
Chris Martinez Executive Order: Private Sector Cybersecurity Information Sharing

BSides Orlando · 35:35 · Published 2015-11
About this talk
http://bsidesorlando.org/2015/christopher-martinez-executive-order-private-sector-cybersecurity-information-sharing

Day 1 - Track 1

Abstract

This presentation is on the new Presidential Executive Order for promoting private sector information security sharing. For the first time in history, we have reached the point of shifting minds toward encouraging organizations to share security-related information with third-party organizations and the government. As a result of this Executive Order, the number of information sharing and analysis organizations (ISAOs) will increase drastically. An ISAO is a not-for-profit community, a membership organization, or a single company facilitating sharing among its customers or partners. “Rapid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone. This Executive Order lays out a framework for expanded information sharing designed to help companies work together, and work with the federal government, to quickly identify and protect against cyber threats.” – U.S. White House.

Bio

Christopher Martinez is an IT Security Engineer working primarily with multiple SIEM technologies at ReliaQuest and a graduate of the Management Information Systems program at the University of Tampa.
Transcript [en]

Look, yeah, can everybody hear Chris all right? What, do I sound good? All right, ready? Yeah, there you go, it's beautiful color.

Good afternoon, everyone. I'm Chris Martinez, and I will be talking to you about the executive order on private sector cybersecurity information sharing. First I want to say it's an honor to be here. My first BSides was BSides Orlando last year, so I'm excited to be talking this year.

A little bit about me: I work at ReliaQuest as an IT security engineer. We are a co-managed IT security solutions provider; we assess, secure and manage your security and compliance posture, and we do that through various solutions and 24/7 services. I primarily work with SIEM management, from content development and installations to daily management for many different SIEMs. We work with all types, the big ones you know: ArcSight, QRadar, LogRhythm, SecureVue, AlienVault and more. I graduated from the University of Tampa with a degree in management information systems, with a focus on security in my own study time and in any available classes there as well. My two biggest interests in information security are SIEM utilization, by which I really mean the concept of integration with a centralized location, and the evolution of information security. By that I mean the way that this field and the people in this field are going with information security in general, and also the societal and, kind of, the philosophical side of how it changes our society. So, fix this... all right.

So, introducing the executive order on promoting private sector cybersecurity information sharing. The purpose of presenting this topic is to bring awareness to everyone of what is going on in our society, especially with our field and community of cybersecurity, and that also includes technologically and politically. We as a cybersecurity community are going to be confronted with proposed changes whether we like it or not (thanks a lot), so it is our responsibility to identify what is going on, analyze the effects and also respond appropriately.

So what is the executive order? The executive order is a framework that allows expansion of information sharing, designed to help companies work together, and with the federal government as well, to quickly identify and protect against cyber threats. The framework contains four key points: encouraging private sector cybersecurity collaboration; improving private-public information sharing; providing strong privacy and civil liberties protections; and paving the way for future legislation. Now, rapid information sharing is an essential component for effective cybersecurity protection; it enables US companies to work together to respond to threats rather than operating alone.

So how does this affect us? Well, for the first time in history we are experiencing encouragement to share security information with third parties and also the government. As we know with the NSA, that is still a very touchy topic for a lot of people, because privacy is privacy. We've been taught that, and we have been rolling with procedures and policies to protect that idea and concept. However, even Congress in recent years has attempted to pass legislation that would encourage cybersecurity or cyber threat information sharing, but even those bills have been shot down by the concern over privacy. But this year at the HP Software Government Summit in Washington, DC, even the HP senior vice president and general manager of Enterprise Security Products, Art Gilliland, said cyber threat information sharing is one of the few ways organizations can be proactive in dealing with cyber attacks. Now that is huge, especially as a security company; he is saying, look, we need to be proactive and this is the way to do it.

So now that we know what it is and how it affects us, we'll drill into how it works. The executive order encourages the development of information sharing and analysis organizations, also known as ISAOs. The ISAOs will serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and the government. Now, in encouraging the creation of ISAOs, the executive order expands information sharing through the formation of communities that share information across a region or in response to a specific emerging threat in an industry. So an ISAO can be a not-for-profit, a membership organization or a single company facilitating sharing among its customers or partners. That's also an upcoming business idea for a lot of companies: to become that not-for-profit company for any threats that they are receiving, either through honeypots or any other means. We're going to see a lot of these come up very soon.

According to the 2015 Cisco Annual Security Report, 1% of high-urgency CVEs were actively exploited. Now that is where ISAOs come in to play. So with that one percent of high-urgency... well, this is very, kind of, also similar to, like, ISACs, and I will do questions after. Nice, so, haha, according to Cisco... all right, according to Cisco's 2015 report, one percent of high-urgency CVEs were exploited; however, that means that more companies need to be more proactive and also that these threats need to be shared more quickly.

So, collaborating with ISAOs via the DHS National Cybersecurity and Communications Integration Center, with that we'll be sharing information related to cybersecurity risks and incidents. A perfect example of this was HITRUST, which is the Health Information Trust Alliance. They have actually been very progressive with this executive order and the ideas coming out of this. In the wake of the Anthem breach, the industry was able to experience the effectiveness of information sharing when HITRUST was able to share indicators of compromise with the health care industry within one hour after Anthem posted them to HITRUST's automated CTX. Their CTX is their Cyber Threat Exchange. The indicators of compromise were also shared with the Department of Health and Human Services, Homeland Security and US-CERT, who shared the indicators of compromise with other industries' ISAOs. HITRUST has recently made access to CTX, their Cyber Threat Exchange, easier by offering a free subscription for any healthcare organization. Now imagine if we have many industries doing this, having this available: the retail industry, the financial industry, so that we have many industries pulling this data together and sharing it, even with each other, within the United States. That is the goal of the executive order: to get that communication, rapidly sharing this information, all throughout the United States' companies.

So, even actually as of Wednesday, April 8th, just the other day, ThreatStream announced a groundbreaking partnership with HITRUST. Through the partnership, HITRUST is offering their Cyber Threat Exchange, powered by ThreatStream, as a service that streamlines cyber threat information sharing and significantly accelerates detection of and response to cyber threats targeted at the healthcare industry. So, you know, developing the baseline will enable ISAOs to quickly demonstrate their policies and security protocols to potential partners.

The executive order calls out to clarify the Department of Homeland Security's authority with information sharing organizations. With that is streamlining the National Cybersecurity and Communications Integration Center's information sharing agreements with ISAOs. One more thing was to fund the creation of a nonprofit organization to develop a common set of voluntary standards for ISAOs. That is also going to include business processes, operating procedures and privacy protections, which is the big, big goal here: to keep data private while also being functional to share with other companies and industries. Sharing organizations must engage in an open public review and comment process for the development of standards. It's also going to improve private-public information sharing by, like I said, clarifying the Department of Homeland Security's authority with information sharing organizations. This is going to ensure robust and voluntary information sharing, and by streamlining private sector companies' abilities to access classified cybersecurity threat information, this is going to provide valuable context to network defenders and enhance their abilities to protect their systems. So the Department of Homeland Security will approve classified information sharing agreements and arrangements. The administration intends on expanding sharing information to complement the existing effective relationships between the government and the private sector.

There you go. All right, so here's actually how the HITRUST CTX and collaboration works right now, and I use their example; this is all from the HITRUST Alliance website, because they've actually done, like I said, a very good job of being able to demonstrate the effectiveness of collaboration and rapid information sharing of their security information. So, as you can see here, when the breach occurs at organization one, IOCs and attack details will be distributed to the CTX, and other organizations will receive observables that will be directly integrated into their detection infrastructure, such as SIEMs, IDS, IPS and other technologies, and I will go into that in a little bit more detail in just a moment. But that has also gone through the software installed within their CTX and other collaboration software that will be pushed out, so organizations can continue to monitor for future occurrences, as they have this information already shared across the board.

So, as you can see here, for the threat indicator acquisition they get their threat information from many different sources. The goal, again, is to get this into every type of industry within the United States, especially the main ones such as financial and health care. In this case they have the DHS feeding into this with their threat information; they also have partners, Homeland Security, like I said, trusted collaboration, and their own sandbox environments, and also the modern honeynet. This is all information... these are all sources that HITRUST gets their information from, and with this new executive order what we want to do is also push that back out: any information that is received internally, push it back out for that to be able to be spread to other industries. Now, threat information is rapidly imported into the CTX, which is available for enterprises to distribute this information into their security tools such as, as you can see here, LogRhythm, ArcSight, Splunk, QRadar, etc. So HITRUST specifically uses their optic link to implement the security tool and the information they're receiving in their CTX.

So the executive order is also going to provide strong privacy and civil liberties protections. Now, this ensures that information sharing enabled by this new framework will include strong protections for privacy and civil liberties. ISAOs will agree to abide by a common set of voluntary standards such as minimization, which is going to be redacting sensitive information without affecting the function of the information being provided. Now, in addition, agencies collaborating with ISAOs under this order will coordinate their activities with their senior agency officials for privacy and civil liberties, and ensure that appropriate protections for privacy and civil liberties are in place and are based upon the Fair Information Practice Principles, such as protecting PII and all media through appropriate security safeguards. There are also many other Fair Information Practice Principles that deal specifically with privacy in regards to the information that is being shared.

Paving the way for future legislation: this is intended to complement existing effective relationships between the government and the private sector. So, building out the concept of ISAOs is a framework for the targeted liability protections that the administration has long asserted are pivotal for incentivizing and expanding information sharing. The administration will intend to use this proposal to complement, and not to limit, existing effective relationships between the government and the private sector. The goal here is really to strengthen not only the trust but the effectiveness of all the information sharing that was going on between the government and the private sector.

So with that, there's actually going to be a major cybersecurity bill this month that is granting companies protection from legal liability if they choose to voluntarily share certain cyber threat data with the government. Now, this does bring up a lot of questions; I see some eyebrows being raised in the crowd. You know, we're so used to privacy, so used to being secure with our own privacy, not wanting to share, and being taught time after time again that sharing is not great, especially with third parties or the government: how much are they surveilling? Well, I want you guys to know that this is not meant to be surveillance on anybody, but this is simply meant to protect companies in the United States from breaches such as the big Sony breach that happened. That was actually one of the big driving factors of this executive order, the Sony breach, and other breaches that have come along the way, and big companies such as HP, like we talked about, have realized that being proactive, the ability to share this information rapidly, is going far beyond software security solutions and also services such as that. Now it is coming down to us being proficient in our processes and procedures. So with that, it is time... even actually, even on HP, I just keep going forward, but at the HP software summit HP had also said that, even as a security solutions and software provider, they also agree that the processes and people that are involved in the companies need to get more efficient in their own processes and procedures.

So with that said, this executive order does bring up a lot of bills, or a lot of bills coming into play. Especially, you'll notice, if you guys have ever heard about the new bill that's coming out, it's basically going to be seizing assets for anybody who is a cyber threat to US companies. So with that, that could be its own topic in itself; however, that is also going to be a big one that this is going to pave legislation for, and those common set of voluntary standards that will affect the bills to come.

So now, are there any questions? I kind of ran through this pretty quickly, so any questions? Yes. Okay, so if I get this right, ISAOs... a voluntary standard to protect the information? Yes, correct. Presumably they will be identified if they make... exactly, okay. And the next legislation we're expecting is a bill that's going to grant liabilities... companies who share information, which is... ISAOs, yeah, so that they're going to share all the information, because the ISAOs are going to protect that under their voluntary... they're going to analyze it, protect it, right, without actually... this is a way to by companies against releasing public information that can then be made available not only to intelligence agencies but potentially to the general public, right? Hmm, potentially to the general public, not so much. Well, and see, there are going to be a lot of questions that come up with this bill and this executive order, and even the bill itself in its current state is not clear to a full extent. However, we also ask the question of how valuable is data now. So with having that insurance of, you know, getting that liability taken off of companies just for sharing their cybersecurity information, it really goes to show how valuable that will be to our own government and to the industries and also to everybody else in the world.

So there are a lot of questions, and I do want to state that this topic and presentation is meant to be informative and not influential. So as a community we're going to have to think about these ideas, and I would love to hear these opinions and comments and questions like this. So any questions or comments you guys have, let's bring them up now. Go ahead. Glad to hear you... just, the executive order, this is what the... the executive order on promoting private sector cybersecurity information sharing, it's ongoing right now? It is; in fact it just got passed in the House with a 14 to 1 pass, so it will be moving on. It's going on, it's active right now.

All traffic? Good point, which ingenious move. So theoretically passwords and stuff could be shared through, I guess, one of these things, and what would prove then, if they're all indemnified, you know, there's no way of saying, hey, you know what, you guys up your response. And that's the beauty of the evolution of information security: there's always going to be something that's coming up, or a possibility or a way of breaching this data, and especially with the processes and procedures, those will have to also evolve, and possibly even in this case be built up to provide the best security against, you know, man-in-the-middle attacks, because that was actually one of the thoughts I was thinking of in this bill as well, or in this executive order and just this whole framework that's being laid out. So that's a good question, and that's something that we're going to also have to look into and find out.

The executive order is more aimed at the process and the procedure of it. The executive order itself, coming obviously from the administration, you know, not from the technical side but more of the executive side, is definitely just going for the process and procedure. As far as the technical standpoint, as I showed over here in this guy, and of course there's going to be a lot more information, this was very high level over here, but the idea, yes, you get that threat exchange database, or just a threat exchange centralized location, to be able to push out to other industries. So integrating SIEMs and IDS/IPS tools and any other security tools is definitely, obviously, going to be done, but this executive order in itself does not detail any, you know, when it comes to how it's going to redact information or how it's going to even transfer. So the answer to the question is no, as far as the executive order goes. Correct. All right.

Ah, that's actually a really good one. So as far as international companies go, if the company is not based in the United States, if it's not located in the United States, it does not go out to an international company. However, if it does belong to the United States but it's branched out somewhere else, then it is acceptable; it's a trusted source at that point. Can you repeat the second part of your question?

Well, as this framework stands, that's all going to depend on how the organization goes out with those processes. So, the way that this executive order is standing right now, they do not have a set standard for that; in fact they didn't even go in depth that much, which is actually very surprising and was one of the things that I didn't like about this executive order when reading it. However, when it comes to being susceptible to, you know, starting to become monitored by the NSA or whatever the case may be, in that aspect, that's an entirely different subject. When it comes to what's going to be that boundary, that was not clear in the executive order, and again that's something that as a community we definitely should look into. Green shirt.

Exactly, and you're absolutely right: ISAOs will be a huge target, and probably one of the biggest targets ever as they become more and more popular, especially the smaller ones. Yeah, as for the information security that's needed, any tools and processes and procedures that are needed for ISAOs, those are really going to have to be extremely strong. And coming back to the NSA on that, I mean, when we have any type of monitoring, especially from the federal government, going on with those information sharing and analysis organizations, that actually helps them, so in that aspect it's having another eye on what's going on. So there's really a lot that goes on with that idea as well. So I would also have to agree and say that ISAOs will be a huge target when it comes time, when these are more implemented; they already are implemented, but when these become more and more popular. Leave a hand.

Well, that's an entirely different bill itself that's coming up this month. Yeah, that's going to be this month; it actually just came out. I saw, I was reading up on the articles about it just the other day; it just popped up. And seeing that, that's also another idea. So what was that?

Wow. And so that's one to read into the bill to see to what extent it goes through. But also, to respond back to this, you know, it's not sharing all information but really cyber threat data with the government. So let's say you guys were to get compromised, or we did see, you know, any type of threat that came in, maybe a C&C connection or whatever the case may be; you know, that gets shared with the government. Not necessarily every piece of information, not Social Security numbers of people.

And it also depends on to what extent will they not be liable at that point, so to what extent do they still get protection. Again, that's something in the bill that is definitely... shake your head... but we as a community need to discuss these things as well and think of these ideas, and, you know, as far as that. So what was it? Yep.

That's... we have a question over here. Look, excuse me, we have a question over here.

Yeah, the White House: whitehouse.gov was the main source of this. So actually you'll be able to find something new just about every day when it comes to this; more and more information comes out, and certain things are passed and also revised as the date, you know, as it continues. So there are a lot of revisions that happen; you know, even from a month ago when I started this topic there have been changes. So as far as that, whitehouse.gov is one of the best, and also the DHS, so the Department of Homeland Security is also the other main source to follow up with this.

Cool, thank you.

Or a hacker only... what about keeping bug bounties? You know, if some company so happens to be sending that data back, you work on a bug bounty, all of a sudden you're, like, opens back truck with, you know, all that and all your ships taken. So, bug bounties are actually going to be... that's actually also a different topic when it comes to the changes that are coming into play, especially with this, with the other bill I was briefly explaining: for any type of cyber threat happening to US companies, to what extent is our administration going to punish them? That's actually a huge topic, and it's actually most likely going to affect the bug bounties more than anybody else. So I am also interested to know about that, because that's a good point, and that's for the next bill to come out. I'd be like, there's going to be changes in our field regardless, and we're all facing those all the time.

Different, different bill, but yeah, I mean, we're definitely having some very different bills coming up that affect us, bug bounties and other entities that are also doing things like that, simply put. So take us on the other hand, right here, yeah.

When it comes to HITRUST, I don't know by the time that actually happened, and, you know, when the IOCs got out. But, however, when the IOCs did get out, that's also where the information sharing and analysis organizations come into play; that would speed up the process of, you know, detection and then analyzing and then sharing. So I was reading up about that, and these are shared through STIX and TAXII, so those are two different protocols for sharing with the government, sharing from the government information as well as that. However, as far as more strict protocols, that I am not aware of right now. So, any other questions or comments? Really, the purpose of this, and I know the presentation was a little bit shorter, but the hope for this one was to get everybody talking, because a lot of people have been pretty opinionated on this, from the ones I've brought up in the past, and so really I wanted to get everybody just almost engaging. So is everybody... looks like we're all good now? Then, all right, well, thank you guys for your time today.