Next Generation Security - HIMSS Chapter

Transcription

NIST Cyber Security Framework & Healthcare IT Security
Clarksville, MD, 22 April 2016, Annual Spring Conference
Next Generation Security: Adaptive, Intelligent, Resilient
Scott Montgomery, VP, Chief Technical Strategist
scott.montgomery@intel.com, +1 240 498 2941 (m)
McAfee Confidential

DISCLAIMER
“The information contained in this document is for informational purposes only and should not be deemed an offer by Intel Security or create an obligation on Intel Security. Intel Security reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.”

HealthCare Security Landscape
Sector’s Top Attack Categories: DDoS, Account Hijacking, Malware
“Average data breach cost per capita for the healthcare industry is 363”
Sources: Ponemon Data breach report 2015 and Intel Security Group

Ransomware
Cyber-Threat-Alliance: “When researching profits made by the group behind CW3, an estimated 325 million dollars was discovered.”
Ransomware-as-a-Service (RaaS) is booming in the early start of 2016; multiple sites and campaigns have been detected.
Most prevalent ransomware families at the moment: CryptoWall v4 and TeslaCrypt
Source: McAfee Labs Threat Report, November 2015
Source: df

HealthCare – Ransomware attacks
- Attackers ask 3.6 million ransom
- Hospital’s network down for more than a week
- Systems for CT scans and others impacted
- Email, patient files and other data encrypted
- Staff went back to fax machines for communication
They were not the only hospital hit by ransomware.
Reported by CSO Online

HealthCare
We still have a long way to go: a simple scan of Internet-facing devices for remote control software without a password

Healthcare Organizations are Subject to Many Legislative & Regulatory Requirements
“Authoritative Sources” Often Overlap

NIST Cybersecurity Framework – What it is and why
An organizational Cybersecurity Risk Management tool for:
- Improving communications between technical staff and the business decision makers
- A common language for discussing organizational cybersecurity issues
- Evaluating an organization’s current security posture
- Developing an organization’s target security profile
- Providing a means to develop a roadmap for improving the cybersecurity posture based on specifics
- Improving Cybersecurity Risk Management decision making within the organization
Why?
- Released (Version 1.0) February 12, 2014, it is in direct response and support of President Obama's February 2013 Executive Order 13636 "Improving Critical Infrastructure Cybersecurity."
- Helps organizations to identify, understand, manage and reduce cybersecurity risks by prioritizing security investments
- Voluntary guidance created based on existing standards and best practices (private and public sector were involved in the creation)
- A living document

NIST Cybersecurity Framework – What it is not
- Prescriptive
- A replacement for existing risk management methodologies (but it can augment and complement them, or fill the gap if none exists)
- Foolproof! No, implementing the CSF does not mean you’re immune to being compromised!
- A “one size fits all” approach
- A substitute for thoughtful review, evaluation and pragmatism in addressing risk concerns and priorities
- It is NOT an IT governance “Framework” in the classic sense of COBIT
- It is not a silver bullet
“Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.”
Source: NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0.

NIST Cyber Security Framework – Overview
Three primary components:
1) Profile: comprised of two views, current “as is” and target “to be”
2) Implementation Tiers (1 – 4): Partial, Risk Informed, Repeatable, Adaptive
3) Core:
   - Functions: Identify, Protect, Detect, Respond, Recover
   - Categories, subcategories and Informative References
Source for slide content: urity-framework-021214.pdf

NIST Cyber Security Framework – Overview
Implementation Tiers:
- Tier 1 – Partial: Risk management process and program ad hoc, reactive. Cybersecurity activities and risk management visibility limited.
- Tier 2 – Risk Informed: Risk management practices approved by management may not be fully established across the organization. Cybersecurity activities and risk management concerns have some level of visibility but may not be all-encompassing across the organization.
- Tier 3 – Repeatable: Risk management practices are clearly approved and defined, adhered to, and consistent methods are in place to respond to and address risks across the organization.
- Tier 4 – Adaptive: Organization adapts and evolves risk management and cybersecurity practices based on lessons learned and predictive analysis. Cybersecurity risk management is part of the culture.
Tiers can provide context for the organization relative to how they view and manage cybersecurity risks.
Source for slide content: urity-framework-021214.pdf

NIST Cyber Security Framework – Overview
The CSF provides a common method for organizations to:
1. Baseline and describe the “as is” current posture
2. Describe the “to be” target state
3. Identify and prioritize improvements
4. Assess progress
5. Communicate to stakeholders
Source for slide content: urity-framework-021214.pdf

Points of Consideration
- It is the start of a journey
- Enables continuity and continuous improvement
- Branch out and connect with partners and others who are taking this journey
- Keep it simple! Do not go too deep or too fast
- Understanding risk and managing priorities in investments to address it enables compliance
Leveraging the CSF can help drive better risk management, prioritized investments and foster better communication across state organizations.

Our Lessons Learned
- The CSF fosters essential internal discussions about alignment, risk tolerance, control maturity, and other elements of cyber risk management
- Setting our own Tier Targets was especially useful
- The CSF provides a common language for cross-organizational communications, allowing apples-to-apples comparisons
- Engage all stakeholders early; the Framework itself facilitates discussion
- Its alignment to industry practices made it easy to scale and tailor it to our environment with surprisingly minimal impact

NIST CSF Update to Industry – Cyber Security Framework Workshop, 6-7 April 2016
On December 11, 2015, NIST issued its third request for information (RFI), Views on the Framework for Improving Critical Infrastructure Cybersecurity, to receive feedback. The RFI analysis served as a starting point for discussion at the Cybersecurity Framework Workshop 2016, hosted by NIST in Gaithersburg, Maryland on April 6 & 7, 2016.
The workshop, with approximately 800 participants, continued important conversations begun in the recent RFI and included topics such as:
- Ways in which the Framework is being used to improve cybersecurity risk management
- How best practices for using the Framework are being shared
- The relative value of different parts of the Framework
- The possible need for an update of the Framework
- Options for long-term governance of the Framework

NIST CSF Update to Industry – Cyber Security Framework Example RFI Responses, 11 Dec 2015

Reaching Critical Mass
Security teams are overwhelmed by manually intensive solutions
[Diagram: pipeline Collect → Normalize → Enrich → Correlate. Data Sources: Object, Network, Logs, Endpoint. Threat Intelligence: Organizational, Community, Global. Security Consoles.]

Gap in Cyber Security Skilled Labor
Global shortfall in talent
[Chart: Actual vs. Requirements, with the Hiring Gap between them]
Source: The 2015 (ISC)2 Global Information Security Workforce Survey

Intelligence Based Orchestration & Automation
Apply the power of knowledge – Security Connected
[Diagram: Global Threat Intelligence (McAfee Global Threat Intelligence, VirusTotal, 3rd Party Feeds); Intel Security Countermeasures (Analytics & response, Payload inspection & detonation, Cloud assisted protection, 3rd Party Solutions); Organizational Threat Intelligence (Security Organization, Prevalence & Forensics, Evolution of endpoints)]

Connected Architecture
Efficient, thorough, automated communications between disparate sensors
[Diagram: Real-Time Messaging, Standardized Content, Adaptive Workflows connecting Endpoint, Network, Identity, Data and 3rd Party components. Efficiency in Communication.]

Critical Conversations – Challenges & Outcomes
Strategic Approach: open integration fabric, partner ecosystem, services & expertise; Dynamic Control & Automation; Contextual Risk Cognition; Pervasive Point of Presence
Customer Challenges: Neutralize Emerging Threats; Safeguard Vital Data; Fortify Critical Environments; Optimize Security Operations
Customer Outcomes:
- A resilient digital enterprise that can withstand sophisticated attack campaigns
- A shift from tactical firefighting to strategic lifecycle defense
- Minimized financial, brand and user impact from security incidents
- Safely leverage innovative services and technologies for competitive business advantage
- Establish control between end-users and cloud
- Protect sensitive data regardless of where it lives or how it moves
- Rapid business line service provisioning with minimized risk
- Comprehensive visibility and consistent policy extension across complex hybrid datacenters
- Maximized agility and resource utilization without sacrificing security
- Compressed decision making and action cycles yielding improved overall efficacy
- Increased efficiency, automation and labor-hour output of existing teams and technology
- Reduced deployment, management, and reporting complexity of the entire security ecosystem
Evolving Portfolio:
- Advanced Web Security: Web Security integration with Cloud Sandboxing
- Converged Endpoint: Consolidated Endpoint Platform (ENS) with AR, TIE, Contain & Trace
- Detection for Targeted Attacks: Threat Management Platform plus TIE with Endpoint, IPS, SIEM, & Cloud Sandboxing
- Pervasive Data Protection: Endpoint Cloud delivered Data Protection unification with visibility and control for cloud applications
- Dynamic Endpoint Protection: Endpoint 10.X integration with Web SaaS Security
- Private & Hybrid Cloud Security: Network IPS, ATD & Server security into more private/hybrid environments
- Dynamic Protection for Public Cloud(s): Expansion of discovery and consistent policy controls across public cloud environments
- Cloud Management at Enterprise Scale: Cloud ePO delivery for Enterprise Endpoint & Web Security

Integrated System Value
Metric (Disconnected Architecture → Integrated System):
- Time to Respond: 1455:17 min (24 hours) → 6:50 min
- Time to Protect: 254:02 min (4.2 hours) → 1:08 min
- Capacity: 6 IOC/day → 210 IOC/day
- Coverage Gaps: gap in hash data sent to SIEM → 0
- Data Confidence: 24 (full use of intelligence gives the customer a higher confidence that security is effective)
- Consoles: 6 → 2
- Manual Steps: 19 → 3
- Requirements
EFFICIENCY / EFFICACY:
- Average Time to Respond reduces dwell time to less than 7 min
- 66% reduction in technology components reduces the cost of security
- 85% decrease in manual steps allows the customer to repurpose the analysts to harder tasks
- 3500% increase in IOC handling capacity

Power of Intel Corporation
Innovating solutions from silicon to software
[Diagram themes: Compatibility, Innovation, Anti-Tamper, Open Performance Framework, Big Connected Performance, Big Data Innovation, Next Generation Defense, HW-Assisted Security, McAfee, Performance, Scalability]

Summary Discussion
- Working with Intel Security to Improve Cyber Situational Awareness
- Discussion on the “art of the possible”
- What works & what doesn't work today?
- How does technology & security change in the next 12-24 months?
- CTO Workshops: Technology Roadmap Planning & Value Management Workshops
- Latest threat reports: dictions-2016.pdf
THANK YOU!
