Pointy Clicky Excel, Power Query, Fabric Workshop PART 2

Oct 31, 2024 Pre-SIMPLY CYBERCON #GRC Workshop

Agenda

🤖 AI Augmented NIST CSF Assessment

Step 12 (skipped today): Install the Fabric Client from Github

Step 13 (skipped today): Create a Custom Fabric Pattern csf_category_score

csf_category_score

# IDENTITY and PURPOSE

You are an expert in cyber resilience management and cybersecurity. You specialize in creating simple, table and narrative-based, cybersecurity framework gap assessment for all types of organization. 

Take a deep breath and think step-by-step about how best to achieve this using the steps below.

# NIST CYBERSECURITY FRAMEWORK SCORING LEGEND

0 to 1.9 = Insecurity, Our organization rarely or never does this
2.0 to 4.9 = Some Security, Our organization sometimes does this, but unreliably.  Rework is common.
5.0 to 5.9 = Minimally Acceptable Security, Our organization does this consistently, with some minor flaws from time-to-time
6.1 to 6.9 = Optimized Security, Our organization does this consistently, with great effectiveness and high quality
7.0 to 7.9 = Fully Optimized Security	
8.1 to 10.0 = Too Much Security (Waste), Our organization does this at excessive financial cost.  People can't easily get their work done	

END SCORING LEGEND

# NIST CYBERSECURITY FRAMEWORK ASSESSMENT TABLE

"CSF Outcome ID","CSF Outcome Description","Actual Score"
"GV.OC","The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood",""
"GV.RM","The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions",""
"GV.RR","Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated",""
"GV.PO","Organizational cybersecurity policy is established, communicated, and enforced",""
"GV.OV","Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy",""
"GV.SC","Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders",""
"ID.AM","Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy",""
"ID.RA","The cybersecurity risk to the organization, assets, and individuals is understood by the organization",""
"ID.IM","Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions",""
"PR.AA","Access to physical and logical assets is limited to authorized users, services, and hardware and  managed commensurate with the assessed risk of unauthorized access",""
"PR.AT","The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks",""
"PR.DS","Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information",""
"PR.PS","The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability",""
"PR.IR","Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience",""
"DE.CM","Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events",""
"DE.AE","Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents",""
"RS.MA","Responses to detected cybersecurity incidents are managed",""
"RS.AN","Investigations are conducted to ensure effective response and support forensics and recovery activities",""
"RS.CO","Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies",""
"RS.MI","Activities are performed to prevent expansion of an event and mitigate its effects",""
"RC.RP","Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents",""
"RC.CO","Restoration activities are coordinated with internal and external parties",""

END CYBERSECURITY FRAMEWORK ASSESSMENT TABLE

# STEPS

- Fully understand the NIST Cybersecurity Framework scoring legend and table above.

- Take the input provided and create a section called NIST CYBERSECURITY FRAMEWORK ASSESSMENT TABLE, and under that section create a csv format table, adding your own actual score, score rationale and recommended actions for all 22 records.  Include all NIST CYBERSECURITY FRAMEWORK ASSESSMENT TABLE columns: "ID","Category","Actual Score","Score Rationale","Recommended Actions"

- In a section under that, create a section called ANALYSIS, give an explanation of the thought process used to determine all scores using a set of 10-word bullets. The focus should be on helping guide the organization to the most logical choice and reasonable approach for cyber resilience.

# OUTPUT INSTRUCTIONS

- Output in CSV format for use in a spreadsheet

- Do not use asterisks or other special characters in the output for csv formatting

- Do not output blank lines or lines full of unprintable / invisible characters

# INPUT:

INPUT:
➜  ~ cd ~/.config/
➜  .config mkdir -p custom-fabric-patterns/csf_category_score
➜  .config cd custom-fabric-patterns/csf_category_score
➜  csf_category_score touch system.md
➜  csf_category_score nano system.md
➜  csf_category_score cp -a ~/.config/custom-fabric-patterns/* ~/.config/fabric/patterns

Step 14: Input the 2018 Equifax Breach Report to csf_category_score, via clipboard

pbpaste | fabric -p csf_category_score -s

Output

Here is the NIST Cybersecurity Framework Assessment Table with my actual scores, score rationale, and recommended actions for each of the 22 records:

"CSF Outcome ID","CSF Outcome Description","Actual Score","Score Rationale","Recommended Actions"
"GV.OC","The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood","2.5","Based on the information provided, it appears Equifax had a limited understanding of the circumstances surrounding its cybersecurity risk management decisions. The aggressive growth strategy and accumulation of data resulted in a complex IT environment that made security challenging. However, there is no evidence that Equifax fully appreciated and mitigated these increasing risks.","Equifax should conduct a comprehensive assessment to fully understand its mission, stakeholder expectations, dependencies, legal/regulatory requirements and other circumstances that impact cybersecurity risk management. This understanding should drive a risk-based approach to cybersecurity investments and priorities."
"GV.RM","The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions","2.0","There is little evidence that Equifax had clearly established and communicated its risk tolerance, risk appetite, priorities and constraints to guide cybersecurity risk decisions. The 'cybersecurity complacency' noted in the report suggests risk was not being effectively managed.","Equifax leadership needs to define and communicate the organization's risk tolerance, risk appetite, priorities and constraints. These should be reviewed regularly and used to guide resource allocation and operational risk decisions. Cybersecurity should be treated as a top business risk, not just an IT issue."
"GV.RR","Cybersecurity roles, responsibilities, and authorities to     ance assessment, and continuous improvement are established and com     responsibilities between IT and Security, with the CSO reporting t    reated accountability gaps. Roles and responsibilities for key proc    re not clearly established and communicated.","Equifax should revie    les, responsibilities and reporting lines to eliminate gaps and amb    guity. The CSO role should have a direct line to senior leadership. Performance goals and metrics should be established to drive accountability for key cybersecurity processes."
"GV.PO","Organizational cybersecurity policy is established, communicated, and enforced","2.0","While Equifax had IT and security policies in place, there were significant gaps in communication and enforcement of these policies. For example, the patch management policy was not consistently followed.","Equifax needs to strengthen its governance to ensure cybersecurity policies are not just documented, but are widely communicated, monitored for compliance, and enforced. Leadership needs to set the tone that security policies are non-negotiable."
"GV.OV","Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy","2.0","There is no evidence that Equifax was using cybersecurity risk assessments and performance metrics to continuously improve its overall risk management approach. Past audit findings highlighting issues were not acted upon in a timely manner.","Equifax should implement a robust cybersecurity risk management program that includes regular assessments, tracking of key risk indicators, and monitoring of risk treatment plan implementation. Results should feed back into adjustments to the overall risk management strategy."
"GV.SC","Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders","2.0","The report does not provide details on Equifax's management of cyber supply chain risks, but the complexity of the IT environment with many acquired systems suggests this was likely an area of weakness.","Equifax should identify and assess risks associated with its supply chain, including risks from acquired companies, service providers, and software/hardware vendors. Processes should be put in place to manage and monitor these risks."
"ID.AM","Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy","2.0","Equifax did not have a comprehensive IT asset inventory, which made it difficult to identify and manage risks. The lack of a software inventory prevented Equifax from knowing that a vulnerable version of Apache Struts was running on the breached system.","Equifax needs to develop and maintain a comprehensive inventory of all hardware and software assets. Assets should be prioritized based on criticality and risk to ensure appropriate controls are in place for the most important assets."
"ID.RA","The cybersecurity risk to the organization, assets, and individuals is understood by the organization","2.0","While some cybersecurity risks were identified through audits and assessments, Equifax did not demonstrate a comprehensive understanding of risks across the enterprise. Leadership was not fully aware of risks related to the legacy infrastructure.","Equifax should conduct regular cybersecurity risk assessments across the entire organization to identify and prioritize risks. Results should be communicated to leadership and used to inform strategy and resource allocation decisions."
"ID.IM","Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions","2.0","The report highlights several areas where needed cybersecurity improvements were identified but not implemented in a timely manner, such as issues noted in the 2015 patch management audit.","Equifax needs a more proactive and agile process to identify, prioritize and implement continuous improvement opportunities across all cybersecurity domains. Improvement plans should have executive oversight and be resourced appropriately."
"PR.AA","Access to physical and logical assets is limited to authorized users, services, and hardware and  managed commensurate with the assessed risk of unauthorized access","2.0","Attackers were able to leverage a compromised application credential to gain unauthorized access to multiple databases. This suggests access rights were overly broad and not properly restricted based on risk.","Equifax should implement a rigorous identity and access management program to ensure access is restricted based on least privilege, separation of duties is enforced, and access is promptly revoked when no longer needed. Higher risk systems should have more stringent access controls."
"PR.AT","The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks","2.5","While Equifax had a security training program, the 'cybersecurity complacency' noted in the report suggests the training was not fully effective in driving secure behaviors and decisions.","Equifax should enhance its cybersecurity awareness and training to ensure all personnel understand their responsibilities and have the knowledge and skills to perform their jobs securely. Training should be engaging, relevant to each role, and regularly reinforced."
"PR.DS","Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information","2.0","Large amounts of sensitive data were stored unencrypted in databases accessible from compromised servers. Data governance appears to have been lacking, with no clear restrictions on data access and retention based on risk.","Equifax should develop and implement a data governance program to ensure data is identified, classified based on sensitivity, and protected accordingly. Sensitive data should be encrypted, access should be strictly controlled, and data should not be retained longer than necessary."
"PR.PS","The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability","2.0","Equifax was using legacy systems and software that were difficult to protect and not compatible with modern security tools. Patch management was ineffective, allowing known vulnerabilities to remain unpatched.","Equifax needs to accelerate its IT modernization efforts to phase out legacy systems that cannot be adequately secured. A robust patch management program should be implemented to ensure all systems are patched promptly based on risk."
"PR.IR","Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience","2.0","The Equifax network was flat with no segmentation, allowing the attackers to easily move laterally and access many different systems once they gained an initial foothold. Boundary protections were also weak.","Equifax should redesign its network architecture to incorporate segmentation, limiting traffic between different trust zones. Additional layers of defense should be implemented to prevent and detect unauthorized access to sensitive systems and data."
"DE.CM","Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events","2.0","An expired SSL certificate prevented Equifax from monitoring traffic to the compromised system for 19 months. File integrity monitoring was also not in place to detect the deployment of malicious web shells.","Equifax needs to significantly improve its security monitoring capabilities to ensure all assets are being continuously monitored for threats. Robust logging, traffic inspection, file integrity monitoring, and other detection tools should be deployed and actively monitored."
"DE.AE","Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents","2.0","Equifax did not detect the attackers' presence for over 2 months, despite the large volume of malicious activity. This suggests event data was not being effectively analyzed to identify potential incidents.","Equifax should strengthen its threat detection and incident response capabilities. Automated tools should be used to analyze and correlate event data to identify potential incidents for further investigation. Skilled analysts should be in place to triage and investigate alerts."
"RS.MA","Responses to detected cybersecurity incidents are managed","2.5","Once the breach was detected, Equifax did activate an incident response process. However, the response had several issues, such as the website problems and call center delays.","Equifax should ensure it has a well-documented and exercised incident response plan. The plan should cover all phases of response including containment, eradication, recovery, and post-incident review. Regular tabletop exercises should be conducted to validate and improve the plan."
"RS.AN","Investigations are conducted to ensure effective response and support forensics and recovery activities","3.0","Equifax engaged Mandiant to conduct a forensic investigation, which ultimately determined the scope of the breach. However, the complex IT environment made the forensic analysis challenging and time-consuming.","Equifax should proactively prepare for forensic investigations by ensuring logging is enabled, data is retained, and systems are documented. Forensic procedures should be built into the incident response plan and relationships established with third-party experts before an incident occurs."
"RS.CO","Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies","3.0","Equifax did notify law enforcement, regulators, and the public about the breach as required. However, the initial notifications had some inconsistencies and the full scope of the breach was not known.","Equifax should ensure its incident response plan includes clear protocols for notifying and coordinating with all relevant stakeholders. Notification templates and communication plans should be developed in advance. Processes should be in place to quickly assess the scope of an incident."
"RS.MI","Activities are performed to prevent expansion of an event and mitigate its effects","2.5","Equifax did take actions to stop the breach once it was detected, such as shutting down the compromised web portal. However, opportunities were missed to limit the breach impact, such as implementing network segmentation.","Equifax should develop and test containment and mitigation procedures for different types of cybersecurity incidents. The incident response team should be empowered to quickly make containment decisions and escalate issues when required."
"RC.RP","Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents","2.5","Equifax was able to restore the compromised systems and resume business operations. However, the recovery process was complicated by the legacy infrastructure and lack of comprehensive asset inventory.","Equifax should ensure it has a robust disaster recovery and business continuity plan that covers cybersecurity incidents. Critical systems and data should be backed up and recovery procedures regularly tested. Asset dependencies should be mapped to prioritize recovery activities."
"RC.CO","Restoration activities are coordinated with internal and external parties","2.5","There were some coordination issues in Equifax's recovery activities, such as the problems with the breach notification website and call centers being overwhelmed.","Equifax should ensure its recovery plans are coordinated with key stakeholders such as IT, business units, vendors, and external parties such as law enforcement and regulators. Communication plans should be established in advance."

ANALYSIS:

The scores and recommendations were determined based on a careful analysis of the information provided in the report about Equifax's cybersecurity practices and the events surrounding the 2017 data breach. Key factors considered include:

- Equifax had a complex IT environment with many legacy systems that made implementing effective cybersecurity controls challenging. However, the company did not prioritize investments to modernize this infrastructure and mitigate risks.

- Accountability for cybersecurity was lacking, with a divided organizational structure where the CSO reported to Legal rather than IT. Roles and responsibilities for key processes like patch management were not clearly defined and communicated.  

- While policies and procedures existed, there were significant gaps in execution and enforcement. Issues identified in audits and assessments were not remediated in a timely manner.

- Equifax was not effectively managing access to sensitive data, with loose access controls and a lack of network segmentation. Encryption was also not consistently used to protect data.

- Security monitoring capabilities had major gaps, such as the expired SSL certificate that prevented visibility into the compromised system. Equifax was not able to quickly detect the breach despite the large amount of attacker activity.

- Incident response and recovery efforts were complicated by the complex environment and lack of advance preparation. Coordination with external stakeholders for breach notification and support had some missteps.

To address these issues, Equifax needs to take a much more proactive, risk-based approach to cybersecurity. This includes making it a higher leadership priority, investing to modernize and simplify the IT environment, implementing more rigorous controls around sensitive data, improving threat detection and response capabilities, and establishing clear accountability. Focusing on these fundamental improvements will put Equifax in a better position to protect against future cyber incidents.
➜  ~ 

ANALYSIS:

The scores and recommendations were determined based on a careful analysis of the information provided in the report about Equifax's cybersecurity practices and the events surrounding the 2017 data breach. Key factors considered include:

  • Equifax had a complex IT environment with many legacy systems that made implementing effective cybersecurity controls challenging. However, the company did not prioritize investments to modernize this infrastructure and mitigate risks.

  • Accountability for cybersecurity was lacking, with a divided organizational structure where the CSO reported to Legal rather than IT. Roles and responsibilities for key processes like patch management were not clearly defined and communicated.

  • While policies and procedures existed, there were significant gaps in execution and enforcement. Issues identified in audits and assessments were not remediated in a timely manner.

  • Equifax was not effectively managing access to sensitive data, with loose access controls and a lack of network segmentation. Encryption was also not consistently used to protect data.

  • Security monitoring capabilities had major gaps, such as the expired SSL certificate that prevented visibility into the compromised system. Equifax was not able to quickly detect the breach despite the large amount of attacker activity.

  • Incident response and recovery efforts were complicated by the complex environment and lack of advance preparation. Coordination with external stakeholders for breach notification and support had some missteps.

To address these issues, Equifax needs to take a much more proactive, risk-based approach to cybersecurity. This includes making it a higher leadership priority, investing to modernize and simplify the IT environment, implementing more rigorous controls around sensitive data, improving threat detection and response capabilities, and establishing clear accountability. Focusing on these fundamental improvements will put Equifax in a better position to protect against future cyber incidents.

Step 15: Input 2021 Equifax Breach Reflection Podcast into csf_category_score, via YouTube URL

yt https://youtu.be/APs4CYfZbrQ | fabric -p csf_category_score -s

Output

ANALYSIS

  • Equifax has made substantial progress in all CSF areas since the 2017 breach

  • Leadership, governance and culture are particular strengths with accountability and incentives aligned to security outcomes

  • Continued investment is needed to further mature risk quantification, supply chain, automation and machine learning capabilities

  • Optimization opportunities exist in recovery planning, proactive stakeholder engagement and emerging threat resilience

  • Overall Equifax has transformed into a leader in many CSF domains but must sustain the focus and adapt to stay ahead of threats

The key to Equifax's cyber resilience turnaround has been taking a holistic approach across people, process and technology, with security built-in vs bolted-on. Engaging all stakeholders, making security everyone's job, and driving a culture of continuous improvement has been crucial. Equifax must continue to innovate and collaborate with the broader ecosystem to tackle the ever-evolving threats ahead.

Here is the NIST Cybersecurity Framework Assessment Table with my scores, rationale and recommended actions:

NIST CYBERSECURITY FRAMEWORK ASSESSMENT TABLE
"CSF Outcome ID","CSF Outcome Description","Actual Score","Score Rationale","Recommended Actions"
"GV.OC","The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood","6.5","After the breach, Equifax made understanding stakeholder expectations and requirements a top priority. However, there is still room for optimization.","Continue engaging stakeholders to deeply understand expectations. Formalize processes to track legal/regulatory requirements."
"GV.RM","The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions","6.0","Equifax established new risk management priorities and communicated them consistently after the breach. Some minor gaps may still exist.","Ensure risk tolerance is quantified where possible. Validate assumptions are still valid as the business and threat landscape evolves."
"GV.RR","Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated","7.0","Equifax made major changes to establish clear security accountability, from the CISO reporting to the CEO to including security metrics in employee bonuses.","Sustain the current practices and culture of shared security responsibility. Consider targeted training for key roles."
"GV.PO","Organizational cybersecurity policy is established, communicated, and enforced","6.5","New security policies were a core part of Equifax's transformation. Consistent enforcement is in place but can be further optimized.","Implement automated policy checks where feasible. Regularly review and update policies."
"GV.OV","Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy","6.0","Equifax uses security metrics to continuously improve, as seen in their monthly employee security scorecards. Connecting metrics to strategy adjustments could be enhanced.","Establish a formal process to review metrics and initiate strategic changes. Conduct regular executive strategy sessions incorporating the latest data."
"GV.SC","Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders","5.5","Supply chain risk is a newer area of focus for Equifax. Processes have been established but are still maturing.","Develop comprehensive vendor risk assessment and monitoring capabilities. Increase engagement with key suppliers on joint security initiatives."
"ID.AM","Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy","6.5","Equifax invested heavily in asset management as part of their tech transformation. Some less critical asset categories may need more attention.","Use automation to maintain an always-current asset inventory. Ensure asset risk classifications are dynamically updated."
"ID.RA","The cybersecurity risk to the organization, assets, and individuals is understood by the organization","6.0","Understanding cyber risk was crucial to Equifax's turnaround. Quantitative analysis capabilities are still developing.","Mature the risk quantification program to support cost-benefit decisions. Increase risk assessment frequency for high-value assets."
"ID.IM","Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions","6.0","Equifax demonstrates a strong continuous improvement culture in security. Formalizing improvement intake from all domains would further optimize this.","Deploy a security ideation platform for employees to suggest improvements. Recognize and rapidly implement high-impact ideas."
"PR.AA","Access to physical and logical assets is limited to authorized users, services, and hardware and  managed commensurate with the assessed risk of unauthorized access","6.5","Strict access control was a priority in Equifax's rebuild. Some legacy access issues may still need to be resolved.","Implement a zero trust architecture for all critical assets. Use data analytics to detect anomalous access patterns."
"PR.AT","The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks","7.0","Security training and culture building are standout strengths for Equifax, with innovative programs like monthly individualized training.","Maintain the robust training program. Consider adding more role-based training paths to develop security champions."
"PR.DS","Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information","6.5","Protecting data is a clear priority for Equifax with their investment in new security tools/processes. Some data lifecycle automation gaps may remain.","Implement comprehensive data discovery and classification. Automate data protection policies with DLP, encryption, etc."
"PR.PS","The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability","6.0","Platform integrity management has improved substantially at Equifax. Proactive threat hunting and breach simulation could further enhance this.","Conduct regular red team exercises and breach simulations. Implement active threat hunting for all critical platforms."
"PR.IR","Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience","6.0","Equifax's security architecture was revamped with their transformation. Formally mapping architecture to evolving risks can be improved.","Define a security architecture risk assessment methodology. Conduct regular architecture reviews focused on emerging threats."
"DE.CM","Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events","6.5","Equifax has significantly matured their security monitoring capabilities. Some coverage gaps for less critical assets may still exist.","Ensure comprehensive monitoring coverage across all assets. Leverage ML/AI for entity and user behavior analytics."
"DE.AE","Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents","6.0","Security analytics at Equifax have been enhanced to speed detection. Increased automation and orchestration would further optimize.","Implement SOAR capabilities to automate analysis workflows. Mature use cases for ML-driven anomaly detection."
"RS.MA","Responses to detected cybersecurity incidents are managed","6.5","Equifax has strengthened their incident response capabilities and governance. Opportunities exist to further reduce response times.","Automate containment actions for common incident types. Conduct regular executive tabletop exercises to test decision-making."
"RS.AN","Investigations are conducted to ensure effective response and support forensics and recovery activities","6.0","Equifax has improved incident investigation skills and tools. Proactively involving more stakeholders would be beneficial.","Cross-train multiple teams on forensic skills to surge capacity. Establish relationships with incident response partners."
"RS.CO","Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies","6.0","Equifax has enhanced coordination with stakeholders during incidents. More proactive planning with key partners can still help.","Conduct joint planning and exercises with key customers/partners. Participate in industry/government threat intelligence sharing."
"RS.MI","Activities are performed to prevent expansion of an event and mitigate its effects","6.5","Equifax has new processes to quickly mitigate incidents. Continued automation will make this even more dynamic.","Expand automated detection and blocking of threats. Proactively address vulnerabilities/misconfigurations that enable incident spread."
"RC.RP","Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents","6.0","Equifax has improved recovery planning and testing. Opportunities exist to further minimize downtime and data loss.","Implement an immutable data backup architecture. Use chaos engineering to test and optimize recovery processes."
"RC.CO","Restoration activities are coordinated with internal and external parties","6.0","Equifax engages relevant parties during recovery. More proactive coordination would further smooth this process.","Establish formal communication protocols for recovery scenarios. Conduct regular recovery exercises with key internal and external stakeholders."

ANALYSIS
- Equifax has made substantial progress in all CSF areas since the 2017 breach
- Leadership, governance and culture are particular strengths with accountability and incentives aligned to security outcomes
- Continued investment is needed to further mature risk quantification, supply chain, automation and machine learning capabilities 
- Optimization opportunities exist in recovery planning, proactive stakeholder engagement and emerging threat resilience
- Overall Equifax has transformed into a leader in many CSF domains but must sustain the focus and adapt to stay ahead of threats

The key to Equifax's cyber resilience turnaround has been taking a holistic approach across people, process and technology, with security built-in vs bolted-on. Engaging all stakeholders, making security everyone's job, and driving a culture of continuous improvement has been crucial. Equifax must continue to innovate and collaborate with the broader ecosystem to tackle the ever-evolving threats ahead.
➜  ~ 

Step 15: “Export” to csv for Excel

  • Copy terminal text, file > new

Step 16: Human Review of Results and Copy Over to Excel Workbook

  • Cmd+t to make a table.

  • Named the table Equifax2018

  • Copied over to main workbook

  • Human review of AI results,

    • E.g. added a missing score from flaw in output to GV.RR

On to PART 3