
Tony Sager, Senior VP & Chief Evangelist, CIS (the Center for Internet Security)

Tony Sager, Senior VP & Chief Evangelist at CIS, discusses the evolution of cybersecurity and the challenges faced in today's digital landscape. He revisits the classic risk equation and offers insights into why cyber defense is fundamentally an information-management problem and why the defender's set of choices is large but limited. The deck also covers the role of threat intelligence and analytics, the cyberdefense OODA loop, and the history and principles of the CIS Controls and the ecosystem of resources built around them.


Presentation Transcript


  1. Growing Up In Cyber… but is Cyber Growing Up? Tony Sager Senior VP & Chief Evangelist CIS (the Center for Internet Security)

  2. Today’s Cyber Learning Model?

  3. Classic Risk Equation: Risk = f(Vulnerability, Threat, Consequence), with controls as the levers the defender applies to those factors

  4. The Long and Winding Road….

  5. Seismic Shifts
    • Communications Security → “Cyber”
    • Mathematics → CS, Networking, Operations, Analytics
    • Technology → Information, Operations
    • Government monopoly → user/market driven
    • “Control Model” of security → open market
    • National Security → economic/social risk

  6. A few cybersecurity lessons
    • Knowing about flaws doesn’t get them fixed
    • Cyber Defense => Information Management
      • when you see “share”, replace it with “translate” and “execute”
    • The Bad Guy doesn’t perform magic
    • There’s a large but limited number of defensive choices
      • and the 80/20 rule applies (the Pareto Principle)
    • Cybersecurity is more like “Groundhog Day” than “Independence Day”

  7. “The Fog of More”: DLP, anti-malware, governance, certification, continuous monitoring, penetration testing, threat feed, baseline configuration, assessment, best practice, audit logs, standards, SDL, SIEM, virtualization, risk management framework, sandbox, compliance, encryption, security bulletins, threat intelligence, incident response, user awareness training, two-factor authentication, browser isolation, security controls, maturity model, need-to-know, supply-chain security, whitelisting

  8. The Defender’s Dilemma
    • What’s the right thing to do?
    • and how much do I need to do?
    • How do I actually do it?
    • And how can I demonstrate to others (many others) that I have done the right thing?

  9. A Cyberdefense OODA Loop (“patch Tuesday”)

  10. “Dueling OODAs” (and the role of Threat Intelligence, Analytics)
    • There are many loops, often connected
    • “farther in space, earlier in time”
    • The Bad Guy’s loop is an opportunity

  11. An Effective Cyberdefense “info machine” should be…
    • based on a model of Attacks, Attackers, and defensive choices
    • and focused on categories, types, patterns, templates, etc.
    • driven by data
    • managed within an open, standards-based framework
    • accounting for “community risk”, but tailorable
    • repeatable, dynamic, feedback-driven
    • demonstrable, negotiable for Real People

  12. Evolution of the CIS Controls: NSA/DoD Project → The Consensus Audit Guidelines (CSIS) → “The SANS Top 20” (the SANS Institute) → The Critical Security Controls (CCS/CIS) → The CIS Controls™

  13. The Original Controls Principles
    • Prioritize: “Offense Informs Defense”
    • Implement: “Action today beats elegance tomorrow (or someday. Or never.)”
    • Sustain: “It’s not about the list”
    • Align: “To win the cyberwar, we need peaceful co-existence”

  14. CIS Best Practice Workflow

  15. CIS Controls Version 7

  16. Ecosystem of Resources
    • Mappings to other Frameworks
    • Special focus on NIST CSF [updated!]
    • CIS Risk Assessment Method (CIS-RAM) [new]
    • ICS Companion Guide to the Controls [drafted]
    • Measures and Metrics [updated]
    • SME Implementation Guide
    • CIS Community Attack Model
    • Privacy and the Controls

  17. Recent References to the CIS Controls
    • California Attorney General’s 2015 Data Breach Report
    • The NIST Cybersecurity Framework
    • Symantec 2016 Internet Security Threat Report (and Verizon DBIR, HP, Palo Alto, Solutionary…)
    • National Governors Association
    • National Consortium for Advanced Policing
    • Conference of State Bank Supervisors
    • UK Critical Protection for National Infrastructure
    • Zurich Insurance
    • ENISA, ETSI

  18. Website: www.cisecurity.org
    Email: Controlsinfo@cisecurity.org
    Twitter: @CISecurity
    Facebook: Center for Internet Security
    LinkedIn Groups:
    • Center for Internet Security
    • 20 Critical Security Controls
