Keynote Session : NIST - Cyber Security Framework Measuring Security
Transcript of Keynote Session : NIST - Cyber Security Framework Measuring Security
Page 1
Critical Security Framework: MEASURING Security
Dick Bussiere | Technical Director | Asia Pacific
Page 2
Turbo Agenda
• What is the NIST Cybersecurity Framework?
• Why should YOU care?
• How would I apply it?
• How would I measure my effectiveness?
Page 3
Things to Ponder
• 205 days until a breach is detected (APAC average)?
• Can you say with certainty that you are 100% secure?
• Do you know with certainty that you have NOT been breached?
Page 4
Heard on the street…
• 88% of organizations believe security should be a top or high priority of the business
• 68% of CEOs view security as a top or high priority to the business
• 16% of organizations completely agree that the business has the ability to defend itself from security attacks
Page 5
IF YOU CAN’T MEASURE IT, YOU CAN’T CONTROL IT
Page 6
IF YOU CAN’T MEASURE IT, YOU CAN’T IMPROVE IT
Page 7
Communication Gap?
Executive:
• Brand & Reputation of Business
• Ongoing Business Operations
• Risk to Customers
IT Team:
• Is risk at an acceptable level?
• What level of risk are we exposed to?
• Are we compliant with all the regulations that apply to us?
• Is the cybersecurity platform operating as well as it should be?
• Where should we spend additional money?
Page 8
The Survey Says…
Security frameworks guide the way
• 84% leverage a security framework
• Broad range of company sizes
Wide range of frameworks utilized
• 44% used more than one framework
• EOY 2016: CSF (43%), CIS (44%), ISO (44%)
Best practice and requirements drive CSF adoption
• 70% adopted CSF because they consider it best practice
• 29% adopted CSF because a partner required it
Security framework adoption is a journey
• Only 1 in 5 rank their organization as very mature
• More than half of CSF adopters require significant investment to fully conform
Survey conducted by Dimensional Research, March 2016; 316 IT and security professionals interviewed in the US
Page 9
Why Cyber Security Framework?
• Asks the question “what are you doing to improve” rather than “did you implement control XYZ”
• Results in a shift from compliance to action and specific outcomes
• Business oriented
• Has a built-in maturity model and gap analysis: no need to overlay another maturity model on top of CSF
• Measures where you are and where you need to go
• Can be implemented “piecemeal” as required, making it more appealing to business
Page 10
Why Cyber Security Framework?
• Repeatable
• Flexible
• Technology Neutral
• Cost Effective
• Measurable!
• Common Language
Page 11
Objectives of CSF in a nutshell
• Describe Current Security Posture
• Describe Target Security Posture
• Assess Progress towards Target Posture
• Communicate Risk
• Continuous Improvement
Page 12
A Framework of Frameworks: 5 in 1!
The NIST Cybersecurity Framework maps to:
• ISO/IEC 27001
• CCS CSC
• ISA 62443
• NIST SP 800-53
• COBIT 5
Page 13
The Cyber Security Framework at 40,000 feet…
Framework Profile (where you are and where you want to go)
• Defines (measures) current state
• Defines (measures) desired state
Framework Implementation Tiers (how you view cybersecurity)
• Tiers (4) that show how cybersecurity risks and processes are viewed within an organization
• Required Tier based on perceived risk/benefit analysis
CSF Core (what it does)
• Identify • Protect • Detect • Restore • Recover
Page 14
CSF Component 1 – Framework Core
• Identify
• Protect
• Detect
• Respond
• Recover
Page 15
Structure
Page 16
Risk Profile, Requirements & Resources
Existing frameworks:
• ISO/IEC 27001
• CIS Critical Security Controls
• ISA 62443
NIST Cybersecurity Framework as the “Normalization Layer”: use CSF to “normalize” to a common language
Page 17
CSF Component 2 – Framework Implementation Tiers
How cybersecurity risks and processes are viewed within the organization (in order of increasing sophistication):
• Partial
• Risk Informed
• Repeatable
• Adaptable
Page 18
CSF Component 3 – Framework Profile
• Presents an overview of present and future cybersecurity posture
• Driven by business requirements, risk tolerance and resources
• Used to define current state and desired state
• Can help measure progress...
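The profile/tier mechanics above (current state, desired state, gap analysis, measuring progress) as a small worked example. This is added code, not from the deck or from NIST; scoring each Core Function on the four Tiers and the percentage arithmetic for progress are simplifications assumed here for illustration.

```python
"""CSF Current/Target Profile gap analysis (added example, assumptions noted).

Assumption: each Core Function is scored on the Implementation Tiers 1..4
shown in the deck; NIST applies Tiers to the organization as a whole, so
this per-Function scoring is a simplification for the demonstration.
"""

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


def validate(profile):
    """Reject profiles that miss a Function or use an unknown Tier."""
    missing = [f for f in FUNCTIONS if f not in profile]
    bad = [f for f, t in profile.items() if t not in TIERS]
    if missing or bad:
        raise ValueError(f"missing={missing} invalid_tier={bad}")


def gaps(current, target):
    """Return {Function: (current_tier, target_tier, gap)} where current < target."""
    validate(current)
    validate(target)
    return {f: (current[f], target[f], target[f] - current[f])
            for f in FUNCTIONS if target[f] > current[f]}


def prioritize(current, target):
    """Largest gap first; ties keep the deck's Function order."""
    g = gaps(current, target)
    return sorted(g, key=lambda f: (-g[f][2], FUNCTIONS.index(f)))


def progress(baseline, current, target):
    """Fraction (0..1) of the baseline-to-target distance closed so far."""
    total = sum(max(target[f] - baseline[f], 0) for f in FUNCTIONS)
    if total == 0:
        return 1.0
    closed = sum(min(max(current[f] - baseline[f], 0), max(target[f] - baseline[f], 0))
                 for f in FUNCTIONS)
    return closed / total


def report(current, target):
    """One line per Function: current Tier -> target Tier, with gap size."""
    lines = []
    for f in FUNCTIONS:
        c, t = current[f], target[f]
        marker = "OK" if c >= t else f"GAP {t - c}"
        lines.append(f"{f:<9} {TIERS[c]:<14} -> {TIERS[t]:<14} {marker}")
    return "\n".join(lines)


# Constructed sample profiles (not real assessment data).
BASELINE = {"Identify": 1, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 1}
CURRENT = {"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 2, "Recover": 1}
TARGET = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 2}

if __name__ == "__main__":
    print(report(CURRENT, TARGET))
    print("priority:", prioritize(CURRENT, TARGET))
    print(f"progress: {progress(BASELINE, CURRENT, TARGET):.0%}")
```

Re-running `progress()` after each assessment cycle with the same baseline gives the trend line the deck asks for, and `prioritize()` points the next investment at the widest gap.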
Page 19
How is CSF Different?
• Expresses cybersecurity activities in a common language
• Leverages existing standards and does not reinvent the wheel: existing processes and guidelines can be mapped into CSF
• Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives
• Provides a vehicle to effectively measure cybersecurity effectiveness independent of the existing framework
Page 20
Ingredients to Measuring Compliance
• Endpoint Assessment
• Network Monitoring
• Analytics
• Event Monitoring
Page 21
Thank You
Dick Bussiere | Technical Director | Asia Pacific