Introducing RESILIA: Cyber-Resilience for the 21st Century

Transcription

Session 610 Introducing RESILIA: Cyber-Resilience for the 21st Century
David Moskowitz
RESILIA Practitioner
ITIL Expert
Agile Mentor & Coach
Additional Information
• Membership (CODE: HDI16)
http://www.itsmmentorstore.com/videotraining.asp
• RESILIA Foundation:
http://www.careeracademy.com/?RESILIAFd_Series
• RESILIA Practitioner:
http://www.careeracademy.com/?RESILIAPr_Series
• Executive overview (30 minute):
https://www.youtube.com/watch?v=xjmaZhVc7KY
It Can’t Happen Here!
Recent Small Sample
• US Government OPM: 21.5 million
• T-Mobile: 15 million applicants
• Premera Blue Cross: 11 million
• Anthem: 80 million
• Ashley Madison: 32 million
• Sony: terabytes of data
• Home Depot: 56 million payment, 53 million email addresses
• JP Morgan: 83 million
• Target: 110 million
Two types of companies: the ones that have been hacked and ones that don’t know it.
(In 2015) new account (CC) fraud more than doubled over 2014. 2016 Identity Fraud Study, Javelin Strategy & Research
Getting Worse, Not Better!!
The Pace of Change
(Cartoon: www.glasbergen.com ― ©2006 Randy Glasbergen)
What is Cyber Security?
• Security is not a preventative!
• Purpose: keep them out long enough
– Delay tactic!!!
– When they get in… whatever you’re trying to protect is no longer sensitive, valuable or meaningful
• Not enough!
– Need capability to detect & correct
– Average time to detect breach???
Reported hacks/month outside of government
• More than 50
• 83% financial companies
• 44% retail
Average time to detect more than 6 months
http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/ May, 2015
Report: Property & Casualty 360
What’s Wrong with This Pikture
When Bad Things Happen to Good People
• It’s not if, but when you will experience an…
– Information breach
– Malicious software
– Cyber attack
– Accident !!!!
• Prevention alone is not a realistic strategy
– You have to be right all the time
– … they only have to be right once
• Loss of trust & Loss of reputation,
• Financial loss & … careers
• Cyber Resilience controls (3-legged stool)
– Prevention
– Detection
– Correction
Missing a leg?
Now what?
Shift of Paradigm
• Change thinking from
– Security to resilience
– Analytical thinking to systems thinking
• Analytical → Independent variables
• Systems → Interdependent variables
• Use new thinking to find proper balance
– Start where you are → accept where you are
– Focus on value balance
• Prevent: what you can
• Detect: what you missed
• Correct: business impact & improve
Cyber Resilience (CR)
• Cyber Resilience
– “The ability to prevent, detect & correct any
impact that incidents have on the information
required to do business.”
• RESILIA™ = CR best practice framework
– Adopt & adapt similar to ITIL®
– Uses the ITSM lifecycle
• … together with ITSM and a management system
Critical Elements of Effective CR
• Board-level ownership & responsibility for CR
• Adopt tailored learning & development for all staff
• Leads to:
– Clear understanding of critical (information) assets
– Clear view of organizational key threats & vulnerabilities
• Customers
• Partners
• Supply chain
– Adopting a common language,
• Used by all stakeholders
– Assessment of the organization’s CR maturity
– Appropriate balance of controls
Benefits of Cyber Resilience
• Aligned to business outcomes
• Implement balanced controls
– Prevent CR incidents you can
– Detect CR incidents not prevented
– Correct to protect business
• Builds trust within value network
– Optimize the value created
– Increase competitive advantage
– Improve operational efficiency
“Recognizing that 100% risk mitigation is not possible on any complex system, the overarching goal of a risk-based approach to cyber security is system resilience to survive and quickly recover from attacks and accidents.” Partnering for Cyber Resilience, World Economic Forum, January, 2013
• Balance
– Protection of assets
– Ability to innovate
• Requires single, coherent risk-based strategy
– Must align with organization’s risk appetite
• Delivered via a management system
Prevent
Detect & Correct
Risk? Really??
Manage cyber resilience
• Manage risks
• Identify what might happen
• Assess likelihood & impact
• Decide on action
• Select risk approach
• ISO 31000
• M_O_R™
• RESILIA™
Management Systems
• Management systems exist everywhere
– Formal & informal
• Driven by strategic goals
• Provides basis for governance & management
– Processes, roles, organizational design, metrics (CSF & KPI)
– Directing, leading & reporting
• AXELOS Cyber Resilience uses the ITSM Lifecycle
– Strategy
– Design
– Transition
– Operation
– Continual Improvement
• Defined by the ITIL®
– Service Management Lifecycle
CR, People, Process & Technology
• Avoid overreliance on technology
• Strike a balance
– People
– Process
– … & technology
• Cyber Resilience requires
– Well informed & educated people
– Well designed processes
• People, Process & Technology
– Must fit together without gaps
– Act in a complementary manner
– Include physical & personnel
• … to ensure completeness
What is a Process?
• Structured set of activities designed to
accomplish a specific objective. ITIL Glossary
– Established plan and set of activities
– Produces a measurable outcome for a stakeholder
• Revise the definition: Process is a structured set
of activities… with the necessary controls
– RESILIA adds CR controls to ITSM
RESILIA Adds CR Controls to ITSM
• Take lifecycle approach
• Already doing something
• Start where you are
– Improve what you have
– Start with CSI (continual improvement)
– Determine which controls are needed
• Modify or add processes
• Examine existing business strategy
– Add CR considerations
– Set stage for governance & management
• Design to meet strategy
• Transition to verify & validate accomplishment
• Operate CR (IT operations)
• Get better at it (CSI – keep momentum going)
– CR constant moving target
Don’t limit thinking!
ITSM isn’t just for IT!
Why RESILIA & ITSM
• CISO gets alert on IP address
– Without good configuration
management…
– Where is it?
– What data is on it?
– How sensitive is the data?
– What flows through it?
• Service desk gets a report
– Transaction that worked, doesn’t
– Without
• Change management et al
• Incident & problem management
• Known error database (KEDB)
Planning a CR initiative, consider:
• RESILIA best-practice approach for implementing Cyber Resilience
– Includes practical guidance
– Based on something you already know: ITIL/ITSM
• NIST Cybersecurity Framework
– Defines cybersecurity capability
– Describes practice of cybersecurity
• NOT how
– Creates cybersecurity profiles
• Current state
• Future state
What Happens in Each Lifecycle Stage
• Strategy
– Ensure CR objectives clearly understood
– Identify critical assets, associated vulnerabilities & risks
• Design
– Design management systems & controls
– Design/select controls, training & RACI
• Transition
– Verify & validate expectations met
– Move output of design into operation
• Operations
– Operate the controls (include continual testing)
– Detect & manage CR events & incidents
• CR continual improvement
– Ensure CR evolves to meet changing threats
– Learn from experience & improve
RESILIA Steps to Be Cyber Resilient
• Identify information assets
– Where they live (may be more than single source)
– How they move
– Who has access & how
• Ownership, too
• Classify & prioritize assets for CR
– Threats, vulnerabilities & risks for each type
• Determine
– Type & level of protection needed
– Appropriate controls
• Make Continual improvement an organizational
capability
Strategy CR Control Objectives
• Evaluate need & expectations of the stakeholders
• Provide direction to management
• Define who makes Cyber Resilience decisions & how
• Ensure Cyber Resilience risk is addressed
• Monitor performance & outcomes
• Segregation of Duties & Dual Controls
• Cyber Resilience activities
– Define overall strategy to create value
– Identify stakeholders
– Understand business requirements & set expectations
– Define high-level priorities, goals, balance & CSFs
– Define roles & responsibilities
– Provide funding
• … & exploit opportunities
Design CR Control Objectives
• Human Resources Security
– Joiners, movers & leavers (JML)
• Supplier & 3rd Party Security Management
– System Acquisition, Development Architecture &
Design
• Endpoint Security
• Cryptography
• Business Continuity Management
Transition CR Control Objectives
• Asset & Configuration Management
– What & where
– Classification & Handling
• Data Transportation & Removable Media
• Change Management
– Include CR considerations
• Testing
– Test CR capabilities for detection
• Training
– See something, say something
• Document Management
• Information Retention
• Information Disposal
Operation CR Control Objectives
• Ensure risks that disrupt operational service are managed
• Operation controls objectives include
– Access Control
• JML, business requirements & access policy
• Identity verification (authentication, access & non-repudiation)
– Network Security Management
– Physical Security
– Operation Security
– Incident Management
• Incident response
– Formal response team?
• Define CR communication
• Determine criteria to bring in specialists
• Forensic investigation
• Document lessons learned
CSI Control Objectives
• Audit & Review
• Control Assessments
• KPIs, KRIs, & Benchmarking
• Business Continuity Improvements
• Process Improvements
• Remediation & Improvement Planning
Effective CR Dependencies
• Board-level ownership & responsibility for CR
– Execute business strategy
– Deliver desired outcomes
– Offer services to customers
• Trust & rely
• Training & development
• Identify critical information assets
– What hackers want
• They want it all!!!
– Identify acceptable risk levels
– Threats & vulnerabilities for each asset type
• Clear view of key threats & vulnerabilities
– Include customers, partners & supply chain
• Only secure as weakest link
– Common language used by all stakeholders
– Assessment of organizational CR maturity
• Appropriate balance of controls to
– Prevent
– Detect
– Correct
Prevent
Detect & Correct
CR is Really Business Resilience
• Ensure the organization can confidently
– Execute business strategy with appropriate balance
• Prevent, detect, correct
– Deliver desired business outcomes
• Provide
– Good processes & people, systems & technology
• Offer products & services to customers
– Trust & rely to do the right thing
• Keep customers in the loop
• CR key to survivability & profitability
– Requires more than IT
– Absent effective CR → bad headlines
Thank you for attending this session.
Please remember to complete a session evaluation!
Twitter: DavidM2
NIST Cyber Security Framework
• National Institute of Standards & Technology (NIST)
• Framework published in February 2014
– U.S. Publication – appropriate for organizations worldwide
– Intended for organizations supporting critical infrastructure
– Systems & assets; physical or virtual
– Vital to U.S. Interests
• Incapacity or destruction results in debilitating impact on
– Security
– National economic security
– National public health or safety
• NIST Framework
– Framework Core
• Controls described in a formal structured hierarchy
– Framework Implementation Tiers
• 4-layered model describing alignment to the framework
– Framework Profiles
• Selection of controls from the core that is appropriate for a particular organization or context
__________
“The framework is intended for organizations that are responsible for critical infrastructure, defined as ‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety…’”
__________
NIST Cybersecurity Framework
• Published by the
– National Institute of Standards & Technology (NIST)
• Department of the U.S. Department of Commerce
• Published February 2014
• Deemed appropriate for organizations worldwide
• Risk-based approach
– Manages cybersecurity risk
– Framework Core
• Describes common desired outcomes
• Expressed as functions
– Framework Implementation Tiers
• Describes how cybersecurity is practiced
• Informed by business needs
– Framework Profiles
• Aligns “core” with resources & tolerances
• Used to define current state
• … & future state
Implementation Tiers
__________
• Describes the practice of
– Cybersecurity risk management
– Rigor of the practice of cybersecurity
– … as defined in the framework
– Not intended to represent “maturity levels”
• … however may be used as such
• Implementation Tiers
– Tier 1 - Partial
• Ad hoc
• Limited risk awareness
• No collaboration
– Tier 2 - Risk-informed
• Approved risk management practices
• Organizational awareness of risk
• Role in relation to other organizations
– Tier 3 - Repeatable
• Organization-wide formal practices
• Consistent processes & methods
• Information sharing with other organizations
– Tier 4 - Adaptive
• Practices based on lessons learned
• Risk management part of culture
• Information actively shared
The Tiers range from ‘Ad hoc’ to ‘Adaptive’ and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.
“Implementation of the framework is not judged based on the tier level achieved, but on achieving the outcomes described in the organization’s target profile(s).”
__________
NIST