Category going out to Feedburner

Cyber Range Report Available

In the US, we have a significant problem with over 200,000 unfilled cybersecurity jobs. Estimates range, but this number could top 1 million job openings in 10 years. The only way to address this shortage is to leverage training in a cyber range.

The Cyber workforce shortage has national attention and schools, companies, government agencies, and individuals are scrambling to fill the gap. We faced similar issues with aviation and medicine in the first half of the last Century. At the time, both areas were nascent industries with exciting technology and engineering developments and an ever-increasing job shortage. This lead to some well-trained professionals, and even more under-trained, or ill-trained pilots and doctorsThe ad-hoc nature of training and certification lead to lost lives. Eventually, both aviation and medicine developed a new model for training, new standards for operational experience, and in the case of flight training, significant simulation systems to give pilots opportunities to practice safely.

In cybersecurity, we are in a similar period where conventional training models are insufficient to fill the cyber skills gap. As with flight training – and medicine to some extent – the enabling technology is simulation/emulation. The essence of this report is correct simulation/emulation gives us the power of Predictive Operational Performance (POP) for cybersecurity professionals. It instills confidence in cyber workforce seekers and cyber workforce employers that training will predict job success.

Get The Report

Halting Cyber Delivery: Return to Sender!

This post is the fourth in a series of posts (Intro, Reconnaissance, Weaponization), aligning the 20 Critical Security Controls (CSC) from the Center for Internet Security (CIS) to the seven steps of the Lockheed Martin Cyber Kill Chain (CKC™). As I wrote in the intro post, I believe it is time to rethink the way we go about protecting our assets and building our cybersecurity practices. Mapping the CIS Critical Security Controls (CSC) against the CKC™ achieves a relatively short list of actions that dramatically reduces risk. Also, this approach aligns well with the NIST Cybersecurity Frameworkand the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) that I wrote about previously.

At First Sight

Once weaponized, the malicious exploit delivery is usually via website downloads, email, and USB tokens. This step is one of the most interesting to me since it’s the first opportunity to actively stop the attack chain. Put another way, it’s the last chance for the organization to disrupt the attack, before a breach. NB, Delivery is also a step that leaves few traces in the logs, so prevention relies heavily on active scanning/IDS controls and excellent configuration hygiene.

At this stage, I see four primary defensive moves to identify malicious activity in time to disrupt the delivery of the malicious payload:

  1. Maintain browser security – Standardize on a browser and implement endpoint management solution to manage software inventory and control browser use. It is imperative that all non-supported script languages are disabled and that all browser patches are up to date
  2. Anti-virus and anti-malware, particularly inline versions. This only works if the AV/AM engines use real-time heuristics and threat intel feeds to identify potentially dangerous payloads
  3. Correct use of a Web Application Firewall (WAF)
  4. Use of secure web gateways – Secure web gateways can significantly reduce the possibility of end users unintentionally installing backdoor malware variants

Critical Security Controls (CSC)

In addition to CSC1-3, key CIS Critical Security Controls to disrupt the delivery step, include CSC6, CSC7, CSC8, CSC11, CSC13, and CSC17:

CSC6 – Maintenance, Monitoring of Audit Logs – Manual audit log management is impossible, even for small network infrastructures. Event volume is increasing exponentially and organizations need to keep much longer log history for Incident Response and detection of APTs. All organizations need SIEM functionality

CSC7 – Email and Web Browser Protection – As mentioned above, standard email and web browsers are step one. Step two is maintaining the apps to most current levels and patches. Step 3 is locking down the configs of the browsers to disable unsupported scripting languages. This also includes web proxies, URL filtering, blocking, whitelisting and email server hardening

CSC8- Malware Defenses – Having the detection capabilities to identify artifacts of weaponization in addition to identifying malware

CSC11 – Secure Configuration of Network Devices – This requires rigorous change management and control. This is executed in conjunction with CSC3 – Secure configuration of all devices. Organizations should develop a gold config for network devices

CSC13 – Data Protection

CSC17- Security Skills Assessment and Training – Though listed last, this could be the most important control against this step of the CKC. User awareness training can significantly reduce the effectiveness of phishing attacks and malicious attachments

A Holistic Approach

The below diagram highlights the relationship between the CKC Delivery Phase, The NIST Cyber Security Framework Core, and the CIS-20. It is critical to think of the kill chain as a continuous loop, as depicted in the drawing. For example, there may be multiple deliveries, based on recon and weaponization cycles.

Moving on Down the Chain

To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my insights. I base much of this analysis on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government’s Cyber Security Centre, CISLockheed MartinNISTOptivSANSTrend Micro, and Verizon.

I welcome feedback to help refine this series. With critical and constructive feedback, I believe these posts may become an outline any organization may use to efficiently and effectively reduce its risk.

First stop was Introduction. Second stop was Reconnaissance. Last stop was Weaponization.

Next stop is Exploitation, ETA 10/25/2017

Disarming Cyber Weaponization

This post is the third in a series of posts (IntroReconnaissance), aligning the 20 Critical Security Controls (CSC) from the Center for Internet Security (CIS) to the seven steps of the Lockheed Martin Cyber Kill Chain (CKC™). As I wrote in the intro post, I believe it is time to rethink the way we go about protecting our assets and building our cybersecurity practices. Mapping the CIS Critical Security Controls (CSC) against the CKC™ achieves a relatively short list of actions that dramatically reduces risk. Also, this approach aligns well with the NIST Cybersecurity Framework and the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) that I wrote about previously.

Stopping the attack at this point is extremely difficult since it is occurring offline, from the perspective of corporate IT. If the organization picks up on the recon activity, then it could block weaponization. For example, if we see SQL scans then potentially the target is SQL Injection weaknesses. Or, if the scans are looking at Apache rev/patch levels, it could be indicative of a potential exploit such as a Struts vulnerability.

At this stage, I see three primary defensive moves to deter potential weaponization:

  1. Actively pursue threat intelligence to track current weaponization techniques
  2. Deploy honeypots as a means to drive the adversary to invest in a delivery mechanism against a vulnerability resident in the honeypot
  3. Deploy tools and training to detect elements of recon as early indicators of potential delivery vectors. Also, prepare the Incident Response team to identify possible attack vectors based on recon artifacts

Key CIS Critical Security Controls to implement to disrupt the weaponization step, include CSC9, CSC17, and CSC19 (also CSC1, CSC2, CSC3, and CSC6):

  • CSC9 – Limitation and Control of Network Ports, Protocols, and Services – This includes layered perimeter defense with network segmentation and extensive use of IDS/IPS on these segments. This lockdown has to occur in both physical and virtual environments along with vulnerability scanners properly configured to scan all ports and protocols for potential vulnerability
  • CSC17- Security Skills Assessment and Training – The more aware staff are to their role in an attack, the less likely weaponization will succeed. For example, if the staff is trained to always “hover before clicking” the likelihood of a drive-by download is significantly reduced
  • CSC19 –Incident Response and Management – It’s critical that IR has the tools and knowledge to detect artifacts of weaponization as a means to better understand the intent, scope, and target of the attack

What Goes Around Comes Around

The below diagram highlights the relationship between the CKC Weaponization Phase, The NIST Cyber Security Framework Core, and the CIS-20. It is critical to think of the kill chain as a continuous loop, as depicted in the drawing. For example, after establishing a foothold and conducting additional reconnaissance, the adversary could develop a second weaponization step based upon the discovery of a new vulnerability.

Moving on Down the Chain

To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my insights. I base much of this analysis on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government’s Cyber Security Centre, CIS, Lockheed Martin, NIST, Optiv, SANS, Trend Micro, and Verizon.

I welcome feedback to help refine this series. With critical and constructive feedback, I believe these posts may become an outline any organization may use to efficiently and effectively reduce its risk.

First stop was Introduction. Last stop was Reconnaissance.

Next stop is Delivery, ETA 10/24/2017

Turning Cyber Reconnaissance Opaque

This post is the second in a series of posts, aligning the 20 Critical Security Controls (CSC) from the Center for Internet Security (CIS) to the seven steps of the Lockheed Martin Cyber Kill Chain (CKC™). As I wrote in the intro postit is time to rethink the way we go about protecting our assets and building our cybersecurity practices. Mapping the CIS Critical Security Controls (CSC) against the CKC™ achieves a relatively short list of actions that may dramatically reduce risk. Also, this approach aligns well with the NIST Cybersecurity Framework and the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) that I wrote about previously.

Phase I: Reconnaissance

The first phase of the CKC™ is Reconnaissance. During this step, the adversary collects as much information as possible about the target, much of which does not require explicit interaction with the organization’s IT infrastructure (i.e., no log entries), but as discussed below there may be telltale traces in the logs, even during this step.

Key Moves

At this stage, I see five primary defensive moves to limit the reconnaissance surface area, thus reducing the attacker’s ability to discover potential targets and approaches:

  1. Implement controls to identify any possible interaction with the IT infrastructure, quickly. Typically, look for scans and probes. For example, there may be a burst of login attempts against Outlook Web Access (OWA) as the adversary attempts to determine the invalid login lockout setting. Web analytics is critical for identifying potential adversary activity
  2. Conduct in-depth scans to identify all live IP addresses and open ports. Scan across multiple protocols and scan the cloud environment (e.g., check for exposed EC2 Security Groups on AWS)
  3. Deploy honeypots to provide the adversary with “easy recon,” incenting them to move to weaponization, rather than spending more effort to uncover potential vulnerabilities
  4. Educate employees about best practices to limit exposure of potentially sensitive information
  5. Conduct external threat intel scans and social media tracking to identify the disclosure of potentially leverageable publicly available information (e.g., looking on Pastebin and the dark web for corporate and staff PII)

Key CIS-20 Controls

Please note that in my first post, I described CSC1, CSC2, CSC3, and CSC6 as fundamental to every step, including this one. Additional controls to detect and disrupt the recon step are CSC9, CSC11, CSC12, and CSC20:

  • CSC3 – Secure Configuration of Hardware and Software – Much recon activity is possible due to weak configurations and these poor, and misconfigured systems are an attractive target
  • CSC6 – Maintenance, Monitoring of Audit Logs – This is the only opportunity to catch scans and probes as an indicator of a potential attack vector. Of course, one must be recovering the right logs and retaining them long enough. A significant consideration is the attack velocity. Ideally, attacks are verbose and intense, but the attack could be low and slow (possibly an Advanced Persistent Threat (APT)). In the latter case, it is critical that the log retention times be very long, or even, forever
  • CSC9 – Limitation and Control of Network Ports, Protocols, and Services – The tighter the lockdown, the less leverageable the recon data
  • CSC11 – Secure Configuration of Network Devices – Routers and access points with default passwords are easy targets. Lock them down!
  • CSC12 – Boundary Defense – Recon will detect weak boundary defense which could increase the likelihood of tactics such as exfiltration of data by tunneling via non-standard protocols
  • CSC20 – Penetration Test and Red Team Exercises – Though listed last, this is one of an essential control because it gives a Red Team the ability to see what adversaries see as they conduct their recon efforts

What Goes Around Comes Around

The below diagram highlights the relationship between the CKC Reconnaissance Phase, The NIST Cyber Security Framework Core, and the CIS-20. It is critical to think of the kill chain as a continuous loop, as depicted in the drawing. For example, recon could initially be external, and once the adversary establishes a foothold (Install), they will launch recon internal to the Firewall.

Moving on Down the Chain

To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my insights. I base much of this analysis on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government’s Cyber Security Centre, CISLockheed MartinNISTOptivSANSTrend Micro, and Verizon.

I welcome feedback to help refine this series. With critical and constructive feedback, I believe these posts may become an outline any organization may use to efficiently and effectively reduce its risk.

Next stop is Weaponization, ETA 10/23/2017

Rethink Cyber: (NCSF+CSC)xCKC™ = BFD

It is time to rethink the way we go about protecting our assets and building our cybersecurity practices. As I wrote in a previous post, I find the Pareto principle applies to cyber defense: 20% of the controls can block 80% of the threats. Similarly, according to the Center for Internet Security, implementing the first five Critical Security Controls (CSC) can reduce the risk of attack by 85%.

As discussed below, the same logic applies on the threat side of the equation: focusing on the seven steps of the Lockheed Martin Cyber Kill Chain™ – versus trying to model every possible attack – addresses the majority of threats. Sure, the CKC™ is a malware-centric model, and as I have written previously, attacks are not linear, but I believe it is the most straightforward roadmap we have to address threats.

Like Peanut Butter and Banana

Mapping the CIS Critical Security Controls (CSC) against the CKC™generates a relatively short list of actions that (when taken) dramatically reduce risk. Of course, implementing controls in a governance/risk management vacuum is a short-sighted and short-lived approach. The good news is both the CIS controls and the CKC™ directly align with the NIST Cybersecurity Framework. Moreover, it dovetails exceptionally well with the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM)™, developed by UMass Lowell and itSM Solutions. Figure 1 shows the 20 Critical Security Controls and the CKC™. I have color-coded the CIS controls to map to the NIST CSF Core functions. In the next posts, I will map specific CIS controls to each CKC™ phase.

Figure 1 – Laying Out NIST CSF Core with CKC and CIS CSC

The Four Horsemen of the CKC™ Blockalypse

To start, all organizations should implement the first five CIS controls. However, my goal with this series of posts is distilling the direct relationship between the CKC™ phases and the individual CIS controls. With this in mind (as grouped in Figure 1), CSC1, CSC2, CSC3, and CSC6 are four controls directly relevant to almost every CKC™ phase. My rationale is as follows:

  • Organizations must not go past “Go” without doing CSC1- Inventory of authorized and unauthorized hardware and CSC2-Inventory of authorized and unauthorized software. These two are the foundation on which the others build since we can only protect what we know.
  • Likewise, CSC3 – Secure Configuration of Hardware and Software is a mandatory control, addressed in more detail in relevant sections of the CKC™ discussion.
  • CSC6 – Maintenance, Monitoring of Audit Logs is also mandatory across the CKC™ phases because the majority of artifacts and traces lay in the logs.

Yes, CSC4 – Continuous Vulnerability Assessment and Remediation and CSC-5 – Controlled Use of Administrator Privileges are critical controls that all organizations must implement and I discuss these at specific phases of the CKC™. However, I believe the above four are foundational to blocking the CKC™.

And, Away We Go!

This post is the first in a series of nine posts, aligning the CIS 20 Critical Security Controls (CSC) to the seven CKC™ phases. To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my own insights. Much of this analysis is based on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government’s Cyber Security Centre, CIS, Lockheed Martin, NIST, Optiv, SANS, Trend Micro, and Verizon.

With constructive feedback, I believe this series of posts may become an outline any organization may use to efficiently and effectively reduce its risk while following an 80/20 approach.

I welcome your comments. Next up is phase 1: Reconnaissance.

A Failure to Cyber Educate

Given the current 300,000+ cybersecurity job openings in the USA, there is much focus on training needs to develop more qualified cybersecurity professionals. Filling these jobs is critical to our future, but even more critical is making sure organizations are training their current cybersecurity and security-related staff. These are the people at the controls: the people that are not patching; the people missing IOCs, for months; the people falling prey to phishing emails; and, the people not elevating cybersecurity to the boardroom level. To underscore the importance of cyber-education, the Center for Internet Security (CIS) dedicates one of its CIS- 20 critical cybersecurity controls to security skills assessment and training. Further, awareness and training (AT) is a principal function of the NIST Cybersecurity Framework Core function: Protect.

The good news is if we better align cybersecurity training with cybersecurity staffing, we better define the training needs to help fill those 300K+ positions!

Where to Start?

A challenge I find is there are so many training options, varying widely in their competency and capabilities: masters degrees to four-year undergrad degrees to professional certifications to boot camps to online training to hackathons to capture the flag exercises, and much more. To illustrate the market scale, check out the NICCS (National Initiative for Cybersecurity Careers and Studies) and its 3239 courses!

Rather than trying to categorize and make sense of all the training offerings, I propose focusing on the demand side of the equation. Specifically, if we define the knowledge, skills, and abilities required of a particular security or security-related role, we will be in a much better position to determine the right training for the job.

Finding a Frame of Reference

As I recently posted, I achieved certification on the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM) courses developed by UMass Lowell and itSM Solutions. I chose this program because it is an advanced, standardized, training program, providing organizational/governance knowledge, skills, and abilities (KSAs) to plan, organize and stand-up a NIST-CSF centered cyber operation. A course chapter is on cyber workforce development, based on the National Initiative for Cybersecurity Education (NICE). After going through this chapter, I realized that the NCSF-CFM, when coupled with NICE, provides an excellent framework to map a cyber organization’s training requirements against training options in the marketplace.

That’s NICE

The NICE program evolved from cybersecurity skills and training work started in 2008 with the Comprehensive National Cybersecurity Initiative (CNCI). I believe NICE is the most complete and practical ontology of cyber roles. As shown in figure 1, the NICE framework defines seven functional categories, 33 specialty areas, and 52 work roles.

Directly mapping all training options to the 52 work roles is quite challenging, especially since so many jobs require both hard and soft skills. In looking for a better way to go about this, I find the UMass Controls Factory Model maps very nicely to the NICE roles, across the following three CFM workforce enablement tracks:

  • Business Integration Track – These jobs most closely align with the business organization, including the oversight and governance positions as well as strategic planning, legal, and training. I also put the NICE Investigate category in this track because forensics and incident response must tightly hook into business governance and operations.
  • Engineering Track – These are the roles that define the core functions of cybersecurity, including overall software development, system architecture, vulnerability and threat management, and overall risk management.
  • Technology Operations – These roles center on the Security Operations Center (SOC) and the operations and maintenance of cybersecurity technology.

Overlaying the seven categories, 33 specialty areas, and 52 roles onto the three NCSF-CFM tracks facilitates mapping training programs by track. For example, as a first pass, I would include UMass NCSF-CFM and ISACA/CISM as well as some ISC2 and ISO27002 cert training in the Business Integration Track. I could also see some CompTIA and SANS fitting in there. Similarly, most of the vendor-specific training would fall under the Technology Operations Track, and most of the technical cert programs from ISC2, SANS and ISO27001 would fall under the Engineering Track.

The end result of this exercise is an effective and efficient way to define and align competency-based training to the core competencies of the cyber organization. This will help the existing staff be more successful and provide better guidance for people looking to fill the organization’s open positions.

Onward and Upward

In a later post, I will return to this and add more granularity by mapping specific classes/programs to the three NCSF-CFM tracks. In the meantime, I first want to get back to my previous discussion on a new cyber operations model and figure out the best way to layer on the CIS-20.

I would love to hear from folks on their training challenges and if they are using NICE as a guideline to better define roles, responsibilities, tasks and the associated knowledge, skills and abilities necessary for success.

A New Cyber Operations Model

As part of my cyber workforce development research, I want to rationalize the NIST Cybersecurity Framework (NCSF), the related NIST National Initiative for Cybersecurity Education (NICE) Cybersecurity Framework and the Lockheed Martin Cyber kill chain. I believe connecting these foundational components is critical to establishing a common working framework for cyber operations. I include the kill chain because keeping the end game (securing infrastructure against internal/external exploitation) in mind when discussing cyber operations is imperative. At a 10,000-foot level (as shown in the Appendix of the NICE SP 800-181), it all seems to fit together, but as discussed below, clarity at lower elevation (where the work gets done) requires morphing the underlying structures. In the end, I think it gives a new perspective on how to operationalize the NCSF.

When looking at graphic depictions of the NCSF, NICE and the Cyber Kill Chain, I find that they do not represent the real world. For example, anyone dealing with cyber is familiar with the Kill Chain, adapted to cyber by Lockheed Martin. The Cyber Kill Chain identifies steps adversaries take during an intrusion, exploit, and eventual exfiltration of data. Most people depict a linear process, per Figure 1.

For a single exploit, it is a relatively straight-line process. However, from the viewpoint of cyber operations, this is ongoing, and therefore, a more accurate depiction of the kill chain is a kill cycle, as depicted in Figure 2.

I also see the same challenge when describing the NIST Cybersecurity Framework (NCSF) core elements: Identify, Protect, Detect, Respond, and Recover. Often these framework functions are laid out in a cycle format, similar to COBIT’s (Deming) Plan, Do, Check, Act (PDCA) cycle (See Figure 3).

As with the Cyber Kill Chain, this may work for addressing protection of a single asset, but from a cyber operations viewpoint, these functions overlap and intersect; at times parallel, at times linear, and at times orthogonal. For example, I view Detect at the center of the Core, detecting normal and anomalous behaviors continually. Similarly, the Protect and Identify activities represent ongoing governance and protective controls throughout cyber operations. In comparison, the Recover function engages only after malicious exploit. The best depiction I can develop showing the relationship between these functions is in Figure 4.

When we combine the Cyber Kill Cycle and the NCSF Core Cycle, we get a very functional NCSF operational template, per Figure 5.

What I like about this approach is it puts the Cyber Kill Chain into operational perspective. It confirms the criticality of Detect and Respond as crucial steps for all stages of the attack. It shows the need for 360-degree governance and diligence represented by Identify and Protect Core functions. And, it maps the Recover function to the second half of the Cyber Kill Chain.

In the end, I have taken two static models and put them in motion for successful cybersecurity operations. You may be wondering how NIST NICE fits in here? Well, that’s the next step: to map the functional roles of cybersecurity operations to this NCSF Cyber Operations Cycle. Please stay tuned! Also, as I’ll discuss in future posts, this research dovetails nicely with the NIST Cybersecurity Framework Controls Factory Model (NCSF CFM) training, developed by Larry Wilson, UMass CISO and produced by itSM Solutions. For more information on this exciting program, please see my previous posts.

Is it Safe?

“Is it safe?” Argh! For anyone who has seen the movie, Marathon Man this line triggers terror. Similarly, being asked “are we secure?” by management instills equal terror. Why? Most organizations lack continuous monitoring and real-time situational awareness of their security posture. Without this, it is impossible to answer the question, and it is impossible to be secure, let alone safe. 

In this ongoing series of posts, I am sharing my experience as I work through the NIST Cybersecurity Framework Controls Factory Model (NCSF CFM) training, developed by Larry Wilson, UMass CISO and produced by itSM Solutions. In my previous posts, I provided an overview of the NCSF CFM and touched on the Technology Program Design-Build, the first component of the CFM Technology Center, and the foundation of this discussion, the Security Operations Center (SOC).

The SOC training begins with the NIST 800-137 Information Security Continuous Monitoring (ISCM) methodology:

It is a great place to start. Continuous monitoring is core to NIST CSF (DE.CM1-8), ISO 27001 (A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.1, A.14.2.7, A15.2.1), and COBIT 5 (AP007.06, BA103.10, DSS05.01, DSS05.07).

The training goes through all aspects of a SOC: technology, people, processes, and services. It does an excellent job of putting the role of the SIEM (Security Information Event Management) into perspective for overall situational awareness.

Balancing Strategy with Practical Guidance

So far, this is pretty much bread-and-butter security operations training. What I like about Larry’s flow is he moves smoothly between strategy and practical guidance. For example, the training first dives into the application of SIEM to specific data sources: security devices, servers & mainframes, network & virtual activity, data activity, application activity, configuration info, vulnerability & threat, user activity, etc. After this, it steps back and maps out the different personnel roles and responsibilities of a SOC. Then, it dives into a detailed discussion of cyber threat hunting. I love the cyber threat hunting maturity model that the training draws on from SQRRL!

Once one gets through SOC technology, personnel, and operations, the training provides an excellent integration of NIST 800-61 Incident Response Lifecycle: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.

Radical Simplicity

As I have written multiple times, what excites me about this training is the radical simplicity of the practice. But, simple doesn’t mean elementary. For example, Larry Wilson recognizes that the participant might be a team member of a 500 person security operation, or they may be the security operation. At the end of the training, there is an excellent discussion of SOC alternatives including roll your own and MSSP. This section is one area where I think the training could go into more detail on homegrown SOC technology using open source solutions like OSSIM and ELK stack, including Logstash and Kibana. When I start delivering the training, I plan to add a section on homegrown SOC options.

The training concludes with a decision matrix to help organizations figure out their appetite for security operations.

For example, as Larry states, “if the purpose of the security operations program is compliance and audit readiness, then an MSSP is usually the best option.” I like the pragmatism of this type of training: making decisions based on the reality of one’s situation, rather than the fantasy of what one hopes to see happening.

Moving Forward

After going through the training, I am much more confident in my abilities to walk into a security operation and quickly assimilate as a newbie or sketch out a SOC for my company as a CISO. Is it secure? Well, not yet. We still have seven more modules to work through in the NCSF CFM. However, this class alone will prevent significant pain and anxiety the next time anyone asks “is it safe?”

In my next post, I am jumping over to the business center of the NCSF Controls Factory Model. In the meantime, please contact me if you have any questions about NCSF CFM. Also, please comment below. I would love to hear from my connections on the front line of cybersecurity, doing their best to keep their colleagues and organizations safe.

Building a Strong Cybersecurity Technology Program – 80/20 Prevails

How many of you have heard this? “We need a comprehensive, continuous improvement risk management program with clear goals, objectives, and expected outcomes. We need this yesterday, and we do not have any additional budget to support this. Oh, have a great day!”

This could be right out of a Dilbert cartoon, but the I find the request, the assessment of current operations for many companies accurate, and the budget demands a reality for most security professionals.

Related to the above, I am reviewing a phenomenal security operations training program developed by Larry Wilson (UMass CISO). As discussed in my previous post, the NIST Cybersecurity Framework (NCSF) Controls Factory Model (CFM) operationalizes the NIST CSF. Currently adopted by 13 universities, it is now becoming available to the commercial enterprise. Based on what I have seen so far, the Foundation and Practitioner programs will arm participants with the knowledge, skills, and abilities to meet the above management request. Moreover, this can be done in a relatively short time and at a reasonable cost.

Why Not Start Today?

Diving right in, as shown in the below figure, the Technology Program Design-Build function is the first step in the CFM’s Technology Center. Its goals are straightforward, prescriptive and pragmatic:

  1. Develop the capability to mitigate threats at every stage of the attack chain
  2. Automate security controls for each core NIST CSF Function: Identify, Protect, Detect, Respond, and Recover
  3. Configure cybersecurity tools to vendor specifications

Nonlinear Cybersecurity Control Management

The Technology Program Design-Build manages security control implementation and effectiveness. In contrast, the Engineering Center leads vulnerability and threat modeling and analysis. These are intentionally parallel processes: a radical departure from more linear risk management approaches of first determining vulnerabilities, threats, and the likelihood of attack, and then beginning control definition. In my view, this is a far more effective and efficient approach. Of course, not all controls are equal and willy-nilly jumping into controls can be wasteful. The NCSF CFM addresses this by focusing on the Center for Internet Security 20 Common Security Controls (CIS-20).

Surprisingly, Pareto Is Your Best Control Option 80% of the Time!

As I wrote in my last post, what excites me about the NCSF CFM is its elegant simplicity. For control selection, the CFM loosely follows the Pareto principle (80/20 rule) in multiple ways. First, as discussed in the training, implementing the CIS-20 can reduce risk by over 90%. Second, NIST 800-53 Rev 4.0 defines approximately 225 controls and 590 enhancements, so the CIS-20 (including 149 sub-controls) is about 20% of the over 800 potential touch points of NIST 800-53. Moreover, third, if we only implement 20% of the CIS-20 (controls 1-4), we can prevent over 80% of targeted cyber intrusions.

Based on the Technology Program Design-Build training (it goes into detail of all CIS-20 controls as part of the section), to address my hypothetical bosses request I am starting my security program by implementing the first six controls, summarized below:

In my next post, we move from Technology Program Design-Build to cybersecurity operations. In the meantime, please contact me if you have any questions about NCSF CFM. Also, please comment below. I would love to hear connections on the front line dealing with these challenges on a daily basis.

Honing NIST Cybersecurity Framework with Occam’s Razor

You are anxious to put the NIST Cybersecurity Framework into action. You have your core ducks lined up: identify, protect, detect, respond, and recover. You have an idea of your framework tier (risk maturity level), and you have a sketch of a current and future state profile. What next?

You are not alone in adopting a security framework: 80% of respondents in a 2016 Tenable study are using some form of framework. Moreover, this finding is across the board from SMB (100 – 1000 employees) to the enterprise (5000+ employees).

Adopting frameworks is relatively straightforward, implementing them is hard: 95% of the survey respondents indicate significant implementation challenges.

Overview of NCSF Controls Factory Model (CFM)

As I wrote in my last post, we need help operationalizing these frameworks, and it starts with the right training. To this end, I have just finished reviewing the first few modules of the upcoming itSM/UMass NIST Cybersecurity Framework Controls Factory ModelTM (CFM) Practitioners course. It is phenomenal! 

The power of the NCSF CFM is its flow, flexibility, and extensibility. It succinctly addresses the critical challenges referenced in the above report: organizational, operational, and technological. The essence of the model is reducing the organization’s risk by converting unmanaged (high risk) assets into managed (low risk) assets by running them through the factory.

The CFM’s simplicity is striking, especially when I compare it to other security operations methodologies that can be overly complicated. For operationalizing the NIST CSF, I am following Occam and focusing on the simplest solution to get the job done.

The factory has three main tracks:

  1. Engineering Center– The engineering center is the factory hub, addressing vulnerabilities, controls framework, assets, and identities for the organization. This function develops the set of differentiated technical and business controls directly linking to the NIST CSF, and it maintains a detailed understanding and mapping of all risk components
  2. Technology Center– The technology center covers the technical controls design, build (technology), managed services, testing, and assurance of all controls. This function determines and implements optimal technology solutions to automate the controls and operate the Security Operations Center (SOC).
  3. Business Center– The business center includes the control design related to critical business processes and staff. This function establishes an industry standard cyber risk management program, manages control implementation (via policy), workforce development, executive communications, testing, and the assurance of overall security operations.

As Larry Wilson, UMass CISO (training program author), explains during the training “The Controls Factory produces managed assets that are implemented into an enterprise network and support essential business functions. The goal of our controls factory is to ensure these assets include security controls that safeguard the critical assets against the latest cyber-threats.”

The CFM is the heart of an itSM/UMass NCSF workforce development program that teaches individuals and organizations “how to” Engineer, Operate and Manage the Business Governance of a NIST Cybersecurity Framework (NCSF) Program. Each learning track also aligns with the workforce categories outlined in the  NICE Cybersecurity Workforce Framework.

If I have piqued your interest, please contact me, and I am happy to discuss the curriculum and provide training samples.

Coming Next

In my next post, I get into some of the core aspects of each CFM function. In particular, I highlight the extensibility of the model as it pulls from a range of standards and frameworks, including NIST, ISO, CIS, and PCI.