Post on 07-Apr-2018
Enterprise Information Security Office
NYS Forum Cyber Security
Presentation
Overview of NYS Cyber Security
Jim Garrett, Enterprise CISO
Agenda
• NYS enterprise landscape
• What ‘good’ looks like
• Major Initiatives 2016
NYS ITS Enterprise Landscape
Securing a Large Complex Technology Landscape
• 50 Agencies Supported (Regulated Data: HIPAA, PCI, TAX, PII, CJIS)
• 2 Major ITS Data Centers – Albany and Utica
• Hundreds of Critical applications
• 99,000+ Desktops & Laptops
• 20,000+ Mobile devices (MDM)
• 1000s of remote virtual connections
• Many Active Directory Domains
• 150,000+ Accounts
• 14+ Million Citizen Accounts
Threats to the State Enterprise and Citizen
(Diagram: stakeholders, the expectations and drivers around them, and the threats they face; the labels below are recovered from the figure.)
Stakeholders: Partners/Suppliers; Citizens; Employees; 3rd Parties and Contractors; Agencies
Expectations, drivers and challenges: Contractual Requirements; Regulatory Attestation; Best Practice Controls; Awareness; Self Enforcement; Unified Posture; Cyber Expertise; Expect Secure Access; Expect Privacy; Expect Data Accuracy; Security Maturity; Assessment Volume; Governance/Annual Review; Compliance to Regulation; Non-Standard Practices; Regulatory Differences; Various levels of Cyber Expertise
Threats: Denial of Service; Web Application Attack; Social Engineering; Malware; Credit Card Fraud; Spear Phishing; Spin; Insider threat; Hacktivism
What Good Looks Like
Establish Best Practice Control Standards - NIST 800.53*
Categories
Domains (each domain contains specific security and privacy controls; over 300 controls in total)
* Security and Privacy Controls for Federal Information Systems and Organizations; provided by the National Institute of Standards and Technology (NIST)
NIST Top 20
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Control of Network Ports, Protocols, and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on a Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises
NIST Top 20
Defense in Depth Layers
Govern with a Best Practice Framework – ISO27001:2013
New York State Confidential Information – Do Not Forward or Disseminate
ISO 27001 Governance Cycle
(Figure: a four-step governance cycle, steps 1 to 4; the step labels are not recoverable from the page)
Risk Reduction Through Continuous Improvement
Major Initiatives 2016
Organized for NYS Enterprise Governance
(Organization chart, recovered as an outline. Each unit box in the chart also carries a NIST Cyber Security Framework function label; the labels read, in order: Identify/Protect, Identify/Protect, Protect, Protect, Detect/Respond/Recover, Recover, Identify/Protect.)
Chief Information Security Officer
• Platform and Network Security Standards
  • DB Configurations
  • *nix Configurations
  • Wintel Configurations
  • Release Checklist
  • Patch Management
  • Web Configurations
  • Metrics
• Portfolio Management & Planning
• Cluster ISOs
• Penetration Assessments
  • Platform, Network, Application PENX
  • Quarterly Testing
  • Metrics
• ITS Cyber Command Center
  • CIRT Manager
  • SOC Analytics Manager
  • SIEM Architecture Manager
  • Forensics Manager
  • Cluster Incident Escalations
  • Assessment, Scanning Coordination
  • Remediation Tracking
  • Awareness/Communications
• Web Application Security Standards
  • OWASP Top 10
  • White/Black box Test
  • Coding Standard
  • Metrics
• Governance, Risk Management and Compliance
  • NIST 800.53 Assessment Lead
  • PCI Certification Lead
  • HIPAA Assessment Lead
  • TAX Assessment Lead
  • 3rd Party Assessments
• Support functions (box label not recovered from the chart)
  • Administration
  • PM Standards
  • Budget
  • HR
  • Metrics
  • Executive Reporting
  • Enterprise Awareness
  • Events Coordination
  • Training Scheduling
  • Cluster Communications
• Identity and Access Management
  • Policy and Procedure
  • Enterprise Workflow Design
  • ITSM Design
  • 24x7 Central Support
  • Cluster coordination
  • Tool Deployment (2Factor, BYOD)
  • Metrics
• Architecture Lead (CTO Office)
  • Performance
  • Scaling
  • Consolidation
• Consolidation Implementation Consultant/Manager
  • Entitlement Definition
  • Critical App Definition
  • Consolidation Phases
  • Data Clean Up Phases
  • Work Flow Design
  • Communication
• Awareness and Training
• Exec Admin
• Device Vulnerability Assessments
  • Platform weekly scans
• Application Vulnerability Assessments
  • Critical Application annual scans
Key Initiatives
1. Building out the Enterprise Information Security Organization, defining clear roles and responsibilities, and ensuring expertise and training
2. Ensuring Critical Processes, Applications, and Infrastructure are inventoried
3. Cycling through Application Security Assessment for priority applications
4. Cycling through Infrastructure Security Assessments for priority devices
5. Conducting enterprise assessments to NIST 800.53 standards and ensuring compliance to regulatory controls
6. Broadening ITS Cyber Command Center capability and effectiveness
7. Standardizing of identity management processes and standards
8. Rationalizing our Security Defense in Depth Standards
4/15/2016
NIST Top 20 Heat Map
(Figure: a grid of CSC 1 through CSC 20; the heat-map colouring is not recoverable from the page)
Key Initiatives Cross-Mapping
1. NIST Assessment
2. Critical Asset Inventory
3. Application Security Assessments
4. Patch Management and Vulnerability Scanning
5. Enterprise Identity Access Management (EIAM)
6. Cyber Command Center
7. Security Architecture Defense in Depth
(Figure: each initiative above is mapped onto the CSC 1 through CSC 20 grid; the mapping itself is not recoverable from the page)
Enterprise Governance, Risk Management and Compliance
Deb Snyder, Deputy CISO
Enterprise Security Governance
• Comprehensive strategy for reducing risk to information assets (data, systems, infrastructure)
• Federal and State Security Mandates
• NYS Policies, Standards
• Sector-specific compliance objectives
• Industry standards-based, consistent, matured processes
• ISO27001/27005
• National Cyber Security Framework & NIST 800-53
• CIS Top 20 Critical Controls
• Performance metrics
Risk-based Decision Process
Priority Initiatives
• Critical Asset Inventory - critical assets (services, applications, infrastructure are inventoried)
• Enterprise Risk Assessment - baselines in critical areas
• Focused Assessments & Reviews
− CSC Top 20 Gap Assessment
− Priority Application Resiliency & Security assessments
− Layered Assessment; “Security Lens”
− PeopleSoft (pilot)
− Citizen Services Cluster (center of excellence)
− Clusters – priority apps; integration into SSDLC
− Compliance Assessments – CJIS, FISMA, HIPAA, etc.
− Agency/Cluster compliance checks – e.g. DTF Pub. 1075, Public Safety CJIS assessment
− ISO27001 Data Center Certification
• DR Assessment
Holistic review from business, regulatory & technical perspectives. Comprehensive technical control review from public interfaces to supporting infrastructure.
Layered Assessment Process
(Table: columns are Layer; Method / Activities; NIST 800-53; Top 20; Validation / Metrics. The layers are grouped into Administrative and Technical bands in the original figure.)

Layer: Business Impact & Privacy
Method / Activities: Interviews – identify business functions, risk; COOP/DR Plans
NIST 800-53: IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8, IR-10
Top 20: CSC 19: Incident Response and Management
Validation / Metrics: Incident management procedures exist

Layer: Compliance
Method / Activities: Interview, questionnaire; Prior security review & audit results/findings; Incidents if any
NIST 800-53: CA-7, CM-8, IA-3, SA-4, SC-17, SI-4, PM-5
Top 20: CSC 1: Inventory of Authorized/Unauthorized Devices; CSC 2: Inventory of Authorized/Unauthorized Software
Validation / Metrics: Information and system owners identified, applicable laws and regulations identified

Layer: Secure Design Plan
Method / Activities: Information security plan; Identity Assurance worksheet (roles, separation of duties)
NIST 800-53: AC-2, AC-6, AC-17, AC-19, CA-7, IA-4, IA-5, SI-4
Top 20: CSC 5: Controlled Use of Administrative Privileges; CSC 14: Controlled Access Based on Need to Know; CSC 16: Account Monitoring and Control
Validation / Metrics: SSDLC, access matrix, data flow diagrams, system and business function documentation

Layer: Web Site/Application
Method / Activities: Web app scanning (Qualys/WebInspect); Application code scan/review; Code review; Pen-testing
NIST 800-53: CA-2, CA-5, CA-6, CA-8, RA-6, SI-6, PM-6, PM-14
Top 20: CSC 7: Email and Web Browser Protections; CSC 20: Penetration Tests and Red Team Exercises
Validation / Metrics: Encryption in transit/rest, pen test results

Layer: Application, core services & databases
Method / Activities: Discovery & Relationship Mapping (ITSM CMDB); dependencies; Application code scan/review; Code review; Database configuration & control review
NIST 800-53: CA-2, CA-7, RA-5, SC-34, SI-4, SI-7, AT-1, AT-2, AT-3, AT-4, SA-11, SA-16, PM-13, PM-14, PM-16
Top 20: CSC 4: Continuous Vulnerability Assessment and Remediation; CSC 9: Limitation and Control of Network Ports, Protocols, and Services; CSC 13: Data Protection; CSC 18: Application Software Security
Validation / Metrics: Web, network and code scan results, SSDLC documentation

Layer: Platform (host, cloud)
Method / Activities: Configuration assessment (CIS-CAT; DISA, Qualys, Nessus, hardening guidance); Network & Host Vulnerability scanning (authenticated); CAIQ & 3rd party practices
NIST 800-53: CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, CM-9, CM-11, MA-4, RA-5, SA-4, SC-15, SC-34, SI-2
Top 20: CSC 3: Secure Configurations; CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs; CSC 11: Secure Configurations for Network Devices
Validation / Metrics: Secure configuration standards and secure configuration scan results

Layer: Infrastructure
Method / Activities: Network Mapping & Scanning; Service Level Agreements; Resiliency Level (Incidents, RTO/RPO objectives)
NIST 800-53: AC-4, AC-17, AC-20, CA-3, CA-7, CA-9, CM-2, SA-9, SC-7, SC-8, SI-4
Top 20: CSC 8: Malware Defenses; CSC 10: Data Recovery Capability; CSC 12: Boundary Defense; CSC 15: Wireless Access Control
Validation / Metrics: SLA documentation, aligned with business mission and criticality; network diagrams with PDS/IDS
Remediation
Business, Operational and Technical Risk
Standardized process to identify and assess risks, develop a roadmap for remediation to reduce operational and technical risk at the application level
Identified risks will be managed along 3 streams:
1. Strategic Roadmap – insights and perspectives across the enterprise will enable prioritization and executive decision-making on systemic and broad impact areas
2. Tactical Initiatives – designed to address control gaps and enhance capabilities
3. Remediation objectives – individual risk items identified for resolution.
Centrally prioritized & tracked; reporting metrics (dashboard).
Scott Rogler
Platform and Network Security
• Vulnerability Scanning and Configuration Assessments
• Patch Management
• Release Management
• Standard Configuration Development and Maintenance
• Enterprise Security and Risk Assessment Support
• Secure Architecture / Secure Engineering (SASE)
Vulnerability Scanning and Configuration Assessments
• Enterprise tools to detect, prioritize & remediate
• Identifying and classifying network and system resources
• Assigning relative levels of importance to the resources
• Quantifying potential threats to each resource
• Developing a strategy to prioritize the most serious potential problems first
• Defining and implementing ways to minimize the consequences if an attack occurs
Patch Management
• Understand the risk of patching vs. not patching
• Process is important
• Baseline and harden
• Develop a test environment
• Develop back-out plans
• Patch evaluation and collection
• Integration with Configuration, Change and Release management for patch rollout
Release Management
• Ensure that the integrity of the live environment is protected and that the correct components are released
• ITIL 2011 Release Management – detailed planning of Release build, Release test and Release deployment
• Define levels – Major, Minor, Emergency
• Can’t forget the verification!
Standard Configuration Development and Maintenance
• Formal Baselines and Configuration Items (CIs)
• Configuration Control Boards (CCBs)
• Supported with Technical Review Boards (TRBs)
• Change and Release management
• CM Audits
• Internal CM
• Internal Baselines – what works for the enterprise
• CM of Design, Code, Hardware Items, Test Articles
Enterprise Security and Risk Assessment Support
• SSDLC
• Secure by Design
• Not a checklist but a framework for building security into the process
• Buy or Build
• Forward looking
• Lifecycle
• Technical guidance
Secure Architecture / Secure Engineering (SASE)
• Guide project teams in secure systems design, following the Secure Systems Development Life Cycle Standard and NIST Standards
• SSDLC toolkit and outreach
• Over 60 projects this year
• Core transformation initiatives
• ITSM 2.0 integration
• Assists State business owners in translating business and regulatory compliance requirements into operational security objectives and controls
• HIPAA, FERPA, CJIS, Pub-1075…
• Guide development of security policies related to designing and maintaining secure systems
http://www.its.ny.gov/tables/technologypolicyindex
Web Application Security Standards
Paul Bolk
• Web Application Scanning
  • EISO
  • Cluster
• Source Code Application Scanning
• Penetration Testing
Karen Sorady
New York State Cyber Command Center
Cyber Command Center
• Unit Mission: Provide a centralized service for detection, analysis, tracking, response to and reporting of, cyber threats and incidents through a program of infrastructure monitoring, threat analytics, incident management and coordinated information sharing.
• Scope: Any NY State or local government entity
Cyber Command Center
• Products/Services* (arranged in the figure under the functions Identify, Protect, Detect, Respond, Analyze):
  • Cyber Threat Notifications
  • Cyber Threat Intelligence
  • Digital Forensics
  • Log Monitoring
  • Cyber Incident Response
*Aligned with NIST Cyber Security Framework
NYS Cyber Command Center Capabilities
• Incident monitoring/detection/escalation
• Cyber threat intelligence
• Digital forensics
  • Volatile and non-volatile
  • Physical, virtual and mobile devices
• Network forensics
  • Log analysis
  • Network capture analysis
• Malware analysis
  • Reverse engineering
  • Static & Active
• Exploit research and development
  • Validation
NYS Cyber Command Center Tiered Structure
(Funnel diagram, recovered as tiers from highest to lowest volume)
Intake/Triage – 216 Billion Events
  Intake/Triage/Ticket Management
  - Security Event Logs
  - Third Party Notifications
  - Phone Calls/Email
  - Research
Event Detection – 13,419 Events
Preliminary Analysis – 550 Events
  Preliminary Event Analysis/Response
  - Eliminate False Positives
  - Obtain Additional Information to Support Tickets
  - Response Activity
Incident Response/Forensics – 229 Incidents
  - Incident Response
  - Digital Forensics
  - Threat Intelligence and Information Sharing
Incident Response Objectives
• Assess the scope and magnitude
• Quantify the damage
• Identify root cause
• Remediation
• Prevent reoccurrence
• Lessons learned
NYS Cyber Incident Response Standard - Steps
1 – Preparation: contacts, tools, training
2 – Identification: IDS/IPS, AV, users, other
3 – Containment: stop the bleeding, analyze the artifacts, logs etc.
4 – Eradication: clean up, restore, reimage
5 – Recovery: back online, monitor closely
6 – Lessons-Learned: reflect, improve, policy, architecture, scanning, monitoring
NYS Cyber Incident Response Standard - Categories
Incident Categories (table: Category / Name / Description)
Category 0 – Exercise / Network Defense Testing: Used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.
Category 1 – Unauthorized Access: An individual gains logical or physical access without permission to a NYS or local government network, system, application, data, or other resource.
Category 2 – Denial of Service: An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim of or participating in the Denial of Service (DoS).
Category 3 – Malicious Code: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application.
Category 4 – Improper Usage: A person who knowingly or unknowingly violates acceptable computing use policies.
Category 5 – Scans / Probes / Attempted Access: Includes any activity that seeks to access or identify a NYS or local government computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. Unauthorized internal scans are considered incidents. Most external scans are considered to be routine, and on a case-by-case basis may require response and investigation.
Category 6 – Investigation: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.
NYS Cyber Incident Response Standard - Severity
Incident Severity Matrix (table: Level / Definition / Examples)
High – Incidents that have a severe impact on operations. Examples:
— Compromise of sensitive data
— Widespread malcode attack
— Unauthorized access to critical systems
— DoS affecting the entire enterprise
Medium – Incidents that have a significant impact, or the potential to have a severe impact, on operations. Examples:
— Small-scale DoS attack
— Website compromises
— Unauthorized access (brute force attacks against FTP, ssh, and other protocols)
Low – Incidents that have a minimal impact with the potential for significant or severe impact on operations. Examples:
— Network probes or system scans
— Isolated virus infections
— Acceptable use violations
Number of Incidents Requiring Advanced Analysis
(Bar chart of incident counts by year, 2011 to 2015; underlying data:)
YEAR  # Incidents
2011  39
2012  62
2013  115
2014  168
2015  229
Advanced Analysis by Category - 2015
(Chart; the per-category breakdown is not recoverable from the page)
Cyber Command Threat Intelligence Program
Cooperative systems, processes and personnel aligned to:
• Develop and integrate internal/external threat intelligence into EISO monitoring and incident reporting systems
• Provide a cooperative mechanism to share intelligence and situational awareness:
  • NYSIC/MS-ISAC/DHS Automated Information Sharing Initiative
• Translate analysis into proactive security control implementation
• Develop deliverable products from correlated intelligence:
  • Bulletins, Activity Reports, Briefings, Demonstrations, White Papers, etc.
• Track attack vectors, threat actors, campaigns and trends
• Leverage vulnerability scan data
• Identify Tactics, Techniques, and Procedures (TTPs), categorize campaigns, and catalog trends to discover how attackers behave in relation to the overall NYS attack surface
Information Sharing
• Cyber Partners Working Group
  • Federal Bureau of Investigation, New York State Police Computer Crimes Unit & Cyber Analysis Unit, National Guard
  • Collaborate on incident response and information sharing
• Cyber Threat Intelligence Coordinating Group (CTICG)
  • Founding member of national workgroup to facilitate valuable situational awareness and identification of interrelationships between physical and cyber security activities
  • Comprised of law enforcement, government and private sector entities with a vested interest in cyber or physical security
• Multi-State Information Sharing and Analysis Center (MS-ISAC) Intelligence and Analysis Workgroup
  • National workgroup focused on promoting the development, understanding and awareness of actionable intelligence and analysis
Liz Farrell
Awareness and Training
Awareness and Training
Provide opportunities to increase awareness, knowledge, competencies, and skills to reduce overall security risk
• Citizen and workforce outreach
• Awareness activities and events
• Federal, state, and local government partnerships
• Cyber training and exercise initiatives
• Promote available resources
Cyber Security Awareness Resources
• Cyber Security Awareness Toolkits
  • Posters, Calendars
• Cyber Security Guides
  • How to Get Started
  • Resources for Local Government, Small-Medium Businesses, Parents and Children
• Cyber Tips Newsletters
• Training Material and Videos
• Upcoming Events
Annual NYS Cyber Security Conference
19th Annual NYS Cyber Security Conference
Empire State Plaza, Albany
June 8-9, 2016
Annual K-12 Student Poster Contest
Charlie Nagy
Portfolio Management
Unit Mission
Provide ‘Gold Star’ support services that allow EISO’s security specialists to concentrate on their critical areas of responsibility
Functional Responsibilities
Noteworthy Activities
• Produced, vetted and delivered Quarter 1 Staffing Plan
• Implementing Security Metrics program
• Drafted SFY 16-17 EISO Spend Plan
• Creating standardized security language for RFPs, contracts, etc.
• Worked with State CPO to develop ITS work intake process
• Assist on procurement contracts (PBITS, Umbrella, RFPs)
• Manage the EISO procurement lifecycle
• Support the development of Functional Unit Charters
• Assist with high-level project planning
• Built site and established use of SharePoint for project reporting
• Facilitate all personnel matters, including Individual Performance Plans
• Manage Executive correspondence, calendars and phone calls
Questions