Keep Your Guard: Stay Compliant and Be Secure (September 14th, 2016)
Presenters
• Tim Erlin, Director, Product Management, IT Security and Risk Strategist (Twitter: @terlin, [email protected])
• Karl Perman, Vice President, Services
• Bill Kearson, Director, Information Security
Current State of Industry (Tripwire Research: http://www.tripwire.com/company/research)
• Could a cyberattack on operational technology in your organization cause physical damage?
• Does your organization have the ability to accurately track all the threats targeting your OT networks?
• What compliance requirements are the biggest driver for your purchase of cyber security products?
* November, 2015, 150 IT professionals in energy, utilities and oil & gas
Compliance Challenge: Baselines
• What does NERC CIP require:
– CIP-010 R1: Develop configuration baselines, authorize and document changes to baselines (OS including firmware, software, ports, security patches)
– CIP-010 R2: Monitor and investigate changes to baselines
• Tips for Achieving and Maintaining Compliance
– Automation; reducing manual effort can dramatically reduce audit burden.
– Define a baseline process for your organization
– Have a configuration change management system, including a change authorization process
Compliance Challenge: Logging
• What does NERC CIP require:
– CIP-007 R4: Log security events, generate alerts, retain and review logs
– CIP-006 R2.2: Logging of visitor access
– CIP-009 R1.5: Data preservation for determining the cause of a Cyber Security Incident
– CIP-005 R1.5: Detecting malicious communications
• Tips for Achieving and Maintaining Compliance
– Normalization rules; choose a product that can normalize logs from the systems in your environment.
– Don't pay for log storage; choose a tool that licenses by asset, not by events per second or data stored.
– Implement a logging process, including clearly defined roles and responsibilities
Compliance is Not Security
Security: Secure Configurations
• What gaps does CIP compliance leave open:
– Frequency of review; 35 days is not often enough!
– Use of configuration information
– Remember offense as well as defense
• Tips for going beyond NERC CIP compliance to security
– Use a configuration baseline tool that can monitor in real time.
– Expand the baseline configuration items promulgated by CIP
– Fuse configuration data with threat intelligence
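The two configuration slides (the CIP-010 R1/R2 baseline requirements and the "35 days is not often enough" gap) describe one workflow: record an approved baseline, compare the observed state against it, separate documented changes from ones that need investigation, and notice when the check itself is overdue. The Python below is an added example of that workflow; it is not code from the deck or from Tripwire's products. The baseline field names, the asset state, the change record id `CR-0042` and the file contents are all constructed for the example, and `review_overdue` uses the 35-day limit the slide quotes as its default.

```python
import hashlib
from datetime import date

# Constructed approved content for one monitored file. Field names throughout are
# this example's own, not a NERC CIP or Tripwire schema.
APPROVED_SSHD_CONFIG = b"PermitRootLogin no\nPasswordAuthentication no\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Approved baseline: the CIP-010 R1 item categories (OS/firmware, software, ports,
# patches) plus file hashes, and the date the baseline was last reviewed.
BASELINE = {
    "os": "ExampleOS 4.2 / firmware 1.8",
    "software": {"scada-agent": "3.1.0", "openssh": "7.4"},
    "ports": {22, 502, 20000},
    "patches": {"PATCH-2016-07", "PATCH-2016-08"},
    "files": {"/etc/ssh/sshd_config": sha256_hex(APPROVED_SSHD_CONFIG)},
    "last_reviewed": date(2016, 8, 20),
}

# Authorized, documented changes (CIP-010 R1), keyed by (category, item, new value)
# and pointing at the change record. The record id is constructed.
AUTHORIZED_CHANGES = {
    ("software", "scada-agent", "3.1.1"): "CR-0042",
}

# Constructed observed state, as a collection agent or script would report it.
OBSERVED = {
    "os": "ExampleOS 4.2 / firmware 1.8",
    "software": {"scada-agent": "3.1.1", "openssh": "7.4"},
    "ports": {22, 23, 502, 20000},
    "patches": {"PATCH-2016-07", "PATCH-2016-08"},
    "file_contents": {
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    },
}


def diff_baseline(baseline, observed):
    """Return (category, item, old, new) for every baseline item that differs."""
    dev = []
    if observed["os"] != baseline["os"]:
        dev.append(("os", "os", baseline["os"], observed["os"]))
    for name in sorted(set(baseline["software"]) | set(observed["software"])):
        old, new = baseline["software"].get(name), observed["software"].get(name)
        if old != new:
            dev.append(("software", name, old, new))
    for port in sorted(baseline["ports"] ^ observed["ports"]):
        opened = port in observed["ports"]
        dev.append(("ports", port, "closed" if opened else "open", "open" if opened else "closed"))
    for patch in sorted(baseline["patches"] ^ observed["patches"]):
        present = patch in observed["patches"]
        dev.append(("patches", patch, "absent" if present else "installed",
                    "installed" if present else "absent"))
    for path, old_hash in sorted(baseline["files"].items()):
        # A missing file hashes as empty content and is therefore reported too.
        new_hash = sha256_hex(observed["file_contents"].get(path, b""))
        if new_hash != old_hash:
            dev.append(("files", path, old_hash, new_hash))
    return dev


def classify(deviations, authorized):
    """Split deviations into documented changes and ones to investigate (CIP-010 R2)."""
    documented, unauthorized = [], []
    for cat, item, old, new in deviations:
        record = authorized.get((cat, item, new))
        if record:
            documented.append((cat, item, new, record))
        else:
            unauthorized.append((cat, item, old, new))
    return documented, unauthorized


def review_overdue(last_reviewed, today, max_days=35):
    """True when more than max_days have passed since the last baseline review."""
    return (today - last_reviewed).days > max_days


if __name__ == "__main__":
    documented, unauthorized = classify(diff_baseline(BASELINE, OBSERVED), AUTHORIZED_CHANGES)
    print("documented changes:", documented)
    print("investigate:", unauthorized)
    print("review overdue:", review_overdue(BASELINE["last_reviewed"], date(2016, 9, 14)))
```

Run against the constructed state, the software upgrade is matched to its change record, while the newly open telnet port and the edited sshd_config come out as unauthorized deviations to investigate. The comparison itself is cheap enough to run on every collection, which is the point of the slide: the 35-day cadence is a compliance ceiling, not a detection design.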
Security: Security Event Management
• What gaps does CIP compliance leave open:
– Stateful correlation of events; 5 failed logins followed by success
– Track events that matter to your organization in addition to CIP requirements
• Tips for going beyond NERC CIP compliance to security
– Use a log management tool that can track state across events
– Use key performance indicators to measure effectiveness
– Event analysis correlated with threat intelligence
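The logging slide asks for normalization rules that bring differently formatted sources into one schema, and this slide asks for correlation that keeps state across events (the "5 failed logins followed by success" case) plus KPIs to measure how well the pipeline is doing. The Python below is an added example covering both, not code from the deck or from any product. The log lines are constructed in two made-up formats (a syslog-style sshd line and a key=value line) standing in for mixed IT/OT sources; the hostnames and addresses are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. Neither format is a real product's; they stand in
# for the mixed sources a control network would produce.
RAW_LOGS = [
    "2016-09-14T10:00:01Z hmi01 sshd[812]: Failed password for operator from 10.20.30.5 port 51000 ssh2",
    "2016-09-14T10:00:05Z hmi01 sshd[812]: Failed password for operator from 10.20.30.5 port 51001 ssh2",
    "2016-09-14T10:00:09Z hmi01 sshd[812]: Failed password for operator from 10.20.30.5 port 51002 ssh2",
    "2016-09-14T10:00:13Z hmi01 sshd[812]: Failed password for operator from 10.20.30.5 port 51003 ssh2",
    "2016-09-14T10:00:17Z hmi01 sshd[812]: Failed password for operator from 10.20.30.5 port 51004 ssh2",
    "2016-09-14T10:00:21Z hmi01 sshd[812]: Accepted password for operator from 10.20.30.5 port 51010 ssh2",
    "ts=2016-09-14T10:05:00Z host=rtu07 event=logon result=failure user=admin src=10.20.30.9",
    "ts=2016-09-14T10:06:00Z host=rtu07 event=logon result=success user=admin src=10.20.30.9",
    "2016-09-14T10:07:00Z hmi01 kernel: eth0 link up",
    "ts=2016-09-14T10:10:00Z host=rtu07 event=logon result=failure user=eng src=10.20.30.7",
    "ts=2016-09-14T10:11:00Z host=rtu07 event=logon result=failure user=eng src=10.20.30.7",
    "ts=2016-09-14T10:12:00Z host=rtu07 event=logon result=failure user=eng src=10.20.30.7",
    "ts=2016-09-14T10:25:00Z host=rtu07 event=logon result=failure user=eng src=10.20.30.7",
    "ts=2016-09-14T10:26:00Z host=rtu07 event=logon result=failure user=eng src=10.20.30.7",
    "ts=2016-09-14T10:27:00Z host=rtu07 event=logon result=success user=eng src=10.20.30.7",
]

# Normalization rules: each maps one source format onto the common event schema
# {ts, host, user, src, outcome}.
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
KV_RE = re.compile(r"^ts=(?P<ts>\S+) host=(?P<host>\S+) event=logon result=(?P<outcome>success|failure) "
                   r"user=(?P<user>\S+) src=(?P<src>\S+)")
RULES = [
    (SSHD_RE, {"Failed": "failure", "Accepted": "success"}),
    (KV_RE, {"failure": "failure", "success": "success"}),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Apply the rules in order; return a common event dict, or None if nothing matched."""
    for pattern, outcome_map in RULES:
        m = pattern.match(line)
        if m:
            return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                    "src": m["src"], "outcome": outcome_map[m["outcome"]]}
    return None


class FailedThenSuccess:
    """Stateful rule: at least `threshold` failures for one (host, user, src) inside
    `window`, then a success. No single event can trip it; state is what matters."""

    def __init__(self, threshold=5, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (host, user, src) -> recent failure timestamps

    def feed(self, ev):
        key = (ev["host"], ev["user"], ev["src"])
        recent = self.failures[key]
        while recent and ev["ts"] - recent[0] > self.window:  # expire old failures
            recent.popleft()
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
            return None
        count = len(recent)
        recent.clear()  # a success resets the state for this key
        if count >= self.threshold:
            return {"rule": "failed_logins_then_success", "host": ev["host"], "user": ev["user"],
                    "src": ev["src"], "failures": count, "ts": ev["ts"]}
        return None


def run(lines, threshold=5, window_minutes=10):
    """Normalize, correlate, and return (alerts, kpi). Unparsed lines are counted,
    not silently dropped: they are the blind spots a KPI should expose."""
    rule = FailedThenSuccess(threshold, timedelta(minutes=window_minutes))
    alerts, kpi = [], {"events": 0, "normalized": 0, "unparsed": 0, "alerts": 0}
    for line in lines:
        kpi["events"] += 1
        ev = normalize(line)
        if ev is None:
            kpi["unparsed"] += 1
            continue
        kpi["normalized"] += 1
        alert = rule.feed(ev)
        if alert:
            alerts.append(alert)
    kpi["alerts"] = len(alerts)
    return alerts, kpi


if __name__ == "__main__":
    found, stats = run(RAW_LOGS)
    print(stats)
    for a in found:
        print(a)
```

On the constructed input only the `operator` sequence produces an alert: five failures inside the window and then a success. The `admin` case has a single failure, and the `eng` case has five failures spread across more than ten minutes, so the window expiry leaves too few to count when the success arrives. The kernel line is counted as unparsed rather than discarded, which is the kind of coverage KPI the slide recommends tracking.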
Conclusion
• CIP is only a baseline; go further for security
• Good CIP compliance may not protect you from all of the current security threats
• A process-driven approach should make compliance less burdensome in the long run (defined and repeatable processes)
• Automate where you can, as manual processes are fraught with resource constraints and errors
TRIPWIRE PROPRIETARY & CONFIDENTIAL. NOT FOR DISTRIBUTION. INTERNAL USE ONLY.
Questions