Leveraging SANS and NIST to Evaluate New Security Tools
Confidential information of TaaSera Inc. Copyright © 2015. All rights reserved. Authorized use only. BEFORE THE BREACH
Agenda
• About TaaSera
• A Problem to Solve
• Overview of NIST Cybersecurity Framework
• Overview of SANS CSC-20
• Call to Action
• Conclusion
• Q&A
Company
• Founded 2012
• Spin-Off from SRI International
• Patented Technology
(6 Issued, 3 Pending, 3 Licensed)
• $19.5mm Raised to Date – Series B Underway
• 28+ Customers, 50+ PoCs
• Headcount 65+
• Cupertino, CA I McLean, VA
A Problem To Solve
• Implementing risk management and deploying security controls
• The number of products can add up quickly, and it becomes increasingly difficult to assess the potential value of the next product
• How do I make gains against the plan?
-Easy to implement
-Measurable and reasonable
Overview of NIST Cybersecurity Framework
• History
• What is it?
o Framework Core
o Framework Implementation Tiers
o Framework Profile
NIST Cybersecurity Framework Core
Referenced from: NIST Cybersecurity Framework, 02/12/2014
Turning Theory Into Practice
• Introducing … SANS CSC-20
o History
o Why is there a SANS CSC-20?
Turning Theory Into Practice
• What does it consist of?
o Proof
o Actions grouped by 4 Categories
-Quick Wins
-Visibility & Attribution Measures
-Improved Information Security Config & Hygiene
-Advanced
o Security Framework Mappings
o Procedures and Tools
o Metrics and Tests
o Samples!
• Why should I care?!?
“First Five” Quick Wins
ID # | Description | Category
CSC 2-1 | Deploy application whitelisting technology | Quick win (One of the "First Five")
CSC 3-1 | Establish and ensure the use of standard secure configurations of your operating systems. | Quick win (One of the "First Five")
CSC 3-2 | Implement automated patching tools and processes for both applications and for operating system software. | Quick win (One of the "First Five")
CSC 3-3 | Limit administrative privileges to very few users | Quick win (One of the "First Five")
CSC 12-1 | Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. | Quick win (One of the "First Five")
Mapping CSC to Other Frameworks
Referenced from: SANS CSC-20 Fall 2014 Poster
Call to Action
• Create a Baseline/Gap Analysis
• Develop a Roadmap
• Implement the First Phase of Controls
• Integrate Controls Into Operations
SANS CSC-20 – Baseline
Financial Services Client – SANS CSC-20 Coverage
Percentage to Goal (color key): 50% or Below | 51 – 80% | 81 – 100%
Control ID | Description | Client’s Current Goal Progress | Progress Including TaaSera | TaaSera Coverage (# of Sub-CSCs Handled) | CSCs Addressed
CSC 4 | Continuous Vulnerability Management | 62% | 86% | 5 of 10 | 4.1, 4.2, 4.4, 4.6, 4.10
CSC 5 | Malware Defenses | 50% | 90% | 8 of 11 | 5.1-5.3, 5.6, 5.8-5.11
CSC 18 | Incident Response & Management | 71% | 82% | 2 of 7 | 18.1, 18.4
CSC 20 | Penetration Tests & Red Team Exercises | 74% | 84% | 3 of 8 | 20.3, 20.6, 20.8
Financial Services Client – SANS CSC-20 Coverage
Control ID | Description | Client’s Current Goal Progress | Progress Including TaaSera | TaaSera Coverage (# of Sub-CSCs Handled) | CSCs Addressed
CSC 1 | Device Inventory | 46% | 58% | 2 of 7 | 1.1, 1.4
CSC 3 | Workstation & Server Configurations | 41% | 55% | 2 of 10 | 3.3, 3.7
CSC 19 | Secure Network Engineering | 48% | 64% | 1 of 4 | 19.2
Percentage to Goal (color key): 50% or Below | 51 – 80% | 81 – 100%
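The coverage tables above show the deck's model for judging a new product: a per-control baseline, the progress a candidate would add, and a three-band "percentage to goal" colour key. The deck does not say how the percentages were computed, so the following is an added example (editor's code, not TaaSera's) of one way to run that gap analysis. It assumes each sub-control is scored 0 to 1 for how completely the client has implemented it, that all sub-controls of a control carry equal weight, and that a sub-control a candidate product claims to handle counts as fully implemented once the product is deployed. The CSC 4 scores are constructed, chosen so the row reproduces the deck's 62% to 86%; they are not the client's real data. `PRODUCT_B` is a second hypothetical candidate added to show that "sub-controls handled" and real lift are different numbers when a product overlaps controls the client already has.

```python
"""Gap-analysis calculator in the style of the SANS CSC-20 coverage table.

Added example, not TaaSera's code. Scoring rule, equal weighting and the
'claimed sub-control counts as fully implemented' assumption are all ours.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    csc_id: str
    name: str
    # sub-control id -> implementation score in [0.0, 1.0] (assumed scale)
    baseline: dict


def sub_key(sid: str):
    """Sort '4.10' after '4.2' by comparing the numeric parts."""
    return tuple(int(p) for p in sid.split("."))


def band(pct: int) -> str:
    """Map a percentage to goal onto the deck's three colour bands."""
    if pct <= 50:
        return "50% or Below"
    if pct <= 80:
        return "51 - 80%"
    return "81 - 100%"


def coverage_pct(scores) -> int:
    """Equal-weight percentage of the control that is implemented."""
    scores = list(scores)
    return round(100 * sum(scores) / len(scores))


def evaluate(control: Control, claimed: set) -> dict:
    """Baseline vs. progress once a product covering `claimed` is deployed."""
    unknown = sorted(set(claimed) - set(control.baseline), key=sub_key)
    if unknown:  # a vendor claim that does not map to this control is a data error
        raise ValueError(f"{control.csc_id}: unknown sub-controls {unknown}")
    before = coverage_pct(control.baseline.values())
    with_product = {sid: (1.0 if sid in claimed else score)
                    for sid, score in control.baseline.items()}
    after = coverage_pct(with_product.values())
    # Only sub-controls that are not already fully implemented actually move.
    lifted = sorted((sid for sid in claimed if control.baseline[sid] < 1.0), key=sub_key)
    return {
        "id": control.csc_id,
        "before": before, "band_before": band(before),
        "after": after, "band_after": band(after),
        "handled": f"{len(claimed)} of {len(control.baseline)}",
        "lifted": lifted,
    }


def rank_candidates(control: Control, candidates: dict) -> list:
    """Rank products by percentage-point lift on one control (highest first)."""
    scored = [(name, evaluate(control, claimed)["after"] - evaluate(control, claimed)["before"])
              for name, claimed in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed baseline for CSC 4 (ten sub-controls, 4.1 .. 4.10). Chosen so the
# totals match the deck's 62% -> 86% row; hypothetical, not client data.
CSC4 = Control("CSC 4", "Continuous Vulnerability Management", {
    "4.1": 1.0, "4.2": 0.6, "4.3": 1.0, "4.4": 0.5, "4.5": 1.0,
    "4.6": 0.5, "4.7": 0.8, "4.8": 0.5, "4.9": 0.3, "4.10": 0.0,
})
# Sub-controls the deck lists as addressed for CSC 4.
PRODUCT_A = {"4.1", "4.2", "4.4", "4.6", "4.10"}
# Hypothetical second candidate that mostly overlaps what is already done.
PRODUCT_B = {"4.3", "4.5", "4.7"}


if __name__ == "__main__":
    for name, claimed in (("Product A", PRODUCT_A), ("Product B", PRODUCT_B)):
        r = evaluate(CSC4, claimed)
        print(f"{r['id']} + {name}: {r['before']}% ({r['band_before']}) -> "
              f"{r['after']}% ({r['band_after']}), handled {r['handled']}, "
              f"real lift on {r['lifted']}")
    print(rank_candidates(CSC4, {"Product A": PRODUCT_A, "Product B": PRODUCT_B}))
```

Run as a script it prints one line per candidate and the ranking. The point the deck makes with the "# of Sub-CSCs Handled" column shows up directly: Product B "handles 3 of 10" but lifts CSC 4 by only two points, because two of its three sub-controls were already complete, while Product A moves the control from the middle band into the top band.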
Selling SANS CSC-20 to Management
SANS CSC-20 answers key questions:
• What is connected?
• What is running?
• Which few people have admin privileges?
• Which continuous improvement processes help prevent/detect/mitigate breaches?
• We can prove it…
Conclusion
• Using NIST as a guiding framework
• SANS CSC-20 to convert theory into practice
• Using SANS CSC-20 to evaluate continuous security effectiveness improvement
• Model for evaluating new security products
Attend a demo session next week & be entered in our iWatch drawing!
Tuesday, 5/19 @ 2pm EDT
Wednesday, 5/20 @ 10am EDT
Thursday, 5/21 @ 4pm EDT
Just share your card & we’ll register you.