BSides Orlando 2015: Executive Order - Information Security Sharing
TRANSCRIPT
© 2015 ReliaQuest All Rights Reserved
www.ReliaQuest.com
Executive Order: Private Sector Cybersecurity Information Sharing
04/11/2015
Christopher Martinez
Biography
• IT Security Engineer at ReliaQuest
o Co-Managed Security Solutions Provider
o Assess, Secure, and Manage Security and Compliance Posture
o SIEM Management (ArcSight, QRadar, LogRhythm, SecureVue, and more)
• Graduated from the University of Tampa
o Degree in Management Information Systems
o Focus in Security
• Information Security Interests:
o SIEM Utilization (Integrating with Centralization)
o Evolution of Information Security
Introduction to the Executive Order Promoting Private Sector Cybersecurity Information Sharing
What is the Executive Order?
• Encouraging Private-Sector Cybersecurity Collaboration
• Improve Private-Public Information Sharing
• Provide Strong Privacy and Civil Liberties Protections
• Pave the Way for Future Legislation
How Does This Affect Us?
• The first time in history that sharing security information with third parties and the government has been formally encouraged.
“Cyberthreat information sharing is one of the few ways organizations can be ‘proactive’ in dealing with cyberattacks” – Art Gilliland, HP Senior Vice President and General Manager of Enterprise Security Products (ESP)
Source: www.fortune.com
Encouraging Private-Sector Cybersecurity Collaboration
• Development of Information Sharing Organizations
o Information Sharing and Analysis Organizations (ISAOs)
  o Not-for-profit community, membership organization, or a single company facilitating sharing among its customers or partners.
  o Serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government.
  o According to the 2015 Cisco Annual Security Report, 1% of high-urgency CVEs were actively exploited.
o Collaborate with ISAOs via the DHS National Cybersecurity and Communications Integration Center (NCCIC)
  o Sharing information related to cybersecurity risks and incidents
Real Example: Health Information Trust Alliance (HITRUST)
Health Information Trust Alliance (HITRUST)
• “In the wake of the Anthem breach, the industry was able to experience the effectiveness of information sharing when HITRUST was able to share Indicators of Compromise (IOCs) with the healthcare industry within one hour after Anthem posted them to the automated HITRUST CTX.” – hitrustalliance.net
Source: theverge.com
Encouraging Private-Sector Cybersecurity Collaboration
• Develop a common set of standards for Information Sharing Organizations
o The Executive Order directs the Department of Homeland Security to fund the creation of a non-profit organization to develop a common set of voluntary standards for ISAOs
  o Business processes
  o Operating procedures
  o Privacy protections, etc.
o The Sharing Organization must engage in an open public review and comment process for the development of the standards
Improve Private-Public Information Sharing
• Clarify the Department of Homeland Security’s authority with Information Sharing Organizations
o Streamlining National Cybersecurity and Communications Integration Center (NCCIC) information sharing agreements with ISAOs
  o Ensures robust, voluntary information sharing
• Streamline private sector companies’ ability to access classified cybersecurity threat information
o Provides valuable context to network defenders and enhances their ability to protect their systems
o The Department of Homeland Security will approve classified information sharing arrangements
HITRUST CTX and Collaboration
Provide Strong Privacy and Civil Liberties Protections
• Ensures that information sharing enabled by this new framework will include strong protections for privacy and civil liberties
o ISAOs will agree to abide by a common set of voluntary standards
  o Minimization – Redacting sensitive data without affecting the function of the information being provided.
o Agencies will coordinate their activities and ensure that protections are based upon the Fair Information Practice Principles
  o Protecting PII (in all media) through appropriate security safeguards
Paving the Way for Future Legislation
• Intended to complement existing effective relationships between the government and private sector.
o Building out the concept of ISAOs as a framework for targeted liability protections
o Major cybersecurity bill this month
  o Granting companies protection from legal liability if they choose to voluntarily share certain cyberthreat data with the government.
Questions?
Slides Will Be Available For Download At The ReliaQuest SlideShare Page
SlideShare.net/ReliaQuest