This document summarizes an expert webcast on the Critical Security Controls and the StealthWatch system. John Pescatore of SANS discussed the Critical Security Controls and how they help prioritize security efforts. Charles Herring of Lancope then discussed how the StealthWatch system provides network visibility through NetFlow monitoring and how that visibility maps onto several of the Critical Security Controls: boundary defense, monitoring and analysis of audit data, incident response, and secure network engineering. The webcast concluded with a question and answer session.
Ask the Expert: Critical Security Controls and StealthWatch
1. Ask the Expert Webcast: The
Critical Security Controls and the
StealthWatch System
John Pescatore, Director, SANS
Charles Herring, Lancope
2. Obligatory Agenda Slide
• Housekeeping info
• Here’s what we will do
– 1:05 – 1:20 The Critical Security Controls – John Pescatore, SANS
– 1:20 – 1:45 StealthWatch – Charles Herring, Lancope
– 1:45 – 2:00 Q&A
3. Bios
John Pescatore joined SANS in January 2013 with 35 years of experience in computer, network and information security. He was Gartner’s lead security analyst for 13 years. Prior to joining Gartner Inc. in 1999, he was Senior Consultant for Entrust Technologies and Trusted Information Systems. Before that, John spent 11 years with GTE developing secure computing and telecommunications systems.
Mr. Pescatore began his career at the National Security Agency and the United States Secret Service. He holds a Bachelor's degree in Electrical Engineering from the University of Connecticut and is an NSA Certified Cryptologic Engineer.
4. Bios
Charles Herring is Senior Systems Engineer at Lancope and a longtime StealthWatch user. While on active duty in the US Navy, Charles leveraged StealthWatch in his role as Lead Network Security Analyst for the Naval Postgraduate School. He was tasked with staffing and training Network Security Group personnel, building the security architecture and developing incident response procedures.
After leaving the Navy, he spent six years consulting with the Federal government, disaster relief organizations and enterprises on network security, communication and process improvement.
5. Focus on protecting the mission first
Effectively and efficiently and quickly
Advanced targeted attacks are happening now
Compliance must follow security
Break the Breach Chain
7. Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
8. Benefits: Risk Reduction and Visibility
Survey question: Where have the Controls you implemented made the most improvement and/or helped you close your gaps? (Check all that apply.)
Response categories shown on the bar chart (percentages not recoverable from the slide):
• Risk reduction/vulnerability mitigation
• Improvements to overall risk posture
• Situational awareness/gap analysis
• Compliance to mandates and regulations
• Threat mitigation
• Incident response
• Detecting advanced attacks
• Benchmarking systemic improvements
• Other
9. Critical Security Controls Update
• Now maintained by the Council On
CyberSecurity
• Version 5.0 in public review
• Updated prioritization and definitions of
subcontrols
15. SANS Critical Controls
Boundary Defense

Defense Type      L3/L4/L7 Blocking   Signature Detection   Emerging Threat Detection   Targeted Threat Detection
Firewalls         Yes                 Limited               No                          No
Signature IDS     Limited             Yes                   No                          No
Malware Sandbox   No                  No                    Yes                         Limited
StealthWatch      No                  Limited               Yes                         Yes
17. SANS Critical Controls
Monitoring & Audit

Defense Type   Detection Mechanism   Data Source
SIEM           Boolean               Syslog
StealthWatch   Algorithmic           NetFlow
18. SANS Critical Controls
Incident Response and Management

Logging Type     Data Stored
Endpoint         Hard Drive/Memory
Packet Capture   Raw PCAP
Log Collection   Syslog
StealthWatch     NetFlow
20. SANS Critical Controls
Secure Network Engineering

Monitor Type            Data Monitored
Firewall Change Control Changes in FW configuration records
Configuration Polling   SNMP
StealthWatch            NetFlow against Policy
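Slides 17, 18 and 20 all rest on the same raw material: NetFlow records exported by routers and switches, which can be stored for incident response, scored algorithmically rather than matched against Boolean rules, and compared against a segmentation policy. The following is an added example, not Lancope or StealthWatch code and not from the original deck, that parses a constructed Cisco NetFlow v5 export packet and runs both kinds of check over it. The segment addressing plan, the allow-rule policy, the per-host traffic history and the flows themselves are all assumptions made up for the example.

```python
"""Added example (not from the slides, not Lancope code): parse NetFlow v5
export packets, then check the flows against a segmentation policy and
against a per-host outbound-traffic baseline.  All data is constructed."""
import ipaddress
import statistics
import struct
from dataclasses import dataclass

# Cisco NetFlow v5 wire format: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int


def parse_netflow_v5(packet: bytes) -> list[Flow]:
    """Return the flow records carried in one NetFlow v5 export packet."""
    version, count, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version={version}")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated packet: header count exceeds body")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _inif, _outif, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, _tos, _sas, _das, _smask, _dmask,
         _pad2) = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                          sport, dport, proto, pkts, octets))
    return flows


# Assumed addressing plan and allow-list for the example network.
SEGMENTS = {
    "users": ipaddress.ip_network("10.1.0.0/16"),
    "jump": ipaddress.ip_network("10.2.0.0/24"),
    "cardholder": ipaddress.ip_network("10.9.0.0/16"),
}
# Permitted cross-segment conversations as (src segment, dst segment, dst port).
POLICY = {("jump", "cardholder", 22), ("users", "jump", 22)}


def segment_of(addr: ipaddress.IPv4Address) -> str:
    return next((n for n, net in SEGMENTS.items() if addr in net), "external")


def policy_violations(flows: list[Flow]) -> list[Flow]:
    """Flows that cross internal segments without an allow rule ("NetFlow against
    Policy"); same-segment and external traffic is left to other controls."""
    out = []
    for f in flows:
        s, d = segment_of(f.src), segment_of(f.dst)
        if s != d and "external" not in (s, d) and (s, d, f.dport) not in POLICY:
            out.append(f)
    return out


def outbound_bytes_by_host(flows: list[Flow]) -> dict:
    """Bytes each internal host sent to external addresses in this export."""
    totals = {}
    for f in flows:
        if segment_of(f.src) != "external" and segment_of(f.dst) == "external":
            totals[f.src] = totals.get(f.src, 0) + f.octets
    return totals


def baseline_deviations(totals: dict, history: dict, k: float = 3.0) -> dict:
    """Algorithmic check: hosts whose outbound volume exceeds mean + k*stdev of
    their own past intervals.  No fixed threshold, unlike a Boolean SIEM rule."""
    flagged = {}
    for host, now in totals.items():
        past = history.get(host, [])
        if len(past) < 2:
            continue
        mu, sigma = statistics.mean(past), statistics.pstdev(past)
        if now > mu + k * max(sigma, 1.0):
            flagged[host] = now
    return flagged


def _record(src, dst, sport, dport, proto, pkts, octets) -> bytes:
    """Pack one constructed v5 record (nexthop, interfaces, AS numbers zeroed)."""
    return V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                          b"\0\0\0\0", 1, 2, pkts, octets, 0, 0, sport, dport,
                          0, 0x18, proto, 0, 0, 0, 16, 16, 0)


def sample_packet() -> bytes:
    """Constructed export: one allowed jump->cardholder SSH flow, one users->
    cardholder SQL flow the policy forbids, and two uploads to an external host."""
    recs = [
        _record("10.2.0.5", "10.9.1.10", 51000, 22, 6, 40, 6000),
        _record("10.1.4.20", "10.9.1.10", 52000, 1433, 6, 300, 40000),
        _record("10.1.4.20", "203.0.113.7", 53000, 443, 6, 9000, 900_000_000),
        _record("10.1.4.21", "203.0.113.7", 53001, 443, 6, 50, 70_000),
    ]
    return V5_HEADER.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0) + b"".join(recs)


# Constructed per-host history of outbound bytes per export interval.
SAMPLE_HISTORY = {
    ipaddress.IPv4Address("10.1.4.20"): [60_000, 75_000, 80_000, 70_000, 65_000],
    ipaddress.IPv4Address("10.1.4.21"): [60_000, 72_000, 68_000],
}


def analyze(packet: bytes, history: dict) -> dict:
    flows = parse_netflow_v5(packet)
    return {
        "flows": len(flows),
        "violations": [(str(f.src), str(f.dst), f.dport) for f in policy_violations(flows)],
        "deviations": {str(h): b for h, b in
                       baseline_deviations(outbound_bytes_by_host(flows), history).items()},
    }


if __name__ == "__main__":
    print(analyze(sample_packet(), SAMPLE_HISTORY))
```

The policy check answers slide 20's question with a deterministic yes or no per flow; the baseline check answers slide 17's with a per-host statistic, which is why it needs stored history and why the same NetFlow archive also serves slide 18's incident-response role. A real deployment would key the policy on interface or VLAN rather than on address ranges alone, and would build the baseline from far more than a handful of intervals.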