
Blogs


Our community blogs

    • 1 entry, 0 comments, 2145 views

    Recent Entries

    As part of my daily job, I work with the NIST Cybersecurity Framework team. It is my pleasure to share with you that after 3 years of dialog with the community, the Cybersecurity Framework has been updated. This draft update, version 1.1, draws from discussions at workshops, public comment periods, and general feedback received from stakeholders.

    The update is first and foremost an attempt to refine and clarify some aspects of the Framework. Additionally, the update adds information on topics that have been brought up as gaps in the original version, namely: cyber supply chain, measurement, and authentication. NIST is seeking comment on the draft from the community by April 10th, 2017.

    If you plan on being at RSA2017 in February, I will be moderating a panel on the Cybersecurity Framework implementation and update. Scheduled to join me are: the NIST Cybersecurity Framework Program Manager Matthew Barrett, Venable Senior Director for Technology Risk Management John Banghart, as well as Center for Internet Security VP and CFORUM Executive Director Tony Sager. We will be discussing the who, the what, and the where of the Framework at 8:00am on Thursday 2/16/2017 in Moscone North 131.

    For those attending in person or who see the recap later, continue the conversation here, on CForum.

    Come join us.

  1. twsager
    Latest Entry

    There’s been a flurry of activity around the NIST Cybersecurity Framework over the last year, driven by the NIST RFI and the responses, as well as the Workshop. These events highlighted many common themes, including the desire for more sharing about best practices, more gathering of resources, and ongoing consideration of industry feedback. As NIST maps out the roadmap for Framework evolution, it is more important than ever for the industry to speak up. Our friends at NIST have always been clear about their role – they are conveners and organizers of the process, but our industry needs to own this and to drive the evolution.

    And as the best available open public discussion forum about the Framework, it is time for CForum to fulfill its potential. We need to grow this from a well-intentioned but low-traffic discussion site into “must-see IT” about the Cybersecurity Framework. The place where people and enterprises share stories, ideas, resources, feedback. Your comments from the Workshop notes and the RFIs were loud and clear – the need is there – but it’s up to folks like us to do something constructive to make it happen.

    So here’s my part – I’ve agreed to be the volunteer Executive Director for CForum. I’d describe it as a combination of instigator, cat-herder, and maybe catalyst for conversation. I’ve spoken to many of you across the industry, and there’s a general feeling that the Framework has become the closest thing around to a universal discussion baseline, but we need a way to focus, share, and drive this conversation. And through my “day job” with the Center for Internet Security, I’ll share the work that we have done to align with the Framework.

    Your part? Speak up, share your stories, ideas, even your frustrations with the Framework. As a friend once told me, “you’re not writing the Federalist Papers” – write down what you think, let the ideas flow, and see what happens. And grab your industry friends and colleagues to bring them into the CForum discussion.

    The cybersecurity problem is real, and it affects us all. After 40 years in this business, one thing I truly appreciate is the chance to work with so many talented people of good will. But that’s not enough - we also need to get organized, and get focused on action. Let’s start here!

    --Tony Sager
    Center for Internet Security

    http://www.nist.gov/cyberframework/upload/RFI3_Response_Analysis_final.pdf
    http://www.nist.gov/cyberframework/upload/Workshop-Summary-2016.pdf

  2. G2 is helping BSI explore industry interest in a third-party assessment based on a combination of the Cybersecurity Framework (CSF) and the ISO/IEC 27001:2013 standard. It issued a Request for Information back in August, which we've publicized here.

    As our engineers help to implement the CSF around the world, we often hear frustration that the CSF outcomes are somewhat high-level (e.g., PR.DS-01, Data-at-rest is protected). They were built that way because it would be inappropriate for the Framework to declare a prescriptive approach for all users and all types of data. CSF’s purpose is to inspire users to determine for themselves what procedures and controls are necessary to achieve risk management goals (as determined in CSF Step 1), and then identify ways to monitor the ongoing effectiveness of those measures. The “how” is intentionally in the eye of the beholder.

    The challenge, then, comes when we try to use the CSF Profiles to compare my target state requirements against another’s current state assertions. Some organizations may need an independent and qualified 3rd party to determine whether a Current State Profile accurately describes the procedures and controls in place, and to render an opinion on the effectiveness of those measures claimed.

    Many Framework adopters already use the ISO/IEC 27000 family of international standards, and 27001 was well referenced by CSF. An organization that wants to leverage BSI’s Certification to ISO/IEC 27001 Information Security Management will already be formally assessing those CSF subcategories to which ISO controls are mapped. When a 3rd-party assessor assures that the necessary ISO/IEC 27001 procedures and controls are in place and working effectively, that same reviewer could consider the reasonableness of the other Current State Profile assertions. This approach wouldn’t bind CSF to any particular standard, but it might be beneficial for those that already apply ISO 27000 standards to organizational practices, and it might help provide some confidence to those that need higher assurance that the Current State Profile is accurate and reasonable.

    What are your thoughts? We’re getting ready to post the formal responses received in the Downloads folders here, and we’d welcome your thoughts in the Forums (fora?).

    Until then, be safe and have a great weekend!

    • 2 entries, 0 comments, 5510 views

    Recent Entries

    Understanding the Cybersecurity Framework (CSF) can prove a difficult task for professionals in the field. Whether it is an individual, new to Cybersecurity and trying to understand the different road signs, or the established journeyman, coming to grips with the fact that lanes are now established in a realm that seemed to resemble the wild west – the CSF impacts everyone calling the field of Cybersecurity their career path. Therefore, it is important to understand the different categories and subcategories associated with the CSF. Comprehensive understanding of the affiliated groupings ensures that individuals working in Cybersecurity understand that Cyber isn’t just a willy-nilly, undefined realm of ones and zeroes, but a professional field that becomes more demarcated every day. Over the next several posts, the categories and subcategories will be analyzed in hopes of making them clearer for the reader.

    Within the first domain of the CSF, identify, lies the Asset Management Category. As the framework points out, this category ensures that the “data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.” This is a drawn out way to say: track your stuff. It’s very easy to lose track of items in the melee of the everyday work environment. Whether it is something as small as a USB drive or as large as a multi-blade server – inventory must always take place. The subcategories associated with Asset Management confirm these sentiments.

    Each subcategory within Asset Management speaks to a different aspect of the concept as a whole. For example, ID.AM-1 covers the most common idea of management when it states that “[p]hysical devices and systems within the organization are inventoried.” Usually this can take the form of either a common list which correlates item with location or personnel or an advanced barcoding or RFID tracking capability. The CSF intentionally does not get so specific as to identify which method an organization should use, but does offer a few tips in the form of its informative references, such as NIST SP 800-53 Rev. 4, CM-8, which suggests that an organization develop an accurate system that inventories items at a specific level of granularity that the organization deems appropriate and that updates and reviews are conducted on a regular basis.

    Another subcategory of the CSF applies the regular evaluation identified in ID.AM-1 to software. The CSF understands that the typical physical inventories that comprise other fields do not encompass all of the needs of the Cybersecurity field. It is important that the software and applications utilized by a workforce are regularly inventoried and evaluated. The added bonus that isn’t often considered is that the inventory process also helps identify any potentially unapproved software that may have been installed by a workforce unaware of the importance of the software approval process.

    ID.AM-3 takes another step in considering the non-traditional inventory aspects of the cyber workplace. Understanding that organizational communication is a method through which people (who are also assets) interact, the CSF identifies these interactions as pertinent to asset management. These communications between individuals are another form of data flowing between assets; however, in addition to digital communication, these can take the form of the oldest analog communication in the world: speech.

    These are just two of the subcategories that help organizations conduct asset management efficiently. Over the next several weeks, additional blog posts will dissect and analyze the other subcategories that comprise the CSF, making these components more tangible for the reader to implement in their organization.

    • 1 entry, 0 comments, 6472 views

    Recent Entries

    RSA Joins CForum as Founding Member

    Industry-led Organization Advances the Cybersecurity Framework through Collaboration

    RSA Conference USA 2015

    April 15, 2015 01:15 PM Eastern Daylight Time

    ANNAPOLIS JUNCTION, Md.--(BUSINESS WIRE)--CForum, an industry-led forum focused on the evolution and use of the Cybersecurity Framework, announced that RSA, The Security Division of EMC (NYSE:EMC), has joined CForum as a founding member. CForum is a not-for-profit organization providing an open environment to share cybersecurity best practices and related topics important to anyone responsible for cybersecurity in their organization. CForum expands on the information sharing that occurred during the development of the Cybersecurity Framework, released by the National Institute of Standards and Technology (NIST), as requested in President Obama’s Executive Order 13636 on cybersecurity.

    Released on February 12, 2014, the Cybersecurity Framework was developed through industry and government collaboration, initiating a year-long open dialogue that is continued through CForum. The goal of CForum is to promote information sharing among organizations using or planning to improve their cybersecurity program. Discussions within CForum use the Cybersecurity Framework as the common language for describing components within a cybersecurity program. “CForum was established to foster continued cybersecurity collaboration, creating an environment for organizations to discuss how to best use the Cybersecurity Framework,” said Paul Green, founder of CForum. “RSA’s participation as a founding member underscores the role CForum will have on advancing the cybersecurity framework and we are proud to have such a well-respected industry leader join our growing community of cybersecurity contributors.”

    “The Framework is a great start for any organization seeking to develop or accelerate an effective cyber defense and resilience capability,” said Mike Brown, Rear Admiral, USN (Ret) and vice president and general manager of RSA’s Global Public Sector practice. “CForum provides an environment that brings together an insightful community of participants, focused on answering questions, sharing best practices and offering new ideas related to the framework. We look forward to playing a role in expanding the CForum ecosystem, while positively impacting the future of cybersecurity.”

    During the 2015 State of the Union address, President Obama said “If we do [act on cybersecurity], we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.” CForum is one way in which organizations and individuals can collaborate and share information on cyberthreats, cyberattacks, and how to best prepare an organization to defend against them.

    CForum to Present at RSA Conference 2015 in San Francisco

    On April 23, Greg Witte and Tom Conkle will be presenting an overview session on CForum. For more on the session, “CForum: A Community-Driven Solution to Cybersecurity Challenges,” visit the RSA Conference 2015 site.

    • 1 entry, 0 comments, 10112 views

    Recent Entries

    What’s next?

    This is a question on all of our minds – not just for the Framework but also cybersecurity more generally.

    Executives have started to get on board, the press is paying attention, manufacturers are starting to include security in their ICS products, grass roots organizations such as I Am The Cavalry and others are forming to help to move Automotive and Medical Device security forward, the White House has issued the Executive Order, Congressional staff discusses cybersecurity regularly, and together we have created a common practice consensus "flag" with the NIST Framework, and this very forum now exists to help us collaborate more effectively.

    So, how do we use this momentum to continue to move forward coherently toward sustained risk reduction?

    I’ve heard a lot of good ideas here, at the 6th NIST workshop, and in many other venues about what to do next, but a lot of these ideas, thrown up into the air, fall down with no structure to catch them. There is no bigger picture into which to slot next step ideas and see how they relate to past work, need, and each other.

    Without such a common reference structure, making progress from here on out will be increasingly difficult and I believe we need to learn from the very recently successful past and build a framework to do so.

    The new framework I'm envisioning would, far from a "2.0" of what we've already built, have a completely different goal. Instead of collecting and organizing common solution elements into a document, this framework would identify the types of problems we face doing business in a hostile, ICT (Internet and Communication Technology) enabled world and provide a context in which to organize the existing NIST Framework solutions.

    In other words, if we identify a common language and reference for the "cybersecurity problem space" - especially the areas outside of the CISO organization - it should be much easier to go back, find out where the Framework excels, where it needs help, and where it simply does not apply and, from there, allow us to organize future efforts effectively and sustainably.

    Maybe we should have done this earlier, but maybe it took creating a Common Practice Framework to highlight the need to go back and create a “Problem Space Framework”. How many of us have looked at strategy documents that said things like “Will reduce cyber attacks” or “Improve Cybersecurity” and thought “But wait, what does that mean?” Shouldn’t there be goals, or non-security objectives for security to help frame, limit, and shape our efforts to some productive end?

    When the executive order came out and I heard about how the NIST Framework was going to be used to support “Performance Objectives”, I thought, “Great! Finally, we’re going to have the electrical current that non-security-activity goals provide to security activities to drive them to defined, implementable, and effective ends”.

    Unfortunately, that doesn’t seem to be happening and there doesn’t seem to be consensus that that was even the original intent. But that doesn’t mean we don’t still need to create that organizing current around security activities.

    The “Tier” concept in the existing framework, as incomplete as it is, definitely speaks to the need for the application of a maturity model to what we’re doing, but even maturity models need to exist inside a larger context of “Why?” that is framed by all of the ways organizations – and those who work for them – introduce risk. If we don’t have a framework for risk introduction in a broad business and national context, how will we ever be able to tell ourselves, each other, our customers, or anyone else that we’ve applied the NIST Framework in some legitimately effective or helpful way?

    This shouldn’t be a hard problem to solve. As with the Common Practices in the NIST Framework, we’re in a situation where a lot of different people have very different but valid views into the cybersecurity problem space. The material and knowledge exists, we just need to gather it, write it down, gain consensus, and begin to apply it.

    From my own point of view, I think this begins by identifying (and documenting) how the major, common roles within organizations (and of organizations) introduce cybersecurity risk through legitimate, authorized means in the course of doing business. If we can nail this down across the entire business value chain – from Boards and CEOs to CFOs to Operations Managers to IT to Procurement to Sales and Marketing to HR to Industry Partners to Insurance Companies to Regulators all the way to the CISO shops that the NIST Framework already assumes solutions for – we will have a much better understanding of what we're solving for. This is because our cybersecurity risk profiles are, when it comes down to real root causes, exclusively the result of the series of decisions made by people in legitimate, authorized capacities. Whether or not the decisions are in your sphere of influence, knowing how they are influencing your cybersecurity risk profile over time is the first step in determining how to most effectively apply the controls from the existing NIST Framework. From there, that knowledge can be applied to contextualizing the maturity levels in models like the ES-C2M2 in a way that provides "Management Metrics" to those responsible for managing organizational behavior, and those maturity levels can then guide the scope, goals, metrics, and placement of those controls that exist in the NIST Framework.

    Beyond the tactical benefits of the knowledge such a framework would give us, our ability to act strategically will improve. If we know how our CEOs and those who work for them are introducing risk, if we can find commonalities across organizations, then we can describe the goals, effectiveness, and mitigating controls in terms that are much less dependent on far too rapidly changing technology and external threat actors. This would provide a much more stable platform over time from which to begin doing sustainably successful risk management, maturity modeling, and NIST Framework implementation and adoption.

    That said, this is just one way we might go about creating a "Problem Space Framework" - there are others. Regardless of which one we choose, I strongly believe building one will clarify, speed up, and make our way forward much more effective at reducing risks created by the use and operation of ICTs.

    • 1 entry, 0 comments, 13483 views

    Recent Entries

    Without a security policy, there is no security.

    This is a pretty bold statement, but think about variations of this which we all know not to be true:

    I'm secure because I have a firewall.

    I'm secure because we passed a penetration test.

    I'm secure because we haven't detected any intrusions recently.

    I'm secure because my CSO has lots of experience.

    The only way to really have a concept of security is to have a plan which aligns to your business risks and goals and then measure how well you are doing against this plan.

    Unfortunately, networks have become very complex. There are a plethora of devices, users, connections and applications running on other people's infrastructures.

    Historically, it was not possible to audit all of these things with a comprehensive policy, so we instead relied on humans to perform audits. Many of these audits were periodic in nature and did not consider the continuous nature of how fast risks to our network could be discovered and exploited.

    Today however, automation can be used to discover, assess and then report about how well your network is doing against your plan. This can often be done in near real time.

    Your plan could be a direct implementation of something like the NIST Cyber Security Framework, a real-time measurement of your compliance with PCI or something more basic, such as measuring that every one of your web servers is protected by a WAF.

    As the CEO for Tenable Network Security, I've seen a dramatic change in how organizations view the functions of audit. As organizations move from periodic audits to continuous audits, they gain tremendous advantages. These include:

    • near real-time inventory discovery which also implies real-time change detection
    • near real-time discovery of security risks and violations
    • earlier detection of potential hacker targets and regulatory compliance issues
    • confidence in the network's ability to operate at an appropriate risk level

    One of the most popular items our customers use is our dynamic dashboards. We've seen tremendous growth in organizations who want to know how they compare to regulatory and compliance standards from NIST, DISA, PCI, etc. Our customers leverage dashboards and report templates which allow them to re-interpret the scanning, network monitoring and log analysis data they are already collecting to monitor how compliant they are with these standards. I've included links to many of our more popular dashboards below:

    CSC 20 Controls
    http://www.tenable.com/sc-dashboards/council-on-cybersecurity-20-critical-security-controls-dashboard

    NIST CyberSecurity Framework
    http://www.tenable.com/sc-dashboards/cybersecurity-framework-audit-dashboards

    PCI Status
    http://www.tenable.com/sc-dashboards/pci-status

    Securities and Exchange Commission
    http://www.tenable.com/sc-dashboards/sec-risk-alert

    Australian Signals Directorate Top 4 Mitigation Strategies
    http://www.tenable.com/sc-dashboards/asd-top-4-mitigation-strategies

    Each of these dashboards includes a lengthy description of how technologies such as network traffic monitoring, net flow collection, credentialed vulnerability scanning and configuration auditing can be leveraged to perform a technical assessment of compliance with each of these controls. We have published several hundred of these types of dashboards for our customers. Many of these were requested by our customers as well.

    At Tenable, we consider real-time automated testing of a security policy the very essence of continuous monitoring. Without a security policy to translate the security telemetry from your scanners, logs and security systems, all of this data produces security noise. It takes a policy to make sense of the data from your sensors and understand if it is telling you that you are secure or that you have a problem.

    • 1 entry, 1 comment, 7525 views

    Recent Entries

    As we are all aware, cyber breaches from malicious actors - criminal and/or nation-sponsored - to our critical infrastructure could lead to significant damage and disruption to our national economy. The national conversation around cyber incidents, which included work from the Obama administration, hearings and other efforts in Congress, led to President Obama’s Executive Order (EO 13636) that established the path forward to increase the cybersecurity of our nation’s critical infrastructure, including the development of the Cybersecurity Framework (CSF).

    The CSF is a great start for critical infrastructure entities, or other organizations, that want to develop or accelerate an effective cyber defense and resilience capability. It presents a model that helps to identify, assess and reduce critical business risk and also promotes a measured approach that organizations can follow to determine exactly what their cybersecurity posture is and create a roadmap to address prioritized risk areas. These efforts can be led through internal capabilities or through third party assessments.

    One way to get started is through engagement with CFORUM which will provide access to a thoughtful community that can assist in answering questions and sharing best practices and ideas. While the information security leaders in the CFORUM have an enriching and wide diversity of backgrounds and industries, they share a common purpose: securing the American economy from serious cyber risks. I encourage you to join and take advantage of it.

    While supported and incubated by the public sector, a fundamental aspect of the vision behind the EO and CSF was to establish a living Framework that is private sector led. In my next post, I’ll outline how a confluence of factors in the private sector (from insurance, to contracts, to supply-chain management, and more) is contributing to making this voluntary framework a de facto required one.

    • 1 entry, 0 comments, 7759 views

    Recent Entries

    Welcome to CForum, the information hub for the cybersecurity framework!

    As you may be aware, the framework was set into motion by Executive Order 13636 in February 2013. This order directed the Department of Commerce to direct the National Institute of Standards and Technology (NIST) to convene industry and come up with a common framework for identifying, assessing, and managing cybersecurity risk. Through a consultative process with critical infrastructure, industry, and government partners, NIST utilized a Request for Information, 5 national workshops, and a final Request for Comments to build the framework. A key component of that process was the dialogue that happened at the workshops between industry members and the government. This dialogue was critical to the success of the NIST process and the subsequent framework.

    Now that the framework has been published, the dialogue needs to move toward framework alignment and best practices. This type of discussion is ongoing and dynamic and needs to be focused in one place; therefore, a different method of communication is needed. These forums serve as that central location and include topics such as: Framework 101; sector based adoption; next steps for the Framework; and many more topics being defined by the community. These forums include topics from a 101 section, a sector adoption section, and a board to discuss the next steps of the framework. CForum is the foundation upon which industry can build a better cybersecurity risk management platform.

    To build that platform, there are many topics surrounding the framework that need to be addressed by the community. To that end, please engage with your industry partners in meaningful dialogue around the implementation of the framework at your organizations. Only by gathering lessons learned and best practices can we truly raise the cybersecurity bar. CForum represents an opportunity for each organization to make its voice heard and to contribute to the evolution of the framework.

    We look forward to continuing the discussion!

    CForum Team
