NIST Critical Security Framework (CSF)
Download as PPTX, PDF3 likes2,195 views
The document discusses the importance of the NIST Cybersecurity Framework (CSF) for organizations to effectively measure and improve their security posture amidst increasing breaches. It highlights statistics that reveal a significant number of organizations prioritize security, yet many lack a structured approach to cybersecurity management. The CSF promotes a common language for evaluating security practices, guiding organizations from compliance to actionable outcomes while emphasizing continuous improvement and communication of risks.
NIST Critical Security Framework (CSF)
- 1. Critical Security Framework MEASURING Security Dick Bussiere | Technical Director | Asia Pacific
- 2. Agenda SomeOpening Observations Whatisthe NISTCybersecurityFramework? Why YOUshould care? How wouldIapplyit? How wouldImeasuremy effectiveness?
- 3. Would you drive BLINDFOLDED?
- 4. Things to Ponder 205 Days until breach detected (APAC Average)? Can you say with certainty that you are100% Secure? Do you knowwith certainty that you haveNOT beenbreached?
- 5. Heard on the street… Of organizations believesecurity should be a top orhigh priority of the business Of CEO’s viewsecurity as a top orhigh priority to the business Of organizationscompletely agree that the businesshasthe ability to defend itself from securityattacks
- 6. A false senseof security?
- 8. Yet breaches continue to increase at an unprecedented rate Companies spent $76.9Bin 2015 on information security
- 9. Without a Security Framework…
- 10. Heard on the street… Of organizations believesecurity should be a top orhigh priority of the business Of CEO’s viewsecurity as a top orhigh priority to the business Of organizationscompletely agree that the businesshasthe ability to defend itself from securityattacks
- 11. IF YOU CAN’T MEASUREYOU CAN’T CONTROL
- 12. IF YOU CAN’T MEASUREYOU CAN’T IMPROVE
- 13. The Survey Says… Security Frameworks guide the way… •84% Leverage a security framework •Broad range of company sizes Wide Range of Frameworks Utilized •44% used more than one framework •EOY 2016 - CSF (43%), CIS (44%) ISO (44%) Best practice & requirements drive CSF adoption •70% adopted CSF because they consider it best practice •29% adopted CSF because a partner required it Security Framework Adoption is a Journey •Only 1 in 5 rank their organization as very mature •More than half of CSF adopters require significant investment to fully conform Survey conducted by Dimensional Research, March 2016 316 IT and Security Professionals interviewed in US
- 15. Why Cyber Security Framework? Asksthe question“whatareyoudoing toimprove” ratherthan“did youimplement controlXYZ” Results in a shiftfrom compliance to actionand specificoutcomes Businessoriented Has built-inmaturitymodel andgap analysis No need to overlay another maturity modelon top of CSF Measureswhereyou areand whereyou need to go Can be implemented“piecemeal”as required,makingit moreappealing to business
- 16. Repeatable Flexible TechnologyNeutral CostEffective Measurable! CommonLanguage WhyCyber Security Framework?
- 17. Objectives of CSF in a nutshell Describe Current Security Posture Describe Target Security Posture Continuous Improvement Assess Progress towards Target Posture Communicate Risk
- 18. A Frameworkof Frameworks ISO/IEC27001 CCSCSC1 ISA62443 NISTSP 800-53 COBIT 5 NISTCYBERSECURITY FRAMEWORK
- 19. Framework Profile (Where you are and where you want to go) Framework Implementation Tiers (How you view cybersecurity) CSF Core (What it does) •Defines (measures) current state •Defines (measures) desired state •Tiers (4) that show how cybersecurity risks and processes are viewed within an organization •Required Tier based on perceived risk/benefit analysis •Identify •Protect •Detect •Restore •Recover The Cyber Security Framework at 40,000 feet…
- 20. CSF Component 1 – FrameworkCore Framework Core Identify Detect RespondRecover Protect
- 21. 5 Core CSF Functions Explained… Identify • Understand what’s importantto the business and what the risks are Protect • Developsafeguardsto ensureCIA Detect • Find bad things Respond • What youdo whenbad things happen Recover • Howto restorewhat the bad guys broke
- 23. Function Unique Identifier Function Category Unique Identifier Category Subcategory Informative References ID Identify ID.AM-1 Asset Management Physical devices within the organization are inventoried • CCS- CSC1 • COBIT 5 • ISA- 62443-2- 1:2009 ID.AM-2 Asset Management Software Platforms and Applications within the organization are inventoried • CCS- CSC1 • COBIT 5 • ISA- 62443-2- 1:2009 Structure Example
- 24. Everything kinda looks thesame…
- 25. Risk Profile, Requirements & Resources ISO/IEC 27001 Tailored Control Framework NIST Cybersecurity Framework ISA 62443 Use CSF as ingredient to Custom Control Framework
- 26. Risk Profile, Requirements & Resources ISO/IEC 27001 NIST Cybersecurity Framework CIS Critical Security Controls ISA 62443 “Normalization Layer” Use CSF to “Normalize to Common Language Existing Frameworks
- 27. CSF Component 2 – FrameworkImplementation Tiers Partial Risk Informed Repeatable Adaptable How cybersecurity risks and processes are viewed within organization Sophistication
- 28. CSF Component 3 – FrameworkProfile Presents overview of present and future cybersecurity posture BusinessRequirements RiskTolerance Resources Usedtodefine currentstate and desired state Canhelp measure progress...
- 29. A Common Language for All Levels Priorities RiskAppetite Budget FrameworkProfile ImplementationProgress Vulnerabilities,Threats,Assets Status,Changesin Risk ExecutiveLevel Focus:Organizationalrisk Actions:Risk Decision/Priority Operations Level Focus: RiskManagement Implementation Actions:Secure Infrastructure, Implement Profile ProcessLevel Focus:RiskManagement Actions:SelectProfile,AllocateBudget
- 30. Process Prioritize and Scope Business Objectives Priorities Strategy Orient Related Systems Assets Regulations Risk Assessment Exposure Tolerance Create Current Profile Where you are now Create Target Profile Where you need to be Gap Analysis Delta between Current/Target Action Plan MEASURE
- 31. How is CSF Different? Expresses cybersecurity activities in a common language Leverages existing standards –does not reinvent the wheel –can map existing processes/guidelines into CSF Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives Provides a vehicle to effectively measurecybersecurityeffectiveness independent of existing framework
- 32. CSF helps you to do all these great things… How does CSF help you? Reduce chance of breach, liability Ability to know status “on the fly” Communicate adherence to business, business partners, customers and auditors Meet contractual obligations Prioritize, evaluate security investments Reduce resource drain and impact of multiple audits
- 33. *Gartner webinar: Using the NIST Cybersecurity Framework, https://www.gartner.com/user/registration/webinar?resId=3163821 The CSF is an absolute minimum of guidance for new or existing cybersecurity risk programs… “ ” Gartner Says…
- 34. By 2020, more than 50 percent of organizations will use the NIST Cybersecurity Framework, up from the current 30 percent in 2015 Gartner predicts: “ ” *Gartner webinar: Using the NIST Cybersecurity Framework, https://www.gartner.com/user/registration/webinar?resId=3163821
- 35. To MEASURE, you need DATA…
- 40. ThreeYear Action Plan Tool.. http://www.tenable.com/whitepapers/nist-csf-implementation-planning-tool
- 41. Contact me: dbussiere@tenable.com Website http://www.tenable.com blog.tenable.com tenable.com/podcast youtube.com/tenablesecurity discussions.nessus.org
- 42. Thank You Dick Bussiere |Technical Director |Asia Pacific
Editor's Notes
- #7: Do you know the full extent of the risk you are exposed to?
- #8: Maybe not…
- #9: defensive technologies are in place, but they were not aligned with the core functions of the network they were protecting. Buying defensive security products alone does not make you secure. Security comes from deploying these products as part of a comprehensive security strategy, designed to minimize your risk.
- #10: Some comments – I see customers all the time all over Asia Pacific. One thing that strikes me is how many still don’t use a formal framework methodology to help define, manage, control and measure. Yet, people still make technology purchases without this information!
- #15: This man started it. Executive Order 13636, Improving Critical Infrastructure Cybersecurity issued in 2013. Defined what critical infrastructure is, ordered policies & procedures for interagency information sharing and coodination, The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the "Director") to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework"). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised. (b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
- #19: Framework of frameworks – Leverages many different standards at the same time.
- #21: Identify Understand what’s important to the business and what the risks are Protect Develop safeguards to ensure CIA Detect Find bad things Respond What you do when bad things happen Recover How to restore what the bad guys broke Defines set of activities that achieve specific cybersecurity outcomes Functions define 5 basic cybersecurity activities: Identify, Protect, Detect, Respond, Recover Closely align with existing methodologies for Incident Management Categories subdivide functions into program needs and activities: Examples: Asset Management, Event Detection, Access Control Subcategories divide category into specific management or technical activities Examples: Data in transit is protected, Malware is detected Informative References are specific standards, guidelines, practices, etc Maps into existing frameworks
- #22: The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- #28: Four Tiers that show how cybersecurity risks and processes are viewed within an organization Required Tier based on perceived risk/benefit analysis Tier 1 – Partial Tier 2 – Risk Informed Tier 3 – Repeatable Tier 4 - Adaptive Tier 1: Processes not formalized, risk managed ad-hoc and reactive. Cybersecurity activities not related to organizational risk objectives, threats, business requirements, etc Tier 2: Risk management practices approved by management but not organizational wide policy. Cybersecurity activities related to organizations risk objectives, threat environment. Tier 3: Risk management practices are formal policies. Cybersecurity practices updated continuously based on changing business requirements and risks. Tier 4: Organization changes cybersecurity practices based on lessons learned and predictive indicators from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.