GSF 2011 Tom Albert 2-1 Web-Cybersecurity


Cybersecurity: Trust, Visibility, Resilience

Transcript of GSF 2011 Tom Albert 2-1 Web-Cybersecurity

  • 1. Cybersecurity: Trust, Visibility, Resilience. Tom Albert, Senior Advisor, Cybersecurity. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  • 2. No single company can solve the complex challenge presented by the Internet, but the inherent role of the network positions Cisco as the natural partner in developing and executing a successful cyber security strategy.

  • 3. Cybersecurity Challenges
    - Operational Management
    - Data Capacity
    - Supply Chain
    - Business Resiliency
    - Data Loss

  • 4. Federal Cybersecurity Priorities
    - Continuous Monitoring
    - Identity Mgmt.
    - Situational Awareness
    - Secure Supply Chain
    - Vulnerability Analysis/IDS
    - Real-time Continuous Monitoring
    - Education and Training
    - Application Security
    - Limited Access Points

  • 5. Why Cisco?
    - Security Products
    - Cisco's Pervasive Footprint
    - The Network is the Sensor
    - Public/Private Partnerships
    - Visibility Tools
    - Education
    - Embedded Security Capabilities
    - Certifications
    - Cross Services
    - Incident Response
    - Architecture
    - Supply Chain Management
    - Trusted HW/SW

  • 6. Mission: Cybersecurity. Cisco IS the Cyber secure Platform. (Diagram labels, as extracted: Customer Requirements; Challenges; Solution Framework; Access; Trust; Inside Threat; Data Capacity; Visibility; Trustworthiness; Data Loss; Resilience; Public Policy; Supply Chain Solutions; Trust; Identify and Manage; Messaging; Capture.)

  • 7. Cisco Cyber Solutions
    - Trust: Identity and Access; Secure Mobility; Wireless Integrity; Configuration Assurance; Physical Security; Audit and Compliance
    - Visibility: Continuous Monitoring; Data Exfiltration; Boundary Defense; Malware and APT Defense; Situational Awareness
    - Resilience: COOP; Incident Handling; Availability; Service Level Assurance

  • 8. Strategy / Solution Architectures / Solutions (table; solution architectures: Borderless Networks, Data Center/Virtualization, Collaboration)
    - TRUST. Strategy (NIST 800-53 control families): Access Control; Audit & Accountability; Configuration Management; Identification & Authentication; Maintenance; System & Communication Protection; Physical Security; Critical Control Family. Solutions: Identity and Access; Secure Mobility; Wireless Integrity; Audit and Compliance; Configuration Assurance; Physical Security. Cisco products: Cisco Works LMS 4.0; Cisco Configuration Engine; Cisco TrustSec (Identity); Cisco AnyConnect Client; Cisco VPN Services; Cisco Mobility Engine & Wireless Solution; Cisco Unified Border Element; ASA Firewall; IOS Firewall.
    - VISIBILITY. Strategy (NIST 800-53 control families): Security Assessment & Authorization; System & Communication Protection; System & Information Integrity; Incident Monitoring; Critical Control Family. Solutions: Continuous Monitoring; Security Intelligence; Data Exfiltration; Operations; Boundary Defense; Malware Defense; Situational Awareness; Incident Monitoring. Cisco products: IPS 4200 Series; Clean Air Technology; NBAR; IOS Intrusion Prevention; IOS NetFlow; Service Control Engine; ASA BotNet Filter.
    - RESILIENCE. Strategy (NIST 800-53 control families): Contingency Planning; System & Communication Protection; Incident Monitoring; Physical & Environmental; Critical Control Family. Solutions: COOP; Incident Handling; Availability; Service Level Assurance. Cisco products: Performance Routing; NSF/SSO; EnergyWise; Policy Based Routing.

  • 9. Cybersecurity Partner Ecosystem: Building solutions with best-of-breed ISVs & Technology Partners
    - Systems Integrators: IRAD projects to address customer requirements; integrate component parts in proof-of-concept environments to foster learning and innovation
    - SIEM Partners: Ecosystem partners to meet diverse customer security incident and event management requirements
    - Implementation Partners: Cisco validated design and deployment methodologies; cybersecurity focus partners to ensure consistent delivery of Cisco and partner systems; agile custom solution development
    - Technology Partners: Complementary technology partners to complete Cybersecurity solution offerings; best-of-breed, market-proven technologies

  • 10. The Cybersecurity Journey
    - Investment
    - Education
    - Manufacturing Integrity
    - Thought leadership
    - Regulatory Alignment
    - Private/Public Partnerships
    - Cybersecurity Innovation

  • 11. (No text on slide.)

  • 12. Managing Risk Through Trust, Visibility, and Resilience. DGI Government Solutions Forum, March 1, 2011. Dr. Ron Ross, Computer Security Division, Information Technology Laboratory.

  • 13. The Stuxnet Worm
    - Targeting critical infrastructure companies.
    - Infected industrial control systems around the world.
    - Uploads payload to Programmable Logic Controllers.
    - Gives attacker control of the physical system.
    - Provides back door to steal data and remotely and secretly control critical plant operations.
    - Found in Siemens Simatic WinCC software used to control industrial manufacturing and utilities.

  • 14. The Flash Drive Incident
    - Targeting U.S. Department of Defense.
    - Malware on flash drive infected military laptop computer at base in Middle East.
    - Foreign intelligence agency was source of malware.
    - Malware uploaded itself to Central Command network.
    - Code spread undetected to classified and unclassified systems, establishing digital beachhead.
    - Rogue program poised to silently steal military secrets.

  • 15. The Stolen Laptop Incident
    - U.S. Department of Veterans Affairs.
    - VA employee took laptop home with over 26 million veterans' records containing personal information.
    - Laptop was stolen from residence and information was not protected.
    - Law enforcement agency recovered laptop; forensic analysis indicated no compromise of information.
    - Incident prompted significant new security measures and lessons learned.

  • 16. Red Zone Information Security

  • 17. The New SP 800-39: Multi-tiered Risk Management Approach
    - Tier 1: Organization (Governance). Strategic risk focus.
    - Tier 2: Mission / Business Process (Information and Information Flows).
    - Tier 3: Information System (Environment of Operation). Tactical risk focus.
    - Implemented by the Risk Executive Function; Enterprise Architecture and SDLC focus; flexible and agile implementation.

  • 18. Tier 1: Organization
    - Governance
    - Risk management strategy
    - Investment strategy
    - Risk tolerance
    - Trust
    - Transparency
    - Culture

  • 19. Tier 2: Mission/Business Process
    - Influenced by risk management decisions at Tier 1.
    - Identification of missions/business processes.
    - Determination of information types and flows.
    - Identification of information security requirements.
    - Development of enterprise architecture with embedded information security architecture.

  • 20. Tier 3: Information System
    - Influenced by risk management decisions at Tiers 1 & 2.
    - Allocation of necessary and sufficient security controls to information systems and environments of operation.
    - Uses Risk Management Framework to guide process.
    - Information security managed as part of the SDLC.
    - Feedback to Tiers 1 & 2 for continuous improvement.

  • 21. Risk Management Framework (Security Life Cycle; starting point is CATEGORIZE)
    - CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
    - SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
    - IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
    - ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
    - AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
    - MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

  • 22. Risk Management Process: Risk Framing (center), with Assess, Respond, and Monitor around it.

  • 23. Unified Information Security Framework: The Generalized Model
    - Unique Information Security Requirements ("The Delta"): Intelligence Community; Department of Defense; Federal Civil Agencies; Private Sector; State/Local Govt.
    - Common Information Security Requirements: Foundational Set of Information Security Standards and Guidance
    - Risk management (organization, mission, information system)
    - Security categorization (information criticality/sensitivity)
    - Security controls (safeguards and countermeasures)
    - Security assessment procedures
    - Security authorization process
    - National security and non-national security information systems

  • 24. Joint Task Force Transformation Initiative: Core Risk Management Publications
    - NIST Special Publication 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations. Completed.
    - NIST Special Publication 800-37, Revision 1: Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach. Completed.
    - NIST Special Publication 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. Completed.

  • 25. Joint Task Force Transformation Initiative: Core Risk Management Publications
    - NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View. Completed.
    - NIST Special Publication 800-30, Revision 1: Guide for Conducting Risk Assessments. Projected April 2011 (Public Draft).

  • 26. Defense-in-Depth. Links in the Security Chain: Management, Operational, and Technical Controls
    - Management and operational: Risk assessment; Security planning, policies, procedures; Configuration management and control; Contingency planning; Incident response planning; Security awareness and training; Security in acquisitions; Physical security; Personnel security; Security assessments and authorization; Continuous monitoring
    - Technical: Access control mechanisms; Identification & authentication mechanisms (biometrics, tokens, passwords); Audit mechanisms; Encryption mechanisms; Boundary and network protection devices (firewalls, guards, routers, gateways); Intrusion protection/detection systems; Security configuration settings; Anti-viral, anti-spyware, anti-spam software; Smart cards
    - Adversaries attack the weakest link. Where is yours?

  • 27. Focus Areas 2011 and Beyond
    - Complete Joint Task Force Publications and Unified Information Security Framework
    - Continuous Monitoring Guideline
    - Systems and Security Engineering Guideline
    - Update to NIST Special Publication 800-53, Revision 4: Insider Threats; Advanced Persistent Threats; Industrial Control Systems; Mobile Devices, Cloud Computing; Privacy Controls

  • 28. Contact Information. 100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
    - Project Leader: Dr. Ron Ross, (301) 975-5390
    - Administrative Support: Peggy Himes
    - Information Security Researchers and Technical Support: Marianne Swanson, (301) 975-3293; Kelley Dempsey; Pat Toth, (301) 975-5140; Arnold Johnson
    - Web: csrc.nist.gov