BUILDING SECURITY BASED UPON RISK

Jeff Bardin, Principal, Treadstone 71
www.treadstone71.com
jbardin@treadstone71.com
Source: …conferences.hau.gr/resources/proceedings09/bardin.pdf

Shift Happens - Globalization

Security Breaches (http://datalossdb.org/)

2007 – Fidelity Investments
– A lost laptop exposed sensitive data on 196,000 current and former large customer employees
– Institution offered 12 months free credit monitoring to all affected customer employees
– Lost, unencrypted media

2007 – CIBC
– A backup computer file containing personal information of 500K customers was lost in transit. The data included names, addresses, DoBs, account numbers and SSNs.
– Impact: Unknown
– Lost, unencrypted media

2007 – MasterCard
– System vulnerability in a third party payment processor
– Up to 40 million credit card accounts compromised
– System Vulnerability

2007 – Deutsche Bank
– Bank employee sent unauthorized emails to ~175 institutional accounts just as customer was entering an initial public offering
– Damaged reputation and missed out on millions of dollars in I.P.O. fees.
– Internal threat

2007 – MasterCard
– Customers' financial documents disposed of in trash bins
– Thieves used details to conduct fraudulent transactions
– Unintentional distribution

We Need to Cover Our Environment – I Need This Stuff – No Really – Hey! This is My Job

• Firewalls
  – Perimeter
  – Desktop
• Application Layer Firewalls
• Intrusion Detection
  – Host and Network
• Intrusion Prevention
  – Host and Network
• Anti Virus
  – Servers
  – Desktops
  – Email
  – Gateways
• Content Filters
• VPN
• SSL VPN
• SSH
• Encryption
  – Whole Disk Encryption
  – Tape Encryption
  – Email Encryption
  – Wireless Encryption
  – PKI
  – Database
• Data Loss Prevention
  – Network
  – Server
  – Desktop
• Security Information Event Monitoring
• Vulnerability scanners
  – Infrastructure
  – Application
• Anti Spyware
• Mobile Security
• Risk and Compliance Security
• Endpoint Security
• eDiscovery
• Anti Spam
• Governance, Risk & Compliance
• Forensics
• Investigations
• Identity Management
• Access Management

What Does Risk Do in Security?

Mission Statement

The Office of Risk Management (ORM) is charged with business risk management that ensures organizational survivability during times of potential disaster, the ability to minimize business risk, and to maximize the return on investment while driving business opportunities and competitive advantage.

Responsibilities

The ORM is responsible for:
• providing a continuous, proactive and systematic process to understand, manage and communicate enterprise-level risk
• delivering timely and accurate risk information to senior management
• facilitating informed strategic decisions that contribute to the achievement of overall corporate objectives

What Are the Business Risks?

Loss, destruction, modification, interruption or disclosure of data
– Substantially reduced employee productivity
– Increased legal exposure due to transmissions of offensive material
– Damage to critical systems
– Costly damage to company reputation, bond ratings, stock price
– Financial pain – litigation/fines
– Distraction from the mission

Examples

Parental Warning – Risk Appetite

Parental Advisory: DEPTH OF ASSESSMENT DETERMINES ISSUES DISCOVERED. 1 FOOT = 3 BODIES; 5 FEET = 50 BODIES; 10 FEET = 125 BODIES.

Challenges

Information Security is perceived as a business inhibitor that costs too much, and not as a BUSINESS ACCELERATOR

Need a holistic, risk-based approach that makes security more effective, aligns it with the business, and makes it cost effective

• ineffective
  – not protecting what’s important
  – resource-constrained
• costly
  – too many security products
  – too many security procedures
  – too many security vendors
• inhibiting compliance
  – too many controls - manual, complicated, labor-intensive

Bombarded by Regulations, Statutes and Followed Standards

PCI DSS, HIPAA, Internal Policy, GLBA, HSPD 12, CSB 1386, Country Privacy Laws, SOX, EU CDR, UK RIPA, FISMA, COCOM, Data Security Act, FACTA, EU Data Privacy, FFIEC, BASEL II, J-SOX, IRS 97-22, NERC, NISPOM, Partner Rules, ACSI 33, NIST 800, State Privacy Laws


Data at Rest?

Different Risks at Different Times

[Diagram: risks mapped across Endpoint, Network, Applications, Files and Storage]

Locations shown: Remote Employees, WW Campuses, WW Customers, WW Partners, WAN, WWW, VPN, Enterprise email, Customer portal, Business Analytics, Outsourced Development, Production Data, Data warehouse, Staging, DR, File Server, Disk storage, Back up disk, Back up tape

Risks shown: Media Theft, Device Theft, Media Loss, Device Loss, Data Theft, Data Loss, Takeover, Fraud, Intercept, Eavesdropping, Unauthorized Access, Unauthorized Activity, Unintentional Distribution, DoS, Corruption, Unavailability


Ever Changing Threat Landscape

Posture Erosion Over Time

[Chart: Risk (Low to High) plotted against Time]

Security Improvements Lower Risk
• Awareness training
• Policy development
• Operating system hardening
• Patch & vulnerability management
• Behavior based – Anomaly based

Changing threats, technology, business
• New exploits
• New system functions
• New regulations
• Staff turnover

Case Studies

19 January 2009

Case 1 - Strategic Plan Alignment – The Challenge

Drive Security to:
• Management simplicity
• Reduced costs while adding functionality
• Expand the corporate security posture
• Getting a seat at the table
• Changing the view of information security as purely a technical issue
• Apply a risk-based approach

Premises to Operate Under
• Reduce the number of vendors
• Reduce the number of consoles
• Reduce the number of databases
• Reduce the number of agents
• Consolidate functions into as few devices as possible
• Best of suite may be better than best of breed
• Expand our security reach – improve our posture
• Consolidate, Integrate, Standardize, O3 (Operationalize, Optimize, Outsource)

Results

What worked
– Simplified environment – enhanced information visibility
– Centralized management while expanding security coverage
– Removed five vendors
– Reduced number of consoles, databases, backup agents, event correlation agents, monitoring agents
– Annual cost savings of $247K in maintenance costs. Reduced annual labor budget by $550k
  • Total reduction over $797 year 1
  • Total reduction $1.594M year 2
– Built good will and credibility
– Role based segmentation
– Built trust – aligned with business needs
– Moved to a strategic, advisory role

What did not
– Speed in execution
– IT support was spotty
– CIO/CTO reduced other staff and funding before completion of the implementation
– Removal of existing vendors slowed due to premature staff and funding reductions

Case 2 - Can I Buy Time? - Maybe More! – Using Open Source

• OpenBSD (www.openbsd.org)
  – operating system built with security as its primary objective
• Linux (www.linux.com)
  – which has a history of high-quality, stable and secure code, making this OS a vital building block on which to build security infrastructure (most security appliance solutions are built upon it)
• Snort (www.snort.org)
  – the open source IDS tool maintained by Sourcefire, among the most widely deployed IDS tools around
• OWASP (www.owasp.org)
  – Free application security tools
  – WebScarab, WebGoat, Paros
• Kismet
  – wireless network detector, sniffer, and intrusion detection system
• Wireshark (www.wireshark.org)
  – a high-quality open source protocol analyzer (network – VoIP)
• OpenVPN / SSH / SSL (www.openssl.org)
  – a full-featured SSL VPN – SSH – SSL
• Nessus (www.nessus.org)
  – free version for vulnerability scanning
• Nmap (www.nmap.org)
  – Network exploration and security auditing
• Microsoft Baseline Security Analyzer (MBSA)
  – free vulnerability scanner for Windows devices
• Windows Server Update Services (WSUS)
  – patch management for Windows servers
• Poor man's Network Access Control
  – Perl
  – Asset list by MAC address
• TrueCrypt Encryption (www.truecrypt.org)
  – Whole Disk
  – Removable Media
• Tcpdump, PGP, GnuPG, etc.

http://blogs.csoonline.com/security_on_a_shoestring_budget

Case 3 - Too Many Logs – Too Many Devices – Too Many Consoles

Log sources shown:
• Router logs
• IDS/IDP logs
• VPN logs
• Firewall logs
• Switch logs
• Windows logs
• Client & file server logs
• Wireless access logs
• Windows domain logins
• Oracle Financial Logs
• SAN File Access Logs
• VLAN Access & Control logs
• DHCP logs
• Linux, Unix, Windows OS logs
• Mainframe logs
• Database Logs
• Web server activity logs
• Content management logs
• Web cache & proxy logs
• VA Scan logs

Uses shown:
• Compliance Monitoring
• IP Leakage
• Configuration Control
• Lockdown enforcement
• False Positive Reduction
• Access Control Enforcement
• Privileged User Management
• Malicious Code Detection
• Spyware detection
• Real-Time Monitoring
• Troubleshooting
• User Monitoring
• SLA Monitoring

Deployed a Security Information and Event Monitoring (SIEM) Solution

Server Engineering, Business Ops., Compliance Audit, Application & Database, Network Ops., Risk Mgmt., Security Ops., Desktop Ops.

Log Management
– Able to aggregate data from any enterprise IP device
– Did not have to deploy any agents

Simplify Compliance
– Access Control
– Configuration Control
– Malicious Software
– Policy Enforcements
– User Monitoring & Management
– Environmental & Transmission Security

Enhance Security & Mitigate Risk
– Access Control Enforcement
– SLA Compliance Monitoring
– False Positive Reduction
– Real-time Alerts
– Unauthorized Network Service Detection
– Privileged User Monitoring

Optimize IT & Network Operations
– Monitor network assets
– Troubleshoot network issues
– Assist with Helpdesk operations
– Optimize network performance
– Gain visibility into user behavior
– Build baseline of normal network activity

All the Data
– Report
– Alert/Correlation
– Incident Mgmt.
– Log Mgmt.
– Asset Mgt.
– Forensics
– Baseline

Case 4 - Incorporating Two Tools to Demonstrate Value - Data loss prevention & Transport layer security (eval to purchase)

Outbound data leakage – sensitive email discovered with data loss prevention tool

First day TLS enabled - 28% email domains remediated. 23% customer email domains remediated.

Cost of TLS? - $349 for a digital certificate. TLS a function of existing technology.

Specific, Measurable, Achievable, Realistic, Timely

Phase II of Transport layer security - 90 Days After Phase I Completion

• Clear message created - Communication to customers through Client Management
• Posting on customer portal
  – TLS definitions
  – How to Enable TLS

Case 5 - Awareness

Multiple media types used for security awareness
• Seminars
• Awareness Day
• Annual testing
• Posters - Flash animation
• Email - Web postings
• Bookmarks
• Blogs
• Wikis
• Forums
• eBooks
• Podcasts – Vodcasts (MP3)

Reward Positive Behavior

The Richter Scales

Awareness

Data Protection Jeopardy

What worked – overall program requires multiple media types, with proper timing. Game show format. Targeted to age groups. Created Policy & Awareness Council. Reduced security incident call volume by 25% in 90 days.

What did not – too much too soon too often

Awareness

Generation X and Millennials
• US Population – 44%
• Corporate Population – 45%
• Your Population - ?

Organizational Structure

[Organization chart. Roles shown: CIO, CISO, CIRO, VP DEV, VP IT, Sec Engineer, Sec Architect, Firewall/IDS–IPS Eng, Sec Admin, Sec Tester, Sec Analyst, Quality Assurance, Sys Engineer, IT Architect, Network Eng, Sys Admin, IT Analyst]

http://blogs.csoonline.com/protect_what_you_own

Demand Excellence

• Avoid posture erosion
• Examine new technologies
  – Proactive and Preventive
• Require clean pipes
• Demand defect free products
• Build a strong security schedule into your contracts
• Truly determine exploitable vulnerabilities
• Security is a budget line item
• Security must be risk-based
• Make your developers write ‘proper’ code
• Risk must be delivered in business terms
• Protect data at inception through its life
• Never underestimate your opponent(s) – von Clausewitz
• Educate, educate, educate

In Summary

• Move to management simplicity
• Reduce costs while adding functionality
• Expand the corporate security posture and reach
• Give your CISO a seat at the table
• Change the view of information security as purely a technical issue
• Knowing what data is going where is required – use it to prove need
• Apply a risk-based approach
  – Reduce the number of vendors
  – Reduce the number of consoles
  – Reduce the number of databases
  – Reduce the number of agents
  – Consolidate functions into as few devices as possible
  – Best of suite may be better than best of breed
• Open source can be effective
• Aggregate your log data to a single, correlated view
• Using metrics before funding and after funding
  – Measure everything – smartly
• Awareness is a kaleidoscope
• Using vendors to demonstrate the need is a good thing
• Organize to truly build security in

Don’t Use a Sledgehammer to push in a tack

Consolidate, Integrate, Standardize, O3

CIRO

Questions

Jeff Bardin, Principal – Treadstone 71
jbardin@treadstone71.com