Professional Documents
Culture Documents
A Toolkit for
CISOs
Table of Contents
03 Introduction
14 Conclusion
• We understand risk in the context of our unique • We have confidence that our security investment is
business and its objectives. appropriate to both known and anticipated risk.
• We have confidence that risk is being managed • We have a high degree of confidence that we are
crisis-ready.
effectively and that there is a process in place to
continually test those assumptions.
In 1975, 17% of S&P 500 firms’ market value was tied to intangible assets.
Source: Intangible Asset Market Value Study (2017), Ocean Tomo, LLC
This is not a simple task. Even CISOs with a To avoid making conversations with your board feel
well-established board reporting relationship must adapt more like an inquisition than a briefing, be proactive in
their tactics as board members grapple with new and your approach and pre-align your primary talking points
unfamiliar risk issues, such as global data protection with the board’s priorities. Board members are conditioned
regulations or digital transformation. to test assumptions. Careful preparation to ensure you
understand the board’s expectations before you walk
It’s difficult for board members, too. The linkages between into the room is key.
cybersecurity risk and business risk aren’t always intuitive
to business leaders who don’t have an IT or security As challenging as it can be to establish the right reporting
background. Your boardroom audience has very little insight framework with your board, there are rewards. When
into the complexity of your operations or the persistence you present to the board and executive team, you have
of your cyber adversaries. It’s up to you to share enough an opportunity to educate, align priorities, and ask for
information to ensure they are confident the risks are leadership support in the areas where you need it most,
well-managed, without overloading them with details. such as holding other functional areas accountable or
Legal, risk, and security advisors encourage board gaining a seat at the table in strategy initiatives.
members to focus on the big picture issues, such as
those shown in Figure 1.
01 02 03 04
Governance & Responsibility & Awareness & Goal Setting &
Leadership Accountability Communication Board Reporting
05 06 07 08
Cyber Risk Legal & Security Tools & Incident Preparation
Management Compliance Operations & Management
Figure 1: Eight Areas of Board Oversight for Cybersecurity Risk (Source: Board Cyber Risk Oversight Framework, Secureworks)
Do Your Research Some CISOs have found it useful to find a sponsor among
the executive team, often the CFO or General Counsel, who
Understanding perspectives and motivations in the
is willing to share information about the company’s strategic
boardroom is a good way to establish trust and gain
goals and facilitate an introduction to board members.
confidence. Research the backgrounds of your board
members to determine what they bring to the table. Are they If possible, engage with the chair of the board committee
former CEOs or CFOs? Have they led corporate mergers or with primary responsibility for cybersecurity risk, whether
digital transformations previously? Each one brings a unique that be the Audit or Risk committee, or a special committee
leadership perspective to the table that may predispose dedicated to IT, information security, or data protection.
them to interpret your reports and proposals differently than Discuss the top potential business impacts and risks that
you expect. What’s more, directors often serve on more can win consensus with the broader board as the focus for
than one board, particularly in public companies, and may your agenda. Ask them what they want to hear more about.
bring expectations about cybersecurity shaped by their Remember: from their perspective, cybersecurity is a means
experience with those other businesses. A little homework to a business outcome.
will tell you if one of your board members has been through
the trial of a public breach.
Make It Personal
An Opportunity to
No matter how much research you do, meeting
Improve Receptivity
directors for the first time in a formal presentation is not
ideal. It’s helpful to have a few well-placed advocates According to the Marsh-Microsoft Global
for cybersecurity before wading in. Forming individual Cyber Risk Perception Survey, February 2018:
relationships with select members of the board and
53% of Chief Information Security Officers
executive leadership team ahead of time is even better. Start
said they provide reports to board members
by identifying those with the strongest interest in the subject
on cyber investment initiatives. Yet only 18% of
matter. Discuss the organization’s strategic initiatives and
directors said they receive such information.
gain an understanding of what keeps them up a night.
• Insights their vendors bring from working across Once you’ve laid foundational relationships with directors
thousands of clients and established common language, you can build
confidence and trust with practical reporting.
• Insights gained from other security leaders who share
their lessons learned and best practices
Tactical plans that tell how Strategic plans that demonstrate why security
security works is a means to a business outcome
Avoid the Tactical Components Breaches have an obvious link to business impact, causing
of Your Program many board members to focus only on crisis readiness
and response plans. When tackling the difficult task of
Useful board reports address business risk, not demonstrating how the rest of your program is connected
cybersecurity risk. Your message should be practical and not to business outcomes, it may be helpful to highlight
overly-dependent on all the details of your day-to-day battle cybersecurity’s role in organizational resilience. For example:
against the adversaries. Boards expect that the organization’s
security program has put the appropriate IT support, controls, • What IT systems will have the most impact on business
and processes in place to prevent what it can, detect what it availability if they experience an outage due to
can’t prevent, and respond quickly to mitigate risk. They don’t cybersecurity breach or remediation? By addressing the
need to know how cybersecurity works, nor do they need risk of losing business availability, you have an opportunity to
to learn your whole security dashboard. What they do need discuss where to prioritize resources and enforce security
to know to exercise their fiduciary duties with confidence policies.
is that the risk is being managed. That means they care
deeply about the impact a breach could have on innovation, • Of all the products we deploy, which would have the
productivity, revenue, reputation, and shareholder value. most impact on revenue or reputation if it put consumer
safety at risk and had to be pulled? Help boards imagine
Use a Revenue and how threat actors could use the company’s unique
vulnerabilities to harm customers, partners, or consumers,
Margin Lens and then describe what protections are necessary to
For cybersecurity, proving a return on investment (ROI) mitigate those risks.
can be a mythical goal. While some security initiatives
will improve efficiencies and squeeze more value out of • Where is the workflow of mission-critical intellectual
existing investments, it is difficult to measure a return on risk property that could weaken our competitive position
prevention. This underscores the importance of delivering if it were stolen or made public? Is that system behind a
your cybersecurity risk report in terms of business outcomes firewall or in the cloud? Who has access to the information
that impact current or future revenue and margin. and on what devices? Discussing the flow and storage of
digital assets will lead to a conversation about administrative
Business Impact
Clearly articulating the alignment between cybersecurity
practices and business outcomes will help manage budget
expectations and avoid misaligned priorities.
• Have we tested those assumptions with • How are we staying current on the
independent third parties? threat landscape?
• Do we have adequate data governance policies and • How does our program align with
controls to protect critical assets? industry standards, those of our peers,
and regulatory requirements?
• How do we manage risk from our third parties
and suppliers, including Cloud and critical • Is our organization cyber-focused and culturally
business suppliers? cyber-conscious?
• Are we able to rapidly contain damages and • Are we focused on, and investing in, the
mobilize response resources when a cyber right things from a people, process, and
incident occurs? technology perspective?
Reporting Tip
01
Board Members
Suffer from Slide
Fatigue
03
Dashboards
Are a Supporting
Prop, Not the
Presentation
Annual Report
A useful board report tells
This is your chance to roll up the year’s prior presentations to demonstrate the strategic a story about how well risk
value of the investments made to date—and present future concerns that may warrant is being managed at the
budget adjustments. Aligning progress with the agreed-upon roadmap will help make the business level. Within that
case for renewed support from the board. report, your dashboard plays
a supporting role, while the
• Always start with your “ask.” What do • For public companies, this may also
narrative you use to explain
you want from the board or what do you be a time to prepare annual business
the risk is essential.
want them to agree to? risk disclosures. Be prepared to review
incident and breach impact metrics.
• Provide a narrative about progress Within the dashboard,
against desired outcomes: business • Illustrate how improved security has key metrics should be
execution, security controls, and risk reduced business risks or helped achieve replicable—appearing
position. Keep it high level. goals such as digital transformation. consistently in each report
over time—to help board
• Leverage a rollup of your quarterly • Paint a picture for what’s next given
members assess risk
metrics to provide risk and vulnerability emerging known threats.
trends, as well as the current state of
trends over time.
• Clarify your action plan and reiterate
risk exposure.
your asks for resources or support.
GERMANY
Asia Pacific
Main Airport Center,
AUSTRALIA Unterschweinstiege 10
Building 3, 14 Aquatic Drive 60549 Frankfurt am Main
Frenchs Forest, Sydney NSW 069/9792-0
Australia 2086 secureworks.de
1800 737 817
secureworks.com.au NETHERLANDS
Transformatorweg 38-72, 1014
JAPAN AK Amsterdam,
Solid Square East Tower 20F +31 20 674 5500
580 Horikawa-cho, Saiwai-ku
Kawasaki, 212-8589 UNITED KINGDOM
81-(44)556-4300 UK House, 180 Oxford St
secureworks.jp London W1D 1NN
+44(0)203 907 6280
secureworks.co.uk
1 Tanfield
Canonmills
Edinburgh EH3 5DA
United Kingdom
+44(0)131 260 3040
secureworks.co.uk
Appendix
Sample Board
Reporting
Dashboards
Threat Landscape
Win 2000
0 Left
80% 73% 98% 81% 84% 91% 83%
Server 2000
93% 0% 59% 91% 66% 2 Left
3% 84%
Gauge Legend
Good (85%-100%) Warning (65%-84%) Bad (0%-64%) Unknown
***Calculations below this point are based on the entire network not just the AD/Domain. Items such as PSO Networks/Non-IS Managed Systems/Medical Systems that are plugged into the Production Network are included.
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr
Vulnerability Legend
Critical CVSS 7-10 Non-Critical CVSS 0-6.9 Total/Trend *Critical / Non-Critical Findings based on Standard ISS / 01 Time to Remediate 30 Days Critical /
90 Days Non-Critical
Dashboard
Threat Landscape LOWERED TO GUARDED Wednesday, June 29, 2017 09:00:00
CTU researchers continue to analyze the NotPetya malware. Clients should block
MeDoc accounting software updates, verify backup and restore processes, and HISTORY
Guarded Cybersecurity Index segment networks for different business functions.
Security Stack
Physical
NETWORK WORKSTATIONS SERVER CLOUD SaaS CLOUD IaaS Security
Compliance Operations
SSAE16
SSAE16
ISO (SOC2/
FFIEC 27001 GDPR HIPPA NERC/CIP PCI Audit BCP Projects RISK Strategy
Type 2)
Vulnerabilities
Critical 79 21%
High 93 7%
Medium 98 2%
Low 98 2%
Total 93 7%
900 ???
800
700
600
500
400
300
200
100
0
Feb Mar Apr May Jun July Feb Mar Apr May Jun July
SSL Certificate Expired 18 critical Microsoft CVE-2017-84?3: Windows Explorer 2571 critical
Remote Code Execution Vulnerability
SSL Certificate Supports Weak Encryption 3 critical
Microsoft CVE-2017-????: 2571 critical
World Readable and Writable 1 critical Win32k Elevation of Privilege Vulnerability
Directory on Anonymous FTS
Microsoft CVE-2017-????: 2571 critical
Birthday attacks against TLS ciphers with 97 non-critical WordPad Remote Code Execution Vulnerability
64bit block size vulnerability (Sweet32)
CIFS Account Lockout Policy 4433 non-critical
SSL Certificate - Signature Verification Failed 60 non-critical Allows Password Brute Forcing
Vulnerability
Microsoft CVE-2017-0170: Windows Performance 2639 non-critical
CMP Timestamp Request 69 non-critical Monitor Information Disclosure Vulnerability
• CTU researchers identified 15 possible breaches. Most of these unconfirmed breaches affected government organizations or containing government identification
• Most threat actor activity and interest focused on financial organizations, specifically targeting credentials. CTU researchers also identified a significant increase in activity
affecting hotels, business services and technology
• North America and the combination of Europe and Russia (Europe + Russia) were the most targeted geographical locations although CTU researchers observed an
increase in advertised data from China, Australia and South America. UK financial e-crime also continued to rise.
Reconnaissance Reconnaissance is measured via standard deviance over weeks for seen events on our network as reconnaissance
MOST RECENT CHANGE
Team 1 Team 8
Team 2 Team 9
Team 3 Team 10
Team 4 Team 11 Team 1 Team 5
Team 5 Team 12 Team 2 Team 6
Team 6 Team 13 Team 3 Team 7
Team 7 Team 4 Team 8
??
?? 10
Other 7
TEST 99
Threat Landscape Detail - Attacks
Attacks Unsuccessful events are actual threats against Secureworks that were not turned into compromises. This is measured via standard deviation over
weeks for unsuccessful events against our networks
MOST RECENT CHANGE
These events 2017-07-10 11:45:45 17.00 17 unsuccessful attack incidents created from 6/1-6/30. This is within standard deviation.
generally are http
attacks, but include
phishing, brute This graph represents the number of unsuccessful attempts to compromise secureworks divided by week for the last 4 months.
force attacks and
other events as CAT 3 Incident Trending
well.
30
25
20
15
10
5
0
Jan 2017 Feb 2017 Mar 2017 April 2017 May 2017 June 2017 July 2017
The Secureworks® Counter Threat UnitTM (CTU) research team welcomes you to the Open Sources Intelligence Update for July 10, 2017. This update
provides a brief daily highlight of CTUTM activities, major issues, and trends affecting Secureworks clients.
CTU Research
Nothing to report
The Firewall metric is determined by the deployment of firewalls on all production networks. It is determined by taking the total number of
production networks that have no firewall or allow for ?? and dividing by the total number of networks.
Firewall MOST RECENT CHANGE
App Firewall is determined by coverage of application firewalls that host internet facing services. This traditionally only applies to web
traffic today. Application firewalls in blocking get one point. Applications in read only get 5. Applications with 0 application firewall get 0.
The score is an average.
MOST RECENT CHANGE
App Firewall
Timestamp Value Comments
2017-07-?? ?? We currently have a Web Application Firewall blocking ?? of IDP secureworks.com and
secureworks.com. Redcloak, the mobile portal, T ICE have a ?? that is non blocking, but being
monitored. Cloud Guardian, ??, ??, and CTU ?? ?? source code is stored have no ??. Currently,
we’re working on deploying the ?? ?
Encryption is determined by the percentage of workstations with no errors running full disk encryption. This ?? which use AES-256 local-
ly. Checkpoint and BitLocker (Windows 10)
Full Disk MOST RECENT CHANGE
Encryption
Timestamp Value Comments
2017-07-12 12:42:32 87.00 87% of devices are utilizing Full Disk Encryption (??)
Network Access Control is determined by the percentage of workstations with a valid certificate and AnyConnect that can
connect to the corporate network.
Network MOST RECENT CHANGE
Access
Control Timestamp Value Comments
2017-07-12 12:49:01 100.00 100% of devices are part of the domain and configured as part of GPO with network control
access. This is ensured by the ability to join our network.
Forensics is calculated by a percentage of workstations that have EnCase installed. EnCase is the tool we use to perform data forensic investigations.
MOST RECENT CHANGE
Forensics
Timestamp Value Comments
2017-07-10 15:10:15 0.00 Working with IT on deployment, CSO is building an encase install package that ProdOps can test deploy-
ment on sample machines.
File Integrity Monitoring is a host intrusion detection system that watches for unauthorized file changes indicating a potential compromise.
File Integrity MOST RECENT CHANGE
Monitoring
Timestamp Value Comments
2017-07-10 15:10:36 75.00 ?? software deployed and configured, monitoring process/procedures currently in development. We’re
having regular meetings where we ?? and respond to events.
Adaptive Planning is a budgeting and planning tool. Calculation is a metric determined by the vetting done by Security Architecture and Vendor Risk Manage-
ment as well as the number of exceptions to standards.
MOST RECENT CHANGE
Planning
Timestamp Value Comments
2017-05-02 20:24:28 0.00 This legacy service from Dell has not been reviewed by CSO and therefore gets a default total score of ??
Box is a hosted application that is used to store files and documents in a secure manner for collaboration. Calculation is a metric
determined by the vetting done by Security Architecture and Vendor Risk Management as well as the number of exceptions to standards.
Box com MOST RECENT CHANGE
Concur is a Dell hosted application used by SCWX for travel and expense related activities. Calculation is a metric determined by the vetting done
by Security Architecture and Vendor Risk Management as well as the number of exceptions to standards.
Concur
MOST RECENT CHANGE
Whitelisting is determined by the percentage of security groups per device that allow all connectivity inbound or outbound.
Whitelisting
MOST RECENT CHANGE
All doors in SCWX controlled spaces that have the specific purpose of controlling access and reporting anomalies to our monitoring system.
This excludes Dell Controlled and Monitored points of entry. There are 195 SCWX doors globally. To be considered fully operational, the door must:
Only open when prompted by associated badge reader
Close without assistance from person accessing it.
Doors Alarm ?? when forced open, or held open beyond its alloted time.
All cameras in SCWX controlled spaces that have the specific purpose recording activity in the vicinity of key areas. SCWX cameras are UNMOUNTED and
therefore only usable for investigative purposes after an incident has occurred. This excludes Dell Controlled and Monitored cameras. While we do have the
ability to petition Dell for a summary of activity from a given camera and time window, we do not currently possess the agreements to receive raw footage
for investigative purposes. There are 148 SCWX cameras. To be considered fully operational, the camera must:
Cameras Possess a recording resolution of 1280x720
Perimeter, SOC, IT Storage, and Data Center Cameras will record full time motion video.
All other cameras will be prompted by motion sensor.
BCP BCP - Readiness of Business Continuity Plan testing and ??? analysis.