The CISO as a Systems Integrator

Transcription

1 The CISO as a Systems Integrator AKA: Building Your Network Defense through Bad Car Analogies and Idioms Joe McMann Cyber Strategy Leader 2017 LEIDOS. ALL RIGHTS RESERVED. 17-Leidos PIRA #DIS The wording LEIDOS used throughout is a registered trademark in the U.S. Patent and Trademark Office owned by Leidos, Inc.

2 Cybersecurity as a Racetrack Going round and round Why are we here? Why are we still here? How do we get secure? Why aren t we secure yet? Why is this so hard? Why is this still so hard? 2017 LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

3 Kicking the can down the road. Solutions come and go yet the questions persist. Are we asking the right questions? Is there a finish line? LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

4 Slow and steady wins the race. Success [in cybersecurity] is a journey, not a destination. Map: Executable strategy Vehicles: Solution delivery models to suit Travel Companions: Trusted advisors & proven practitioners Snacks: Training, frameworks, tailored technology Cyber is a forever challenge LEIDOS. ALL RIGHTS RESERVED.

5 Siri, how do I get to Secure? Cyber Journey Best practices baseline Turn right Drive towards intelligence Arrive at waypoint, plot next objective Intelligence is the collection of information of value and the ability to acquire and apply knowledge and skills LEIDOS. ALL RIGHTS RESERVED.

6 The CISO as a Systems Integrator Systems integrators generally have to be good at matching customers needs with existing products The current problem is how to harness all the information available, from the various information generators (or sensors) into one complete picture As well as the design of the actual interfaces much effort is being put into presenting the information in a useful manner. Wikipedia Objective: Find those elements which bring value and apply them across people, process, and technology to create a sum greater than it s parts LEIDOS. ALL RIGHTS RESERVED.

7 All roads lead to Rome. At least they should. Establish operations: Develop capabilities Refine processes Train skillsets Evolve tradecraft: Encourage mindset Empower the analyst Gather expertise Build a foundation: Define the mission Form relationships Manage information Ensure visibility LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

8 Case Study: Putting the cart before the horse. Large, international enterprise with federated business units Many non-standardized external connections Proposed a big-data analytics solution for threat hunting Challenges: Incomplete data-set. Solution applied to a limited % of primary gateways. Unknown number of non-standard ingress/egress methods. Post-event detection only. No active mitigations or controls LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

9 Rome wasn t built in a day. Five Essential Components for Success Mission focused organization Structured process strategy Visibility, awareness and control Repeatable analysis framework Measurement and accountability 2017 LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

10 Organizational Integration The mission depends on collaboration across the entire organization Strive to operate in a culture of yes, we ll find the right way Cybersecurity no longer exists as a Black Box. CISO organization stands at center of bi-directional feedback loop between CND operations and the rest of the business and must broker inputs and outputs LEIDOS. ALL RIGHTS RESERVED.

11 Analysts Corporate Comms Physical Security Network Defense Engineering & Development Counter-Intelligence Perimeter Physical Security Human Resources CISO Enterprise Controls Host Identity & Asset Management Corporate IT Business Units Policy & Compliance Education & Awareness LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

12 Process Integration Strategy Plan out processes from the ground up: Define inputs and outputs for each Understand interface points and relationships Build from daily operations Foundational processes should feed, inform, and guide strategic efforts Ask yourself if a process stands on it s own, with limited connectivity back to the core, is it providing value? Does the process belong in this mission for this organization? LEIDOS. ALL RIGHTS RESERVED.

13 Incident Response Communicate Internal Drivers Coordination Employees Detections and Alerts Triage Leadership & LOBs Employee Notifications Detection & Analysis Remediate Public, LE, Government Testing & Simulation Real-time External Drivers Historical Mitigations & Protections Measure & Report Industry Partnerships Pivoting & Hunting Network Activity Intelligence Host Effectiveness Vendors & Suppliers Tactical & Strategic Impact 2017 LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

14 Technical Integration Where the rubber hits the road. Not just a collection of solutions Understand how they fit, how they integrate, how they flow Source: The Racetrack Model: Driving Informed Defense Through Analytic Completeness 2016 Lockheed Martin. All rights reserved LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

15 Go with the flow. Map out capabilities in a logical flow Intrinsic values Order of operations? Active/Passive? Derived values What information do they provide? What happens if? Source: The Racetrack Model: Driving Informed Defense Through Analytic Completeness 2016 Lockheed Martin. All rights reserved LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

16 Case Study: Getting a tune-up. Prime utility company, pieces in place across organization and process. Technology portfolio largely built out, needed to enhance the SIEM capabilities for analysts Challenges: While baseline capabilities existed, available data was not being utilized Some controls feeding SIEM were pushing high-noise, low-value events Limited ability to measure, record, and report on effectiveness of tuning LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

17 Souvenirs Build on a strong foundation Understand dependencies in the simplest form: People without technology are frustrated Technology without people lacks context and impact People and technology without process leads to chaos Visibility is paramount. Always start there. If you can t see it, you can t detect it. If you can t detect it, you can t analyze it. If you can t analyze it, you ll never know how to stop it LEIDOS. ALL RIGHTS RESERVED. 17-Leidos

18 Thank you. Questions and Discussion