
The Updated Cyber Rosetta Stone

The Collective Risk Project

Presented by Kelli Tarala


Principal Consultant, Enclave Security © 2021
2 Translation

“Translation is not a matter of words only; it is a matter of making intelligible the whole culture.”
-Anthony Burgess

The Updated Cyber Rosetta Stone © Enclave Security 2021


3 The Rosetta Stone

Chris 73 / Wikimedia Commons, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=19669

Bibi Saint-Pol - Own work Public Domain, https://commons.wikimedia.org/w/index.php?curid=1904789.



4 We Needed a Cyber Rosetta Stone

• Rather than every organization attempting to do this on their own, why can’t the community come together to fix this problem and make things better?
• As a community of cybersecurity professionals, we solved this problem.
• The Collective Risk Project translates frameworks into building blocks.



5 Cyber Security & Privacy Frameworks

• NIST 800-53
• ISO/IEC Standards
• CMMC
• HIPAA
• NIST Cyber Security Framework
• CIS Controls
• NIST Privacy Framework
• Various State Laws
• Australian Signals Directorate (ASD) Top 35
• NERC CIP
• PCI
• NYCRR 500
• NIST 800-82
• COBIT
• CCPA
• ISA/IEC 62443



6 Cyber Security & Privacy Frameworks and Standards

• Too many standards
• Time consuming to understand
• Vague controls
• Overlapping controls
• Missing controls



7 AuditScripts Collective Risk Project

• Collective Risk Model
• Collective Threat Model
• Collective Controls Catalog
• Metrics & Measures



8 Project Contributors

• There have been numerous contributors to this project over the last few years.
• Some of the key contributors to this project include representatives from:
– The SANS Institute
– The Institute of Applied Network Security (IANS)
– Enclave Security / AuditScripts
– Black Hills Information Security (BHIS)
– Individuals from a diverse set of international organizations (public and private)



9 Collective Risk Model (CRM)

• Most cybersecurity professionals agree that risk management should be the foundation of all cybersecurity activities.
• But the reality is that most risk management frameworks are vague and academic in nature, leaving it to each organization to determine what to do.
• The result is that almost no organization is doing risk management well; at best, some are doing just pieces of the puzzle.
• The cybersecurity profession needs a clear, collaborative framework for managing risk that does not require each organization to reinvent the wheel.

10 Collective Risk Model


11 Collective Threat Model

• Formerly known as the Open Threat Taxonomy
• Hundreds of organizations have contributed
• One of the latest efforts is the release of a community threat model, which will be used to document and prioritize threats
• The threats defined in the CTM will in turn be used to define the controls
• Will help standardize risk assessments, making it one less paperwork step for organizations to complete



12 Popular Threat Inventories

• Today, there are a limited number of threat inventories that can be used as a starting point for this exercise
• Some of the most widely used models include:
– ENISA’s Threat Taxonomy
– MITRE’s ATT&CK Framework
– OWASP Top Ten
– Collective Threat Model



13 Mapping Threats to Controls

• Once an organization has a threat inventory and a control inventory, they must be mapped against each other to define which controls could defend against which threat
• This can be a difficult task, as often many controls could potentially stop one threat, or a control may only partially address a particular threat
• Few threat-to-control mappings exist, thus this step is almost universally skipped by most organizations



14 Collective Control Catalog (CCC)

• Developed by the same consortium of security practitioners that developed the CRM and CTM.
• Open source research project freely available to the community.
• Started as a research project to normalize and compare existing cybersecurity standards and regulations.



15 Understanding the Collective Control Catalog
• Presently aggregates and analyzes control libraries from
35+ standards.
• Normalizes roughly 2000 control statements to about 400
statements.
• Categorizes, tags, and prioritizes control statements to
facilitate project planning and implementation efforts.



16 Control Categories and Control Systems


17 Collective Security Control Catalog: Coverage


18 Example Framework compared to CCC


19 Collective Security Control Catalog: Normalizing and Mapping


20 Collective Control Catalog: Prioritization and Tagging



21 AuditScripts CCC Assessment Tool
• Security control-centric approach to
risk assessment.
• Tool is maintained by Enclave
Security and AuditScripts.com.
• Organization is assessed based on
their successful implementation of
specific security controls.
• Output is a dashboard/maturity
score based on successful control
implementation.
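The two steps the deck describes in slides 13 and 21, mapping a threat inventory against a control inventory (including controls that only partially address a threat) and then scoring an organization on how well it has implemented those controls, can be made concrete in a few dozen lines. The script below is an added illustration written for this page; it is not the Collective Risk Project's own data, mapping or assessment tool. All threat IDs, control IDs, framework requirement IDs and coverage weights are constructed placeholders, and the combination rule (multiplying residual exposure across controls) is one reasonable choice, not the project's published method.

```python
"""Threat-to-control mapping with partial coverage, plus an implementation-weighted
score.  Added illustration only: NOT the Collective Risk Project's data or tooling.
Every identifier and weight below is constructed for the example."""

# How much of each threat a FULLY implemented control mitigates (0..1).
# Constructed weights; a real catalog would publish these per mapping.
THREAT_CONTROL_MAP = {
    "T-PHISH":    {"C-MFA": 0.6, "C-EMAIL-FILTER": 0.5, "C-AWARENESS": 0.3},
    "T-RANSOM":   {"C-BACKUP": 0.7, "C-EDR": 0.5, "C-PATCH": 0.4},
    "T-INSIDER":  {"C-LEAST-PRIV": 0.6, "C-LOGGING": 0.4},
    "T-ZERO-DAY": {},   # no mapped control: the "missing controls" case
}

# Assessed implementation maturity per control, 0.0 (absent) .. 1.0 (fully in
# place), as a spreadsheet assessment tool would score it.  Constructed values.
ASSESSMENT = {
    "C-MFA": 1.0, "C-EMAIL-FILTER": 0.5, "C-AWARENESS": 0.0,
    "C-BACKUP": 1.0, "C-EDR": 0.25, "C-PATCH": 0.5,
    "C-LEAST-PRIV": 0.0, "C-LOGGING": 1.0,
}

# Constructed crosswalk: framework requirement IDs (placeholders, not real clause
# numbers) collapsed onto normalized control IDs, the "Rosetta Stone" step.
CROSSWALK = {
    "FW-A:1.1": "C-MFA", "FW-B:8.3": "C-MFA", "FW-C:3.2": "C-MFA",
    "FW-A:2.4": "C-BACKUP", "FW-B:9.1": "C-BACKUP",
    "FW-C:5.6": "C-LEAST-PRIV",
}


def threat_coverage(threat, mapping=THREAT_CONTROL_MAP, assessment=ASSESSMENT):
    """Fraction of a threat mitigated by the controls as currently implemented.

    Each control independently removes weight * maturity of the threat, so
    coverage = 1 - prod(1 - w_i * m_i).  Multiplying residuals instead of summing
    weights keeps overlapping partial controls from adding up past 100%."""
    residual = 1.0
    for control, weight in mapping[threat].items():
        residual *= 1.0 - weight * assessment.get(control, 0.0)
    return round(1.0 - residual, 4)


def improvement_gain(threat, control, mapping=THREAT_CONTROL_MAP, assessment=ASSESSMENT):
    """Coverage gained on `threat` if `control` were brought to full implementation."""
    before = threat_coverage(threat, mapping, assessment)
    after = threat_coverage(threat, mapping, {**assessment, control: 1.0})
    return round(after - before, 4)


def control_gaps(threshold=0.75, mapping=THREAT_CONTROL_MAP, assessment=ASSESSMENT):
    """Threats below `threshold` coverage, each with its not-yet-complete controls
    ranked by the gain from finishing them.  An empty list means no control is
    mapped at all, which is a catalog gap rather than an implementation gap."""
    gaps = {}
    for threat in mapping:
        if threat_coverage(threat, mapping, assessment) >= threshold:
            continue
        candidates = [
            (control, improvement_gain(threat, control, mapping, assessment))
            for control in mapping[threat]
            if assessment.get(control, 0.0) < 1.0
        ]
        gaps[threat] = sorted(candidates, key=lambda pair: -pair[1])
    return gaps


def maturity_score(assessment=ASSESSMENT):
    """Dashboard-style overall score: mean implementation maturity across controls."""
    return sum(assessment.values()) / len(assessment)


def frameworks_citing(control, crosswalk=CROSSWALK):
    """Reverse lookup: which framework requirements a normalized control satisfies."""
    return sorted(req for req, ctl in crosswalk.items() if ctl == control)


if __name__ == "__main__":
    for threat in THREAT_CONTROL_MAP:
        print(f"{threat:<11} coverage {threat_coverage(threat):.2f}")
    print("gaps:", control_gaps())
    print(f"maturity score: {maturity_score():.3f}")
    print("C-MFA satisfies:", frameworks_citing("C-MFA"))
```

Two design points worth noting. First, the product-of-residuals rule is what prevents the double counting the deck warns about: with three partial controls mapped to one threat, a simple sum of weights would report more than 100% coverage. Second, `control_gaps` distinguishes a threat with no mapped control (an empty candidate list, i.e. a hole in the catalog) from a threat whose controls are mapped but unimplemented, which is the gap a remediation plan can actually act on.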



22 CCC Assessment Tool

• Microsoft Excel is still the most popular management tool available to cybersecurity practitioners.
• Sometimes it is better not to be complicated.
• The tool to the right is an example of using Microsoft Excel to score control implementation.
• In this case, using the free AuditScripts.com tool to measure against the Collective Controls Catalog.



23 AuditScripts Collective Risk Project
• Risk Model
• Collective Threat Model
• Collective Controls Catalog
• Metrics & Measures



24 No Redundancy



25 Future of the Project

• The goal is to continue to develop this framework, with collective community support
• At least annually, a new version of this framework, with supporting resources, will be released to the community for their consideration
• Ideally each year, more and more cybersecurity professionals will donate their time to refining and explaining this approach
• Ideally each year, more and more resources and templates will be available to make it easier for organizations to process the body of knowledge



26 Next Steps - Call for Action

• Learning from presentations such as this is wonderful, but action is better:
– Risk?
– What control libraries does your organization use?
– Has your organization formally agreed on a common set of cybersecurity controls?
– Has your organization been assessed against a common set of cybersecurity controls to better understand their present state?
– Has your organization defined a plan to address the most critical cybersecurity control gaps that were identified in the assessment?



27 Resources and Contact Information

KELLI TARALA
Principal Consultant at Enclave Security
Kelli.Tarala@EnclaveSecurity.com
@KelliTarala

RESOURCES FOR FURTHER STUDY:
• AuditScripts.com Collective Risk Project Resources
• AuditScripts.com Master Mapping Spreadsheets
• SANS MGT415: A Practical Introduction to Cyber Security Risk Management