Operationalizing the CIS Top 20 Critical Security Controls · 2020-05-16 · Operationalizing the...

Copyright©2016SplunkInc.

OperationalizingtheCIS“Top20”CriticalSecurityControlswithSplunkEnterprise

AnthonyPerez– SecurityArchitect,Splunk

RoadmapforToday’sSession

▸ Framingourdiscussion▸ Thelegacychallenge▸ Anapproachforoperationalization▸ Impactsonsecuritymaturity▸ LiveDemonstration

2

FramingourDiscussion

Organizationalsecurityshouldbeviewedasacontinuumversusanend-state▸ Viewingsecurityasacontinuumpositionsorganizationstofocusoncontinuousimprovement§ “Wecanalwaysimprovesomething.”

▸ Thesecuritycontinuumconceptcanalsodriveintrospectionfororganizations§ “Whatisoursecuritymaturitytoday?”

▸ Introspectiononanorganization’ssecuritymaturityoftenfeedsstrategicthinking§ “Let’smapoutstepstoraiseouroverallsecuritymaturity.”

4

Regardlessofwhereanorganizationexistsonthesecuritycontinuum,theirfoundationshouldbebuiltuponbest-practices

▸ Acceptingthatfoundationalsecurityisbuiltuponbestpractices–Westillneedtoidentifywhatbestpracticesactuallyare

▸ Organizationsalsoneedtoestablishpoliciesandproceduresaimedatkeepingtheirbest-practicesrelevantasthethreatlandscapechanges

▸ Beyondpoliciesandprocedures,organizationsneedtoestablishaplanforoperationalizationofthesebestpracticesaswell

5

Thebest-practicesselectedforthatfoundationshouldberootedinthedefenseagainstcurrent real-worldthreatactivity▸ TheoriginsoftheCIScontrolsmaptoa2008requestfromtheOfficeoftheSecretaryofDefensetotheNSAregardinghelpprioritizingthevariouscontrolsavailable§ Thisdrovean“offensemustinformdefense”approach

▸ ThisapproachpersistsintheCISCSC§ TheCISControlsaredeveloped,refined,andvalidatedbyacommunityof

leadingexpertsfromaroundtheworld

6

https://www.cisecurity.org/critical-controls.cfm

KeyInsight:“TheNationalGovernorsAssociationrecommends thatstatesturntotheCriticalSecurityControlsforabaselineofeffectivecybersecuritypractices…”

NationalGovernorsAssociationActandAdjust:ACalltoActionforGovernorsforCybersecuritySeptember2013

Thebest-practicesselectedforthatfoundationshouldberootedinthedefenseagainstcurrent real-worldthreatactivity▸ TheoriginsoftheCIScontrolsmaptoa2008requestfromtheOfficeoftheSecretaryofDefensetotheNSAregardinghelpprioritizingthevariouscontrolsavailable§ Thisdrovean“offensemustinformdefense”approach

▸ ThisapproachpersistsintheCISCSC§ TheCISControlsaredeveloped,refined,andvalidatedbyacommunityof

leadingexpertsfromaroundtheworld

7


KeyInsights:§ TheCIScontrolsareanalogoustocomponentsofmultipleUSFederalinformationsecurityframeworkssuchas

FISMA,DFARS,andRMF

§ TheControlsalsomapcloselytoAustralianSignalsDirectorate“Top4”andISO/IEC27001

TheLegacyChallenge

Bestpracticessecurityrecommendationshavebeenaroundforsometime,butoperationalizationremainsfractured▸ Googlingforideasonwheretobeginwithoperationalizationreturnsuniformlyunhelpfulresults

9

“Usethese10solutions togainvisibility” “Runthisscannerwhenyouwanttogenerateareport”

“Hireustobuild yousomethingfromscratch”

“LeverageyourlegacySIEMtogetsomeofthewaythere”

Bestpracticessecurityrecommendationshavebeenaroundforsometime,butoperationalizationremainsfractured▸ Googlingforideasonwheretobeginwithoperationalizationreturnsuniformlyunhelpfulresults

10

“Usethese10solutionstogainvisibility” “Runthisscannerwhenyouwanttogenerate areport”

“Hireustobuildyousomethingfromscratch”

“Leverage yourlegacySIEMtogetsomeofthewaythere”

▸ Commoncomments/questionsonoperationalizationinclude:§ “Thisissuchabigproject,IhavenoideawhereIshouldevenstart…”§ “Whycan’t IusemylegacySIEM?”

- Rigid(datasource-specific)andconventionalsecuritydataonly§ “WhataboutES?”

- Flexible,capable,butsomeorganizationsaren’tsizedorstructuredtoneed ESforoperations

AnApproachforOperationalization

ThreekeyingredientsareneededtoeffectivelyoperationalizetheCIScontrolsinyourenvironment▸ Datarelevanttothecontrols

§ Deviceinventory§ Softwareinventory§ HW/SWconfigurations§ Vulnerabilityscanresults§ Administratoractivity

12

KeyInsight:CISstates:§ “OrganizationsthatapplyjustthefirstfiveCISControlscanreduce

theirriskofcyberattackbyaround85percent.”

§ “Implementingall20CISControls increasestheriskreduction toaround94percent”




▸ Domainknowledgeaboutyourorganization§ Systemowners§ Approveddevices&software

13



▸ Domainknowledgeaboutyourorganization§ Systemowners§ Approveddevices&software

▸ SplunkEnterprise

14

Combiningtheseingredientscandrive“quickwin”visibilityintosecurityposturerelevanttotheCIScontrols▸ Basicstepsforoperationalizationinclude:

1. IngestdatarelevanttothecontrolcategoriesintoSplunkEnterprise2. EnsurethatdataiscompliantwithSplunk’sCommonInformationModel(CIM)3. InstalltheCISCriticalSecurityControls appforSplunk4. Updatelookupfileswithintheappbasedondomainknowledgeaboutyour

organization

15

What’sreallymakingthispossibleonthebackend?

▸ TheSplunkCommonInformationModel(CIM)§ The“RosettaStone”thatprovidesdatanormalization

▸ CIM-compliantsearches§ Provideflexibilityandvendor/data-agnosticvisibility intotheenvironment

▸ Splunklookupfiles§ Providedataenrichment– specificallyrelevanttoyourorganization

▸ OpensourceThreat/IOClists

16

ImpactonSecurityMaturity

Whatimpactsshouldorganizationsanticipatefortheirsecuritymaturity?▸ Visibility:

§ Holisticvisibility intoyourorganization’ssecurityposturewithrespecttobestpracticesinnear-time

▸ Flexibility:§ Vendor/sourcetype-agnosticarchitecture(viaCIM)buildsinflexibilityasyour

infrastructureandorganizationchanges

▸ Efficiency:§ Increasedefficienciesfromanoperationalperspective, freeingtimeformore

value-addsecurityactivity

▸ FederalRelevance:ThecontrolsareanalogoustocomponentsofmultipleFederalsecuritymandatessuchasFISMA,DFARS,andRMF

Lowest HighestSecurity0Maturity

Traditional0SIEMsCLI0utilities0+0point0solutions0 +0scripts0for0

searching

Ostrichapproach

ManualReview Splunk>0

(+0SPLICE)Splunk> +

Enterprise0Security0app

+

WhatshouldIexpectbasedonmyorganization’scurrentsecurity-maturitylevel?▸ Organizationswillgainutilityregardlessofwheretheyexistonthesecuritymaturitycontinuum

▸ Fornascentsecurityprograms§ Quicktime-to-valueonbest-practices tiedtocurrentreal-worldthreats

▸ Formid-maturitysecurityprograms§ ^+automationthatcreatesefficienciesforsmallerteams,enablingtimefor

morevalue-addactivities suchasproactiveanalysis

▸ Forhigh-maturitysecurityprograms§ ^+consolidatedreportsandvisualizationsthatareeasily integratedintoexisting

workflows

19Lowest HighestSecurity0Maturity

Traditional0SIEMsCLI0utilities0+0point0solutions0 +0scripts0for0

searching

Ostrichapproach

ManualReview Splunk>0

(+0SPLICE)Splunk> +

Enterprise0Security0app

+

LiveDemonstration

Questions

Announcements

.conf2017iscomingtoWashington,D.C.!

23

September25-28,2017WalterE.WashingtonConventionCenter

Reserveyourseatfor.conf2017nowthroughNovember30th togetthesupersaverdiscount!

Reserveyourspottoday,paylater!

SignUpToday:http://live.splunk.com/LP=1822

Afterregistrationopens, youwillhave60daystocompleteyourregistrationtosecurethesupersaverrate.

VisittheInformationKioskintheSolutionPavilion!

SupportOperationHomefront!

24

EarnYour6SponsorBadges!Splunk willdonate$10Dollarsto OperationHomefront’s HolidayMealsforMilitaryFamiliesProgram foreveryattendee thatcompletes theirmissionofearning6sponsorbadges.Theprogramwillprovidemeals

toourlocalmilitaryfamiliesthisholidayseason.Plusabonus ifwehit350 numberofcompletedmissions.Splunkwilldoublethe$3,500donationto

$7,000!

Workshops:GetSplunkHands-onExperienceAttendaSplunkWorkshop

UpcomingSchedule▸ December1:IntroductiontoSplunk Enterprise

▸ December14:IntroductiontoSplunk ITTroubleshooting

▸ January11:IntroductiontoSplunk EnterpriseSecurity

▸ January11:NEW! DatabasePerformanceTuningandCapacityPlanningWorkshop

▸ January25:IntroductiontoSplunk ITServiceIntelligence

▸ January25:NEW! Splunk AppDevelopmentWorkshop

Location▸ SplunkOfficeMcLean,VA

Visithttp://www.doyouknowsplunk.com/workshops


SplunkUserGroups- ConnectwithLocalSplunkers

NorthernVirginiaMeetsthelast3rd Thursdayofeverymonthhttps://usergroups.splunk.com/group/northern-virginia-splunk-user-group.html

DCMeetsthelastWednesdayofeverymonthhttps://usergroups.splunk.com/group/washington-dc-splunk-user-group.html

BaltimoreMeetsthe3rdMondayofeverymonthhttps://usergroups.splunk.com/group/baltimore-splunk-user-group.html


TaketheGovSummitPostEventSurvey!

27

Wevalueyourfeedback!Taketheposteventsurvey ontheiPadsinthefoyerstartingat2:30pm!

Operationalizing the CIS Top 20 Critical Security Controls · 2020-05-16 · Operationalizing the...

Documents

Transcript of Operationalizing the CIS Top 20 Critical Security Controls · 2020-05-16 · Operationalizing the...