SlideShare a Scribd company logo

Solving the CIO’s Cybersecurity Dilemma

Download as PPTX, PDF
John Gilligan
John Gilligan

Solving the CIO’s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense. a presentation by John M. Gilligan at the National Summit on Planning and Implementing the 20 Critical Controls, held in November 2009.

1 of 22
Solving the CIO’s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense John M. Gilligan www.gilligangroupinc.com National Summit on Planning and Implementing the 20 Critical Controls November 12, 2009
Topics • Background • Philosophy and Approach for the “20 Critical Controls” • Control Examples and List of Controls • Relationship of 20 Critical Controls to FISMA • Recommendations • Final thoughts 2
A CIO’s Environment • We are in a cyber “war” and are losing badly! • The IT industry has produced an inherently unsecure environment—total is security not achievable • CIO mandates exceed time and resources available • Cyber security is an enormously complex challenge—there are very few true experts It is time for CIOs and CISOs to focus on ways to make real and measurable improvements in security 3
The Challenge • CIOs/CISOs can lead global change • In the near-term, we must focus and measure progress • Automation of security control implementation and continuous assessment is essential • A well managed system is a harder target to attack and costs less to operate 4 CIOs/CISOs must take the lead in fighting the cyber war
FISMA Was Well Intended; What is Not Working?? • Original intent was good: – Ensure effective controls – Improve oversight of security programs – Provide for independent evaluation • Implementation took us off course – Agencies unable to adequately assess cyber risks – (Lots of) NIST “guidance” became mandatory – No auditable basis for independent evaluation – Grading became overly focused on paperwork 5 Bottom Line: OMB mandates and paperwork debates has distracted CIOs/CISOs from achieving real security improvements
Analogy of Current Cybersecurity Approach • An ambulance shows up at a hospital emergency room with a bleeding patient • Hospital takes a detailed medical history, gives inoculations for seasonal flu, swine flu, tetanus, shingles, and vaccination updates • Hospital tests for communicable diseases, high blood pressure, sends blood sample for cholesterol check, gives eye exam, checks hearing, etc. • At some point, a nurse’s aid` inquires about the red fluid on the floor 6 Implementation of FISMA has Resulted in a Checklist Approach: Not A Focus on Biggest Cyber Threats/Risks!
Meanwhile, the patient is bleeding to death!! 7 We Need Cybersecurity Triage— Not Comprehensive Medical Care
An “Aha” Moment! • Scene: 2002 briefing by NSA regarding latest penetration assessment of DoD systems • Objective: Embarrass DoD CIOs for failure to provide adequate security. • Subplot: If CIOs patch/fix current avenues of penetration, NSA would likely find others • Realization: Let’s use NSA’s offensive capabilities to guide security investments 8 Let “Offense Inform Defense”!
“20 Critical Controls”: The Philosophy • Assess cyber attacks to inform cyber defense – focus on high risk technical areas first • Ensure that security investments are focused to counter highest threats — pick a subset • Maximize use of automation to enforce security controls — negate human errors • Define metrics for critical controls • Use consensus process to collect best ideas 9 Focus investments by letting cyber offense inform defense
Approach for developing 20 Critical Controls • NSA “Offensive Guys” • NSA “Defensive Guys” • DoD Cyber Crime Center (DC3) • US-CERT (plus 3 agencies that were hit hard) • Top Commercial Pen Testers • Top Commercial Forensics Teams • JTF-GNO • AFOSI • Army Research Laboratory • DoE National Laboratories • FBI and IC-JTF 10  Identify top attacks—the critical risk areas  Prioritize controls to match successful attacks—mitigate critical risks  Identify automation/verification methods and measures  Engage CIOs, CISOs, Auditors, and oversight organizations  Coordinate with Congress regarding FISMA updates  Engage the best security experts:
Top 20 Attack Patterns—the biggest risks* 1. Scan for unprotected systems on networks 2. Scan for vulnerable versions of software 3. Scan for software with weak configurations 4. Scan for network devices with exploitable vulnerabilities 5. Attack boundary devices 6. Attack without being detected and maintain long-term access due to weak audit logs 7. Attack web-based or other application software 8. Gain administrator privileges to control target machines 9. Gain access to sensitive data that is not adequately protected 10. Exploit newly discovered and un-patched vulnerabilities 11. Exploit inactive user accounts 12. Implement malware attacks 13. Exploit poorly configured network services 14. Exploit weak security of wireless devices 15. Steal sensitive data 16. Map networks looking for vulnerabilities 17. Attack networks and systems by exploiting vulnerabilities undiscovered by target system personnel 18. Attack systems or organizations that have no or poor attack response 19. Change system configurations and/or data so that organization cannot restore it properly 20. Exploit poorly trained or poorly skilled employees 11 * Developed as a part of developing 20 Critical Controls and not in priority order
Example--Critical Control #1 Inventory of Authorized and Unauthorized Devices • Attacker Exploit: Scan for new, unprotected systems • Control: – Quick Win: Automated asset inventory discovery tool – Visibility/Attribution: On line asset inventory of devices with net address, machine name, purpose, owner – Configuration/Hygiene: Develop inventory of information assets (incl. critical information and map to hardware devices) • Associated NIST SP 800-53 Rev 3 Priority 1 Controls: – CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6 • Automated Support: Employ products available for asset inventories, inventory changes, network scanning against known configurations • Evaluation: Connect fully patched and hardened test machines to measure response from tools and staff. Control identifies and isolate new systems (Min--24 hours; best practice--less than 5 minutes) 12
Example--Critical Control #3 Secure Configurations for Hardware and Software on Laptops, Workstations and Servers • Attacker Exploit: Automated search for improperly configured systems • Control: – QW: Define controlled standard images that are hardened versions – QW: Negotiate contracts for secure images “out of the box” – Config/Hygiene: Tools enforce configurations; executive metrics with trends for systems meeting configuration guidelines • Associated NIST SP 800-53 Rev 3 Priority 1 Controls: – CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6 • Automated Support: Employ SCAP compliant tools to monitor/validate HW/SW/Network configurations • Evaluation: Introduce improperly configured system to test response times/actions (Minimum--24 hours; best practice--less than 5 min) 13
20 Critical Controls for Effective Cyber Defense (1 of 2) Critical Controls Subject to Automated Collection, Measurement, and Validation: 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 5. Boundary Defense 6. Maintenance, Monitoring, and Analysis of Security Audit Logs 7. Application Software Security 8. Controlled Use of Administrative Privileges 9. Controlled Access Based on Need to Know 10. Continuous Vulnerability Assessment and Remediation 11. Account Monitoring and Control 12. Malware Defenses 13. Limitation and Control of Network Ports, Protocols, and Services 14. Wireless Device Control 15. Data Loss Prevention 14
20 Critical Controls for Effective Cyber Defense (2 of 2) Additional Critical Controls (partially supported by automated measurement and validation): 16. Secure Network Engineering 17. Penetration Tests and Red Team Exercises 18. Incident Response Capability 19. Data Recovery Capability 20. Security Skills Assessment and Appropriate Training to Fill Gaps 15 Federal CIO Observation: The 20 Critical Controls are nothing new; they are recognized elements of a well managed enterprise
Complying with FISMA and NIST Guidelines • FISMA – Implement security protection commensurate with risk – Develop and maintain minimum controls – Selection of specific security solutions left to agencies – Ensure independent testing and evaluation of controls • NIST Guidelines – Use risk assessment to categorize systems – Select controls based on risk – Assess security controls 16
Relevance of 20 Critical Controls to FISMA and NIST Guidelines FISMA and NIST 1. Assess cyber security risk in an organization 2. Implement security based on risk 3. Select controls from NIST SP 800-53 to mitigate risk areas 4. Objectively evaluate control effectiveness 20 Critical Controls 1. Based on government-wide (shared) risk assessment 2. Controls address top cyber risks 3. 20 Critical Controls are subset of 800-53 Priority 1 controls 4. Use automated tools and periodic evaluations to provide continuous monitoring 17 20 Critical Controls are designed to help agencies comply with FISMA and NIST guidance!
20 Critical Controls—Implementation Recommendations Step 1: Accept CAG consensus threats as risk baseline for your organization Step 2: Implement 20 Critical Controls Step 3: Use organization specific risk assessment to select and implement additional controls from 800-53 – Focus on unique, mission critical capabilities and data Step 4: Use automated tools and periodic evaluations to continuously measure compliance (demonstrate risk reduction) Step 5: Partner with senior management and auditors to motivate compliance improvement – Use examples and lessons learned from State Dept. and others 18
Final Thoughts • CIOs must lead global change • In the near-term CIOs/CISOs must focus and measure • Automation of security control implementation and continuous assessment is essential • A well managed system is a harder target to attack and costs less to operate – the ultimate “no brainer” for a CIO 19 It is all about leadership. We need to stop the bleeding—Now!
Contact Information 20 John M. Gilligan jgilligan@gilligangroupinc.com 703-503-3232 www.gilligangroupinc.com
FISMA Original Intent • Framework to ensure effective information security controls • Recognize impact of highly networked environment • Provide for development and maintenance of minimum controls • Improved oversight of agency information security programs • Acknowledge potential of COTS capabilities • Selection of specific technical hardware and software information security solutions left to agencies • Provide independent evaluation of security program 21 However: FISMA has evolved to “grading” agencies based largely on secondary artifacts
22 NIST Guidance: 1200 pages of FIPS Pubs, Special Pubs, Security Bulletins, etc.

Recommended

Federal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practicesFederal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practices
John Gilligan
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
Lisa Niles
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controls
EnclaveSecurity
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
Lisa Niles
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 

Recommended

Federal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practicesFederal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practices
John Gilligan
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
Lisa Niles
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controls
EnclaveSecurity
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
Lisa Niles
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for Defense
EnclaveSecurity
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controls
EnclaveSecurity
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
Edgar Alejandro Villegas
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
EnclaveSecurity
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
Hafid CHEBRAOUI
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized Defense
EnclaveSecurity
 
Developing a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanDeveloping a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action Plan
Tripwire
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
John M. Willis
 
SuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringSuprTEK Continuous Monitoring
SuprTEK Continuous Monitoring
Tieu Luu
 
Leveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber SecurityLeveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber Security
John Gilligan
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
EnclaveSecurity
 
System Security Plans 101
System Security Plans 101System Security Plans 101
System Security Plans 101
Donald E. Hester
 
20 Critical Controls for Effective Cyber Defense (A must read for security pr...
20 Critical Controls for Effective Cyber Defense (A must read for security pr...20 Critical Controls for Effective Cyber Defense (A must read for security pr...
20 Critical Controls for Effective Cyber Defense (A must read for security pr...
Tahir Abbas
 
Information Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management FrameworkInformation Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management Framework
William McBorrough
 
"Backoff" Malware: How to Know If You're Infected
"Backoff" Malware: How to Know If You're Infected"Backoff" Malware: How to Know If You're Infected
"Backoff" Malware: How to Know If You're Infected
Tripwire
 
Achieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationAchieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security Automation
Tripwire
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityEnclaveSecurity
 
Cybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesCybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best Practices
John Gilligan
 
Implementing Continuous Monitoring
Implementing Continuous MonitoringImplementing Continuous Monitoring
Implementing Continuous Monitoring
John Gilligan
 

More Related Content

What's hot

The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for Defense
EnclaveSecurity
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controls
EnclaveSecurity
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
Edgar Alejandro Villegas
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
EnclaveSecurity
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
Hafid CHEBRAOUI
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized Defense
EnclaveSecurity
 
Developing a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanDeveloping a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action Plan
Tripwire
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
John M. Willis
 
SuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringSuprTEK Continuous Monitoring
SuprTEK Continuous Monitoring
Tieu Luu
 
Leveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber SecurityLeveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber Security
John Gilligan
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
EnclaveSecurity
 
System Security Plans 101
System Security Plans 101System Security Plans 101
System Security Plans 101
Donald E. Hester
 
20 Critical Controls for Effective Cyber Defense (A must read for security pr...
20 Critical Controls for Effective Cyber Defense (A must read for security pr...20 Critical Controls for Effective Cyber Defense (A must read for security pr...
20 Critical Controls for Effective Cyber Defense (A must read for security pr...
Tahir Abbas
 
Information Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management FrameworkInformation Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management Framework
William McBorrough
 
"Backoff" Malware: How to Know If You're Infected
"Backoff" Malware: How to Know If You're Infected"Backoff" Malware: How to Know If You're Infected
"Backoff" Malware: How to Know If You're Infected
Tripwire
 
Achieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationAchieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security Automation
Tripwire
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityEnclaveSecurity
 

What's hot (20)

The CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for DefenseThe CIS Critical Security Controls the International Standard for Defense
The CIS Critical Security Controls the International Standard for Defense
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controls
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controls
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized Defense
 
Developing a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanDeveloping a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action Plan
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
 
SuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringSuprTEK Continuous Monitoring
SuprTEK Continuous Monitoring
 
Leveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber SecurityLeveraging Federal Procurement to Improve Cyber Security
Leveraging Federal Procurement to Improve Cyber Security
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
 
System Security Plans 101
System Security Plans 101System Security Plans 101
System Security Plans 101
 
20 Critical Controls for Effective Cyber Defense (A must read for security pr...
20 Critical Controls for Effective Cyber Defense (A must read for security pr...20 Critical Controls for Effective Cyber Defense (A must read for security pr...
20 Critical Controls for Effective Cyber Defense (A must read for security pr...
 
Information Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management FrameworkInformation Security Continuous Monitoring within a Risk Management Framework
Information Security Continuous Monitoring within a Risk Management Framework
 
"Backoff" Malware: How to Know If You're Infected
"Backoff" Malware: How to Know If You're Infected"Backoff" Malware: How to Know If You're Infected
"Backoff" Malware: How to Know If You're Infected
 
Achieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationAchieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security Automation
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device security
 

Similar to Solving the CIO’s Cybersecurity Dilemma

Cybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesCybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best Practices
John Gilligan
 
Implementing Continuous Monitoring
Implementing Continuous MonitoringImplementing Continuous Monitoring
Implementing Continuous Monitoring
John Gilligan
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
randalje86
 
Building Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsBuilding Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & Metrics
Rob Arnold
 
Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed Actions
John Gilligan
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Alan Yau Ti Dun
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
FizZaShYkh
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability Management
Ivanti
 
Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...
John Gilligan
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Knoldus Inc.
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationShritam Bhowmick
 
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Tripwire
 
Continual Monitoring
Continual MonitoringContinual Monitoring
Continual MonitoringTripwire
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
ssuser50c54b
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
Nicholas Davis
 

Similar to Solving the CIO’s Cybersecurity Dilemma (20)

Cybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesCybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best Practices
 
Implementing Continuous Monitoring
Implementing Continuous MonitoringImplementing Continuous Monitoring
Implementing Continuous Monitoring
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Building Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsBuilding Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & Metrics
 
Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed Actions
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability Management
 
Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...Federal Risk and Authorization Management Program: Assessment and Recommendat...
Federal Risk and Authorization Management Program: Assessment and Recommendat...
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
 
Continual Monitoring
Continual MonitoringContinual Monitoring
Continual Monitoring
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 

More from John Gilligan

Understanding Technology Stakeholders
Understanding Technology StakeholdersUnderstanding Technology Stakeholders
Understanding Technology Stakeholders
John Gilligan
 
Automating Enterprise IT Management
Automating Enterprise IT ManagementAutomating Enterprise IT Management
Automating Enterprise IT Management
John Gilligan
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and Future
John Gilligan
 
Ensuring Effective Security The CIOs Dilemma 11 17 08
Ensuring Effective Security The CIOs Dilemma 11 17 08Ensuring Effective Security The CIOs Dilemma 11 17 08
Ensuring Effective Security The CIOs Dilemma 11 17 08
John Gilligan
 
Cyber Security - the 21st Century Domain
Cyber Security - the 21st Century DomainCyber Security - the 21st Century Domain
Cyber Security - the 21st Century Domain
John Gilligan
 
Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008
John Gilligan
 
Security In The Supply Chain
Security In The Supply ChainSecurity In The Supply Chain
Security In The Supply Chain
John Gilligan
 

More from John Gilligan (7)

Understanding Technology Stakeholders
Understanding Technology StakeholdersUnderstanding Technology Stakeholders
Understanding Technology Stakeholders
 
Automating Enterprise IT Management
Automating Enterprise IT ManagementAutomating Enterprise IT Management
Automating Enterprise IT Management
 
Cyber Security: Past and Future
Cyber Security: Past and FutureCyber Security: Past and Future
Cyber Security: Past and Future
 
Ensuring Effective Security The CIOs Dilemma 11 17 08
Ensuring Effective Security The CIOs Dilemma 11 17 08Ensuring Effective Security The CIOs Dilemma 11 17 08
Ensuring Effective Security The CIOs Dilemma 11 17 08
 
Cyber Security - the 21st Century Domain
Cyber Security - the 21st Century DomainCyber Security - the 21st Century Domain
Cyber Security - the 21st Century Domain
 
Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008Consensus Audit Guidelines 2008
Consensus Audit Guidelines 2008
 
Security In The Supply Chain
Security In The Supply ChainSecurity In The Supply Chain
Security In The Supply Chain
 

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 

Solving the CIO’s Cybersecurity Dilemma

  • 1. Solving the CIO’s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense John M. Gilligan www.gilligangroupinc.com National Summit on Planning and Implementing the 20 Critical Controls November 12, 2009
  • 2. Topics • Background • Philosophy and Approach for the “20 Critical Controls” • Control Examples and List of Controls • Relationship of 20 Critical Controls to FISMA • Recommendations • Final thoughts 2
  • 3. A CIO’s Environment • We are in a cyber “war” and are losing badly! • The IT industry has produced an inherently unsecure environment—total is security not achievable • CIO mandates exceed time and resources available • Cyber security is an enormously complex challenge—there are very few true experts It is time for CIOs and CISOs to focus on ways to make real and measurable improvements in security 3
  • 4. The Challenge • CIOs/CISOs can lead global change • In the near-term, we must focus and measure progress • Automation of security control implementation and continuous assessment is essential • A well managed system is a harder target to attack and costs less to operate 4 CIOs/CISOs must take the lead in fighting the cyber war
  • 5. FISMA Was Well Intended; What is Not Working?? • Original intent was good: – Ensure effective controls – Improve oversight of security programs – Provide for independent evaluation • Implementation took us off course – Agencies unable to adequately assess cyber risks – (Lots of) NIST “guidance” became mandatory – No auditable basis for independent evaluation – Grading became overly focused on paperwork 5 Bottom Line: OMB mandates and paperwork debates has distracted CIOs/CISOs from achieving real security improvements
  • 6. Analogy of Current Cybersecurity Approach • An ambulance shows up at a hospital emergency room with a bleeding patient • Hospital takes a detailed medical history, gives inoculations for seasonal flu, swine flu, tetanus, shingles, and vaccination updates • Hospital tests for communicable diseases, high blood pressure, sends blood sample for cholesterol check, gives eye exam, checks hearing, etc. • At some point, a nurse’s aid` inquires about the red fluid on the floor 6 Implementation of FISMA has Resulted in a Checklist Approach: Not A Focus on Biggest Cyber Threats/Risks!
  • 7. Meanwhile, the patient is bleeding to death!! 7 We Need Cybersecurity Triage— Not Comprehensive Medical Care
  • 8. An “Aha” Moment! • Scene: 2002 briefing by NSA regarding latest penetration assessment of DoD systems • Objective: Embarrass DoD CIOs for failure to provide adequate security. • Subplot: If CIOs patch/fix current avenues of penetration, NSA would likely find others • Realization: Let’s use NSA’s offensive capabilities to guide security investments 8 Let “Offense Inform Defense”!
  • 9. “20 Critical Controls”: The Philosophy • Assess cyber attacks to inform cyber defense – focus on high risk technical areas first • Ensure that security investments are focused to counter highest threats — pick a subset • Maximize use of automation to enforce security controls — negate human errors • Define metrics for critical controls • Use consensus process to collect best ideas 9 Focus investments by letting cyber offense inform defense
  • 10. Approach for developing 20 Critical Controls • NSA “Offensive Guys” • NSA “Defensive Guys” • DoD Cyber Crime Center (DC3) • US-CERT (plus 3 agencies that were hit hard) • Top Commercial Pen Testers • Top Commercial Forensics Teams • JTF-GNO • AFOSI • Army Research Laboratory • DoE National Laboratories • FBI and IC-JTF 10  Identify top attacks—the critical risk areas  Prioritize controls to match successful attacks—mitigate critical risks  Identify automation/verification methods and measures  Engage CIOs, CISOs, Auditors, and oversight organizations  Coordinate with Congress regarding FISMA updates  Engage the best security experts:
  • 11. Top 20 Attack Patterns—the biggest risks* 1. Scan for unprotected systems on networks 2. Scan for vulnerable versions of software 3. Scan for software with weak configurations 4. Scan for network devices with exploitable vulnerabilities 5. Attack boundary devices 6. Attack without being detected and maintain long-term access due to weak audit logs 7. Attack web-based or other application software 8. Gain administrator privileges to control target machines 9. Gain access to sensitive data that is not adequately protected 10. Exploit newly discovered and un-patched vulnerabilities 11. Exploit inactive user accounts 12. Implement malware attacks 13. Exploit poorly configured network services 14. Exploit weak security of wireless devices 15. Steal sensitive data 16. Map networks looking for vulnerabilities 17. Attack networks and systems by exploiting vulnerabilities undiscovered by target system personnel 18. Attack systems or organizations that have no or poor attack response 19. Change system configurations and/or data so that organization cannot restore it properly 20. Exploit poorly trained or poorly skilled employees 11 * Developed as a part of developing 20 Critical Controls and not in priority order
  • 12. Example--Critical Control #1 Inventory of Authorized and Unauthorized Devices • Attacker Exploit: Scan for new, unprotected systems • Control: – Quick Win: Automated asset inventory discovery tool – Visibility/Attribution: On line asset inventory of devices with net address, machine name, purpose, owner – Configuration/Hygiene: Develop inventory of information assets (incl. critical information and map to hardware devices) • Associated NIST SP 800-53 Rev 3 Priority 1 Controls: – CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6 • Automated Support: Employ products available for asset inventories, inventory changes, network scanning against known configurations • Evaluation: Connect fully patched and hardened test machines to measure response from tools and staff. Control identifies and isolate new systems (Min--24 hours; best practice--less than 5 minutes) 12
  • 13. Example--Critical Control #3 Secure Configurations for Hardware and Software on Laptops, Workstations and Servers • Attacker Exploit: Automated search for improperly configured systems • Control: – QW: Define controlled standard images that are hardened versions – QW: Negotiate contracts for secure images “out of the box” – Config/Hygiene: Tools enforce configurations; executive metrics with trends for systems meeting configuration guidelines • Associated NIST SP 800-53 Rev 3 Priority 1 Controls: – CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6 • Automated Support: Employ SCAP compliant tools to monitor/validate HW/SW/Network configurations • Evaluation: Introduce improperly configured system to test response times/actions (Minimum--24 hours; best practice--less than 5 min) 13
  • 14. 20 Critical Controls for Effective Cyber Defense (1 of 2) Critical Controls Subject to Automated Collection, Measurement, and Validation: 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 5. Boundary Defense 6. Maintenance, Monitoring, and Analysis of Security Audit Logs 7. Application Software Security 8. Controlled Use of Administrative Privileges 9. Controlled Access Based on Need to Know 10. Continuous Vulnerability Assessment and Remediation 11. Account Monitoring and Control 12. Malware Defenses 13. Limitation and Control of Network Ports, Protocols, and Services 14. Wireless Device Control 15. Data Loss Prevention 14
  • 15. 20 Critical Controls for Effective Cyber Defense (2 of 2) Additional Critical Controls (partially supported by automated measurement and validation): 16. Secure Network Engineering 17. Penetration Tests and Red Team Exercises 18. Incident Response Capability 19. Data Recovery Capability 20. Security Skills Assessment and Appropriate Training to Fill Gaps 15 Federal CIO Observation: The 20 Critical Controls are nothing new; they are recognized elements of a well managed enterprise
  • 16. Complying with FISMA and NIST Guidelines • FISMA – Implement security protection commensurate with risk – Develop and maintain minimum controls – Selection of specific security solutions left to agencies – Ensure independent testing and evaluation of controls • NIST Guidelines – Use risk assessment to categorize systems – Select controls based on risk – Assess security controls 16
  • 17. Relevance of 20 Critical Controls to FISMA and NIST Guidelines FISMA and NIST 1. Assess cyber security risk in an organization 2. Implement security based on risk 3. Select controls from NIST SP 800-53 to mitigate risk areas 4. Objectively evaluate control effectiveness 20 Critical Controls 1. Based on government-wide (shared) risk assessment 2. Controls address top cyber risks 3. 20 Critical Controls are subset of 800-53 Priority 1 controls 4. Use automated tools and periodic evaluations to provide continuous monitoring 17 20 Critical Controls are designed to help agencies comply with FISMA and NIST guidance!
  • 18. 20 Critical Controls—Implementation Recommendations Step 1: Accept CAG consensus threats as risk baseline for your organization Step 2: Implement 20 Critical Controls Step 3: Use organization specific risk assessment to select and implement additional controls from 800-53 – Focus on unique, mission critical capabilities and data Step 4: Use automated tools and periodic evaluations to continuously measure compliance (demonstrate risk reduction) Step 5: Partner with senior management and auditors to motivate compliance improvement – Use examples and lessons learned from State Dept. and others 18
  • 19. Final Thoughts • CIOs must lead global change • In the near-term CIOs/CISOs must focus and measure • Automation of security control implementation and continuous assessment is essential • A well managed system is a harder target to attack and costs less to operate – the ultimate “no brainer” for a CIO 19 It is all about leadership. We need to stop the bleeding—Now!
  • 20. Contact Information 20 John M. Gilligan jgilligan@gilligangroupinc.com 703-503-3232 www.gilligangroupinc.com
  • 21. FISMA Original Intent • Framework to ensure effective information security controls • Recognize impact of highly networked environment • Provide for development and maintenance of minimum controls • Improved oversight of agency information security programs • Acknowledge potential of COTS capabilities • Selection of specific technical hardware and software information security solutions left to agencies • Provide independent evaluation of security program 21 However: FISMA has evolved to “grading” agencies based largely on secondary artifacts
  • 22. 22 NIST Guidance: 1200 pages of FIPS Pubs, Special Pubs, Security Bulletins, etc.