NIST CyberSecurity Framework+ - Government Forums

NIST CyberSecurity Framework+
Brian Ventura
SANS Community Instructor
ISSA Portland, Director of Education
Information Security Architect, City of [email protected]
@brianwifaneye

Who am I?
Brian Ventura
Information Security Architect, SANS Instructor
20+ years in Information Technology, ranging from systems administration to
project management and information security. Currently an Information Security
Architect for the City of Portland, volunteer as the Director of Education for the
Portland ISSA Chapter, and SANS Instructor. Brian holds his CISSP, GSEC, GCFA, and
GCCC, as well as other industry certifications.
As the ISSA Director of Education, Brian coordinates relevant local and online
training opportunities.
Timbers Army, Thorns Riveter, bike commuter, Land Cruiser enthusiast
https://www.sans.org/instructors/brian-ventura
SEC440: Critical Security Controls: Planning, Implementing and Auditing
SEC566: Implementing and Auditing the Critical Security Controls - In-Depth
MGT414: SANS Training Program for CISSP® Certification
SEC401: Security Essentials Bootcamp Style

Goals
Introduction to SANS, MS-ISAC and CIS
NIST CyberSecurity Framework basics
City of Portland use case, NIST CSF+

What is SANS
SEC 401: Security Essentials Bootcamp Style
SEC 504: Hacker Tools, Techniques, Exploits, and Incident Handling
…to…
SEC 562: CyberCity Hands-on Kinetic Cyber Range Exercise
SEC 760: Advanced Exploit Development for Penetration Testers



The MS-ISAC is the focal point for cyber threat prevention, protection, response and recovery for the nation's state, local, tribal and territorial (SLTT) governments. The MS-ISAC 24x7 cybersecurity operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response.
Included in Membership
- INCIDENT RESPONSE SERVICES
- ADVISORY SERVICES
- THREAT NOTIFICATION
- VULNERABILITY ASSESSMENT
- INFORMATION SHARING AND COMMUNICATIONS
- EDUCATION AND AWARENESS
- DHS INITIATIVES COORDINATION
Fee Based
- SECURITY DEVICE MONITORING: NETWORK MONITORING & ANALYSIS (ALBERT)
- SECURITY DEVICE MONITORING: MANAGED SECURITY SERVICES (MSS)
- VULNERABILITY ASSESSMENT SERVICES
- CONSULTING SERVICES


City of Portland
Delivery of services and value to Bureaus
Align security strategy with business risk

NIST Framework









NIST Framework+
City of Portland’s Adoption of CSF
• Risk & remediation prioritization
• Maturity gaps and selective metrics
• Alignment of business risk to CSC
• Budget & resource prioritization

NIST Framework+

NIST Framework+
InfoSec Service Catalog
Risk Management
CSC Top Twenty
Budget:
- Actual
- Unfunded
- Projections 3 year plan
Maturity Matrix
- Current State
- Challenges
- Progress - Investment
- Future State
KPI – Metrics
3-year Quarter by Quarter
Project Roadmap

NIST Framework+

NIST Framework+ Service Catalog

NIST+ Risk and Critical Security Controls

NIST+ Budget

NIST+ Maturity

NIST Roadmap


Governance

Operations



Information Security Risk-Aligned Framework Maturity Model: Action Plan FY2016 / FY2017 / FY2018
(Table reconstructed from the slide. Dollar figures are redacted as $xxx on the slide; the quarter each roadmap item falls in (FY16-Q1 through FY18-Q4) and the values in the columns headed 0 through 6 beside "NIST Pol." are not recoverable, so roadmap items are listed in slide order and a few cells are cut off as on the slide. The NIST Pol. codes are NIST SP 800-53 control family identifiers.)

| Function | Category | InfoSec Service Catalog | Risk | CSC Top 20 | Budget FY-15 to FY-17 | NIST Pol. | Roadmap FY16 to FY18 (slide order) |
|---|---|---|---|---|---|---|---|
| Identify | Asset Management | Ops. Sec. - Asset Management; Physical and Environmental | 4, 7 | 1, 2 | $xxx, $xxx | DI, DM | Asset Strategy Review; Project 7A |
| Identify | Business Environment | Governance - Regulatory, Legal, Compliance | All | - | $xxx | AP | Metrics; Risk Program |
| Identify | Governance | Governance - Security Information | 5 | - | $xxx | AU, PL | Policy Dev.; Policy Review |
| Identify | Risk Assessment | Security and Risk Assessments | 5a | 4 | $xxx, $xxx | AR | Automate; Dashboard |
| Identify | Risk Management | Governance - Risk Management | 5b | - | | AR | Integration 1; Integration 2; Integration 3; Review |
| Protect | Access Control | Identity and Access Management (IAM): IAM, SSO, NAC, RBAC | 2, 3, 6, 9 | 5, 9, 11, 12, 13, 14, 15, 16 | $xxx (6 entries) | AC, IA | NAC; SSO - Phase 0; IAM; SSO - Phase 3 |
| Protect | Awareness and Training | Awareness and Training | 10 | 5, 17 | $xxx | AT | Metrics; Alignment Review; Review |
| Protect | Data Security | Security Architecture and Design (Life | 13 | 1, 2 | $xxx | CA | Report; Report; Report |
| Protect | Information Protection Processes and Procedures | Governance - Proactive Protection: Policies, Standards, Guidelines; ITSM Process governance and maturity | 11 | 3, 4, 7, 9, 10, 11, 18, 19 | | MP, PE, SA, SC | Metrics (e-discovery); MDM; IT Service Man Review |
| Protect | Maintenance | Operations Security - Asset Maintenance | 14 | 3, 4, 5, 11, 12 | $xxx | MA | Asset Man; Full Asset |
| Protect | Protective Technology | Operations Security - Change Management | 15 | 5, 6, 7, 8 | $xxx, $xxx, $xxx | CM | ITSM Change Review |
| Detect | Anomalies and Events | Monitor, Alerts and Reports - SIEM-Vuln | 1b | 6, 9, 12, 19 | $xxx, $xxx, $xxx | SI | Metrics; Pen-Test; Pen-Test; External Pen-Test; External Pen-Test |
| Detect | Security Continuous Monitoring | Monitor, Alerts and Reports | 1a | 4, 8, 16, 19 | $xxx, $xxx | | Expand 3; Expand 4; Expand 5 |
| Detect | Detection Processes | Monitor, Alerts and Reports - DLP | 1 | 19 | $xxx (4 entries) | | DLP Phase 2; DLP Phase 3 |
| Respond | Response Planning | Gov. - Bus. Impact Analysis | 5c | 19 | | | BIA - Phase 1; BIA - Phase 3 |
| Respond | Communications | Incident Response - Alignment | 8d | 19 | | | Architecture; Process Mapping |
| Respond | Analysis | Incident Response - Risk | 8a | 6, 19 | $xxx | | Risk Mapping; Formal Review; Formal Review |
| Respond | Mitigation | Incident Response | 8c | 4, 19 | | IR | CIRT Test 1; CIRT Full Test; CIRT Test 3 |
| Respond | Improvements | Incident Response - Maturity | 8e | 19, 20 | $xxx | | External Risk Assessment; Remediate; External Risk Assessment; Remediate |
| Recover | Recovery Planning | Ops. Security - Bus. Continuity | 8 | 10 | $xxx, $xxx | CP | DR Plan Test; BC Plan Test; BC Plan |
| Recover | Improvements | Ops. Security - Downtime Mgmt. | 8b | 20 | | | Document Standard; Test Dow; Test Dow |
| Recover | Communications | Ops. Security - Svc. Alignment | 12 | - | $xxx | | LMS Review; Mid-year; LMS Review; Mid-year; LMS Review; Mid-year |
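As an added example (not code from the presentation), the matrix above can be held as data and checked for the gaps the Budget and Maturity slides call out: CSC controls with no owning category, controls carried by a single category, categories with no NIST control family, and categories with no budget line. Rows are transcribed from the slide; the dollar figures are redacted there, so only the count of "$xxx" entries is used, and the risk IDs and roadmap items are left out.

```python
# Added example (not from the slides): gap checks over a NIST CSF+ matrix.
# Rows transcribed from the City of Portland matrix above, as
# (function, category, CSC Top 20 controls, NIST control families, "$xxx" entries FY-15..FY-17).
from collections import Counter

MATRIX = [
    ("Identify", "Asset Management", {1, 2}, {"DI", "DM"}, 2),
    ("Identify", "Business Environment", set(), {"AP"}, 1),
    ("Identify", "Governance", set(), {"AU", "PL"}, 1),
    ("Identify", "Risk Assessment", {4}, {"AR"}, 2),
    ("Identify", "Risk Management", set(), {"AR"}, 0),
    ("Protect", "Access Control", {5, 9, 11, 12, 13, 14, 15, 16}, {"AC", "IA"}, 6),
    ("Protect", "Awareness and Training", {5, 17}, {"AT"}, 1),
    ("Protect", "Data Security", {1, 2}, {"CA"}, 1),
    ("Protect", "Information Protection Processes and Procedures", {3, 4, 7, 9, 10, 11, 18, 19}, {"MP", "PE", "SA", "SC"}, 0),
    ("Protect", "Maintenance", {3, 4, 5, 11, 12}, {"MA"}, 1),
    ("Protect", "Protective Technology", {5, 6, 7, 8}, {"CM"}, 3),
    ("Detect", "Anomalies and Events", {6, 9, 12, 19}, {"SI"}, 3),
    ("Detect", "Security Continuous Monitoring", {4, 8, 16, 19}, set(), 2),
    ("Detect", "Detection Processes", {19}, set(), 4),
    ("Respond", "Response Planning", {19}, set(), 0),
    ("Respond", "Communications", {19}, set(), 0),
    ("Respond", "Analysis", {6, 19}, set(), 1),
    ("Respond", "Mitigation", {4, 19}, {"IR"}, 0),
    ("Respond", "Improvements", {19, 20}, set(), 1),
    ("Recover", "Recovery Planning", {10}, {"CP"}, 2),
    ("Recover", "Improvements", {20}, set(), 0),
    ("Recover", "Communications", set(), set(), 1),
]
CSC_TOP_20 = set(range(1, 21))

def uncovered_csc():
    """CSC controls that no CSF category maps to (every control should have an owner)."""
    return CSC_TOP_20 - set().union(*(row[2] for row in MATRIX))

def thinly_covered_csc(max_categories=1):
    """Controls carried by at most max_categories categories: single points of coverage."""
    hits = Counter(c for row in MATRIX for c in row[2])
    return {c for c in CSC_TOP_20 if 0 < hits[c] <= max_categories}

def categories_without_policy():
    """Categories with no NIST control family behind them: a service with no policy anchor."""
    return [(f, cat) for f, cat, _, fam, _ in MATRIX if not fam]

def unfunded_categories():
    """Categories with no budget line in any fiscal year (the 'Unfunded' view on the Budget slide)."""
    return [(f, cat) for f, cat, _, _, lines in MATRIX if lines == 0]

if __name__ == "__main__":
    print(sorted(thinly_covered_csc()), categories_without_policy(), unfunded_categories())
```

On this matrix every CSC control has at least one owner, but controls 13, 14, 15, 17 and 18 each rest on a single category, and eight categories (most of Respond and Recover) have no control family mapped.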
Framework diagram (NIST Cybersecurity Framework, adapted by Christopher Paidhrin, CISSP, CRISC, https://www.linkedin.com/in/chris): Business View / Priorities / Risk-Alignment, from Current State to Future State, through:
- NIST Functions
- Risk Priorities & Appetite - Internal/External
- Service Catalog
- Budgets: Funded - Unfunded
- Policy Alignment; "Tiers" - Maturity Map
- Three Year Action Plan - NIST "Profiles" by Quarter
- Sample Projects; CMM - metrics; Challenges identified; Maturity - progress; Key initiatives nested and
NIST Cybersecurity Enterprise-Aligned Framework: Risks, Service Catalog, Priorities, Maturity, Metrics, 3-Year Project, Program & Initiative Roadmap
IT Service Aligned Standards; Continuous Process and Service Improvement

Questions?

SANS Security Awareness Training
• Recognition: Employees are a vulnerable access point
• Short pulse, video training is mapped to the Critical Security Controls audit framework
• Available 24/7
• Test question after each video
• Updated annually
• Supporting 25+ languages
• Phishing service
• 6.5 million end users from 1,500+ organizations
• Gartner Magic Quadrant – Highest ‘Ability to Execute’
• “SANS STH has been a blessing. We really are very thankful for the ease of use and access to the system. Having the ability to track all employees on our program and who has started or completed the training has helped in many ways.”
• Nic Lee, Northrop Grumman IS35

Links and Resources
MS-ISAC: https://msisac.cisecurity.org
Center for Internet Security (CIS):
https://www.cisecurity.org/
NIST Cyber Security Framework (CSF):
http://www.nist.gov/cyberframework/
CSF planning spreadsheet:
http://www.tenable.com/whitepapers/nist-csf-implementation-planning-tool
CIS Critical Security Controls (CSC):
https://www.cisecurity.org/critical-controls.cfm
SANS: https://www.sans.org
https://www.sans.org/instructors/brian-ventura