How the 20 Critical Controls Address Real Threats
DESCRIPTION
In this exclusive webinar, Tony Sager – Chief Technologist of the Council on CyberSecurity – discussed how organizations can implement a third-party-validated, authoritative framework called the 20 Critical Security Controls to prioritize their efforts and make security practical, effective and aligned to the business. Dwayne Melançon, Tripwire’s CTO, joined Sager as the webinar moderator. In this webcast, we:
- Discussed how to translate security information into specific and scalable action
- Described the remediation plan for the controls, starting with the Top 5
- Discussed how the Council on CyberSecurity uses a community approach to this translation problem to create and sustain the Critical Security Controls
- Discussed how the community will help advise and support your risk management efforts with a formalized framework
The full recording of the webcast that accompanies this slide deck is available here: http://www.tripwire.com/register/how-the-20-controls-address-real-threats/
TRANSCRIPT
How The 20 Controls Address Real Threats
WITH TONY SAGER AND DWAYNE MELANÇON
Today’s Presenters
Tony Sager, Chief Technologist, the Council on CyberSecurity
Dwayne Melançon, CTO, Tripwire
How the 20 Critical Controls Address Real Threats
Tony Sager, Chief Technologist, the Council on CyberSecurity
Classic Risk Equation
Risk = { Vulnerability, Threat, Consequence }
countermeasures
The Security “Fog of More”
standards
SDL
supply-chain security
security bulletins
user awareness training
browser isolation
two-factor authentication
encryption
incident response
security controls
threat intelligence
whitelisting
need-to-know
SIEM
virtualization
sandbox
compliance
maturity model
anti-malware
penetration testing
audit logs
baseline configuration
risk management framework
continuous monitoring
DLP
threat feed
certification
assessment
best practice
governance
The Defender’s Challenges
Who can I trust to help me sort through this? – “…cut through the fog…”
How do I get a more complete picture? – “…extend my information ‘reach’…”
What does the data tell me I should do? – “…translate into prioritized action…”
When will I know if something relevant changes? – “…the variables in Risk change constantly…”
How can I do the right thing – and then prove it?!?
The Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware, Software on Laptops, Workstations, Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Mobile Device Control
8) Data Recovery Capability
9) Security Skills Assessment, Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
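Controls 1 and 2 only become actionable when the approved inventory is regularly reconciled against what is actually seen on the network. The following is an added example (not code from the webinar, the Council, or Tripwire) that performs that reconciliation; the inventory and scan record formats, hostnames, MAC addresses and package names are all constructed for illustration.

```python
"""Reconciliation for CSC 1 and CSC 2: authorized vs. unauthorized devices and
software. Added example, not code from the webinar or Tripwire; the inventory
and scan record formats are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # unauthorized_device | unauthorized_software | missing_device
    host: str    # MAC address for device findings, hostname for software findings
    detail: str  # IP seen, package name, or hostname of the missing device


# Constructed authorized inventory: MAC -> approved hostname and software allow-list.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"host": "web01", "software": {"nginx", "openssh"}},
    "aa:bb:cc:00:00:02": {"host": "db01", "software": {"postgresql", "openssh"}},
}
# Constructed discovery scan: one record per device that answered the scan.
DISCOVERED = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.0.0.11", "software": ["nginx", "openssh", "netcat"]},
    {"mac": "aa:bb:cc:00:00:99", "ip": "10.0.0.77", "software": []},
]


def reconcile(authorized: dict, discovered: list) -> list:
    """Compare a discovery scan with the approved inventory and return findings."""
    approved = {mac.lower(): entry for mac, entry in authorized.items()}
    findings, seen = [], set()
    for rec in discovered:
        mac = rec["mac"].lower()
        seen.add(mac)
        entry = approved.get(mac)
        if entry is None:
            # On the network but never approved: a CSC 1 finding.
            findings.append(Finding("unauthorized_device", mac, rec["ip"]))
            continue
        # Installed on an approved host but not on its allow-list: a CSC 2 finding.
        for pkg in sorted(set(rec.get("software", [])) - entry["software"]):
            findings.append(Finding("unauthorized_software", entry["host"], pkg))
    # Approved devices that did not answer may be offline, decommissioned or stolen.
    for mac, entry in approved.items():
        if mac not in seen:
            findings.append(Finding("missing_device", mac, entry["host"]))
    return findings


if __name__ == "__main__":
    for f in reconcile(AUTHORIZED, DISCOVERED):
        print(f"{f.kind:22} {f.host:20} {f.detail}")
```

Each finding maps to a remediation step in the control: quarantine or approve the unknown device, remove or approve the package, and account for the host that went silent.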
Evolving a Threat Model for the Critical Security Controls
• Gather friends that I trust
  • and guide to consensus
• Add thousands of friends
  • and repeat
• Translate/map from an authoritative source of data
  • Verizon DBIR 2013, 2014
• Add numerous sources of data
  • Standardize language, workflow
• Align with Risk Management Frameworks, models
  • Building a “Community Threat Model”
Why a Community Threat Model?
• Extend our information reach
  • “volume, velocity, variety”
• Most Enterprises can’t do it on their own
  • or cannot do it more than once
• And even if you could, does that make sense…
  • in a dynamic, connected world?
  • where trust and risk are dynamic, and must be negotiated?
The Council on CyberSecurity
Website: www.counciloncybersecurity.org
Email: [email protected]
Twitter: @CouncilonCyber
Facebook: Council on CyberSecurity
Critical Security Controls Close The Threat Gap
DWAYNE MELANÇON, CISA
CHIEF TECHNOLOGY OFFICER
Enterprise Threat Gap
Detection Gap: time between actual breach and discovery. “Have we been breached?”
Remediation Gap: time between discovery and remediation to limit damage. “How bad is it?”
Prevention Gap: time to put preventative measures in place to avoid repeated attacks. “Can we avoid this happening again?”
Critical Security Controls: Tripwire solution support for the 20 Critical Security Controls (CSC), with NSA rank
Control | NSA Rank
CSC1 Inventory H/W Assets, Criticality, and Location | Very High
CSC2 Inventory S/W Assets, Criticality, and Location | Very High
CSC3 Secure Configuration Servers | Very High
CSC4 Vulnerability Assessment and Remediation | Very High
CSC5 Malware Protection | High/Medium
CSC6 Application Security | High
CSC7 Wireless Device Control | High
CSC8 Data Recovery | Medium
CSC9 Security Skills Assessment | Medium
CSC10 Secure Config-Network | High/Medium
CSC11 Limit and Control Network Ports, Protocols, and Services | High/Medium
CSC12 Control Admin Privileges | High/Medium
CSC13 Boundary Defense | High/Medium
CSC14 Maintain, Monitor, and Analyze Audit Logs | Medium
CSC15 “Need-to-Know” Access | Medium
CSC16 Account Monitoring and Control | Medium
CSC17 Data Loss Prevention | Medium/Low
CSC18 Incident Response | Medium
CSC19 Secure Network Engineering (secure coding) | Low
CSC20 Penetration Testing and Red Team Exercises | Low
Tripwire Platform for Advanced Threat Protection: Closing the Security Threat Gap
Tripwire Vulnerability Management
Tripwire Security Configuration Management
Tripwire Log Intelligence
Tripwire System State Intelligence: Asset Discovery & Profiling; Good & Bad Change; Who & When; Business Context & Priority; Vulnerability & Risk; Configuration Strength & Context; Targeted Attack Detection; State History
Tripwire Reporting & Analytics
Attack Surface Reduction; APT / MPS; SIEM; Big Data/Security Analytics; Threat Intelligence
Reduce Threat Gap Cycle Time
Tripwire: Reducing The Enterprise Threat Gap
Threat Prevention Gap: Discover & profile all IT infrastructure. Minimize vulnerabilities and harden configurations to reduce threat surface.
Threat Detection Gap: Real-time detection of suspicious behavior. Forward events of interest to focus and enrich analysis & correlation.
Threat Response Gap: Prioritize based on business context. Identify compromise by comparison against baseline. Support forensic & incident response.
tripwire.com | @TripwireInc
Q & A
TONY SAGER
DWAYNE MELANÇON
THANK YOU