Enterprise Information Security Office NYS Forum Cyber Security Presentation

Transcript of the slide deck (63 pages).

Page 1:

Enterprise Information Security Office NYS Forum Cyber Security Presentation

Page 2:

Overview of NYS Cyber Security

Jim Garrett, Enterprise CISO

Page 3:

Agenda

• NYS enterprise landscape

• What ‘good’ looks like

• Major Initiatives 2016

Page 4:

NYS ITS Enterprise Landscape

Page 5:

Securing a Large Complex Technology Landscape

• 50 Agencies Supported (Regulated Data: HIPAA, PCI, TAX, PII, CJIS)

• 2 Major ITS Data Centers – Albany and Utica

• Hundreds of Critical applications

• 99,000+ Desktops & Laptops

• 20,000+ Mobile devices (MDM)

• 1000s of remote virtual connections

• Many Active Directory Domains

• 150,000+ Accounts

• 14+ Million Citizen Accounts

Page 6:

Threats to the State Enterprise and Citizen

[Diagram: the State enterprise surrounded by its stakeholder groups. The labels below are listed in the order extracted; which labels sit next to which group is not recoverable from the extraction.]

Stakeholder groups: Partners/Suppliers; Citizens; Employees; 3rd Parties and Contractors; Agencies

• Contractual Requirements

• Regulatory Attestation

• Best Practice Controls

• Awareness

• Self Enforcement

• Unified Posture

• Cyber Expertise

• Expect Secure Access

• Expect Privacy

• Expect Data Accuracy

• Security Maturity

• Assessment Volume

• Governance/Annual Review

• Compliance to Regulation

Threats shown: Denial of Service; Web Application Attack; Social Engineering; Malware; Credit Card Fraud; Spear Phishing; Spin; Insider threat; Hacktivism

• Non-Standard Practices

• Regulatory Differences

• Various levels of Cyber Expertise

Page 7:

What Good Looks Like

Page 8:

Establish Best Practice Control Standards - NIST 800-53*

[Figure: control Categories and Domains. Each domain contains specific security and privacy controls; over 300 controls in total.]

* Security and Privacy Controls for Federal Information Systems and Organizations; provided by the National Institute of Standards and Technology (NIST)

Page 9:

NIST Top 20

• CSC 1: Inventory of Authorized and Unauthorized Devices

• CSC 2: Inventory of Authorized and Unauthorized Software

• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

• CSC 4: Continuous Vulnerability Assessment and Remediation

• CSC 5: Controlled Use of Administrative Privileges

• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

• CSC 7: Email and Web Browser Protections

• CSC 8: Malware Defenses

• CSC 9: Control of Network Ports, Protocols, and Services

• CSC 10: Data Recovery Capability

Page 10:

NIST Top 20 (continued)

• CSC 11: Secure Configurations for Network Devices

• CSC 12: Boundary Defense

• CSC 13: Data Protection

• CSC 14: Controlled Access Based on a Need to Know

• CSC 15: Wireless Access Control

• CSC 16: Account Monitoring and Control

• CSC 17: Security Skills Assessment and Appropriate Training

• CSC 18: Application Software Security

• CSC 19: Incident Response and Management

• CSC 20: Penetration Tests and Red Team Exercises

Page 11:

Defense in Depth Layers

Page 12:

Govern with a Best Practice Framework – ISO27001:2013

New York State Confidential Information – Do Not Forward or Disseminate

[Figure: ISO 27001 Governance Cycle, four numbered steps; the step labels are not recoverable from the extraction.]

Risk Reduction Through Continuous Improvement

Page 13:

Major Initiatives 2016

Page 14:

Organized for NYS Enterprise Governance

[Org chart. Units and the responsibilities listed under them appear in the order they were extracted from the slide; reporting lines and which bullet list belongs to which box are not fully recoverable.]

Chief Information Security Officer

Platform and Network Security Standards

• DB Configurations

• *nix Configurations

• Wintel Configurations

• Release Checklist

• Patch Management

• Web Configurations

• Metrics

Portfolio Management & Planning

Cluster ISOs

Penetration Assessments

• Platform, Network, Application PENX

• Quarterly Testing

• Metrics

ITS Cyber Command Center: CIRT Manager; SOC Analytics Manager; SIEM Architecture Manager; Forensics Manager

• Cluster Incident Escalations

• Assessment, Scanning Coordination

• Remediation Tracking

• Awareness/Communications

Web Application Security Standards

• OWASP Top 10

• White/Black box Test

• Coding Standard

• Metrics

Governance, Risk Management and Compliance: NIST 800-53 Assessment Lead; PCI Certification Lead; HIPAA Assessment Lead; TAX Assessment Lead; 3rd Party Assessments

• Administration

• PM Standards

• Budget

• HR

• Metrics

• Executive Reporting

• Enterprise Awareness

• Events Coordination

• Training Scheduling

• Cluster Communications

Identity and Access Management

• Policy and Procedure

• Enterprise Workflow Design

• ITSM Design

• 24x7 Central Support

• Cluster coordination

• Tool Deployment (2Factor, BYOD)

• Metrics

Architecture Lead (CTO Office)

• Performance

• Scaling

• Consolidation

Consolidation Implementation Consultant/Manager

• Entitlement Definition

• Critical App Definition

• Consolidation Phases

• Data Clean Up Phases

• Work Flow Design

• Communication

Awareness and Training

Exec Admin

Device Vulnerability Assessments

• Platform weekly scans

Application Vulnerability Assessments

• Critical Application annual scans

NIST Cyber Security Framework functions shown across the chart: Identify/Protect; Identify/Protect; Protect; Protect; Detect/Respond/Recover; Recover; Identify/Protect

Page 15:

Key Initiatives

1. Building out the Enterprise Information Security Organization, defining clear roles and responsibilities, and ensuring expertise and training

2. Ensuring Critical Processes, Applications, and Infrastructure are inventoried

3. Cycling through Application Security Assessment for priority applications

4. Cycling through Infrastructure Security Assessments for priority devices

5. Conducting enterprise assessments to NIST 800-53 standards and ensuring compliance to regulatory controls

6. Broadening ITS Cyber Command Center capability and effectiveness

7. Standardizing identity management processes and standards

8. Rationalizing our Security Defense in Depth Standards

Page 16:

Key Initiatives Cross-Mapping

NIST Top 20 Heat Map (4/15/2016)

[Heat map: grids of CSC 1 through CSC 20 cross-mapped to the initiatives below; the shading of each cell is not recoverable from the extraction.]

1. NIST Assessment

2. Critical Asset Inventory

3. Application Security Assessments

4. Patch Management and Vulnerability Scanning

5. Enterprise Identity Access Management (EIAM)

6. Cyber Command Center

7. Security Architecture Defense in Depth

Page 17:

Enterprise Governance, Risk Management and Compliance

Deb Snyder, Deputy CISO

Page 18:

Enterprise Security Governance

• Comprehensive strategy for reducing risk to information assets (data, systems, infrastructure)

• Federal and State Security Mandates

• NYS Policies, Standards

• Sector-specific compliance objectives

• Industry standards-based, consistent, matured processes

• ISO27001/27005

• National Cyber Security Framework & NIST 800-53

• CIS Top 20 Critical Controls

• Performance metrics

Page 19:

Risk-based Decision Process

Page 20:

Priority Initiatives

• Critical Asset Inventory - critical assets (services, applications, infrastructure) are inventoried

• Enterprise Risk Assessment - baselines in critical areas

• Focused Assessments & Reviews

− CSC Top 20 Gap Assessment

− Priority Application Resiliency & Security assessments

− Layered Assessment; “Security Lens”

− PeopleSoft (pilot)

− Citizen Services Cluster (center of excellence)

− Clusters – priority apps; integration into SSDLC

− Compliance Assessments – CJIS, FISMA, HIPAA, etc.

− Agency/Cluster compliance checks – e.g. DTF Pub. 1075, Public Safety CJIS assessment

− ISO27001 Data Center Certification

• DR Assessment

Page 21:

Layered Assessment Process

Holistic review from business, regulatory & technical perspectives. Comprehensive technical control review from public interfaces to supporting infrastructure.

[Table with columns Layer | Method / Activities | NIST 800-53 | Top 20 | Validation / Metrics. Side labels on the slide mark the upper layers as Administrative and the lower layers as Technical.]

Layer: Business Impact & Privacy
Method / Activities: Interviews – identify business functions, risk; COOP/DR Plans
NIST 800-53: IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8, IR-10
Top 20: CSC 19: Incident Response and Management
Validation / Metrics: Incident management procedures exist

Layer: Compliance
Method / Activities: Interview, questionnaire; prior security review & audit results/findings; incidents if any
NIST 800-53: CA-7, CM-8, IA-3, SA-4, SC-17, SI-4, PM-5
Top 20: CSC 1: Inventory of Authorized/Unauthorized Devices; CSC 2: Inventory of Authorized/Unauthorized Software
Validation / Metrics: Information and system owners identified, applicable laws and regulations identified

Layer: Secure Design Plan
Method / Activities: Information security plan; Identity Assurance worksheet (roles, separation of duties)
NIST 800-53: AC-2, AC-6, AC-17, AC-19, CA-7, IA-4, IA-5, SI-4
Top 20: CSC 5: Controlled Use of Administrative Privileges; CSC 14: Controlled Access Based on Need to Know; CSC 16: Account Monitoring and Control
Validation / Metrics: SSDLC, access matrix, data flow diagrams, system and business function documentation

Layer: Web Site/Application
Method / Activities: Web app scanning (Qualys/WebInspect); application code scan/review; code review; pen-testing
NIST 800-53: CA-2, CA-5, CA-6, CA-8, RA-6, SI-6, PM-6, PM-14
Top 20: CSC 7: Email and Web Browser Protections; CSC 20: Penetration Tests and Red Team Exercises
Validation / Metrics: Encryption in transit/rest, pen test results

Layer: Application, core services & databases
Method / Activities: Discovery & Relationship Mapping (ITSM CMDB); dependencies; application code scan/review; code review; database configuration & control review
NIST 800-53: CA-2, CA-7, RA-5, SC-34, SI-4, SI-7, AT-1, AT-2, AT-3, AT-4, SA-11, SA-16, PM-13, PM-14, PM-16
Top 20: CSC 4: Continuous Vulnerability Assessment and Remediation; CSC 9: Limitation and Control of Network Ports, Protocols, and Services; CSC 13: Data Protection; CSC 18: Application Software Security
Validation / Metrics: Web, network and code scan results, SSDLC documentation

Layer: Platform (host, cloud)
Method / Activities: Configuration assessment (CIS-CAT; DISA, Qualys, Nessus, hardening guidance); network & host vulnerability scanning (authenticated); CAIQ & 3rd party practices
NIST 800-53: CA-7, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, CM-9, CM-11, MA-4, RA-5, SA-4, SC-15, SC-34, SI-2
Top 20: CSC 3: Secure Configurations; CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs; CSC 11: Secure Configurations for Network Devices
Validation / Metrics: Secure configuration standards and secure configuration scan results

Layer: Infrastructure
Method / Activities: Network Mapping & Scanning; Service Level Agreements; Resiliency Level (Incidents, RTO/RPO objectives)
NIST 800-53: AC-4, AC-17, AC-20, CA-3, CA-7, CA-9, CM-2, SA-9, SC-7, SC-8, SI-4
Top 20: CSC 8: Malware Defenses; CSC 10: Data Recovery Capability; CSC 12: Boundary Defense; CSC 15: Wireless Access Control
Validation / Metrics: SLA documentation aligned with business mission and criticality; network diagrams with PDS/IDS

Pages 22 to 24: Layered Assessment Process (the Page 21 slide repeated)

Page 25:

Business, Operational and Technical Risk

Standardized process to identify and assess risks, develop a roadmap for remediation to reduce operational and technical risk at the application level

Page 26:

Remediation

Identified risks will be managed along 3 streams:

1. Strategic Roadmap – insights and perspectives across the enterprise will enable prioritization and executive decision-making on systemic and broad impact areas

2. Tactical Initiatives – designed to address control gaps and enhance capabilities

3. Remediation objectives – individual risk items identified for resolution.

Centrally prioritized & tracked; reporting metrics (dashboard).

Page 27:

Scott Rogler

Platform and Network Security

Page 28:

Platform and Network Security

• Vulnerability Scanning and Configuration Assessments

• Patch Management

• Release Management

• Standard Configuration Development and Maintenance

• Enterprise Security and Risk Assessment Support

• Secure Architecture / Secure Engineering (SASE)

Page 29:

Platform and Network Security – Vulnerability Scanning and Configuration Assessments

• Enterprise tools to detect, prioritize & remediate

• Identifying and classifying network and system resources

• Assigning relative levels of importance to the resources

• Quantifying potential threats to each resource

• Developing a strategy to prioritize the most serious potential problems first

• Defining and implementing ways to minimize the consequences if an attack occurs.

Page 30:

Platform and Network Security – Patch Management

• Understand the Risk of Patching vs. Not Patching

• Process is important

• Baseline and Harden

• Develop a Test Environment

• Develop back-out plans

• Patch Evaluation and Collection

• Integration with Configuration, Change and Release management for patch rollout

Page 31:

Platform and Network Security – Release Management

• Ensure that the integrity of the live environment is protected and that the correct components are released

• ITIL 2011 Release Management – detailed planning of Release build, Release test and Release deployment.

• Define levels – Major, Minor, Emergency

• Can’t forget the verification!

Page 32:

Platform and Network Security – Standard Configuration Development and Maintenance

• Formal Baselines and Configuration Items (CIs)

• Configuration Control Boards (CCBs)

• Supported with Technical Review Boards (TRBs)

• Change and Release management

• CM Audits

• Internal CM

• Internal Baselines – what works for the enterprise

• CM of Design, Code, Hardware Items, Test Articles

Page 33:

Platform and Network Security – Enterprise Security and Risk Assessment Support

• SSDLC

• Secure by Design

• Not a checklist but a framework for building it into the process

• Buy or Build

• Forward looking

• Lifecycle

• Technical guidance

Page 34:

Platform and Network Security – Secure Architecture / Secure Engineering (SASE)

• Guide project teams in secure systems design, following the Secure Systems Development Life Cycle Standard and NIST Standards

• SSDLC toolkit and outreach

• Over 60 projects this year

• Core transformation initiatives

• ITSM 2.0 integration

Page 35:

Platform and Network Security – Secure Architecture / Secure Engineering (SASE)

• Assists State business owners in translating business and regulatory compliance requirements into operational security objectives and controls

• HIPAA, FERPA, CJIS, Pub-1075…

• Guide development of security policies related to designing and maintaining secure systems

http://www.its.ny.gov/tables/technologypolicyindex

Page 36:

Web Application Security Standards

Paul Bolk

Page 37:

• Web Application Scanning

− EISO

− Cluster

• Source Code Application Scanning

• Penetration Testing

Page 38:

Karen Sorady

New York State Cyber Command Center

Page 39:

Cyber Command Center

• Unit Mission: Provide a centralized service for detection, analysis, tracking, response to and reporting of, cyber threats and incidents through a program of infrastructure monitoring, threat analytics, incident management and coordinated information sharing.

• Scope: Any NY State or local government entity

Page 40:

Cyber Command Center

• Products/Services*:

[Diagram: services placed against the framework functions Identify, Protect, Detect, Respond, Analyze]

Cyber Threat Notifications; Cyber Threat Intelligence; Digital Forensics; Log Monitoring; Cyber Incident Response

*Aligned with NIST Cyber Security Framework

Page 41:

NYS Cyber Command Center Capabilities

• Incident monitoring/detection/escalation

• Cyber threat intelligence

• Digital forensics

− Volatile and non-volatile

− Physical, virtual and mobile devices

• Network forensics

− Log analysis

− Network capture analysis

• Malware analysis

− Reverse engineering

− Static & Active

• Exploit research and development

− Validation

Page 42:

NYS Cyber Command Center Tiered Structure

[Funnel diagram, read from intake down to incident response:]

Intake/Triage – 216 Billion Events

Intake/Triage/Ticket Management

-Security Event Logs

-Third Party Notifications

-Phone Calls/Email

-Research

Event Detection – 13,419 Events

Preliminary Analysis – 550 Events

Preliminary Event Analysis/Response

-Eliminate False Positives

-Obtain Additional Information to Support Tickets

-Response Activity

Incident Response/Forensics – 229 Incidents

Incident Response; Digital Forensics; Threat Intelligence and Information Sharing

Page 43:

Incident Response Objectives

• Assess the scope and magnitude

• Quantify the damage

• Identify root cause

• Remediation

• Prevent reoccurrence

• Lessons learned

Page 44:

NYS Cyber Incident Response Standard - Steps

1 – Preparation: contacts, tools, training

2 – Identification: IDS/IPS, AV, users, other

3 – Containment: stop the bleeding, analyze the artifacts, logs etc.

4 – Eradication: clean up, restore, reimage

5 – Recovery: back online, monitor closely

6 – Lessons-Learned: reflect, improve, policy, architecture, scanning, monitoring,

Page 45:

NYS Cyber Incident Response Standard - Categories

Incident Categories (Category – Name: Description)

0 – Exercise / Network Defense Testing: Used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.

1 – Unauthorized Access: An individual gains logical or physical access without permission to a NYS or local government network, system, application, data, or other resource.

2 – Denial of Service: An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim of or participating in the Denial of Service (DoS).

3 – Malicious Code: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application.

4 – Improper Usage: A person who knowingly or unknowingly violates acceptable computing use policies.

5 – Scans / Probes / Attempted Access: Includes any activity that seeks to access or identify a NYS or local government computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. Unauthorized internal scans are considered incidents. Most external scans are considered to be routine, and on a case-by-case basis may require response and investigation.

6 – Investigation: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.

Page 46:

NYS Cyber Incident Response Standard - Severity

Incident Severity Matrix (Level – Definition; Examples)

High – Incidents that have a severe impact on operations

• Compromise of sensitive data

• Widespread malcode attack

• Unauthorized access to critical systems

• DoS affecting the entire enterprise

Medium – Incidents that have a significant impact, or the potential to have a severe impact, on operations

• Small-scale DoS attack

• Website compromises

• Unauthorized access (brute force attacks against FTP, ssh, and other protocols)

Low – Incidents that have a minimal impact with the potential for significant or severe impact on operations

• Network probes or system scans

• Isolated virus infections

• Acceptable use violations
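The tiered structure on Page 42 (intake, event detection, a preliminary analysis that eliminates false positives, then incident response), the category table on Page 45 and the severity matrix above can be expressed together as a small triage pipeline. The Python below is an added example written for this page; it is not code from NYS ITS or the EISO. The key=value event format, the sample event lines, the authorized-scanner address and the brute-force threshold are constructed assumptions; the category numbers follow the Incident Categories table and the severities follow the examples column of the Incident Severity Matrix.

```python
"""Triage pipeline modelled on the NYS Cyber Command Center tiers.

Added example for this page; not code from NYS ITS or the EISO.  The
key=value event format, the sample events, the authorized-scanner address
and the brute-force threshold are constructed assumptions.
"""
from collections import Counter

# Constructed sample events (RFC 5737 documentation addresses), one per line.
SAMPLE_EVENTS = """\
ts=2016-04-15T08:01:02 src=203.0.113.7 dst=192.0.2.10 kind=portscan dir=external
ts=2016-04-15T08:02:30 src=192.0.2.55 dst=192.0.2.10 kind=portscan dir=internal
ts=2016-04-15T08:03:11 src=198.51.100.9 dst=192.0.2.20 kind=auth_fail count=500 proto=ssh
ts=2016-04-15T08:04:40 src=192.0.2.31 dst=- kind=av_detect scope=isolated
ts=2016-04-15T08:05:00 src=192.0.2.31 dst=- kind=av_detect scope=widespread
ts=2016-04-15T08:06:12 src=192.0.2.40 dst=- kind=dlp_exfil data=sensitive
ts=2016-04-15T08:07:45 src=192.0.2.44 dst=- kind=aup_violation
ts=2016-04-15T08:08:00 src=192.0.2.5 dst=192.0.2.10 kind=portscan dir=internal
ts=2016-04-15T08:09:00 src=192.0.2.10 dst=- kind=heartbeat
"""

# Assumed: scans from these hosts are approved network-defense testing (Category 0).
AUTHORIZED_SCANNERS = {"192.0.2.5"}
# Assumed threshold for treating repeated authentication failures as brute force.
BRUTE_FORCE_THRESHOLD = 100

CATEGORY_NAMES = {
    0: "Exercise / Network Defense Testing",
    1: "Unauthorized Access",
    2: "Denial of Service",
    3: "Malicious Code",
    4: "Improper Usage",
    5: "Scans / Probes / Attempted Access",
    6: "Investigation",
}


def parse_event(line):
    """Intake: turn one key=value line into a dict of fields."""
    return dict(token.split("=", 1) for token in line.split())


def detect(event):
    """Event detection: map an event to (category, severity).

    Returns None when no detection rule matches (no ticket is opened).  A
    severity of None means a ticket is opened but is expected to be closed as
    routine or approved activity during preliminary analysis.
    """
    kind = event.get("kind")
    if kind == "portscan":
        if event.get("src") in AUTHORIZED_SCANNERS:
            return 0, None            # approved testing, not an incident
        if event.get("dir") == "internal":
            return 5, "Low"           # unauthorized internal scans are incidents
        return 5, None                # most external scans are routine
    if kind == "auth_fail":
        if int(event.get("count", "0")) >= BRUTE_FORCE_THRESHOLD:
            return 1, "Medium"        # brute force against ssh/FTP etc.
        return None                   # a few failures are normal noise
    if kind == "av_detect":
        widespread = event.get("scope") == "widespread"
        return 3, ("High" if widespread else "Low")   # widespread malcode vs isolated infection
    if kind == "dlp_exfil":
        return 1, "High"              # compromise of sensitive data
    if kind == "aup_violation":
        return 4, "Low"               # acceptable use violation
    return None


def triage(text):
    """Run the tiers: intake -> detection -> preliminary analysis -> incidents.

    Returns (funnel counts, incidents per severity, incident records).
    """
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    tickets = []
    for event in events:
        verdict = detect(event)
        if verdict is not None:
            category, severity = verdict
            tickets.append({**event, "category": category, "severity": severity})
    # Preliminary analysis: tickets without a severity are false positives or
    # routine activity and are closed here instead of becoming incidents.
    incidents = [t for t in tickets if t["severity"] is not None]
    funnel = {
        "events": len(events),
        "tickets": len(tickets),
        "closed_in_analysis": len(tickets) - len(incidents),
        "incidents": len(incidents),
    }
    return funnel, dict(Counter(t["severity"] for t in incidents)), incidents


if __name__ == "__main__":
    funnel, by_severity, incidents = triage(SAMPLE_EVENTS)
    print(funnel, by_severity)
    for inc in incidents:
        print(f"{inc['severity']:<6} category {inc['category']} "
              f"({CATEGORY_NAMES[inc['category']]}): {inc['kind']} from {inc['src']}")
```

The funnel dictionary mirrors the four stages on the Page 42 slide: every line counts as an event, only lines matching a rule become tickets, tickets closed in preliminary analysis (the authorized scanner and the routine external scan) never reach incident response, and the remainder carry the category and severity that the response standard would record.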

Page 47:

Number of Incidents Requiring Advanced Analysis

[Bar chart of incidents per year, 2011 through 2015, y-axis 0 to 250; the data table follows.]

YEAR / # Incidents

2011: 39

2012: 62

2013: 115

2014: 168

2015: 229

Page 48:

Advanced Analysis by Category - 2015

Page 49:

Cyber Command Threat Intelligence Program

Cooperative systems, processes and personnel aligned to:

• Develop and integrate internal/external threat intelligence into EISO monitoring and incident reporting systems

• Provide a cooperative mechanism to share intelligence and situational awareness:

− NYSIC/MS-ISAC/DHS Automated Information Sharing Initiative

• Translate analysis into proactive security control implementation

• Develop deliverable products from correlated intelligence:

− Bulletins, Activity Reports, Briefings, Demonstrations, White Papers, etc.

• Track attack vectors, threat actors, campaigns and trends

• Leverage vulnerability scan data

• Identify Tactics, Techniques, and Procedures (TTPs), categorize campaigns, and catalog trends to discover how attackers behave in relation to the overall NYS attack surface

Page 50:

Information Sharing

• Cyber Partners Working Group

− Federal Bureau of Investigation, New York State Police Computer Crimes Unit & Cyber Analysis Unit, National Guard

− Collaborate on incident response and information sharing

• Cyber Threat Intelligence Coordinating Group (CTICG)

− Founding member of national workgroup to facilitate valuable situational awareness and identification of interrelationships between physical and cyber security activities

− Comprised of law enforcement, government and private sector entities with a vested interest in cyber or physical security

• Multi-State Information Sharing and Analysis Center (MS-ISAC) Intelligence and Analysis Workgroup

− National workgroup focused on promoting the development, understanding and awareness of actionable intelligence and analysis

Page 51:

Liz Farrell

Awareness and Training

Page 52:

Awareness and Training

Provide opportunities to increase awareness, knowledge, competencies, and skills to reduce overall security risk

• Citizen and workforce outreach

• Awareness activities and events

• Federal, state, and local government partnerships

• Cyber training and exercise initiatives

• Promote available resources

Page 53:

Cyber Security Awareness Resources

• Cyber Security Awareness Toolkits

− Posters, Calendars

• Cyber Security Guides

− How to Get Started

• Resources for Local Government, Small-Medium Businesses, Parents and Children

• Cyber Tips Newsletters

• Training Material and Videos

• Upcoming Events

Page 54:

Annual NYS Cyber Security Conference

19th Annual NYS Cyber Security Conference

Empire State Plaza, Albany

June 8-9, 2016

Page 55:

Annual K-12 Student Poster Contest

Page 56:

For More Information…

Visit www.its.ny.gov/eiso

Page 57:

Charlie Nagy

Portfolio Management

Page 58:

Unit Mission

Provide ‘Gold Star’ support services that allow EISO’s security specialists to concentrate on their critical areas of responsibility

Pages 59 to 61: Functional Responsibilities (figure-only slides)

Page 62:

Noteworthy Activities

• Produced, vetted and delivered Quarter 1 Staffing Plan

• Implementing Security Metrics program

• Drafted SFY 16-17 EISO Spend Plan

• Creating standardized security language for RFPs, contracts, etc.

• Worked with State CPO to develop ITS work intake process

• Assist on procurement contracts (PBITS, Umbrella, RFPs)

• Manage the EISO procurement lifecycle

• Support the development of Functional Unit Charters

• Assist with high-level project planning

• Built site and established use of SharePoint for project reporting

• Facilitate all personnel matters, including Individual Performance Plans

• Manage Executive correspondence, calendars and phone calls

Page 63:

Questions