Operationalizing the CIS Top 20 Critical Security Controls · 2020-05-16
TRANSCRIPT
Page 1
Copyright © 2016 Splunk Inc.
Operationalizing the CIS “Top 20” Critical Security Controls with Splunk Enterprise
Anthony Perez – Security Architect, Splunk
Page 2
Roadmap for Today’s Session
▸ Framing our discussion
▸ The legacy challenge
▸ An approach for operationalization
▸ Impacts on security maturity
▸ Live Demonstration
Page 3
Framing our Discussion
Page 4
Organizational security should be viewed as a continuum versus an end-state
▸ Viewing security as a continuum positions organizations to focus on continuous improvement
§ “We can always improve something.”
▸ The security continuum concept can also drive introspection for organizations
§ “What is our security maturity today?”
▸ Introspection on an organization’s security maturity often feeds strategic thinking
§ “Let’s map out steps to raise our overall security maturity.”
Page 5
Regardless of where an organization exists on the security continuum, their foundation should be built upon best-practices
▸ Accepting that foundational security is built upon best practices – we still need to identify what best practices actually are
▸ Organizations also need to establish policies and procedures aimed at keeping their best-practices relevant as the threat landscape changes
▸ Beyond policies and procedures, organizations need to establish a plan for operationalization of these best practices as well
Page 6
The best-practices selected for that foundation should be rooted in the defense against current real-world threat activity
▸ The origins of the CIS controls map to a 2008 request from the Office of the Secretary of Defense to the NSA regarding help prioritizing the various controls available
§ This drove an “offense must inform defense” approach
▸ This approach persists in the CIS CSC
§ The CIS Controls are developed, refined, and validated by a community of leading experts from around the world
https://www.cisecurity.org/critical-controls.cfm
Key Insight: “The National Governors Association recommends that states turn to the Critical Security Controls for a baseline of effective cybersecurity practices…”
National Governors Association, Act and Adjust: A Call to Action for Governors for Cybersecurity, September 2013
Page 7
Key Insights:
§ The CIS controls are analogous to components of multiple US Federal information security frameworks such as FISMA, DFARS, and RMF
§ The Controls also map closely to Australian Signals Directorate “Top 4” and ISO/IEC 27001
Page 8
The Legacy Challenge
Page 9
Best practices security recommendations have been around for some time, but operationalization remains fractured
▸ Googling for ideas on where to begin with operationalization returns uniformly unhelpful results
“Use these 10 solutions to gain visibility”
“Run this scanner when you want to generate a report”
“Hire us to build you something from scratch”
“Leverage your legacy SIEM to get some of the way there”
Page 10
▸ Common comments/questions on operationalization include:
§ “This is such a big project, I have no idea where I should even start…”
§ “Why can’t I use my legacy SIEM?”
- Rigid (data source-specific) and conventional security data only
§ “What about ES?”
- Flexible, capable, but some organizations aren’t sized or structured to need ES for operations
Page 11
An Approach for Operationalization
Page 12
Three key ingredients are needed to effectively operationalize the CIS controls in your environment
▸ Data relevant to the controls
§ Device inventory
§ Software inventory
§ HW/SW configurations
§ Vulnerability scan results
§ Administrator activity
Key Insight: CIS states:
§ “Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent.”
§ “Implementing all 20 CIS Controls increases the risk reduction to around 94 percent”
https://www.cisecurity.org/critical-controls.cfm
Page 13
▸ Domain knowledge about your organization
§ System owners
§ Approved devices & software
Page 14
▸ Splunk Enterprise
Page 15
Combining these ingredients can drive “quick win” visibility into security posture relevant to the CIS controls
▸ Basic steps for operationalization include:
1. Ingest data relevant to the control categories into Splunk Enterprise
2. Ensure that data is compliant with Splunk’s Common Information Model (CIM)
3. Install the CIS Critical Security Controls app for Splunk
4. Update lookup files within the app based on domain knowledge about your organization
Page 16
What’s really making this possible on the backend?
▸ The Splunk Common Information Model (CIM)
§ The “Rosetta Stone” that provides data normalization
▸ CIM-compliant searches
§ Provide flexibility and vendor/data-agnostic visibility into the environment
▸ Splunk lookup files
§ Provide data enrichment – specifically relevant to your organization
▸ Open source Threat/IOC lists
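The four steps on page 15 and the "ingredients" on page 16 describe one pipeline: normalize vendor-specific records into common field names, then enrich them with lookup tables that hold your organization's domain knowledge (approved devices, approved software, system owners). The Python below is an added example written for this transcript; it is not code from the slides, from Splunk, or from the CIS Critical Security Controls app. It mimics that pipeline outside Splunk so the idea is visible end to end: two constructed raw formats (a DHCP syslog line and a JSON software-inventory record) are mapped onto common field names chosen to resemble CIM conventions (`dest`, `dest_ip`, `dest_mac`), then joined against constructed CSV lookups. The lookup column names and sample values are assumptions for illustration; the app's real lookup files are not shown on the page.

```python
"""Added example: CIM-style normalization plus lookup enrichment, outside Splunk.

Flags devices seen on the network that are absent from the approved-device
lookup (the spirit of CIS Control 1) and installed packages absent from the
approved-software lookup (the spirit of CIS Control 2). All data is constructed.
"""
import csv
import io
import json
import re

# Constructed raw events in two vendor-specific formats (not real logs).
DHCP_SYSLOG = [
    "Mar 04 10:12:01 dhcp01 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:00:11:22 (fin-laptop-07) via eth0",
    "Mar 04 10:13:45 dhcp01 dhcpd: DHCPACK on 10.0.1.99 to de:ad:be:ef:00:01 (unknown-pi) via eth0",
    "Mar 04 10:14:02 dhcp01 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",  # no lease, ignored
]
SOFTWARE_JSON = [
    '{"host": "fin-laptop-07", "package": "7-Zip", "version": "19.00"}',
    '{"host": "fin-laptop-07", "package": "TeamViewer", "version": "15.2"}',
]

# Constructed lookup tables standing in for the CSV lookups you maintain
# from domain knowledge (column names are assumptions for this example).
APPROVED_DEVICES_CSV = "dest_mac,dest,owner\naa:bb:cc:00:11:22,fin-laptop-07,finance-it\n"
APPROVED_SOFTWARE_CSV = "package\n7-Zip\nChrome\n"

DHCP_ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]+)\)"
)


def normalize_dhcp(line):
    """Map a DHCP lease line onto common field names; None if not a lease ACK."""
    m = DHCP_ACK_RE.search(line)
    if m is None:
        return None
    return {"dest_ip": m["ip"], "dest_mac": m["mac"], "dest": m["host"], "sourcetype": "dhcp"}


def normalize_software(line):
    """Map a JSON inventory record onto the same common field names."""
    rec = json.loads(line)
    return {"dest": rec["host"], "package": rec["package"],
            "version": rec["version"], "sourcetype": "software_inventory"}


def load_lookup(csv_text, key):
    """Read a CSV lookup into a dict keyed on one column (case-insensitive key)."""
    return {row[key].lower(): row for row in csv.DictReader(io.StringIO(csv_text))}


def unauthorized_devices(dhcp_lines, approved_csv):
    """Normalize leases, enrich with owner from the lookup, return the unmatched ones."""
    approved = load_lookup(approved_csv, "dest_mac")
    findings = []
    for line in dhcp_lines:
        event = normalize_dhcp(line)
        if event is None:
            continue
        match = approved.get(event["dest_mac"].lower())
        event["owner"] = match["owner"] if match else None  # enrichment field
        if match is None:
            findings.append(event)
    return findings


def unapproved_software(software_lines, approved_csv):
    """Return (dest, package) pairs for installed packages not in the lookup."""
    approved = load_lookup(approved_csv, "package")
    findings = []
    for line in software_lines:
        event = normalize_software(line)
        if event["package"].lower() not in approved:
            findings.append((event["dest"], event["package"]))
    return findings


if __name__ == "__main__":
    for ev in unauthorized_devices(DHCP_SYSLOG, APPROVED_DEVICES_CSV):
        print("unauthorized device:", ev["dest"], ev["dest_mac"], ev["dest_ip"])
    for host, pkg in unapproved_software(SOFTWARE_JSON, APPROVED_SOFTWARE_CSV):
        print("unapproved software:", host, pkg)
```

The point of the two `normalize_*` functions is the "Rosetta Stone" role the slide assigns to CIM: once every source agrees on `dest` and `dest_mac`, the enrichment and the finding logic are written once and do not care which vendor produced the record. Keeping the lookup keys case-insensitive matters in practice because MAC addresses and hostnames arrive in mixed case from different sources.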
Page 17
Impact on Security Maturity
Page 18
What impacts should organizations anticipate for their security maturity?
▸ Visibility:
§ Holistic visibility into your organization’s security posture with respect to best practices in near-time
▸ Flexibility:
§ Vendor/sourcetype-agnostic architecture (via CIM) builds in flexibility as your infrastructure and organization changes
▸ Efficiency:
§ Increased efficiencies from an operational perspective, freeing time for more value-add security activity
▸ Federal Relevance: The controls are analogous to components of multiple Federal security mandates such as FISMA, DFARS, and RMF
[Figure: security maturity spectrum, axis from Lowest to Highest Security Maturity, with labelled points: Ostrich approach; Manual Review; CLI utilities + point solutions + scripts for searching; Traditional SIEMs; Splunk> (+ SPLICE); Splunk> + Enterprise Security app]
Page 19
What should I expect based on my organization’s current security-maturity level?
▸ Organizations will gain utility regardless of where they exist on the security maturity continuum
▸ For nascent security programs
§ Quick time-to-value on best-practices tied to current real-world threats
▸ For mid-maturity security programs
§ + automation that creates efficiencies for smaller teams, enabling time for more value-add activities such as proactive analysis
▸ For high-maturity security programs
§ + consolidated reports and visualizations that are easily integrated into existing workflows
Page 20
Live Demonstration
Page 21
Questions
Page 22
Announcements
Page 23
.conf2017 is coming to Washington, D.C.!
September 25-28, 2017, Walter E. Washington Convention Center
Reserve your seat for .conf2017 now through November 30th to get the super saver discount!
Reserve your spot today, pay later!
Sign Up Today: http://live.splunk.com/LP=1822
After registration opens, you will have 60 days to complete your registration to secure the super saver rate.
Visit the Information Kiosk in the Solution Pavilion!
Page 24
Support Operation Homefront!
Earn Your 6 Sponsor Badges! Splunk will donate $10 to Operation Homefront’s Holiday Meals for Military Families Program for every attendee that completes their mission of earning 6 sponsor badges. The program will provide meals to our local military families this holiday season. Plus a bonus if we hit 350 completed missions: Splunk will double the $3,500 donation to $7,000!
Page 25
Workshops: Get Splunk Hands-on Experience – Attend a Splunk Workshop
Upcoming Schedule
▸ December 1: Introduction to Splunk Enterprise
▸ December 14: Introduction to Splunk IT Troubleshooting
▸ January 11: Introduction to Splunk Enterprise Security
▸ January 11: NEW! Database Performance Tuning and Capacity Planning Workshop
▸ January 25: Introduction to Splunk IT Service Intelligence
▸ January 25: NEW! Splunk App Development Workshop
Location
▸ Splunk Office, McLean, VA
Visit http://www.doyouknowsplunk.com/workshops
Page 26
Splunk User Groups – Connect with Local Splunkers
Northern Virginia: Meets the last 3rd Thursday of every month
https://usergroups.splunk.com/group/northern-virginia-splunk-user-group.html
DC: Meets the last Wednesday of every month
https://usergroups.splunk.com/group/washington-dc-splunk-user-group.html
Baltimore: Meets the 3rd Monday of every month
https://usergroups.splunk.com/group/baltimore-splunk-user-group.html
Page 27
Take the GovSummit Post Event Survey!
We value your feedback! Take the post event survey on the iPads in the foyer starting at 2:30pm!