A demonstration using an online tool, the CREF Navigator™, to apply the cyber resiliency considerations of NIST SP 800-160 Volume 2 (Rev 1) to common use cases.
Comprehensive technical frameworks are usually voluminous, including many definitions, concepts, relationships, tables, and references, with linkages to other key frameworks or publications. NIST SP 800-160 Volume 2 (Rev 1), “Developing Cyber-Resilient Systems”, is the leading framework defining and shaping the cyber resiliency space for US federal information systems. It is generally applicable and can be adopted by any organization seeking comprehensive, well-defined cyber resilience guidance. The publication, which runs over 300 pages, centers on the Cyber Resiliency Engineering Framework (CREF), whose constructs include, in addition to the definition of cyber resiliency, four goals, eight objectives, fifteen techniques, fifty approaches, and fourteen design principles, together with their many-to-many relationships. Needless to say, such a document is daunting to novices seeking cyber resiliency guidance and its relationships to other key frameworks such as NIST SP 800-53 (Rev 5) or the ATT&CK® Framework.

The CREF Navigator™ was developed as a web-based relational tool that distills the complex concepts and relationships of NIST SP 800-160 Volume 2 (Rev 1) into usable cyber resiliency terms, tables, and relationship visualizations, enabling architectural and engineering analysis. The tool contains a hover-over, clickable dictionary of cyber resiliency terms; customizable visualization of complex relationships to other frameworks; the ability to balance and prioritize cyber resiliency choices based on nodal analysis; and export and import capabilities with ATT&CK® Navigator for presentation and analysis. The tool also serves as a crash-course reference and training aid for those new to cyber resiliency concepts. The CREF Navigator™ is freely available on the internet at https://crefnavigator.mitre.org. This webinar will explore the development of the tool and its potential use cases.
There will also be demonstrations of the CREF Navigator™ tool showing how an organization can spark cyber resiliency discussions, analysis, and prioritization, and build visual relationships to mitigations and ATT&CK® tactics and techniques.
Francesco Chiarini – Head, Cyber Resilience Risk Strategy, ISSA Cyber Resilience SIG
Francesco Chiarini is the founder and Chair of the ISSA.org Cyber Resilience Special Interest Group, which has over 1200 associates across the globe. In his day-to-day role, he leads cyber resilience globally for Standard Chartered Bank, with the aim of assessing and evolving the Bank’s cyber resilience posture by highlighting the key strategic capabilities needed to sustainably stay ahead of the cyber threat. Francesco has 15+ years’ experience in IT and cyber security and joined Standard Chartered Bank from PepsiCo, where he was in charge of one of the two global Cyber Fusion Centers (Poland), leading incident response, adversary emulation and cyber resilience globally.
He is a big aficionado of NIST and MITRE products and promotes the concept of threat-informed architecture (beyond threat-informed defence). Since 2019, when NIST released the 800-160 publication, Francesco has specialized in equipping companies with the ability to withstand and recover from multi-faceted attacks by advanced adversaries. He had the privilege of building a best-in-class cyber resilience program vetted, among others, by experts of the US CISA cyber resilience task force. In this capacity, Francesco coined the concept of the “high value target” and developed a methodology to identify an asset’s value from an adversarial standpoint.
In 2022, he co-authored, among others, the whitepaper “The Cyber Resilience Index: Advancing Organizational Cyber Resilience”. Francesco has also hired hundreds of information security professionals in Warsaw, Poland, and in 2018 he won a global innovation award from the US Consumer Brands Association among Fortune-100 companies.
He is the founder of the Consumer Packaged Goods (CPG) Special Interest Group (SIG) at FIRST.org and of the Poland FIRST.org group. He received the 2021 Volunteer of the Year award at ISSA.org, is Director for International Cooperation at ISSA Poland, and is an Advisor of the FIRST.org Security Metrics SIG.
Francesco holds an MA in International Economics and a B.Sc. in Management Engineering, as well as a number of professional certifications.
Shane Steiger – Principal Cyber Security Engineer, MITRE Corporation
Mr. Steiger joined MITRE Corporation in 2018 as a Principal Cyber Security Engineer. He has over 24 years of cyber security experience across multiple large enterprises and industries. He spent 9 years building and securing SCADA/ICS infrastructure for a large food manufacturer. He then worked for 6 years as an infrastructure security architect at a large drug distributor. He worked as Chief Endpoint Security Architect for a large technology company, enabling the architectures of one of the largest spin/mergers to date. Most recently, he was Director of Security Strategy and Innovation within a large telecommunications and entertainment organization. Mr. Steiger was an early adopter of MITRE’s Cyber Resiliency Engineering Framework (CREF) and the ATT&CK® Framework, and he incorporated each framework into the threat modeling, emulation and defensive strategy choices of his organizations. As part of his role, he was a member of multiple public and private partnership working groups. Some of that output can be seen in Security Tenets for Life Critical Embedded Systems (published by DHS), in the informational website on resilience Industry Perspective on Cyber Resiliency (hosted by MITRE), and in NIST SP 800-193, Platform Firmware Resiliency Guidelines. Mr. Steiger also contributed directly to NIST SP 800-160 Volume 2 (Rev. 1): Developing Cyber Resilient Systems: A Systems Security Engineering Approach. Mr. Steiger has spoken at the Annual Secure and Resilient Cyber Architectures Invitational several times and has also presented to the Pennsylvania Bar Institute. He developed a cyber security game based on ATT&CK®, which he presented at DEF CON 24 as “Maelstrom: Are you playing with a full deck? Using a cyber adversary game based on ATT&CK® and the Lockheed Martin Kill Chain® to educate, demonstrate and evangelize.” Currently, Mr. Steiger is leading a small team developing the CREF Navigator™, which presents the contents of NIST SP 800-160 Vol. 2 (Rev 1) as an interactive website.

Mr. Steiger received his Bachelor of Arts in Mathematics and Latin from Susquehanna University and his Juris Doctor from Widener University Commonwealth Law School. He is a CISSP and a member of the Pennsylvania Bar.