Tony Sager Senior VP & Chief Evangelist - PowerPoint Presentation

Uploaded On 2022-02-15



Presentation Transcript

Slide1

Tony Sager
Senior VP & Chief Evangelist
CIS (the Center for Internet Security)

Growing Up In Cyber…

but is Cyber Growing Up?

Slide2

Today’s Cyber Learning Model ?

Slide3

Classic Risk Equation

Risk = f { Vulnerability, Threat, Consequence }

controls

Slide4

The Long and Winding Road….

Slide5

Seismic Shifts

Communications Security → “Cyber”

Mathematics → CS, Networking, Opns, Analytics

Technology → Information, Operations

Government monopoly → user/market driven

“Control Model” of security → open market

National Security → economic/social Risk

Slide6

A few cybersecurity lessons

Knowing about flaws doesn’t get them fixed

Cyber Defense => Information Management

when you see “share”, replace with “translate” and “execute”

The Bad Guy doesn’t perform magic

There’s a large but limited number of defensive choices, and the 80/20 rule applies (The Pareto Principle)

Cybersecurity is more like “Groundhog Day” than “Independence Day”

Slide7

“The Fog of More”

standards

SDL

supply-chain security

security bulletins

user awareness training

browser isolation

two-factor authentication

encryption

incident response

security controls

threat intelligence

whitelisting

need-to-know

SIEM

virtualization

sandbox

compliance

maturity model

anti-malware

penetration testing

audit logs

baseline configuration

risk management framework

continuous monitoring

DLP

threat feed

certification

assessment

best practice

governance

Slide8

The Defender’s Dilemma

What’s the right thing to do?

and how much do I need to do?

How do I actually do it?

And how can I demonstrate to others (many others) that I have done the right thing?

Slide9

A Cyberdefense OODA Loop

(“patch Tuesday”)

Slide10

“Dueling OODAs”

There are many loops, often connected

“farther in space, earlier in time”

The Bad Guy’s loop is an opportunity (and the role of Threat Intelligence, Analytics)

Slide11

An Effective Cyberdefense “info machine” should be…

based on a model of Attacks, Attackers, and defensive choices

and focused on categories, types, patterns, templates, etc.

driven by data

managed within an open, standards-based framework

account for “community risk”, but be tailorable

repeatable, dynamic, feedback-driven

demonstrable, negotiable for Real People

Slide12

Evolution of the CIS Controls

NSA/DoD Project

The Consensus Audit Guidelines (CSIS)

“The SANS Top 20” (the SANS Institute)

The Critical Security Controls (CCS/CIS)

The CIS Controls™️

Slide13

The Original Controls Principles

Prioritize: “Offense Informs Defense”

Implement: “Action today beats elegance tomorrow (or someday. Or never.)”

Sustain: “It’s not about the list”

Align: “To win the cyberwar, we need peaceful co-existence”

Slide14

CIS Best Practice Workflow

Slide15

CIS Controls Version 7

Slide16

Ecosystem of Resources

Mappings to other Frameworks

Special focus on NIST CSF [updated!]

CIS Risk Assessment Method (CIS-RAM) [new]

ICS Companion Guide to the Controls [drafted]

Measures and Metrics [updated]

SME Implementation Guide

CIS Community Attack Model

Privacy and the Controls

Slide17

Recent References to the CIS Controls

California Attorney General’s 2015 Data Breach Report

The NIST Cybersecurity Framework

Symantec 2016 Internet Security Threat Report (and Verizon DBIR, HP, Palo Alto, Solutionary …)

National Governor’s Association

National Consortium for Advanced Policing

Conference of State Bank Supervisors

UK Critical Protection for National Infrastructure

Zurich Insurance

ENISA, ETSI

Slide18

Website: www.cisecurity.org

Email: Controlsinfo@cisecurity.org

Twitter: @CISecurity

Facebook: Center for Internet Security

LinkedIn Groups: Center for Internet Security; 20 Critical Security Controls