CIS (the Center for Internet Security): Growing Up In Cyber… but is Cyber Growing Up?
Slide1
Tony Sager, Senior VP & Chief Evangelist, CIS (the Center for Internet Security)
Growing Up In Cyber…
but is Cyber Growing Up?
Slide2
Today’s Cyber Learning Model?
Slide3
Classic Risk Equation
Risk = f { Vulnerability, Threat, Consequence }
(controls)
Slide4
The Long and Winding Road…
Slide5
Seismic Shifts (from -> to)
Communications Security -> “Cyber”
Mathematics -> CS, Networking, Opns, Analytics
Technology -> Information, Operations
Government monopoly -> user/market driven
“Control Model” of security -> open market
National Security -> economic/social Risk
Slide6
A few cybersecurity lessons
Knowing about flaws doesn’t get them fixed
Cyber Defense => Information Management: when you see “share”, replace it with “translate” and “execute”
The Bad Guy doesn’t perform magic
There’s a large but limited number of defensive choices, and the 80/20 rule applies (the Pareto Principle)
Cybersecurity is more like “Groundhog Day” than “Independence Day”
Slide7
“The Fog of More”
standards, SDL, supply-chain security, security bulletins, user awareness training, browser isolation, two-factor authentication, encryption, incident response, security controls, threat intelligence, whitelisting, need-to-know, SIEM, virtualization, sandbox, compliance, maturity model, anti-malware, penetration testing, audit logs, baseline configuration, risk management framework, continuous monitoring, DLP, threat feed, certification, assessment, best practice, governance
Slide8
The Defender’s Dilemma
What’s the right thing to do? And how much do I need to do?
How do I actually do it?
And how can I demonstrate to others (many others) that I have done the right thing?
Slide9
A Cyberdefense OODA Loop (“patch Tuesday”)
Slide10
“Dueling OODAs”
There are many loops, often connected: “farther in space, earlier in time”
The Bad Guy’s loop is an opportunity (and the role of Threat Intelligence, Analytics)
Slide11
An Effective Cyberdefense “info machine” should be…
based on a model of Attacks, Attackers, and defensive choices, and focused on categories, types, patterns, templates, etc.
driven by data
managed within an open, standards-based framework
account for “community risk”, but be tailorable
repeatable, dynamic, feedback-driven
demonstrable, negotiable for Real People
Slide12
Evolution of the CIS Controls
NSA/DoD Project
The Consensus Audit Guidelines (CSIS)
“The SANS Top 20”
(the SANS Institute)
The Critical Security Controls
(CCS/CIS)
The CIS Controls™️
Slide13
The Original Controls Principles
Prioritize: “Offense Informs Defense”
Implement: “Action today beats elegance tomorrow (or someday. Or never.)”
Sustain: “It’s not about the list”
Align: “To win the cyberwar, we need peaceful co-existence”
Slide14
CIS Best Practice Workflow
Slide15
CIS Controls Version 7
Slide16
Ecosystem of Resources
Mappings to other Frameworks, with special focus on NIST CSF [updated!]
CIS Risk Assessment Method (CIS-RAM) [new]
ICS Companion Guide to the Controls [drafted]
Measures and Metrics [updated]
SME Implementation Guide
CIS Community Attack Model
Privacy and the Controls
Slide17
Recent References to the CIS Controls
California Attorney General’s 2015 Data Breach Report
The NIST Cybersecurity Framework
Symantec 2016 Internet Security Threat Report (and Verizon DBIR, HP, Palo Alto, Solutionary…)
National Governors Association
National Consortium for Advanced Policing
Conference of State Bank Supervisors
UK Critical Protection for National Infrastructure
Zurich Insurance
ENISA, ETSI
Slide18
Website: www.cisecurity.org
Email: Controlsinfo@cisecurity.org
Twitter: @CISecurity
Facebook: Center for Internet Security
LinkedIn Groups: Center for Internet Security; 20 Critical Security Controls