• Rather than every organization attempting to do this on their own, why can’t the community come together to fix this problem and make things better?
• As a community of cybersecurity professionals, we solved this problem.
• Collective Risk Project translates frameworks into building blocks.
Project Contributors
• There have been numerous contributors to this project over the last few years
• Some of the key contributors to this project include representatives from:
  – The SANS Institute
  – The Institute of Applied Network Security (IANS)
  – Enclave Security / AuditScripts
  – Black Hills Information Security (BHIS)
  – Individuals from a diverse set of international organizations (public and private)
Collective Threat Model
• Formerly known as the Open Threat Taxonomy
• Hundreds of organizations have contributed
• One of the latest efforts is the release of a community threat model, which will be used to document and prioritize threats
• The CTM will be used to define threats, and those threats in turn drive which controls are defined
• It will help standardize risk assessments, leaving organizations one less paperwork step to complete
Collective Control Catalog (CCC)
– Developed by the same consortium of security practitioners that developed the CRM and CTM.
– Open source research project freely available to the community.
– Started as a research project to normalize and compare existing cybersecurity standards and regulations.
Understanding the Collective Control Catalog
• Presently aggregates and analyzes control libraries from 35+ standards.
• Normalizes roughly 2000 control statements to about 400 statements.
• Categorizes, tags, and prioritizes control statements to facilitate project planning and implementation efforts.
AuditScripts CCC Assessment Tool
• Security control-centric approach to risk assessment.
• Tool is maintained by Enclave Security and AuditScripts.com.
• Organization is assessed based on their successful implementation of specific security controls.
• Output is a dashboard/maturity score based on successful control implementation.
CCC Assessment Tool
• Microsoft Excel is still the most popular management tool available to cybersecurity practitioners.
• Sometimes it is better not to be complicated.
• The tool to the right is an example of using Microsoft Excel to score control implementation.
• In this case, using the free AuditScripts.com tool to measure against the Collective Controls Catalog.
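As an added illustration of the scoring idea behind the two preceding slides (normalized control statements carrying a category, a priority and the standards they were mapped from, and an organization assessed on how well it has implemented each one), the following Python is example code written for this page; it is not code from AuditScripts, Enclave Security or the Collective Control Catalog project. The sample controls, categories, source-standard names, priority weights and the three-level status scale are all constructed assumptions, not catalog content.

```python
"""Toy control-centric assessment scorer (illustrative only).

Each normalized control carries a category, a priority and the source
standards it was mapped from.  An assessment assigns each control an
implementation status; the scorer returns per-category and overall
maturity scores, a prioritized gap list and per-standard coverage.
All controls, standards and weights below are constructed placeholders,
not entries from the Collective Control Catalog.
"""
from dataclasses import dataclass

# Assumed status scale: credit each status earns toward the maturity score.
STATUS_CREDIT = {"implemented": 1.0, "partial": 0.5, "not_implemented": 0.0}

# Assumed weighting: priority 1 (most critical) counts three times a priority-3 control.
PRIORITY_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}


@dataclass(frozen=True)
class Control:
    cid: str          # catalog identifier (placeholder)
    statement: str    # normalized control statement
    category: str     # category tag used for the dashboard
    priority: int     # 1 = most critical (assumed convention)
    sources: tuple    # source standards this statement was normalized from


# Constructed sample catalog with hypothetical standards STD-A, STD-B, STD-C.
CATALOG = [
    Control("C-01", "Maintain an inventory of authorized devices", "Asset Management", 1, ("STD-A", "STD-B")),
    Control("C-02", "Maintain an inventory of authorized software", "Asset Management", 1, ("STD-A",)),
    Control("C-03", "Require multi-factor authentication for administrative access", "Access Control", 1, ("STD-A", "STD-B", "STD-C")),
    Control("C-04", "Review privileged account membership quarterly", "Access Control", 2, ("STD-B",)),
    Control("C-05", "Retain security logs in a central location", "Logging", 2, ("STD-C",)),
    Control("C-06", "Test backup restoration at least annually", "Recovery", 3, ("STD-A", "STD-C")),
]

# Constructed assessment result for a fictional organization.
SAMPLE_STATUS = {
    "C-01": "implemented", "C-02": "partial", "C-03": "not_implemented",
    "C-04": "implemented", "C-05": "partial", "C-06": "implemented",
}


def _credit(control, status):
    """Credit (0..1) earned by a control; unassessed controls earn nothing."""
    s = status.get(control.cid, "not_implemented")
    if s not in STATUS_CREDIT:
        raise ValueError(f"unknown status {s!r} for control {control.cid}")
    return STATUS_CREDIT[s]


def score_by_category(catalog, status):
    """Return {category: maturity score 0-100}, weighted by priority."""
    earned, possible = {}, {}
    for c in catalog:
        w = PRIORITY_WEIGHT.get(c.priority, 1.0)
        possible[c.category] = possible.get(c.category, 0.0) + w
        earned[c.category] = earned.get(c.category, 0.0) + w * _credit(c, status)
    return {cat: round(100.0 * earned[cat] / possible[cat], 1) for cat in possible}


def overall_score(catalog, status):
    """Single priority-weighted maturity score across the whole catalog."""
    possible = sum(PRIORITY_WEIGHT.get(c.priority, 1.0) for c in catalog)
    earned = sum(PRIORITY_WEIGHT.get(c.priority, 1.0) * _credit(c, status) for c in catalog)
    return round(100.0 * earned / possible, 1) if possible else 0.0


def gap_list(catalog, status):
    """Controls not fully implemented, most critical first; ties broken by how many standards they satisfy."""
    gaps = [c for c in catalog if _credit(c, status) < 1.0]
    gaps.sort(key=lambda c: (c.priority, -len(c.sources), c.cid))
    return [c.cid for c in gaps]


def coverage_by_standard(catalog, status):
    """Return {standard: percent of its mapped controls fully implemented}."""
    total, done = {}, {}
    for c in catalog:
        for std in c.sources:
            total[std] = total.get(std, 0) + 1
            done[std] = done.get(std, 0) + (1 if _credit(c, status) == 1.0 else 0)
    return {std: round(100.0 * done[std] / total[std], 1) for std in total}


if __name__ == "__main__":
    print("By category:", score_by_category(CATALOG, SAMPLE_STATUS))
    print("Overall:", overall_score(CATALOG, SAMPLE_STATUS))
    print("Gaps (most critical first):", gap_list(CATALOG, SAMPLE_STATUS))
    print("Coverage by standard:", coverage_by_standard(CATALOG, SAMPLE_STATUS))
```

Because a normalized statement keeps the list of standards it was mapped from, a single assessment pass yields both the dashboard view (per-category maturity) and a per-standard coverage view; the gap list puts the most critical and most widely mapped unimplemented controls first, which is the ordering a remediation plan would normally follow.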
Future of the Project
• The goal is to continue to develop this framework, with collective community support
• At least annually a new version of this framework, with supporting resources, will be released to the community for their consideration
• Ideally each year, more and more cybersecurity professionals will donate their time to refining and explaining this approach
• Ideally each year, more and more resources and templates will be available to make it easier for organizations to process the body of knowledge
• Learning from presentations such as this is wonderful, but action is better:
  – Risk?
  – What control libraries does your organization use?
  – Has your organization formally agreed on a common set of cybersecurity controls?
  – Has your organization been assessed against a common set of cybersecurity controls to better understand their present state?
  – Has your organization defined a plan to address the most critical cybersecurity control gaps that were identified in the assessment?