NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Rethinking Cybersecurity from the Inside Out
An Engineering and Life Cycle-Based Approach
for Building Trustworthy Resilient Systems
Dr. Ron Ross
Computer Security Division
Information Technology Laboratory
The current landscape.
Our appetite for advanced technology is rapidly exceeding our
ability to protect it.
Complexity.
An adversary’s most effective weapon in the 21st century.
One organization’s IT product feature is another organization’s
attack surface.
Estimating Number of Vulnerabilities
So, 50mLOC / 1kLOC * 4.9 Flaws / 1kLOC ≅ 245,000 flaws
Or approximately 2,400 to 12,200 potential security vulnerabilities.
Source: Security Vulnerabilities in Software Systems - A Quantitative Perspective, O.H. Alhazmi.
Between 1% and 5% of software flaws are security vulnerabilities.
Source: Software Assessments, Benchmarks, and Best Practices, C. Jones.
The n + 1 vulnerabilities problem.
Unconstrained due to increasing attack surface.
When culture clashes with science…
Science wins.
The hard cybersecurity problems are buried below the water line…
In the hardware, software, and firmware.
System
Harden the target
Limit damage to the target
Make the target survivable
Reducing susceptibility to cyber threats requires a
multidimensional systems engineering approach.
Security Architecture and Design
Achieving Trustworthiness and Resiliency
How we do security today…
Bottom up, instead of top down.
Outside in, instead of inside out.
Tactical instead of strategic.
We are managing the trees, but not the forest.
The road ahead.
Institutionalize.
Operationalize.
The ultimate objective for security.
NIST Special Publication 800-160
Systems Security Engineering
An Integrated Approach to Building Trustworthy Resilient Systems
On the Horizon…
Multidisciplinary integration of security best practices.
Command and control of the security space.
Technical Processes
Business or mission analysis
Stakeholder needs and requirements definition
System requirements definition
Architecture definition
Design definition
System analysis
Implementation
Integration
Verification
Transition
Validation
Operation
Maintenance
Disposal
ISO/IEC/IEEE 15288:2015
Systems and software engineering — System life cycle processes
Nontechnical Processes
Project planning
Project assessment and control
Decision management
Risk management
Configuration management
Information management
Measurement
Quality assurance
Acquisition and Supply
Life cycle model management
Infrastructure management
Portfolio management
Human resource management
Quality management
Knowledge management
ISO/IEC/IEEE 15288:2015
Systems and software engineering — System life cycle processes
An example.
“The purpose of the Human Resource Management process is to ensure the organization is provided with necessary human resources and to maintain their competencies, consistent with business needs.”
-- ISO/IEC/IEEE 15288-2008. Reprinted with permission from IEEE, Copyright IEEE 2008, All rights reserved.
Human Resource
Management Process
Systems Engineering View
“Systems security engineering, as part of the Human Resource Management process, defines the criteria for qualification, assessment, and ongoing training of individuals that apply scientific, engineering, and information assurance principles to deliver trustworthy and resilient systems that satisfy stakeholder needs and requirements within their established risk tolerance.”
-- NIST Special Publication 800-160.
Human Resource
Management Process
Systems Security Engineering View
Required system security engineering skills are identified.
System security engineering skills are developed, maintained or enhanced.
Individuals with system security engineering skills are provided to projects.
System security engineering knowledge, skills, and information are collected, shared, reused and improved throughout the organization.
Systems Security Engineering HR Management Process Outcomes
HR-1 IDENTIFY SYSTEMS SECURITY ENGINEERING SKILLS
HR-1.1 Identify systems security engineering skills needed based on current and expected projects.
Supplemental Guidance: The National Cybersecurity Workforce Framework defines various categories and specialty areas of cybersecurity work including systems security engineering and also identifies common tasks and knowledge, skills, and abilities (KSA's) associated with each specialty area. The framework can be used by government, industry, and academia to describe cybersecurity work and workforces, and related education, training, and professional development. The cybersecurity categories include: securely provision; operate and maintain; protect and defend; investigate; collect and operate; analyze; and oversight and development.
HR-1.2 Identify systems security engineering skills of organizational personnel and conduct a skills gap analysis.
Supplemental Guidance: Comparing the systems security engineering skills of organizational personnel with the skills needed to support current and expected projects can serve to inform training and education requirements and activities.
References:
National Cybersecurity Workforce Framework: http://csrc.nist.gov/nice/framework
Cybersecurity Framework, Identify Function: http://www.nist.gov/cyberframework
Human Resource Management Process
Security-Related Activities and Tasks
SP 800-160 References Section
Incorporating by reference and aligning, national and international security standards, guidelines, frameworks, and best practices.
30 ISO/IEC/IEEE 15288 Engineering Process Steps
Demonstrating in a transparent and inclusive manner, that multiple security solutions and approaches can be employed to achieve trustworthy resilient systems.
SP 800-160 Structure and Content
Chapter 1 INTRODUCTION
Chapter 2 THE FUNDAMENTALS
Chapter 3 THE PROCESSES
Appendix A REFERENCES
Appendix B GLOSSARY
Appendix C ACRONYMS
Appendix D SUMMARY OF ACTIVITIES AND TASKS
Appendix E ROLES AND RESPONSIBILITIES
Appendix F SECURITY DESIGN PRINCIPLES
Appendix G HARDWARE, SOFTWARE, AND SYSTEM ASSURANCE
Appendix H INFORMATION SECURITY RISK MANAGEMENT
Appendix I SYSTEM AND CYBER RESILIENCY
Appendix J ENTERPRISE ARCHITECTURE INTEGRATION
Appendix K DOD ENGINEERING SUPPLEMENT
Some final thoughts.
A Winning Strategy
“Build the Right Solution”: Meets operational intent
A two-pronged attack on the threat space
Systems Engineering, Software Assurance, System Life Cycle, Testing/Evaluation, Trustworthiness, Resiliency, Design, Architecture, Acquisition, Secure Coding, Static Code Analysis, Systems Integration, Systems Security Engineering
Security Configurations, Ongoing Authorization, Separation of Duties, Software Patching, Traffic Analyses, Security State, Asset Inventory, Network Sensors, Incident Response, Threat Assessment, Situational Awareness, Administrative Privileges, Vulnerability Assessment
Critical Missions and Business
Functions
Foundation of Components, Systems, Services
Cyber Threat
To survive in the digital age of
total IT dependence…
“Build the Solution Right”: Meets design intent
“Continuously Monitor”: Preserves operational intent over time
“Continuously Maintain”: Preserves design intent over time
Be proactive, not reactive, when it comes to protecting your organizational assets from cyber threats.
Security should be a by-product of good design and development practices—integrated throughout the organization.
Security is a team sport.
Industry
Government Academia
Contact Information
100 Bureau Drive Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Leader: Dr. Ron Ross, (301) 975-5390, [email protected]
Administrative Support: Peggy Himes, (301) 975-2489, [email protected]
LinkedIn: http://www.linkedin.com/in/ronrossnist
Senior Information Security Researchers and Technical Support:
Pat Toth, (301) 975-5140, [email protected]
Kelley Dempsey, (301) 975-2827, [email protected]
Web: csrc.nist.gov
Comments: [email protected]