Critical Security Framework MEASURING Security
Dick Bussiere | Technical Director | Asia Pacific
Turbo Agenda
What is the NIST Cybersecurity Framework?
Why should YOU care?
How would I apply it?
How would I measure my effectiveness?
Things to Ponder
205 Days until breach detected (APAC Average)?
Can you say with certainty that you are 100% Secure?
Do you know with certainty that you have NOT been breached?
Heard on the street…
• 88% of organizations believe security should be a top or high priority of the business
• 68% of CEOs view security as a top or high priority to the business
• 16% of organizations completely agree that the business has the ability to defend itself from security attacks
IF YOU CAN’T MEASURE IT, YOU CAN’T CONTROL IT
IF YOU CAN’T MEASURE IT, YOU CAN’T IMPROVE IT
Communication Gap?
Executive:
• Brand & Reputation of Business
• Ongoing Business Operations
• Risk to Customers
IT Team:
• Is risk at an acceptable level?
• What level of risk are we exposed to?
• Are we compliant with all the regulations that apply to us?
• Is the cybersecurity platform operating as well as it should be?
• Where should we spend additional money?
The Survey Says…
Security frameworks guide the way…
• 84% leverage a security framework
• Broad range of company sizes
Wide range of frameworks utilized
• 44% used more than one framework
• EOY 2016 - CSF (43%), CIS (44%), ISO (44%)
Best practice & requirements drive CSF adoption
• 70% adopted CSF because they consider it best practice
• 29% adopted CSF because a partner required it
Security framework adoption is a journey
• Only 1 in 5 rank their organization as very mature
• More than half of CSF adopters require significant investment to fully conform
Survey conducted by Dimensional Research, March 2016; 316 IT and security professionals interviewed in the US
Why Cyber Security Framework?
• Asks the question “what are you doing to improve” rather than “did you implement control XYZ”
• Results in a shift from compliance to action and specific outcomes
• Business oriented
• Has a built-in maturity model and gap analysis; no need to overlay another maturity model on top of CSF
• Measures where you are and where you need to go
• Can be implemented “piecemeal” as required, making it more appealing to business
• Repeatable • Flexible • Technology neutral • Cost effective • Measurable! • Common language
Why Cyber Security Framework?
Objectives of CSF in a nutshell
• Describe current security posture
• Describe target security posture
• Continuous improvement
• Assess progress towards target posture
• Communicate risk
A Framework of Frameworks
• ISO/IEC 27001
• CCS CSC
• ISA 62443
• NIST SP 800-53
• COBIT 5
NIST CYBERSECURITY FRAMEWORK
5 in 1!
CSF Core (what it does)
• Identify • Protect • Detect • Restore • Recover
Framework Implementation Tiers (how you view cybersecurity)
• Tiers (4) that show how cybersecurity risks and processes are viewed within an organization
• Required tier based on perceived risk/benefit analysis
Framework Profile (where you are and where you want to go)
• Defines (measures) current state
• Defines (measures) desired state
The Cyber Security Framework at 40,000 feet…
CSF Component 1 – Framework Core
Framework Core
Identify
Detect
Respond
Recover
Protect
Structure
Risk Profile, Requirements & Resources
The NIST Cybersecurity Framework acts as a “Normalization Layer”: use CSF to normalize existing frameworks to a common language
Existing frameworks: ISO/IEC 27001, CIS Critical Security Controls, ISA 62443
CSF Component 2 – Framework Implementation Tiers
How cybersecurity risks and processes are viewed within the organization, in increasing order of sophistication:
• Partial
• Risk Informed
• Repeatable
• Adaptable
CSF Component 3 – Framework Profile
Presents an overview of present and future cybersecurity posture, shaped by business requirements, risk tolerance and resources
Used to define current state and desired state; can help measure progress...
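The two slides above (“Objectives of CSF in a nutshell” and “Framework Profile”) describe the core measurement loop: record where you are, record where you want to be, and report the gap and the progress toward closing it. The following worked example, added here and not taken from the talk or from NIST, turns that loop into a small gap-analysis script. It scores each CSF Category on a 0–4 scale labelled with the tier names the talk uses, compares a Current Profile against a Target Profile, ranks the largest gaps (where additional spend should go) and computes a single progress figure for the executive view. The Category identifiers (ID.AM, PR.AC, DE.CM, …) are real CSF v1.x Category IDs but do not appear on the slides; the assessment values are constructed sample data, not survey results.

```python
"""Added example: a minimal NIST CSF profile gap analysis (not from the talk).
Current and Target Profiles are dicts of Category ID -> maturity score 0-4."""
from __future__ import annotations
from dataclasses import dataclass

# CSF Function each Category belongs to (the prefix of the Category ID).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Scoring scale for this example (constructed); labels 1-4 follow the
# Implementation Tier names used in the talk.
SCALE = {0: "Not implemented", 1: "Partial", 2: "Risk Informed",
         3: "Repeatable", 4: "Adaptable"}


@dataclass(frozen=True)
class Gap:
    category: str
    function: str
    current: int
    target: int

    @property
    def size(self) -> int:
        # Exceeding the target is not a gap, so clamp at zero.
        return max(self.target - self.current, 0)


def gap_analysis(current: dict[str, int], target: dict[str, int]) -> list[Gap]:
    """Compare a Current Profile against a Target Profile.

    A Category in the target that was never assessed counts as 0 (nothing
    in place) rather than being skipped, so an unassessed area cannot
    silently look compliant. Largest gaps are returned first."""
    gaps: list[Gap] = []
    for cat, want in target.items():
        prefix = cat.split(".")[0]
        if prefix not in FUNCTIONS or want not in SCALE:
            raise ValueError(f"bad target entry {cat}={want}")
        have = current.get(cat, 0)
        gaps.append(Gap(cat, FUNCTIONS[prefix], have, want))
    return sorted(gaps, key=lambda g: (-g.size, g.category))


def progress(current: dict[str, int], target: dict[str, int]) -> float:
    """Fraction of the target posture already achieved (0.0-1.0):
    sum of min(current, target) divided by the sum of targets."""
    gaps = gap_analysis(current, target)
    total = sum(g.target for g in gaps)
    if total == 0:
        return 1.0
    return sum(min(g.current, g.target) for g in gaps) / total


def function_summary(current: dict[str, int], target: dict[str, int]) -> dict[str, float]:
    """Average outstanding gap per Function, the level executives see."""
    by_fn: dict[str, list[int]] = {}
    for g in gap_analysis(current, target):
        by_fn.setdefault(g.function, []).append(g.size)
    return {fn: sum(v) / len(v) for fn, v in by_fn.items()}


# Constructed sample assessment (not real data). RC.RP was never assessed.
CURRENT = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 3, "PR.DS": 2,
           "DE.AE": 1, "DE.CM": 1, "RS.RP": 2}
TARGET = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 3, "PR.DS": 3,
          "DE.AE": 3, "DE.CM": 4, "RS.RP": 3, "RC.RP": 3}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET):
        print(f"{g.category:6} {g.function:8} {SCALE[g.current]:>16} -> "
              f"{SCALE[g.target]:<13} gap {g.size}")
    print(f"progress toward target: {progress(CURRENT, TARGET):.0%}")
    print(function_summary(CURRENT, TARGET))
```

Run as-is, the sample data ranks DE.CM and the never-assessed RC.RP as the two largest gaps and reports 48% progress toward the target posture; the per-Function summary is the “communicate risk” view, the ranked list is the “where should we spend additional money” view from the IT team slide.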
How is CSF Different?
• Expresses cybersecurity activities in a common language
• Leverages existing standards – does not reinvent the wheel – can map existing processes/guidelines into CSF
• Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives
• Provides a vehicle to effectively measure cybersecurity effectiveness independent of existing framework
Ingredients to Measuring Compliance
• Endpoint Assessment
• Network Monitoring
• Analytics
• Event Monitoring
Thank You
Dick Bussiere | Technical Director | Asia Pacific