Exploring the NIST Cybersecurity Framework 2.0: What You Need to Know

00:00

all right good morning everyone I am

00:02

Matt kazlowski I'm the VP of

00:04

Professional Services in cyber security

00:06

at the windso Technology Group and this

00:08

morning I am joined uh with Todd uh

00:11

senior sales engineer from Arctic Wolf

00:13

networks high at top the Winslow uh

00:16

webinar

00:17

Tower uh today we're actually gonna

00:19

cover the nist uh cyber security

00:21

framework 2.0 um so this framework has

00:24

been in the works for a bit of time it

00:26

is technically still in the uh the draft

00:28

state but it's pretty close to a a

00:30

finished product and we wanted to get

00:32

some information out um there's some

00:34

really great um updates to the framework

00:36

and um some some important information

00:38

there so Todd thank you very very much

00:40

for uh for joining us this morning um

00:43

yep yep good uh next slide there uh we

00:44

can talk about the agenda bit so we'll

00:47

just give you a brief overview of the

00:48

windso Technology Group um and our cyber

00:51

Security Solutions and and portfolio

00:53

here I'm gonna pass the uh the old mic

00:56

to uh to Todd um one of our senior sales

00:58

Engineers over at Arctic networks to

01:00

talk quite a bit about um the framework

01:02

it's going to be a pretty open uh open

01:04

discussion um if people have any

01:06

questions uh during uh the presentation

01:08

the best way to do that is drop them

01:10

right in the chat um this is a uh this

01:12

is a live presentation so um towards the

01:15

end we'll uh we'll group them all up and

01:17

uh and try to answer as many as we can

01:19

um if we're not able to we'll we'll

01:20

follow up with with y'all afterwards um

01:23

so that is that Todd you can hit the

01:25

next slide there sure um thank you um

01:29

just a a little bit about the windso

01:31

Technology Group so we are headquartered

01:33

um in walam Massachusetts right outside

01:35

of um beautiful Boston Massachusetts um

01:38

I'm actually in Connecticut right

01:39

between New York City and Boston um the

01:42

windso Technology Group has local

01:44

coverage from Maine through the

01:45

Carolinas um far out in Western

01:47

Pennsylvania and and down in uh in

01:49

Nashville too um where where we can um

01:51

have you know Regional local coverage

01:53

with with truly National reach um we

01:57

carefully vet our Partnerships like that

02:00

of Arctic Wolf to really provide um

02:02

gamechanging Solutions and Technologies

02:04

from the desktop to the data center uh

02:06

through our Professional Services cyber

02:08

security uh networking uh and cloud and

02:11

we we really try to identify unique and

02:13

and truly differentiated products and

02:15

services that provide uh effective

02:17

solutions that lead uh to um fantastic

02:21

uh outcomes for our customers uh next

02:23

slide please

02:25

St um so speaking of uh of outcomes um

02:29

on staff we at Winslow have a bench uh

02:31

of technical Engineers on our pre-sales

02:34

and postsales side that truly represent

02:36

hundreds of years uh of combined

02:38

technical experience we have four

02:40

OnStaff cissps and a truly truly

02:43

dedicated team of account Executives

02:45

that have a passion for technology and

02:47

outcomes and if there's one thing uh I'd

02:50

leave you with that characterizes the

02:51

windso Technology Group and Partnerships

02:53

with arctic wolf uh it's that customer

02:56

satisfaction and outcomes are our

02:58

measure of success like our mission

03:00

truly uh is take the passion and

03:02

expertise we have uh focus on outcomes

03:05

you know deliver on uh what you know our

03:08

customers like you need uh in the space

03:10

today and and one of those uh is you

03:12

know differentiated services with our

03:14

partner um arctic wolf so I'm really

03:16

happy to um to talk with Todd a bit

03:18

today uh about um about you know the NIS

03:21

cybercity framework 2.0 again draft

03:24

State uh we can talk quite a bit about

03:25

it and go from there you can go to the

03:27

next

03:28

slide do need to uh poke fun at uh

03:32

ourselves I guess a bit at the slide

03:34

because um if you're looking at this

03:35

you're noticing it's missing uh the

03:37

governance wheel uh we haven't had time

03:39

to uh to quite update this yet and the

03:41

framework still is I guess in a draft

03:43

state but um we'll we'll update it when

03:47

uh when we come out of draft I suppose

03:49

but a point being is at the windso

03:51

Technology Group in in Partnerships with

03:53

arctic wolf and and different services

03:55

that uh we uh deliver in including a

03:58

whole portfolio of of managed service

03:59

Services um we have a a fairly

04:02

comprehensive and complete uh portfolio

04:04

of products and services to help uh

04:06

customers of all shapes and sizes really

04:08

achieve um cyber security uh you know

04:12

security if you will uh really really

04:14

helping reduce risk and and managing uh

04:16

that risk to an acceptable level um we

04:19

can help with all aspects of the nist

04:21

1.0 or 1.1 framework which you're

04:23

looking at now um bunch of Technologies

04:26

you see layered there um and the 2.0 um

04:29

so one of the tools that uh winsel has

04:31

introduced um that you know I'm excited

04:33

for as this develop uh this framework

04:36

develops is a GRC tool so we have a

04:38

governance risk and compliance tool that

04:40

we're able to provide as a service with

04:42

Consulting and a variety of other um

04:44

riskmanagement uh components go into

04:46

that so A really exciting offering there

04:49

uh Dov Tales beautifully uh into what

04:51

Todd and I are going to speak about this

04:52

morning regarding uh the updated nist uh

04:55

cyber security framework uh Todd would

04:58

you um like to uh you know introduce

05:00

yourself and introduce arctic wolf a bit

05:02

yeah thanks Matt so Todd Mallet I'm one

05:04

of the sales Engineers or sc's here in

05:07

in the New England patch um I've been

05:09

here for around four years or so uh

05:11

previous to that kind of all over the

05:12

place uh infrastructure Centric um but

05:15

uh but been here for about four years

05:16

been a great run huge growth a lot of

05:18

that growth is due to Winslow um partner

05:21

of the year I think two or three times

05:23

something like that Matt but it's it's

05:24

been a lot one of our uh uh one of our

05:26

best Partners certainly in New England

05:27

and then actually in the United States

05:30

um so with that just very very quick

05:32

agenda um and before I get started we

05:34

encourage you guys to ask questions

05:36

we'll have a Q&A session after this um

05:38

so if you do have a question please post

05:40

it in chat and we'll try to get to as

05:42

many of them as we possibly can toward

05:44

the end of the call um but the things

05:46

that we'll be going through today are

05:47

obviously the update to n CFS uh what's

05:50

changed what's moved there's been a lot

05:53

of a lot of things that have been

05:54

augmented and and kind of tweaked within

05:57

this CFS the core construct is is still

05:59

there um but that second bullet point

06:01

the Govern function is really I think

06:04

the the newest thing and and almost

06:06

creates something of an overarching idea

06:09

around nist and and kind of plays to the

06:12

rest of the five controls that we're all

06:13

used to seeing for the last couple of

06:15

years um an enhanced emphasis on supply

06:18

chain so more and more as we you know

06:21

create kind of the global economy or uh

06:23

more vertical Integrations things like

06:25

that supply chain risks have become

06:28

something that's on Forefront of a lot

06:30

of companies mind certainly that I talk

06:31

to um and that you know directly relates

06:33

to miss but also if you've heard of or

06:35

are privy to cmmc um there's a lot of

06:38

controls specific to your vendors and

06:41

and also those that you're selling to if

06:43

they have any access to systems within

06:45

your environment even if they're uh you

06:47

know dedicated systems they still need

06:49

to have um some some level of security

06:52

so so you yourself as a company entity

06:55

are protected uh throughout your supply

06:56

chain engagements we'll talk a little

06:58

about the timeline line for roll out as

07:00

Matt has mentioned this is still in

07:02

draft state so what we're talking about

07:04

today is a little bit preemptive some

07:07

stuff could change but it's very very

07:09

late stage um this has been a long

07:11

process to create n 2.0 uh the questions

07:14

if you will or suggestions were due uh

07:18

116 November 6th of this year so the

07:20

question and answer portion is closed so

07:22

we should see something finalized in the

07:24

next couple of months and then we'll

07:26

kind of wrap it up with how to get

07:27

started um wisel has some offerings uh

07:29

that can certainly help you guys through

07:31

a nist assessment which Matt will talk a

07:32

lot more about as we get through the

07:33

deck um but that's kind of how we'll end

07:35

it you know what are what are the call

07:36

the actions what can you do to get

07:37

prepared for for 2.0 um if you're

07:40

already on 1.0 certainly a lesser lift

07:43

if you're just starting to look into n

07:44

compliance um as a framework that your

07:46

company wants to try to adhere to um

07:48

this will give you a great starting

07:49

point on on how to get going with

07:51

it so this is kind of what it looks like

07:53

this is a 50,000 foot view on 1.1 and

07:58

what 2.0 will look like uh nist

08:01

originally was started in 2014 finalized

08:04

in 18 um and that's kind of where we see

08:07

those traditional five different

08:09

controls identify protect attack respond

08:11

and recover as we move into 2024 over

08:14

the last you know 10 eight eight years

08:16

Etc since we've had a new draft of this

08:19

a lot has changed uh we've seen a lot of

08:21

increase in uh malicious attacks in

08:25

cyber crime losses we've seen uh the

08:28

landscape change and pivot away from you

08:31

know just the information age we moved

08:34

over to internet of things and now we're

08:36

stuck in and trying to cope with quite

08:38

frankly Ai and ml you know what is that

08:41

going to mean for us going forward from

08:43

a security perspective and I think

08:45

that's what 2.0 was really meant to try

08:47

to address and I think again when you

08:50

look at that overarching in inside wheel

08:52

uh govern I think that's why it was

08:54

created um and again I'm pretty excited

08:57

about this I know Matt is too because

08:59

govern is now going to get some tendrils

09:03

outside of it right it's going to have

09:06

you know those of you on the line I

09:08

assume the majority are within some form

09:10

of the it or with your companies but now

09:12

it's going to have you directly

09:15

interfacing with and having stakeholder

09:17

you know people talking through nist

09:20

with you what does this mean for the

09:21

company overall Mr sea level Miss sea

09:23

level um so I think there's going to be

09:25

a lot of additional stakeholders that

09:26

are going to take interest in nist um

09:28

and start paying attention to what it

09:30

means from an overarching company

09:32

perspective and again I think that's why

09:33

govern was was created

09:36

frankly side by side look so maybe this

09:39

is a 30,000 foot view of 1.1 and 2.0 um

09:42

you can see there were a number of

09:44

changes but but the overall number of

09:46

categories and subcategories actually

09:48

decreased so we went from five functions

09:50

in one one to six functions with the

09:52

addition of governments in 20 but then

09:54

we decreased the categories and the

09:56

subcategories the reason for this was

09:58

there was a lot of consolid ation

10:00

between some of the controls within

10:02

identify protect detect respond and

10:04

recover and they were Consolidated into

10:06

some of these additional controls uh

10:09

within govern and then more further

10:11

Consolidated within the uh the

10:13

pre-existing five controls that we saw

10:16

as we get a little bit more granular

10:17

into what these changes are this is a

10:20

very chaotic slide it made my eyes bleed

10:22

as I was making it but but this is what

10:24

it looks like so when you think about

10:25

the controls themselves here's what kind

10:28

of changed or was Consolidated or what

10:30

is brand new so we see a bunch of those

10:33

different controls certainly in govern

10:34

all brand new obviously but then we saw

10:37

some things drop from identify protect

10:39

and from respond and from an actual

10:43

subcontrol perspective here's what

10:45

happened so you're going to see a lot of

10:46

arrows starting to populate this slide

10:49

but nothing was truly eliminated from

10:51

this it just made it more intuitive and

10:55

more cohesive and again a lot of things

10:57

got moved up into that that overarching

11:00

govern uh category which like I said I

11:02

think is extremely important for the go

11:04

forward plan for anyone trying to adhere

11:06

to nist because it gets a lot of

11:08

additional Buy in from a company

11:10

perspective outside of outside of it

11:12

which is where nist was typically you

11:15

know landing and and where the

11:16

responsibility used to lie I think

11:19

that'll that'll be a big change for us

11:20

going forward and a welcom one because

11:23

at the end of the day when we're talking

11:24

about security everyone is part of the

11:26

security team um at any company

11:29

regardless of size or regardless of

11:31

vertical if you're unfamiliar with nist

11:35

this these are kind of what the controls

11:37

from an overarching perspective are

11:38

meant to do so identify is is supposed

11:40

to help you determine the current cyber

11:42

security risk to the organization it's

11:44

not actually about identifying an

11:46

inflate threat if you will it's about

11:48

identifying what within your environment

11:51

potentially has gaps has risks could

11:54

create some level of an impact to your

11:56

business should you experience an

11:58

incident of event a breach you know

12:00

whatever you want to call it but that's

12:01

really what identify targets protect is

12:04

what should you and could you be using

12:06

within your environment to safeguard

12:08

yourselves and really lessen the

12:10

likelihood that you'll experience an

12:12

incident in the first place so that's

12:14

what protect is all about what controls

12:16

policies products platforms uh vendors

12:19

Etc are you leveraging to preemptively

12:22

protect yourself and make it more

12:24

difficult for your environment to get

12:25

breached or infiltrated in the first

12:27

place detect is probably the most

12:29

self-explanatory one what do you have

12:31

within your environment that is

12:33

assisting you in detecting if something

12:34

wrong is going on within your

12:36

environment this is very very

12:38

multifaceted as you guys might imagine

12:40

nist refers to a lot of different things

12:42

within a within a corporate it

12:43

environment or or any environment for

12:45

example um but but what are you using to

12:48

detect it um you know we'll talk more

12:50

about what that looks like uh what a

12:52

holistic approach looks like versus what

12:54

kind of a point product approach looks

12:55

like those types of things um and then

12:57

responding so are you how are you taking

13:00

action once you do find a thing so if

13:03

something happens what is your plan do

13:05

you have a plan and planning is

13:08

something that is now very much

13:09

emphasized in 2.0 that's something that

13:12

we at arctic wolf and Winslow have been

13:13

talking about for quite sometime you

13:15

know if you don't have an IR plan it's

13:17

something you should seriously consider

13:19

implementing and there's different

13:21

processes in which an IR plan is either

13:23

good or bad so of course we want to

13:24

highlight the good but now it's in this

13:27

now it's really really talking about

13:29

having something tangible that you can

13:30

refer to that helps you and your company

13:33

kind of stop the scramble on what is

13:35

arguably the the worst day in your life

13:37

if you do experience some kind of a

13:39

catastrophic event um recover once again

13:42

moderately self-explanatory but but

13:44

quite convoluted there's a lot of things

13:45

that go into actual recovery of an

13:47

incident depending on what the impact

13:49

was you know was it stolen data was it

13:51

ransomware did it lock up your backups

13:54

which is you know a goal of a lot of

13:56

different actors to lock your backups

13:57

because once your backups are gone they

13:59

pretty much have you so what does it

14:00

look like from a recovery perspective

14:02

for your business and then finally the

14:04

last one the new one is establish and

14:05

monitor the organization cyber security

14:07

risk management strategy expectations

14:09

and policy so once again this is org

14:11

wide what do we as a company need to do

14:14

to create this cyber security risk

14:17

strategy um and a lot of these new

14:19

controls Consolidated controls moving up

14:22

into govern um we'll we'll talk about

14:24

that and we'll we'll emphasize that so

14:26

those are the six controls now of 2.0

14:29

kind of at a very high level we'll start

14:32

jumping into now um what the individual

14:34

changes of these controls and subc

14:37

controls and categories Etc kind of kind

14:39

of mean starting with identify um again

14:42

this is meant to help you identify and

14:44

determine what your overall risk profile

14:46

looks like in the 1.1 uh table that I

14:50

have there anything that's kind of

14:51

shaded in Gray has been moved um so the

14:55

four that you see shaded have been moved

14:56

over into Improvement or or moved over

14:59

into governance so there's been a lot of

15:01

moves and changes this is not a one for

15:03

one representation of all the moves and

15:05

pivots and changes just kind of a

15:06

condensed view for you but um in 2.0 we

15:09

do see a new uh new category just called

15:12

Improvement um and what Improvement is

15:15

really here to do is to help

15:16

organizations just drive toward

15:18

improvements overall in the

15:21

organizational cyber security plan you

15:23

know what procedures do we have in place

15:25

what do those activities within those

15:26

procedures look like you know kind of

15:28

helping you create a framework on on

15:31

what identify needs to look like so your

15:34

identification of your risks within your

15:36

environment become more comprehensive

15:38

and the more comprehensive knowledge you

15:40

have of your gaps and what your risks

15:42

are the better an arctic wolf and a

15:45

Winslow can help you address those you

15:47

know with with various Solutions like

15:48

arctic wolf and a myriad of other things

15:50

of course that go into an overall cyber

15:52

security

15:53

play so that's what we saw at least in

15:56

uh in identify but but but moving even

15:59

further into the Improvement category

16:01

there are four subcategories now within

16:04

Improvement um and the first word there

16:06

in the im- 01 is continuous right this

16:09

is not a oneandone exercise and I

16:12

there's no way that I can emphasize that

16:14

enough continuously understanding your

16:16

environment via you know your own

16:18

knowledge and research but also via

16:20

continuous monitoring and having someone

16:23

there to help identify gaps with you is

16:26

the first call out in this new identify

16:28

uh excuse me Improvement subcategory and

16:31

then it moves further into actually

16:32

testing things out right are you uh you

16:34

created a plan youve maybe identified

16:36

some risks but have you have you tested

16:38

have you done exercises do you know your

16:40

findings to be true or false um so so

16:43

it's calling that out directly here as

16:45

well uh Lessons Learned so creating some

16:48

kind of a journal log Etc on what you've

16:50

learned what procedures work what didn't

16:52

work what you need to you know rethink

16:54

perhaps um and then finally a cyber

16:56

security plan um that's effective that

16:59

is communicated maintained and approved

17:02

and I think the key word there is

17:04

probably communicated right so the

17:06

entire organization understands what

17:09

should and frankly what should not

17:10

happen during some form of of an event

17:13

has gone into that Improvement category

17:15

so it can all be laid out understood and

17:17

you have a A playbook that is ready to

17:19

be executed upon you know in the in the

17:21

instance that you have have a

17:24

problem so that's the bulk of what we

17:26

saw from the identity category uh

17:28

shifting or changing or being augmented

17:30

in some way um which brings us over to

17:32

protect so protect had a had a bunch of

17:34

changes as well as you might imagine

17:35

those three uh shaded and gray there um

17:37

have been Consolidated or moved or

17:39

tweaked once again into two additional

17:41

categories that are new for the protect

17:44

in uh NIS 2.0 so we see platform

17:46

security and we see technology uh

17:48

infrastructure

17:50

resilience so starting with platform

17:52

security um this is really talking about

17:54

Hardware software firmware operating

17:56

systems all of the things that make up

17:57

your environment um physical virtual

18:00

machines are managed consistently that

18:03

we understand how they're being managed

18:05

that there's a risk strategy again

18:07

encompassing them um to protect their

18:09

integrity their availability and of

18:11

course their confidentiality and then we

18:13

can see some of the new controls uh that

18:15

are that are provided into into those

18:17

subcategories we have some around

18:18

configuration management software being

18:21

maintained um again arctic wolf sees a

18:23

lot of these things and patching is is a

18:26

total pain for anyone dealing with

18:28

patching we understand that we can help

18:30

with that but I'm glad it's being called

18:32

out uh in in the way that it is now

18:34

Hardware certainly maintenance um we see

18:36

cves pretty much constantly for for

18:38

firewalls for example so staying on top

18:41

of those types of things um certainly

18:43

lowers your overall risk profile log

18:46

records are generated and made available

18:48

for continuous monitoring this is a big

18:50

one this is referring to 247 login event

18:53

monitoring um something that arctic wolf

18:55

plus Winslow are very very good at

18:57

providing and something that I still do

18:59

not see being done anywhere near enough

19:01

in the wild um so I'm again once again

19:04

I'm glad that this is called out as

19:06

specifically as it is within the protect

19:08

function um installation and execution

19:11

of unauthorized software are prevented

19:13

I'm guilty of this quite frankly I've

19:15

installed a thing or two on my work

19:17

machine once or twice um but this is

19:19

something that you know again I

19:20

shouldn't be doing nor nor do I these

19:22

days but um you know this is something

19:24

that mist certainly calls out as well

19:26

because if something gets installed and

19:28

for for example they installed an

19:29

application that included one of the

19:30

vulnerable log forj jres a year and a

19:33

half two years ago that could have

19:35

exploited an entire company uh if it was

19:37

done so on a business machine um and

19:39

then finally securing software

19:40

deployment practices so so how are you

19:42

guys pushing XYZ to your clients what's

19:45

the update cycle look like change

19:47

Windows all those types of things uh

19:49

making sure that those get

19:51

monitored moving over one more into the

19:54

technology infrastructure resilience

19:56

subcategory um this is all about

19:58

security Arch architectures are

20:00

maintained and managed with the

20:02

organization's risk strategy to protect

20:04

asset confidentiality Integrity

20:05

availability and organizational

20:07

resilience and we can see four different

20:08

changes here um Network and environments

20:10

are protected from uh unauthorized

20:13

logical access organizations's

20:15

technology assets are protected from

20:16

environmental threats uh mechanisms are

20:19

implemented to achieve resilience uh in

20:21

normal and adverse conditions and

20:23

adequate resource capacity to ensure

20:25

availability is maintained so as you're

20:27

kind of thinking through these you know

20:29

active passive type Technologies active

20:31

active even all of these types of

20:33

decisions and Frameworks can kind of

20:34

work into into these four new controls

20:37

that they've bundled under this

20:38

technology infrastructure resilience

20:40

header um which was further

20:42

consolidation most of these all existed

20:45

in some former fashion in one one um

20:47

they're just called out a little bit

20:48

differently you can see some of the

20:50

references to formally you know XYZ in

20:52

that Top Line um so you can see where

20:54

the pivots were made uh and where they

20:56

were kind of bundled if you will will

20:58

into this new technology infrastructure

21:00

resilience

21:03

subcategory finally or not finally

21:05

detect so detect is all about again

21:07

finding and analyzing cyber attacks so

21:09

we see detection processes being kind of

21:12

moved if you will and again re rebundle

21:15

into continuous monitoring and into

21:17

adverse event analysis I am personally

21:20

pretty excited about this because that

21:22

directly ties into quite frankly what

21:25

arctic wolf is and what arctic wolf does

21:27

so um our core construct if you will and

21:29

how we kind of came to Market 10 years

21:31

ago was the idea of manage detection and

21:34

response which focuses on continuous

21:36

monitoring and adverse event analysis um

21:39

I won't get too much into this slide

21:41

guys I don't want to make this a sales

21:42

pitch but just know that arctic wolf is

21:45

a managed security operations center

21:46

that is delivered as a service one of

21:48

the services that we offer is MDR and

21:51

MDR is quite frankly 247 log ingestion

21:54

from across your entire environment

21:56

integrating with a lot of different

21:58

third party productss you may already

21:59

own like crowd strike or Defender ATP

22:01

opad Duo o365 all that stuff combining

22:05

it with Telemetry that we're generating

22:06

our own via a physical sensor that's

22:08

deployed on your network and Via an

22:10

agent that is also deployed on all of

22:12

your endpoints Cloud desktop laptop or

22:15

server aggregated under a single

22:17

umbrella acting as a single source of

22:18

Truth and then looking through all of

22:21

the events that were uh receiving from

22:23

your environment looking for anomalies

22:26

indicators of compromise things that are

22:28

flagged by third party Integrations that

22:30

we have and then responding to them so

22:33

here's what we found here's what it

22:34

impacted within your environment here's

22:36

how we get rid of it let's go um so

22:39

again if I go back one slide and and

22:41

look at continuous monitoring and

22:42

adverse event analysis that is exactly

22:44

what arctic wolf does so we're excited

22:46

to see this called out in the way that

22:47

it is called out in 2.0 because the more

22:51

customers clients that are using Arctic

22:53

wol or frankly anything else that are

22:55

monitoring and you know actually

22:57

reacting to diverse events in a correct

22:59

and and quick way the less we're going

23:03

to see from a cyber losses perspective

23:05

and there's anary benefits to that too

23:07

right like your cyber insurance premiums

23:09

maybe doubling over the last 24 months

23:11

no one's really been a huge fan of that

23:13

maybe we'll start to see that Whittle

23:15

down you know as these cyber insurance

23:16

companies hopefully you know start

23:18

paying out less because we're getting

23:20

more in tune with what needs to be done

23:23

to properly secure

23:25

environments respond how am I taking in

23:28

action during a cyber incident obviously

23:29

arctic wolf can assist in that the the r

23:31

and MDR does stand for respond but we

23:33

saw some changes here as well response

23:35

planning and improvements as you might

23:37

imagine those have been uh pivoted again

23:40

or or moved over into more of the

23:41

governance subcategory which we'll talk

23:43

about in depth in a couple minutes um

23:45

but we've created the four categories

23:46

now within response we have Incident

23:48

Management analysis response reporting

23:51

and communication and mitigation and to

23:53

kind of you know expand on that a little

23:54

bit more you can see where some of these

23:56

moves were made um a few of them were

23:59

dropped as I had mentioned but they have

24:00

been moved into other subcategories uh

24:03

we have a couple different new ones four

24:04

of them um so analysis is performed to

24:06

determine what is taken during place of

24:08

an incident finding the root cause of an

24:10

incident oftentimes is critical to

24:13

understand what gaps you have and how to

24:15

fill those gaps um what actions

24:18

performed incident data and metadata

24:20

being collected again something that

24:22

that arctic wolf can certainly assist

24:23

with as well um and then lastly the

24:26

incident magnitude and is estimated and

24:28

validated so you know what did this cost

24:31

your company and again that's a

24:32

convoluted question too and I think

24:34

oftentimes when we think of the cost of

24:36

a breach let's say it's an average of $3

24:38

million we just think of that $3 million

24:41

as ransomware but you know the

24:42

ransomware portion if it was indeed

24:44

ransomware is is typically a a small

24:46

percentage of that overall loss because

24:49

you have operational loss you have you

24:51

know loss of of man and woman hours

24:53

going into whatever the solve for the

24:55

situation happened to be and then much

24:58

harder to quantify but you have

24:59

reputational loss um depending on how

25:02

you interface with your customers as

25:04

well whether that's B2B or whether

25:06

that's B to C there's a lot of

25:08

reputational loss that comes along with

25:09

that and that can linger for months or

25:12

years um depending on on what

25:16

happened recover so this is focusing on

25:19

restoring assets and operations the

25:21

picture there you're probably reading

25:22

that and hold my beer um one of my

25:24

favorite sayings but that is basically

25:27

saying that a lot of what they have

25:28

included now in 2.0 under the new

25:30

incident recovery plan execution and

25:33

communication really are telling you to

25:35

kind of just hold your breath for a

25:36

minute analyze the situation understand

25:39

exactly what happened and then truly

25:42

create a plan around your recovery

25:45

rather than just going you know bowling

25:47

a china shop trying to fix stuff and

25:49

scrambling and not documenting and

25:51

forgetting what got fixed and what

25:52

didn't get fixed you know stop Slow Down

25:56

plan and understanding exactly what it

25:58

is that you need to do versus again just

26:01

going crazy and trying to to scramble

26:02

and fix things which again you know from

26:05

an Arctic World perspective and I'm sure

26:06

Matt can validate this too on a Winslow

26:08

side the scramble is something that's

26:10

very very hard to stop because when you

26:12

have an incident that's of a magnitude

26:14

in which you need to respond rapidly and

26:16

quickly you've got your entire Team all

26:19

just doing something scrambling without

26:22

a lot of communication and again if you

26:24

read through the recover sections of

26:26

this uh which is kind right here that's

26:28

really where the focus is um slow down

26:31

take appropriate actions um have have

26:34

this organized and and kind of ready to

26:35

go and

26:36

understood um again I won't read through

26:39

every single one of these things but and

26:41

you guys are free to have this uh slide

26:43

deck as well at the end of this but um

26:45

that's really what the recover decided

26:47

to focus on I think a lot of the

26:48

controls that were already there were

26:49

good ones a lot goes into recovery

26:51

certainly um but I think having a focus

26:53

on making sure that it's well

26:55

orchestrated um and well understood SL

26:57

doent

26:58

is a is a welcome change to T yeah Todd

27:01

if you want me just to add some color to

27:03

that so we we do have uh an incident

27:05

response practice as uh as does Arctic

27:07

Wolf and oftentimes we've responded to

27:08

incidents together um I'll say um what

27:12

tends to happen uh for folks that don't

27:14

have a plan is uh twofold one is this

27:18

just overwhelming sense of oh crap what

27:22

do we do and you know we we have our own

27:25

runbook as as does Arctic Wolf we often

27:27

work together on um on the incident

27:29

response but but this overwhelming sense

27:31

of like what do we do now usually

27:33

followed you know was followed by like

27:35

panic and people start unplugging you

27:37

know Network ports and shutting this

27:39

down and it's actually um it can really

27:43

complicate like forensic investigation

27:45

because like ultimately you want to know

27:46

how they got in who got in what's going

27:48

on do we need to report this to the

27:50

authorities So like um in the absence of

27:53

a plan uh for Recovery uh we end up

27:57

seeing uh just Panic uh you know and and

28:00

uh you're right it's like slow down have

28:02

a bit of a plan together understanding

28:04

you know what's going on I'll tell you

28:06

the next piece of this that um you know

28:08

that's more of the it CIS admin

28:10

technical side if you will the more like

28:13

executive board side of this is um you

28:16

know our systems are down uh we're

28:18

paying people they can't work we're not

28:19

bringing Revenue in our you know systems

28:21

are offline how soon are we going to be

28:24

back online that is like the number one

28:25

question that you know comes up and and

28:28

just kind of like in our combined

28:29

experience just to be realistic with

28:31

everyone on the phone I would say an

28:33

average um when we get brought into an

28:36

incident and this is just again like

28:37

averaging everything out um the time

28:40

from you know phone call till some basic

28:43

restoration has happened just just in

28:45

our experience is about three days um so

28:48

that's like three days of downtime where

28:51

uh you don't really know what's going on

28:52

to have some semblance of a restoration

28:55

plan you know of course in in the

28:56

absence of having having something

28:57

planned up front and then um from there

29:00

uh we see actual restoration when when

29:02

it's not really planned out and um you

29:04

know we're just kind of figuring it out

29:06

as we go because because this part um

29:08

wasn't really thought of um Beyond kind

29:10

of like we'll recover from backup um it

29:12

usually takes two to three months uh to

29:15

recover systems and and in that time um

29:18

we've unfortunately experienced some

29:20

organizations where they start

29:21

questioning like the viability of their

29:23

business not because they were um only

29:26

attacked but because um their recovery

29:28

mechanisms and the recovery planning and

29:31

and what needs to happen to recover

29:32

their applications data and and overall

29:35

um operational State just wasn't really

29:37

thought about so um to your point to I I

29:40

actually love seeing more attention

29:42

being spent on this end of the framework

29:46

um and um and I I feel like with you

29:49

know cyber risk and and cyber security

29:51

incidence it's it's you know this is

29:53

like very cliche it's it's not a matter

29:55

of uh if it it will be a matter of when

29:58

um attackers using AI based you know

30:01

malware and AI based um attacks are are

30:04

real it's something that technical

30:06

controls may not be able to keep up with

30:09

uh hopefully they minimize the risk and

30:11

minimize the impact of of an incident um

30:14

but everyone's going to be faced with

30:15

recovery at some point so so like really

30:17

putting some emphasis in planning and

30:19

having the right policies and procedures

30:21

in place is uh is really really critical

30:23

and um I like seeing this being uh

30:25

spiked out a bit more um in the 2.0

30:28

framework yeah those are perfect points

30:31

I mean just if you read a couple of the

30:33

1. ons they they almost seem rudimentary

30:36

compared to how 2.0 gets a little bit

30:39

more you know finite on what the ask is

30:42

um you know if you look at the kind of

30:44

the backup um it's it's interesting

30:47

right that it wasn't included to to

30:49

begin with but um you know establishing

30:51

and understanding that the backups

30:53

you're restoring are actually good

30:55

Integrity right because in storing you

30:57

know re restoring a dirty backup just

30:59

wasted a day

31:01

D I'll tell you like Todd that is such a

31:04

good example because I've like

31:06

personally been on incidents where we've

31:08

restored um you know applications I'll

31:11

just say at a broad level they had

31:13

already been tampered with and they had

31:16

um some sort of a trip wire I'll say

31:18

built into it where um if you went back

31:21

as far as you know two weeks or three

31:23

weeks or whatever to restore it they had

31:25

already been in the environment that

31:26

long and in that case it it wasn't just

31:29

like the backup system that was flawed

31:31

it was like the Integrity of that system

31:34

and you know alongside that the backup

31:37

itself was totally compromised because

31:38

if you restored um if you restored that

31:41

backup itself it was tampered with um

31:44

and you know would essentially like

31:45

reinfect the rest of the environment

31:47

once it was restored so um I I agree I

31:50

think youed like the perfect word here

31:51

too where you're talking about like the

31:53

1. one seems rudimentary and like it is

31:56

I mean you look at it and it's like

31:58

we're looking at like big you know

32:00

crayons that we're drawing with with

32:02

like a

32:03

fist right versus uh perhaps the the

32:06

Precision of a of like a number two

32:08

pencil here so I think that's a great

32:10

great Point yep absolutely I think it's

32:12

gonna help a lot just for for everyone

32:14

trying to adhere to Nest I think

32:16

everyone should at least if you're going

32:17

to pick any framework if you don't have

32:18

you know a specific form of compliance

32:20

you're mandated to do it here to this is

32:22

a this is a great place to start and

32:24

honestly if you do start with nest and

32:25

then maybe via some pivot companywide

32:29

you are now privy to some form of

32:30

compliance you must adhere to if you're

32:33

doing this you've probably satisfied 70

32:35

80 90% sometime of the controls that

32:38

that other compliance refers to um so

32:41

I'm glad it's laid out the way it's laid

32:42

out now

32:43

yeah we'll jump into govern which is the

32:46

last one kind of the new kid uh and

32:47

again you know the one that I think

32:49

myself and and I'm I'm understanding

32:52

Matt is probably the most excited about

32:53

because it does specifically speak to

32:56

organization

32:58

awareness of an overall security

33:00

framework so um a bunch of new controls

33:02

here there's six subcategories within

33:04

the Govern section um again I won't read

33:07

every single one of these uh but I

33:09

certainly encourage you to do so but

33:11

we're talking about organizational

33:13

context uh an overarching risk

33:15

management strateg strategy I talked

33:17

earlier about the supply chain risk

33:18

management and this is a big deal right

33:20

if you are doing business again B2B and

33:23

you have systems that are being accessed

33:25

by whomever you're interfacing with they

33:27

become compromised you now have or at

33:30

risk at least of being compromised as a

33:32

relation of that uh you know perhaps

33:34

database that you're sharing or that

33:36

interface that you're sharing or

33:37

whatever happens to be so understanding

33:39

your risk around your supply chain is

33:40

something that's pretty critical um

33:42

roles responsibilities and authorities

33:44

again like I said this is going to bleed

33:46

outside of it in a very very welcomed

33:49

way where the rest of your organization

33:51

um should and could be a part of your

33:53

overarching security plan gaining

33:55

awareness for those of us in the it

33:58

realm um gaining Buy in uh and and

34:01

hopefully you know having a little bit

34:02

more um versatility in what you're able

34:05

to talk about present and and you know

34:08

try to fix your gaps with um so I think

34:11

this is a very good thing uh policies

34:13

processes procedures Etc um those are

34:15

kind of table Stakes but again they've

34:17

been moved into that govern category so

34:19

it becomes like I said earlier more of