Cyber security readiness for manufacturing:
NIST SP 800-171 Compliance to meet DFARS 252.204.7012 Regulations
Cytellix, Cyber Security Division of IMRI | Aliso Viejo, CA
Copyright © 2017 IMRI. All rights reserved. Proprietary Information
Who am I?
Spencer Cobb, 20 years of experience in cyber security. Various roles in multiple cutting-edge start-ups helping global organizations secure their networks and confidential information.
Cytellix is the commercial cyber security division of IMRI.
IMRI: delivering comprehensive IT and engineering solutions since 1992.
Successfully delivered over $150 million in technology contracts. Secures over 1500 networks with 7M endpoints. Army, DISA and the Missile Defense Agency are customers.
We are focused on helping small manufacturers meet new federal supply chain compliance guidelines around cyber security readiness.
Partnered with Manufacturing Extension Partnerships around the U.S.
Quick survey…
• Raise your hand if…. (Keep them up please)
• You or someone you know has had their personal credit card or identity stolen.
• Your company or a company you know has been hacked.
• Your company or a company you know has been hit with ransomware.
• Your company or a company you know has paid a ransomware ransom…
You are likely running out of hands and your arms are getting tired.
Cyber attacks on the rise!
Confidential & Proprietary © 2017 IMRI Translating business needs into technology solutions
Attacks are becoming commonplace. Hacking is a fact of life.
Cyber attacks on the rise!
60% of SMB cybercrime victims go out of business within 6 months of an attack. (NCSA)
50% of all surveyed in 2014 reported being victims of cyber attacks. (National SBA)
70% of all targeted attacks struck small to mid-sized organizations in 2016. (SMB Group)
50% of small and midsized businesses have fallen victim to ransomware; 48% of those paid a ransom. (2017 Ponemon Institute)
Small businesses getting attacked
79% of small businesses do not have an incident response plan. Without one, you may never be able to fully recover when a cybersecurity incident becomes a reality.
75% of spear-phishing attacks in 2015 targeted businesses with fewer than 250 employees.
53% of small businesses reported they do not allocate budget for risk mitigation services because they do not store valuable data, yet the majority of respondents reported they store email addresses (68%) and phone numbers (65%), along with other valuable personal information.
56% of SMBs are unprepared to identify and respond to a security event. (EiQ Networks 2017)
75% of SMBs admitted a small-to-nonexistent IT security staff, with zero to two employees dedicated to that role. (EiQ Networks 2017)
Who is attacking?
• Nation states
• Hacktivists
• Organized Crime
Why are we being attacked?
Value at Risk
256 days: average time to detect malware (source: BeyondTrust)
$5,850,000: US average total cost of a data breach (source: Ponemon Institute)
Costing a data breach: brand value, intellectual property, customer relations, supplier relations, competitive information, information recovery, systems recovery, remediation, damage control, downtime, legal costs, forensics.
What is being stolen?
Hackers stealing IP from DoD and its suppliers
And replicating our technology!
These successful attacks have led to stricter guidelines for protecting information in the DoD supply chain. Hence DFARS 252.204.7012 for data protection.
DoD Supply Chain Protection: New Cyber Security Guidelines
• OUSD announced DFARS 252.204.7012: “Compliance with safeguarding covered defense information controls” (Oct 2016)
• DFARS points to NIST 800-171 for guidelines around Controlled Unclassified Information in Non-Federal Information Systems & Organizations. DoD contractors, including small businesses, must adhere to two basic cybersecurity requirements:
1. Must provide adequate security for information that resides in or transits through internal unclassified systems
2. Must rapidly report cyber incidents and cooperate with the DoD to respond to security incidents
https://www.archives.gov/cui/registry/category-list
The sum of the parts
• Safeguarding Unclassified Controlled Technical Information
• Cyber Security Evaluation Tool (CSET®)
• Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
• Cybersecurity for Manufacturers
All contractors must implement full compliance no later than December 31, 2017.
Contractors must notify the DoD of any security gaps within 30 days of any contract award. Adequate security is defined as a minimum in NIST 800-171 with the 14 controls (to protect controlled, unclassified data):
• Access Control
• Awareness and Training
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System & Communications Protection
• System & Information Integrity
800-171 Controls
3.11 Risk Assessment
3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, and reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems are identified.
3.11.3 Remediate vulnerabilities in accordance with assessments of risk.
800-171 Controls
3.12 Security Assessment
3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities.
3.12.3 Monitor security controls on an ongoing basis to ensure continued effectiveness of the controls.
800-171 Controls
3.6 Incident Response
3.6.1 Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and REPORT incidents to appropriate officials and/or authorities both internal and external to the organization.
*Incident response requires continuous monitoring.
What is needed?
• CSET completed (DHS self-assessment tool)
• Gap analysis completed, with a plan of action for remediation and a priority list defined
• Have a continuous improvement and awareness program in place (continuous monitoring)
• Prepare for notification to your contractor should you be hacked
Other questions
• What skills are needed to accomplish this? Outsource or become an expert.
• Are there services that provide a complete documentation and improvement program? Yes, look for a single service provider that can take you through the entire process.
• What happens if the supplier doesn’t do this? Business will suffer in a couple of ways:
  • You will be hacked, no question (not if but when)
  • Your contractor is required to have proof of compliance to give you new contracts
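Applying 3.11.3 and 3.12.2 to the gap-analysis step above: an added example, not Cytellix's code or tooling, that scores each 800-171 family from per-requirement assessment results and emits a risk-ordered plan of action. The status vocabulary, credit weights, default risk rating and the sample results are assumptions made for the example.

```python
"""NIST SP 800-171 gap analysis: score each control family and build a
prioritized plan of action (3.12.2) ordered by assessed risk (3.11.3).
Added illustration, not Cytellix code; the statuses, weights, sample
results and risk ratings below are constructed for the example."""
from collections import defaultdict

# Credit toward a family's score for each assessment status (assumption).
CREDIT = {"implemented": 1.0, "partial": 0.5, "not_implemented": 0.0}
# The 14 control families of NIST SP 800-171, keyed by section number.
FAMILY_NAMES = {
    "3.1": "Access Control", "3.2": "Awareness and Training",
    "3.3": "Audit and Accountability", "3.4": "Configuration Management",
    "3.5": "Identification and Authentication", "3.6": "Incident Response",
    "3.7": "Maintenance", "3.8": "Media Protection", "3.9": "Personnel Security",
    "3.10": "Physical Protection", "3.11": "Risk Assessment",
    "3.12": "Security Assessment", "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}

def family_scores(results):
    """Percent of credit earned per family, from {requirement_id: status}.
    The family is the requirement id minus its last component ('3.11.2' -> '3.11')."""
    total, earned = defaultdict(int), defaultdict(float)
    for req_id, status in results.items():
        fam = req_id.rsplit(".", 1)[0]
        total[fam] += 1
        earned[fam] += CREDIT[status]
    return {fam: round(100 * earned[fam] / total[fam]) for fam in total}

def plan_of_action(results, risk):
    """POA&M rows (weight, req_id, family, status) for every requirement not fully
    implemented, highest weight first. risk maps req_id -> 1..5 from the risk
    assessment (3.11.1); unrated items default to 3, partials weigh half."""
    rows = []
    for req_id, status in results.items():
        if status == "implemented":
            continue
        weight = risk.get(req_id, 3) * (0.5 if status == "partial" else 1.0)
        rows.append((weight, req_id, FAMILY_NAMES[req_id.rsplit(".", 1)[0]], status))
    rows.sort(key=lambda r: (-r[0], tuple(int(p) for p in r[1].split("."))))
    return rows

# Constructed assessment output for a small manufacturer (not real data).
SAMPLE_RESULTS = {
    "3.1.1": "implemented", "3.1.2": "partial", "3.6.1": "not_implemented",
    "3.6.2": "not_implemented", "3.11.1": "partial", "3.11.2": "not_implemented",
    "3.11.3": "partial", "3.12.1": "implemented", "3.12.2": "not_implemented",
}
SAMPLE_RISK = {"3.6.1": 5, "3.6.2": 4, "3.11.2": 4}
```

Running `plan_of_action(SAMPLE_RESULTS, SAMPLE_RISK)` puts the two missing incident-response requirements at the top, which matches the deck's emphasis on reporting readiness.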
CYTELLIX – Trusted Leader in Managed Cyber Security
IMRI: delivering comprehensive IT and engineering solutions since 1992
Successfully delivered over $150 million in technology contracts
Computer Operations: manages over $300 million
Cybersecurity: over 1500 networks, 7 million devices; engaged with U.S. Army Network Enterprise Technology Command, Missile Defense Agency, U.S. Army Corps of Engineers, DISA
Data Center/Cloud Computing: 15 facilities, 4 million users, 2800 applications
Data Center Consolidation: 22 operations with merger of $2 billion in assets
Software Development: application modernization and software development planning and implementation
Certifications: ISO 9001 / AS9100; CMMI compliant; industry and professional certifications
Cytellix outsourced Cyber
Cytellix provides a turnkey, affordable, comprehensive solution to help small and medium businesses meet cyber requirements:
1. CSET Assessment management & report
2. Network scan and real-time assessment & report
3. Gap Analysis & Assessment of 14 controls & report
4. Continuous network asset monitoring and threat detection
5. Remediation and compliance service – best practices & practical implementation
6. Secure Portal to manage all reporting, documentation and incident response.
Business Value Delivered
Cytellix provides a complete turn-key solution:
• Cloud based, agentless, compliance as a service.
• Affordably priced.
• Options for complete outsourced, managed service.
Assessment:
• Gap analysis
• Compliance posture
• Network scan
• Identified vulnerabilities
• Documentation
Continuous Monitoring:
• Reports
• Customized alerts
• Parameters of monitoring
• Policies managed / reported
• Dashboards developed
Remediation Services:
• *Automated remediations
• *Best practices
• Services for network changes
• 3rd party integration services
• Customized reports
CYTELLIX Solution – Network Situational Awareness
• Network behavioral analytics
• Performs real-time continuous monitoring
• Discovers every device connected to the network (physical, virtual, cloud, wireless)
• Proactive threat identification
Security Strategy lifecycle: Identify, Protect, Detect, Respond, Recover, Monitor
Identify your Network Topology
Network maps identify: segmentation, device connections, inventory of connected device types.
Provides your organization with “privilege” from a legal context.
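The device discovery and network-map inventory described above, as an added example that is not Cytellix's code: a baseline of approved devices is diffed against a fresh discovery pass to flag new, missing and changed assets. The record format, the names parse_discovery and inventory_diff, and the sample data are assumptions.

```python
"""Continuous asset-inventory monitoring: compare an approved device baseline
with a fresh discovery pass and flag new, missing and changed devices.
Added illustration, not Cytellix code. The baseline and the discovery
records are constructed 'ip mac hostname' lines, as a passive scanner
might produce; parse_discovery and inventory_diff are hypothetical names."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str

def parse_discovery(text):
    """Parse 'ip mac hostname' lines into {mac: Device}. The MAC is the key
    because IPs move with DHCP while the hardware address identifies the
    asset; MACs are lower-cased so case differences do not create ghosts."""
    devices = {}
    for line in text.strip().splitlines():
        ip, mac, host = line.split()
        devices[mac.lower()] = Device(ip, mac.lower(), host)
    return devices

def inventory_diff(baseline, current):
    """Return (new, missing, changed) lists of MACs: new = seen but not in the
    approved baseline, missing = approved but not seen (possible theft or
    outage), changed = approved asset whose IP or hostname differs from the
    baseline (moves/changes that need change-control review)."""
    new = sorted(current.keys() - baseline.keys())
    missing = sorted(baseline.keys() - current.keys())
    changed = sorted(m for m in baseline.keys() & current.keys()
                     if baseline[m] != current[m])
    return new, missing, changed

# Constructed sample data: approved inventory vs. today's discovery pass.
BASELINE = parse_discovery("""
10.0.1.10 00:11:22:33:44:01 plc-line1
10.0.1.11 00:11:22:33:44:02 hmi-line1
10.0.1.20 00:11:22:33:44:03 eng-ws01
10.0.1.50 00:11:22:33:44:04 printer-shop
""")
TODAY = parse_discovery("""
10.0.1.10 00:11:22:33:44:01 plc-line1
10.0.1.11 00:11:22:33:44:02 hmi-line1
10.0.1.21 00:11:22:33:44:03 eng-ws01
10.0.1.77 DE:AD:BE:EF:00:01 unknown
""")
```

On the sample data the unknown host is reported as new, the shop printer as missing, and the engineering workstation as changed because its IP moved.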
Key Differentiators
1) Complete turnkey service which includes everything a customer needs to be compliant with NIST 800-171: CSET, network scan & real-time vulnerability scan (with reports), GAP analysis, continuous (improvement) monitoring, remediation and compliance services…
2) The entire service and reporting is designed for and correlated with NIST 800-171 compliance.
3) Cloud based and clientless (agentless + passive); no heavy on-premise installation.
4) Affordably priced. (The IBMs of the world have a difficult time servicing a 50 person company.)
5) Available through local MEP
Cytellix Service Packages
*Turnkey pricing is tiered based on the size of the customer / number of employees.
Managed Cybersecurity Services "Snap Shot" (under 20 employees): one-time
Turnkey Compliance (under 50 employees): yearly
Service summaries:
• Consulting Interview NIST 800-171
• CSET Assessment, Documentation
• Vulnerability Assessment, Review, Documentation
• Network Situational Awareness Scan, Report
• Gap Analysis, Top Vulnerabilities, Recommendations
• Cytellix Customer Portal and Stored Documentation
• Cytellix Continuous Monitoring (CCM) with Real-time Alerts
• Periodic Vulnerability Scans
• Best Practices for Proper Cyber Posture
• Updated CSET and Gap Analysis Post Remediation
Client costs: $2,995 (Snap Shot, one-time) / $10,871 (Turnkey Compliance, yearly)
Manufacturing Extension Partner discount: 10% (Snap Shot) / 20% (Turnkey Compliance)
**Cytellix provides remediation services on an hourly basis.
Cytellix – Additional Services
Cytellix’s managed security operations center (SOC) is an upgrade to the turnkey package that allows customers to completely outsource the Cytellix cyber readiness service, including remediation, mitigations and reporting.
Optional Services Provided: Security Operations Center (less than 50 employees), yearly
• 24x7 Outsourced Continuous Monitoring
• Investigation, Mitigation, and Intelligence Analytics
• Monitoring of Open/Closed Sources
Client costs: $2,070
Manufacturing Extension Partner discount: 20%
*Managed SOC pricing is tiered based on the size of the customer / number of employees.
Spencer Cobb, Cytellix, Director, Strategy & Business Dev. (404)‐844‐[email protected]
Report Summary 14 Controls
[Chart: 14 Controls Summary]
Categories of attacks in SMB
Root causes of attacks – ex.
Real world anecdotes
Manufacturer in MI: Hit by ransomware 3 different times. Paid increasing amounts of ransom to decrypt files.
Industrial Materials Manufacturer in PA: Hit by ransomware twice. Paid $10,000.
Manufacturer in NJ: Put out an RFP for components and provided information about its products to bidders. Later found out it was being hacked. The FBI found that a Chinese company which had bid on the RFP had hacked the company and stolen IP, reproducing their product for sale on the Chinese black market.
Security Challenges
What do we know?
• Constant system upgrades, moves and changes
• Resources in IT and cyber are limited in most organizations
• Real-time analysis across the entire enterprise or cloud is required
• Awareness of every computer, network, device (IoT) and route is required for true situational awareness
• We need to understand attack paths, risks and data leaks
• Increased requirements for cyber security compliance and policies
Common TTPs: Common Tools, Tactics & Procedures in manufacturing attacks
Phishing, spear-phishing, SQLi, malvertising >>> account hijacking or malware infection, for data exfiltration or ransomware (encryption)