Exploring the NIST Cybersecurity Framework 2.0: What You Need to Know

Winslow Technology Group
11 Jan 2024, 53:48

Summary

TLDR This transcript summarizes a webinar jointly presented by Matt Kazlowski of the Winslow Technology Group and Todd Mallet of Arctic Wolf. They discuss the NIST Cybersecurity Framework 2.0, explaining its updates, supply chain risk management, and the strengthened emphasis of the new Govern function. They also touch on the services and products that Arctic Wolf and the Winslow Technology Group offer to meet customers' needs.

Takeaways

  • 📌 The NIST Cybersecurity Framework 2.0 is still in draft, but is considered close to a finished product.
  • 🛡️ Winslow Technology Group is headquartered in Waltham, Massachusetts and provides regional coverage from the Northeast to California.
  • 🤝 Arctic Wolf has a partnership with Winslow Technology Group and provides security technology and services.
  • 🔍 In NIST 2.0, supply chain risk has come to be emphasized because of the global economy and increasing vertical integration.
  • 📈 NIST 2.0 now defines six functions (Identify, Protect, Detect, Respond, Recover, Govern).
  • 📚 Moving from the old NIST 1.1 to NIST 2.0 is positioned as a step toward improving an existing security posture.
  • 💡 Arctic Wolf provides a managed security operations center (MDR) through continuous monitoring and event analysis.
  • 🔄 NIST 2.0 emphasizes the importance of risk management strategy and policy, and calls for broadening the stakeholders involved in the security posture of the whole organization.
  • 🚨 In responding to security incidents, a rapid and planned approach is important, and advance preparation is required to avoid scrambling.
  • 🛠️ If you need help with a NIST framework assessment or with risk management, you can take the free mini assessment offered by Winslow Technology Group.

Q & A

  • What are the main updates in the NIST Cybersecurity Framework 2.0?

    - The main updates in the NIST Cybersecurity Framework 2.0 are the addition of a new Govern function, strengthened supply chain risk management, and several changes to controls related to CMMC.

  • How does the Govern function help in NIST 2.0?

    - In NIST 2.0, the Govern function helps relate the other five functions to the organization's mission and stakeholder expectations, and is an essential element in building an overall security strategy.

  • What services does Winslow Technology Group provide?

    - Winslow Technology Group provides technical engineering in areas such as professional services, cybersecurity, networking, and cloud. Through partnerships such as Arctic Wolf, it also provides game-changing solutions and technologies covering everything from the desktop to the data center.

  • What is Arctic Wolf's MDR service?

    - Arctic Wolf's MDR service means providing a managed security operations center as a service. This includes continuous monitoring, anomalous event analysis, and incident response.

  • What actions can be taken to prepare for the release of NIST 2.0?

    - To prepare for the release of NIST 2.0, organizations need to assess their current security posture, improve their risk management strategy, and strengthen continuous monitoring and incident response plans. It is also important to use supporting tools such as GRC tools to achieve effective implementation.

  • Since when has Arctic Wolf held CMMC Level 2 certification?

    - Arctic Wolf currently meets many of the CMMC Level 2 controls and complements most of them. It aims to obtain formal CMMC Level 2 certification in the future.

  • What measures does Arctic Wolf take to meet FedRAMP Moderate or High cloud security requirements?

    - For customers based in North America, Arctic Wolf guarantees that they communicate only with North America-based Arctic Wolf employees, and that the data locale is 100% based in the United States and does not traverse other countries. In addition, PII (personally identifiable information) is not ingested, and controls are in place to delete it immediately if it is ingested.

  • What is the relationship between the NIST framework and SOC 2?

    - The NIST framework overlaps with a SOC 2 program. The NIST framework covers many controls and provides substantial preparation for SOC 2 compliance. However, because SOC 2 has controls specific to service providers, it is important to satisfy both the NIST framework and SOC 2.

  • How does Winslow Technology Group support NIST assessments?

    - Winslow Technology Group offers a free mini NIST Cybersecurity Framework assessment. This is a consultative interview based on a series of questions about each function, in which customers can ask questions about the framework or about security in general. As a result of the assessment, customers receive a full report color-coded in red, green, and yellow.

  • What advice is there about GRC tools?

    - GRC tools help manage governance, risk management, and compliance, which is difficult to manage effectively with basic tools such as Excel. Winslow Technology Group offers a GRC tool and can support customers' transition to NIST 2.0.

Outlines

00:00

📢 Welcome and introduction to NIST CSF 2.0

Matt Kazlowski, VP at the Winslow Technology Group, opens a webinar on cybersecurity. He introduces Todd, and they discuss the NIST Cybersecurity Framework 2.0. NIST 2.0 is still in draft, but close to a finished product. This updated version of the framework contains important information.

05:00

🗓 Webinar agenda and introduction of the Winslow Technology Group

The webinar agenda is explained, along with the services of the Winslow Technology Group and Arctic Wolf. Participants post questions in the chat, which are answered together in the second half. The Winslow Technology Group's local coverage and partnerships are also touched on.

10:03

🌟 Winslow's technical capabilities and application of the NIST framework

The technical capabilities of the Winslow Technology Group, and how its pre-sales and post-sales experts address the NIST 1.0 or 1.1 framework, are explained. It offers a GRC tool that incorporates various elements of risk management.

15:03

🚀 NIST CSF 2.0 updates and strengthened supply chain

The updates in NIST CSF 2.0 are explained, and the addition of the Govern function and the strengthening of supply chain risk management are discussed. Controls related to CMMC are also touched on, with an indication of how Arctic Wolf can help.

20:04

🔍 Improvements to the Detect and Respond functions in NIST 2.0

Improvements to the detection process in NIST 2.0, and the role of Arctic Wolf's managed security operations center (MDR) service, are explained. The focus is on the importance of continuous monitoring and incident analysis, clarifying the philosophy behind the services Arctic Wolf provides.

25:06

🛠️ Incident recovery planning and NIST 2.0 improvements

The shift in focus of the Recover function in NIST 2.0 to executing and communicating the incident recovery plan is explained. The importance of analysis during incident response, how to build a plan, and taking appropriate action are emphasized, along with how Arctic Wolf and the Winslow Technology Group can help.

30:07

🏛️ Governance and the overall picture of NIST 2.0

The six subcategories of the Govern function in NIST 2.0 are explained, raising awareness of the security framework across the whole organization. The key point is that governance influences the other five functions.

35:08

🔑 Security management and application of NIST 2.0

How the Govern function of NIST 2.0 secures the organization's security strategy and defines the risk management strategy is explained. The reasons NIST 2.0 helps when preparing for other compliance regimes are emphasized, and Arctic Wolf's work toward FedRAMP and CMMC certification is described.

40:10

📋 NIST CSF 2.0 timeline and Q&A

The timeline of the NIST CSF 2.0 draft is explained, and a Q&A session is provided at the end of the webinar. How Arctic Wolf's services address the requirements of NIST 2.0, and how GRC tools can help, are explained.

Keywords

💡NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework 2.0 is a framework developed by the National Institute of Standards and Technology (NIST) for managing the risk of cyber threats. The framework provides guidance for companies strengthening their cybersecurity and is based on five functions: Identify, Protect, Detect, Respond, and Recover. In version 2.0, Govern is newly added, calling for the security strategy of the whole organization to be strengthened.

💡Risk Management

Risk management is identifying, assessing, and prioritizing potential risks and establishing countermeasures against them. This allows an organization to avoid future problems and minimize losses. Risk management also plays an important role in cybersecurity, and its importance is emphasized in the NIST Cybersecurity Framework 2.0.

💡Supply Chain Risk

Supply chain risk refers to the risk that can arise when an organization works with external parties. This includes the possibility that external parties such as suppliers and partner companies obtain access to systems and that such access is misused. Supply chain risk management is also an important theme in the NIST Cybersecurity Framework 2.0.

💡Governance

Governance refers to the process of making decisions and managing while taking into account the organization's strategy, objectives, and stakeholder expectations. In the NIST Cybersecurity Framework 2.0, Govern is newly added, providing a structure for defining and implementing the cybersecurity strategy in the context of the whole organization.

💡Managed Security Operations Center (MSOC)

A managed security operations center (MSOC) is a security operations center that continuously monitors, detects, analyzes, and responds through a service provided by an external company. An MSOC enables rapid response to an organization's security incidents, using specialized knowledge and technology to address cyber threats.

💡Incident Response

Incident response is the process for dealing quickly and effectively with a cyberattack or security breach when it occurs. It includes detecting the attack, reporting the incident, analysis, planning a response strategy, and minimizing damage. In the NIST Cybersecurity Framework 2.0, developing and implementing an incident response plan is emphasized.

💡CMMC (Cybersecurity Maturity Model Certification)

CMMC (Cybersecurity Maturity Model Certification) is a program introduced by the U.S. Department of Defense to assess and certify cybersecurity maturity. CMMC standardizes the cybersecurity capabilities of defense contractors and provides guidelines for managing cyber risk.

💡FedRAMP (Federal Risk and Authorization Management Program)

FedRAMP (Federal Risk and Authorization Management Program) is a U.S. federal government program that establishes security and privacy standards for cloud service providers. FedRAMP aims to manage the risk of government agencies using cloud services and to ensure the security of information systems.

💡SOC 2 (System and Organization Controls Type 2)

SOC 2 (System and Organization Controls Type 2) is an evaluation standard for the controls over a service provider's information systems. SOC 2 evaluates how a service provider applies controls based on five trust services categories: confidentiality, integrity, availability, protection, and privacy.

💡GRC Tool (Governance, Risk, and Compliance Tool)

A GRC tool (governance, risk, and compliance tool) is a software tool that lets an organization manage governance, risk management, and compliance efficiently. GRC tools provide a wide range of functions such as policy adherence, risk assessment, regulatory response, and report creation, helping companies adapt to a complex regulatory environment.

Highlights

Overview of the NIST Cybersecurity Framework 2.0

Introduction of Matt Kazlowski, VP of Professional Services in Cybersecurity at the Winslow Technology Group

Todd, a senior sales engineer from Arctic Wolf, joins the discussion

The framework has been in development and is close to a finished product

Updates to the NIST Cybersecurity Framework 2.0 and their importance

Agenda for the webinar covering Winslow Technology Group and their Cybersecurity Solutions

Discussion on the regional coverage and reach of Winslow Technology Group

Emphasis on customer satisfaction and outcomes as a measure of success for Winslow Technology Group

Technical Engineers at Winslow Technology Group and their combined technical experience

Introduction to Arctic Wolf and their partnership with Winslow Technology Group

Updates to the NIST Cybersecurity Framework 2.0, including the addition of the 'Govern' function

Discussion on the supply chain risks and their relevance to the NIST framework

Timeline for the rollout of NIST Cybersecurity Framework 2.0

How to prepare for NIST Cybersecurity Framework 2.0 and the offerings from Winslow and Arctic Wolf

Explanation of the six controls of NIST 2.0 and their purposes

Discussion on the importance of governance in the NIST Cybersecurity Framework 2.0

The role of the 'Govern' function in creating a comprehensive security plan for organizations

The impact of the NIST Cybersecurity Framework 2.0 on various stakeholders within an organization

The evolution of the NIST Cybersecurity Framework from version 1.1 to 2.0

The significance of the 'Improvement' category in the Identify function of NIST 2.0

Details on the Protect function and its focus on platform security and technology infrastructure resilience

The Detect function and its emphasis on continuous monitoring and adverse event analysis

The Respond function and its new categories for incident management, analysis, response reporting, and communication

The Recover function and its focus on restoring assets and operations with a well-orchestrated plan

The Govern function and its role in establishing and monitoring the organization's cybersecurity risk management strategy

The importance of understanding and managing risks in the context of the organization's mission and stakeholder expectations

The potential impact of the NIST Cybersecurity Framework 2.0 on insurance premiums and risk management

The necessity of planning and risk management in preventing future cybersecurity incidents

The offer of a free mini NIST Cybersecurity Framework assessment by Winslow Technology Group

The discussion on how the NIST framework can complement other compliance frameworks like SOC 2 and FedRAMP

Transcripts

00:00

All right, good morning everyone. I am Matt Kazlowski, I'm the VP of Professional Services in Cybersecurity at the Winslow Technology Group, and this morning I am joined with Todd, senior sales engineer from Arctic Wolf Networks. Hi, Todd, at the top of the Winslow webinar tower. Today we're actually gonna cover the NIST Cybersecurity Framework 2.0. So this framework has been in the works for a bit of time. It is technically still in the draft state, but it's pretty close to a finished product, and we wanted to get some information out. There's some really great updates to the framework and some important information there. So Todd, thank you very, very much for joining us this morning. Yep, yep, good.

00:43

Next slide there. We can talk about the agenda a bit. So we'll just give you a brief overview of the Winslow Technology Group and our cybersecurity solutions and portfolio here. I'm gonna pass the old mic to Todd, one of our senior sales engineers over at Arctic Networks, to talk quite a bit about the framework. It's going to be a pretty open discussion. If people have any questions during the presentation, the best way to do that is drop them right in the chat. This is a live presentation, so towards the end we'll group them all up and try to answer as many as we can. If we're not able to, we'll follow up with y'all afterwards. So that is that. Todd, you can hit the next slide there. Sure.

01:25

Thank you. Just a little bit about the Winslow Technology Group. So we are headquartered in Waltham, Massachusetts, right outside of beautiful Boston, Massachusetts. I'm actually in Connecticut, right between New York City and Boston. The Winslow Technology Group has local coverage from Maine through the Carolinas, far out in western Pennsylvania, and down in Nashville too, where we can have, you know, regional local coverage with truly national reach. We carefully vet our partnerships, like that of Arctic Wolf, to really provide game-changing solutions and technologies from the desktop to the data center through our professional services: cybersecurity, networking, and cloud. And we really try to identify unique and truly differentiated products and services that provide effective solutions that lead to fantastic outcomes for our customers. Next slide please.

02:25

So speaking of outcomes, on staff we at Winslow have a bench of technical engineers on our pre-sales and post-sales side that truly represent hundreds of years of combined technical experience. We have four on-staff CISSPs and a truly, truly dedicated team of account executives that have a passion for technology and outcomes. And if there's one thing I'd leave you with that characterizes the Winslow Technology Group and partnerships with Arctic Wolf, it's that customer satisfaction and outcomes are our measure of success. Like, our mission truly is: take the passion and expertise we have, focus on outcomes, you know, deliver on what our customers like you need in the space today. And one of those is, you know, differentiated services with our partner Arctic Wolf. So I'm really happy to talk with Todd a bit today about, you know, the NIST Cybersecurity Framework 2.0, again, draft state. We can talk quite a bit about it and go from there. You can go to the next slide.

03:28

Do need to poke fun at ourselves, I guess, a bit at the slide, because if you're looking at this you're noticing it's missing the governance wheel. We haven't had time to quite update this yet, and the framework still is, I guess, in a draft state, but we'll update it when we come out of draft, I suppose. But the point being is, at the Winslow Technology Group, in partnerships with Arctic Wolf and different services that we deliver, including a whole portfolio of managed services, we have a fairly comprehensive and complete portfolio of products and services to help customers of all shapes and sizes really achieve cybersecurity, you know, security if you will, really helping reduce risk and managing that risk to an acceptable level. We can help with all aspects of the NIST 1.0 or 1.1 framework which you're looking at now, bunch of technologies you see layered there, and the 2.0. So one of the tools that Winslow has introduced, that, you know, I'm excited for as this framework develops, is a GRC tool. So we have a governance, risk and compliance tool that we're able to provide as a service, with consulting and a variety of other risk-management components that go into that. So a really exciting offering there. Dovetails beautifully into what Todd and I are going to speak about this morning regarding the updated NIST Cybersecurity Framework. Todd, would you like to, you know, introduce yourself and introduce Arctic Wolf a bit?

05:02

Yeah, thanks Matt. So, Todd Mallet, I'm one of the sales engineers, or SEs, here in the New England patch. I've been here for around four years or so. Previous to that, kind of all over the place, infrastructure-centric, but been here for about four years. Been a great run, huge growth. A lot of that growth is due to Winslow, partner of the year I think two or three times, something like that, Matt, but it's been a lot. One of our best partners, certainly in New England and then actually in the United States. So with that, just very, very quick agenda, and before I get started we encourage you guys to ask questions. We'll have a Q&A session after this, so if you do have a question please post it in chat and we'll try to get to as many of them as we possibly can toward the end of the call. But the things that we'll be going through today are obviously the update to NIST CSF: what's changed, what's moved. There's been a lot of things that have been augmented and kind of tweaked within this CSF. The core construct is still there, but that second bullet point, the Govern function, is really, I think, the newest thing, and almost creates something of an overarching idea around NIST and kind of plays to the rest of the five controls that we're all used to seeing for the last couple of years. An enhanced emphasis on supply chain: so more and more as we, you know, create kind of the global economy, or more vertical integrations, things like that, supply chain risks have become something that's on the forefront of a lot of companies' minds, certainly that I talk to, and that, you know, directly relates to NIST, but also if you've heard of or are privy to CMMC, there's a lot of controls specific to your vendors and also those that you're selling to. If they have any access to systems within your environment, even if they're, you know, dedicated systems, they still need to have some level of security so you yourself as a company entity are protected throughout your supply chain engagements. We'll talk a little about the timeline for rollout. As Matt has mentioned, this is still in draft state, so what we're talking about today is a little bit preemptive. Some stuff could change, but it's very, very late stage. This has been a long process to create NIST 2.0. The questions, if you will, or suggestions were due 11/6, November 6th of this year, so the question and answer portion is closed, so we should see something finalized in the next couple of months. And then we'll kind of wrap it up with how to get started. Winslow has some offerings that can certainly help you guys through a NIST assessment, which Matt will talk a lot more about as we get through the deck, but that's kind of how we'll end it: you know, what are the calls to action, what can you do to get prepared for 2.0. If you're already on 1.0, certainly a lesser lift. If you're just starting to look into NIST compliance as a framework that your company wants to try to adhere to, this will give you a great starting point on how to get going with it.

07:51

So this is kind of what it looks like. This is a 50,000-foot view on 1.1 and what 2.0 will look like. NIST originally was started in 2014, finalized in '18, and that's kind of where we see those traditional five different controls: Identify, Protect, Detect, Respond and Recover. As we move into 2024, over the last, you know, ten, eight years, etc., since we've had a new draft of this, a lot has changed. We've seen a lot of increase in malicious attacks, in cybercrime losses. We've seen the landscape change and pivot away from, you know, just the information age; we moved over to Internet of Things, and now we're stuck in and trying to cope with, quite frankly, AI and ML. You know, what is that going to mean for us going forward from a security perspective? And I think that's what 2.0 was really meant to try to address. And I think again, when you look at that overarching inside wheel, Govern, I think that's why it was created. And again, I'm pretty excited about this, I know Matt is too, because Govern is now going to get some tendrils outside of IT, right? It's going to have, you know, those of you on the line, I assume the majority are within some form of the IT or with your companies, but now it's going to have you directly interfacing with and having stakeholder, you know, people talking through NIST with you: what does this mean for the company overall, Mr. C-level, Ms. C-level? So I think there's going to be a lot of additional stakeholders that are going to take interest in NIST and start paying attention to what it means from an overarching company perspective, and again I think that's why Govern was created.

09:36

Frankly, side by side look. So maybe this is a 30,000-foot view of 1.1 and 2.0. You can see there were a number of changes, but the overall number of categories and subcategories actually decreased. So we went from five functions in 1.1 to six functions with the addition of Govern in 2.0, but then we decreased the categories and the subcategories. The reason for this was there was a lot of consolidation between some of the controls within Identify, Protect, Detect, Respond and Recover, and they were consolidated into some of these additional controls within Govern, and then further consolidated within the pre-existing five controls that we saw. As we get a little bit more granular into what these changes are, this is a very chaotic slide, it made my eyes bleed as I was making it, but this is what it looks like. So when you think about the controls themselves, here's what kind of changed or was consolidated or what is brand new. So we see a bunch of those different controls, certainly in Govern, all brand new, obviously, but then we saw some things drop from Identify, Protect, and from Respond. And from an actual subcontrol perspective, here's what happened. So you're going to see a lot of arrows starting to populate this slide, but nothing was truly eliminated from this. It just made it more intuitive and more cohesive, and again a lot of things got moved up into that overarching Govern category, which, like I said, I think is extremely important for the go-forward plan for anyone trying to adhere to NIST, because it gets a lot of additional buy-in from a company perspective outside of IT, which is where NIST was typically, you know, landing and where the responsibility used to lie. I think that'll be a big change for us going forward, and a welcome one, because at the end of the day, when we're talking about security, everyone is part of the security team at any company, regardless of size or regardless of vertical.

11:31

If you're unfamiliar with NIST, these are kind of what the controls, from an overarching perspective, are meant to do. So Identify is supposed to help you determine the current cybersecurity risk to the organization. It's not actually about identifying an in-flight threat, if you will; it's about identifying what within your environment potentially has gaps, has risks, could create some level of an impact to your business should you experience an incident or event, a breach, you know, whatever you want to call it. But that's really what Identify targets. Protect is what should you and could you be using within your environment to safeguard yourselves and really lessen the likelihood that you'll experience an incident in the first place. So that's what Protect is all about: what controls, policies, products, platforms, vendors, etc. are you leveraging to preemptively protect yourself and make it more difficult for your environment to get breached or infiltrated in the first place. Detect is probably the most self-explanatory one: what do you have within your environment that is assisting you in detecting if something wrong is going on within your environment. This is very, very multifaceted, as you guys might imagine. NIST refers to a lot of different things within a corporate IT environment, or any environment, for example, but what are you using to detect it. You know, we'll talk more about what that looks like, what a holistic approach looks like versus what kind of a point-product approach looks like, those types of things. And then responding: so how are you taking action once you do find a thing? So if something happens, what is your plan, do you have a plan? And planning is something that is now very much emphasized in 2.0. That's something that we at Arctic Wolf and Winslow have been talking about for quite some time. You know, if you don't have an IR plan, it's something you should seriously consider implementing, and there's different processes in which an IR plan is either good or bad. So of course we want to highlight the good, but now it's in this, now it's really, really talking about having something tangible that you can refer to that helps you and your company kind of stop the scramble on what is arguably the worst day in your life, if you do experience some kind of a catastrophic event. Recover, once again, moderately self-explanatory but quite convoluted. There's a lot of things that go into actual recovery of an incident, depending on what the impact was. You know, was it stolen data, was it ransomware, did it lock up your backups, which is, you know, a goal of a lot of different actors, to lock your backups, because once your backups are gone they pretty much have you. So what does it look like from a recovery perspective for your business? And then finally, the last one, the new one, is establish and monitor the organization's cybersecurity risk management strategy, expectations and policy. So once again, this is org-wide: what do we as a company need to do to create this cybersecurity risk strategy? And a lot of these new controls, consolidated controls moving up into Govern, we'll talk about that and we'll emphasize that. So those are the six controls now of 2.0, kind of at a very high level.

14:29

We'll start jumping into now what the individual changes of these controls and subcontrols and categories, etc., kind of mean, starting with Identify. Again, this is meant to help you identify and determine what your overall risk profile looks like. In the 1.1 table that I have there, anything that's kind of shaded in gray has been moved. So the four that you see shaded have been moved over into Improvement, or moved over into governance. So there's been a lot of moves and changes. This is not a one-for-one representation of all the moves and pivots and changes, just kind of a condensed view for you. But in 2.0 we do see a new category just called Improvement, and what Improvement is really here to do is to help organizations just drive toward improvements overall in the organizational cybersecurity plan. You know, what procedures do we have in place, what do those activities within those procedures look like, you know, kind of helping you create a framework on what Identify needs to look like, so your identification of your risks within your environment becomes more comprehensive. And the more comprehensive knowledge you have of your gaps and what your risks are, the better an Arctic Wolf and a Winslow can help you address those, you know, with various solutions like Arctic Wolf and a myriad of other things, of course, that go into an overall cybersecurity play. So that's what we saw, at least, in Identify.

15:56

But moving even further into the Improvement category, there are four subcategories now within Improvement, and the first word there in the IM-01 is "continuous", right? This is not a one-and-done exercise, and there's no way that I can emphasize that enough. Continuously understanding your environment via, you know, your own knowledge and research, but also via continuous monitoring and having someone there to help identify gaps with you, is the first call-out in this new Identify, excuse me, Improvement subcategory. And then it moves further into actually testing things out, right? You created a plan, you've maybe identified some risks, but have you tested, have you done exercises, do you know your findings to be true or false? So it's calling that out directly here as well. Lessons learned: so creating some kind of a journal, log, etc. on what you've learned, what procedures work, what didn't work, what you need to, you know, rethink perhaps. And then finally a cybersecurity plan that's effective, that is communicated, maintained and approved. And I think the key word there is probably "communicated", right? So the entire organization understands what should and, frankly, what should not happen during some form of an event. That has gone into that Improvement category, so it can all be laid out, understood, and you have a playbook that is ready to be executed upon, you know, in the instance that you have a problem.

17:24

So that's the bulk of what we saw from the Identify category shifting or changing or being augmented in some way, which brings us over to Protect. So Protect had a bunch of changes as well, as you might imagine. Those three shaded in gray there have been consolidated or moved or tweaked once again into two additional categories that are new for Protect in NIST 2.0. So we see Platform Security and we see Technology Infrastructure Resilience.

17:50

So starting with Platform Security, this is really talking about hardware, software, firmware, operating systems, all of the things that make up your environment, physical, virtual machines, are managed consistently, that we understand how they're being managed, that there's a risk strategy again

play18:07

encompassing them um to protect their

play18:09

integrity their availability and of

play18:11

course their confidentiality and then we

play18:13

can see some of the new controls uh that

play18:15

are that are provided into into those

play18:17

subcategories we have some around

play18:18

configuration management software being

play18:21

maintained um again arctic wolf sees a

play18:23

lot of these things and patching is is a

play18:26

total pain for anyone dealing with

play18:28

patching we understand that we can help

play18:30

with that but I'm glad it's being called

play18:32

out uh in in the way that it is now

play18:34

Hardware certainly maintenance um we see

play18:36

cves pretty much constantly for for

play18:38

firewalls for example so staying on top

play18:41

of those types of things um certainly

play18:43

lowers your overall risk profile log

play18:46

records are generated and made available

play18:48

for continuous monitoring this is a big

play18:50

one this is referring to 247 login event

play18:53

monitoring um something that arctic wolf

play18:55

plus Winslow are very very good at

play18:57

providing and something that I still do

play18:59

not see being done anywhere near enough

play19:01

in the wild um so I'm again once again

play19:04

I'm glad that this is called out as

play19:06

specifically as it is within the protect

play19:08

function um installation and execution

play19:11

of unauthorized software are prevented

play19:13

I'm guilty of this quite frankly I've

play19:15

installed a thing or two on my work

play19:17

machine once or twice um but this is

play19:19

something that you know again I

play19:20

shouldn't be doing nor nor do I these

play19:22

days but um you know this is something

play19:24

that mist certainly calls out as well

play19:26

because if something gets installed and

play19:28

for for example they installed an

play19:29

application that included one of the

play19:30

vulnerable log forj jres a year and a

play19:33

half two years ago that could have

play19:35

exploited an entire company uh if it was

play19:37

done so on a business machine um and

play19:39

then finally securing software

play19:40

deployment practices so so how are you

play19:42

guys pushing XYZ to your clients what's

play19:45

the update cycle look like change

play19:47

Windows all those types of things uh

play19:49

making sure that those get

play19:51

monitored moving over one more into the

play19:54

technology infrastructure resilience

play19:56

subcategory um this is all about

play19:58

security Arch architectures are

play20:00

maintained and managed with the

play20:02

organization's risk strategy to protect

play20:04

asset confidentiality Integrity

play20:05

availability and organizational

play20:07

resilience and we can see four different

play20:08

changes here um Network and environments

play20:10

are protected from uh unauthorized

play20:13

logical access organizations's

play20:15

technology assets are protected from

play20:16

environmental threats uh mechanisms are

play20:19

implemented to achieve resilience uh in

play20:21

normal and adverse conditions and

play20:23

adequate resource capacity to ensure

play20:25

availability is maintained so as you're

play20:27

kind of thinking through these you know

play20:29

active passive type Technologies active

play20:31

active even all of these types of

play20:33

decisions and Frameworks can kind of

play20:34

work into into these four new controls

play20:37

that they've bundled under this

play20:38

technology infrastructure resilience

play20:40

header um which was further

play20:42

consolidation most of these all existed

play20:45

in some former fashion in one one um

play20:47

they're just called out a little bit

play20:48

differently you can see some of the

play20:50

references to formally you know XYZ in

play20:52

that Top Line um so you can see where

play20:54

the pivots were made uh and where they

play20:56

were kind of bundled if you will will

play20:58

into this new technology infrastructure

play21:00

resilience

play21:03

subcategory finally or not finally

play21:05

detect so detect is all about again

play21:07

finding and analyzing cyber attacks so

play21:09

we see detection processes being kind of

play21:12

moved if you will and again re rebundle

play21:15

into continuous monitoring and into

play21:17

adverse event analysis I am personally

play21:20

pretty excited about this because that

play21:22

directly ties into quite frankly what

play21:25

arctic wolf is and what arctic wolf does

play21:27

so um our core construct if you will and

play21:29

how we kind of came to Market 10 years

play21:31

ago was the idea of manage detection and

play21:34

response which focuses on continuous

play21:36

monitoring and adverse event analysis um

play21:39

I won't get too much into this slide

play21:41

guys I don't want to make this a sales

play21:42

pitch but just know that arctic wolf is

play21:45

a managed security operations center

play21:46

that is delivered as a service one of

play21:48

the services that we offer is MDR and

play21:51

MDR is quite frankly 247 log ingestion

play21:54

from across your entire environment

play21:56

integrating with a lot of different

play21:58

third party productss you may already

play21:59

own like crowd strike or Defender ATP

play22:01

opad Duo o365 all that stuff combining

play22:05

it with Telemetry that we're generating

play22:06

our own via a physical sensor that's

play22:08

deployed on your network and Via an

play22:10

agent that is also deployed on all of

play22:12

your endpoints Cloud desktop laptop or

play22:15

server aggregated under a single

play22:17

umbrella acting as a single source of

play22:18

Truth and then looking through all of

play22:21

the events that were uh receiving from

play22:23

your environment looking for anomalies

play22:26

indicators of compromise things that are

play22:28

flagged by third party Integrations that

play22:30

we have and then responding to them so

play22:33

here's what we found here's what it

play22:34

impacted within your environment here's

play22:36

how we get rid of it let's go um so

play22:39

again if I go back one slide and and

play22:41

look at continuous monitoring and

play22:42

adverse event analysis that is exactly

play22:44

what arctic wolf does so we're excited

play22:46

to see this called out in the way that

play22:47

it is called out in 2.0 because the more

play22:51

customers clients that are using Arctic

play22:53

wol or frankly anything else that are

play22:55

monitoring and you know actually

play22:57

reacting to diverse events in a correct

play22:59

and and quick way the less we're going

play23:03

to see from a cyber losses perspective

play23:05

and there's anary benefits to that too

play23:07

right like your cyber insurance premiums

play23:09

maybe doubling over the last 24 months

play23:11

no one's really been a huge fan of that

play23:13

maybe we'll start to see that Whittle

play23:15

down you know as these cyber insurance

play23:16

companies hopefully you know start

play23:18

paying out less because we're getting

play23:20

more in tune with what needs to be done

play23:23

to properly secure

play23:25

environments respond how am I taking in

play23:28

action during a cyber incident obviously

play23:29

arctic wolf can assist in that the the r

play23:31

and MDR does stand for respond but we

play23:33

saw some changes here as well response

play23:35

planning and improvements as you might

play23:37

imagine those have been uh pivoted again

play23:40

or or moved over into more of the

play23:41

governance subcategory which we'll talk

play23:43

about in depth in a couple minutes um

play23:45

but we've created the four categories

play23:46

now within response we have Incident

play23:48

Management analysis response reporting

play23:51

and communication and mitigation and to

play23:53

kind of you know expand on that a little

play23:54

bit more you can see where some of these

play23:56

moves were made um a few of them were

play23:59

dropped as I had mentioned but they have

play24:00

been moved into other subcategories uh

play24:03

we have a couple different new ones four

play24:04

of them um so analysis is performed to

play24:06

determine what is taken during place of

play24:08

an incident finding the root cause of an

play24:10

incident oftentimes is critical to

play24:13

understand what gaps you have and how to

play24:15

fill those gaps um what actions

play24:18

performed incident data and metadata

play24:20

being collected again something that

play24:22

that arctic wolf can certainly assist

play24:23

with as well um and then lastly the

play24:26

incident magnitude and is estimated and

play24:28

validated so you know what did this cost

play24:31

your company and again that's a

play24:32

convoluted question too and I think

play24:34

oftentimes when we think of the cost of

play24:36

a breach let's say it's an average of $3

play24:38

million we just think of that $3 million

play24:41

as ransomware but you know the

play24:42

ransomware portion if it was indeed

play24:44

ransomware is is typically a a small

play24:46

percentage of that overall loss because

play24:49

you have operational loss you have you

play24:51

know loss of of man and woman hours

play24:53

going into whatever the solve for the

play24:55

situation happened to be and then much

play24:58

harder to quantify but you have

play24:59

reputational loss um depending on how

play25:02

you interface with your customers as

play25:04

well whether that's B2B or whether

play25:06

that's B to C there's a lot of

play25:08

reputational loss that comes along with

play25:09

that and that can linger for months or

play25:12

years um depending on on what

play25:16

happened recover so this is focusing on

play25:19

restoring assets and operations the

play25:21

picture there you're probably reading

play25:22

that and hold my beer um one of my

play25:24

favorite sayings but that is basically

play25:27

saying that a lot of what they have

play25:28

included now in 2.0 under the new

play25:30

incident recovery plan execution and

play25:33

communication really are telling you to

play25:35

kind of just hold your breath for a

play25:36

minute analyze the situation understand

play25:39

exactly what happened and then truly

play25:42

create a plan around your recovery

play25:45

rather than just going you know bowling

play25:47

a china shop trying to fix stuff and

play25:49

scrambling and not documenting and

play25:51

forgetting what got fixed and what

play25:52

didn't get fixed you know stop Slow Down

play25:56

plan and understanding exactly what it

play25:58

is that you need to do versus again just

play26:01

going crazy and trying to to scramble

play26:02

and fix things which again you know from

play26:05

an Arctic World perspective and I'm sure

play26:06

Matt can validate this too on a Winslow

play26:08

side the scramble is something that's

play26:10

very very hard to stop because when you

play26:12

have an incident that's of a magnitude

play26:14

in which you need to respond rapidly and

play26:16

quickly you've got your entire Team all

play26:19

just doing something scrambling without

play26:22

a lot of communication and again if you

play26:24

read through the recover sections of

play26:26

this uh which is kind right here that's

play26:28

really where the focus is um slow down

play26:31

take appropriate actions um have have

play26:34

this organized and and kind of ready to

play26:35

go and

play26:36

understood um again I won't read through

play26:39

every single one of these things but and

play26:41

you guys are free to have this uh slide

play26:43

deck as well at the end of this but um

play26:45

that's really what the recover decided

play26:47

to focus on I think a lot of the

play26:48

controls that were already there were

play26:49

good ones a lot goes into recovery

play26:51

certainly um but I think having a focus

play26:53

on making sure that it's well

play26:55

orchestrated um and well understood SL

play26:57

doent

play26:58

is a is a welcome change to T yeah Todd

play27:01

if you want me just to add some color to

play27:03

that so we we do have uh an incident

play27:05

response practice as uh as does Arctic

play27:07

Wolf and oftentimes we've responded to

play27:08

incidents together um I'll say um what

play27:12

tends to happen uh for folks that don't

play27:14

have a plan is uh twofold one is this

play27:18

just overwhelming sense of oh crap what

play27:22

do we do and you know we we have our own

play27:25

runbook as as does Arctic Wolf we often

play27:27

work together on um on the incident

play27:29

response but but this overwhelming sense

play27:31

of like what do we do now usually

play27:33

followed you know was followed by like

play27:35

panic and people start unplugging you

play27:37

know Network ports and shutting this

play27:39

down and it's actually um it can really

play27:43

complicate like forensic investigation

play27:45

because like ultimately you want to know

play27:46

how they got in who got in what's going

play27:48

on do we need to report this to the

play27:50

authorities So like um in the absence of

play27:53

a plan uh for Recovery uh we end up

play27:57

seeing uh just Panic uh you know and and

play28:00

uh you're right it's like slow down have

play28:02

a bit of a plan together understanding

play28:04

you know what's going on I'll tell you

play28:06

the next piece of this that um you know

play28:08

that's more of the it CIS admin

play28:10

technical side if you will the more like

play28:13

executive board side of this is um you

play28:16

know our systems are down uh we're

play28:18

paying people they can't work we're not

play28:19

bringing Revenue in our you know systems

play28:21

are offline how soon are we going to be

play28:24

back online that is like the number one

play28:25

question that you know comes up and and

play28:28

just kind of like in our combined

play28:29

experience just to be realistic with

play28:31

everyone on the phone I would say an

play28:33

average um when we get brought into an

play28:36

incident and this is just again like

play28:37

averaging everything out um the time

play28:40

from you know phone call till some basic

play28:43

restoration has happened just just in

play28:45

our experience is about three days um so

play28:48

that's like three days of downtime where

play28:51

uh you don't really know what's going on

play28:52

to have some semblance of a restoration

play28:55

plan you know of course in in the

play28:56

absence of having having something

play28:57

planned up front and then um from there

play29:00

uh we see actual restoration when when

play29:02

it's not really planned out and um you

play29:04

know we're just kind of figuring it out

play29:06

as we go because because this part um

play29:08

wasn't really thought of um Beyond kind

play29:10

of like we'll recover from backup um it

play29:12

usually takes two to three months uh to

play29:15

recover systems and and in that time um

play29:18

we've unfortunately experienced some

play29:20

organizations where they start

play29:21

questioning like the viability of their

play29:23

business not because they were um only

play29:26

attacked but because um their recovery

play29:28

mechanisms and the recovery planning and

play29:31

and what needs to happen to recover

play29:32

their applications data and and overall

play29:35

um operational State just wasn't really

play29:37

thought about so um to your point to I I

play29:40

actually love seeing more attention

play29:42

being spent on this end of the framework

play29:46

um and um and I I feel like with you

play29:49

know cyber risk and and cyber security

play29:51

incidence it's it's you know this is

play29:53

like very cliche it's it's not a matter

play29:55

of uh if it it will be a matter of when

play29:58

um attackers using AI based you know

play30:01

malware and AI based um attacks are are

play30:04

real it's something that technical

play30:06

controls may not be able to keep up with

play30:09

uh hopefully they minimize the risk and

play30:11

minimize the impact of of an incident um

play30:14

but everyone's going to be faced with

play30:15

recovery at some point so so like really

play30:17

putting some emphasis in planning and

play30:19

having the right policies and procedures

play30:21

in place is uh is really really critical

play30:23

and um I like seeing this being uh

play30:25

spiked out a bit more um in the 2.0

play30:28

framework yeah those are perfect points

play30:31

I mean just if you read a couple of the

play30:33

1. ons they they almost seem rudimentary

play30:36

compared to how 2.0 gets a little bit

play30:39

more you know finite on what the ask is

play30:42

um you know if you look at the kind of

play30:44

the backup um it's it's interesting

play30:47

right that it wasn't included to to

play30:49

begin with but um you know establishing

play30:51

and understanding that the backups

play30:53

you're restoring are actually good

play30:55

Integrity right because in storing you

play30:57

know re restoring a dirty backup just

play30:59

wasted a day

play31:01

D I'll tell you like Todd that is such a

play31:04

good example because I've like

play31:06

personally been on incidents where we've

play31:08

restored um you know applications I'll

play31:11

just say at a broad level they had

play31:13

already been tampered with and they had

play31:16

um some sort of a trip wire I'll say

play31:18

built into it where um if you went back

play31:21

as far as you know two weeks or three

play31:23

weeks or whatever to restore it they had

play31:25

already been in the environment that

play31:26

long and in that case it it wasn't just

play31:29

like the backup system that was flawed

play31:31

it was like the Integrity of that system

play31:34

and you know alongside that the backup

play31:37

itself was totally compromised because

play31:38

if you restored um if you restored that

play31:41

backup itself it was tampered with um

play31:44

and you know would essentially like

play31:45

reinfect the rest of the environment

play31:47

once it was restored so um I I agree I

play31:50

think youed like the perfect word here

play31:51

too where you're talking about like the

play31:53

1. one seems rudimentary and like it is

play31:56

I mean you look at it and it's like

play31:58

we're looking at like big you know

play32:00

crayons that we're drawing with with

play32:02

like a

play32:03

fist right versus uh perhaps the the

play32:06

Precision of a of like a number two

play32:08

pencil here so I think that's a great

play32:10

great Point yep absolutely I think it's

play32:12

gonna help a lot just for for everyone

play32:14

trying to adhere to Nest I think

play32:16

everyone should at least if you're going

play32:17

to pick any framework if you don't have

play32:18

you know a specific form of compliance

play32:20

you're mandated to do it here to this is

play32:22

a this is a great place to start and

play32:24

honestly if you do start with nest and

play32:25

then maybe via some pivot companywide

play32:29

you are now privy to some form of

play32:30

compliance you must adhere to if you're

play32:33

doing this you've probably satisfied 70

play32:35

80 90% sometime of the controls that

play32:38

that other compliance refers to um so

play32:41

I'm glad it's laid out the way it's laid

play32:42

out now

play32:43

yeah we'll jump into govern which is the

play32:46

last one kind of the new kid uh and

play32:47

again you know the one that I think

play32:49

myself and and I'm I'm understanding

play32:52

Matt is probably the most excited about

play32:53

because it does specifically speak to

play32:56

organization

play32:58

awareness of an overall security

play33:00

framework so um a bunch of new controls

play33:02

here there's six subcategories within

play33:04

the Govern section um again I won't read

play33:07

every single one of these uh but I

play33:09

certainly encourage you to do so but

play33:11

we're talking about organizational

play33:13

context uh an overarching risk

play33:15

management strateg strategy I talked

play33:17

earlier about the supply chain risk

play33:18

management and this is a big deal right

play33:20

if you are doing business again B2B and

play33:23

you have systems that are being accessed

play33:25

by whomever you're interfacing with they

play33:27

become compromised you now have or at

play33:30

risk at least of being compromised as a

play33:32

relation of that uh you know perhaps

play33:34

database that you're sharing or that

play33:36

interface that you're sharing or

play33:37

whatever happens to be so understanding

play33:39

your risk around your supply chain is

play33:40

something that's pretty critical um

play33:42

roles responsibilities and authorities

play33:44

again like I said this is going to bleed

play33:46

outside of it in a very very welcomed

play33:49

way where the rest of your organization

play33:51

um should and could be a part of your

play33:53

overarching security plan gaining

play33:55

awareness for those of us in the it

play33:58

realm um gaining Buy in uh and and

play34:01

hopefully you know having a little bit

play34:02

more um versatility in what you're able

play34:05

to talk about present and and you know

play34:08

try to fix your gaps with um so I think

play34:11

this is a very good thing uh policies

play34:13

processes procedures Etc um those are

play34:15

kind of table Stakes but again they've

play34:17

been moved into that govern category so

play34:19

it becomes like I said earlier more of

play34:21

an overarching idea and then oversight

play34:23

you know who's who's the one ultimately

play34:25

paying attention responsible for

play34:27

uh validating Etc all of these different

play34:30

strategies um that we that we putting in

play34:32

place via the

play34:34

n2.0 so to get a little bit more into it

play34:37

just kind of kind of some questions to

play34:38

you know ask yourself this is really

play34:40

what govern is is getting you to do is

play34:42

kind of create that conversation within

play34:44

your organization around you know why do

play34:47

we exist and what are we trying to

play34:48

accomplish some of these are are kind of

play34:49

no-brainers but you know what are our

play34:51

internal and external stakeholders and

play34:53

what are their needs and expectations um

play34:55

you know if you're a if if you're a CFO

play34:57

perhaps you know maybe it isn't

play35:00

something that you're necessarily diving

play35:02

into at a granular level certainly

play35:05

you're approving projects but um maybe

play35:07

this will give you a lot more Awareness

play35:09

on you know what what nist is and why

play35:12

cyber secur is important in the first

play35:13

place um objectives capabilities you

play35:16

know that your stakeholders depend on um

play35:19

does Enterprise risk management include

play35:20

cyber security is that actually a

play35:22

control or a thought process within your

play35:24

risk management plan overall

play35:27

um what's your appetite for risk and

play35:29

your tolerance for risk this is a super

play35:31

interesting question that I get to ask

play35:33

prospects every now and then when I'm

play35:34

talking to them and the answers that you

play35:36

get just very wildly um and some of them

play35:39

are funny some of them are depressing

play35:41

but but overall it's a very very

play35:43

different story from whomever you're

play35:44

talking to on what their their tolerance

play35:46

for risk is um have you standardized on

play35:49

methods for for calculating for

play35:51

documenting for prioritizing your risks

play35:53

again are these something that you are

play35:55

paying attention to on a daily basis and

play35:57

from my experience over the last four

play35:59

years I can wholeheartedly answer the

play36:01

majority of people I talk to the answer

play36:03

is no um because I'll be in engagements

play36:06

for you know a month long two month long

play36:08

three Monon long conversation with a

play36:10

prospect um and during that duration of

play36:12

conversations with arctic wolf or maybe

play36:14

they were budget constrained or they had

play36:16

never been breached before so they

play36:17

haven't felt the pain of of being

play36:19

breached uh historically speaking and

play36:21

then they get popped in the middle of

play36:22

our conversations we're engaging you

play36:25

know with Winslow we're deploying IR

play36:26

we're doing all these things um and it

play36:29

it becomes a question of you know had we

play36:31

just gotten this done this would have

play36:33

never happened um and often times the

play36:35

the remediation tactics and the cost

play36:38

implications and all of those other

play36:40

things that come along with having a

play36:41

breach are are far more expensive than

play36:43

the solution would have been to prevent

play36:46

uh The Happening of the of the problem

play36:49

um and then finally again going back to

play36:51

supply chain do we understand our

play36:52

suppliers and partners what their

play36:54

requirements are um and how do we

play36:57

address supply chain risk so what I

play37:00

highlighted at the bottom here is again

play37:01

kind of the the overall idea this the

play37:03

Govern function helps organizations

play37:05

achieve and prioritize outcomes of the

play37:07

other five functions in the context of

play37:09

mission and stakeholder expectations um

play37:12

so like I said earlier I think it's a

play37:15

really good control I love that they

play37:16

made it touch everything you know kind

play37:18

of made this its own Inner Circle

play37:20

meaning that it has its tendrils into

play37:22

the other five pre-existing controls um

play37:25

because governance is something that you

play37:27

know really should be paid attention to

play37:28

I think first and foremost to have that

play37:31

understanding of what each one of these

play37:32

controls means to the entire business um

play37:35

not just to those of us in

play37:38

it quick example we all remember the

play37:40

solar winds breach um this was uh pretty

play37:44

dramatic um it's often times been quoted

play37:47

by the the CEO of Microsoft as being the

play37:50

most sophisticated breach we have ever

play37:52

seen um and that's true in some aspects

play37:55

um but to kind of go through this a

play37:57

little bit you know this was something

play37:59

of a supply chain breach to a degree um

play38:03

we saw this in early 2020 actually late

play38:05

2020 excuse me that that year just

play38:07

completely Blends for me um but you know

play38:10

Implement zero trust and that's

play38:11

something again that that we can

play38:12

certainly assist with certain aspects

play38:14

with Winslow can assist with a lot of

play38:16

the other aspects um but but do active

play38:18

audits, you know, understand what changes you've been doing in your environment. Implement SIEM and log management; those were recommendations made after this breach occurred. Fine-tune your DLP, so do you even have DLP to fine-tune? Maybe that's the first place that you would need to look, but should you have a DLP plan in place, you know, make sure it's tuned, make sure it's actually doing what it needs to be doing. And penetration testing, and again this is something that Winslow can assist with: test your environment. If you're not testing your environment and you've put all these controls in, you've done the things, you have a good environment on paper; if you haven't tested the thing then you don't know how good it actually is. And not just it, you don't know how good you actually are, right, how you're responding to it at a company level, who you're engaging with. All those types of things need to be tested on a regular basis, and I think penetration testing, tabletops, red team, purple teams, all those types of things should be leveraged as much as you see fit to understand your environment and what it looks like in an actual real-world type of an incident.

39:19

So I said earlier at the beginning of this slide, this was called oftentimes, again by the CEO of Microsoft, the most sophisticated breach we've ever seen. But kind of the fun fact, some of you probably know this, some of you don't, but the server that was initially hacked by the bad actors within SolarWinds, the password was solarwinds123. So while the breach became sophisticated, the initial compromise was anything but. I mean, I'm not going to say that I would have guessed this, but if you're just using a password spray application, it's not going to take that long to get to solarwinds123. This comes down to, again, the governance part of what we're talking about within NIST: password policies, enumeration, complexities, reusage, all those things that we all in our minds think are table stakes are absolutely not table stakes. Human beings, again, are the number one vulnerability that any company has regardless of vertical, size, industry segment, anything. So simple policies like this, again, are things that we can assist with helping on, Winslow can certainly help assisting on, but NIST or any other, frankly, common-sense logic could also assist on helping as well. Matt, do you have anything to add?

40:33

Yeah. I feel like it's, you know, it's weird to be excited, if you will, about this, but I feel like I'm personally excited about it just because of how often, you know, myself and my team get involved in incident response, and like, I'd like my weekends and holidays back too, you know. So by having a bit more risk management and governance on the front end, it certainly helps us all out. One tip I would, you know, implore folks attending the webinar is like, it is very difficult to do governance, you know, risk and compliance management out of Excel. So while you can download this framework and other frameworks out of, you know, Excel and work from there, it's a real rudimentary way to do it. It is very difficult to co-contribute, track changes, and do things of that nature. So I would implore people to consider like a GRC tool, you know, and some, you know, services to help people understand and digest that. We offer one, candidly, but there are other GRC tools out there too. So that would be part one.

41:41

I think part two is, it's interesting to see this unfold because I believe it was out of necessity that we had to, or that we got where we are, right. Attackers were smarter, well, I don't know about smarter, but were more motivated, I'll say, you know, financially, to take organizations down, demand ransom, so on and so forth. Your average IT sysadmin is trying to keep the lights on, you know, deploy new software for the organization, so on and so forth. It is very difficult for that, you know, individual or that team of individuals to combat the ongoing, you know, threat of incidents, and what that led to was just deploying a bunch of tools because we needed to, like, plug the holes in the dam, if you will. You know, it's like the, you know, European Vacation, right, scene where Clark Griswold's, like, plugging the holes in the dam, that kind of thing. So we had to do that out of necessity, and now, you know, we're able to come back and say, hey, if we were to do this right, or rather, what would we do? And it kind of naturally leads itself to, like, well, step one is, it's very difficult to manage by exception. It's very difficult to manage by just saying, like, well, we got this happened, we're going to do this by reaction, right.

42:59

So what this says is, let's hit the pause button, like you said earlier, take a step back and really understand what our risk is first. What is our risk of a ransomware attack? What's our risk if our ERP system is offline for a week? What's our risk if our self-funded employee health care benefits system is compromised? I don't know, there's a whole bunch of things, like even simple stuff like organizations have, you know, what they think is a really solid practice, but maybe someone in finance or payroll or whatever, you know, was running payroll reports, and they just innocently store that payroll report for quote-unquote backup purposes on their laptop or a network share that wasn't, you know, sanctioned. But it wasn't, you know, clearly communicated by policy that we don't store stuff like that, that's considered PII, we don't store that locally on our machines, and there is no software DLP solution to, like, even prevent that, which would be a step further. So I feel like this whole notion of governance and, like, managing by policy really sets a bar and a framework for all organizations to be able to have, like, a common, you know, internal to that organization, a common set of practices, you know, procedures, and, you know, rules, really, to conduct business and really keep that organization, or better, keep that organization cyber safe and really managing risk versus, you know, just plugging holes in the dam, if you will. So sorry, I didn't mean to, you know, steal the whole show here, but I feel like this is actually like a much-needed addition to the framework, and, you know, fantastic to see kind of, like, this development of the framework and see it evolve and morph over time as risks and organizations evolve as well.

44:47

Yeah, couldn't agree more, man. You're not stealing the show, you're adding to it, so thank you very much.

44:53

Sure.

Really good points. So I think the last slide for me actually is going to be the timeline. So again, I had mentioned, and Matt had mentioned, this is still technically in draft, but if you look at this timeline a lot of work has been done over the last about 12 months, actually. Comments were due November 6, which basically means, you know, hey, we have some last-minute edits, some last-minute things we want to see. So that was due, you know, a couple months ago, so we're right in the middle here where we should see this finalized, probably extremely close to what we've just shown you. In the next month or two is when we expect this to be officially drafted and 2.0 becomes official, slash, non-draft.

45:38

So with that I'm going to pivot back over to Matt. He's going to talk a little bit more about what Winslow does from their NIST evaluation perspective, you know, how that could help you guys going forward, and then we'll get into Q&A at the end here. So Matt, if you want to take it away.

45:54

Yeah, absolutely. So thank you, Todd. So if folks have never gone through any sort of a framework review or, you know, popped the hood, if you will, on, you know, NIST 1.0, 1.1, or even took a look at 2.0, that's actually totally cool. Like, we at WTG are happy to offer a no-cost mini NIST Cybersecurity Framework assessment, if you will. So it's a consultative interview, we ask a bunch of questions around each family or function of the framework. It's a great time for you to be able to ask any questions that