Is Cyber Resilience Really That Difficult?
- 1. May 18, 2016 John M. Gilligan Is Cyber Resilience Really That Difficult? 6th Cyber Resiliency Workshop
- 2. Cyber Resilience: A Personal Journey • The Early Days • Chasing the Dream • The Dark Ages of Cybersecurity • Dawn of the Internet • The “Cat is Out of the Bag” • Everyone’s Challenge 2
- 3. Personal Conclusions • Achieving original dream of resilience is a (very) long term objective • Cyber resiliency is a complex, system of systems engineering challenge • Cyber risk management requires knowledge most organizations do not possess • Market forces are not well aligned to achieve resiliency • Weak focus by IT development and operations communities hampers progress toward resilience 3
- 4. A Useful Framework For Addressing Cyber Resilience Sophisticated Unsophisticated Low HighMISSION/FUNCTION CRITICALITY THREAT 4
- 5. A Top Level Resilience Strategy Accept Risk (Low Risk) Deploy Targeted Advanced Security Controls/Methods Implement Comprehensive Baseline of Security Controls (“Good Hygiene”) Low High MISSION/FUNCTION CRITICALITY Sophisticated Unsophisticated THREAT 5
- 6. Implementing Resilience Step 2: Expand control coverage/augment methods to address sophisticated threats and reduce risk footprint as appropriate Deploy Targeted Advanced Security Controls/Methods Implement Comprehensive Baseline of Security Controls Step 1: Build CSS Baseline HighLow MISSION/FUNCTION CRITICALITY Sophisticated Unsophisticated THREAT 6 Accept Risk
- 7. Comprehensive Baseline of Security Controls (CIS Critical Security Controls – Version 6) 7
- 8. Comprehensive Baseline of Security Controls (CIS Critical Security Controls – Version 6) Basic Hygiene: 80+% of Threats!* 8* Australian Signals Directorate Study
- 9. Cybersecurity Resiliency Framework: Economic Considerations* Sophisticated Unsophisticated MISSION/FUNCTION CRITICALITY Investment in Cyber Operations and Security (High Return for Modest or No Investment) THREAT Low High Targeted Investment (Careful Risk-Return Analysis) No Investment *See also “The Economics of Cyber Security: Part I and Part II”, AFCEA Cyber Committee, October 2013 and April 2014. 9
- 10. Cybersecurity Resilience Maturity Framework* Maturity Level Employment of Security Controls Security Tailored to Mission Participate in Information Sharing (threat/vul) Response to Cyber Threats Resilience to Cyber Attack s Level 5: Resilient Augment CSC Based on Mission Mission Assurance Focused Real Time Response to Inputs Anticipate Threats Operate Through Sophisticated Attack Level 4: Dynamic Augment CSC Based on Mission Mission Focused Real Time Response to Inputs Rapid Reaction To Threats Able to respond to Sophisticated Attack Level 3: Managed CSC Integrated and Continuously Monitored Partially Mission Focused Respond to Information Inputs Respond to Attacks After the Fact Protection against Unsophisticated Attack Level 2: Performed Foundational/ Critical Security Controls (CSC) Implemented Mission Agnostic Inconsistent Response to Information Inputs Respond to Attacks After the Fact Some Protection Against Unsophisticated Attacks Level 1: No Resilience Inconsistent Deployment of Security Controls None None Step 1: Implement CSC Baseline Step 2: Address Sophisticated Attacks Most Organizations Today *Reference Robert Lentz “Cyber Security Maturity Model”, Presentation 2011 10
- 11. Characteristics • Security controls are implemented in an ad hoc or fragmented manner • Response to threats/attacks is as a result of outside stimulus (e.g., CERT notification of successful attack) • Intermittent participation in sharing of threat and vulnerability information • No discrimination of protection among missions • Unsophisticated attacks have high probability of success Maturity Level Employment of Security Controls Mission Tailoring Information Sharing (threat/vul.) Threat Response Cyber Attack Response Level 1: No Resilience Inconsistent Deployment of Security Controls None None No Response Susceptible to Unsophisticated Attacks Level 1: No Resilience 11
- 12. Maturity Level Employment of Security Controls Mission Tailoring Information Sharing (threat/vul.) Threat Response Cyber Attack Response Level 2: Performed Foundational/ Critical Security Controls (CSC) Implemented Mission Agnostic Inconsistent Response to Information Inputs Respond to Attacks After the Fact Some Protection Against Unsophisticated Attacks Characteristics • Critical Security Controls implemented across the organization but in a delegated or fragmented approach • Organization implements critical security controls although implementation is “tailored” by sub organizations and/or implementation of critical controls is incomplete • Mission Agnostic • All missions are protected equally • Inconsistent Response to Information Inputs • Inconsistent or periodic engagement and response to malware/CERT community updates on threats/vulnerabilities • Respond to Attacks (after the fact) • Organizations deploy countermeasures as they are available and they have the opportunity to respond • Some protection against unsophisticated attack • Critical Security Controls that are implemented will be effective against most unsophisticated attacks • Overlapping and inconsistent implementation of critical security controls leave protection “gaps” that could be exploited by relatively unsophisticated attacks Level 2: Performed 12
- 13. Maturity Level Employment of Security Controls Mission Tailoring Information Sharing (threat/vul.) Threat Response Cyber Attack Response Level 3: Managed CSC Integrated and Continuously Monitored Partially Mission Focused Respond to Information Inputs Respond to Attacks After the Fact Protection against Unsophisticated Attack Characteristics • Critical Security Controls integrated across enterprise with continuous monitoring • Risk evaluation focused on priority missions matched against past and emerging threats guides risk-benefit decision regarding fielding controls to augment foundation/critical controls • Partially Mission Focused • Clear understanding of mission critical information and systems • Protection focused on most critical mission capabilities • Respond to Information Inputs • Cooperation with larger malware/CERT community for updates on threats/vulnerabilities • Respond to Attacks (after the fact) • Deploy countermeasures as they are available • Protection against unsophisticated attack • Critical Security Controls will be effective against 80+% of attacks • Continuous monitoring and threat/vulnerability information sharing will provide ability to respond to some sophisticated attacks Level 3: Managed 13
- 14. Maturity Level Employment of Security Controls Mission Tailoring Information Sharing (threat/vul.) Threat Response Cyber Attack Response Level 4: Dynamic Augment CSC Based on Mission Mission Focused Real Time Response to Inputs Rapid Reaction To Threats Respond to Sophisticated Attack Characteristics • Augment Critical Security Controls based on Mission • Risk evaluation focused on priority missions matched against past and emerging threats guides risk-benefit decision regarding fielding controls to augment foundation/critical controls • Mission Focused • Analysis of spectrum of mission and information criticality results in agreement of priorities for cyber protection/restoral • The architecture of the organization implements boundaries between • Real Time Response to Inputs • Cyber intelligence program (Multiple Sources, Disciplined Indications and Warning, Good understanding of sector- specific threats) • Incident response baked into defensive posture • Rapid Reaction To Threats • Cooperation with larger malware/CERT community • Deploy countermeasures as they are available • Respond to sophisticated attack • After recognizing attack, assess impact and implement response (e.g., disconnect/shut down system, block attack, etc.) • Ability to respond to most sophisticated attacks Level 4: Dynamic 14
- 15. Level 5: Resilient Maturity Level Employment of Security Controls Mission Tailoring Information Sharing (threat/vul.) Threat Response Cyber Attack Response Level 5: Resilient Augment CSC Based on Mission Mission Assurance Focused Real Time Response to Inputs Anticipate Threats Operate Through Sophisticated Attack Characteristics • Augment Critical Security Controls based on Mission • Risk evaluation focused on priority missions matched against past and emerging threats guides risk-benefit decision regarding fielding controls to augment foundation/critical controls • Mission Assurance Focused • Analysis of spectrum of mission and information criticality results in agreement of priorities for protection and how to assure continued operation in the face of cyber attacks • Real Time Response to Inputs • Cyber intelligence program (Multiple Sources: Both classified and unclassified, Disciplined Indications and Warning, Good understanding of sector-specific threats) • Cyber Operators and Development team working together (also relevant to operating through attacks) • Incident response baked into defensive posture • Anticipate Threats • Malware/Attack Pattern Analysis Program with large repository of samples from which to extract unique signatures (potential use of Honeypots to gain attack insights) • Cooperation with larger malware/CERT community • Operate through sophisticated attack • Workforce culture of “cyber warfare” ensures real time response to attacks and preservation of priority missions during attack by a “nation state” class of threat 15
- 16. Cybersecurity Resilience Maturity Framework Maturity Descriptor Employment of Security Controls Security Tailored to Mission Participate in Information Sharing (threat/vul.) Response to Cyber Threats Resilience to Cyber Attacks Level 5: Resilient Augment CSC Based on Mission Mission Assurance Focused Real Time Response to Inputs Anticipate Threats Operate Through Sophisticated Attack Level 4: Dynamic Augment CSC Based on Mission Mission Focused Real Time Response to Inputs Rapid Reaction To Threats Able to respond to Sophisticated Attack Level 3: Managed CSC Integrated and Continuously Monitored Partially Mission Focused Respond to Information Inputs Respond to Attacks After the Fact Protection against Unsophisticated Attack Level 2: Performed Foundational/ Critical Security Controls (CSC) Implemented Mission Agnostic Inconsistent Response to Information Inputs Respond to Attacks After the Fact Some Protection Against Unsophisticated Attacks Level 1: No Resilience Inconsistent Deployment of Security Controls None None No Response Susceptible to Unsophisticated Attacks Step 1: Implement CSC Baseline Step 2: Address Sophisticated Attacks 16
- 17. Summary • Achieving high resilience is possible today • High levels of resilience can be achieved without additional cost • Resilience must be a structured journey, not a random walk • Fundamental improvements in resiliency of HW and SW necessary to get ahead of sophisticated attacks 17
- 18. Contact Information John M. Gilligan Center for Internet Security (CIS) John.gilligan@cisecurity.org 703-503-3232 518-266-3460 18