Jake Margolis, CISSP Chief Information Security Officer Metropolitan Water District of Southern California


Introduction

Threat and Risk Analysis

Implementing the Basics

Responding to Incidents

The Basics in Ten Steps

Questions

Starting the Cybersecurity Program

Rule 1: There is no silver bullet

There is no single technology or stack that will defend your enterprise

Learn to understand and assess threats, and then decide what you will do when cyberattacks occur

Rule 2: The only constant in Cybersecurity is Change

Cyberthreats evolve quickly

The ability to identify and respond to threats needs to be equally agile

Rule 3: You can’t fix stupid, but you have to try.

Users will always click on phishing links, bring in thumb drives not issued by the organization, try to connect personally owned devices to the network, carry around sensitive data on unencrypted storage, write down their passwords, etc.

You have to change culture through relevant awareness training

Is Cybersecurity Primarily a technology issue or a policy issue?

We need to change the conversation about Cybersecurity. This topic is usually framed as an Information Technology issue or problem. The reality is that Cybersecurity is a Public Safety issue, and all organizations should treat it accordingly.

EXAMPLE MISSION STATEMENT

The Office of Enterprise Cybersecurity will implement and maintain sufficient administrative and technical controls on a continuous basis to ensure adequate safeguards exist to mitigate threats to MWD Information and Operational Technology systems from inadvertent and/or deliberate harm.

Our Mission is accomplished through the following:

People – Cyber Security Awareness Training (provide online training and continuous education for MWD employees)

Process – Policy, Practices, Plans and Procedures (develop cybersecurity governance and implement administrative guidance on access to and use of technology assets)

Technology – Technical Safeguard Innovation (continuously strive to improve technical safeguards to provide the greatest level of risk mitigation)

Validation – Cyber Resilience Reviews, i.e., assessments, audits and testing to validate the effectiveness of cybersecurity controls

Understand the Business

•Core Competency

•Business Processes

•Desired Outcomes

•Classification of Data

•Business Continuity Requirements

Understand the Potential Motivations for Bad Actors

•Disrupt Operations

•Theft of PII

•Ransom Sensitive Data and Vulnerable Systems

•Make a Political Statement

Who could the Bad Actors Be?

•Nation States

•Hacktivists

•Cybercriminals

TTPs the Bad Actor Will Use

•Phishing Campaigns

•APTs

•Social Engineering

•Web Site Defacement

What Outcomes are the Bad Actors Seeking

•Political Gain

•Notoriety

•Financial Gain

•Harassment

•Damage the Organization’s Reputation

Assess Risk

https://calcsic.org/?AspxAutoDetectCookieSupport=1

Anomali threat intelligence platform (provided through MS-ISAC)

Example: Anomali Threat Model

There are no right or wrong decisions; there are only decisions based on an assessment of risk, or decisions based on a lack of understanding of risk

Understand your organization’s risk tolerance

DHS Cyber Resilience Review

• Asset Management

• Controls Management

• Change & Configuration Management

• Vulnerability Management

• Incident Management

• Service Continuity Management

• Risk Management

• External Dependencies Management

• Training & Awareness

• Situational Awareness

NIST Cyber Security Framework

• Identify

• Protect

• Detect

• Respond

• Recover

DHS CRR + NIST CSF = THE ABILITY TO MEASURE EXPOSURE

Ask, “Is it a Feeling or a Fact?” when identifying and assessing risks

CRR Domains and Descriptions

Asset Management: Identify, document, and manage assets (people, information, technology, facilities) during their life cycle to ensure sustained productivity to support critical services.

Controls Management: Identify, analyze, and manage controls in a critical service’s operating environment.

Configuration and Change Management: Establish processes to ensure the integrity of assets using change control and change control audits.

Vulnerability Management: Identify, analyze, and manage vulnerabilities in a critical service’s operating environment.

Incident Management: Establish processes to identify and analyze events, detect incidents, and determine an organizational response.

Service Continuity Management: Ensure the continuity of essential operations of services and their associated assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.

Risk Management: Identify, analyze, and mitigate risks to critical service assets that could adversely affect the operation and delivery of services.

External Dependencies Management: Establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.

Training and Awareness: Develop skills and promote awareness for people with roles that support the critical service.

Situational Awareness: Actively discover and analyze information related to immediate operational stability and security, and coordinate such information across the enterprise to ensure that all organizational units are performing under a common operating picture.

Defensive Posture: People, Process, Technology, and Organizational Culture

Assessment cycle: Internal Audit → Self Assessment → Third-Party Audit/Assessment → Self Assessment

The Assessment Program evaluates practices across a range of domains.

Assessment will need to become a continuous process for agencies. The process is kicked off by an internal audit review, followed by self assessment to ensure remediation of findings is on track. It is then validated by third-party audit services and refined by follow-up self assessment to confirm the organization is improving.

The assessments should measure existing agency resilience as well as provide a gap analysis for improvement based on recognized best practices and the agency adopted cybersecurity framework

Cyber Threat Intelligence and Risk Assessment

People, Process, Technology, and Culture

Cyber Incident Response and Recovery

Assessing threats and identifying risks coupled with a clear understanding of how the organization will respond when attacks occur drives policy, process, design and procurement decisions

Zero Trust: based on the idea that nobody and nothing is trusted automatically, regardless of logical location. Before gaining access to any part of the enterprise network, users, machines and applications must be authenticated (and authorized) through technologies that validate the identity of the user or device requesting access.

Defense in Depth: in this approach, defensive technologies are layered to protect valuable data and information. If one mechanism fails, another is already in place to thwart the attack.

Defense in Depth and Zero Trust controls mapped to the kill chain

Reconnaissance

• WAF

• Cybersecurity Awareness Training

Weaponization

•Patch and Vulnerability Management

Delivery

• Secure Email Gateways

• Securing External Storage (USB)

Exploitation

• End Point Advanced Threat Protection

Installation

• Identity and Access Management and PAM

• MFA

Command & Control

• Web Proxy w/ Advanced Threat Protection / Secure DNS

• Next Gen Firewalls

Exfiltration or Actions

• SIEM

• Data Loss Prevention (DLP)

• AI / ML Network Monitoring

Develop Cyber Incident Response Plans, Playbooks, and Reporting Templates

How do you manage the incident?

What does recovery look like for you?

Recommended Practice / Implementation Example

1 Eliminate Any Exposure of Equipment to External Networks
➢ An administrative “jump” host is required for management of IT/OT applications and systems

2 Implement Network Segmentation and Apply Firewalls
➢ Separate control zones (DMZs) are established
➢ Policy-based segmentation
➢ Network addressing is unique to business systems, application servers, management VLANs, Domain Controllers, and OT networks
➢ VLAN pruning and router-on-a-stick

3 Use Secure Remote Access Methods
➢ A secure VPN is required for remote access
➢ MFA is required for all remote connections
➢ Use VDI and other EMM solutions

4 Establish Role-Based Access Controls and Implement System Logging
➢ Implementation of a holistic Identity and Access Management (IAM) system with MFA and role-based access
➢ Advanced system logging is enabled

5 Use Only Strong Passwords, Change Default Passwords, and Consider Other Access Controls
➢ MFA implemented for systems access
➢ Where MFA is not possible, require frequent password changes (90 days or less)
➢ Where MFA is not feasible, use as complex a password as the system allows
(Caveat: NIST SP 800-63B now advises against mandatory periodic rotation of user-chosen passwords unless compromise is suspected; length, screening against breached-password lists, and MFA do more than frequent changes.)

6 Maintain Awareness of Vulnerabilities and Implement Necessary Patches and Updates
➢ Implement an enterprise-level vulnerability scanner
➢ Monthly scans are conducted on all systems and networks
➢ Regular patch advisories are issued and executed

7 Develop and Enforce Policies on Mobile Devices
➢ Implement mobile device management (MDM) and/or BYOD policies
➢ Implement a holistic enterprise mobility management (EMM) solution
➢ Require enrollment of mobile devices in EMM in order to gain access to resources

8 Implement an Employee Cybersecurity Training Program
➢ All employees are directed to complete online Cybersecurity Awareness Training
➢ All contractors / consultants requiring access to networks must complete online Cybersecurity Awareness Training
➢ Publish regular reminders and advisories to create a cybersecurity awareness culture
➢ Use internal phishing campaigns to test training effectiveness

9 Involve Executives in Cybersecurity
➢ Quarterly security briefings for the non-IT executive leadership
➢ Monthly Security / Cybersecurity Governance meeting

10 Implement Measures for Detecting Compromises and Develop a Cybersecurity Incident Response Plan
➢ Implement Security Information and Event Management (SIEM) technology
➢ Establish a local Security Operations Center
➢ Outsource, or share responsibility with, a Managed Security Service Provider
➢ Establish a Cyber Incident Response Plan
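Steps 1 and 2 above (jump host only for management, policy-based segmentation with firewalls between zones) become testable once the policy is written down. The following is an added example, not code from the presentation or from MWD: a default-deny segmentation check run over constructed firewall flow records. The zone names, CIDR ranges, jump-host address and allowed-flow policy are all assumed for illustration.

```python
"""Policy-based segmentation check run over constructed firewall flow records.

Zones are defined by CIDR and the policy lists the only (source zone,
destination zone, destination port) combinations that may communicate;
everything else is denied by default. Management protocols into the server
and OT zones are permitted only from the administrative jump host.
All addressing, zone names and the policy itself are constructed for this
example and are not MWD's.
"""
import ipaddress

ZONES = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "mgmt":    ipaddress.ip_network("10.99.0.0/24"),
    "dmz":     ipaddress.ip_network("172.16.1.0/24"),
    "ot":      ipaddress.ip_network("192.168.100.0/24"),
}
JUMP_HOST = ipaddress.ip_address("10.99.0.10")   # assumed jump host address
MGMT_PORTS = {22, 3389, 5900}                    # SSH, RDP, VNC
PROTECTED_ZONES = {"servers", "ot"}              # management only via the jump host

# Allowed flows: (src_zone, dst_zone) -> permitted destination TCP ports.
# Anything not listed here is denied (default deny).
ALLOW = {
    ("users", "servers"):  {443, 445},
    ("users", "dmz"):      {443},
    ("external", "dmz"):   {443},
    ("dmz", "servers"):    {1433},
    ("mgmt", "servers"):   {443},
    ("servers", "ot"):     {502},    # historian polling Modbus/TCP
}


def zone_of(ip):
    """Map an address to its zone; anything outside the defined zones is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(flow):
    """Return (verdict, reason) for a flow dict with src, dst and dport keys."""
    src_zone, dst_zone, port = zone_of(flow["src"]), zone_of(flow["dst"]), flow["dport"]
    # Management protocols into protected zones: jump host or nothing.
    if dst_zone in PROTECTED_ZONES and port in MGMT_PORTS:
        if ipaddress.ip_address(flow["src"]) == JUMP_HOST:
            return "allow", f"management of {dst_zone} via jump host"
        return "deny", f"management port {port} into {dst_zone} only from jump host"
    if port in ALLOW.get((src_zone, dst_zone), set()):
        return "allow", f"{src_zone}->{dst_zone}:{port} is in policy"
    return "deny", f"{src_zone}->{dst_zone}:{port} not in policy (default deny)"


def audit(flows):
    """Annotate every flow with its verdict and reason."""
    results = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        results.append({**flow, "verdict": verdict, "reason": reason})
    return results


# Constructed flow records (as a firewall or NetFlow export might yield them).
SAMPLE_FLOWS = [
    {"src": "10.10.5.23",   "dst": "10.20.1.8",      "dport": 445},   # users -> file server
    {"src": "10.10.5.23",   "dst": "192.168.100.20", "dport": 502},   # users -> PLC, no policy
    {"src": "10.10.7.4",    "dst": "192.168.100.20", "dport": 3389},  # users -> PLC over RDP
    {"src": "10.99.0.10",   "dst": "192.168.100.20", "dport": 22},    # jump host -> PLC
    {"src": "10.99.0.5",    "dst": "10.20.1.8",      "dport": 22},    # other mgmt host -> server
    {"src": "203.0.113.50", "dst": "172.16.1.10",    "dport": 443},   # internet -> DMZ web
    {"src": "203.0.113.50", "dst": "10.20.1.8",      "dport": 443},   # internet -> internal server
    {"src": "10.20.3.3",    "dst": "192.168.100.20", "dport": 502},   # historian -> PLC
]

if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        print(f'{r["verdict"]:5} {r["src"]:>14} -> {r["dst"]:>15}:{r["dport"]:<5} {r["reason"]}')
```

Run against real exports, the "deny" rows are the segmentation gaps to chase: direct RDP from a user VLAN into OT, or a second management host bypassing the jump host, are exactly the exposures steps 1 and 2 are meant to remove.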
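Step 10 calls for SIEM technology and measures for detecting compromises; the value of a SIEM is in the correlation rules written on top of the logs step 4 enables. The following is an added example, not code from the presentation or from MWD: two correlation rules (brute force followed by a successful logon, and password spraying) run over constructed sshd-style authentication lines. The log format, timestamps, usernames, source addresses and thresholds are assumed for illustration.

```python
"""SIEM-style correlation rules over constructed sshd authentication log lines.

Rule 1 (brute force then success): at least THRESHOLD failed logons from one
source IP within WINDOW, followed by an accepted logon from that same IP.
Rule 2 (password spray): one source IP fails against at least SPRAY_USERS
distinct usernames within WINDOW.
Log format, source IPs and usernames are constructed for this example.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

WINDOW = timedelta(minutes=5)   # correlation window (assumed)
THRESHOLD = 5                   # failures before a later success is suspicious
SPRAY_USERS = 3                 # distinct usernames from one source = spray


@dataclass
class Event:
    ts: datetime
    outcome: str   # "Accepted" or "Failed"
    user: str
    src: str


def parse(line):
    """Return an Event for a matching auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"])


def correlate(lines):
    """Run both rules over lines in time order; return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)   # src -> deque of (timestamp, user) failures
    sprayed = set()                 # sources already reported for spraying
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev.src]
        while recent and ev.ts - recent[0][0] > WINDOW:   # age out old failures
            recent.popleft()
        if ev.outcome == "Failed":
            recent.append((ev.ts, ev.user))
            users = {u for _, u in recent}
            if len(users) >= SPRAY_USERS and ev.src not in sprayed:
                sprayed.add(ev.src)
                alerts.append({"rule": "password_spray", "src": ev.src,
                               "users": sorted(users), "at": ev.ts.isoformat()})
        elif len(recent) >= THRESHOLD:
            alerts.append({"rule": "brute_force_then_success", "src": ev.src,
                           "user": ev.user, "failures": len(recent),
                           "at": ev.ts.isoformat()})
            recent.clear()          # do not re-alert on the same burst
    return alerts


# Constructed sample log (not real MWD data). Index 0 is a stale failure that
# falls outside the window and must not count toward the brute-force threshold.
SAMPLE_LOG = [
    "2024-03-04T08:50:00 sshd[1190]: Failed password for ops from 203.0.113.7 port 51800 ssh2",
    "2024-03-04T09:00:01 sshd[1201]: Failed password for ops from 203.0.113.7 port 51812 ssh2",
    "2024-03-04T09:00:04 sshd[1202]: Failed password for ops from 203.0.113.7 port 51813 ssh2",
    "2024-03-04T09:00:07 sshd[1203]: Failed password for ops from 203.0.113.7 port 51814 ssh2",
    "2024-03-04T09:00:10 sshd[1204]: Failed password for ops from 203.0.113.7 port 51815 ssh2",
    "2024-03-04T09:00:13 sshd[1205]: Failed password for ops from 203.0.113.7 port 51816 ssh2",
    "2024-03-04T09:00:20 sshd[1206]: Accepted password for ops from 203.0.113.7 port 51817 ssh2",
    "2024-03-04T09:01:00 sshd[1210]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2",
    "2024-03-04T09:01:02 sshd[1211]: Failed password for root from 198.51.100.9 port 40002 ssh2",
    "2024-03-04T09:01:04 sshd[1212]: Failed password for invalid user backup from 198.51.100.9 port 40003 ssh2",
    "2024-03-04T09:02:00 sshd[1220]: Failed password for jsmith from 10.0.0.5 port 50000 ssh2",
    "2024-03-04T09:02:05 sshd[1221]: Accepted password for jsmith from 10.0.0.5 port 50001 ssh2",
    "2024-03-04T09:03:00 sshd[1230]: Connection closed by 10.0.0.5 port 50001",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The same two rules translate directly into a SIEM's correlation language; what carries over is the design: a bounded time window so stale failures are aged out, a per-source state so one noisy host cannot mask another, and one alert per burst so the SOC is not flooded by a single attacker. Each alert is the trigger for the playbook the incident response plan in step 10 should already define.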