NIST Critical Security Framework (CSF)
Transcript of NIST Critical Security Framework (CSF)
Page 1
NIST Cybersecurity Framework (CSF): Measuring Security
Dick Bussiere | Technical Director | Asia Pacific
Page 2
Agenda
• Some opening observations
• What is the NIST Cybersecurity Framework?
• Why should YOU care?
• How would I apply it?
• How would I measure my effectiveness?
Page 3
Would you drive BLINDFOLDED?
Page 4
Things to Ponder
• 205 days until a breach is detected (APAC average)
• Can you say with certainty that you are 100% secure?
• Do you know with certainty that you have NOT been breached?
Page 5
Heard on the street…
• 88% of organizations believe security should be a top or high priority of the business
• 68% of CEOs view security as a top or high priority to the business
• 16% of organizations completely agree that the business has the ability to defend itself from security attacks
Page 6
A false sense of security?
Page 7
Page 8
Yet breaches continue to increase at an unprecedented rate.
Companies spent $76.9B in 2015 on information security.
Page 9
Without a Security Framework…
Page 10
Heard on the street…
• 88% of organizations believe security should be a top or high priority of the business
• 68% of CEOs view security as a top or high priority to the business
• 16% of organizations completely agree that the business has the ability to defend itself from security attacks
Page 11
IF YOU CAN'T MEASURE IT, YOU CAN'T CONTROL IT
Page 12
IF YOU CAN'T MEASURE IT, YOU CAN'T IMPROVE IT
Page 13
The Survey Says…
Security frameworks guide the way
• 84% leverage a security framework
• Broad range of company sizes
Wide range of frameworks utilized
• 44% used more than one framework
• EOY 2016: CSF (43%), CIS (44%), ISO (44%)
Best practice and requirements drive CSF adoption
• 70% adopted CSF because they consider it best practice
• 29% adopted CSF because a partner required it
Security framework adoption is a journey
• Only 1 in 5 rank their organization as very mature
• More than half of CSF adopters require significant investment to fully conform
Survey conducted by Dimensional Research, March 2016; 316 IT and security professionals interviewed in the US.
Page 14
Executive Order 13636
"Improving Critical Infrastructure Cybersecurity" (February 2013), the order that directed NIST to develop the Cybersecurity Framework.
Page 15
Why Cyber Security Framework?
• Asks the question "what are you doing to improve?" rather than "did you implement control XYZ?"
• Results in a shift from compliance to action and specific outcomes
• Business oriented
• Has a built-in maturity model and gap analysis; no need to overlay another maturity model on top of CSF
• Measures where you are and where you need to go
• Can be implemented "piecemeal" as required, making it more appealing to business
Page 16
Why Cyber Security Framework?
• Repeatable
• Flexible
• Technology neutral
• Cost effective
• Measurable!
• Common language
Page 17
Objectives of CSF in a nutshell
• Describe current security posture
• Describe target security posture
• Assess progress towards target posture
• Communicate risk
• Continuous improvement
Page 18
A Framework of Frameworks
The NIST Cybersecurity Framework maps onto existing standards rather than replacing them:
• ISO/IEC 27001
• CCS CSC
• ISA 62443
• NIST SP 800-53
• COBIT 5
Page 19
The Cyber Security Framework at 40,000 feet…
CSF Core (what it does)
• Identify • Protect • Detect • Respond • Recover
Framework Profile (where you are and where you want to go)
• Defines (measures) current state
• Defines (measures) desired state
Framework Implementation Tiers (how you view cybersecurity)
• Four Tiers that show how cybersecurity risks and processes are viewed within an organization
• Required Tier based on perceived risk/benefit analysis
Page 20
CSF Component 1 – Framework Core
• Identify
• Protect
• Detect
• Respond
• Recover
Page 21
5 Core CSF Functions Explained…
• Identify: understand what is important to the business and what the risks are
• Protect: develop safeguards to ensure confidentiality, integrity and availability (CIA)
• Detect: find bad things
• Respond: what you do when bad things happen
• Recover: how to restore what the bad guys broke
Page 22
Structure
Page 23
Structure Example

| Function Unique Identifier | Function | Category Unique Identifier | Category | Subcategory | Informative References |
|---|---|---|---|---|---|
| ID | Identify | ID.AM | Asset Management | ID.AM-1: Physical devices and systems within the organization are inventoried | CCS CSC 1; COBIT 5; ISA 62443-2-1:2009 |
| ID | Identify | ID.AM | Asset Management | ID.AM-2: Software platforms and applications within the organization are inventoried | CCS CSC 2; COBIT 5; ISA 62443-2-1:2009 |

Every Subcategory identifier carries its lineage: Function (ID), Category (ID.AM) and outcome number (ID.AM-1), so a measurement taken against any Subcategory can be rolled up to its Category and Function.
Page 24
Everything kinda looks the same…
Page 25
Use CSF as an ingredient in a custom control framework
Inputs: risk profile, requirements and resources; ISO/IEC 27001; NIST Cybersecurity Framework; ISA 62443
Output: tailored control framework
Page 26
Use CSF to "normalize" existing frameworks to a common language
Inputs: risk profile, requirements and resources; ISO/IEC 27001; CIS Critical Security Controls; ISA 62443
"Normalization layer": NIST Cybersecurity Framework
Page 27
CSF Component 2 – Framework Implementation Tiers
How cybersecurity risks and processes are viewed within the organization, in increasing order of sophistication:
• Tier 1: Partial
• Tier 2: Risk Informed
• Tier 3: Repeatable
• Tier 4: Adaptive
Note that NIST states the Tiers describe the rigor of an organization's risk management practices and do not represent maturity levels.
Page 28
CSF Component 3 – Framework Profile
• Presents an overview of present and future cybersecurity posture, driven by business requirements, risk tolerance and resources
• Used to define current state and desired state
• Can help measure progress…
Page 29
A Common Language for All Levels
Executive level. Focus: organizational risk. Actions: risk decisions and priorities.
  ↓ priorities, risk appetite, budget        ↑ status, changes in risk
Process level. Focus: risk management. Actions: select Profile, allocate budget.
  ↓ Framework Profile                        ↑ implementation progress; vulnerabilities, threats, assets
Operations level. Focus: risk management implementation. Actions: secure infrastructure, implement Profile.
Page 30
Process
1. Prioritize and Scope: business objectives, priorities, strategy
2. Orient: related systems, assets, regulations
3. Risk Assessment: exposure, tolerance
4. Create Current Profile: where you are now
5. Create Target Profile: where you need to be
6. Gap Analysis: delta between Current and Target
7. Action Plan, then MEASURE
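The Current Profile, Target Profile, gap analysis and action plan steps on this page, carried through in code. This is an added example, not part of the deck or of any Tenable tool. It assumes two things the CSF itself does not define: each Subcategory is rated on a local 0–4 scale (0 = not implemented, 4 = fully implemented and measured), and each Subcategory carries a business-risk weight produced by the Prioritize-and-Scope and Risk Assessment steps. All profile data is constructed.

```python
"""Added example (not from the slides): CSF gap analysis between a Current
Profile and a Target Profile, then a prioritised multi-period action plan.

Assumptions (not defined by the CSF): a local 0-4 rating per Subcategory and
a 1-3 business-risk weight per Subcategory.  All data below is constructed."""

from dataclasses import dataclass

# The five Functions, keyed by the prefix used in Subcategory identifiers.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Constructed Current Profile: Subcategory -> rating 0..4 ("where you are now").
CURRENT = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 3,
           "DE.CM-1": 1, "RS.RP-1": 0, "RC.RP-1": 2}

# Constructed Target Profile ("where you need to be").
TARGET = {"ID.AM-1": 4, "ID.AM-2": 3, "PR.AC-1": 3,
          "DE.CM-1": 3, "RS.RP-1": 2, "RC.RP-1": 2}

# Constructed business-risk weight per Subcategory (1 = low, 3 = high).
RISK_WEIGHT = {"ID.AM-1": 3, "ID.AM-2": 2, "PR.AC-1": 3,
               "DE.CM-1": 3, "RS.RP-1": 2, "RC.RP-1": 1}


def function_of(subcategory_id: str) -> str:
    """Map a Subcategory identifier such as 'ID.AM-1' to its Function name."""
    return FUNCTIONS[subcategory_id.split(".", 1)[0]]


@dataclass
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    weight: int

    @property
    def delta(self) -> int:          # rating steps still to climb
        return self.target - self.current

    @property
    def priority(self) -> int:       # bigger gap on a riskier item comes first
        return self.delta * self.weight


def gap_analysis(current, target, weights):
    """Subcategories where the Target exceeds the Current rating, ordered by
    priority; ties are broken by identifier so the plan is stable run to run."""
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)   # never assessed counts as not implemented
        if want > have:
            gaps.append(Gap(sub, function_of(sub), have, want, weights.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def function_attainment(current, target):
    """Per-Function ratio of current to target rating: one number per Function
    for the executive-level view of how far along the organisation is."""
    have = {name: 0 for name in FUNCTIONS.values()}
    want = {name: 0 for name in FUNCTIONS.values()}
    for sub, rating in target.items():
        fn = function_of(sub)
        want[fn] += rating
        have[fn] += min(current.get(sub, 0), rating)  # over-delivery does not count
    return {fn: (have[fn] / want[fn] if want[fn] else 1.0) for fn in want}


def action_plan(gaps, steps_per_period):
    """Greedy plan: fill each period (e.g. a year) with the highest-priority gaps
    until its capacity, measured in rating steps that can be closed, is used."""
    periods, period, used = [], [], 0
    for gap in gaps:
        if used + gap.delta > steps_per_period and period:
            periods.append(period)
            period, used = [], 0
        period.append(gap.subcategory)
        used += gap.delta
    if period:
        periods.append(period)
    return periods


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT, TARGET, RISK_WEIGHT)
    for g in gaps:
        print(f"{g.subcategory:8} {g.function:9} {g.current}->{g.target} priority={g.priority}")
    for fn, ratio in function_attainment(CURRENT, TARGET).items():
        print(f"{fn:9} {ratio:.0%}")
    for year, items in enumerate(action_plan(gaps, steps_per_period=4), start=1):
        print(f"Year {year}: {', '.join(items)}")
```

Re-running `gap_analysis` after each period against a refreshed Current Profile is the MEASURE step: the plan shrinks as gaps close, and `function_attainment` gives the per-Function number the executive level asks for.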
Page 31
How is CSF Different?
• Expresses cybersecurity activities in a common language
• Leverages existing standards; does not reinvent the wheel; existing processes and guidelines can be mapped into CSF
• Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives
• Provides a vehicle to effectively measure cybersecurity effectiveness independent of the existing framework
Page 32
How does CSF help you?
CSF helps you to do all these great things…
• Reduce chance of breach, liability
• Ability to know status "on the fly"
• Communicate adherence to business, business partners, customers and auditors
• Meet contractual obligations
• Prioritize, evaluate security investments
• Reduce resource drain and impact of multiple audits
Page 33
Gartner says: "The CSF is an absolute minimum of guidance for new or existing cybersecurity risk programs…"*
*Gartner webinar: Using the NIST Cybersecurity Framework, https://www.gartner.com/user/registration/webinar?resId=3163821
Page 34
Gartner predicts: "By 2020, more than 50 percent of organizations will use the NIST Cybersecurity Framework, up from the current 30 percent in 2015."*
Page 35
To MEASURE, you need DATA…
Page 36
…and MORE DATA…
Page 37
Ingredients to Measuring Compliance
• Endpoint assessment
• Network monitoring
• Event monitoring
• Analytics
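What "measuring with data" looks like for the two Subcategories from the structure example on page 23, ID.AM-1 (physical devices inventoried) and ID.AM-2 (software platforms and applications inventoried). This is an added example, not part of the deck or of any vendor product: it assumes an authorized inventory (what the CMDB says should exist) and an endpoint-assessment result (what a scanner actually observed). Both data sets are constructed, and no real scanner output format is implied.

```python
"""Added example (not from the slides): scoring CSF Subcategories ID.AM-1 and
ID.AM-2 from endpoint-assessment data.  All data below is constructed."""

from dataclasses import dataclass, field

# Constructed authorized inventory (the CMDB view).
AUTHORIZED_DEVICES = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13"}
AUTHORIZED_SOFTWARE = {"openssh", "nginx", "postgresql", "python3"}

# Constructed assessment output: one record per host the scanner actually saw.
SCAN_RESULTS = [
    {"ip": "10.0.1.10", "software": ["openssh", "nginx"]},
    {"ip": "10.0.1.11", "software": ["openssh", "postgresql"]},
    {"ip": "10.0.1.12", "software": ["openssh", "python3", "ncat"]},
    {"ip": "10.0.1.50", "software": ["openssh", "teamviewer"]},  # never inventoried
]


@dataclass
class Measurement:
    subcategory: str
    inventoried: int        # observed items the inventory knew about
    observed: int           # everything the assessment found
    findings: list = field(default_factory=list)

    @property
    def coverage(self) -> float:
        """Fraction of what is really out there that the inventory accounts for.
        Scored against observation, so inventory entries nobody can find do not
        raise the number; an empty observation set scores 1.0 by convention."""
        return self.inventoried / self.observed if self.observed else 1.0


def measure_id_am_1(authorized_devices, scan_results) -> Measurement:
    """ID.AM-1: are the devices seen on the network in the inventory?"""
    seen = {host["ip"] for host in scan_results}
    unknown = sorted(seen - authorized_devices)      # rogue / shadow devices
    stale = sorted(authorized_devices - seen)        # inventory entries not observed
    findings = [f"unknown device {ip}" for ip in unknown]
    findings += [f"inventoried device not observed {ip}" for ip in stale]
    return Measurement("ID.AM-1", len(seen & authorized_devices), len(seen), findings)


def measure_id_am_2(authorized_software, scan_results) -> Measurement:
    """ID.AM-2: is the software actually installed covered by the inventory?
    Counted as (host, package) pairs, so one host full of unknown software
    weighs more than a single stray package."""
    observed = inventoried = 0
    findings = []
    for host in scan_results:
        for package in host["software"]:
            observed += 1
            if package in authorized_software:
                inventoried += 1
            else:
                findings.append(f"unauthorized software {package} on {host['ip']}")
    return Measurement("ID.AM-2", inventoried, observed, findings)


def meets_target(m: Measurement, target_coverage: float) -> bool:
    """The Target Profile for a Subcategory expressed as a coverage threshold."""
    return m.coverage >= target_coverage


if __name__ == "__main__":
    for m in (measure_id_am_1(AUTHORIZED_DEVICES, SCAN_RESULTS),
              measure_id_am_2(AUTHORIZED_SOFTWARE, SCAN_RESULTS)):
        status = "OK" if meets_target(m, 0.95) else "GAP"
        print(f"{m.subcategory}: {m.coverage:.0%} coverage [{status}]")
        for finding in m.findings:
            print("  -", finding)
```

The design choice worth noting is the denominator: coverage is computed against what the assessment observed, not against what the inventory claims, so a padded CMDB cannot improve the score, while the stale entries still surface as findings for the asset owners.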
Page 38
Page 39
Page 40
Three Year Action Plan Tool: http://www.tenable.com/whitepapers/nist-csf-implementation-planning-tool
Page 41
Contact me: [email protected]
Website: http://www.tenable.com
blog.tenable.com | tenable.com/podcast | youtube.com/tenablesecurity | discussions.nessus.org
Page 42
Thank You
Dick Bussiere | Technical Director | Asia Pacific