Posted on 22-Jul-2019

Leveraging SANS and NIST to Evaluate New Security Tools

Confidential information of TaaSera Inc. Copyright © 2015. All rights reserved. Authorized use only. BEFORE THE BREACH

Agenda

• About TaaSera

• A Problem to Solve

• Overview of NIST Cybersecurity Framework

• Overview of SANS CSC-20

• Call to Action

• Conclusion

• Q&A


Company

• Founded 2012

• Spin-Off from SRI International

• Patented Technology

(6 Issued, 3 Pending, 3 Licensed)

• $19.5mm Raised to Date – Series B Underway

• 28+ Customers, 50+ PoCs

• Headcount 65+

• Cupertino, CA I McLean, VA


A Problem To Solve

• Implementing risk management and deploying security controls

• The number of products can add up quickly, and it becomes increasingly difficult to assess the potential value of the next product

• How do I make gains against the plan?

  - Easy to implement

  - Measurable and reasonable


Overview of NIST Cybersecurity Framework

• History

• What is it?

  - Framework Core

  - Framework Implementation Tiers

  - Framework Profile


NIST Cybersecurity Framework Core

Referenced from: NIST Cybersecurity Framework, 02/12/2014


Turning Theory Into Practice

• Introducing … SANS CSC-20

  - History

  - Why is there a SANS CSC-20?


Turning Theory Into Practice

• What does it consist of?

  - Proof

  - Actions grouped by 4 categories:

    o Quick Wins

    o Visibility & Attribution Measures

    o Improved Information Security Config & Hygiene

    o Advanced

  - Security Framework Mappings

  - Procedures and Tools

  - Metrics and Tests

  - Samples!

• Why should I care?!?


“First Five” Quick Wins

ID #     | Description                                                                                                                                                                                                  | Category
CSC 2-1  | Deploy application whitelisting technology                                                                                                                                                                   | Quick win (One of the "First Five")
CSC 3-1  | Establish and ensure the use of standard secure configurations of your operating systems.                                                                                                                   | Quick win (One of the "First Five")
CSC 3-2  | Implement automated patching tools and processes for both applications and for operating system software.                                                                                                   | Quick win (One of the "First Five")
CSC 3-3  | Limit administrative privileges to very few users                                                                                                                                                            | Quick win (One of the "First Five")
CSC 12-1 | Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. | Quick win (One of the "First Five")


Mapping CSC to Other Frameworks

Referenced from: SANS CSC-20 Fall 2014 Poster


Call to Action

Create a Baseline/Gap Analysis

Develop a Roadmap

Implement the First Phase of Controls

Integrate Controls Into Operations


SANS CSC-20 – Baseline


Financial Services Client – SANS CSC-20 Coverage

Control ID | Description                            | Client’s Current Goal Progress | Progress Including TaaSera | TaaSera Coverage: # of Sub-CSCs Handled | TaaSera Coverage: CSCs Addressed
CSC 4      | Continuous Vulnerability Management    | 62%                            | 86%                        | 5 of 10                                 | 4.1, 4.2, 4.4, 4.6, 4.10
CSC 5      | Malware Defenses                       | 50%                            | 90%                        | 8 of 11                                 | 5.1-5.3, 5.6, 5.8-5.11
CSC 18     | Incident Response & Management         | 71%                            | 82%                        | 2 of 7                                  | 18.1, 18.4
CSC 20     | Penetration Tests & Red Team Exercises | 74%                            | 84%                        | 3 of 8                                  | 20.3, 20.6, 20.8

Colour legend (Percentage to Goal): 50% or Below | 51 – 80% | 81 – 100%


Financial Services Client – SANS CSC-20 Coverage (continued)

Control ID | Description                          | Client’s Current Goal Progress | Progress Including TaaSera | TaaSera Coverage: # of Sub-CSCs Handled | TaaSera Coverage: CSCs Addressed
CSC 1      | Device Inventory                     | 46%                            | 58%                        | 2 of 7                                  | 1.1, 1.4
CSC 3      | Workstation & Server Configurations  | 41%                            | 55%                        | 2 of 10                                 | 3.3, 3.7
CSC 19     | Secure Network Engineering           | 48%                            | 64%                        | 1 of 4                                  | 19.2

Colour legend (Percentage to Goal): 50% or Below | 51 – 80% | 81 – 100%
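The coverage slides above and the closing "model for evaluating new security products" describe one calculation: score each CSC control from the status of its sub-controls, then re-score it with a candidate tool's claimed coverage and rank tools by the gain. The following Python script is an added example, not code from the deck or from TaaSera; the baseline percentages, sub-control lists and the two hypothetical tools are constructed and do not reproduce the client numbers shown in the tables. It generalises the slides by treating partially met sub-controls as fractions and by showing that a tool which only covers sub-controls the client already satisfies adds no progress.

```python
from statistics import mean

# Constructed baseline (not the deck's client data): control id -> sub-control id ->
# fraction of that sub-control already in place, 0.0 (nothing) to 1.0 (fully met).
BASELINE = {
    "CSC 4": {"4.1": 0.5, "4.2": 0.5, "4.3": 1.0, "4.4": 0.0, "4.5": 1.0,
              "4.6": 0.0, "4.7": 1.0, "4.8": 0.5, "4.9": 1.0, "4.10": 0.0},
    "CSC 5": {"5.1": 0.0, "5.2": 1.0, "5.3": 0.5, "5.4": 0.5},
}
DESCRIPTIONS = {"CSC 4": "Continuous Vulnerability Management",
                "CSC 5": "Malware Defenses"}

# Constructed vendor claims: tool name -> sub-controls the tool would fully satisfy.
# Tool B mostly claims sub-controls the client already meets, so it gains little.
TOOLS = {
    "Tool A (hypothetical)": {"4.1", "4.2", "4.4", "4.6", "4.10", "5.1"},
    "Tool B (hypothetical)": {"4.3", "4.5", "4.8"},
}


def sub_key(sub_id):
    """Sort sub-control ids numerically so '4.10' follows '4.9', not '4.1'."""
    return [int(part) for part in sub_id.split(".")]


def bucket(pct):
    """Colour band used on the coverage slides (Percentage to Goal)."""
    if pct <= 50:
        return "50% or Below"
    if pct <= 80:
        return "51-80%"
    return "81-100%"


def control_progress(subs, covered=frozenset()):
    """Percent of a control met; sub-controls in `covered` count as fully satisfied."""
    values = [1.0 if sub in covered else value for sub, value in subs.items()]
    return int(round(100 * mean(values)))


def evaluate(baseline, tool_subs):
    """One coverage-table row per control: current progress, progress with the tool,
    and which sub-controls the tool addresses (the 'N of M' column on the slides)."""
    rows = []
    for control_id, subs in baseline.items():
        handled = sorted((sub for sub in subs if sub in tool_subs), key=sub_key)
        before = control_progress(subs)
        after = control_progress(subs, tool_subs)
        rows.append({
            "control": control_id,
            "description": DESCRIPTIONS.get(control_id, ""),
            "current": before,
            "with_tool": after,
            "band_after": bucket(after),
            "handled": f"{len(handled)} of {len(subs)}",
            "addressed": handled,
        })
    return rows


def rank_tools(baseline, tools):
    """Rank candidate tools by total percentage points gained across all controls.
    A claimed sub-control the client already meets contributes nothing, which is the
    check a buyer wants before paying for overlapping coverage."""
    gains = {name: sum(row["with_tool"] - row["current"]
                       for row in evaluate(baseline, subs))
             for name, subs in tools.items()}
    return sorted(gains.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, gain in rank_tools(BASELINE, TOOLS):
        print(f"{name}: +{gain} points")
        for row in evaluate(BASELINE, TOOLS[name]):
            print(f"  {row['control']:<7}{row['description']:<38}"
                  f"{row['current']:>3}% -> {row['with_tool']:>3}% "
                  f"({row['band_after']}) {row['handled']} {', '.join(row['addressed'])}")
```

Replace the constructed `BASELINE` with the result of your own gap analysis (step one of the Call to Action) and `TOOLS` with each vendor's mapping to CSC sub-controls; the ranking then answers "how much does the next product move me toward the plan" in the same units as the coverage slides.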


Selling SANS CSC-20 to Management

SANS CSC-20 answers key questions:

• What is connected?

• What is running?

• Which few people have admin privileges?

• Which continuous improvement processes help prevent/detect/mitigate breaches?

• We can prove it…


Conclusion

• Using NIST as a guiding framework

• SANS CSC-20 to convert theory into practice

• Using SANS CSC-20 to evaluate continuous security effectiveness improvement

• Model for evaluating new security products

Attend a demo session next week & be entered in our iWatch drawing!

Tuesday, 5/19 @ 2pm EDT

Wednesday, 5/20 @ 10am EDT

Thursday, 5/21 @ 4pm EDT

Just share your card & we’ll register you.

Brian Eberhardy, Director of Solutions Consulting

beberhardy@taasera.com

(414) 687-2950

Q & A
