Walk This Way
Robin Basham, Vice President Information Security Risk and Compliance, Chief Compliance Officer, Cavirin
Presented to CISO Forum, June 2nd 2016

6/3/2016 Copyright © Cavirin (www.cavirin.com) 5201 Great America Parkway Suite 419, Santa Clara, CA 95054
https://www.linkedin.com/in/robinbasham

CSO Summit ARAP tackles Computer Security Controls June 2


Risk: What could go wrong?
• Reputation is a new target for cyber attacks
• Criminals value our information – financial, health, critical infrastructure
• Cyber risk is challenging to understand and address, increased regulation imposed
• The changing pace of technology increases unknown dependency on third parties and shadow IT
• We cannot trace or control our data – data exfiltration occurs
• The role of government and information custody is often misunderstood


Accountability vs. Compliance
• We have false confidence in published assessment reports.
• This deck includes three scenarios where applying principles of CIS Critical Security Controls (Top 20) and other compliance frameworks makes it possible to detect conditions that, left unchecked, would unravel both the company’s investments and controls.

Let’s talk about you.

AWS & Secure Cloud
Ransomware & Data Exfiltration
Cyber Insurance

You’re a CISO (i.e. Rock Star)

Steve Tyler, lead singer for Aerosmith, is not associated in any capacity to Cavirin. We are inspired by his music.

You’re a CISO (Cowboy – Rancher)

You’ve some experience herding cattle and cats

Images not property of Cavirin but could not locate copy owner via tinyeye or research.

You have a Cybersecurity Mission: Resilience

• Know the critical assets and who’s responsible for them
• Get everyone involved in cyber-resilience
• Assure they have the knowledge and autonomy to make good decisions
• Be prepared for both unsuccessful AND successful attack
• Prevent a cyber attack from throwing your organization into complete chaos.

Define, Establish, Implement, Analyze, Report, Respond, Review, Update

Continuous Monitoring maps to risk tolerance, adapts, actively involves management

You’re in a continuous compliance conversation

• Just FIX IT (CIO)
• Manage Risk – Prioritized Road Map Drives FIX (CSO)
• IT Plan Integrates FIX to business objectives (IT Ops)
• Just tell me how to FIX; tack it onto tonight's change ticket (Engineer)
• Did you FIX it? Sends list of fails to the board (Audit)

You’ve adapted those lyrics

• CRAWL this Way

Steve Tyler, lead singer for Aerosmith, is not associated in any capacity to Cavirin.

CISO Roles - Environments - Measures

Measures: PCI DSS, SOC2, HITECH, Cyber Security Framework, ISO27002, NIST 53 v4, CIS CSC Top 20, DISA STIGS, FedRamp, SIG Due Diligence, RMF, FAIR, COSO ERM

Roles: Build Business, Sell Security, Govern Security, Operate Securely, Identity & Access, Risk Management, Legal Interface, Compliance, Security Architecture, Budget, Security Roadmap, PMO Security Roadmap

Environments: IaaS, PaaS, SaaS, Cloud, Data Centers, Containers, Hybrid Cloud

Accountability vs. Compliance means you’re ready to address the elephant in the room

No elephants were harmed in the making of this slide deck.

All the babies want their candy


Credit to Monument Partners -

You simply need an analysis of attack surface so you can justify the spend, find and stop the bleeding


• We have too many products with conflicting and overlapping opinions.

• We can’t tie a single platform to the results on all attack vectors.

Cavirin is an advisory partner to the Center for Internet Security
– We give them our mapping
– CIS certifies our output using their benchmarks

• CIS supports standard benchmark guidance for most OS and networking devices

• Cavirin supplies our collective 25 years of expertise to tie those assertions to assessment frameworks and standards

• Cavirin software automates the collection, interpretation and reporting for your environment’s system information. These results tell you if compliance is even possible. Findings include a severity score and enabled control processes.


3 Use Cases for Management of Cyber Threat
• Compliance in the Cloud
• Cyber Insurance Posture
• Using CSC Controls for Resilience to Ransomware and Data Exfiltration

Center for Internet Security states up to 80% of cyber attacks could be prevented by
• Maintaining an inventory of authorized and unauthorized devices
• Maintaining an inventory of authorized and unauthorized software
• Developing and managing secure configurations for all devices
• Conducting continuous (automated) vulnerability assessment and remediation
• Actively managing and controlling the use of administrative privileges

• 84 Docker Container Policies

• 43 AWS Cloud Policies published by CIS

AWS - Compliance in the Cloud.
Authorities are CIS-CSC Top 20, AWS, Gartner, NIST 53 v.4

Gartner Study and Recommendation for AWS
• Gartner’s Strategic Planning Assumption
• Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.
• https://www.gartner.com/doc/reprints?id=1-2K4XVSV&ct=150729&st=sb
• The mismanagement of recommended configuration is both in and beyond our locus of control; however, cloud breaches impact everyone’s brand. Laws put increasing responsibility on all consumers of the cloud to increase accountable oversight of their providers of cloud services, i.e. dependency responsibilities

Automated Risk Assessment Platform must haves
• Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
• A “hyper plane” of integrated “risk assessment” amongst segmented vulnerability domains
• Must work with Private, Hybrid, and Public Clouds
• Support AWS, Azure, GCP (Google Cloud Platform)
• Manage thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL, CCI)
• Supports current compliance authority (PCI DSS, HIPAA, NIST, SOC2, FedRamp, CIS Benchmark, DISA, CIS CSC, CSF)
• Have CIS Certified security content (Multiple OS, Docker, AWS Cloud)
• Be AWS Security Certified

Dr. Ravi Rajamiyer, VP of Engineering

The cloud model for locus of control

SERVICE LEVEL factors that can be measured (AWS specific)
• Compliance and Governance – validation of “Best Practices” for GRC
• Architectural Baselines – Policies can be set with notifications on violations
• AWS Cloud Configuration – Automating for Compliance EC2 Instances
• Deployment & Management – validating IAM credentials for “Best Practices”

The cloud model for locus of control

Information factors that can be measured (AWS specific)
• AWS VPC (Default) - validation of policies between regions
• AWS Identity and Access Management (IAM) - validation of policies

The cloud model for locus of control

Software as a Service factors that can be measured (AWS specific)
• AWS Simple Storage Service (S3) – validation of configuration for S3
• Monitoring capabilities – AWS CloudTrail & AWS CloudWatch
– *not SaaS service, but can be viewed as such for AWS users

The cloud model for locus of control

Platform & Infrastructure as a Service factors that can be measured (AWS specific)
• Many ways to secure infrastructure (IaaS) – ARAP validates those by CIS Benchmarks
• Provision only what you need – customize policies to suit your need (SPF)

Features
• API First Strategy (Following OWASP for API Security Standards)
• Simple and Fast – OBA (One Button Assessment, an aggregate report, for example, by NIST family, SOC2, HIPAA, PCI or CSC Top 20 groupings)
• Vendor/Partner Risk Assessment & Report
• Scalability - 100K up to 1M devices
• Customized Scripted Policy Framework (extensible, adoptable, deployable)
• Security & Compliance across IaaS and PaaS (RDS, SQS, BeanStalk)
• Input Connector Architecture (Amazon Inspector, Nessus/Qualys Scans, Docker Scans, continuous additions as needed)
• Output Connector Architecture (Puppet/Chef Automation integration, Remediation workflow integration – JIRA, ServiceNow, etc.)

Cyber Insurance
Are you insurable? Are you culpable?

According to Higher Education Information Security Council © 2015 EDUCAUSE
• Most institutions that purchase a cyber policy have limits of $5 million or less and deductibles of $50,000 or less.
• Policies require attestation to the maturity of information technology and information security programs
• Subject to Independent audit of your IT and IT security
• Inaccuracies may render claims invalid or provide an opportunity for the insurer to void the policy altogether.

NACD National Association of Certified Directors – Cyber Handbook
• How to disclose a cyber event
• NIST Cyber Security Framework, voluntarily measure and benchmark IT and Security Program effectiveness
• Boards require active reporting on Cyber preparedness
• Understanding risk appetite
• Exposure points
• Directors are exposed by third party dependencies, especially those dependencies that exist in the cloud
• Credit card issuers and Healthcare providers are increasingly experiencing recourses against Boards of Directors

Using CSC CIS to Mitigate Expertise Risk – Prove existence of IT Security Program at OS, Environment, Device levels

• Security and Compliance experts map compliance process and testing to specific assertions of best practice across operating systems, environments, and devices.

• When best practice criteria are not met, an aggregate score is presented with exact steps for remediation


CSF (Cyber Security Framework) provides a cyber security model

• Identify: CMDB, People, Process, Technology, relationships, alignment to controls
• Protect: Architecture, Infrastructure, Monitoring
• Detect: Defined Sources, Collection, Interpretation, Reporting Methods
• Respond: RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
• Recover: Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA

Report against NIST Framework for Improving Critical Infrastructure Cybersecurity; Annex A


Resilience to Ransomware & Data Exfiltration
• Back up your data
• Keep your anti-virus software current
• Screen emails for phishing/malware
• Authenticate the sources of email
• Sandboxing suspicious software
http://www.networkworld.com/article/3062901/security/with-some-advanced-preparation-you-can-survive-a-ransomware-attack.html

Endpoint – user access to sensitive data, at risk employees
• Increasing granularity of data policies and controls
• Start with most sensitive data in high frequency locations like email, CRM, financial systems

Network – high volume, high risk protocols and exit points
• Increasing monitored protocols and endpoints
• Start with known vulnerable algorithms and protocols (SSL 3, TLS 1.0, DES, RC4)

Storage
• Increasing allowable and monitored locations for data
• File servers, Exchange DB
• SharePoint, Database Servers
• Virtual Storage CIF
• Web Servers

DLP Policy: Monitoring & prevention, Discovery & protection

Crawl, Walk, Run
• Qualitative risk assessment
• Leverage existing BIA and Data Retention Strategy
• Information Security Threat analysis, and
• Integrate with Goals for enterprise IT

NSA Recommended: Top initiatives to provide most protection (including Ransomware Attack and Data Exfiltration)

1. Control Administrative Privileges
2. Limiting Workstation-to-Workstation Communication
3. Antivirus File Reputation Services
4. Anti-Exploitation
5. Host Intrusion Prevention (HIPS) Systems
6. Secure Baseline Configuration!!!!!
7. Web Domain Name System (DNS) Reputation
8. Take Advantage of Software Improvements
9. Segregate Networks and Functions
10. Application Whitelisting

Group controls to risks associated with their absence – Report under the assessment type that matters to your board
ISO/IEC 27002:2013

Assessment Testing Ransomware Exfiltration Mapping Query
ISMS_12.2.1 | Controls against malware | Protection from malware
ISMS_12.3.1 | Information backup | Backup
ISMS_13.2.1 | Information transfer policies and procedures | Information transfer
ISMS_13.2.3 | Electronic messaging | Information transfer
ISMS_17.1.2 | Implementing information security continuity | Information security continuity
ISMS_7.1.2 | Terms and conditions of employment | Prior to employment
ISMS_7.3.1 | Termination or change of employment responsibilities | Termination and change of employment
ISMS_9.2.2 | User access provisioning | User access management
ISMS_9.2.4 | Management of secret authentication information of users | User access management

Group controls to risks associated with their absence – Report under the assessment type that matters to your board
NIST 800-53 r4

Assessment Testing Ransomware Exfiltration Mapping Query
AU-9 PROTECTION OF AUDIT INFORMATION | AU-9.1 HARDWARE WRITE-ONCE MEDIA
AU-9 PROTECTION OF AUDIT INFORMATION | AU-9.2 AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
PE-3 PHYSICAL ACCESS CONTROL | PE-3.2 FACILITY/INFORMATION SYSTEM BOUNDARIES
PL-8 INFORMATION SECURITY ARCHITECTURE | PL-8.1 DEFENSE-IN-DEPTH
SC-3 SECURITY FUNCTION ISOLATION | SC-3.2 ACCESS/FLOW CONTROL FUNCTIONS
SC-7 BOUNDARY PROTECTION | SC-7.7 PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
SC-7 BOUNDARY PROTECTION | SC-7.10 PREVENT UNAUTHORIZED EXFILTRATION
SI-4 INFORMATION SYSTEM MONITORING | SI-4.16 CORRELATE MONITORING INFORMATION
SI-4 INFORMATION SYSTEM MONITORING | SI-4.18 ANALYZE TRAFFIC / COVERT EXFILTRATION

Group controls to risks associated with their absence – Report under the assessment type that matters to your board
Center for Internet Security Critical Security Controls Version 6.0 CSC-13: Data Protection

1. Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls
2. Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.
3. Deploy an automated tool on network perimeters that monitors for sensitive information (e.g., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.
4. Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in clear text. These tools, which search for patterns that indicate the presence of sensitive information, can help identify if a business or technical process is leaving behind or otherwise leaking sensitive information.
5. If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.
6. Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them.
7. Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices.
8. Therefore it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system.
9. Block access to known file transfer and e-mail exfiltration websites.
10. Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server. In most organizations, access to the data is controlled by ACLs that are implemented on the server. Once the data have been copied to a desktop system, the ACLs are no longer enforced and the users can send the data to whomever they want.
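CSC-13 item 4 calls for periodic automated scans that search for patterns indicating clear-text sensitive data. The sketch below is an added illustration of such a scan, not part of the original deck or of any Cavirin product; the regexes, function names and the sample log are constructed for the example.

```python
"""Added example: clear-text sensitive-data scan in the spirit of CSC-13 item 4."""
import re
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN layout AAA-GG-SSSS; never-issued ranges are excluded.
SSN_RE = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first 6 / last 4 so the finding report does not become a leak itself."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str = "<memory>"):
    """Return findings as (source, line_no, kind, masked_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((source, line_no, "PAN", mask(digits)))
        for m in SSN_RE.finditer(line):
            findings.append((source, line_no, "SSN", "***-**-" + m.group()[-4:]))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000):
    """Walk a directory tree, skipping unreadable or oversized files."""
    findings = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_file() and path.stat().st_size <= max_bytes:
                text = path.read_text(encoding="utf-8", errors="ignore")
                findings.extend(scan_text(text, str(path)))
        except OSError:
            continue
    return findings


# Constructed sample: a debug log that leaks a test card number and an SSN.
# The 16-digit tracking number fails the Luhn check and is not reported.
SAMPLE = """\
2016-06-02 10:01:07 INFO order=88121 status=paid
2016-06-02 10:01:07 DEBUG card=4111 1111 1111 1111 exp=12/19
2016-06-02 10:01:09 DEBUG tracking=1234567890123456
2016-06-02 10:02:44 DEBUG applicant ssn=078-05-1120 verified
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "app-debug.log"):
        print(finding)
```

Findings are masked before they are reported, so the scan output can be attached to a remediation ticket without copying the sensitive value again.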

• Engineers don’t have time to translate their workloads into “audit speak”.

• Auditors can’t provide value in engineering domains.

Image is the harmless nocturnal monster from final episode of the revived X-Files, FOX Networks.

Crawl, walk, run, fly
• Understand your environment
• Identify open wounds, stop bleeding
• Factor risk against attention and resource, tie out engineering to audit
• Gain consistency across devices, environments, businesses
• Achieve continuous automated risk assessment, stitch greatest risk into automation in your continuous compliance platform

About Cavirin

Cavirin’s Automated Risk Analysis Platform (ARAP) is a scalable, extensible fabric that provides instant security visibility on cloud based (private, hybrid, and public) infrastructure, offering continuous risk assessment. Through its agentless discovery mechanism, ARAP deep scans very large sets of assets, applying rich “out-of-the-box” policy covering sought-after security standards, generating action oriented reports and aligning actual to best practice and regulatory compliance requirements. Its open “connector” architecture allows enterprises to deploy on a hyper-plane that integrates popular cloud-based assessment services such as Amazon Inspector, delivering business and industry specific reporting enabled by Scripted Policy Framework.

Cavirin services are cloud agnostic, with Docker and Azure policy recently released. Cavirin is an Amazon Web Services Certified Security vendor and an authorized partner for its Inspector service. The ARAP content library includes PCI DSS, DISA & CIS Benchmark, CIS Critical Security Controls, ISO 27002, NIST 53 v.4, CSF, SOC2, and HIPAA Common Security Framework.

About your speaker: Robin Basham, VP Information Security Risk and Compliance, & CCO

Robin Basham, M.Ed, M.IT, CISSP, CISA, CGEIT, CRISC, serves as Cavirin’s Vice President Information Security Risk and Compliance, providing thought leadership to industries ranging from large enterprise to soaring SMB, delivering concrete programs that transform compliance burden to strategic advantage. Robin is a Certified Information Systems Security, Audit, Governance and Risk professional, earning multiple master’s degrees in Technology and Education. She is an Enterprise ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud and Virtualization. Industry experience includes program direction, architecting and management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense and High Tech. Robin has held positions in Technology as an Officer at State Street Bank, Lead Process Engineering for a major New England CLEC, and Sr. Director Enterprise Technology for multiple advisory firms. Robin has delivered more than 75 compliance engineering products, and run two governance software companies. Most recently she served as Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Robin’s expertise and knowledge are highly recognized in Boston, Mid Atlantic, Silicon Valley and East Bay, where she has served hundreds of clients and is a frequent speaker, educator, and board contributor.


Questions
