This presentation was given at CampIT. It motivated the need for a high level of maturity of the enterprise security program, by striving for cyber resiliency.

1. John D. Johnson
CEO/Founder Aligned Security

2. John D. Johnson, Ph.D., CISSP, CRISC
www.johndjohnson.com
@johndjohnson

3. The journey begins…
•Where are we and how did we get here?
•Where are we going?
•Why are we going there?
•What will it take to get there?
•Are we there yet?
•Why aren’t we stopping?
“I’m going
on an
adventure!”

4. Defining Resilience

5. Cyber Resilience
Capability
Maturity
Enterprise
Risk
Mgmt
Corporate
Culture
*As I view it…
• Basic Hygiene
• Compliance and Audit Process
• Risk Based Security Management
• Anchor to Standards Frameworks
• Threat Assessment & Modeling
• Threat Intelligence
• Information Sharing
• Use Layered Security to Address
Gaps – People/Process/Tools
• Assess Effectiveness/Efficacy of
Controls with Meaningful Metrics
• Integrate with Enterprise
Risk Council
• Utilize Consistent
Methodology and
Taxonomy
• Communicate Risk
Effectively to Stakeholders
• Develop Cyber Response
& Recovery Playbooks
• Build Security Aware
Culture
• Security Seen as
Change Agent
• Security Enables
Business Value at Risk
(VaR)
Goal: Prevent or respond
quickly to reduce the impact
and duration of threat events
to your organization, and
through preparation, restore
normal business operations
sooner.

6. Source:http://info.resilientsystems.com/ponemon-institute-study-the-2016-cyber-
resilient-organization

7. Source:http://info.resilientsystems.com/ponemon-institute-study-the-2016-cyber-
resilient-organization

9. There was a time when nobody worried
about security…

10. In the early days, we had security
through obscurity.

11. Defending The Castle
In the 1990s we implemented a castle defense
to keep out the bad guys.

12. The Castle Model of Defense
• What is the advantage of a castle?
• The castle is built on high ground
• The castle has visibility to see enemies approaching far away
• The castle has thick, impervious walls
• Guards watch everyone coming and going
• It is very difficult and expensive for enemies to breach a castle
• Why is our enterprise not a castle?
• The Internet has no high ground
• We don’t have good visibility to threats
• We have lots of holes in our walls
• We don’t inspect all the traffic coming and going
• A castle is not resilient. It takes a long time to rebuild a wall after it gets hit by a catapult.
• The Asymmetric Problem: It is expensive to defend, but the adversary only needs to find one
hole to breach the enterprise

14. Different Stakeholders Want to Use
Technology Differently
• Different Employee Segments
• Business Partners
• Customers
• Dealers / Resellers
• Business Leaders

15. Technology as a Business Advantage
Risk Opportunity

18. Source: https://www.trystenergy.com/blog/

21. Cybersecurity Spending in U.S. (%GDP)

22. Rise in Data Breaches
Source: https://www.bluefin.com/bluefin-news/continued-rise-data-breaches-start-going-2017/

23. Source:
http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-2016-Gemalto-1500.jpg

24. Source:
http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-2016-Gemalto-1500.jpg

25. Source:
http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-2016-Gemalto-1500.jpg

27. Source: https://cybersec.buzz/the-bakerhostetler-2017-data-security-incident-response-report/

28. Great opportunities, but are our IT staff ready to secure
products, IoT, ICS, OT?
Product Security

29. Physical and Cyber Infrastructure are Reliant on Each Other for Resiliency
29
Source: DHS, "Securing the Nation’s Critical Cyber Infrastructure

30. “There is a massive lack of security awareness in
the industrial control systems community.”

32. Threat Actors
Source: Carbon Black

33. Threat Actors
Source: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

34. Threat Capabilities - 2010
Source: Invincea
Sophistication

35. Threat Capabilities - Today
Source: Invincea
Sophistication

36. Top Global Risks for 2017
Risk 2017 Rating 2016 Rating
Economic Conditions 6.61 5.83
Regulatory Changes and Scrutiny 6.51 6.06
Cyberthreats 5.91 5.80
Speed of Disruptive Innovation 5.88 5.48
Privacy or Identity Management & Information Security 5.87 5.55
Succession Challenges, Ability to Attract and Retain Talent 5.76 5.63
Global Market and Currency Volatility 5.67 5.33
Organizational Culture Hindering Escalation of Risk Issues 5.66 5.30
Resistance to Change Operations 5.63 5.40
Sustaining Customer Loyalty and Retention 5.62 5.28
Source: http://www.journalofaccountancy.com/news/2016/dec/top-business-risks-for-2017-201615723.html

37. The Situation Today
We cannot enable
business
transformation
if we are still trying to
defend a castle.
We need to mature our
capabilities and
strive for cyber
resiliency.
The Perimeter is Evolving
The Volume and Sophistication of
Attacks is Rapidly Increasing
Global Regulatory Changes
Variety and Use of
Technology

39. Maturing Capabilities

40. Capability Maturity
As the security program matures, more fundamental pieces will be in place to support
advanced toolsets and capabilities necessary to protect against more advanced threats,
respond faster to attacks and recover. The pace of threats, regulatory change and
advancing technology require maturity and resiliency.
Informal
1
Planned &
Tracked
2
Well Defined
3
Quantitatively
Controlled
4
Continuously
Improving
5
Improved ability to anticipate, execute & respond quickly/effectively
N.B. – Ponemon Self-Assessment ranges from -2 to +2
Basic
Hygiene
Resilient
Siloed
Top-Down
Pervasive

41. Anchor Cybersecurity Program Using
Standard Frameworks
* NIST Cybersecurity Framework

42. Cybersecurity Domains
Source: Henry Jiang, https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp

48. Basic Hygiene
We start with ”Basic Hygiene”, such as CIS Top 20 Critical Security Controls.
Source: https://learn.cisecurity.org/20-controls-download

49. Baseline Configurations
CIS also has baseline security configurations for systems and software. This allows you to set a
security baseline (with documented variances) which maps back to a framework (NIST CSF) –
good security based on industry standards which you can audit against using automation.
• OS Platforms: Linux, Novell, Unix, MS Windows, Apple Mac OS
• Amazon AWS (Hardened virtual images in EC2)
• Browsers: Chrome, Firefox, MS IE, Opera, Safari
• Microsoft Office, SharePoint, MS Exchange, Apache, IIS
• Mobile Device Platform OS: Apple iOS, Android
• Network Devices: Cisco Devices, Juniper, Palo Alto, CheckPoint, Wireless Network Devices
• Multifunction Printers
• Databases: IBM DB2, MS SQL, Oracle MySQL, Oracle DB, Sybase
• Virtualization: Docker, VMware, Citrix Xen

50. Risk Based Security Management Roadmap
• Understand Current State
• Environment (assets (value/inventory/vulns/compliance…), networks, data, applications)
• Business knowledge (requirements, processes…)
• Regulatory environment
• Threats (std process for threat modeling/assessment)
• Capability maturity
• Determine Risk
• Prioritize Security Portfolio
• Business Alignment and Enablement
• Reduce Risk (Business will choose to Accept, Transfer or Mitigate)
• Build capabilities (maturity)
• Develop Metrics (operational  tactical  strategic)
• Measure effectiveness of controls at risk reduction
• Measure efficiency (are resources going where they add the most value?)
• Communicate Business Value
If everything is
protected equally,
nothing is protected
adequately.

51. A Cyber Risk Framework Improves Resiliency
Source: http://www3.weforum.org/docs/WEF_IT_PathwaysToGlobalCyberResilience_Report_2012.pdf

52. IT Risk Management Life Cycle
IT Risk
Identification
IT Risk
Assessment
Risk
Response &
Mitigation
Risk & Control
Monitoring &
Reporting
Source: COBIT

53. IT Risk in the Risk Hierarchy
Source: COBIT

54. BOARD-LEVEL RISK SECURITY PROGRAM ELEMENTS
Board Level Risk Categories Business Areas with Security-related Risk Security Program: Security Strategies/Mitigation
Financial
• Asset Management
• Accounting & Reporting
• Market Fluctuations
• Asset Protection
• Exceptions Management
• Violation Detection and Reporting
• Allegation of Manipulation Investigations
• Regulatory Inquiries
Business Continuity & Resiliency
• R&D and Manufacturing
• Logistics
• Environment & Safety
• Distribution
• Business Continuity
• Outsourcing
• Branding
• Information Safeguards and Intellectual Property Protection
• Disruption Detection
• Mitigation Management
• Emergency Response
• Disaster Recovery Plans
Reputation & Ethics
• Customer Relationship Data
• Community Relations
• Corporate Governance
• Privacy Policies & Compliance
• Law Enforcement & Liaison
• Regulatory Security Adherence
• Allegation Response
Human Capital
• Misconduct
• Environmental Hazards
• Turnover
• Employee Skills & Performance
• Compensation & Benefits
• Labor Union Issues
• Services
• Background Checks
• Awareness & Training
• Code of Conduct
• Drug Testing
• Benefits Loss Prevention
• Labor Disruption Planning
• Intellectual Property Protection
Information
• Intellectual Property
• Information & Privacy
• Networks
• Applications
• Hardware
• New Technologies
• Data Classification
• Intrusion Detection
• Authentication and Access Control
• Physical Access Controls
• Digital ID Management
Legal, Regulatory/Compliance & Liability
• Antitrust Violations
• Noncompliance
• Audits
• Accreditation
• Third-party Vendors
• Supply Chain
• Liability
• Litigation
• Partnerships & Service Providers
• Sales & Marketing
• Procurement
• Regulatory Controls
• Risk Assessment
• Security Programs Certification
• Partner Due Diligence
• Records Retention Policy
• Investigations
• Program Integrity
• Regulatory Compliance
• Vendor Contracts/Code of Ethics
New or Emerging Markets for Business
• Global/International
• Mergers & Acquisitions
• Competition
• Intelligence Analysis and Mitigation
• Country Business Risk Assessment
• Due Diligence Investigations
• Business Intelligence Gathering
• Information Safeguards
Physical/Premises & Product
• Partnerships
• Inventory & Products
• Unauthorized Access
• Warehouse Facility Protection
• Product Protection Program
• Property Protection Program
• Facility Access Policy
©Security Executive Council

55. Risk Identification Process
Identify Assets
Identify Threats
Identify Existing Controls
Identify Vulnerabilities
Identify Consequences
Risk
Estimation
Process
Feeds
Into
Source: COBIT

56. Control Category Interdependencies
Threat
Event
Detective
Control
Deterrent
Control
Threat
Compensating
Control
Vulnerability
Preventative
Control
Impact
Corrective
Control
Creates
Reduces
Likelihood
Of
Discovers
Reduces
Likelihood
Of
Triggers
Reduces
Protects
Exploits
Decreases
Results In
Source: COBIT

57. Calculate Risk
Source: http://www.fairinstitute.org

58. Risk Analysis (Example)

59. Risk Analysis and Response
Source: COBIT

60. Information Security Risk Management
Process
Establish
Context
Identify
Risk
Risk
Analysis
Risk
Evaluation
Risk
Treatment
Communication and Consultation
Monitoring and Review
Source: COBIT

62. Situational Awareness – Understanding the
Current State
• Can’t assess risk without knowledge; turn uncertainty into a risk
measurement (risk-based security management)
• Know the Enterprise: Assets, Data, Applications, Network, Identities…
• Know the Business: What is important, learn business processes
• Know the Enemy: A case for actionable Threat Intelligence
• Root Cause Analysis and Attribution can tell you where to focus (access to
historical and forensic data)

63. If you’ve ever travelled you are well aware
that most people have no situational
awareness!

64. Asset Vulnerabilities and Value
• Knowledge of posture gives vulnerability, and along with
understanding threats and value of resources, risk can be calculated
• Look for solutions that help you aggregate information from disparate
sources about assets (much different from SIEM):
• System configuration, patch levels and OS details
• Details about desktops, servers, cloud-hosted, BYOD, non-compliant
systems, OT systems and ICS
• Inventory of software and versions installed
• This is not the same as vulnerability scanning
• Centralizing this information is key – avoid delays from running to
various IT teams whenever you need to gather compliance/IR details

65. Cyber Risk Analysis: Threat Modeling
Target
•Data (DAR, DIM, DIU)
•Code/Software
•Services
•Databases
•Operating Systems
•Networks/Infrastructure
•Platforms/Hardware/Firmware
Threat
Vector
•Copy, Exfiltrate
•Modify, Corrupt
•Destroy, Denial of
Service
Threat
Source
• Insider
• Hacktivists
• Motivated Hobbyist
• Corporate Espionage
• Cybercriminals
• Nation State
Requirements
• Level of
knowledge
required
• Ability, Expertise
• Proximity required
• Access required
• Resources
required
• Time required
Motivations
• Money
• Ideology
• Coercion
• Ego
Risk can be mitigated; the threat landscape remains unchanged.
Threat Intel
• Industry Peer
Groups;
ISACs
• Threat Intel
Feeds
• Private/Public
Partnerships

66. Attack Chain Mapping and Threat Modeling
Recon Penetrate Co-Opt Conceal
Irreversible
Action

67. Risk Scenario Overview
Source: COBIT

68. Black Swan Events
• Can’t predict well – statistical methods, extrapolating from trend data
fails
• If you know:
• your organization – strengths and weaknesses
• which adversaries might want to attack you
• what those adversaries might want to accomplish
(money, ideology, disruption)
• what they would target
• their capabilities
• Then you can focus resources to make it costly for the adversaries
• And you can focus your resources at protecting what is at greatest
risk
• This applies to adversaries as well as natural disasters
Reference: US Cyberconsequences Unit, http://www.usccu.us

70. So why do we want security metrics?
• Are we being effective?
• Performance
• Controls/Processes
• Risk Management
• Are we efficient?
• Are we strategically aligned?
• Are we maturing our capabilities?
• Are we doing well compared to others?

71. Metrics Measure Effectiveness of Controls

72. Filling the Gaps with Layered Security
Once we have assessed our security risk and measured where we are effective/efficient,
we identify additional security layers to improve and mature our security program. This
involves People, Processes and Technology.
Risk can never be
eliminated, but it can be
mitigated. Layered
security is the most
effective way to do this.

74. Additional Risk Mitigation
Areas that need more focus in the future and emerging security
technologies to consider to provide cyber resiliency:
• Keys and Certificate Management
• Cloud Security Access Brokers & Cloud Proxies
• Solutions to help give you situational awareness, such as Endpoint
Inventory, Compliance, Vulnerability Management
• Improved Threat Intelligence (timely, detailed)
• Continuous Risk Profiling
(if you have Posture, Value and Threat Info = RISK)
• I suggest as technology improves and converges that you can have near real-
time view to quantitative and actionable enterprise risk
• There are vendors today that will give you an overall risk score that you can
compare to peers in your industry – not perfect but proven beneficial

75. Fog of War – Deception Technology
• Raise the bar for the adversary – Reduce adversary’s operating surface
and increase their economic cost
• Assume applications know what transactions are legitimate. By adding lots
of noise for adversaries it becomes hard to avoid false leads. No false
positives for incident response team.

76. AI and Machine Learning
• With the volume, velocity, variety and sophistication of attacks, it can be
very difficult for humans to sort through and triage events and incidents
• SIEM is a partial solution that requires a lot of up front work, as you are
typically looking for what you expect
• Tier I in the future will need to be AI, identifying patterns that are too fast or
too slow or fly under the radar for humans with eyes that are tired of
starting at a pane of glass
• Humans have an important role, but emerging technologies can help your
IR staff detect and respond to incidents quicker and better

77. Cyber Insurance
• Cyber insurance is one way to transfer risk
• Cyber insurance won’t absorb all the cost, but helps to reduce the impact
of a breach or incident
• Today, no two cyber insurers are the same
• Cyber insurers are motivated to help you become cyber resilient (they
don’t LIKE to pay out)
• Cyber insurance is a necessity these days, but don’t think it lets you off the
hook for not doing your due diligence

78. Training Security Staff
• Your security staff, and others in your organization (as you embed security
across the organization) will need appropriate training.
• Example: Can your IT staff really apply IP network security techniques to
secure OT or product?
• Training, mentoring and providing a career path is also key for attracting
and retaining the best
• Smaller organizations may not be able to support the number of experts
(or attract and retain) and should consider MSSP

79. Perform Exercises and Practice

80. Key Aspects of a Successful Awareness
Program
Security awareness should have:
• Executive sponsorship – walk the walk
• Targeted content and delivery methods depending on the audience
• Classroom, CBT, Teachable Moments, Easy to find Policies & Procedures
• Clearly articulated goals
• Metrics to measure program efficacy and success
• Metrics and surveys to ensure program improvements
• Content that emphasizes in a meaningful way, why security is an important
part of every employee’s job
• Understand the impact to the company and consequences of not following the rules
• Security solutions should be designed with the user experience in mind
• If the secure way is the easiest way, people are less likely to choose Shadow IT

81. Cyber Value at Risk (VaR)
• Classifying risks in broad terms such as “high,” “medium,” or “low” does not truly support effective
risk management decisions and resource allocation. The cyber value-at-risk (VaR) concept offers
firms a game-changing new approach.
• VaR both quantifies risk and expresses it in economic terms that can be understood by boards and
throughout the executive suite.
• VaR aggregates cyber risk with other operational risks in the enterprise risk management
framework.
• VAR approach will put CISOs in a much better position to offer objective answers to fundamental
questions from executives and the board, such as:
• What are our top cyber risks in terms of probability and severity?
• What impact will risk mitigation/transfer plans have on these risks?
• How large are our cyber risks compared to other enterprise risks?
• How might our business expansion plans increase our cyber risks?
• What are our most cost-effective risk management strategies?
Source: https://www.afponline.org/trends-topics/topics/articles/Details/cybersecurity-quantifying-value-at-risk/
Source: http://www.fairinstitute.org/blog/what-is-a-cyber-value-at-risk-model

82. Risk Communication Components
Effective IT
Risk
Communication
Expectation:
Strategies,
Policies,
Procedures,
Awareness,
Training, etc.
Capability:
Risk
Management
Process
Maturity
Status: Risk
Profile, Key
Risk
Indicators,
Loss Data,
etc.
Source: COBIT

83. Security Metrics for Management
• Find a way to add business value
• Meeting regulatory requirements
• Consolidation of tools, reduction of resources
• Demonstrate reduced costs by reduction in help desk cases
• Business leaders take the loss of IP seriously
• Have security seen as a business enabler. New technologies come with risks, but
they may also lead to new innovations and competitive advantage.
• Explain it in language business leaders understand
• Make presentations clear & concise
• Avoid IT jargon
• Provide the information executives need to make informed decisions
83

84. Where does the CISO report?
• The ability to communicate and be effective as a CISO can be hindered by
an inefficient organizational structure.
• Where does your CISO report? Most continue to report to the CIO,
although some organizations have a deeper hierarchy or dotted line
reporting.
• The key is for the CISO to have access across the business and up to the
executive level. This is important for breaking down siloes and improving
the cross-team effectiveness necessary.
• The CISO should have authority and a budget which will not be at the
mercy of IT budget planning and cuts. Because the value of security
measures may still be difficult to sell to IT management, less mature
organizations will see their security budgets cut, which may prevent them
from building the capabilities they need to be cyber resilient.

85. Security Leadership
• A more mature organization runs security “like a business” in a very
strategic and measured way, aligning with business objectives
• Metrics demonstrate that resources are going where there is greatest
risk/need
• Security leaders should lead by example
• Leadership is key to successfully achieving cyber resilience
• Learn to communicate well to various audiences/stakeholders
• The role of security is to express risk in the context of the business to
business leaders so they can make informed decisions

86. Building Cyber Resiliency

87. Key takeaways from a Forbes survey of 300 CIOs and
CISOs: Investing in Cyber Resilience
Source: http://media.cms.bmc.com/documents/Forbes_Insights_SecOps_Survey.pdf

88. With data breaches averaging $4 million, what are exec
priorities?
Source: http://media.cms.bmc.com/documents/Forbes_Insights_SecOps_Survey.pdf

89. What technologies do execs feel have biggest security
implications?
Source: http://media.cms.bmc.com/documents/Forbes_Insights_SecOps_Survey.pdf

90. Cyber Resilience Levers
McKinsey outlines 7 levers for achieving cyber resilience that
help integrate security into the overall business:
1. Prioritize information assets based on business risks
2. Provide differentiated protection for the most important assets
3. Integrate cybersecurity into enterprise-wide risk management and
governance processes
4. Enlist frontline personnel to protect the information assets they use
5. Integrate cybersecurity into the technology environment
6. Deploy active defenses to engage attackers
7. Test continuously to improve incident response across business
functions
Source: https://www.upguard.com/hubfs/UpGuard/ebooks/pdfs/eBook_itil-guide-cyber-resilience-UpGuard.pdf

91. Cyber Resilience Review (DHS)
• The Cyber Resilience Review (CRR)[1] is an assessment method developed
by the United States Department of Homeland Security (DHS).
• It is a voluntary examination of operational resilience and cyber
security practices offered at no cost by DHS to the operators of
critical infrastructure and state, local, tribal, and territorial
governments.
• The CRR comprises 42 goals and 141 specific practices extracted from the
CERT-RMM (Resilience Management Model) and organized in 10 domains):
• Asset Management
• Controls Management
• Configuration and Change Management
• Vulnerability Management
• Incident Management
• Service Continuity Management
• Risk Management
• External Dependency Management
• Training and Awareness
• Situational Awareness
[1] "Cyber Resilience Review Fact Sheet" (PDF). Retrieved 27 February 2015.

93. Barriers to Cyber Resilience
• Lack of enterprise awareness
• Poor communication
• Lack of leadership
• Too much focus on compliance and not enterprise risk
• Silo mentality
• Not having a balance of operational, tactical and strategic; cyber
resilience demands “whole system” approach
• Lack of new thinking for new problems
• Cyber resilience needs to be ingrained in your organizational culture

94. Summary
1. Anchor to standard frameworks
2. Perform basic hygiene
3. Implement risk-based security to prioritize your risk response
• Focus on high value/mission critical assets
4. Gain situational awareness (assets, data, access, identity…)
5. Model potential threats and risk scenarios (and Black Swans)
• Develop incident response plans involving preparedness, detection and recovery
• Consider the use of new security technology to mitigate risk from use of disruptive technologies
6. Make use of and understand limitations of Cyber Insurance
7. Invest in training and awareness to build culture of security (resilience)
8. Develop SMART and meaningful metrics
9. Develop CISO leadership and communication skills and consider new reporting
structures
10. Exchange information on threats and best practices with peers, vendors, business
partners & government

95. Instead of fighting the headwinds…

96. Change your tack and make them an advantage!
Cyber resilience is a journey, not a destination

97. Questions?
Contact:
John D. Johnson, Ph.D., CISSP, CRISC
www.johndjohnson.com
@johndjohnson