Hello, how's everyone doing today? So what we're going to be talking to you today about is a partnership that Microsoft has, working very closely with NIST, with the National Institute of Standards and Technology, with the Center for Internet Security (Tony's there in the front), as well as the Department of Homeland Security, and we also have some universities that are participating in the program as well to help give us that academic perspective. So my name is Mark Simos, I'm lead architect in our cybersecurity group at Microsoft. And Kevin?

I'm Kevin Stine. I lead our applied cybersecurity work at NIST, in partnership with organizations like Microsoft and other colleagues across the government and industry.

Yep, and we're going to tell you a little bit about the partnership today: how it works, what we're trying to accomplish. And quite frankly, we're simply trying to solve the patching problem. I know the word "simply" sounds like it's a bit of an over-promise, but we're genuinely trying to go after that problem in a meaningful way.

So when we look at cybersecurity hygiene, obviously we're on the show floor at RSA, and even for those of you that aren't here physically, that are watching the recording of this, there's a lot of talk of capabilities, of new ideas, fresh technology, applying those. That's a very important part of cybersecurity; it's a critical element to be solving a lot of the problems that we deal with on the risk side. But there's also a hygiene element. There's a lot of things that we've known to do for 10 or 20 years that are super critical for us to actually solve, but they're also pretty hard. And so we're going to talk today about how we're trying to tackle this together, and we're going to be asking for your help and your participation in solving these problems.

So ultimately cybersecurity hygiene is as simple in concept as washing your hands; however, it's a little bit more difficult. Anyone here ever tried to patch a hundred thousand-plus machines? It's a little bit challenging. So we understand that. We recognize how important it is, because we see the same issues in breach after breach, issue after issue, incident after incident. You see it in the WannaCrypt, Petya, you see it in the advanced attacks. It's always there, but it's very, very hard to fix. And so that's what we're working on: helping solve those kinds of issues.

So ultimately the purpose that we're setting out to do as a working group is, one, to get some attention, so that people notice that these organizations are working together, who all have this common purpose, because it's that important. But we're really trying to drive that ecosystem resiliency, to improve our ability as an industry to protect the assets that we need to protect against these attackers. And what we're seeing on here is a couple of different elements. We actually had a really productive working group yesterday, where we had a lot of input from a lot of different folks, including some container experts and some other security vendor experts, and we had a really good understanding that we developed on how to solve this problem.

And the things that we're going after first are what to do first. We know this is a challenge. There's a lot of guidance that says, "Hey, this is good to do for cybersecurity," but there's not a lot of guidance that says what to do specifically, in this order: first, next, beyond that. So we're focused heavily on that, and we have some work to share on that that we're going to point you to. And we're also recognizing that how to be successful end-to-end is also a challenge. So even if I know I have to patch, and I know it's my top priority, I need to know how to do it so I can actually be successful at patching. And so that's another element of it, and Kevin's going to be talking us through the NCCoE process, where we're going to be going through and working on that particular part of the problem. And of course we want to connect it to existing standards, so if you have a compliance set of requirements you have to meet, you want to absolutely get credit for what you're doing, so that you're getting that double credit: not only security against the bad guys in the incident, but also the connection to existing standards, so you can get that credit and also leverage the wisdom that's in those.

So this is an example; we're not going to go through all these. This is the first piece of work. So in the wake of WannaCrypt and Petya, we took it upon ourselves at Microsoft, and then we quickly realized this is kind of dumb for us to do this by ourselves at Microsoft, and so we started working with this group to identify: OK, what do customers really need to do to not be in the situation of being nailed by WannaCrypt and Petya? And it's, no, it's not a magic silver bullet. It's actually a set of steps, many of which we've known for a long time. And so we put a lot of time and investment into that. We worked with a group to validate and make sure everybody agrees that yes, these are the right things, this is the right order, this will have the effect, and we published it out there at aka.ms/rapidattack. You're welcome to go check this out and follow this guidance. We really want people to be following this so they don't fall victim to it. A number of us have visited some of the victims of those attacks, and it is a very difficult, emotional thing to think about and see and witness an entire enterprise really being brought to its knees. It was a very, very difficult situation. We do not want people to be in that again, so please follow this guidance, check it out, spread the word. So,

Kevin, you want to cover that?

Yeah, perfect sister, yep. Yeah, thanks, Mark. So again, I'm Kevin Stine from NIST; I lead our applied cybersecurity work. And I think, as Mark mentioned, he's absolutely right: we have serious or complex cybersecurity challenges that are impacting our businesses' and our organizations' abilities to accomplish our mission and our business objectives. And we know that there are many standards, many best practices, and different types of technologies that are available in the market today that, if integrated in the right way, can help us to address some of these complex challenges, not just from the technology perspective but really from the process perspective. And I think one of those challenge areas is patching, as a dimension of critical hygiene, so an absolutely important capability.

Our focus at the National Cybersecurity Center of Excellence, or the NCCoE at NIST, is to work with business process owners, organizations, kind of the practitioner level, to understand the business challenges that they're facing from a cybersecurity perspective; to work with the solution providers, the vendors, the organizations that are developing the products and the technologies that can be brought to bear to help address these challenges; and working together in a collaborative environment at the NCCoE to integrate these different solutions, standards-based approaches and solutions, to help build out example solutions to help address some of these challenges that organizations are facing.

You have the clicker? Thank you. So our operating model at the center is a pretty simple one, if you will. We start off by defining the problem, and it's really sessions like this one, and the one that Mark referenced that we had yesterday, to help get feedback from folks to help us define the problem in a way that is going to be meaningful to the community and is going to be something that we can achieve using the suite of standards and best practices and technologies that are available today, that again, if integrated in the right way, can be brought to bear to help produce some example solutions and references that will help you to achieve your objectives.

We seek to assemble a team. We seek to assemble folks that are experiencing deep challenges, that want to have a better patch management process and patch capability in place for their organizations, and have experiences that can be brought to bear to help inform our efforts, and be able to take the solutions and the examples that we produce and kind of take those, kick the tires, and improve their processes and provide us that feedback. That also includes the vendor community that has the different types of solutions and capabilities that can be integrated in a way that could help to produce a more holistic solution and capability.

After we assemble our team, we go into kind of the build mode, the build phase if you will, where we work in our lab with the different vendors and the business process owners, the organizations, to build out the example solutions, to kind of integrate the actual products and technologies, and the standards-based, the standards and best practices, in a way to prove out an example solution. And we document this very meticulously, so that a practitioner can take the final output from this effort and replicate it within their environment, down to the bits and bytes, the little configurations and the little configs that we flip the switches on to make these things interoperate in a meaningful way and hopefully produce the intended outcome that we're trying to achieve here.

And after we complete the build and issue the guideline (in this case it's a practice guide coming out of NIST in our 1800 series of resources), we go into kind of advocacy mode, if you will. It's not something that you can just put out there and let it speak for itself. We want to go out and share this resource with folks, talk about it, understand your challenges, your implementations, be able to provide input to you on how you could take these resources or others and help to address your challenges, and then also have kind of that feedback loop, so that you can provide information to us about your experiences and what worked and what didn't, in an effort to improve not just these types of resources but also the broader standards and the technologies that are being developed to address some of these complex cybersecurity challenges that we're facing.

Thanks, Kevin. So this is just a quick snippet of some of the work that we've been doing in this space. The intent is that when we provide these solutions out of the NCCoE process, we want to provide something that's useful, something that's actionable, that I can take and say, "You know what, this is my template for my patching process, and I need to make sure I have all these components. And I happen to have this vendor; do they go in the lab and test it? Great, here's my instructions on how to do that. Here's my template process of what I do on phase one, on day one of patching, what do I do on the next day, the day after that." So we're really trying to get that level of utility and that level of detail, so that people can actually go for it, then check their program against, measure against this reference, and build a new program, as I know so many organizations are fine, are just building their own security departments. So really driving towards that actionability to help with that.

Just a couple of notes, because we do have a few moments here. We are focused in this first effort on the technical pieces necessary to patch across a typical enterprise. We are putting operational technology, unpatchable stuff, we're not dealing with that in a lot of detail. We're actually going to make that more of an isolation strategy. So if you have access to the Internet, either directly or via the intranet, you have to patch; if not, the recommendation is isolation, and here's the criteria on how to actually isolate and do it correctly. So that's the scope of the first one. We know that there's a lot of pain in managing and patching the OT space, but that's going to be for more of a future effort; it's currently out of scope for this first one. We want to get the IT and the IT related a-19 looking stuff solved first, and so we're really approaching it from that perspective, or to the manage, which is kind of the bulk of the devices you deal with. Network devices we're bringing into scope, which is something that isn't addressed with a lot of patching programs. We want to push that envelope: all the elements of the patching solution, not just what requires a patch, but also how do you secure that, because these are often powerful systems that the adversaries can weaponize. We want to make sure that we're including the standards on securing those, and then of course all the elements in the back-end data center, from the VMs to the containers to the hosts as well. So really trying to address that level of scope in the first version of the effort. Makes sense? OK, I got a few head nods, cool. And so, last piece here. Kevin, you want to cover that?

So again, everything we do at NIST is done in a very open and transparent, inclusive way, and it's intended to really bring folks in, understand their challenges, be able to receive your operational experiences to essentially inform the process here, and in all of our standards and guidelines, help to inform the development to make them more meaningful and useful. And this project is no exception. We certainly are looking for your thoughts and your inputs to help not just scope this project as we've discussed it so far, provide your inputs on that and how we could improve this effort, and then certainly in every step along the way, reviewing the different resources that we'll put out around this patching effort that we're starting here, including some of the questions and things that are referenced up here. We certainly would be eager to get your feedback on these. You can definitely reach out to us through the email address at the top, cyberhygiene@nist.gov, and provide that information, and also use that as kind of a mechanism to stay engaged with us. And we commit to working with any and all that are interested to take that feedback and improve the process.

Absolutely. And if you guys hadn't read into it, we're really looking for bright spots. If you feel like you did something that really works well, you've got a good process, you've got a good set of strategies or something that works, we're really looking for that, because we want to get the bright spots from the community and share with all through this process. So with that, we'll go ahead and take questions. OK, no questions from the audience, so we'll take them afterward on the stage. Oh, I'm sorry, we are looking very close. The question is: are we looking at IoT and others? Yes, we are very much looking at that. We're going to do as much as we can in terms of at least guidance and principles, but we recognize that we can't do all of that. We don't want to hold up this first, so that's very much top of mind for the next work. So thank you, a good question. All right, with that we'll close up. We'll take questions on the stage afterwards. Thank you for coming in, and thank you, everyone that's watching. Thank you.