
Revolutionizing Cyber Defense: The NIST CSF 2.0 Advantage

BSides Edmonton · 2024 · 35:07 · Published 2025-10
Style: Talk
About this talk
BSides Edmonton, September 23-24, 2024

Talk: Revolutionizing Cyber Defense: The NIST CSF 2.0 Advantage

Abstract: In an era where cyber threats are evolving at an unprecedented pace, staying ahead of the curve is imperative for any organization. The new NIST Cybersecurity Framework (CSF) v2 introduces transformative updates designed to bolster our defenses and enhance our resilience against sophisticated cyber adversaries. This session will delve into the critical enhancements of NIST CSF v2, providing a comprehensive roadmap to leverage its innovative features effectively. Join us as we explore the framework's expanded focus on governance, supply chain risk management, and the integration of privacy and security controls. We will discuss practical implementation strategies, drawing from real-world examples and case studies that illustrate the framework's applicability across diverse sectors. Attendees will gain actionable insights into aligning their cybersecurity programs with NIST CSF v2, ensuring they are well-equipped to mitigate risks, protect critical assets, and foster a culture of continuous improvement in their cybersecurity posture. Whether you are new to the field or a seasoned cybersecurity professional, this session will equip you with the knowledge and tools to navigate the future of cybersecurity with confidence and clarity. Embrace the power of NIST CSF v2.0 and transform your organization's approach to cybersecurity today!

Speaker: Saif Azwar

2024 Slides: https://drive.google.com/drive/u/0/folders/1ess6fUZNd9BbWK7pPBrh8UVE-7GXtMyG
Transcript [en]

So this afternoon he is going to be presenting a paper on Revolutionizing Cyber Defense: The NIST CSF 2.0 Advantage. And just a little brief into his background: Saif Azwar is a cybersecurity consultant with over 18 years of experience in the field. His multiple qualifications, including CISSP, CCSP, CISM, CISA, CRISC and C, demonstrate his dedication to staying current with cybersecurity challenges and regulatory demands. Throughout his career, Saif has built solid partnerships and provided tailored security advisory services to meet the unique needs of various organizations. He has helped over 100 organizations protect their critical assets and sensitive information, ensuring business continuity, safeguarding reputations and maintaining regulatory compliance. A round of applause for Saif.

Good afternoon everyone, thank you so much for coming today. As they mentioned, my name is Saif Azwar. I'm a cybersecurity adviser; I've been in the industry for more than 18 years, in roles like technical, management, leadership, and basically I help organizations enhance their security posture, understand the risks they have, and help them protect their critical assets.

So in today's presentation we will try to answer three questions: what are the objectives, what we are trying to achieve as cybersecurity professionals, whether we are analysts, engineers, architects or even CISOs; what are the challenges that we are facing on a day-to-day basis as professionals in the field, handling different business requirements, tackling different cyber threats, preparing for or trying to navigate different regulations and mandates that are coming to the industry every month or every year; and finally how we are going to use a framework to basically streamline our tasks, streamline our day-to-day jobs, rather than tackling those problems without a strategy or without a vision within the environment.

So I would start with the objectives: what we are trying to achieve as security professionals, what are the security goals that we have. One is asset protection, for sure. That could be the data, the sensitive information, systems, networks, applications, you name it; we even consider people as critical assets for the organization that we need to protect, especially when it comes to critical infrastructure industries or sectors. The second one is maintaining operational resilience, business continuity. That's very important, and we probably heard multiple sessions today or yesterday talking about business resilience: how you should recover from an incident, maintain your revenue, customer satisfaction, business operations in general. And lastly the reputation and the brand: how you make sure that your customers can still trust you as an organization if you have a data breach, how you should be transparent about those data breaches, how you should report those incidents to the authorities, to the people, to the stakeholders in general.

Now to do that we need some cyber defense mechanisms, we need some security controls. Those mechanisms could be a combination of technologies, processes, best practices that are going to help you defend against or mitigate those cyber threats as well as the risks. Those cyber defense mechanisms or controls could be administrative, like policies; they could be technical controls like firewalls, antivirus, any other type of technology or tool you use; and finally they could be operational or physical controls, especially if you have an on-prem environment or offices or facilities. Those controls are going to help you mitigate the risks or the threats. Those threats could be adversarial; they could be accidental, like someone within your internal team deleting files and causing an outage; they could be technology-based risks, like an outage within your technology stack or an outage of your cloud services; or they could be environmental, like natural disasters, floods, fires within your data centers. Usually we focus only on the adversarial side of things, but we need to tackle all types of threats, and that's how you basically understand what type of security controls you need to deploy. Of course, those adversaries could be insiders or outsiders, could be individuals, groups, nation states that will target your organization. Every organization has some level of cyber defense mechanisms or security controls.

So if I want to take an example of an organization: what you see here on the screen is an example of an enterprise. If you look at the bottom of the screen, they might have facilities or offices, which is a controlled environment. They might have a remote-access workforce; that could be people working from home, from airports, traveling, could be anywhere. The organization also has some systems, some data, applications that are deployed in a cloud; maybe it's a SaaS application, it could be infrastructure, it could be on-prem or a private data center. Also as an organization you will deal with supply chain: you deal with third parties, that is contractors, vendors, business partners who have access to your data, who have access to your systems. And of course you have clients: if you are a business organization you're going to have clients, whether that's B2B or B2C, depends on your organization.

So every organization starts with deploying different types of security controls. Those are basic controls: they start with firewalls, with antivirus software, they start with some kind of solution, and as the organization starts growing and expanding, maybe into new markets, or they're starting to build a new product, they start deploying more security controls, more defense mechanisms: security operations like monitoring, log analytics; this could be more advanced identity and access management solutions. And when you start doing that, basically your security controls start growing organically, without a cohesive vision or strategy. Also some organizations start reacting to some incident they have in the environment, or reacting to new regulations or mandates within your industry, and that will make the team deploy even more tools or more strategies in the environment, or even more features. Now this is where cybersecurity becomes overwhelming, because you have a sprawl of solutions, a sprawl of tools. Those tools overlap, they are redundant, those deployments might be inconsistent, like you're trying to focus on a certain business unit or business process rather than focusing on the whole enterprise as one strategy. That will make your team have some fatigue; they will be overwhelmed, they will be stressed, because now they are trying to handle different types of requirements. And usually we are all kind of facing that: when there's a new business requirement, usually there is no advance notice. They're not going to tell you, well, next year we're going to have a new product. Usually they're going to say next month we're trying to launch this product, please secure this cloud or this security deployment, and you handle it. That will make you basically do a quick deployment, incomplete deployments, just to be compliant with the requirements, compliant with the new region you are going to. So this is not security, this is mainly compliance.

So in order to tackle this, in order to build a unique strategy, a cyber strategy for the environment, you need a framework. That framework is going to help you manage your risks, it's going to help you protect your assets, maintain operations, maintain your reputation and brand for the organization. A framework is basically a set of well-defined practices, processes, guidelines that will help you implement them in a repeatable way, in a proper way, to meet the business objectives or the security objectives. It will give you perspective in terms of a roadmap: what is the current profile, the current security stance of the organization, and where you want to go. So you start working with the business, you start working with the technical team, with all the stakeholders, basically to meet or achieve that roadmap or that desired state in the future, whether that's a goal to reach in one year, two years or three years, depends on the size of the environment, depends on your strategy.

The framework is also going to give you a comprehensive approach. It's going to cover all areas of cybersecurity. You know how some of us in certain fields, or subject matter experts, focus only on detection mechanisms, or adversary or offensive security, or identity and access management; in my opinion all the security teams or security team members need to focus on the whole strategy. They need to understand, when someone comes to them and says hey, I need a backup solution, why you need a backup solution, why a backup solution is important: because you need business resilience. If they say we need to detect threats, they need to know that incidents are still going to happen. It's not like you deploy the security control and you are all set and you should be fine. No, this is going to happen. So you need to have a full strategy in terms of the protection, the detection, the recovery, all aspects, and that's also going to help you build a consistent strategy in the environment.

So usually the frameworks can be applied to the whole organization, like what type of strategy you have for the organization; they can be applied to a business unit; or they can be applied to a system, like a mission-critical system within your environment. So this framework is basically going to help you to be adaptable, scalable, and also have the same strategies across the board.

Now which frameworks do they use? There are plenty of frameworks and standards and strategies in the industry. Some of them are risk management frameworks, some of them are technical, some of them are targeting a specific industry or sector, some of them work for a certain region, like maybe Europe, like GDPR for privacy. I know privacy and cybersecurity are different disciplines, but they overlap a lot, and usually the same strategies or controls you use are going to help you achieve your privacy as well as cybersecurity objectives. So where should you start? Basically there are many ways, there is no wrong answer, but one of the best frameworks in the industry is the NIST Cybersecurity Framework, NIST CSF. And it's great because, number one, it's widely recognized. Second, it's scalable and adaptable, so any type of business, doesn't matter your industry or sector, whether you are government, public sector, private sector, nonprofit organization, doesn't matter the size of the organization, it's going to apply to you; you can adopt those kinds of strategies and outcomes. At the same time it can integrate with other standards, other guidelines, so you can have a framework that you build for your organization, customized, tailored to your needs, that follows this; it can also adopt some strategies or guidelines from the ISO family, it can adopt strategies from the CIS Controls as technical controls, and you can mix and match, but the base framework that you're going to use is NIST CSF and then you build on top of it over time.

The other factor with the NIST CSF is basically it gives you coverage. So NIST CSF recognizes six security functions, and you have security controls or outcomes within those functions. They have the Govern, which is the governance, compliance, risk management; the Identify, or identification of assets and risks; Protect; Detect; Respond; and Recover. Those are all the main critical areas that you need to focus on when you build a strategy or a framework for your environment. And also they have the roadmap, as I mentioned: NIST CSF gives you the capability to build current profiles, the current state of your security, and the desired state, the target profile, and basically you will be able to start prioritizing your activities, your budgets, your resources, to work toward those desired profiles. And finally the maturity: you will be able to measure how mature your practices are. Are you doing things in an ad hoc manner, on demand? Do your processes run on certain dates, exercises on a proper schedule? Do you involve everyone? That's going to measure the maturity of your practice and will help you communicate this to the business, saying hey, we are doing great in those areas like asset management, but we usually don't do well when it comes to business continuity exercises or incident response exercises, so we need to do better. So you start building this year after year until you reach the maturity that suits your needs as well as is within the acceptable risk levels for the organization. Until today I haven't seen an organization that has reached level four of maturity; usually they will be between risk-informed to basically repeatable processes. So we're all on the same page here, we're on the same journey, we are all trying to work towards better maturity levels, and it's a long journey. It's not going to be overnight or over a year; it's going to be months, years, depending on what the objective is that's required for your organization.

Now talking about the coverage, as I mentioned, the NIST CSF has six different functions that define multiple outcomes, multiple security domains that you can implement. The first one would be Govern. That's basically understanding your business: what are the objectives, what are the goals, what are the policies you have in place, what are the risk management strategies. Do you accept risk, do you mitigate risk, do you transfer it to a third party, or do you avoid it? That really depends on the risk appetite or risk tolerance of the organization. It can also handle supply chain risk management. Those two things are major enhancements of NIST CSF version 2: they added a dedicated function for Govern, which is this one, and they added dedicated outcomes or categories for supply chain risk management.

They also have the Identify function, which basically is: you need to know what type of assets, what type of data, what type of systems and applications you have. If you don't know what you have, you will not be able to protect or detect incidents within those functions. Once you identify those assets and risks, threats, vulnerabilities, now you start protecting them using different kinds of controls: that could be identity and access management, passwords, multi-factor authentication, privileged identity management, it could be security awareness, applying secure configuration within the environment. Once you start protecting your environment, you still need to detect if there is some weird or anomalous activity; you need to detect bad behaviors or suspicious kinds of alerts in the environment. Of course, even if you are protecting your environment and detecting, normally incidents are still going to happen, so you're still going to have an incident in your environment. Now the matter is going to be what's the impact of that, so prepare to respond for different scenarios within the environment: what will happen if you have ransomware in the environment, what will happen if a privileged identity, your privileged user's password, gets compromised, what are the steps you're going to follow, who should you notify.

And of course after every incident, after you mitigate the incident, you need to recover. You need to be able to restore your services, whether that's restoring access to an account or restoring the whole environment if you have a major outage due to ransomware or something else, because, remember, we mentioned that it's not always adversarial, not always malicious activities; it could be anything else. So you need to be prepared for those scenarios.

So if we want to apply those six security functions to the organization example that you have, fair enough, you need first to start with identifying the assets. Those assets could be in the cloud, like cloud services, applications, platforms; could be banks, in fact, if you're dealing with banks or whatnot; you need to identify all the assets handed or delivered to your workforce: laptops, devices, printers. You need to understand your environment so you're able to assess the risks, assess the vulnerabilities that you have in the environment, who are the threat actors that could target your industry, and can they exploit those vulnerabilities or missing processes or gaps in the environment, and how do you improve over time on this process. Are you doing something different? Are you being very broad in terms of risk management, only focusing on the organization but not focusing on your mission-critical systems or applications? Maybe you need to go deeper and do the same risk assessment for the system that generates revenue for your organization; maybe you need to do it for your system that stores or handles your medical records if you are in the healthcare industry. Those are the things that you need to focus on.

Once you identify those assets, as I mentioned, you start protecting them with technologies, processes and best practices. Now, identity and access management, multi-factor authentication, you name it; those, by the way, could apply to your environment, or they apply also to the third party who has access to your environment. So you need to tackle both, you need to manage the risk from both perspectives; doesn't matter who's accessing your data, we need to protect that. And sure, we have invested in authentication and authorization; how do you apply those mechanisms in the environment? Security awareness, that's very important: you need to build a risk-aware culture within your environment, you need to make sure everyone understands what they would do when there is an incident, how they should react: practice, practice, practice, basically, so they know how to act. And the confidentiality, integrity, availability of your data: are you encrypting the data, do you have a data loss prevention tool, do you do labeling and classification of data so you know who has access to your data? For example, a new technology just released, like generative AI: if you enable that within your environment, what type of access is this technology going to have, how do you govern that access, do you do labeling and classification and say, well, Microsoft Copilot, you can access those specific labels, you cannot access everything? Those are the things you need to work on. So it doesn't matter if it's a threat or if it's a technology, you still need to tackle this. You need to handle the platform security, technology infrastructure resilience, building redundancy within the environment; that's also very important.

Once you do the protection, go to Detect, which is basically monitoring the events, discovering anomalies, monitoring the dark web for indicators of compromise or leaked credentials from your environment, and how you should react to that. Again, incidents are still going to happen, either because someone didn't pay attention and clicked a URL, or this could be a technology that failed. You need to be able to respond to that incident; you need to be prepared on who you should talk to, who you're going to report the incident to. In many industries there are some new mandates; for example, British Columbia, for their utility companies, they have now new mandates that you need to report the incident within 72 hours, and they ask you to build an incident response strategy that's based on the NIST framework. So you need to comply with those requirements. In other areas, like maybe the financial industry, OSFI also asks you to be compliant with certain requirements, and they focus on incident response. When it comes to PII, PHI, PCI data, you need to be really serious when it comes to reporting those data breaches, because that affects privacy, it could affect the livelihood of the individuals affected by that breach. So who's doing the analysis when it comes to incident response, who are you communicating with, are you reporting to the authorities, are you only reporting internally if there is no data breach, and finally how are you going to respond: if it's a password compromise or a credential compromise for someone within your environment, what are you going to do? Reset the password, terminate connections, and you're done for the day. If it's ransomware, what are you going to do? Do you disconnect the network, try to isolate the incident, and then you start analyzing how it happened, where it happened, how you should prevent that from happening in the future.

And finally, which is the most important one, is how you recover to a good state of your operations. If you don't have backups, if you don't have a mechanism to recover your operations, you are done; what are you going to do after that? Business continuity and business resilience are very important; this is what's going to help you stand back up and basically resume your operations. That all comes to how prepared you are: whether you can recover in one day or you can recover in one month, it really depends on the plans you have in the environment. Do you have a clean backup copy of your data? Do you trust that? Do you have a strategy to analyze and then basically return to operations? That's very important to understand.

And finally, how are you going to govern the whole thing, from Identify all the way to the Recover process? What are the policies you have in place, what are your risk management strategies, do you need to be compliant or is it just following best practices to secure your environment? Those are all important questions; you need to tackle them sooner rather than later. So if you are a client, or you are part of an organization and you're trying to protect your environment, you need to think of all of that. You need to sit down, build a strategy, talk to your stakeholders, talk to the IT teams, security teams, and say hey, we need to focus on all those areas. It's no longer only deploying firewalls or deploying a SIEM tool or an EDR solution; we need to make sure that we have the necessary tools at our disposal to be able to protect the environment. You need to understand what type of tools you have, and some of those tools overlap. So if you have a detection and response vendor, it could be managed detection and response, for example; they might offer endpoint detection and response, they might offer network detection and response. How are you going to build your tool set to make sure that it's working for you, working for the environment, and basically you are not overwhelming your team members? And you as a vendor as well, what are you going to do to help the clients make a better decision? How are you going to map your functions or your security features to those security functions when you come and reach out to a client? How do you make sure that, hey, I can help you cover those aspects within the detection, the response, as well as the protection? Take a firewall as an example: it could have IDS, it could have IPS, it could have anti-malware; they have many features you can use. Are they covering your public cloud services, or covering only the on-prem services? So that's how you can basically plan your strategy.

Now the nice thing about NIST CSF is basically it has practical implementation guides, or profiles. Let's say you are in the healthcare industry; your main objective, as an example, is to protect the patients, from a security perspective of course. So NIST CSF, if you want to adopt that, is going to help you identify what are the critical assets, where are the records mostly stored, how do you protect that, do you use encryption, do you use something else, how do you respond if there is a data breach of your PHI, the protected health information: do you respond internally, do you need to notify authorities, do you need to notify the patients? Those are all things that you need to take care of and basically plan for. The beauty of the CSF is basically there are multiple community profiles already built and ready to be used for different sectors, like smart grids or the energy sector, election systems, and that continues to grow; there are more community profiles being released day after day. They even have community profiles that you can use to tackle certain threats or risks: ransomware, denial of service. All those can be accessed through their website; you can basically download the templates and customize them to your needs. They will give you what your status is and what would be the desired state for your environment, for this sector, as an example.

Now where do we start, if we want to adopt NIST CSF? I would say if you are kind of lean, or you don't have a strategy at all, you can start with understanding your business: what are the objectives, what are the policies, who are your stakeholders. And then you start doing an initial assessment: tell me what type of assets you have, tell me what type of risks, threats or vulnerabilities. After that you start with building current and target profiles: where am I at today, where should I go in the next year or two years or three years, what are the priorities for our environment, how should I adopt new strategies for enhancing the detection, protection, response capabilities. Now of course saying three months, six months, twelve months, that could be unrealistic for some organizations; some organizations are way behind on this business process and it will take longer. So maybe you focus on a certain business process or a certain business unit and you tackle that: this is the mission-critical business process, let's do that first, let's do a risk assessment, let's figure out the priorities. So those timelines could be really subjective to the size of the environment, to the sector, to the threats. And finally, how do you do continuous improvement: the continuous tests, risk assessment, risk analysis, basically being able to build the security posture within your environment, make everyone aware of the risks associated with technology, whether they are adversarial, accidental, technology failures or environmental. That's the proposed way of doing it. I hope that you learned something today. I appreciate your time for coming here, and thank you so much.

Any questions? Yes.

[Audience question, largely inaudible] ... so can you ... what I've been working on ... so I found the ... how long is ... so it's ...

That's a very good question, and it's very challenging to answer. ... so usually there are new technologies or new ... basically the best idea is to always have ... and you have at least ... usually the first 12 hours ... and you and others in house do some ... if ... what's happened ... they can't ... because they don't ... what they will need is evidence, information, analyze it, and that's going to take days to do that. On the other hand you have a business that says ... we are losing ... people need to ... So I'd say it's very subjective ...

... so it's very subjective. One of the best ways is basically to build ... do some analysis, validations ... Another question? Okay, perfect, thank you so much.