
The Updated Cyber Rosetta Stone

The Collective Risk Project

Presented by Kelli Tarala
Principal Consultant, Enclave Security
© 2021

2 Translation

“Translation is not a matter of words only; it is a matter of making intelligible the whole culture.”
– Anthony Burgess

The Updated Cyber Rosetta Stone © Enclave Security 2021


3 The Rosetta Stone

Chris 73 / Wikimedia Commons, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=19669

Bibi Saint-Pol - Own work Public Domain, https://commons.wikimedia.org/w/index.php?curid=1904789.

4 We Needed a Cyber Rosetta Stone

• Rather than every organization attempting to do this on their own, why can’t the community come together to fix this problem and make things better?
• As a community of cybersecurity professionals, we solved this problem.
• Collective Risk Project translates frameworks into building blocks.


5 Cyber Security & Privacy Frameworks
• NIST 800-53
• ISO/IEC Standards
• CMMC
• HIPAA
• NIST Cyber Security Framework
• CIS Controls
• NIST Privacy Framework
• Various State Laws
• Australian Signals Directorate (ASD) Top 35
• NERC CIP
• PCI
• NYCRR 500
• NIST 800-82
• COBIT
• CCPA
• ISA/IEC 62443


6 Cyber Security & Privacy Frameworks and Standards

• Too many standards
• Time consuming to understand
• Vague controls
• Overlapping controls
• Missing controls


7 AuditScripts Collective Risk Project

• Collective Risk Model
• Collective Threat Model
• Collective Controls Catalog
• Metrics & Measures


8 Project Contributors
• There have been numerous contributors to this project over the last few years
• Some of the key contributors to this project include representatives from:
– The SANS Institute
– The Institute of Applied Network Security (IANS)
– Enclave Security / AuditScripts
– Black Hills Information Security (BHIS)
– Individuals from a diverse set of international organizations (public and private)


9 Collective Risk Model (CRM)
• Most cybersecurity professionals agree that risk management should be the foundation of all cybersecurity activities.
• But the reality is that most risk management frameworks are vague and academic in nature, leaving it to each organization to determine what to do.
• The result is that almost no organization is doing risk management well; some are doing just pieces of the puzzle at best.
• The cybersecurity profession needs a clear, collaborative framework for managing risk that does not require each organization to reinvent the wheel.

10 Collective Risk Model


11 Collective Threat Model
• Formerly known as the Open Threat Taxonomy
• Hundreds of organizations have contributed
• One of the latest efforts is the release of a community threat model, which will be used to document and prioritize threats
• The CTM will be used to define the threats that, in turn, define the controls
• Will help standardize risk assessments and remove one paperwork step for organizations to complete


12 Popular Threat Inventories
• Today, there are a limited number of threat inventories that can be used as a starting point for this exercise
• Some of the most widely used models include:
– ENISA’s Threat Taxonomy
– MITRE’s ATT&CK Framework
– OWASP Top Ten
– Collective Threat Model


13 Mapping Threats to Controls

• Once an organization has a threat inventory and a control inventory, they must be mapped against each other to define which controls could defend against which threat
• This can be a difficult task, as often many controls could potentially stop one threat, or a control may only partially address a particular threat
• Few threat-to-control mappings exist, thus this step is almost universally skipped by most organizations
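As an added example (not the deck's or the project's own tooling), the script below models the many-to-many, partially-covering threat-to-control mapping described on this slide, applies per-control implementation scores of the kind an Excel scoring tool records, and reports which threats stay uncovered. All threat names, control names, coverage weights and scores are constructed for illustration.

```python
"""Threat-to-control mapping with partial coverage and implementation scores.
Added example; every name and number below is constructed, not project data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    threat: str
    control: str
    coverage: float  # 1.0 = control fully addresses the threat, 0.5 = partial


# Constructed threat inventory and control inventory.
THREATS = ["credential phishing", "exploitation of unpatched service",
           "ransomware on endpoints", "insider data exfiltration"]
CONTROLS = ["multi-factor authentication", "patch management",
            "security awareness training", "endpoint backup and recovery"]

# Constructed many-to-many mapping: several controls can stop one threat,
# and a control may only partially address a threat.
MAPPINGS = [
    Mapping("credential phishing", "multi-factor authentication", 1.0),
    Mapping("credential phishing", "security awareness training", 0.5),
    Mapping("exploitation of unpatched service", "patch management", 1.0),
    Mapping("ransomware on endpoints", "patch management", 0.5),
    Mapping("ransomware on endpoints", "endpoint backup and recovery", 0.5),
]

# Constructed assessment result: fraction of each control actually implemented.
IMPLEMENTATION = {"multi-factor authentication": 1.0, "patch management": 0.5,
                  "security awareness training": 0.0,
                  "endpoint backup and recovery": 1.0}


def threat_coverage(threat, mappings=MAPPINGS, impl=IMPLEMENTATION):
    """Treat mapped controls as layered defenses: each removes
    coverage * implementation of the exposure left by the previous ones."""
    residual = 1.0
    for m in mappings:
        if m.threat == threat:
            residual *= 1.0 - m.coverage * impl.get(m.control, 0.0)
    return round(1.0 - residual, 3)


def coverage_report(threats=THREATS, mappings=MAPPINGS, impl=IMPLEMENTATION):
    """Return {threat: effective coverage}; a threat with no mapping scores 0.0."""
    return {t: threat_coverage(t, mappings, impl) for t in threats}


def unmapped_threats(threats=THREATS, mappings=MAPPINGS):
    """Threats that no control in the inventory addresses: the missing-control gap."""
    mapped = {m.threat for m in mappings}
    return [t for t in threats if t not in mapped]
```

Threats with partial scores are where the mapping step pays off: they surface controls that are mapped but weakly implemented, distinct from threats that have no mapped control at all.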


14 Collective Control Catalog (CCC)
– Developed by the same consortium of security practitioners that developed the CRM and CTM.
– Open source research project freely available to the community.
– Started as a research project to normalize and compare existing cybersecurity standards and regulations.


15 Understanding the Collective Control Catalog
• Presently aggregates and analyzes control libraries from 35+ standards.
• Normalizes roughly 2000 control statements to about 400 statements.
• Categorizes, tags, and prioritizes control statements to facilitate project planning and implementation efforts.


16 Control Categories and Control Systems

17 Collective Security Control Catalog: Coverage

18 Example Framework compared to CCC

19 Collective Security Control Catalog: Normalizing and Mapping

20 Collective Control Catalog: Prioritization and Tagging

21 AuditScripts CCC Assessment Tool
• Security control-centric approach to risk assessment.
• Tool is maintained by Enclave Security and AuditScripts.com.
• Organization is assessed based on their successful implementation of specific security controls.
• Output is a dashboard/maturity score based on successful control implementation.


22 CCC Assessment Tool
• Microsoft Excel is still the most popular management tool available to cybersecurity practitioners.
• Sometimes it is better not to be complicated.
• The tool to the right is an example of using Microsoft Excel to score control implementation.
• In this case, using the free AuditScripts.com tool to measure against the Collective Controls Catalog.


23 AuditScripts Collective Risk Project
• Risk Model
• Collective Threat Model
• Collective Controls Catalog
• Metrics & Measures

24 No Redundancy

25 Future of the Project
• The goal is to continue to develop this framework, with collective community support
• At least annually, a new version of this framework, with supporting resources, will be released to the community for their consideration
• Ideally each year, more and more cybersecurity professionals will donate their time to refining and explaining this approach
• Ideally each year, more and more resources and templates will be available to make it easier for organizations to process the body of knowledge


26 Next Steps - Call for Action

• Learning from presentations such as this is wonderful, but action is better:
– Risk?
– What control libraries does your organization use?
– Has your organization formally agreed on a common set of cybersecurity controls?
– Has your organization been assessed against a common set of cybersecurity controls to better understand their present state?
– Has your organization defined a plan to address the most critical cybersecurity control gaps that were identified in the assessment?


27 Resources and Contact Information

KELLI TARALA
Principal Consultant at Enclave Security
Kelli.Tarala@EnclaveSecurity.com
@KelliTarala

RESOURCES FOR FURTHER STUDY:
• AuditScripts.com Collective Risk Project Resources
• Auditscripts.com Master Mapping Spreadsheets
• SANS MGT415: A Practical Introduction to Cyber Security Risk Management
