
360 Security Model - Holistic Approach to Security

Description: The 360 Security Model is an approach to security. It covers risk analysis, management and metrics; enterprise security architecture; security governance; and security legal and regulatory compliance. Source: http://www.logicalsecurity.com/education/education_overview.html (http://www.logicalsecurity.com)

Page 1: 360 Security Model - Holistic Approach to Security

Security Today

Shon Harris
Security consultant, educator, author

Presentation is Proprietary and Cannot be Reused without Permission

Page 2

360 Security Model

Holistic Approach to Security

Page 3

Every Organization has these EXACT issues…

• The responsibility of securing an organization is falling into the laps of individuals who are not security professionals.

• This is because security is no longer just a technology issue, but is now a business issue that must be dealt with at all levels of an organization.

• The biggest hurdle is that the individuals in the industry have a difficult time understanding the ultimate goals of a secure enterprise architecture in a way that allows them to break those goals down into achievable steps.

• This is not because they are ignorant or incapable; every organization is struggling with the exact same questions:
  • How do we set up an enterprise security architecture?
  • How do we set up an enterprise risk management model?
  • How do we implement security governance?
  • How do we know what "enough security" means?

• We recognize that more than just technical people need to be involved, but cannot figure out how to integrate security into business processes.

Page 4

Are There Gaps?

Do the departments responsible for these different types of security communicate and work well together in your company?

Page 5

Most Organizations…

► Do not fully realize that there is a structured way of rolling out and maintaining a security program

► Are bombarded with products, consultants, too much information, and service and product companies with their own agendas

► By not following a structured approach, are wasting time, wasting money, experiencing security compromises, and failing audits

Page 6

Common Pain Points

Every organization is RECREATING THEIR OWN WHEEL when it comes to developing a secure enterprise architecture.

This only adds layers of confusion because no one fully understands the overall goals or how to accomplish them.

Page 7

No Enforcement – Just Documents

Page 8

But We Have Models

► CobiT
► ISO 17799/BS 7799
► NIST documents
► SABSA
► Etc.

Page 9

CobiT – Control Objectives (DS5, Ensure Systems Security)

5.1 Management of IT Security

Manage IT Security at the highest appropriate organizational level …

5.2 IT Security Plan

Translate business information requirements, IT configuration, information risk action plans, and information security culture …

5.3 Identity Management

All users (internal, external, and temporary) and their activity on IT systems (business application, system operation…)

5.4 User Account Management

Ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges …

5.5 Security Testing, Surveillance, and Monitoring

Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically …

Page 10

Industry Best Practices Standards

BS 7799 / ISO 17799
► Guidelines on a range of controls for implementing security
► Best practices for security management
► Divided into 10 sections:
  Security policy
  Security organization
  Asset classification and control
  Personnel security
  Physical and environmental security
  Computer and network management
  System access control
  System development and maintenance
  Business continuity planning
  Compliance

Page 11

NIST Guidelines

Page 12

SABSA Model

http://www.sabsa-institute.org/UserFiles/Image/3-framework.png

Page 13

Result of Trying to Understand all Approaches

Page 14

Exactly Where Are We Trying to Go?

► Risk Management
► Enterprise Security Architecture
► Security Governance
► Security Legal and Regulatory Compliance
► Staying out of the Headlines

Page 15

Need Risk Management Now?

Does your team know how to develop and roll this out?

Page 16

Goal of Enterprise Security Architecture = Security at All Levels

Security is to be in alignment with the organization's strategic goals.

Page 17

Enterprise Security Architecture

► Strategic alignment
► Business enablement
► Process enhancement
► Security effectiveness

Page 18

Without an Enterprise Security Architecture

► Security only takes place at the technical level

► Continual confusion and repeating expensive mistakes

► Stovepipe solutions, which cost more in maintenance and integration
  ► Depending upon point solutions, not enterprise solutions

► Unable to use enterprise information to make solid business decisions

► Continually putting out fires
  ► Reactive versus proactive

Page 19

Security Governance

"Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."

- IT Governance Institute

Page 20

Company A: All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.
Company B: Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.

Company A: The CISO took some boilerplate security policies, inserted his company's name, then had the CEO sign them.
Company B: Executive management sets an acceptable risk level that is the basis for the company's security policies and all security activities.

Company A: The CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.
Company B: The CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month, and information security is always one topic on the agenda to review.

Company A: Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.
Company B: Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.

Page 21

Company A: The organization does not analyze its performance for improvement, but continually marches forward and makes the same mistakes over and over again.
Company B: The organization continually reviews its business processes, including security, with the goal of continued improvement.

Company A: Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics that would allow return on investment or effectiveness to be determined. The company has a false sense of security because it is using products, consultants, and/or managed services.
Company B: Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.

Company A: Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.
Company B: Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.

Company A: Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity, and profitability.
Company B: Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.

Page 22

Security Governance = Managing Security at All Levels

Page 23

After Looking at the Pretty Graphics

Page 24

Information Security Mantra

"Security needs to be a business process"

Great strategic goal – but many organizations will never get there under their current approaches.

Page 25

What are We Doing Today?

► Lack of true understanding of overall goals
► Detailed structure is not fully developed first
► Bringing in expensive consultants
► Purchasing products
► Using managed security services
► Sending staff to technical security courses

[Diagram: audiences (IT and technologists; Department Managers; C-Level Individuals; CEO and Board) mapped against today's inputs (Generic Technology Training; Consultants; Managed Services; Products)]

Page 26

Why Is Our Current Model Dangerous?

► No real roadmap, so the team is not marching forward
  Continually chasing their own tails

► Not making educated and informed decisions
  Making the same expensive mistakes over and over
  Relying too heavily on vendors

► Lack of continual and useful communication between corporate levels

► Risk management is talked about, but not understood or implemented

► Accountability is not truly enforced

► Point solutions instead of enterprise solutions are rolled out

► Plans are built around technology and not solution processes

► People who are responsible for putting out fires are also trying to develop strategy

Page 27

Security Consulting Issues

Page 28

COMMUNICATION

Page 29

Knowledge Requirements and Communication Channels

Page 30

There Are Cookie Cutter Approaches

Page 31

Break Your Three Year Plan Down

Project management is required to keep everyone in step and on track

Page 32

Phases Need Useful Detail and Goals

Page 33

Page 34

Mapping Requirements to Security Processes

Security Program Components are the Categories of Control Objectives

Page 35

Security Program Subcomponents

Page 36

Defining the Surrounding Process around Specific Subcomponents

Page 37

Example: Vulnerability Management

Almost all regulations require vulnerability management.

There are about 100 different ways that vulnerability management is termed in the various laws and regulations.

The difficulty is developing and implementing a successful VM program and ensuring that it maps to all compliance requirements.

Page 38

You Need a Fully Functional Program

Vulnerability Management Program Process
► Define roles and responsibilities
► Develop VM baselines and metrics
► Develop threat classifications (high, medium, low)
► Identify and inventory assets
► Create a CSIRT
► Develop procedures for incident handling
► Develop communication channels for incident data dissemination
► Carry out vulnerability assessments
► Carry out penetration tests
► Receive vendor vulnerability alerts
► Validate vulnerability alerts against your inventory of assets
► Classify each new vulnerability (high, medium, low)
► Test remediation (patches, hotfixes) and deploy – patch management
► Implement preventive controls based on new vulnerability releases
► Audit vulnerability management processes and continually improve

Qualys, Foundstone Scanner, and ISS cannot do all of this for you. The product is just one component of the process.
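The "validate alerts against your inventory" and "classify" steps in the list above are exactly where a product alone falls short: the scanner or the vendor bulletin reports a weakness, but deciding which advisories apply to the assets this organization actually runs, and how severe each one is here, is the program's job and needs the asset inventory to exist first. The following is an added example, not material from the slides or from Logical Security, showing those two steps as code. The product names, versions, advisory identifiers and scoring thresholds are constructed for illustration and do not refer to real vulnerabilities.

```python
"""Added example (not from the slides): match vendor vulnerability alerts
against an asset inventory and rank what actually needs remediation.

All data below is constructed for illustration; the product names,
versions and advisory identifiers are hypothetical, not real CVEs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: tuple          # e.g. (2, 4, 1)
    criticality: str        # "high" | "medium" | "low", from the inventory / BIA
    internet_facing: bool


@dataclass(frozen=True)
class Alert:
    advisory_id: str
    product: str
    fixed_in: tuple         # first version that is no longer affected
    cvss_base: float        # 0.0-10.0 as published by the vendor


def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def affected_assets(alert, inventory):
    """Step 'validate alerts against your inventory': an alert only matters
    if we run the named product at a version below the fixed release."""
    return [a for a in inventory
            if a.product == alert.product and a.version < alert.fixed_in]


def classify(alert, asset):
    """Step 'classify new vulnerability (high, medium, low)'.
    The vendor's CVSS score is adjusted by what the inventory says about
    the asset; the adjustments and thresholds are an assumption."""
    score = alert.cvss_base
    if asset.internet_facing:
        score += 1.0
    if asset.criticality == "high":
        score += 1.0
    elif asset.criticality == "low":
        score -= 1.0
    score = max(0.0, min(10.0, score))
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(alerts, inventory):
    """Return (advisory_id, hostname, severity) for every affected asset,
    highest severity first, so patch management works from a real list."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for alert in alerts:
        for asset in affected_assets(alert, inventory):
            findings.append((alert.advisory_id, asset.hostname, classify(alert, asset)))
    findings.sort(key=lambda f: (order[f[2]], f[0], f[1]))
    return findings


# Constructed inventory and advisories (hypothetical products and IDs).
INVENTORY = [
    Asset("web-01", "acmehttpd", parse_version("2.4.1"), "high", True),
    Asset("web-02", "acmehttpd", parse_version("2.4.9"), "high", True),
    Asset("db-01", "acmesql", parse_version("11.2.0"), "high", False),
    Asset("kiosk-07", "acmehttpd", parse_version("2.3.0"), "low", False),
]
ALERTS = [
    Alert("VENDOR-2024-001", "acmehttpd", parse_version("2.4.5"), 6.5),
    Alert("VENDOR-2024-002", "acmesql", parse_version("11.3.0"), 4.0),
    Alert("VENDOR-2024-003", "acmeftp", parse_version("1.0.1"), 9.8),  # product not deployed
]

if __name__ == "__main__":
    for advisory, host, severity in triage(ALERTS, INVENTORY):
        print(f"{severity:6} {advisory} {host}")
```

The third advisory has the highest vendor score but touches nothing in the inventory, so it drops out; the medium-scored web-server advisory comes out as high on the internet-facing production host and as medium on the low-criticality kiosk. That re-ranking against local context is the "classify" step the slide lists, and it is only possible once the inventory step before it has been done.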

Page 39

Another Example: Data Classification and Data Protection

Necessary steps of this process:
► Risk assessment of not protecting sensitive data
► Define sensitive data as it maps to business drivers
► Define classification criteria (determine value of data via business impact analysis)
► Define data owner and custodian responsibilities
► Develop the necessary policies, standards, guidelines and procedures for internal use
► Know how to detect "sensitive data" at rest and in transit
► Mitigate third party risks (they have copies of sensitive data you are responsible for protecting)
► Response procedures when users attempt to release sensitive data, and enforcement tactics
► Document the data classification process, which includes a risk matrix, and control descriptions for auditors and compliance
► Know how to modify classification criteria based on business and regulatory needs
► Understand the data protection controls that should be in place:
  ► Access control
  ► User provisioning
  ► Encryption
  ► Digital rights management
  ► Monitoring
► Training on the data classification program, processes, and product use
► Integrate data classification and data protection processes into internal auditing practices
► Develop documentation and resources for external auditors for compliance validation
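"Know how to detect sensitive data at rest" is the one step in the list above that turns directly into a technical control, and it is harder than it looks: a pattern match on long digit runs flags invoice and reference numbers as payment card numbers and buries the real findings in false positives. The added example below (not from the slides or from Logical Security) scans text for candidate card numbers, discards candidates that fail the Luhn check digit, masks what it finds so the report itself does not become sensitive data, and assigns a classification label. The sample text, the label names, and the rule that any card number makes a document "confidential" are constructed assumptions for illustration.

```python
"""Added example (not from the slides): detect payment card numbers in
text at rest and derive a classification label from what is found.
The sample text and the label scheme are constructed for illustration."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check: doubles every second digit from the right, folds
    two-digit results, and requires the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return every digit string in text that looks like a PAN and
    passes Luhn; reference numbers that merely look numeric drop out."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep the first six and last four digits, as a report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_document(text):
    """Assumed label scheme: any card number makes the document
    'confidential'; an explicit marking makes it 'internal'; else 'public'."""
    if find_card_numbers(text):
        return "confidential"
    if re.search(r"\bINTERNAL USE ONLY\b", text, re.IGNORECASE):
        return "internal"
    return "public"


# Constructed sample: one real-looking (Luhn-valid test) PAN, one
# 16-digit reference number that is not a card number.
SAMPLE = (
    "Order 88213 paid with card 4111 1111 1111 1111 on 2024-03-02.\n"
    "Shipping reference 1234567890123456; contact ext. 5550123.\n"
)

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE):
        print("found PAN", mask(pan))
    print("classification:", classify_document(SAMPLE))
```

The Luhn step is what separates a usable detector from a noisy one: both 16-digit strings in the sample match the pattern, but only the card number survives validation, so the document is labelled once for the right reason. The same scan can run on files at rest or on a captured stream, which is why the slide pairs "at rest and in transit".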

Page 40

This Level of Detail Per Program Component

Program Components

Page 41

When?

Do you have to accomplish all of this today? In a week? In a year? In 2 years?

No, but you need a plan today, and if it is worthless you will not accomplish this stuff in 10 years!

Page 42

3 Year Plan – Are Your Phases Even Useful – or Too High Level?

Page 43

Structure or Chaos – or In Between?

If you don't know where you are, you can't get to where you want to go.

Security Programs…

Swamp guides become more valuable than security architects

Page 44

All Organizations

We are currently around here

Page 45

We Need to Evolve

► We need a new model to empower organizations and allow them to understand security in business terms

► We need a model that takes the theoretical best practices and turns them into practical action items

► Companies need to be able to take ownership of their internal security program

The current approach will continue to provide a gap between what we preach and what we practice.

Holistic, integrated security that is integrated into business processes.

Page 46

Security Maturity Evolution

[Diagram: Security Capability (vertical axis) plotted against Evolution (horizontal axis), with three maturity levels: Level 1 Defined, Level 2 Integrated, Level 3 Optimized. Components shown:]

► Security Metrics: Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process
► Initiate Stakeholder Security Program: Stakeholder sponsored program with responsibilities assigned
► Security Architecture: Architecture principles and policies in place to define core security functions
► Assurance: Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective
► Security Technical Framework: Establishment of standards and technologies to support stakeholder interaction
► Security Organizational Structure: Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure
► Documented Strategy, Principles, and Policy: Clearly defined set of technology-independent policies developed from the business strategy
► Compliance and Certification: Establish compliance measurement and reporting system
► Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk

Page 47

How to be Successful

► Gather much more data – do not work in a vacuum

► Break the pieces down into achievable goals that are inexpensive
  Quick wins will be much quicker

► Learn from each phase, improve, and incorporate knowledge into the next phase

► Phases will allow the group to understand more about the current processes and the business as a whole

► Use products that are currently in-house and in the market to accomplish many of these tasks through automation

► Do not create metrics, baselines, processes "in the dark" – which would waste a lot of money and be useless

► Provide a structured risk-based approach that is measurable and controllable

► Understand how to incorporate security into business units and processes

► Understand how to continually improve and be innovative in a healthy manner

► Protect the company in a more effective and understandable process

Page 48

Success or Failure

What will Allow this Project to Succeed?

► Take the time to gather all of the necessary data before running forward
► Get feedback from all departments that would be involved and affected
► Provide real information for decision makers and not superficial data
► Solid and reasonable phased approach
► Realize and communicate the true benefit that this will provide for ALL security needs and departments
► Realize that this is a long jog, not a short sprint

What will Cause this Project to Fail?

► Necessary resources and funds are not provided through ALL PHASES
► Viewed as a bottleneck for business expansion. Must be enforced as a "must have" not a "nice to have"
► No one person owns this process and keeps people on track
► No additional communication takes place
► Wrong people are on the security committee
► Other projects take precedence and motivation fades

Page 49

Improvement Will Not Happen Accidentally

Page 50

Shon Harris

www.LogicalSecurity.com

(888) 373-5116

[email protected]

Logical Security is on the GSA Schedule and is a woman-owned, veteran-owned company