Security Today. Shon Harris. Security consultant, educator, author


1 Security Today Shon Harris Security consultant, educator, author

2 360 Security Model Holistic Approach to Security

3 Every Organization Has These EXACT Issues
The responsibility of securing an organization is falling into the laps of individuals who are not security professionals. This is because security is no longer just a technology issue; it is now a business issue that must be dealt with at all levels of an organization. The biggest hurdle is that the individuals in the industry have a difficult time understanding the ultimate goals of a secure enterprise architecture in a way that allows them to break those goals down into achievable steps. This is not because they are ignorant or incapable; every organization is struggling with the exact same questions:
- How do we set up a security enterprise architecture?
- How do we set up an enterprise risk management model?
- How do we implement security governance?
- How do we know what "enough security" means?
We are recognizing that more than technical people need to be involved, but cannot figure out how to integrate security into business processes.

4 Are There Gaps? Do the departments responsible for these different types of security communicate and work well together in your company?

5 Most Organizations
- Do not fully realize that there is a structured way of rolling out and maintaining a security program
- Are bombarded with products, consultants, too much information, and service and product companies with their own agendas
- By not following a structured approach, are wasting time, wasting money, experiencing security compromises, and failing audits

6 Common Pain Points Every organization is RECREATING THEIR OWN WHEEL when it comes to developing a secure enterprise architecture. This only adds layers of confusion because no one fully understands the overall goals or how to accomplish them.

7 But We Have Models
- CobiT
- ISO 17799/BS 7799
- NIST documents
- SABSA
- Etc.

8 CobiT Control Objectives
- 5.1 Management of IT Security: Manage IT Security at the highest appropriate organizational level
- 5.2 IT Security Plan: Translate business information requirements, IT configuration, information risk action plans, and information security culture
- 5.3 Identity Management: All users (internal, external, and temporary) and their activity on IT systems (business application, system operation)
- 5.4 User Account Management: Ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges
- 5.5 Security Testing, Surveillance, and Monitoring: Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically

9 Industry Best Practices Standards
BS/ISO 17799
- Guidelines on a range of controls for implementing security
- Best practices for security management
- Divided into 10 sections:
  Security policy; Security organization; Assets classification and control; Personnel security; Physical and environmental security; Computer and network management; System access control; System development and maintenance; Business continuity planning; Compliance

10 NIST Guidelines

11 SABSA Model

12 More Models
- Extended Enterprise Architecture Framework
- The U.S. Department of Defense (DoD) Architecture Framework (DoDAF)
- Zachman Framework
- The Open Group Architecture Framework (TOGAF)
- Capgemini's Integrated Architecture Framework
- United States Government Federal Enterprise Architecture (FEA)
- The UK Ministry of Defence (MOD) Architecture Framework (MODAF)
- NIH Enterprise Architecture Framework

13 Result of Trying to Understand all Models

14 Exactly Where Are We Trying to Go?
- Enterprise Security Architecture
- Security Governance
- Enterprise Risk Management
- Staying out of the Headlines
First, let's understand some of these concepts.

15 Goal of Enterprise Security Architecture = Security at All Levels
Security is to be in alignment with the organization's strategic goals.

16 Enterprise Security Architecture
- Strategic alignment
- Business enablement
- Process enhancement
- Security effectiveness

17 Without an Enterprise Security Architecture
- Security is in silos
- Security takes place only at the technical level
- Continual confusion and repeating expensive mistakes
- Stovepipe solutions, which cost more in maintenance and integration
- Depending upon point solutions, not enterprise solutions
- Unable to use enterprise information to make solid business decisions
- Continually putting out fires
- Reactive versus proactive

18 Security Governance
"Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly." - IT Governance Institute

19 Company A
- Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.
- CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month, and information security is always one topic on the agenda to review.
- Executive management sets an acceptable risk level that is the basis for the company's security policies and all security activities.
- Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.
Company B
- Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.
- CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.
- CISO took some boilerplate security policies, inserted his company's name, then had the CEO sign them.
- All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.

20 Company A
- Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.
- Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.
- Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.
- The organization is continuing to review its business processes, including security, with the goal of continued improvement.
Company B
- Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity, and profitability.
- Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.
- Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine the return on investment or effectiveness.
- The company has a false sense of security because it is using products, consultants, and/or managed services.
- The organization does not analyze its performance for improvement, but does continually march forward and makes the same mistakes over and over again.

21 Security Governance = Managing Security at All Levels

22 After Looking at the Pretty Graphics

23 What are We Doing Today?
- Lack of true understanding of overall goals
- Detailed structure is not fully developed first
- Bringing in expensive consultants
- Purchasing products
- Using managed security services
- Sending staff to technical security courses
(Diagram labels: CEO and Board; C-Level Individuals; Department Managers; IT and technologists; Consultants; Managed Services; Products; Generic Technology Training)

24 Why Is Our Current Model Dangerous?
- Not enough data gathered to understand how the organization works and identify goals
- Continually having to change because new company requirements are identified
- No real roadmap, so the team is not marching forward
- Continually chasing their own tails
- Not making educated and informed decisions
- Making the same expensive mistakes over and over
- Relying too heavily on consultants
- Lack of continual and useful communication
- People who are responsible for putting out fires are also trying to develop strategy
- Accountability is not truly enforced
- Point solutions instead of enterprise solutions are rolled out
- Plans are built around technology and not solution processes

25 Security Consulting Issues

26 COMMUNICATION

27 Knowledge Requirements and Communication Channels

28 There Are Cookie Cutter Approaches

29 Enterprise Security Architecture Components

30 Architecture Subcomponents

31 Laying Out Steps

32 Steps of a Risk Management Program

33 Fully Understand WHAT You are Doing BEFORE Jumping In
Vulnerability Management Program Process
- Define roles and responsibilities
- Develop VM baselines and metrics
- Develop threat classifications (high, medium, low)
- Identify and inventory assets
- Create CSIRT
- Develop procedures for incident handling
- Develop communication channels for incident data dissemination
- Carry out vulnerability assessments
- Carry out penetration tests
- Receive vendor vulnerability alerts
- Validate vulnerability alerts against your inventory of assets
- Classify new vulnerability (high, medium, low)
- Test remediation (patches, hotfix) and deploy patch management
- Implement preventive controls based on new vulnerability releases
- Audit vulnerability management processes and continually improve
Qualys, Foundstone Scanner, and ISS cannot do all of this for you. The product is just one component of the process.
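The "validate vulnerability alerts against your inventory of assets" and "classify new vulnerability (high, medium, low)" steps above, worked as an added example on constructed data (this is not code from the slides or from any of the products named; the asset list, the alert ids and the severity-by-criticality matrix are all invented for illustration):

```python
# Constructed asset inventory: host, installed product and version, business criticality.
INVENTORY = [
    {"host": "web-01", "product": "ExampleWeb", "version": "2.3.1", "criticality": "high"},
    {"host": "web-02", "product": "ExampleWeb", "version": "2.4.0", "criticality": "high"},
    {"host": "hr-db", "product": "ExampleDB", "version": "11.2", "criticality": "high"},
    {"host": "kiosk-7", "product": "ExampleWeb", "version": "2.2.9", "criticality": "low"},
]

# Constructed vendor alerts (placeholder ids): versions below fixed_in are affected.
ALERTS = [
    {"id": "VENDOR-ALERT-001", "product": "ExampleWeb", "fixed_in": "2.4.0", "severity": "critical"},
    {"id": "VENDOR-ALERT-002", "product": "ExampleDB", "fixed_in": "11.3", "severity": "medium"},
    {"id": "VENDOR-ALERT-003", "product": "ExampleMail", "fixed_in": "9.0", "severity": "critical"},
]

# Invented scoring matrix: vendor severity x asset criticality decides the internal rating.
SEVERITY_SCORE = {"critical": 3, "high": 3, "medium": 2, "low": 1}
CRITICALITY_SCORE = {"high": 3, "medium": 2, "low": 1}


def version_tuple(version):
    """Dotted numeric version -> tuple, so '2.10.0' compares greater than '2.9.0'."""
    return tuple(int(part) for part in version.split("."))


def classify(severity, criticality):
    """Map (vendor severity, asset criticality) to the program's high/medium/low rating."""
    score = SEVERITY_SCORE[severity] * CRITICALITY_SCORE[criticality]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def validate_alerts(inventory, alerts):
    """One finding per (alert, affected asset), ordered high -> medium -> low as a remediation queue."""
    findings = []
    for alert in alerts:
        for asset in inventory:
            if asset["product"] != alert["product"]:
                continue  # alert concerns software this asset does not run
            if version_tuple(asset["version"]) >= version_tuple(alert["fixed_in"]):
                continue  # already at or above the fixed version
            findings.append({"alert": alert["id"], "host": asset["host"],
                             "rating": classify(alert["severity"], asset["criticality"])})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda finding: order[finding["rating"]])
```

An alert for a product nobody runs (the mail alert here) produces no finding at all, and a "critical" vendor rating lands as only "medium" on a low-criticality kiosk: the inventory and business criticality, not the vendor's word, set the priority.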

34 Data Classification and Data Protection
Data Classification Program
- Risk assessment of not protecting sensitive data
- Define sensitive data as it maps to business drivers
- Define classification criteria (determine value of data via business impact analysis)
- Define data owner and custodian responsibilities
- Develop the necessary policies, standards, guidelines and procedures for internal use
- Know how to detect sensitive data at rest and in transit
- Mitigating third party risks (they have copies of sensitive data you are responsible for protecting)
- Response procedures when users attempt to release sensitive data, and enforcement tactics
- Document the data classification process, which includes a risk matrix and control descriptions for auditors and compliance
- Know how to modify classification criteria based on business and regulatory needs
- Understanding data protection controls that should be in place: access control, user provisioning, encryption, digital rights management, monitoring
- Training on data classification program, processes, and product use
- Integrate data classification and data protection processes into internal auditing practices
- Develop documentation and resources for external auditors for compliance validation

35 This Level of Detail Per Program Component
Don't buy a tool and THEN figure out your process.
(Diagram label: Program Components)

36 Break Your Three Year Plan Down Project management is required to keep everyone in step and on track.

37 Phases Need Useful Detail and Goals


39 When? Do you have to accomplish all of this today? In a week? In a year? In 2 years? No, but you need a plan today, and if it is worthless you will not accomplish this stuff in 10 years!

40 3 Year Plan Are Your Phases Even Useful or Too High Level?

41 Where is Your Architecture? Structure or Chaos or In Between?
Swamp guides become more valuable than security architects. If you don't know where you are, you can't get to where you want to go.

42 All Organizations We are currently around here

43 We Need to Evolve
- We need to empower organizations and allow them to understand security in business terms.
- We need to take the theoretical best practices and turn them into practical action items.
- Companies need to be able to take ownership of their internal security program.
- The current approach will continue to leave a gap between what we preach and what we practice.
- Holistic security, integrated into business processes.

44 Security Maturity Evolution
Assurance: Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective
Security Capability:
- Initiate Stakeholder Security Program: Stakeholder-sponsored program with responsibilities assigned
- Documented Strategy, Principles, and Policy: Clearly defined set of technology-independent policies developed from the business strategy
- Security Organizational Structure: Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure
- Security Architecture: Architecture principles and policies in place to define core security functions
- Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk
- Security Technical Framework: Establishment of standards and technologies to support stakeholder interaction
- Compliance and Certification: Establish compliance measurement and reporting system
- Security Metrics: Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process
(Diagram axis labels: Level 1, Level 2, Level 3; Defined, Integrated, Optimized; Evolution)

45 How to be Successful
- Figure out what needs to be protected, where you are and where you need to go
- Gather A LOT of organizational data; do not work in a vacuum
- Get at least one person out of the responsibility of continually fighting fires
- Stop spending money until a structured risk-based architecture is developed that can be measurable and controllable
- Break the pieces down into achievable goals that are inexpensive
- Learn from each phase, improve, and incorporate knowledge into the next phase
- Do not create metrics, baselines, or processes in the dark, which would waste a lot of money and be useless
- Understand how to incorporate security into business units and processes
- Make the 3 year plan a living document; you will only continue to learn

46 Business Case Communication
What will Allow this Project to Succeed?
- Take the time to gather all of the necessary data before running forward
- Get feedback from all departments that would be involved and affected
- Provide real information for decision makers and not superficial data
- Solid and reasonable phased approach
- Realize and communicate the true benefit that this will provide for ALL security needs and departments
- Realize that this is a long jog, not a short sprint
What will Cause this Project to Fail?
- If necessary resources and funds are not provided through ALL PHASES
- Viewed as a bottleneck for business expansion. Must be enforced as a must-have, not a nice-to-have
- If one person does not own this process and keep people on track
- More communication does not take place
- Wrong people are on the security committee
- Other projects take precedence and motivation fades

47 Improvement Will Not Happen Accidentally

48 Shon Harris Security Coach Not Consultant (972) Logical Security

49 Questions?