
Christopher Strand, Carbon Black Security Risk and Compliance Officer


Presentation Transcript


  1. Staying ahead of the Game, Leveraging Compliance and Best of Breed Security for the Future. Christopher Strand, Carbon Black Security Risk and Compliance Officer (AKA Chief Compliance Evangelist). March 22, 2016

  2. Agenda

  3. 3,710,630,722 global records lost since 2013 (source: Breach Level Index) … Why we focus on our approach…

  4. Compliance Baseline Controls and Themes/Frameworks

  5. Compliance and Audit Ecosystem
     • PARTNER: Third-party Risk Policy; Risk Assessment
     • CORPORATE: Data Retention; Data Privacy; Data Protection; Licensing
     • INDUSTRY: PCI DSS; HIPAA; SOX/GLBA; NERC
     • GOVERNMENT: Data Privacy and Protection; Federal Data Regulations; EU Data Protection
     • Eliminate Control Clutter – unite business silos, empowering the executive office
     • Increase Worker Efficiency – spend less on resources and maintain compliance
     • Improve Compliance Adoption – speed attainment and reduce administration
     • Extend the Value of Technology Investments – consolidate existing infrastructure

  6. Merge Compliance and Security. CHALLENGE = Achieve Continuous Compliance and Strengthen Your Security Profile. You must validate both compliance and security with controls that:
     Compliance                                                        | Security
     1. Identify, Classify & Scope Critical Business Processes         | 1. Real Time Visibility
     2. Stop Analyzing Change and Start Controlling It                 | 2. Monitor & Prevent Change
     3. “Active Intelligence” and Always-on Monitoring                 | 3. Measure, Identify & Analyze Risk
     4. Complete Protection from ALL Malware Threats                   | 4. Detect & Prevent Malware
     5. Immediate Enforcement and Audit of Security Compliance Policy  | 5. Actively Enforce Policy

  7. Best Practices and Frameworks

  8. The Trend Between Frameworks and Requirements

  9. Compliance: Past Present Future…

  10. Compliance: Past Present Future…

  11. Compliance: Past Present Future…

  12. Proactively Managing and Measuring Compliance via Frameworks

  13. FFIEC Cybersecurity Assessment Tool (CAT)

  14. FFIEC Cybersecurity Assessment Tool

  15. Benefits of the CAT to Institutions
     • Identifying factors contributing to and determining the institution’s overall cyber risk
     • Assessing the institution’s cybersecurity preparedness
     • Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks
     • Determining risk management practices and controls that could be taken to achieve the institution’s desired state of cyber preparedness
     • Informing risk management strategies

  16. FFIEC Cybersecurity Assessment Tool
     • Inherent Risk Profile – 39 questions on risk
     • Cybersecurity Maturity – 494 Y/N questions across five domains:
       Domain 1: Cyber Risk Management & Oversight
       Domain 2: Threat Intelligence & Collaboration
       Domain 3: Cybersecurity Controls
       Domain 4: External Dependency Management
       Domain 5: Cyber Incident Management and Resilience

  17. Risk Maturity Matrix

  18. How to use the CAT – Common Compliance Workflow

  19. Negative Security Approach

  20. Negative Security Model [figure: four charts plotting Detect & Protect Value against Time, one each for Anti-Malware Signatures, IOCs, Machine Learning and Heuristics]

  21. Positive Security Approach

  22. Positive Security Model [figure: one chart plotting Detect & Protect Value against Time]

  23. Key Considerations While Using the CAT
     • Focus on innovative cybersecurity maturity
     • Proactive or real-time detection and response
     • Automation to gain metrics and reporting
     • Focus on threat analytics that matter
     • Baseline risk measurement for discovery

  24. The FFIEC and CAT through time…

  25. Sarbanes-Oxley (SOX), COBIT5, and COSO IT Audit Controls

  26. COBIT Mapping for COSO and SOX Control Matrix

  27. COSO Control Environment Component. COBIT reference: EDM01, EDM03 and EDM05 (Ensure Governance Framework Setting). Ensures ownership amongst all stakeholders across all frameworks.

  28. COSO Risk Assessment Component. COBIT reference: Manage Risk (APO12). Risk assessment is crucial for the SOX standard: determine the significance of financial data disclosure relative to each control in place, the selection and scope of controls to test, and the audit work necessary for a given control.

  29. COSO Control Activities Component. COBIT reference: Manage Human Resources and Quality (APO07 and APO11). Four types of control activities:
     • Data center operation controls
     • System software controls
     • Access security controls
     • Application system development and maintenance controls

  30. COSO Information and Communication Component. COBIT reference: APO01 (Manage the IT Management Framework) and EDM05 (Ensure Stakeholder Transparency).

  31. COSO Monitoring Activities Component. FIC/FIM – visibility into transaction data (chain of command), reporting and audit.
     • Visibility and control: eliminate the noise associated with monitoring controls like File Integrity Monitoring and immediately identify critical changes
     • Proactive analysis of risk on in-scope endpoints: proactive monitoring of regulatory scope; gain an immediate risk, threat and trust measure across the entire enterprise; trace the entire security event
     • Enforcement and protection of all in-scope systems: ensure total enforcement, compliance and audit with security policy; move from patch mitigation to threat mitigation

  32. Evolution of COBIT – Audit to True Enterprise IT Measurement

  33. Modern Baseline Framework – PCI DSS Prioritized Approach.

  34. PCI DSS – gradual shift from checkbox to compliance measure. 100% of companies that were breached in 2015 were non-compliant; 100% of companies were failing compliance. 0 in ten years: “Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach.”

  35. Future of PCI

  36. Snapshot: Top 5 Critical Security Controls and PCI DSS 3.0
     CSC 1  Inventory of Authorized and Unauthorized Devices       Requirement 2.4
     CSC 2  Inventory of Authorized and Unauthorized Software      Requirement 2.4.a
     CSC 3  Secure Configurations for Hardware and Software        Requirements 2.2, 6.2, 11.5
     CSC 4  Continuous Vulnerability Assessment and Remediation    Requirements 6.1, 6.2
     CSC 5  Malware Defenses                                       Requirements 5.1, 5.2, 5.4

  37. CSC & PCI DSS – CSC 1 / PCI DSS 2.4: Inventory of Authorized and Unauthorized Devices. Maintain an inventory of system components that are in scope for PCI DSS. Visibility Quick Win: change your system to a proactive posture in order to speed up the attainment of pre-compliance data gathering.

  38. CSC & PCI DSS – CSC 2 / PCI DSS 2.4.a: Inventory of Authorized and Unauthorized Software. Examine the system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each. Visibility Quick Win: introduce real-time, instant visibility into what applications and processes are running on all endpoints and servers, including version information.
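As an added illustration of the inventory controls on slides 37 and 38 (CSC 1/2, PCI DSS 2.4 and 2.4.a), not code from the presentation or from Carbon Black: a Python check that compares the software an agent reports per endpoint against an authorized list that also carries the function/use description 2.4.a asks for, flagging anything unauthorized or older than the allowed minimum. Host names, package names, versions and the authorized list are constructed sample data.

```python
"""Software inventory check against an authorized list (CSC 1/2, PCI DSS 2.4 / 2.4.a).
Added example; every host, package and version below is constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthorizedSoftware:
    name: str
    min_version: Tuple[int, ...]   # oldest build still allowed on in-scope systems
    function: str                  # description of function/use (PCI DSS 2.4.a)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.18.0' or '15.2-rc1' into a comparable tuple; non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


# Constructed authorized list: what may run in scope and why it is there.
AUTHORIZED: Dict[str, AuthorizedSoftware] = {
    "nginx": AuthorizedSoftware("nginx", (1, 18, 0), "reverse proxy for the payment web app"),
    "openssl": AuthorizedSoftware("openssl", (1, 1, 1), "TLS library"),
    "postgresql": AuthorizedSoftware("postgresql", (12, 0), "cardholder data store"),
}

# Constructed observed inventory: endpoint -> [(software, version)], as an agent might report it.
OBSERVED: Dict[str, List[Tuple[str, str]]] = {
    "pos-01": [("nginx", "1.18.0"), ("openssl", "1.1.1"), ("teamviewer", "15.2")],
    "db-01": [("postgresql", "12.4"), ("openssl", "1.0.2")],
}


def check_inventory(observed: Dict[str, List[Tuple[str, str]]],
                    authorized: Dict[str, AuthorizedSoftware]) -> List[dict]:
    """Flag software that is not on the authorized list or is below its minimum version."""
    findings = []
    for host, packages in observed.items():
        for name, version in packages:
            entry = authorized.get(name)
            if entry is None:
                findings.append({"host": host, "software": name, "version": version,
                                 "finding": "unauthorized"})
            elif parse_version(version) < entry.min_version:
                findings.append({"host": host, "software": name, "version": version,
                                 "finding": "below-minimum-version"})
    return findings


def inventory_report(observed: Dict[str, List[Tuple[str, str]]],
                     authorized: Dict[str, AuthorizedSoftware]) -> List[Tuple[str, str, str, str]]:
    """PCI DSS 2.4.a-style inventory rows: (host, component, version, function/use)."""
    rows = []
    for host, packages in observed.items():
        for name, version in packages:
            entry = authorized.get(name)
            function = entry.function if entry else "UNKNOWN - not on authorized list"
            rows.append((host, name, version, function))
    return rows


if __name__ == "__main__":
    for f in check_inventory(OBSERVED, AUTHORIZED):
        print(f"{f['host']}: {f['software']} {f['version']} -> {f['finding']}")
    for row in inventory_report(OBSERVED, AUTHORIZED):
        print(row)
```

On the sample data the check yields two findings: an unauthorized remote-access tool on pos-01 and an openssl build on db-01 below the allowed minimum; the report lists all five components with their function, which is the artifact an assessor asks for under 2.4.a.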

  39. CSC & PCI DSS – CSC 3 / PCI DSS 2.2, 6.2, 11.5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
     • Develop configuration standards for all system components [that] address all known security vulnerabilities
     • Protect critical system files
     Configuration Monitoring Quick Win: prevent unauthorized change and set up real-time monitoring and recording of critical changes

  40. CSC & PCI DSS – CSC 4 / PCI DSS 6.1, 6.2, 11.2: Continuous Vulnerability Assessment and Remediation. Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities and file assets. Vulnerability Analysis & Response Quick Win: apply real-time vulnerability and threat analysis to all in-scope systems.

  41. CSC & PCI DSS – CSC 5 / PCI DSS 5.1: Malware Defenses
     • Deploy anti-virus software
     • Evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software
     • How long does it take the system to identify any malicious software that is installed, attempted to be installed, executed, or attempted to be executed on a computer system (time in minutes)?
     Malware Quick Wins: actively block all unknown and untrusted processes

  42. Common Security Control Focus Across All Frameworks: Focus on Success

  43. Common Critical Security Controls Required for Success. FIC/FIM – visibility into transaction data, reporting and audit.
     • Visibility and control: eliminate the noise associated with monitoring controls like File Integrity Monitoring and immediately identify critical changes
     • Proactive analysis of risk on in-scope endpoints: proactive monitoring of regulatory scope; gain an immediate risk, threat and trust measure across the entire enterprise; trace the entire security event
     • Enforcement and protection of all in-scope systems: ensure total enforcement, compliance and audit with security policy; move from patch mitigation to threat mitigation

  44. POSITIVE SECURITY: FILE INTEGRITY CONTROL
     • Detect changes as they occur or are attempted
     • Use policies to establish what is allowed – block everything else
     • Respond to alerts in real time, not after file changes have been collated and analyzed

  45. POSITIVE SECURITY: PROACTIVE ANALYSIS OF RISK
     • Prevents unauthorized processes from occurring
     • Eliminates the need to keep up with negative or static blacklists – an impossible task anyway

  46. POSITIVE SECURITY: SECURITY AND COMPLIANCE POLICY ENFORCEMENT
     • Enforce security and compliance policies in real time
     • Provides a compensating control for systems and applications
     • Automatically educate users about compliance policy as it is being enforced
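As an added example for slides 44 and 45 (file integrity control under a positive security model), not code from the presentation or from Carbon Black: a Python routine that records a hash baseline, detects added, modified and removed files, and allows a change only when its new content hash or its signing publisher is named in policy, blocking and alerting on everything else. Paths, file contents, signer names and the policy are constructed sample data; the signer lookup stands in for whatever code-signing metadata a real agent would supply.

```python
"""Positive-security file integrity control: baseline, detect change, allow only what
policy names, block everything else. Added example; paths, contents, signers and the
policy below are constructed sample data."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ChangeEvent:
    kind: str                  # "added", "modified" or "removed"
    path: str
    new_hash: Optional[str]    # SHA-256 of the new content, None for removals
    publisher: Optional[str]   # who signed the new content, if anyone


@dataclass(frozen=True)
class Policy:
    approved_hashes: FrozenSet[str]      # change-controlled content approved in advance
    trusted_publishers: FrozenSet[str]   # vendors whose signed updates may land


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the known-good state as path -> content hash."""
    return {path: sha256_hex(data) for path, data in files.items()}


def detect_changes(baseline: Dict[str, str], current: Dict[str, bytes],
                   signers: Dict[str, str]) -> List[ChangeEvent]:
    """Compare the current state with the baseline and emit one event per change."""
    events = []
    for path, data in current.items():
        digest = sha256_hex(data)
        if path not in baseline:
            events.append(ChangeEvent("added", path, digest, signers.get(path)))
        elif baseline[path] != digest:
            events.append(ChangeEvent("modified", path, digest, signers.get(path)))
    for path in baseline:
        if path not in current:
            events.append(ChangeEvent("removed", path, None, None))
    return events


def decide(event: ChangeEvent, policy: Policy) -> Tuple[str, str]:
    """Default deny: a change is allowed only when the policy explicitly names it."""
    if event.kind == "removed":
        return "block", "removal of a baselined file is not pre-approved"
    if event.new_hash in policy.approved_hashes:
        return "allow", "new content hash is on the approved list"
    if event.publisher in policy.trusted_publishers:
        return "allow", "signed by trusted publisher " + str(event.publisher)
    return "block", "not approved by hash or publisher"


def enforce(baseline: Dict[str, str], current: Dict[str, bytes],
            signers: Dict[str, str], policy: Policy) -> Dict[str, Tuple[str, str, str]]:
    """Return path -> (kind, decision, reason); each blocked entry is an alert to act on now."""
    return {e.path: (e.kind,) + decide(e, policy)
            for e in detect_changes(baseline, current, signers)}


# Constructed baseline of an in-scope host.
BASELINE_FILES = {
    "/opt/pos/bin/posd": b"posd build 1.0",
    "/opt/pos/etc/posd.conf": b"listen=443\n",
    "/opt/pos/etc/legacy.conf": b"compat=on\n",
    "/var/www/html/index.php": b"<?php echo 'storefront'; ?>",
}
# Constructed current state: a signed vendor patch, a hash-approved config change,
# an unapproved edit to a web file, a new unknown file, and a deleted config file.
CURRENT_FILES = {
    "/opt/pos/bin/posd": b"posd build 1.1",
    "/opt/pos/etc/posd.conf": b"listen=443\ntls_min=1.2\n",
    "/var/www/html/index.php": b"<?php echo 'storefront v2'; ?>",
    "/var/www/html/new.php": b"<?php /* not in baseline */ ?>",
}
SIGNERS = {"/opt/pos/bin/posd": "POS Vendor Inc"}   # constructed signature metadata
POLICY = Policy(
    approved_hashes=frozenset({sha256_hex(b"listen=443\ntls_min=1.2\n")}),
    trusted_publishers=frozenset({"POS Vendor Inc"}),
)

if __name__ == "__main__":
    outcome = enforce(take_baseline(BASELINE_FILES), CURRENT_FILES, SIGNERS, POLICY)
    for path, (kind, decision, reason) in outcome.items():
        print(f"{decision.upper():5} {kind:8} {path}: {reason}")
```

The two allowed changes are the ones an operator approved ahead of time, by vendor signature or by the exact hash of the reviewed configuration; the other three are blocked at the moment they are seen rather than surfacing later in a collated FIM report, which is the distinction slide 44 draws.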

  47. Practice Best of Breed Security to Enable Compliance and Risk Measure

  48. Compliance and Security Control Example (PCI)
     • Example of compliance coverage across the Kill Chain
     • Threat to compliance: failure of requirements leads to compromise
     Kill Chain stages as shown on the slide:
     Reconnaissance – attacker researches potential victim
     Weaponization – attacker creates deliverable payload
     Delivery – attacker transmits weapon into environment
     Exploitation – attacker exploits vulnerability
     Installation – attacker changes system configuration
     C2 – attacker establishes control channel
     Action – attacker attempts to exfiltrate data
     PCI DSS requirements placed across the stages: Req. 5.1, 5.4, 6.1, 6.2, 11.5, 10.5.5, 11.5, 10.x, 5.3, 2.2, 12.x
     PREVENTION • Multiple, customizable forms of prevention
     DETECTION AND RESPONSE • How did it start? • Where did it spread? • What did it do? • What do I do now?

  49. From Checking the Box to Becoming Innovative in Security
     • Level 4 – Best protection
     • Level 3 – Strong posture
     • Level 2 – Reduced risk
     • Level 1 – Vulnerable
     Capabilities measured: Visibility, Detection, Prevention, Response, Integration
