GTRI Cybersecurity Framework, Slides of Computer Networks

Uploaded on 05/11/2023

Developing a Framework to Improve Critical Infrastructure Cybersecurity

National Institute of Standards and Technology (NIST) Request for Information
Docket Number 130208119-3119-01
Document Number 2013-04413

Submitted by:
Thomas Dunn
Cyber Technology and Information Security Laboratory
Georgia Tech Research Institute
250 Fourteenth St.
Atlanta GA 30318

Georgia Tech Research Institute Cybersecurity Framework

The Georgia Tech Research Institute (GTRI) is the Georgia Institute of Technology’s applied research institution. Established in 1934, GTRI pursues a strategically focused and synergistic model of research, innovation and education that is continually enhanced and applied to solve the problems of a complex world. GTRI’s strengths are based on: world-class subject matter experts in systems engineering, sensors, and information and telecommunications technology; a unique laboratory infrastructure; and collaboration with Georgia Tech’s academic colleges as well as access to the vast intellectual resources of one of America’s premier research universities.

GTRI plays a “white-hat” role between industry and government, performing cutting-edge work to help secure the entities that make up the national critical infrastructure. We research the backbone on which our nation’s critical infrastructures depend. GTRI has developed a cybersecurity framework that is both minimally disruptive and cost-effective. As the framework has evolved, we have identified key practices for securing critical infrastructure computer networks. The GTRI framework focuses on three interrelated core practices:

  • Preventing, Detecting and Responding to Cyber Weaknesses
  • Threat Intelligence
  • Continuous Testing

Preventing, Detecting and Responding to Cyber Weaknesses

GTRI operates an Information Security Operations Center (ISOC) that is the key player in every cyber incident response. It detects anomalies, categorizes incidents by their impact on the GTRI environment, and informs the appropriate response leads for remediation. Part of our incident response framework is learning from each incident: determining what went well and what we should change to prevent a recurrence.

The core of the ISOC is an event correlation engine that consolidates all of our security, authentication and network traffic logs regardless of data source. These logs serve both detection and later forensics. GTRI has researched standards to guide which logs to correlate and which devices to log in full. The engine lets ISOC staff search for any indicator of a cyber incident, such as a source IP address or a DNS name, regardless of whether it was logged by a firewall, an IDS or an antivirus suite. A correlation engine of this kind is the critical first step in cybersecurity response; an organization responsible for critical infrastructure cannot respond effectively to an incident without one.
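The cross-sensor search described above, as an added example that is not part of GTRI’s submission and not its correlation engine: three constructed record formats (an iptables-style syslog line from a firewall, a Snort-style fast alert from an IDS, and a CSV export from an antivirus console) are normalized into one event schema with a common timestamp, so that a single indicator such as an IP address or DNS name can be searched across all of them in time order. The log lines, addresses and host names are constructed for the example, and the year 2013 is assumed for the syslog and IDS timestamps, which carry none.

```python
"""Normalize firewall, IDS and antivirus records into one event schema and
search them by indicator.  Added illustration, not GTRI's correlation engine;
the three log formats and every record below are constructed for this example."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Constructed sample records. Addresses are from documentation ranges, not real hosts.
FIREWALL_LOG = """\
Feb 26 10:14:58 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=4444 DPT=51234
Feb 26 10:15:02 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.12 PROTO=TCP SPT=53211 DPT=443
"""
IDS_LOG = """\
02/26-10:15:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 203.0.113.5:4444 -> 10.0.0.7:51234
"""
AV_LOG = """\
time,host,threat,remote
2013-02-26T10:15:07,ws-0042,Trojan.Downloader,evil.example.net
"""


@dataclass(frozen=True)
class Event:
    source: str              # sensor that produced the record
    ts: datetime             # normalized timestamp so sources can be interleaved
    src_ip: Optional[str]
    dst_ip: Optional[str]
    hostname: Optional[str]  # remote DNS name, where the sensor records one
    summary: str

    def indicators(self) -> set[str]:
        """Every IP or DNS name on this event, lower-cased for matching."""
        return {v.lower() for v in (self.src_ip, self.dst_ip, self.hostname) if v}


FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+)")
IDS_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\]"
    r".*?(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")


def parse_firewall(text: str, year: int) -> Iterable[Event]:
    # Syslog timestamps carry no year; the caller supplies it (assumed 2013 below).
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield Event("firewall", ts, m["src"], m["dst"], None, f"traffic to dst port {m['dpt']}")


def parse_ids(text: str, year: int) -> Iterable[Event]:
    # Snort-style fast alerts also omit the year.
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %m/%d-%H:%M:%S")
            yield Event("ids", ts, m["src"], m["dst"], None, m["msg"])


def parse_antivirus(text: str) -> Iterable[Event]:
    for row in csv.DictReader(io.StringIO(text)):
        yield Event("antivirus", datetime.fromisoformat(row["time"]), None, None,
                    row["remote"], f"{row['threat']} on {row['host']}")


def load_all(year: int = 2013) -> list[Event]:
    """Consolidate all three sources into one time-ordered event list."""
    events = [*parse_firewall(FIREWALL_LOG, year), *parse_ids(IDS_LOG, year),
              *parse_antivirus(AV_LOG)]
    return sorted(events, key=lambda e: e.ts)


def correlate(events: Iterable[Event], indicator: str) -> list[Event]:
    """All events from any sensor that mention the IP or DNS name, in time order."""
    key = indicator.lower()
    return sorted((e for e in events if key in e.indicators()), key=lambda e: e.ts)


def related_indicators(events: Iterable[Event], indicator: str) -> set[str]:
    """Pivot: other IPs or names seen on the same events, to feed the next search."""
    key = indicator.lower()
    return {i for e in correlate(events, key) for i in e.indicators()} - {key}


if __name__ == "__main__":
    evts = load_all()
    for e in correlate(evts, "203.0.113.5"):
        print(e.ts.isoformat(), e.source, e.summary)
    print("pivot to:", related_indicators(evts, "203.0.113.5"))
```

The search on 203.0.113.5 returns the firewall record and the IDS alert as one ordered timeline, and the pivot yields the internal host 10.0.0.7 for the next query; the antivirus record is reachable by its DNS name regardless of case. Normalizing the timestamp at ingest is what makes the interleaving trustworthy; in practice the parsers would also have to carry sensor time-zone and clock-offset corrections.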

It is imperative to know exactly what goes into and out of critical infrastructure communication networks. We have integrated a full network forensics capability with our correlation engine, providing the infrastructure for full-packet capture at critical nodes of an organization’s network. The organization’s needs and risk profile determine how long to retain both security logs and network forensics data.

important aspect is developing an extremely focused, targeted report as relevant to leadership as possible, such as a “top-ten list.” Doing it right isn’t about volume. Our goal is to achieve security buy-in; we want leadership to request penetration testing support as much as the system owners.

Everything we do in penetration testing is about relationship building. We strengthen security by establishing a trust partnership; we do not want the person responsible for a targeted system to feel that we are “out to get them.” We want system owners to want our support as much as leadership does, rather than seeing our penetration testers as a hindrance.

Unless specifically requested, we conduct tests non-destructively: no Denial of Service, dangerous exploits or destructive scans. We test from both inside and outside our networks. Public IP space carries higher criticality and time sensitivity because it exposes systems to actors and systems outside GTRI’s control. We have learned to emphasize not only classic remote-access vulnerabilities that compromise confidentiality, integrity or availability, but also unintentional information disclosure, which lets adversaries build an accurate profile of their target. Continuous monitoring of private IP space is just as important for thwarting insider threats, though it may be less time sensitive.

Conclusions

GTRI’s core practices are broadly applicable across sectors and should be widely adopted throughout critical infrastructure and industry. We also draw the following conclusions from our experience with the framework:

  1. The GTRI framework is cost-effective – we focus on incrementally cleaning house rather than on wholesale infrastructure replacement. Organizations without the expertise to build their own security research lab can join communities that provide actionable threat intelligence.
  2. Relationship building – everything we do is geared towards building a trust partnership.
  3. Sharing is key – this includes understanding your duty to share information.
  4. Hire experienced personnel rather than just buying expensive tools – buying a device will not make you secure without skilled personnel who understand what the device is telling you. Every system must be tuned to find actual threats.
  5. Apply defense in depth within the network, not just at the perimeter – control what an adversary can do once they are on your network. Organizations must be able to continue business (by creating isolated enclaves, for example) even while adversaries are present. You will not be able to eradicate a threat without knowing exactly what got into your network and what goes out of it.