TRANSCRIPT
GOH Seow Hiong
Executive Director, Global Policy & Government Affairs, Asia Pacific
Cisco Systems
December 2017
How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity
Why is the NIST framework important?
As board members …
• Does your company's management report to the Board on cybersecurity? Regularly?
• Do you know when the latest breach in the company occurred?
• Do you know the damage from the last breach?
• Do you know the extent of the breach?
THE EVOLVING THREAT LANDSCAPE
What threats do I face?
Security Challenges
• Shortage of cyber security experts: talent crunch; niche security skills; increased costs
• Evolving business needs
• Dynamic threat landscape: attack surface; threat actors; attack sophistication
• Complexity and fragmentation: fragmented security; not interoperable; not open
• Changing regulations and business models
• Widening IT/Board communication gap
THE BIGGEST PROBLEM
Do I know if I’ve been compromised?
Cyber Attack – No If but When
Source: Verizon 2012 Data Breach Investigation Report
Whack-a-mole Approach
Recognizing Malware is Difficult and Not Enough
How easy is it to breach?
MY IT GUYS ARE ON IT!
How are they managing security?
Management Nightmare
Complexity is a Significant Obstacle to Security
Business Constraints (2016 surveys, n=2,850 and n=2,860; change from 2015 in parentheses):
• Budget: 35%
• Compatibility issues: 28%
• Lack of trained personnel: 25% (-4%)
• Certification requirements: 25%
(Other year-over-year changes shown on the chart, not attributable to a single item in this transcript: -4%, +/-0%, +3%)
Vendor and Product Complexity:
• Number of security vendors used: 1-5 (45%), 6-10 (29%), 11-20 (18%), 21-50 (7%), over 50 (3%)
• Number of security products used: 1-5 (35%), 6-10 (29%), 11-20 (21%), 21-50 (11%), over 50 (6%)
• 55% of organizations use 6 to >50 security vendors; 65% of organizations use 6 to >50 security products
Device enrollment challenges await…
• 374 new devices per second
• 10 min to connect and define policy
• 7.8 person-days of effort per second
• 245.8M person-days of effort per year
How do we deal with the challenges?
Holistic not piecemeal approach
Evolution of defensive tactics
Medieval defense vs. modern defense
Analogy with Airport security (airport step → security control):
Identity Check → AnyConnect
No Entry for Unauthorized → OpenDNS
Boarding pass → ISE
Security Inspection → Firepower/AMP
Luggage Check → ESA/WSA
Luggage Check-In → Talos
Isolates Electronic Device → ThreatGrid
Security Check → StealthWatch
Boarding on plane → TrustSec
Immigration Check → ASA
Leverage the network
Firewall and security infrastructure
Advanced threat intelligence
Governance processes
Effective security requires integrated threat defense: Before / During / After
NIST Cybersecurity Framework
• Voluntary, open, transparent drafting process
• Voluntary, consensus-based standards leveraged
• Voluntary use of Framework by private sector
• Input to regulation & government procurement
NIST Cybersecurity Framework: five core functions and their categories
Identify: Asset management; Business environment; Governance; Risk assessment; Risk management strategy
Protect: Access control; Awareness training; Data security; Information protection processes & procedures; Protective technology
Detect: Anomalies and events; Security continuous monitoring; Detection processes
Respond: Response planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery planning; Improvements; Communications
How do I measure?
Metrics
• Mean time to detect
• Mean time to contain
• Mean time to recovery
Does your management measure these?
Detection is key
• Current average time-to-detect: 100-200 days
• Cisco in 2015: time-to-detect at 2 days
• Today: Cisco time-to-detect at 6 hours
• Cisco in independent tests (NSS):
  • 70% of breaches detected < 1 min
  • 90% of breaches in 3 minutes
  • 99% detection within 6 hours
  • 100% in 24 hours
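The three metrics above only mean something when management agrees on which timestamps they are measured between. The following is an added example, not part of the presentation, that computes them from constructed incident timelines; the definitions (MTTD = compromise to detection, MTTC = detection to containment, MTTR = detection to recovery) and the sample data are assumptions made here.

```python
# Added example (not from the presentation): board metrics from incident timelines.
# Assumed definitions: MTTD = compromise -> detection (dwell time, days);
# MTTC = detection -> containment (hours); MTTR = detection -> recovery (hours).
from datetime import datetime
from statistics import mean


def _ts(value):
    """Parse an ISO-8601 UTC timestamp; None means the stage has not happened yet."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def breach_metrics(incidents):
    """Return MTTD (days), MTTC/MTTR (hours) and the number of still-open incidents.

    Incidents without a containment time count toward MTTD but are excluded from
    MTTC/MTTR, so unfinished response work cannot make the averages look better.
    """
    ttd, ttc, ttr, open_count = [], [], [], 0
    for inc in incidents:
        compromised, detected = _ts(inc["compromised"]), _ts(inc["detected"])
        contained, recovered = _ts(inc.get("contained")), _ts(inc.get("recovered"))
        if detected < compromised:
            raise ValueError(f"{inc['id']}: detected before compromise; check the forensic timeline")
        ttd.append((detected - compromised).total_seconds() / 86400)
        if contained is None:
            open_count += 1
            continue
        ttc.append((contained - detected).total_seconds() / 3600)
        if recovered is not None:
            ttr.append((recovered - detected).total_seconds() / 3600)
    return {
        "mttd_days": mean(ttd) if ttd else None,
        "mttc_hours": mean(ttc) if ttc else None,
        "mttr_hours": mean(ttr) if ttr else None,
        "open_incidents": open_count,
    }


def needs_board_attention(metrics, mttd_target_days=2.0):
    """True when dwell time misses the target or any incident is still uncontained."""
    return metrics["open_incidents"] > 0 or (metrics["mttd_days"] or 0) > mttd_target_days


# Constructed sample incidents (not real data); INC-1 mirrors the long dwell times
# behind the 100-200 day industry average, INC-3 is still open.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "compromised": "2017-01-01T00:00:00Z", "detected": "2017-05-01T00:00:00Z",
     "contained": "2017-05-02T00:00:00Z", "recovered": "2017-05-05T00:00:00Z"},
    {"id": "INC-2", "compromised": "2017-06-01T00:00:00Z", "detected": "2017-06-01T12:00:00Z",
     "contained": "2017-06-01T14:00:00Z", "recovered": "2017-06-02T12:00:00Z"},
    {"id": "INC-3", "compromised": "2017-07-10T00:00:00Z", "detected": "2017-07-20T00:00:00Z"},
]

if __name__ == "__main__":
    m = breach_metrics(SAMPLE_INCIDENTS)
    print(m, "escalate" if needs_board_attention(m) else "within target")
```

A single 120-day dwell pulls the average to 43.5 days even though the other two incidents were caught in hours or days, which is why the distribution (as in the NSS percentages above) should be reported alongside the mean.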
Looking forward
Collaborating with Partners
• Governments
• International bodies
• Private sectors and customers
THREAT INTEL Per Day
• 250+ full-time threat intel researchers
• Millions of telemetry agents
• 4 global data centers
• 1100+ threat traps
• 100+ threat intelligence partners
• 1.5 million daily malware samples
• 600 billion daily email messages, 86% spam
• 16 billion daily web requests
• 20 billion threats blocked
Sources: honeypots; open source communities; vulnerability discovery (internal); product telemetry; internet-wide scanning
INTEL SHARING
• Cisco Customer Data Sharing Programs
• Service Provider Coordination Program
• Open Source Intel Sharing
• 3rd Party Programs (MAPP)
• Industry Sharing Partnerships (ISACs)
• 500+ participants
* For comparison, Google: 3.5B searches/day
Address the Entire Attack Continuum
Network | Endpoint | Mobile | Virtual | Cloud
Network as a Sensor; Network as an Enforcer
Total visibility + Minimum time to detect + Fast containment
Before: Discover, Enforce, Harden
During: Detect, Block, Defend
After: Scope, Contain, Remediate
• Risk-based Decisions
• People + Processes + Technology
• Ongoing self-examination
• Continuous Improvement
• Dynamic Threats
• Complexity is the Enemy
Security is a Journey, Not a Destination