Cyber Resilience in Practice: Demo of The MITRE CREF Navigator Tool

  • This event has passed so registration is closed.

Details

Date and Time

April 4, 2023 @ 10:00 am - 11:00 am EDT

Event Category

Web Conference

Organizer

Roxanne Pirooz

Contact

Anne Rogers

Overview

Demonstration utilizing an online tool, the CREF Navigator™, to apply cyber resiliency considerations from NIST SP 800-160 Volume 2 (Rev 1) to common use cases.

Comprehensive technical frameworks are usually voluminous, including several definitions, concepts, relationships, tables, and references, with linkages to other key frameworks or publications. NIST SP 800-160 Volume 2 (Rev 1), “Developing Cyber-Resilient Systems,” is the leading framework defining and impacting the cyber resiliency space for US federal information systems. It is generally applicable and can be adopted by any organization seeking comprehensive and well-defined cyber resilience guidance. The publication, which is over 300 pages, centers on the Cyber Resiliency Engineering Framework (CREF), whose constructs include, in addition to the definition of cyber resiliency, four goals, eight objectives, fifteen techniques, fifty approaches, and fourteen design principles, along with their many-to-many relationships. Needless to say, such a document is rather daunting to novices seeking cyber resiliency guidance and relationships to other key frameworks like NIST SP 800-53 (Rev 5) or the ATT&CK® Framework.

The CREF Navigator™ was developed as a web-based relational tool that distills the complex concepts and relationships from NIST SP 800-160 Volume 2 (Rev 1) into useful cyber resiliency terms, tables, and relationship visualizations, enabling architectural and engineering analysis. The tool contains a hover-over, clickable dictionary of cyber resiliency terms; customizable visualization of complex relationships to other frameworks; the ability to balance and prioritize cyber resiliency choices based on nodal analysis; and export and import capabilities from ATT&CK® Navigator for presentation and analysis. The tool also provides an excellent crash-course reference and training tool for those uninitiated to cyber resiliency concepts. The CREF Navigator™ is available to the masses via the internet for free at https://crefnavigator.mitre.org.

This webinar will explore the development of the tool and potential use cases. There will also be demonstrations utilizing the CREF Navigator™ tool showing how an organization can spark cyber resiliency discussions, analysis, and prioritizations, and build visual relationships to mitigations and ATT&CK® tactics and techniques.

Moderator

Francesco Chiarini – Head, Cyber Resilience Risk Strategy, ISSA Cyber Resilience SIG

Francesco Chiarini has nearly 20 years’ experience in cybersecurity and is the founder of the prestigious ISSA.org Cyber Resilience specialized community, with over 2400 associates across the globe. In his day-to-day, he leads cyber resilience for a major financial institution with the aim of continuously assessing and evolving the organization’s defensive posture to sustainably stay ahead of the cyber threat. Francesco received the global innovation award from the USA Consumer Brands Association in 2018 and is the 2021 volunteer of the year from ISSA.org. He is a sought-after speaker who has presented to global audiences, including recent talks at MITRE, FS-ISAC, ISACA, ISSA, Microsoft, London Stock Exchange, FIRST, Asia Pacific CERT, Africa CERT and many others.

In 2022, Francesco co-authored multiple recognized research papers, such as the World Economic Forum “The Cyber Resilience Index: Advancing Organizational Cyber Resilience”, the ASIFMA “Data Vaulting considerations for improving data recovery” and the Eurocontrol “Incident Timing Metrics, Reporting Cyber Risk to Boards”.

Francesco promotes and demystifies the concepts of cyber resilience and threat-informed defense across all industries and communities. From the beginning of his career, Francesco has been successful in providing international pedigree enterprises with the abilities to anticipate, withstand, respond and recover from multi-faceted attacks from advanced cyber adversaries. He had the privilege to build a best-in-class cyber resilience program vetted, among others, by experts of the US CISA cyber resilience task force. In this capacity, Francesco has coined the concept of “high value target” and developed a methodology to identify assets’ value from an adversarial standpoint.

Speaker

Shane Steiger – Principal Cyber Security Engineer, MITRE Corporation

Mr. Steiger joined MITRE Corporation in 2018 as a Principal Cyber Security Engineer. He has over 24 years of cyber security experience across multiple large enterprises and industries. He spent 9 years building and securing SCADA/ICS infrastructure for a large food manufacturer. He then worked for 6 years as an infrastructure security architect in a large drug distributor. He worked as Chief Endpoint Security Architect for a large technology company, enabling the architectures of one of the largest spin/mergers to date. Most recently, he was Director of Security Strategy and Innovation within a large telecommunications and entertainment organization.

Mr. Steiger was an early adopter of MITRE’s Cyber Resiliency Engineering Framework (CREF) and the ATT&CK® Framework. He incorporated each framework into the threat modeling, emulation and defensive strategy choices of his organizations. As part of his role, he was a member of multiple public and private partnership working groups. Some output can be seen in Security Tenets for Life Critical Embedded Systems, published by DHS; an informational website on resilience, Industry Perspective on Cyber Resiliency, hosted by MITRE; and NIST SP 800-193 Platform Firmware Resiliency Guidelines. Mr. Steiger also contributed directly to NIST SP 800-160 Volume 2 (Rev. 1): Developing Cyber Resilient Systems: A Systems Security Engineering Approach.

Mr. Steiger has spoken at the Annual Secure and Resilient Cyber Architectures Invitational several times. He has also presented to the Pennsylvania Bar Institute. He developed a cyber security game based on ATT&CK®, which he presented at DEF CON 24 – Maelstrom: Are you playing with a full deck? Using a cyber adversary game based on ATT&CK® and the Lockheed Martin Kill Chain® to educate, demonstrate and evangelize. Currently, Mr. Steiger is leading a small team developing the CREF Navigator™, which presents the contents of NIST SP 800-160 Vol. 2 (Rev 1) as an interactive website.

Mr. Steiger received his Bachelor of Arts in Mathematics and Latin from Susquehanna University and his Juris Doctor from Widener University Commonwealth Law School. He is a CISSP and a member of the Pennsylvania Bar.

ISSA Webinars and Conference series cover all the continuing education credits (CPEs, CEUs, ECE, etc.) to maintain your cyber security certifications. Each hour is equal to one continuing education credit. Certificates of completion are available upon request after completion.
