA, CIS CSC, CSF) • Have CIS Certified security content (Multiple OS, Docker, AWS Cloud) • Be AWS Security Certified 20
  • 36. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” According To Higher Education Information Security Council © 2015 EDUCAUSE • Most institutions that purchase a cyber policy have limits of $5 million or less and deductibles of $50,000 or less. • Policies require attestation to thematurity of information technology and information security programs • Subject to Independent audit of your IT and IT security • Inaccuracies may render claims invalid or provide an opportunity for the insurer to void the policy altogether. 36 Cyber Insurance
  • 37. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” NACD National Association of Certified Directors – Cyber Handbook • How to disclose a cyber event • NIST Cyber Security Framework, voluntarily measure and benchmark IT and Security Program effectiveness • Boards require active reporting on Cyber preparedness – Understanding risk appetite – Exposure points • Directors are exposed by third party dependencies, especially those dependencies that exist in the cloud • Credit card issuers and Healthcare providers are increasingly experiencing recourses against Boards of Directors 3710/27/16
  • 38. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Resilience to Ransomware & Data Exfiltration • Backup your data • Keep your anti-virus software current • Screen emails for phishing/malware • Authenticate the sources of email • Sandboxing suspicious software • http://www.networkworld.com/article/3062901/security/with-some-advanced-preparation-you-can-survive-a-ransomware-attack.html 38 Ransomware & Data Exfiltration
  • 39. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Endpoint – user access to sensitive data, at risk employees •Increasing granularity of data policies and controls •Start with most sensitive data in high frequency locations like email, CRM, financial systems Network – high volume, high risk protocols and exit points •Increasing monitored protocols and endpoints •Start with known vulnerable algorithms and protocols (SSL 3, TLS 1.0, DES, RC4 Storage •Increasing allowable and monitored locations for data •File servers, Exchange DB •SharePoint, Database Servers •Virtual Storage CIF •Web Servers DLP Policy Monitoring & prevention Discovery & protection Crawl, Walk, Run • Qualitative risk assessment • Leverage existing BIA and Data Retention Strategy • Information Security Threat analysis, and • Integrate with Goals for enterprise IT 39
  • 40. 2016 SF ISACA FALL CONFERENCE – “SWEET 16” Crawl, walk, run – Be the force • Understand your environment • Identify open wounds, stop bleeding • Factor risk against attention and resource, tie out engineering to audit • Gain consistency across devices, environments, businesses • Achieve continuous automated risk assessment, stitch greatest risk into automation in your continuous compliance platform 40
  • 41. About Cavirin Cavirin’s Automated Risk Analysis Platform (ARAP) is a scalable, extensible fabric that provides instant security visibility on cloud based (private, hybrid, and public) infrastructure, offering continuous risk assessment. Through its agentless discovery mechanism, ARAP deep scans very large sets of assets, applying rich “out-of-the-box” policy covering sought-after security standards, generating action oriented reports and aligning actual to best practice and regulatory compliance requirements. Its open “connector” architecture allows enterprises to deploy on a hyper-plane that integrates popular cloud-based assessment services such as Amazon Inspector, delivering a business and industry specific reporting enabled by Scripted Policy Framework. 10/27/16 41 Cavirin services are cloud agnostic, recently releasing Docker and Azure policy, is an Amazon Web Services Certified Security vendor, and an authorized partner for its Inspector service. The ARAP content library includes PCI DSS, DISA & CIS Benchmark, CIS Critical Security Controls, ISO 27002, NIST 53 v.4, CSF, SOC2, and HIPAA Common Security Framework. Copyright © Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA 95054 robin@cavirin.com https://www.linkedin.com/in/robinbasham
  • 42. About your speaker: Robin Basham, VP Information Security Risk and Compliance, & CCO Robin Basham, M.Ed, M.IT, CISSP, CISA, CGEIT, CRISC, serves as Cavirin’s Vice President Information Security Risk and Compliance, providing thought leadership to industries ranging from large enterprise to soaring SMB, delivering concrete programs that transform compliance burden to strategic advantage. Robin is a Certified Information Systems Security, Audit, Governance and Risk professional, earning multiple master’s degrees in Technology and Education. She is an Enterprise ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud and Virtualization. Industry experience includes program direction, architecting and management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense and High Tech. Robin has held positions in Technology as an Officer at State Street Bank, Lead Process Engineering for a major New England CLEC, and Sr. Director Enterprise Technology for multiple advisory firms. Robin has delivered more than 75 compliance engineering products, and run two governance software companies. Most recently she served as Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Robin’s expertise and knowledge are highly recognized in Boston, Mid Atlantic, Silicon Valley and East Bay, where she has served hundreds of clients and is a frequent speaker, educator, and board contributor. 10/27/16 42Copyright © Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA 95054 robin@cavirin.com https://www.linkedin.com/in/robinbasham