NCI Tech Day Bit9 + Carbon Black
nci.ca/wp-content/uploads/2015/06/Bit-9-+-Carbon-Black-Ottawa...

NCI Tech Day

Bit9 + Carbon Black

Christopher Strand Sr. Director of Compliance and Governance Programs Jennifer Allen Information Security Compliance Specialist

Bit9 + Carbon Black: Arm Your Endpoints

Leader in Endpoint Threat Prevention, Detection, and Response

Large Partner Ecosystem and Integrations

• 1,000+ customers
• 4M+ endpoints
• 25+ Fortune 100
• Large enterprise and SMB

Rapidly Detect & Respond to Threats

Reduce Your Attack Surface


Partner ecosystem diagram (labels only): Network Security, Threat Intelligence, IR & MSSP, SIEM and Analytics, Endpoint Security; 25+ technology integrations.

Bit9 + Carbon Black: Arm Your Endpoints

For IT and Security Teams Managing Desktops, Servers, and Fixed-function Devices

+ World’s most widely deployed application control/whitelisting solution
+ Single agent for visibility, detection, response, prevention
+ Trust-based and policy-driven

The Most Comprehensive Endpoint Threat Protection Solution

For Security Operations Center and Incident Response Teams

+ Only solution with continuous recording; live response; threat isolation, termination and remediation
+ Real-time customizable detection
+ Complete kill chain analysis based on recorded history and attack visualization

The Leading Endpoint Threat Detection and Response Solution

Open API and Integrations

Threat Intelligence Cloud: Reputation, Threat Indicators, Attack Classification

Supported Operating Systems

Integrations: Network Security, Analytics and SIEM, In-House & Custom Tools

Arm Your Endpoints and Achieve Continuous Compliance

Real-time Visibility of in-scope systems and events

Complete Protection from ALL malware threats on every in-scope system and beyond

Control over critical changes and system events

“Active Intelligence” to Measure risk and Prioritize events

Immediate Enforcement and Audit of security compliance policy and BAUs

Bit9+Carbon Black Compliance Coverage

Board Level: Cyber security is the #1 worry of Directors and Chief Legal Counsel.

CEO: A national retail CEO was fired following a data breach.

Reputation: 1 in 3 consumers stop shopping at retailers impacted by data breaches.

Stock Price: A payment provider lost $800M in shareholder value following a breach.

Customer Impact: 1 in 2 Americans were impacted by a data breach last year.

Legal: Data breach reporting and litigation can cost millions.

Governance and Audit: Increased focus and scrutiny by IT auditors, greater fines.

Merge Compliance and Security

Achieve Continuous Compliance and Strengthen Your Security Profile

You must validate both compliance and security with controls that:

CHALLENGE: Compliance = Security

1. Real Time Visibility
2. Stop Analyzing Change and Start Controlling it
3. “Active Intelligence” and Always-on Monitoring
4. Complete Protection from ALL Malware Threats
5. Immediate Enforcement and Audit of Security Compliance Policy

1. Identify, Classify & Scope Critical Business Processes
2. Monitor & Prevent Change
3. Measure, Identify & Analyze Risk
4. Detect & Prevent Malware
5. Actively Enforce Policy

Continuous Security Compliance for Retail POS and PCI

Security Compliance

• Critical Data Protection and Classification (2.x)
• Change Control (11.5)
• Risk Analysis (6.1, 6.2)
• Malware Protection (5.x)
• Policy Enforcement (12.x)

Lowers administration and speeds attainment

• Real-time visibility of in-scope systems and events
• Control over critical changes and system events
• “Active Intelligence” to measure risk and prioritize events
• Complete protection from ALL malware threats on every in-scope system and beyond
• Immediate enforcement and audit of security compliance policy and BAUs

Current Vulnerabilities and Hazards

Windows EOL XP and 2003 – July 14th 2015

58% of businesses do not have a fully mature patch management process in place, and 12% do not have a patch management process in place at all.

* Trustwave 2014 State of Risk report

Even if a support package is purchased from Microsoft, you get only the patches deemed critical, not the moderate and low ones.

The absence of vulnerability and security patches puts businesses at risk of failing compliance requirements (PCI, HIPAA) and increases company-wide LIABILITY. Examples:

• PCI Requirement 6.2: update all critical in-scope systems with the latest security patches within 30 days.

• HIPAA Sec. 164.308 (a)(1) Security Management Process – Risk Analysis.

Unsupported OS and Applications: Compliance

Cost of Support

The estimated cost of premier support per 2K3 endpoint system is 3x the cost of XP:

*Taken from Microsoft yearly Premier Support

• First year: $200 per PC for XP, $600 for 2K3
• Second year: $400 per PC for XP, $1,200 for 2K3
• Third year: $1,000 per PC for XP, $3,000 for 2K3

Premier support provides:

• Critical patches only
• Important patches are available at an additional price. Historically, Microsoft labeled many patches as ‘important’ that should have been labeled as ‘critical’
• No support for moderate- or low-priority security updates = widening threat window

Windows Server 2003 End-of-Life Survey

Completed in March 2015, based on 500 IT leaders at medium and large enterprises in the US and UK:

34% of organizations are still using a combination of Windows XP and Windows Server 2003.

Another 10% of organizations continue to use Windows XP exclusively.

30% plan to continue to run WS2K3 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected.

57% of enterprises do not know when the end of life deadline is.

14% of enterprises do not yet have an upgrade plan for WS2K3.

Can’t Upgrade? Extend the Life of Your Systems with Compensating Controls

There are three compensating controls that can keep your systems secure after end of life:

Network Isolation – isolate WS2K3 servers so that these machines cannot access your central services.

Virtualization – virtual desktop infrastructure (VDI) where you host Windows 2003 (and the WS2K3 legacy application) on a PC running Windows 7 or Windows 8 (some risks involved).

Positive Security – a model based on known-good applications that focuses on what you want to happen on your systems, rather than on enumerating what is bad.
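The positive-security model described above, as an added example that is not part of the original presentation and is not Bit9 or Carbon Black product code: a minimal hash-based application allowlist in which anything not known good is blocked, with a monitor-only mode for the baselining phase (the slide's "Monitor & Prevent Change") and an audit trail of every decision. The sample "binaries", paths and the allowlist entry are constructed for the example.

```python
"""Minimal positive-security (allowlist) model for executable content.

Added illustration, not Bit9/Carbon Black code. The file contents, paths
and approved-hash list below are constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Decision:
    path: str
    sha256: str
    allowed: bool
    reason: str


@dataclass
class AllowlistPolicy:
    """Known-good hashes plus an enforce/monitor switch.

    In monitor mode every execution is recorded but nothing is blocked;
    that is how an allowlist is normally baselined before enforcement.
    Unknown content is the default-deny case: it is never trusted because
    it is absent from a blocklist, only because it is present on the allowlist.
    """
    approved: Dict[str, str]                 # sha256 -> label (constructed)
    enforce: bool = True
    audit_log: List[Decision] = field(default_factory=list)

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def evaluate(self, path: str, data: bytes) -> Decision:
        h = self.digest(data)
        label = self.approved.get(h)
        if label is not None:
            decision = Decision(path, h, True, f"approved: {label}")
        elif self.enforce:
            decision = Decision(path, h, False, "not on allowlist: blocked")
        else:
            decision = Decision(path, h, True, "not on allowlist: monitor-only, recorded")
        self.audit_log.append(decision)   # every decision is auditable
        return decision

    def unapproved_seen(self) -> List[Decision]:
        """Audit view: executions that are (or would be) blocked under enforcement."""
        return [d for d in self.audit_log if d.reason.startswith("not on allowlist")]


# Constructed stand-ins for real executables.
POS_APP_V1 = b"POS application build 1.0 -- constructed sample"
POS_APP_TAMPERED = POS_APP_V1[:-1] + b"!"   # a single changed byte
UNKNOWN_TOOL = b"unknown downloaded tool -- constructed sample"


def build_policy(enforce: bool = True) -> AllowlistPolicy:
    # Only the known-good POS build is approved.
    approved = {AllowlistPolicy.digest(POS_APP_V1): "pos-app 1.0"}
    return AllowlistPolicy(approved=approved, enforce=enforce)


def run_demo(enforce: bool = True) -> List[Decision]:
    """Evaluate three constructed executions and return the decisions in order."""
    policy = build_policy(enforce)
    samples = {
        r"C:\POS\pos.exe": POS_APP_V1,                       # approved build
        r"C:\POS\pos.exe (modified)": POS_APP_TAMPERED,      # tampered build
        r"C:\Users\clerk\Downloads\tool.exe": UNKNOWN_TOOL,  # never approved
    }
    return [policy.evaluate(path, data) for path, data in samples.items()]


if __name__ == "__main__":
    for d in run_demo():
        print("ALLOW" if d.allowed else "BLOCK", d.path, "-", d.reason)
```

The tampered build is blocked even though its path and name are unchanged, because trust is attached to content, not location; that is the property that lets an allowlist stand in for patches on a system that can no longer receive them.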

Third Party Risk – Do you know TPISA?

68% of businesses transfer sensitive data between locations; 58% of businesses use third parties to manage sensitive data, yet almost half (48%) do not have a third-party management program in place. (Trustwave 2014 State of Risk report)

Things to consider in your TPISA Program:

• Full data lifecycle analysis
• GRC programs for managing risks and contract changes
• Escrow agreements and contract language
• SSAE16 standardized review and reporting
• Use cases and certifications

Retail payment environment diagram (labels only): POS and ATMs, Terminals, Card Reader, Backend Servers, Loyalty Servers, Transactional Data Servers, Payment Processors and Integrated Systems. Each system in the diagram is marked “Block execution on every system”.

CNN Money: ATM Bank Hacking

Current Compliance Requirements and Best Practice Standards for Continuous Monitoring

PCI DSS 3.0

1. PCI 3.0 will affect a greater number of companies than it ever has before.

2. PCI 3.0 is increasing the scrutiny of security control measurement to a greater degree than any of the previous versions of the standard.

3. PCI 3.0 is more technology agnostic than ever before. This opens the door for businesses to consider alternate technologies as primary and compensating controls to meet PCI requirements.

HIPAA and HITECH

Part 1: The HIPAA Omnibus Rule and Its Impact on Security – https://www.youtube.com/watch?v=x__DfCo1HOc

Part 3: Why a Risk Assessment Is Critical to HIPAA Compliance and Security – https://www.youtube.com/watch?v=P5C4EBO9ZMs

According to the Fifth annual Ponemon study research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million.

Utilities and Government

NERC/FERC CIP-005-1-R1.6 states that “an electronic Security Perimeter should be established that provides . . . Monitor and Log Access 24X7X365.”

FISMA/FISMA 2: FISMA and FISMA 2 also require continuous monitoring activities that include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

NIST and ISO

NIST 800-53: describes automated inspection items in connection with a continuous monitoring program built on CA-2 (security assessment), CA-4 (security certification) and CA-7 (continuous monitoring and vulnerability detection).

ISO/IEC 27001: provides a description of an information security management system that calls for continual process improvement in information security. To accomplish this goal, an organization must continuously monitor its own security-related processes and improve according to feedback from objective measurements.

FFIEC Handbooks: Security Monitoring

Financial institutions should gain assurance of the adequacy of their risk mitigation strategy and implementation by:

• Monitoring network and host activity to identify policy violations and anomalous behavior;
• Monitoring host and network condition to identify unauthorized configuration and other conditions which increase the risk of intrusion or other security events;
• Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and
• Responding to intrusions and other security events and weaknesses to appropriately mitigate the risk to the institution and its customers, and to restore the institution's systems.

Governance and Risk

Complex overlap of IT Objectives

Governance

Situational security is an enterprise’s collective assessment of the threat posture, vulnerability posture, compliance posture, and incidents at a moment in time. Actionable intelligence from an enterprise’s circumstances and conditions is the essence of situational awareness.

Situational awareness is the state of vigilance where an enterprise is alert to the constantly changing threat landscape, constructively makes decisions, and responds proactively.

Who should own governance?

Risk Checklist for Success

VULNERABILITY MANAGEMENT AND SECURITY TESTING PROGRAMS

Update your vulnerability management and penetration testing programs with the latest security requirements and ensure they are part of your risk, change control, compliance and corporate governance initiatives.

Prioritize any vulnerability findings and communicate them to allow senior management to help assess the level of risk.

Review the security model being used to secure your data, if you are using a third party to run your security management programs and to store your vulnerability database.

Confirm the vulnerability and associated risk is no longer present in your systems once you have mitigated a weakness.

Discussion

Aligning Business with Info Sec

Do you face the following challenges?

• Senior management’s commitment to information security initiatives
• Management’s understanding of information security issues
• Information security planning prior to implementation of new technologies
• Integration between business and information security
• Alignment of information security with the enterprise’s objectives
• Executive and line management’s ownership and accountability for implementing, monitoring and reporting on information security

Verizon Report on Compliance and Business Strategy

There will always be constraints on the number of people and the money available, and it can be a challenge to convince senior management that these resources should be focused on “compliance” rather than, say, developing a new product line.

Unless they can see the relationship between the effort that they put into compliance and the benefits they get out, the logical approach would be to do the bare minimum to comply. This is a challenge when security and compliance are there to avoid a possible negative outcome: how can you measure the cost of a breach that you avoided?

Many organizations are still either not sufficiently aware, or not capable of measuring the benefits of compliance to justify the investment in not just complying with the letter, but also the spirit of the rules.

There are many benefits of taking a holistic approach to governance, risk and compliance, both regulatory and operational.

Continuous measuring and monitoring of the operational benefits of compliance drives increased understanding and support for data protection, compliance, and eventually the acknowledgment that compliance can make a substantial contribution toward more effective business management.

How do you put a value on compliance? Unlike many business investments, the ROI of compliance may not be immediately obvious in terms of bottom-line benefits.

* Verizon Report 2015

Continuously Proactive

Value Proposition for Continuous Monitoring

Security

• Immediate visibility into everything running in your environment to prevent, detect & respond to threats that evade traditional security defenses
• Mitigate weakness in third-party applications
• Go beyond scanners’ point-in-time snapshots & signatures to prevent “alert fatigue”, identify threats in real time & rapidly respond
• Eliminate the risk from malicious, illegal and unauthorized software

Compliance

• Compliance governing automation
• Support for legacy, orphaned, or end-of-life applications & operating systems
• No need for scans or other performance-burdensome procedures
• Aggregate big data to relieve data fatigue – integrate your data to personalize your compliance stance in real time

Questions?