SANS Institute Information Security Reading Room - SANS.org

SANS Institute
Information Security Reading Room

Effective Implementation of
the NIST Cybersecurity
Framework with Fortinet
______________________________
Don Weber

Copyright SANS Institute 2020. Author Retains Full Rights.

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express
written permission.
A SANS Product Overview

Effective Implementation of the NIST
Cybersecurity Framework with Fortinet
(Companion Piece to “Security by Design:
A Systems Road Map Approach”)

Written by Don C. Weber
February 2020
Sponsored by: Fortinet

Introduction: Challenges of Connected IT
and OT Networks
How do businesses with operational technology (OT) networks implement information
security successfully? In this paper, we review one approach to updating an OT
network, commonly referred to as a control network, by leveraging a combination of the
NIST Cybersecurity Framework (CSF),[1] the SANS ICS410 Reference Architecture model[2]
and Fortinet Security Fabric[3] technologies. We will examine how to effectively support
and implement the NIST CSF (see the sidebar "Origin of the NIST Framework" below) and
explore how some of Fortinet's product line can assist with an organization's OT
security evolution.

Regulations provide an excellent starting point for improving an organization’s security
program and implementing basic information security controls. Sectors working on
regulations—sometimes for decades—have experienced the process of translating
words from standards, frameworks and guidelines into implemented practitioner-
focused programs. In some mature standards bodies, this process allows for standards
improvements and enforcement capability to measure adherence. Organizations with
OT networks not covered by regulations, however, must formulate their own approach to
information security. Many of these businesses are turning to the NIST CSF to develop

1
    www.nist.gov/cyberframework
2
    www.sans.org/course/ics-scada-cyber-security-essentials
3
    www.fortinet.com/solutions/enterprise-midsize-business/enterprise-security.html

                                                                                                       ©2020 SANS™ Institute
SANS Institute Information Security Reading Room - SANS.org
an internal security program. The problem is, unregulated
                                                                                      Origin of the NIST Framework
organizations often run into experience and funding issues
                                                                                      Since the establishment of the Energy Independence and
that hamper the planned approach for this evolution.
                                                                                      Security Act (EISA) of 2007,4 NIST has been directly assisting
OT networks are made up of technologies that provide                                  the utility industry with the development of standards for
                                                                                      the interoperability and security of the Smart Grid in the
specialized functionality for specific tasks. These tasks
                                                                                      US. The Smart Grid working groups that resulted from this
require implementation practices that cannot conform                                  effort have helped form a strong foundation for utilities
to the common security practices designed to secure a                                 to strive to obtain and maintain. While these efforts paved
                                                                                      the way for the energy sector, the output of these efforts
corporate IT network. Thus, most organizations initiating a
                                                                                      is difficult to apply to other critical infrastructure and
new security program for their OT network run into issues                             nonregulated sectors. In 2013, Executive Order (EO) 13636,
because their teams attempt to force IT network policies,                             Improving Critical Infrastructure Cybersecurity,5 tasked
                                                                                      NIST with assisting critical infrastructure by providing
solutions, standards and procedures onto the OT network’s
                                                                                      guidance for improving the security posture of all critical
processes and solutions. The IT teams design the OT security                          infrastructure sectors. These efforts resulted in the
program without understanding that the systems, devices                               NIST CSF, which proved to be flexible enough to improve
                                                                                      security programs in both the critical infrastructure and
and protocols configured in the OT networks were selected
                                                                                      nonregulated sectors. For more specific background and
for reasons related to the process’s functional requirements.                         guidance on implementation of the NIST CSF, please see
For this reason, IT security requirements are often watered                           the SANS companion guide to this paper: “Security by
                                                                                      Design: A Systems Road Map Approach.”6
down, or even ignored, in these areas, resulting in insecure
environments that are often directly connected to the
company’s IT network and, at times, directly to the internet. This situation creates a false
sense of security while exposing the OT network to threats from the IT network that it’s
not prepared to handle, such as malware and compromised credentials.

Identifying Operational and Tactical Efforts
The NIST CSF is an excellent methodology that many organizations will begin using to
generate policies and initiate security programs specifically for their OT networks. As the
security program moves out of the planning phase, IT and OT personnel will be tasked
with addressing immediate operational requirements and then implementing the short
to midrange tactical steps necessary to achieve the strategic security goals for the OT
environment. To do so, some organizations are going to consider revamping the current
OT infrastructure while others will be starting from scratch. The trick is to implement
security controls in a manner that is cost effective and, most important, has negligible
negative effect on the processes within the OT network.

An organization's business goals will dictate the specific order in which it deploys
new security controls or modifies existing ones. To assist your efforts, the Critical
Infrastructure Road Map Cycles from the SANS companion guide to this paper, "Security
by Design: A Systems Road Map Approach," detail the operational and tactical phases
that are implemented in the first six months and 12 months of deployment,
respectively.[7] We recommend that organizations consider the following steps during
these phases to quickly and cost-effectively improve the safety and security of the OT
network.

    1. Isolate the OT network from the IT network, and segment OT assets and
       processes to establish protections and opportunities to identify suspicious
       activity.

    2. Manage authentication and authorization for OT assets to maintain isolation of
       the OT network while permitting remote administration and maintenance of the
       processes.

    3. Implement centralized logging across all OT assets and security controls to
       improve insight into asset inventory, generate baselines of common activity,
       provide a feed for monitoring solutions and prepare for incident response.

    4. Generate and maintain hardware and software inventories that can be used to
       identify critical assets for each process, understand the attack surface within
       the OT network and appropriately model threats to prioritize efforts.

    5. Prepare the OT and IT teams to collaborate effectively when responding to and
       recovering from common cybersecurity incidents within the OT network.

[4] https://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/WebHome#SGIP_Catalog_of_Standards
[5] https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
[6] www.sans.org/reading-room/whitepapers/analyst/security-design-systems-road-map-approach-39370
[7] www.sans.org/reading-room/whitepapers/analyst/security-design-systems-road-map-approach-39370

Operational and Tactical Approach Using Fortinet
Security Fabric
In the SANS companion guide to this paper, “Security by Design: A Systems Road
Map Approach,” we outlined a Critical Infrastructure Road Map to identify a phased
implementation schedule for an organization’s new security program within the OT
network. The schedule contains three time-based phases: operational from zero to
six months, tactical from 12 to 24 months, and strategic for greater than 24 months.
The operational and tactical phases are the periods in which organizations will begin
to leverage their current understanding of the OT environment and the updated OT
cybersecurity program to implement reconfigured technologies and security controls,
and to deploy new ones.

With this in mind, the SANS Analyst Program was asked to consider how the technologies
associated with the Fortinet Security Fabric could play a role in driving these efforts
through implementation of the OT security program. Typically, the SANS Analyst Program
would manually test each of these technologies to understand their strengths and
shortcomings in a lab environment configured for normal operations. For the purposes of
this paper, however, we could not conduct manual testing because OT lab networks are too
restrictive to be realistic when compared with an operational environment. Thus, this
paper is centered on identifying how the technologies provided by the Fortinet Security
Fabric could play a role in the operational and tactical improvements of an OT network's
cybersecurity program. Fortinet did provide access to a virtualized environment
configured to integrate several of the Fortinet technologies to demonstrate the
configurable capabilities.

Fortinet Security Fabric Technologies
The Fortinet Security Fabric is an integration of Fortinet products and vendor solutions.
This integration provides many benefits for an organization, including visibility and
central management. Integrated with the Security Fabric, FortiManager unifies the
management and orchestration of Fortinet products, many of which are detailed in
Table 1, and gets extremely close to providing a single-pane-of-glass management
solution. Other Fortinet solutions, such as FortiNAC, integrate with third-party devices,
providing visibility and control of the network configuration and device communications,
which is difficult to find in technologies that are not interrelated. These integrations
could be extremely beneficial within control environments while resulting in minimal
impact to current operations.

Table 1. Fortinet Products and Descriptions

Fortinet Technology        Product Description
FortiManager               Supports network operations use cases for centralized management, best practices
                           compliance and workflow automation to provide better protection against breaches.
FortiGate                  Next-generation firewalls that utilize purpose-built security processors and threat
                           intelligence security services from AI-powered FortiGuard Labs to deliver top-rated
                           protection and high-performance inspection of clear-text and encrypted traffic.
FortiNAC                   Provides visibility across the entire network and the capability to control access
                           for all devices and users, including dynamic, automated responses.
FortiClient                An endpoint agent that provides visibility and control of software and hardware
                           inventory across the entire Security Fabric, allowing organizations to discover,
                           monitor and assess endpoint risks in real time. It also provides secure remote
                           access (VPN client).
FortiEDR                   An advanced endpoint protection solution that provides detection and response
                           capabilities. It delivers post-compromise protection and can ensure high availability
                           even in the midst of a security incident. The product automates threat detection,
                           containment, response and remediation without taking the machine offline.
FortiAnalyzer              Provides analytics-powered cybersecurity and log management for better detection
                           against breaches.
FortiSIEM                  A multivendor security information and event management solution that simplifies
                           cybersecurity management for air-gapped systems by providing visibility, correlation,
                           automated response and remediation in a single, scalable product.
FortiWeb WAF               A web application firewall that secures cloud-based resources and DevOps
                           environments by protecting against known and unknown threats, including
                           sophisticated threats such as SQL injection, cross-site scripting, buffer overflows
                           and DDoS attacks.
FortiSwitch                Provides superior security, performance and manageability in a broad portfolio of
                           secure, simple and scalable Ethernet access layer switches.
FortiAuthenticator         Provides centralized authentication services for the Fortinet Security Fabric,
                           including single sign-on services, certificate management and guest management.
FortiToken                 Confirms the identity of users by adding a second factor to the authentication
                           process through physical and mobile application-based tokens.
FortiCamera/FortiRecorder  A suite of secure, network-based surveillance video cameras that bolster protection
                           against cyber-physical attacks.
FortiDeceptor              An early-warning system that provides accurate detection that correlates an
                           attacker's activity details and the lateral movement that feeds up to a broader
                           threat campaign.
FortiSandbox               A powerful combination of advanced detection, automated mitigation, actionable
                           insight and flexible deployment to stop targeted attacks and subsequent data loss.
FortiProxy                 A secure web proxy that protects employees against internet-borne attacks by
                           incorporating multiple detection techniques, such as web filtering, DNS filtering,
                           data loss prevention, antivirus, intrusion prevention and advanced threat protection.
FortiGuard                 A global threat research and response team that leverages machine learning and AI
                           systems around the globe to gather the real-time threat intelligence that powers the
                           Security Fabric.
FortiCloud                 A cloud-delivered FortiClient endpoint protection service designed for small and
                           medium-sized businesses.

Network Segmentation and Isolation
To understand network segmentation and isolation within an OT network, we need to
understand the Purdue Model. Most organizations have deployed their OT networks following
guidelines outlined by the ISA-95 standard. ISA-95 details the deployment of processes
using the Purdue Enterprise Reference Architecture model, also known as the Purdue Model.
The related ISA-99 security standards, subsequently renamed ISA/IEC 62443, provide
security guidance for networks built on the Purdue Model.

ICS410 Reference Architecture
To help with the implementation of this model, the SANS ICS program has generated the
ICS410 Reference Architecture.[8] The ICS410 Reference Architecture, shown in Figure 1,
provides a visual model teams can use when planning the design or redesign and
implementation of an OT network.

The ICS410 Reference Architecture outlines the division of individual processes
associated with specific functionality at Purdue Levels 0 through 2. Enforcement
boundaries between processes are typically access control lists (ACLs), but organizations
can choose to implement firewalls at these locations to improve their security posture.
The heart of the control network, with the majority of the OT network's management
servers and supervisory systems, is found at Purdue Level 3. These systems are protected
from the other levels by firewalls and ACLs. Additional security controls will live at
Purdue Level 3 as implementations mature. The ingress and egress of information, OT
management personnel connections and third-party connections are managed via industrial
demilitarized zones (iDMZs), each deployed for a specific function. These iDMZs allow
for managed and monitored connectivity into the plant network at Purdue Level 4 and,
ultimately, to the corporate IT network at Purdue Level 5 (not represented in Figure 1).

Figure 1. SANS ICS410 Reference Architecture Model
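The boundaries described above can be checked mechanically against a firewall rule set. The following is an added example, not code from the paper, SANS or Fortinet: it encodes two constraints of the reference architecture (anything crossing the Level 3 / Level 4 boundary must terminate in an iDMZ, and Level 0-2 processes are separated from one another by an enforcement boundary) and audits a constructed rule set for rules that bypass them. The zone names, Purdue levels, cell names and rules are all assumptions made for the example.

```python
"""Audit firewall rules against ICS410 / Purdue Model boundaries.

Added example (not from the paper, SANS or Fortinet). Zone map, cell names and
rules are constructed for illustration.
"""
from dataclasses import dataclass

IDMZ_LEVEL = 3.5  # an iDMZ sits between Level 3 (control) and Level 4 (plant)


@dataclass(frozen=True)
class Zone:
    level: float
    cell: str = ""  # process cell for Level 0-2 zones; empty above Level 2


# Constructed zone map for one plant (assumption).
ZONES = {
    "plc-a": Zone(1, "cell-a"), "hmi-a": Zone(2, "cell-a"),
    "plc-b": Zone(1, "cell-b"), "hmi-b": Zone(2, "cell-b"),
    "control-l3": Zone(3),
    "idmz-remote": Zone(IDMZ_LEVEL), "idmz-historian": Zone(IDMZ_LEVEL),
    "plant-l4": Zone(4), "corp-l5": Zone(5),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str  # e.g. "Modbus/TCP", "HTTPS", or "ALL"
    action: str   # "accept" or "deny"


def check_rule(rule: Rule) -> list:
    """Return the boundary violations introduced by one rule (empty if none)."""
    findings = []
    if rule.action != "accept":
        return findings  # a deny rule never opens a path
    src, dst = ZONES[rule.src], ZONES[rule.dst]
    low, high = sorted((src.level, dst.level))

    # Ingress/egress between the control network (<= L3) and the plant or
    # corporate network (>= L4) must land in an iDMZ, never pass straight through.
    if low <= 3 and high >= 4:
        findings.append(f"{rule.name}: {rule.src} -> {rule.dst} crosses the "
                        "Level 3/4 boundary without an iDMZ")

    # Level 0-2 processes sit behind their own ACL/firewall boundaries;
    # cell-to-cell traffic should go through Level 3, not directly.
    if src.cell and dst.cell and src.cell != dst.cell:
        findings.append(f"{rule.name}: {rule.src} -> {rule.dst} links two "
                        "process cells directly, bypassing Level 3")

    # An "any service" accept defeats restriction by industrial protocol.
    if rule.service.upper() == "ALL":
        findings.append(f"{rule.name}: service ALL; restrict to the protocol "
                        "the process actually needs")
    return findings


def audit(rules: list) -> list:
    """Flatten the findings for a whole rule set."""
    return [f for rule in rules for f in check_rule(rule)]


# Constructed rule set: four sound rules and four an audit should catch.
RULES = [
    Rule("hmi-a-poll", "hmi-a", "plc-a", "Modbus/TCP", "accept"),
    Rule("l3-supervise-a", "control-l3", "plc-a", "Modbus/TCP", "accept"),
    Rule("plant-to-historian", "plant-l4", "idmz-historian", "HTTPS", "accept"),
    Rule("historian-pull", "idmz-historian", "control-l3", "SQL", "accept"),
    Rule("corp-rdp-hmi", "corp-l5", "hmi-a", "RDP", "accept"),          # bypasses iDMZ
    Rule("l3-to-plant-any", "control-l3", "plant-l4", "ALL", "accept"),  # bypasses iDMZ, ALL
    Rule("hmi-a-to-plc-b", "hmi-a", "plc-b", "Modbus/TCP", "accept"),   # cross-cell
    Rule("deny-plant-to-plc", "plant-l4", "plc-a", "ALL", "deny"),      # deny: no path
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Running the audit on the constructed rule set reports four findings: the corporate RDP rule and the Level 3 to plant rule both cross the Level 3/4 boundary outside an iDMZ (the latter also allows every service), and the HMI-to-PLC rule joins two process cells that the architecture keeps apart.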

Fortinet Network Management
FortiManager, pictured in Figure 2, enabled us to interact with Fortinet products
designed to achieve the network segmentation and isolation detailed in the ICS410
Reference Architecture. Our initial focus was on the FortiGate management icons, to
review how the solution helps with network segmentation and isolation. The Policy &
Objects and VPN Manager functions are necessary to control network segmentation and
isolation. We assumed that managing the network configuration would be similar to any
firewall. Therefore, we focused on locating specific policy objects related to
industrial control protocols.

Figure 2. FortiManager Load-In Screen

Selecting the Policy & Objects icon took us to the FortiGate management portal. From
there, we located the management of industrial protocols by drilling into the Security
Profiles and Application Control menu items in the left sidebar, detailed in Figure 3.

Figure 3. Accessing the Application Control Profile

[8] www.sans.org/course/ics-scada-cyber-security-essentials

A review of the industrial protocols shows, in Figure 4, that FortiGate provides
capabilities for monitoring and controlling a large number of protocols that will be
implemented within a control network. These include, but are not limited to, Modbus,
EtherNet/IP, Common Industrial Protocol (CIP), BACnet, Profinet, Open Platform
Communications (OPC), Siemens protocols, Inter-Control Center Communications Protocol
(ICCP) and HART.

Figure 4. Industrial Control Signatures on FortiGate
The capabilities, some of which are listed in Figure 5, did provide for the management
of specific protocol commands, such as HART and Modbus read and write activities, but
this control is limited to communications between destinations rather than actually
controlling what happens across the protocol. Initial implementations within
operational environments would likely restrict by protocol, while the capability to
additionally restrict by functions and commands will be necessary as organizations
mature.
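To make the distinction concrete, the following added example (not code from the paper or from Fortinet) shows what restricting by function rather than by connection looks like for Modbus/TCP. A connection-level rule either permits or denies the HMI-to-PLC conversation as a whole; here each request is parsed and its function code is checked against a per-conversation policy, so an HMI that is only supposed to poll cannot write to the PLC. The addresses, policy and frames are constructed for the example; the function-code groupings follow the public codes in the Modbus Application Protocol specification.

```python
"""Function-code-level policy for Modbus/TCP (added example, not from the paper).

Addresses, policy and sample frames are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Public function codes grouped by their effect on the process.
READ_CODES = {1, 2, 3, 4, 7, 17, 20, 24}    # coils/inputs/registers, status, file, FIFO
WRITE_CODES = {5, 6, 15, 16, 21, 22, 23}    # single/multiple coils and registers, mask write
DIAGNOSTIC_CODES = {8, 11, 12, 43}          # diagnostics, event counters/log, device ID

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble MBAP header + PDU; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request, rejecting malformed headers."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # The length field counts the unit id plus the PDU: everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame ({len(frame) - 6})")
    return ModbusRequest(tid, unit, frame[MBAP_LEN], frame[MBAP_LEN + 1:])


def classify(fc: int) -> str:
    """Map a function code to read / write / diagnostic / exception / other."""
    if fc & 0x80:
        return "exception"  # response-only bit; a request carrying it is suspect
    if fc in READ_CODES:
        return "read"
    if fc in WRITE_CODES:
        return "write"
    if fc in DIAGNOSTIC_CODES:
        return "diagnostic"
    return "other"


# Constructed policy keyed by (source, destination): the HMI may only read from
# the PLC; the engineering workstation may also write and run diagnostics.
# A connection-level rule would have to allow every one of these requests.
POLICY = {
    ("10.10.20.5", "10.10.10.50"): {"read"},
    ("10.10.30.7", "10.10.10.50"): {"read", "write", "diagnostic"},
}


def evaluate(src: str, dst: str, frame: bytes) -> tuple:
    """Decide one request; returns ("allow" or "deny", reason)."""
    allowed = POLICY.get((src, dst))
    if allowed is None:
        return "deny", "no policy for this conversation"
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed request: {exc}"
    kind = classify(req.function_code)
    if kind in allowed:
        return "allow", f"fc {req.function_code} ({kind}) to unit {req.unit_id}"
    return "deny", f"fc {req.function_code} ({kind}) not permitted for this source"


# Constructed sample traffic.
SAMPLES = [
    ("10.10.20.5", "10.10.10.50", build_request(1, 1, 3, b"\x00\x00\x00\x0a")),  # HMI reads 10 regs
    ("10.10.20.5", "10.10.10.50", build_request(2, 1, 6, b"\x00\x01\x00\x00")),  # HMI writes a reg
    ("10.10.30.7", "10.10.10.50", build_request(3, 1, 16, b"\x00\x01\x00\x01\x02\x00\x2a")),
    ("10.10.99.9", "10.10.10.50", build_request(4, 1, 3, b"\x00\x00\x00\x01")),  # unknown host
    ("10.10.20.5", "10.10.10.50", b"\x00\x05\x00\x00\x00\x09\x01\x03"),          # bad length field
]


def run_samples() -> list:
    return [evaluate(src, dst, frame)[0] for src, dst, frame in SAMPLES]


if __name__ == "__main__":
    for (src, dst, frame), decision in zip(SAMPLES, run_samples()):
        print(f"{src} -> {dst}: {decision:5} {evaluate(src, dst, frame)[1]}")
```

The second sample is the point of the exercise: the HMI-to-PLC conversation is permitted, yet the write (function code 6) is denied because the policy for that source only allows reads. The malformed frame is also denied rather than passed through, which is the conservative choice in front of a PLC.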

The log data provided by FortiManager's industrial protocol functionality should provide
the organization with visibility into several key areas of concern to OT personnel. Once
implemented, network communication logs can be used to review device redundancy
configurations, understand and validate failover functionality and ensure there are no
operational timing issues during device failures. Thus, these industrial
protocol-specific network communication logs could improve security while also adding
value to the process being protected.

Figure 5. Industrial Application Control Limited to Connection

We did take a look at the VPN Manager functionality integrated with FortiManager. The
integrated application allows for the configuration of IPsec and SSL VPN tunnels. The
SSL VPN configuration capabilities, seen in Figure 6, provide options to limit
connectivity to specific assets within the control network. This capability is extremely
useful when considering restrictions for remote vendor and integrator access to the
control network. While the IPsec VPN capabilities may also provide these configuration
settings, an IPsec tunnel was not configured in the test environment we reviewed and
therefore these capabilities were not analyzed further.

Figure 6. SSL VPN Configuration for Internal Assets
Access Control
Access control, the second consideration, is a challenging effort for many organizations.
Mature control networks will have separate authentication and authorization servers,
such as Microsoft Active Directory servers, for their corporate network and the control
network. This situation is common for control networks associated with critical
infrastructure. Businesses not related to critical infrastructure, however, may struggle
with justifying the additional cost and expertise necessary to implement separate
access control servers within the control network. Businesses that have deployed their
control network access control with a trust relationship to the corporate network should
immediately reconsider this configuration and separate these assets.

The FortiAuthenticator and FortiToken devices are two Fortinet technologies that could
help in improving control network identity management. FortiAuthenticator integrates
with FortiManager and could be beneficial by providing more granular control of users
and assets within the control network and improving activity logging. Identity- and role-
based policies are leveraged by several of the Fortinet products to limit and monitor
user and asset activities within the control network.

FortiToken, which provides a second authentication factor, is another useful addition
to the control network. Many organizations have deployed two-factor authentication
solutions in their corporate environment which, due to network segmentation and
isolation, cannot be used in the control network. Requirements for remote access and
administrative access for vendors and integrators leave many organizations in a
conundrum as to how to implement two-factor authentication for these users. FortiToken
integrates with FortiAuthenticator, although it does not directly integrate with
FortiManager, and can easily provide an organization with a solution while also
integrating with the rest of the Fortinet Security Fabric to provide two-factor
authentication for security administration of the platform.

Although these technologies were not available in the test network, we were able to take
a look at the access control provided through FortiManager. Deploying a large number of
security controls within a network can result in complex and time-consuming user
management. FortiManager provides the capability to granularly manage the roles and
responsibilities, as shown in Figure 7, for users accessing a majority of the Fortinet
products. Coupled with two-factor authentication, a central point of management for
access control and role management of the security controls is an important feature, and
the reduction in management overhead could prove useful.

Figure 7. FortiManager's Granular User Management

Logging and Monitoring
Next we focused our attention on how the Fortinet Security Fabric can help with the
third consideration: logging and monitoring. Each OT device and system produces its own
local events and offers some visibility into them. Making use of these events requires
alerting on known unusual activity, correlating events and reporting on specific
activities for classes of assets.

FortiAnalyzer provides visibility into the events that occur across the Fortinet Security
Fabric. This device integrates with FortiManager, and its capabilities can be accessed by
selecting the SOC, Log View, Incidents & Events and Reports icons on the FortiManager
screen shown in Figure 2. The appliance can import syslog events from other devices, but
its analysis and reporting functionality is limited specifically to Fortinet products.

The Fortinet lab we accessed was not configured to provide any reportable details.
However, the power of combining information from FortiGuard, FortiVPN, FortiNAC and
FortiAuthenticator cannot be dismissed. The industrial protocol signatures that FortiGuard
supplies to FortiGate make it possible to generate reports involving these protocols in
FortiAnalyzer, demonstrated in Figure 8. Reporting on which devices communicate with
which, and over which protocols, gets an organization closer to a baseline of normal
behavior. This data is invaluable during event evaluations and incident response.

Figure 8. Generating Custom Reports in FortiAnalyzer

FortiSIEM is the primary central logging, correlation and analysis portal of the Fortinet
Security Fabric. This appliance receives logs from all configured devices, produces alerts
on configured activity and provides a portal for security operations center analysts.
Figure 9 shows the FortiSIEM portal interface. The effectiveness of this interface in
identifying events and managing workflow could not be determined without being
deployed in an operational environment.

Figure 9. FortiSIEM Dashboard

Because the lab had very few implemented assets, the events stored in FortiSIEM could
not be analyzed. This situation limited the review of events, incidents, ticket analysis
and report generation. We attempted to create a new report related to industrial
protocols such as Modbus and Profinet, but the report could not be generated without
data from an active OT network. Rules for the default ports of industrial protocols had
not been configured in this FortiSIEM instance.

Asset Inventory
Asset inventory challenges any organization. Collecting and maintaining this information
is a huge drain on personnel. To help with hardware inventory, the Fortinet Security
Fabric provides two capabilities that appear to ease some of this effort. Hardware
inventory can be accomplished through the integration of FortiNAC and FortiSIEM into the
Fortinet Security Fabric. FortiNAC allows for integration with an organization's
networking devices, such as Cisco switches and routers, shown in Figure 10.

Figure 10. FortiNAC Integrated with Cisco Switch

This integration allows FortiNAC to observe and provide details about devices
communicating across the OT network. Figure 11 is an example of this information, which
can be extracted in several formats including comma-separated values and Microsoft
Excel. Periodic reports can be generated to gain an understanding of the assets
communicating within the control network.

Figure 11. Asset Inventory Using FortiNAC
FortiSIEM includes a configuration management database (CMDB), shown in Figure 12,
that tracks all assets logging to the appliance. The database is automatically
updated and maintained with information from incoming events, allowing administrators
to quickly understand these assets and where they are located, and to generate
reports for baselining normal activity. This information is extremely valuable for
normal operations and critical during the investigation of security events and
incident response.

Figure 12. FortiSIEM's Configuration Management Database
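As an added example (not code from the paper or from any Fortinet product), the following Python script does by hand what the FortiSIEM industrial-protocol report and the CMDB baseline described above would do: it classifies flow records by the default ports of common industrial protocols, builds the per-protocol report that could not be generated in the lab, flags industrial traffic crossing from the enterprise level straight into the lower Purdue levels, and diffs the hosts observed against a FortiNAC-style baseline export. The flow records, the baseline, the subnet-to-Purdue-level map and the port table are all constructed assumptions for this illustration, not data from the lab.

```python
"""Added example, not from the paper or any Fortinet product: the port-based
industrial-protocol report the lab could not generate, plus the observed-versus-
baseline asset check a CMDB supports. Assumptions: NetFlow-style CSV flows, a
FortiNAC-style CSV export as baseline, and a site-specific Purdue-level map."""
import csv
import ipaddress

# Well-known default ports of common industrial protocols; a port rule is only a
# first pass, and PROFINET RT/IRT (EtherType 0x8892) never shows up in TCP/UDP flows.
INDUSTRIAL_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "S7comm (ISO-TSAP)",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP explicit",
    ("tcp", 4840): "OPC UA",
    ("udp", 34964): "PROFINET context manager (DCE/RPC)",
}

# Constructed site map (assumption): subnet -> Purdue level.
PURDUE_LEVELS = {
    ipaddress.ip_network("10.20.1.0/24"): 1,   # PLCs / controllers
    ipaddress.ip_network("10.20.2.0/24"): 2,   # HMIs, engineering workstations
    ipaddress.ip_network("10.20.3.0/24"): 3,   # site operations, historian
    ipaddress.ip_network("172.16.0.0/16"): 4,  # enterprise IT
}

# Constructed flow records (not real captures).
FLOWS_CSV = """ts,src_ip,dst_ip,proto,dst_port,bytes
2020-02-10T08:00:01,10.20.2.10,10.20.1.5,tcp,502,640
2020-02-10T08:00:02,10.20.2.10,10.20.1.6,tcp,502,612
2020-02-10T08:00:05,10.20.2.11,10.20.1.7,tcp,102,1200
2020-02-10T08:00:09,10.20.3.20,10.20.2.10,tcp,4840,4096
2020-02-10T08:01:13,172.16.5.44,10.20.1.5,tcp,502,128
2020-02-10T08:01:20,10.20.2.10,172.16.9.9,tcp,443,9800
2020-02-10T08:02:00,10.20.2.99,10.20.1.5,tcp,20000,300
"""

# Constructed baseline in the shape of a FortiNAC CSV export.
BASELINE_CSV = """ip,mac,host,role
10.20.1.5,00:1d:9c:aa:00:05,plc-05,controller
10.20.1.6,00:1d:9c:aa:00:06,plc-06,controller
10.20.1.7,00:1d:9c:aa:00:07,plc-07,controller
10.20.2.10,00:50:56:bb:00:10,hmi-10,hmi
10.20.2.11,00:50:56:bb:00:11,ews-11,engineering
10.20.3.20,00:50:56:cc:00:20,hist-20,historian
"""


def parse_flows(text):
    """Parse CSV flow records; port and byte counts become ints."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["dst_port"] = int(r["dst_port"])
        r["bytes"] = int(r["bytes"])
    return rows

def industrial_protocol(flow):
    """Protocol name for a flow on an industrial default port, else None."""
    return INDUSTRIAL_PORTS.get((flow["proto"].lower(), flow["dst_port"]))

def purdue_level(ip):
    """Purdue level of an address from the site map; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, level in PURDUE_LEVELS.items():
        if addr in net:
            return level
    return None

def protocol_report(flows):
    """Flows and bytes per industrial protocol: the report the lab lacked data for."""
    report = {}
    for f in flows:
        name = industrial_protocol(f)
        if name:
            entry = report.setdefault(name, {"flows": 0, "bytes": 0})
            entry["flows"] += 1
            entry["bytes"] += f["bytes"]
    return report

def boundary_violations(flows):
    """Industrial flows from the enterprise (level 4) straight into levels 0-2."""
    hits = []
    for f in flows:
        name = industrial_protocol(f)
        src, dst = purdue_level(f["src_ip"]), purdue_level(f["dst_ip"])
        if name and src is not None and dst is not None and src >= 4 and dst <= 2:
            hits.append((f["src_ip"], f["dst_ip"], name))
    return hits

def unknown_assets(flows, baseline_text):
    """Control-network hosts seen in flows but absent from the baseline inventory."""
    known = {r["ip"] for r in csv.DictReader(baseline_text.splitlines())}
    seen = {f["src_ip"] for f in flows} | {f["dst_ip"] for f in flows}
    # Enterprise (level 4) and unmapped addresses are out of scope for this check.
    return sorted(ip for ip in seen - known if purdue_level(ip) not in (None, 4))

if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    print(protocol_report(flows))
    print(boundary_violations(flows), unknown_assets(flows, BASELINE_CSV))
```

On the constructed data the script reports Modbus/TCP, S7comm, DNP3 and OPC UA traffic, flags one Modbus flow from an enterprise host straight into a controller, and lists one host (10.20.2.99, which is polling a PLC over DNP3) that the baseline inventory does not know about. A rule keyed purely on destination port is a starting point rather than a detection of the protocol itself: a Modbus session moved to another port, or PROFINET RT frames that never carry an IP header, will be missed, which is why application-layer identification of industrial protocols, as the paper notes FortiGate can do, matters more than the port number.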
In addition to hardware inventory, organizations need to address software inventory.
As part of the Fortinet Security Fabric, software inventory can be accomplished by
deploying FortiClient to servers and workstations within the control network. During
this review, we were not able to measure the effect FortiClient has on server and
workstation resources such as memory, CPU and network usage. Organizations will
therefore want to review these effects with their vendors or integrators before
deploying to a production environment. Alternatively, deploying FortiClient only on
engineer, operator and programmer workstations may be easier to justify: the cost in
processing power on those systems is offset by the asset information FortiClient
provides, which includes software and hardware details about the workstation,
vulnerability information, and connectivity with FortiNAC for additional
administrative and security benefits.

Incident Response and Recovery
Incident response and recovery can be a confusing and stressful operation for any
organization. Accurate information about system, network and authentication events
is critical during these periods. Correlating these events across the control network is
equally important. Having a single pane of glass that allows administrators to gather
and analyze this information can be especially beneficial by reducing the steps to
access the information.

The Fortinet Security Fabric lab provided for this analysis was not configured in a
manner that produced actual data, so its true value during an incident response
effort could not be judged. However, the integration of security controls via
FortiManager, and the data it correlates, is promising and would be useful to
analysts, incident responders and managers. Once configured and integrated correctly,
the information provided by the Fortinet Security Fabric technologies has the
potential to significantly reduce the gap between compromise and identification.
These security controls will also provide valuable correlated information that will
assist with the containment of a security incident and the eventual recovery of the
OT environment.

The best path forward for any team to address security events within the OT network
is to conduct incident response table-top scenarios. The Fortinet Security Fabric assets
will provide the team with details about the control network to assist with scenario
generation, data collection and impact analysis. Teams with this type of data are more
prepared than those that must manually acquire and correlate device logs.

Summary
The NIST CSF was designed to help critical infrastructure organizations develop and
implement a security program, including for their OT environments. There is no reason
that teams managing non-critical infrastructure cannot use the NIST CSF in the same
manner. This approach ensures that the processes at the center of the OT network are
driving the requirements while also educating the IT and OT team members about those
requirements. This communication and agreement on priorities is the key to success.

New security policies are going to mean changes to procedures and, potentially, to
technologies. Because processes do not change often, the use of a tightly integrated,
homogeneous security control environment makes a lot of sense. Having a solution
that offers something close to a single pane of glass, as FortiManager does, to manage
and monitor many security controls can go a long way toward reducing time and effort.
Centralizing account management in FortiAuthenticator should also reduce the
overhead, confusion and mistakes that come with managing administrative and user
access to each resource individually.

It is difficult to judge how each Fortinet product will function separately within an OT
network without actual data, but the demonstration we had of the basic capabilities of
the Fortinet Security Fabric did help us understand their potential. The capability of
FortiGate to monitor and manage specific industrial protocols, even at a high level, will
help OT teams implement effective enforcement boundaries between Purdue levels.
The integration of FortiGate with FortiAuthenticator and the control network's Active
Directory will extend the benefits of access control to the Fortinet Security Fabric and
other OT technologies. The FortiAnalyzer and FortiSIEM products will provide OT teams
with correlated system and network events generated within the OT environment, which,
in turn, will assist them with identifying and addressing security events and improve the
response to security incidents. FortiNAC and FortiClient will help improve hardware and
software asset management, an area that is challenging for many organizations.

All told, we are pleased with the capabilities the Fortinet Security Fabric brings to OT
networks and their supporting teams. Funding and deploying all of these technologies
at the same time will be unrealistic for most organizations. But, with a planned security
program based on the security requirements directly associated with the organization's
process, migration to a Fortinet Security Fabric-managed OT infrastructure is achievable
and can help organizations protect these critical networks and technologies.
For new processes, determine the information security requirements and work them
into the factory and site acceptance testing (FAT and SAT) phases of the process's
lifecycle. Doing so helps identify and justify the security controls and confirms that
their deployment has a positive impact on the process. Organizations securing active
processes will need to use testing and cutover windows to implement these products,
giving OT teams the time to test and validate how the process's reliability and
availability are affected by the new technologies. Planned properly, these technologies
should improve both the security and the functionality of the processes in which they
are deployed.

About the Author
Don C. Weber, a SANS ICS instructor and founding member of the GIAC Ethics Council,
has devoted himself to information security since 2002. He has extensive experience
in security management, physical and information technology penetration testing, web
assessments, wireless assessments, architecture review, incident response and digital
forensics, product research, code review and security tool development. He is currently
focused on assisting organizations in securing their business and ICS environments
through program reviews, security assessments, penetration testing and training.

Sponsor

SANS would like to thank this paper's sponsor, Fortinet.
Last Updated: September 28th, 2020