GSF11 Session 2-1 - Cisco… · Security in acquisitions, Physical security, Personnel security...
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Cybersecurity: Trust, Visibility, Resilience
Tom Albert
Senior Advisor, Cybersecurity
“No single company can solve the complex challenge presented by the Internet, but the inherent role of the network positions Cisco as the natural partner in developing and executing a successful cyber security strategy”
Cybersecurity Challenges
• Operational Management
• Data Capacity
• Supply Chain
• Business Resiliency
• Data Loss
Federal Cybersecurity Priorities
• Situational Awareness
• Real-time Identity Mgmt.
• Secure Supply Chain
• Real-time Continuous Monitoring
• Vulnerability Analysis/IDS
• Application Security
• Education and Training
• Limited Access Points
• Security Products Visibility
Why Cisco?
Cisco’s Pervasive Footprint
The Network is the Sensor
Public/Private Partnerships
Mission: Cybersecurity. Cisco IS the Cyber secure Platform (diagram)
Diagram elements: Embedded Security Capabilities Cross Architecture; Visibility Tools; Services; Trusted HW/SW; Public/Private Partnerships; Education; Certifications; Incident Response; Supply Chain Management; Inside Threat; Data Capacity; Access; Visibility; Trust; Customer Requirements; Data Loss; Trustworthiness; Resilience; Trust: Identify and Manage; Challenges / Solution Framework / Solutions; Supply Chain; Public Policy; Messaging; Capture; Identity and Access; Continuous Monitoring; Trust, Visibility, Resilience.
Cisco Cyber Solutions
Columns: Strategy (Borderless Networks), Architectures, Solutions, NIST 800-53 Critical Control Family.

TRUST
Solutions: Identity and Access; Secure Mobility; Wireless Integrity; Configuration Assurance; Physical Security; Audit and Compliance
Products:
• Cisco Works LMS 4.0
• Cisco Configuration Engine
• Cisco TrustSec (Identity)
• Cisco AnyConnect Client
• Cisco VPN Services
• Cisco Mobility Engine & Wireless Solution
• Cisco Unified Border Element
• ASA Firewall
• IOS Firewall
NIST 800-53 Critical Control Families: Access Control; Audit & Accountability; Configuration Management; Identification & Authentication; Maintenance; System & Communication Protection

VISIBILITY
Solutions: Continuous Monitoring; Data Exfiltration; Boundary Defense; Malware and APT Defense; Situational Awareness
Products:
• Security Intelligence Operations
• IPS 4200 Series
• Clean Air Technology
• NBAR
• IOS Intrusion Prevention
• IOS NetFlow
• Service Control Engine
• ASA BotNet Filter
NIST 800-53 Critical Control Families: Security Assessment & Authorization; System & Communication Protection; System & Information Integrity; Incident Monitoring

RESILIENCE
Solutions: COOP; Incident Handling; Availability; Service Level Assurance; Data Center/Virtualization; Collaboration
Products:
• Performance Routing
• NSF/SSO
• EnergyWise
• Policy Based Routing
NIST 800-53 Critical Control Families: Contingency Planning; System & Communication Protection; Incident Monitoring; Physical & Environmental
Cybersecurity Partner Ecosystem: Building solutions with best of breed ISVs & Technology Partners
Partner types: Systems Integrators; SIEM Partners; Implementation Partners; Technology Partners
• IRAD projects to address customer requirements
• Integrate component parts in proof-of-concept environments to foster learning and innovation
• Ecosystem partners to meet diverse customer security incident and event management requirements
• Cisco validated design and deployment methodologies
• Cybersecurity focus partners to ensure consistent delivery of Cisco and partner systems
• Agile custom solution development
• Complementary technology partners to complete Cybersecurity solution offerings
• Best of breed market proven technologies
The Cybersecurity Journey
• Regulatory Alignment
• Private/Public Partnerships
• Cybersecurity Innovation
• Thought leadership
• Manufacturing Integrity
• Education
• Investment
Managing Risk Through Trust, Visibility, and Resilience
DGI Government Solutions Forum
Dr. Ron Ross
Computer Security Division
Information Technology Laboratory
March 1, 2011
The Stuxnet Worm
Targeting critical infrastructure companies—
• Infected industrial control systems around the world.
• Uploads payload to Programmable Logic Controllers.
• Gives attacker control of the physical system.
• Provides back door to steal data and remotely and secretly control critical plant operations.
• Found in Siemens Simatic Win CC software used to control industrial manufacturing and utilities.
The Flash Drive Incident
Targeting U.S. Department of Defense—
• Malware on flash drive infected military laptop computer at base in Middle East.
• Foreign intelligence agency was source of malware.
• Malware uploaded itself to Central Command network.
• Code spread undetected to classified and unclassified systems establishing digital beachhead.
• Rogue program poised to silently steal military secrets.
The Stolen Laptop Incident
U.S. Department of Veterans Affairs—
• VA employee took laptop home with over 26 million veterans records containing personal information.
• Laptop was stolen from residence and information was not protected.
• Law enforcement agency recovered laptop; forensic analysis indicated no compromise of information.
• Incident prompted significant new security measures and lessons learned.
“Red Zone” Information Security
The New SP 800-39
• Multi-tiered Risk Management Approach
• Implemented by the Risk Executive Function
• Enterprise Architecture and SDLC Focus
• Flexible and Agile Implementation
Tiers (strategic risk focus at Tier 1, tactical risk focus at Tier 3):
TIER 1: Organization (Governance)
TIER 2: Mission / Business Process (Information and Information Flows)
TIER 3: Information System (Environment of Operation)
Tier 1 – Organization
• Governance
• Risk management strategy
• Investment strategy
• Risk tolerance
• Trust
• Transparency
• Culture
Tier 2 – Mission/Business Process
• Influenced by risk management decisions at Tier 1.
• Identification of missions/business processes.
• Determination of information types and flows.
• Identification of information security requirements.
• Development of enterprise architecture with embedded information security architecture.
Tier 3 – Information System
• Influenced by risk management decisions at Tiers 1 & 2.
• Allocation of necessary and sufficient security controls to information systems and environments of operation.
• Uses Risk Management Framework to guide process.
• Information security managed as part of the SDLC.
• Feedback to Tiers 1 & 2 for continuous improvement.
Risk Management Framework: Security Life Cycle
• Starting Point: CATEGORIZE Information System. Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls. Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls. Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
• AUTHORIZE Information System. Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security Controls. Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
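The CATEGORIZE, SELECT and MONITOR steps of the life cycle, as an added example that is not part of the original slides and is not NIST's code: a toy Python model in which the system categorization is the worst-case (high-water mark) impact across its information types, a constructed baseline table stands in for the SP 800-53 baselines, tailoring scopes out controls the environment does not need and supplements others from the risk assessment, and a later change to the system re-runs categorization and reports which controls must be added. Control identifiers such as AC-2, PE-3 and SC-28 are real SP 800-53 controls, but their baseline membership and the scoping rules in this block are assumptions made for illustration, not the published baselines.

```python
"""Added example (not NIST's or Cisco's code): a toy model of the RMF
CATEGORIZE, SELECT and MONITOR steps. Control IDs are real SP 800-53
identifiers, but the baseline membership in BASELINES and the scoping
rules in SCOPING are CONSTRUCTED for illustration only; the published
baselines live in SP 800-53 Appendix D."""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")          # FIPS 199 impact levels


@dataclass(frozen=True)
class InfoType:
    """One information type with its impact level per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize(info_types):
    """CATEGORIZE: high-water mark. The worst-case impact across every
    information type and every objective becomes the system impact level."""
    worst = 0
    for t in info_types:
        for lvl in (t.confidentiality, t.integrity, t.availability):
            worst = max(worst, LEVELS.index(lvl))
    return LEVELS[worst]


# Constructed toy baselines, NOT the published SP 800-53 baselines.
BASELINES = {
    "LOW": {"AC-2", "AU-2", "CM-2", "IA-2", "SC-7", "SI-3"},
    "MODERATE": {"AC-2", "AU-2", "CM-2", "IA-2", "SC-7", "SI-3",
                 "CP-9", "IR-4", "PE-3"},
    "HIGH": {"AC-2", "AU-2", "CM-2", "IA-2", "SC-7", "SI-3",
             "CP-9", "IR-4", "PE-3", "SC-28", "AU-9"},
}

# Constructed scoping rules: a control applies only when the named
# environment characteristic is present (tailoring guidance).
SCOPING = {"PE-3": "operates_own_facility", "SC-7": "network_connected"}


def select_controls(level, environment, supplements=frozenset()):
    """SELECT: start from the baseline for the impact level, scope out
    controls the environment makes inapplicable, then add supplemental
    controls justified by the risk assessment."""
    baseline = set(BASELINES[level])
    scoped_out = {c for c, need in SCOPING.items()
                  if c in baseline and not environment.get(need, True)}
    return (baseline - scoped_out) | set(supplements), scoped_out


def reassess_after_change(selected, info_types, environment,
                          supplements=frozenset()):
    """MONITOR: a change to the system (here, a new information type) may
    raise the categorization; return the new level and the controls that
    must now be added to the current selection."""
    new_level = categorize(info_types)
    required, _ = select_controls(new_level, environment, supplements)
    return new_level, required - selected


def demo():
    """Constructed sample system: public content plus personal records,
    hosted in a facility the organization does not operate itself."""
    env = {"operates_own_facility": False, "network_connected": True}
    types = [InfoType("public web content", "LOW", "LOW", "LOW"),
             InfoType("personal records", "MODERATE", "MODERATE", "LOW")]
    level = categorize(types)
    # Risk assessment adds protection of information at rest (SC-28).
    selected, scoped_out = select_controls(level, env, {"SC-28"})
    # Change: the system starts issuing plant control commands.
    types.append(InfoType("plant control commands", "LOW", "HIGH", "HIGH"))
    new_level, delta = reassess_after_change(selected, types, env, {"SC-28"})
    return level, sorted(selected), sorted(scoped_out), new_level, sorted(delta)


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that categorization is never final: the MONITOR step feeds the same categorize-and-select logic, so a change in what the system processes can raise its impact level and widen the control set without anyone editing the baseline by hand.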
Risk Management Process (diagram): Risk Framing at the center, surrounded by Assess, Respond, and Monitor.
Unified Information Security Framework
The Generalized Model
Unique Information Security Requirements (The “Delta”): Intelligence Community; Department of Defense; Federal Civil Agencies; Private Sector; State/Local Govt; CNSS
Common Information Security Requirements: National security and non national security information systems
Foundational Set of Information Security Standards and Guidance
• Risk management (organization, mission, information system)
• Security categorization (information criticality/sensitivity)
• Security controls (safeguards and countermeasures)
• Security assessment procedures
• Security authorization process
Joint Task Force Transformation Initiative: Core Risk Management Publications
• NIST Special Publication 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations (Completed)
• NIST Special Publication 800-37, Revision 1: Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach (Completed)
• NIST Special Publication 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Completed)
• NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View (Completed)
• NIST Special Publication 800-30, Revision 1: Guide for Conducting Risk Assessments (Projected April 2011, Public Draft)
Defense-in-Depth
Links in the Security Chain: Management, Operational, and Technical Controls
Adversaries attack the weakest link…where is yours?
• Risk assessment
• Security planning, policies, procedures
• Configuration management and control
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments and authorization
• Continuous monitoring
• Access control mechanisms
• Identification & authentication mechanisms (Biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (Firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards
Focus Areas — 2011 and Beyond
• Complete Joint Task Force Publications and Unified Information Security Framework
• Continuous Monitoring Guideline
• Systems and Security Engineering Guideline
• Update to NIST Special Publication 800-53, Revision 4
• Insider Threats
• Advanced Persistent Threats
• Industrial Control Systems
• Mobile Devices, Cloud Computing
• Privacy Controls
Contact Information
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
Project Leader: Dr. Ron Ross, (301) 975-5390, [email protected]
Administrative Support: Peggy Himes, (301) [email protected]
Senior Information Security Researchers and Technical Support:
• Marianne Swanson, (301) 975-3293, [email protected]
• Kelley Dempsey, (301) [email protected]
• Pat Toth, (301) 975-5140, [email protected]
• Arnold Johnson, (301) 975-3247, [email protected]
Web: csrc.nist.gov. Comments: [email protected]