Cyber Information Sharing - Federal Business Council, Inc.
Renault Ross, CISSP, MCSE, CHSS, VCP5, Chief Cybersecurity Business Strategist
Ian Schmertzler, President
Cyber Information Sharing
Know Your Team Under Pressure
Trust Your Eyes
Know the Supply Chain
Have Secondary Comms
Do it Right, Make it Here
FIREWALL / ENDPOINT / SERVER / GATEWAY
• Email metadata • Source email server identity • Web connection history • Inbound attachments • Outbound attachments
• Administrative activity • Network connections • Successful / failed logins • Sensitive docs accessed • Compliance status
• Security settings changes • Network connections • Successful / failed logins • Sensitive docs accessed • Process behaviors
• Inbound network traffic • Outbound network traffic • Protocol tunneling activity • Administrative activity • Inbound network traffic
BETTER PROTECTION + REMEDIATION
GLOBALLY INFORMED SOLUTION SETTINGS
BENCHMARKING ACROSS PEERS
INDUSTRY‐TARGETED ATTACK CAMPAIGNS
ENDLESS USE CASES
COLLECT
TOMORROW
TODAY
PARTNER
BUILD/ACQUIRE
INTERACTIVE ANALYTICS
UNIFIED INCIDENT MGMT.
RISK ANALYSIS
INCIDENT INVESTIGATION
APP EXCHANGE
SOCIAL PLATFORM
Top Rated
C&C Detector (Nova Software)
Load Look (Level2 Studio)
Target Sweep (GO Getit EX)
Remotecontrol (Elipse Strategy)
Termin8er (Supercoil Software)
Secure Check (Supercoil Software)
Information Sharing APP Exchange
Recently Viewed
Top Rated
New Releases
By Industry
Joe Admin – InfoSec Admin, Company 1
APPS
Developer Tool Package
Q&A
Database
Developer Zone
By Category
Logged In
Secure App News
17Sep2014 “Load Look” by Level2 Studio advances to the next level of protection.
17Sep2014 10 new compliance apps added.
16Sep2014 Nova Software contributes robust C&C Detection tool.
16Sep2014 Supercoil Software enhances security prioritization and checklist features.
News Archive >>
Message Board
1h Check out our latest development utilizing aggregated risk analysis tolerance feedback – Super Coil Software
1D Dashboard elite is not all it’s cracked up to be, we’ve hit snags with the custom navigation integration module. – Joe
FREE TRIAL
Upcoming Events
Trending
Information Sharing Social Platform
Update My Status
Joe Admin
Groups
Interests
Contacts
Recommended
We are seeing a lot of instances of foo.exe on our endpoints. Where is it coming from?
POST All
Lisa Andrews Manufacturing CISOs Verified
Yes. I saw it a few weeks ago. Seems to be related to the earlier attack. I’ll ask Dave to send you a source IP we have associated with that executable.
2 hours ago
Dave Admin Manufacturing Admin Verified
Hi Joe, we have traced the origin of foo.exe to the following IP: 172.16.254.1
1 hour ago
Joe Admin – InfoSec Admin, Company 1
Logged In
Joe Admin Software Developer Verified
We are seeing a lot of instances of foo.exe on our endpoints. Where is it coming from?
3 hours ago
Source: 172.16.254.1
Type: IP Address
Origin: Unknown
Forensic results:
• Connection from SAM_WIN8/SPY.EXE to 172.16.254.1 at 6:18:08 pm on 10/6/14
• File TED_WIN7/BOT.EXE retrieved from 172.16.254.1 at 8:20:10 am on 10/24/14
• Connection from SALLY_ANDROID_1 to 172.16.254.1 at 4:24:08 pm on 11/6/14
STARTING POINT…CSF NIST ADOPTION
Copyright © 2017 Symantec Corporation
Functions
• ID (Identify): What assets need protection?
• PR (Protect): What safeguards are available?
• DE (Detect): What techniques can identify incidents?
• RS (Respond): What techniques can contain impacts of incidents?
• RC (Recover): What techniques can restore capabilities?
Core
CSF FUNCTIONS – BUILD PROFILE
UNDERSTAND YOUR MATURITY: SELF ASSESSMENT LED
IDENTIFY
• ID.AM Asset Mgt.
• ID.BE Organization
• ID.GV Governance
• ID.RA Risk Assessment
• ID.RM Risk Strategy Mgt
PROTECT
• PR.AC Access Control
• PR.AT Awareness Training
• PR.DS Data Security
• PR.IP Info Processes & Procedures
DETECT
• DE.AE Anomalies & Events
• DE.CM Continuous Monitoring
• DE.DP Detection Processes
RESPOND
• RS.RP Response Planning
• RS.CO Response Communications
• RS.AN Response Analysis
• RS.MI Response Mitigation
• RS.IM Response Improvements
RECOVER
• RC.RP Recovery Planning
• RC.IM Recovery Improvements
• RC.CO Recovery Communications
Not At All Planned Partially Mostly In Place Optimized
WHERE AM I
Fxn. ID, Cat. ID.AM
Sub.: ID.AM‐1, ID.AM‐2, ID.AM‐3, ID.AM‐4, ID.AM‐5, ID.AM‐6
Current Profile: Tier 1, Tier 1, Tier 2, Unused, Tier 4, Tier 3
Target Profile: Tier 2, Unused, Tier 4, Tier 3, Tier 4, Tier 4
Enables a prioritized action plan
Function: Respond (RS)
Category: Response Planning (RS.RP)
Subcategory: RS.RP‐1: Response plan is executed during or after an event
Informative References:
• COBIT 5 BAI01.10
• CCS CSC 18
• ISA 62443‐2‐1:2009 4.3.4.5.1
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800‐53 Rev. 4 CP‐2, CP‐10, IR‐4, IR‐8
Core
HOW CAN I ALIGN WITH BEST PRACTICES
Core
INFORMATIVE REFERENCES
ENTERPRISE TOOLKIT: A Mature Compliance and Security Model
Business Strategy and Governance driving Security Operations
Strategic / Tactical
Diagram layers: Governance (security, privacy, compliance); Business Strategy and Governance; On‐Going Compliance and Security Operations; Information Protection; Infrastructure Management; Infrastructure Protection
Diagram bullets:
• Information Risk Management & Reporting
• Security Policies and procedures
• Awareness and Training
• Security Team Structure, Roles & Responsibilities
• Digital Trust
• High Assurance
• Identity Management
• Authentication
• Data Loss Controls
• Data Classification
• Encryption
• Electronic Discovery
• Configuration & Patch Management
• Sys Integrity & Lockdown
• Inventory & Asset Management
• Mobility & Wireless
• Logging & Monitoring
• Malicious Code Protection
• Security Intelligence
• Secure Network Design
• Network Perimeter Security
Toolkit labels: GRC Policy, GRC Standards & UA, GRC Dashboards, ENC, 2FA, PKI, CASB, Mobile, EPM, LOA3, Secure Info Access, DLP, HIPS, PEN Test, EDR, MSSP, IR Retainer, ATP