The document discusses cybersecurity frameworks and introduces the NIST Cybersecurity Framework. It provides an overview of the framework, explaining that it was created to provide a common language for organizations to assess security capabilities, identify gaps, and measure progress across different standards. The framework establishes guidelines for profiling current security levels, setting targets, and developing action plans to close gaps. An example is provided of a company that used the framework to improve security and facilitate auditing and certification.

1. Cybersecurity for real life:
Using the NIST Framework to
protect your critical infrastructure

2. © 2017
@CohesiveNet
About me
The need for NIST
The fog of more - life before the Framework
Intro to the NIST Cybersecurity Framework
NIST for all
Real life use case
Agenda
2

3. © 2017
@CohesiveNet
tl;dr
3
NIST Cybersecurity Framework can help all orgs:
• move from checklist security to proactive prevention
• asses current security capabilities
• measure vulnerable areas across compliance standards

4. © 2017
About Me
4

5. © 2017
@CohesiveNet
Dwight Koop, CFO & COO
5
co-founded the Chicago Board of
Options Exchange (CBoE)
co-founded Rabbit MQ, now VMware
Secret Services’ Chicago Electronic
Crimes Task Force
Treasurer for Chicago FBI Infragard

6. © 2017
@CohesiveNet
Cohesive Networks - your applications secured
6
VNS3 security & network
software products
2000+ customers in 20+
countries across
industries and sectors
Enterprise
Security
Top 20 Most Promising
Company
Cloud Marketplace Provider
MARKETPLACE SELLER
TECHNOLOGY PARTNER

7. © 2017
The need for NIST
7

8. © 2017
@CohesiveNet
new cyber realities
8
Attacks have become
professional: hackers,
criminals or foreign
governments.
In the post-Sony era,
all servers “on a wire”
are compromised or
targets.
Regulatory
implementation and
reporting demands
are increasing.

9. © 2017
@CohesiveNet
target: governments
9

10. © 2017
@CohesiveNet
target: healthcare
10

11. © 2017
@CohesiveNet
target: retail
11

12. © 2017
@CohesiveNet
target: you
12

13. © 2017
@CohesiveNet
• Increase Information Sharing
• Protect Privacy & Civil Liberties
• Consult with Everyone
• NIST Create Cybersecurity Framework
• Voluntary Adoption Program w/ Incentives
• Identify Greatest Risks
• Determine Need for More Regulation
DHS mandate: organize & coordinate
13
Executive Order 13636:
Improving Critical Infrastructure
Cybersecurity
Image credit:Wikimedia Commons

14. © 2017
@CohesiveNet
DHS mandate: organize & coordinate
14
Cybersecurity Enhancement
Act of 2014
• Amends the NIST Act
(15 U.S.C. 272(c))
• Voluntary
•Consensus-based
• Industry-led
Image credit:Wikimedia Commons

15. © 2017
Fog of More: Life before NIST
15

16. © 2017
@CohesiveNet
Pre-NIST Cybersecurity Frameworks
16
• International Organization for Standardization ISO/
IEC 27005:2011
• Electricity Sub-Sector Cybersecurity Risk
Management Process (RMP) guideline
• Committee of Sponsoring Organizations
(Accounting Orgs) (COSO)
• American Institute of CPA's (AICPA) SOC 2 & SAS70
• American Institute of CPA's (AICPA) - Generally
Accepted Privacy PrinciplesGAPP (August 2009)
• Shared Assessments ORG Vendor Assessments
(AUP v5.0 & SIG v6.0)
• FTC Children's Online Privacy Protection Rule
(COPPA)
• European Union Agency for Network and
Information Security (ENISA) IAF
• European Union Data Protection Directive 95/46/
EC
• GSA's Federal Risk and Authorization Management
Program (FedRAMP) Cloud Security Controls
• Family Educational and Privacy Rights Act (FERPA)
• Health Insurance Portability and Accountability Act
(HIPAA)
• Health Information Technology for Economic and
Clinical Health (HITECH) Act
• Dept. of State International Traffic in Arms
Regulations ITAR
• UK Royal Mail - Jericho Forum on De-
Perimeterisation
• and on and on…

17. © 2017
@CohesiveNet
The Big 10
17
International Organization for
Standardization ISO 31000:2009
International Organization for
Standardization ISO/IEC 27001 2013
NIST Special Publication NIST 800-53r3 & r4
Payment Card Industry Security Standards
Council Data Data Security Standard PCI DSS
v3.0
International Society of Automation
Industrial Automation And Controls ISA-IAC
62443-2-1:2009
Information Systems Audit and Control
Association (ISACA) COBIT 5
Cloud Security Alliance - Enterprise
Architecture & Guidance CSA EAG v3.0
SANS Institute Council on Cybersecurity's
Critical Security Controls for Effective Cyber
Defense v5
DHS Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT)
Cybersecurity Evaluation Tool (CSET®)
Department of Energy (DOE) Cybersecurity
Capability Maturity Model C2M2

18. © 2017
@CohesiveNet
Class Test
Certification is expensive
18

19. © 2017
@CohesiveNet
Software Tools
Standards
Training Classes
Certification Badges
Certification, PenTest, & Audit
Services
Vulnerability Databases
Guidance & Best Practices
Catalogs of Controls
Checklists
Vendor Benchmarks
Recommendations, Regulations
& Requirements
Threat Information Feeds
Risk Management Frameworks
Competing Options, Priorities, Opinions, and Claims
The Fog of More
19

20. © 2017
Intro to the NIST Cybersecurity Framework
20

21. © 2017
@CohesiveNet
Who: 16 Critical Infrastructure Sectors
21
Nuclear Chemical Facilities CommsManufacturing EmergencyDamsDefense
Financial Energy Agriculture HealthWater IT Gov FacilitiesTransportation
Image credit: dhs.gov

22. © 2017
@CohesiveNet
NIST Cybersecurity Framework Core
22

23. © 2017
@CohesiveNet
just one subcategory:
23

24. © 2017
@CohesiveNet
NIST Framework tiers of maturity
24

25. © 2017
@CohesiveNet
NIST Cybersecurity Framework
25
Creates a common language
82% of US federal agencies fully or partially adopting it
“align these policies, standards, and guidelines with the
Framework”
Creates actionable guides for agencies:
1. create a report within 90 days with an implementation plan
2. maintain a comprehensive understanding of cybersecurity risk

26. © 2017
@CohesiveNet
Organized
One standard format
Common language
Unifying process
Defense in breadth & depth
Incentives
Risk management focused
Free
Cons
Why: NIST Cybersecurity Framework
26
Redundant
Yet another framework
Enforcement & penalties
Sustained cyber-siege
Not technical
Not designed for small firms
Technology debt?
Pros

27. © 2017
@CohesiveNet
applying risk based cybersecurity
27
Traditional Risk-Based
Audit focus Business focus
Transation-based Process-based
Compliance objective Customer focus
Policies & procedures focus Risk management focus
Multi-year audit coverage Continual risk-reassessment coverage
Policy adherence Change facilitator
Budgeted cost center
Accountability for performance improvement
results
Career auditors Diversified knowledge and experience
Methodology: Focus on policies, transactions,
and compliance
Methodology: Focus on goals, strategies, and risk
management processes

28. © 2017
@CohesiveNet
risk-based security frameworks
28
2016 PwC State of Information Security:
91% of companies have already adopted a
risk-based cybersecurity framework
Risk-based security can help:
•identify and prioritize risks
•gauge the maturity of cybersecurity practices
•better communicate internally and externally
•design, measure and monitor goals
•build program that centers around safety and security of data
91%

29. © 2017
NIST for all
29

30. © 2017
@CohesiveNet
how: NIST Cybersecurity for all
30
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
Repeat The Steps As Needed (Rinse and Repeat)

31. © 2017
@CohesiveNet
Chicago style cybersecurity
31
Innovative
blend proven style with new technologies
Pragmatic
work within constraints - shifting sand (literally!)
Transparent
more opportunities to allow more light internally
Tenacious
driven by the Mid-Western work ethic
Creative
willingness to build solutions rather than empires The Marquette Building
Image via the MacArthur Foundation

32. © 2017
@CohesiveNet
roll your own NIST Manual
32
INTRODUCTION
RISK MANAGEMENT STRATEGY STATEMENT
Risk Management Process
Integrated Risk Management Program
External Participation
SCOPE OF RISK MANAGEMENT PROGRAM
Asset, Change, and Configuration Management
Cybersecurity Program Management
Supply Chain and External Dependencies
Management
Identity and Access Management
Event and Incident Response, Continuity of
Operations
Information Sharing and Communications
Risk Management
Situational Awareness
Threat and Vulnerability Management
Workforce Management
INFRASTRUCTURE UPGRADE PRIORITIES
Current CyberSecurity Profile
Target Profile
Technology Debt
CYBERSECURITY ROADMAP & MILESTONES
Appendix 1:
REGISTRY OF PRIMARY CYBERSECURITY RISKS
Appendix 2:
REGISTRY OF STAKEHOLDERS AND USERS
Etc.
Cybersecurity Risk Management & Network Operations Center Manual

33. © 2017
@CohesiveNet
conduct app-specific self-evaluations
33
Self evaluations available -
Just go download a template!

34. © 2017
@CohesiveNet
1. Integrate Enterprise and Cybersecurity Risk Management
2. Manage Cybersecurity Requirements
3. Integrate and Align Cybersecurity and Acquisition Processes
4. Evaluate Organizational Cybersecurity
5. Manage the Cybersecurity Program
6. Maintain a Comprehensive Understanding of Cybersecurity
Risk
7. Report Cybersecurity Risks
8. Inform the Tailoring Process
further reading: DRAFT NISTIR 8170 - Implementation
Guidance for Federal Agencies
34
Public comment period: May 12, 2017 through June 30, 2017

35. © 2017
LocusView use case
35

36. © 2017
@CohesiveNet
LocusView
• Natural gas SaaS provider
• Chicago-based
• Customers build critical infrastructure
case study: LocusView
36
Challenge
An increasing stream of requests for
documentation, certifications, and
penetration test results
LocusView’s LocusMay product for
tracking and traceability

37. © 2017
@CohesiveNet
case study: LocusView
37
Solution
Used NIST Framework to map the
compliance areas that matter most to
their organization and clients
Used VNS3 to securely route traffic
between customer networks and AWS-
based resources
customer network
Public Cloud
Overlay Network
IPsec Tunnel
Firewall / IPsec
Cloud Server
AWS ELB
VNS3 Controller
public internet
user traffic

38. © 2017
@CohesiveNet
case study: LocusView
38
Outcome
• Updated risk-management approach
• Built roadmap for repeatable reports
• Passed initial audits and first of many
penetration tests
“We wanted to look at a bigger picture than just
natural gas and current regulations.”
Tim Hopper - GIS Professional LocusView
Adjust
Monitor
Audit

39. © 2017
Conclusions
39
• Standards are still relevant — Map from standards, not to
• Shift from audit-heavy compliance to risk-based prevention
• Prioritize current compliance over post-mortem disaster
recovery
• Holistic security for each business unit
• NIST Framework can make everyone’s jobs less
complicated

40. © 2017
Questions?
40

41. © 2017
@CohesiveNet
VNS3 cloud network solution
41
Software-only virtual appliance deployed to any cloud
firewall vpn concentrator
protocol
distributor
extensible nfv
VNS3 Core NetworkComponents
router switch
Increased mobility/agility and control over end to end
encryption, IP addressing, and network topology

42. © 2017
@CohesiveNet
VNS3 extends network functions
42
firewall vpn concentrator
protocol
distributor
extensible nfv
VNS3CoreComponents
router switch
waf content caching nids proxy load balancing custom
L4-L7 Plugin System

43. © 2017
Cloud overlay networking diagram
43
Active IPsec Tunnel
VNS3 Controller 1 VNS3 Controller 2 VNS3 Controller 3
VNS3 Overlay Network - 172.31.1.0/24
Peered Peered
Overlay IP: 172.31.1.1
Cloud Server A
Overlay IP: 172.31.1.2
Cloud Server B
Overlay IP: 172.31.1.3
Cloud Server C
Overlay IP: 172.31.1.4
Primary DB
Overlay IP: 172.31.1.5
Backup DB
us-west-2 north europe
Data Center 2
London
Data Center 1
Seattle, WA
Failover IPsec Tunnel
vpc 1 vlan 2 vpc 3
VNS3:ha 1
central us

44. © 2017 44
• Business applications are a
collection of servers
• Traffic needs to only flow in
permitted directions, from
permitted locations
• No server should communicate
with any other server without
going through a secure and
encrypted switch
• Apply application-centric security
rules
Is the right traffic going to/from your
cloud servers?
Challenges:
Security: Application
Segmentation
Issue: VNS3 Controller
web
app
db
mq
Overlay Network
logical subnet

45. © 2017 45
• Delivering your SaaS in multiple
regions, on multiple clouds.
• Attesting to data in motion
encryption in a public cloud
environment
• Monitoring and management
Extend the reach of your application
via region or cloud federation
Challenges:
Connectivity:
Cloud Federation Public Cloud
West Europe
IPsec Tunnel
VNS3 Controller
Issue:
Customer A
Firewall / IPsec
Customer C
Site 1 - US
ISV NOCCustomer B Customer C
Site 2 - EU
Public Cloud
East US
VNS3:ms
Customer A
Overlay
Network
Customer B
Overlay
Network
ISV
Overlay
Network
Customer C
Overlay
Network
Peered