How To Make Sense of Cybersecurity Frameworks: Frank Kim

Three main types of security frameworks are described: control frameworks like NIST 800-53 and CIS Controls, program frameworks like ISO 27001 and NIST CSF, and risk frameworks like NIST 800-30. Control frameworks provide a baseline of security controls to implement. Program frameworks help assess and build a comprehensive security program. Risk frameworks help with risk assessment. NIST 800-53 is an example control framework that defines security control families and priorities. The CIS Controls success stories show how they help organizations of all sizes reduce risk. ISO 27001 defines requirements for building an information security management system.


SESSION ID: CXO-T08

How to Make Sense of Cybersecurity Frameworks

Frank Kim
Founder / Instructor
ThinkSec / SANS Institute
@fykim
www.frankkim.net
#RSAC

Three Types of Security Frameworks

Control Frameworks
– NIST 800-53
– CIS Controls (CSC)
Program Frameworks
– ISO 27001
– NIST CSF
Risk Frameworks
– NIST 800-39, 800-37, 800-30
– ISO 27005
– FAIR

[Figure: the three framework types stacked against axes labelled Time and Experience, with Control Frameworks at the bottom, Program Frameworks in the middle and Risk Frameworks at the top]

Control Frameworks

Using a Control Framework

Use a Control Framework to:
– Identify a baseline set of controls
– Assess the state of technical capabilities
– Prioritize implementation of controls
– Develop an initial roadmap for the security team

NIST SP 800-53

Control families:
– Access Control (AC)
– Awareness and Training (AT)
– Audit and Accountability (AU)
– Security Assessment & Authorization (CA)
– Configuration Management (CM)
– Contingency Planning (CP)
– Identification and Authentication (IA)
– Incident Response (IR)
– Maintenance (MA)
– Media Protection (MP)
– Physical & Environmental Protection (PE)
– Planning (PL)
– Personnel Security (PS)
– Program Management (PM)
– Risk Assessment (RA)
– System and Services Acquisition (SA)
– System & Communications Protection (SC)
– System & Information Integrity (SI)

NIST SP 800-53 Overview

Comprehensive catalog of security and privacy controls, organized as:
– Family
– Control
– Control Enhancement
Controls can be implemented based on:
– Priority
o P1, P2, P3, P0
– Security Control Baselines
o Low-Impact, Moderate-Impact, High-Impact

NIST SP 800-53 Control Example

Cntl No. | Control Name | Priority | Initial Control Baselines: Low | Mod | High
AC-1 | Access Control Policy & Procedures | P1 | AC-1 | AC-1 | AC-1
AC-2 | Account Management | P1 | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) (5) (11) (12) (13)
AC-5 | Separation of Duties | P1 | Not selected | AC-5 | AC-5
AC-7 | Unsuccessful Logon Attempts | P2 | AC-7 | AC-7 | AC-7
AC-9 | Previous Logon (Access) Notification | P0 | Not selected | Not selected | Not selected
AC-11 | Session Lock | P3 | Not selected | AC-11 (1) | AC-11 (1)

In the table, "AC" is the family, "AC-2" a control, and "(1)" a control enhancement.

CIS Controls

Basic
1 Inventory and Control of Hardware
2 Inventory and Control of Software
3 Continuous Vulnerability Management
4 Controlled Use of Admin Privileges
5 Secure Config for Hardware & Software
6 Maint., Monitoring & Analysis of Audit Logs
Foundational
7 Email and Web Browser Protection
8 Malware Defenses
9 Limit & Control of Port, Protocol, Services
10 Data Recovery Capabilities
11 Secure Config for Network Devices
12 Boundary Defense
13 Data Protection
14 Controlled Access on Need to Know
15 Wireless Access Control
16 Account Monitoring and Control
Organizational
17 Security Awareness & Training Program
18 Application Software Security
19 Incident Response and Management
20 Penetration Tests & Red Team Exercises

CIS Controls Success Stories

Large enterprises
– United States Department of State
o 90% Risk Reduction in Year 1
– Australian Defense Services Directorate
o Stopped 85% of intrusions
– United States Federal Reserve System
o Basis for Internal Audit to assess Cyber Security
Smaller organizations
– “A Small Business No Budget Implementation”


Management Takeaways

Free resources
– AuditScripts Control Master Mapping
o Maps Controls to nearly every known regulatory compliance standard
– AuditScripts Control Manual Assessment Tool
o Self-assessment of current state of Controls implementation
– CIS Controls Implementation Guide
o Key questions to ask when implementing the Controls

Program Frameworks

Using a Program Framework

Use a Program Framework to:
– Assess the state of the overall security program
– Build a comprehensive security program
– Measure maturity and conduct industry comparisons
– Simplify communications with business leaders

ISO 27000 Series Overview

Requirements
– 27001: ISMS requirements
– 27006: Requirements for certification bodies
– 27009: Sector-specific requirements
– 27021: Competence requirements for security professionals
Guidelines
– 27002: Implementation guidance for controls
– 27003: Implementation guidance for management
– 27004: Monitoring, measurement, analysis, evaluation
– 27005: Risk management
– 27007: Guidance for audits
– 27008: Guidance for auditors
– 27014: Governance
Sector-specific
– 27011: Telecom
– 27017: Cloud services
– 27018: PII in public clouds
– 27019: Energy and utility

ISO 27001
ISO 27001
– Information Security Management System (ISMS) requirements
Defines areas of focus in building a security program
– Organizational context
– Leadership
– Planning
– Support
– Documentation
– Operation
– Performance evaluation
– Improvement


ISO 27001 Control Objectives

– Information security policies
– Organization of information security
– Human resource security
– Asset management
– Access control
– Cryptography
– Physical and environmental security
– Operations security
– Communications security
– System acquisition, development, and maintenance
– Test data
– Supplier relationships
– Information security incident management
– Security aspects of business continuity management
– Compliance

NIST Cybersecurity Framework (CSF)

Composed of three parts
– Core, Implementation Tiers, and Profiles
Defines a common language for managing risk
– Core has five functions that provide a high-level, strategic view of the security life cycle
Helps organizations ask:
– What are we doing today?
– How are we doing?
– Where do we want to go?
– When do we want to get there?

[Figure: the five Core functions shown as a cycle: Identify, Protect, Detect, Respond, Recover]

Framework Categories

Function: Identify
– Asset Management
– Business Environment
– Governance
– Risk Assessment
– Risk Management Strategy
– Supply Chain Risk Management
Function: Protect
– Identity Management, Authentication & Access Control
– Awareness & Training
– Data Security
– Information Protection Processes & Procedures
– Maintenance
– Protective Technology
Function: Detect
– Anomalies & Events
– Security Continuous Monitoring
– Detection Processes
Function: Respond
– Response Planning
– Communications
– Analysis
– Mitigation
– Improvements
Function: Recover
– Recovery Planning
– Improvements
– Communications

Framework Subcategory Examples

Function: Protect (PR). Each subcategory is listed with its informative references.

Identity Management, Authentication & Access Control (PR.AC)
– PR.AC-1: Identities and credentials are managed | CSC 1, 5, 15, 16; NIST 800-53 AC-1, AC-2;
– PR.AC-2: Physical access to assets is managed | NIST 800-53 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8
– PR.AC-3: Remote access is managed | CSC 12; NIST 800-53 AC-1, AC-17, AC-19, AC-20, SC-15
– PR.AC-4: Access permissions are managed | CSC 3, 5, 12, 14, 15, 16, 18; NIST 800-53 AC-1, AC-2, AC-3, AC-5, AC-16, AC-14
– PR.AC-5: Network integrity is protected | CSC 9, 14, 15, 18; NIST 800-53 AC-4, AC-10, SC-7
Awareness & Training (PR.AT)
– PR.AT-1: All users are informed and trained | CSC 17, 18; NIST 800-53 AT-2, PM-13
– PR.AT-2: Privileged users understand roles & responsibilities | CSC 5, 17, 18; NIST 800-53 AT-3, PM-13
– PR.AT-3: Third-party stakeholders understand roles and responsibilities | CSC 17; NIST 800-53 PS-7, SA-9, SA-16
– PR.AT-4: Senior executives understand roles and responsibilities | CSC 17, 19; NIST 800-53 AT-3, PM-13
– PR.AT-5: Physical & security personnel understand roles and responsibilities | CSC 17; NIST 800-53 AT-3, IR-2, PM-13
Data Security (PR.DS)
– PR.DS-1: Data-at-rest is protected | CSC 13, 14; NIST 800-53 MP-8, SC-12, SC-28
– PR.DS-2: Data-in-transit is protected | CSC 13, 14; NIST 800-53 SC-8, SC-11, SC-12
– PR.DS-3: Assets are formally managed | CSC 1; NIST 800-53 CM-8, MP-6, PE-16
– PR.DS-4: Adequate capacity to ensure availability | CSC 1, 2, 13; NIST 800-53 AU-4, CP-2, SC-5
– PR.DS-5: Protections against data leaks are implemented | CSC 13; NIST 800-53 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13
– PR.DS-6: Integrity checking mechanisms are used | CSC 2, 3; NIST 800-53 SC-16, SI-7
Information Protection Processes & Procedures (PR.IP)
– PR.IP-1: Baseline configuration created and maintained | CSC 3, 9, 11; NIST 800-53 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
– PR.IP-2: System Development Life Cycle implemented | CSC 18; NIST 800-53 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17
– PR.IP-3: Configuration change control processes | CSC 3, 11; NIST 800-53 CM-3, CM-4, SA-10
– PR.IP-4: Backups conducted, maintained, and tested | CSC 10; NIST 800-53 CP-4, CP-6, CP-9
– PR.IP-5: Policy and regulations of physical environment | NIST 800-53 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18
– PR.IP-6: Data is destroyed according to policy | NIST 800-53 MP-6
– PR.IP-7: Protection processes are continuously improved | NIST 800-53 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
– PR.IP-8: Effectiveness of protection technologies is shared | NIST 800-53 AC-21, CA-7, SI-4
– PR.IP-9: Response & recovery plans in place | CSC 19; NIST 800-53 CP-2, CP-7, CP-12, CP-13, IR-7, IR-8, IR-9, PE-17
– PR.IP-10: Response and recovery plans are tested | CSC 19, 20; NIST 800-53 CP-4, IR-3, PM-14
– PR.IP-11: Cybersecurity is included in HR | CSC 5, 16; NIST 800-53 PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21
– PR.IP-12: Vulnerability management plan | CSC 4, 18, 20; NIST 800-53 RA-3, RA-5, SI-2
Protective Technology (PR.PT)
– PR.PT-1: Audit/log records reviewed per policy | CSC 1, 3, 5, 6, 14, 15, 16; NIST 800-53 AU Family
– PR.PT-2: Removable media is protected | CSC 8, 13; NIST 800-53 MP-2, MP-3, MP-4, MP-5, MP-7, MP-8
– PR.PT-3: Least functionality is implemented | CSC 3, 11, 14; NIST 800-53 AC-3, CM-7
– PR.PT-4: Communications & control networks protected | CSC 8, 12, 15; NIST 800-53 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21

NIST CSF to CIS Control Mapping

Function: Identify
– Asset Management: CIS Control #1, 2
– Business Environment
– Governance
– Risk Assessment: CIS Control #3
– Risk Management Strategy
– Supply Chain Risk Management
Function: Protect
– Identity Management, Authentication and Access Control: CIS Control #4, 9, 11, 12, 13, 14, 16
– Awareness & Training: CIS Control #4, 17
– Data Security: CIS Control #1, 2, 13, 14, 18
– Information Protection Processes and Procedures: CIS Control #3, 5, 7, 10, 11
– Maintenance: CIS Control #4, 12
– Protective Technology: CIS Control #4, 6, 8, 11, 13, 14, 16
Function: Detect
– Anomalies & Events: CIS Control #6, 9, 12, 19
– Security Continuous Monitoring: CIS Control #3, 8, 19
– Detection Processes: CIS Control #6
Function: Respond
– Response Planning: CIS Control #19
– Communications: CIS Control #19
– Analysis: CIS Control #3, 19
– Mitigation: CIS Control #3, 19
– Improvements: CIS Control #19
Function: Recover
– Recovery Planning: CIS Control #19
– Improvements: CIS Control #19
– Communications: CIS Control #19

Mapping Between Frameworks

Control and Program Frameworks
– Can be used together
– Are not mutually exclusive
– Support each other
Mapping connects them together
– NIST CSF Mapping
o Maps CSF to CSC, NIST 800-53, ISO 27001, COBIT, ISA
– AuditScripts Master Mapping
o Maps CSC to over 30 frameworks and compliance regimes

Risk Frameworks

Using a Risk Framework

Use a Risk Framework to:
– Define key process steps for assessing and managing risk
– Structure the risk management program
– Identify, measure, and quantify risk
– Prioritize security activities

NIST Security Risk Standards

Risk management
– NIST SP 800-39
o Overall risk management process
– NIST SP 800-37
o Risk Management Framework (RMF) for federal information systems
Risk assessment
– NIST SP 800-30
o Risk assessment process

[Figure: the risk management cycle Frame, Assess, Respond, Monitor, with 800-39 and 800-37 covering the whole cycle and 800-30 attached to the Assess step]

NIST Risk Assessment Process

Step 1: Prepare for Assessment
– Derived from the organizational risk frame
Step 2: Conduct Assessment
– Identify threat sources & events
– Identify vulnerabilities & predisposing conditions
– Determine likelihood of occurrence
– Determine magnitude of impact
– Determine risk
Step 3: Communicate Results
Step 4: Maintain Results

NIST Risk Management Framework (RMF)

Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls

ISO 27005

ISO 27005
– Information Security Risk Management
Defines a systematic approach to manage risks for an organization
Process steps:
– Context Establishment
– Risk Assessment
o Risk Identification
o Risk Analysis
o Risk Evaluation
– Risk Treatment
– Risk Acceptance
Risk Communication & Consultation and Risk Monitoring & Review run alongside every step.

Factor Analysis of Information Risk (FAIR)

International standard
– Quantifying information security and operational risk
– Provides a standard taxonomy and ontology for measuring risk
– Complement to other risk assessment and management frameworks
Supported by two organizations
– FAIR Institute
o Promotes FAIR
– Open Group
o Publishes Open FAIR risk taxonomy and analysis standards


FAIR Model

Risk
– Loss event frequency
  o Threat event frequency
    • Contact frequency
    • Probability of action
  o Vulnerability
    • Threat capability
    • Resistance strength
– Loss magnitude
  o Primary loss
  o Secondary risk
    • Secondary loss event frequency
    • Secondary loss magnitude

Risk Definition
Risk = Impact × Likelihood
Risk = Impact × (Vulnerability × Threat)

NIST definition
– “A measure of the extent to which an entity is threatened by a potential
circumstance or event, and typically a function of: (i) the adverse
impacts that would arise if the circumstance or event occurs; and (ii) the
likelihood of occurrence”
FAIR definition
– “Probable frequency and magnitude of future loss”
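The FAIR factor tree on the model slide and the Risk = Impact × (Vulnerability × Threat) form above can be rolled up in a few lines. The following Python is an added example, not from the slides or the Open FAIR standard; every factor value is constructed, each factor is a single point estimate rather than the calibrated range a real FAIR analysis would use, and the logistic model of Vulnerability is an assumption made here for illustration.

```python
"""FAIR factor-tree roll-up (added example; single point estimates only).
Assumed, not from FAIR or the slides: Vulnerability is approximated as
P(threat capability > resistance strength) via a logistic curve over the
gap between two 0..100 percentile ratings.
"""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    contact_frequency: float         # attacker contacts with the asset per year
    probability_of_action: float     # fraction of contacts that become attacks, 0..1
    threat_capability: float         # attacker skill/resources as a 0..100 percentile
    resistance_strength: float       # control strength as a 0..100 percentile
    primary_loss: float              # direct loss per loss event, in currency units
    secondary_lef: float             # fraction of loss events that trigger secondary loss
    secondary_loss_magnitude: float  # loss per secondary event, in currency units


def threat_event_frequency(s: Scenario) -> float:
    # TEF = Contact frequency x Probability of action (the "Threat" term)
    return s.contact_frequency * s.probability_of_action


def vulnerability(s: Scenario, slope: float = 0.1) -> float:
    # Probability that Threat capability exceeds Resistance strength (assumed model)
    gap = s.threat_capability - s.resistance_strength
    return 1.0 / (1.0 + math.exp(-slope * gap))


def loss_event_frequency(s: Scenario) -> float:
    # LEF = TEF x Vulnerability, i.e. the "Likelihood" term of the NIST form
    return threat_event_frequency(s) * vulnerability(s)


def loss_magnitude(s: Scenario) -> float:
    # LM = Primary loss + Secondary risk, where Secondary risk is its own
    # frequency x magnitude pair; this is the "Impact" term
    secondary_risk = s.secondary_lef * s.secondary_loss_magnitude
    return s.primary_loss + secondary_risk


def annualized_risk(s: Scenario) -> float:
    # Risk = LEF x LM, FAIR's "probable frequency and magnitude of future loss"
    return loss_event_frequency(s) * loss_magnitude(s)


# Constructed scenario: a moderately exposed service with average controls.
BASELINE = Scenario(contact_frequency=100, probability_of_action=0.2,
                    threat_capability=50, resistance_strength=50,
                    primary_loss=10_000, secondary_lef=0.3,
                    secondary_loss_magnitude=50_000)
# Same scenario after a control that raises Resistance strength to 80.
HARDENED = replace(BASELINE, resistance_strength=80)
```

With these inputs the baseline works out to 10 loss events a year at 25,000 each (250,000 per year), and the hardened variant cuts Vulnerability to under 5%, which is the kind of comparison a risk framework uses to prioritize one control over another.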


Intrusion Kill Chain

Attackers must progress through each phase of the chain to achieve their goal
– Breaking just one link in the chain disrupts the adversary
– By understanding the attackers’ perspective, defenders can gain an edge
o Against even the most sophisticated attackers
o Protect against zero-day exploits
• Which is just one link in the chain

Recon > Weaponization > Delivery > Exploitation > Installation > C2 > Actions

Summary

In Summary

As you mature your security program
– Choose one (or more) framework from each category
Control Framework
– Identify baseline controls to implement
Program Framework
– Build a comprehensive security program
– Simplify communications with business
Risk Framework
– Prioritize security activities appropriately

[Figure: the three framework types stacked against axes labelled Time and Experience, with Control Frameworks at the bottom, Program Frameworks in the middle and Risk Frameworks at the top]

Key Action Items

Next week you should:
– Identify the security frameworks used within your organization
Within three months you should:
– Understand how those frameworks are leveraged
– Define how they are mapped to each other
Within six months you should:
– Update your security program plan to leverage each of the three types of frameworks
– Socialize the plan with technical, operations, and executive leaders
Frank Kim
@fykim
www.frankkim.net

Material based on SANS MGT512: Security Leadership Essentials for Managers