Security Today

Shon Harris
Security consultant, educator, author
Presentation is Proprietary and Cannot be Reused without

360 Security Model

Holistic Approach to Security

Every Organization has these EXACT issues…

The responsibility of securing an organization is falling into the laps of individuals who are not security professionals. This is because security is no longer just a technology issue, but is now a business issue that must be dealt with at all levels of an organization.

The biggest hurdle is that the individuals in the industry have a difficult time understanding the ultimate goals of a secure enterprise architecture in a way that allows them to break them down into achievable steps. This is not because they are ignorant or incapable, but every organization is struggling with the exact same questions:
• How do we set up a security enterprise architecture?
• How do we set up an enterprise risk management model?
• How do we implement security governance?
• How do we know what “enough security” means?

We are recognizing that more than technical people need to be involved, but cannot figure out how to integrate security into business processes.

Are There Gaps?
Do the departments responsible for these different types of security communicate and work well together in your company?

Most Organizations…
► Do not fully realize that there is a structured way of rolling out and maintaining a security program
► Organizations are bombarded with products, consultants, too much information, and service and product companies with their own agendas
► By not following a structured approach, organizations are wasting time, wasting money, experiencing security compromises, and failing audits

Common Pain Points
Every organization is RECREATING THEIR OWN WHEEL when it comes to developing a secure enterprise architecture.
This only adds layers of confusion because no one fully understands the overall goals or how to accomplish them.

No Enforcement – Just Documents

But We Have Models
► CobiT
► ISO 17799/BS 7799
► NIST documents
► SABSA
► Etc.

CobiT – Control Objectives
5.1 Management of IT Security: Manage IT Security at the highest appropriate organizational level …
5.2 IT Security Plan: Translate business information requirements, IT configuration, information risk action plans, and information security culture …
5.3 Identity Management: All users (internal, external, and temporary) and their activity on IT systems (business application, system operation…)
5.4 User Account Management: Ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges …
5.5 Security Testing, Surveillance, and Monitoring: Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically …

BS/ISO 17799

Industry Best Practices Standards

 Guidelines on a range of controls for implementing security
 Best practices for security management
 Divided into 10 sections:
   Security policy
   Security organization
   Assets classification and control
   Personnel security
   Physical and environmental security
   Computer and network management
   System access control
   System development and maintenance
   Business continuity planning
   Compliance

NIST Guidelines


Result of Trying to Understand all Approaches

Exactly Where Are We Trying to Go?
► Risk Management
► Enterprise Security Architecture
► Security Governance
► Security Legal and Regulatory Compliance
► Staying out of the Headlines

Need Risk Management Now?

Does your team know how to develop and roll this

Goal of Enterprise Security Architecture = Security at All Levels

Security is to be in alignment with organization’s strategic

Enterprise Security Architecture
 Strategic alignment
 Business enablement
 Process enhancement
 Security effectiveness

Without an Enterprise Security Architecture
 Security only takes place at the technical level
 Continual confusion and repeating expensive mistakes
 Stovepipe solutions, which cost more in maintenance and integration
 Unable to use enterprise information to make solid business decisions
 Continually putting out fires

upon point solutions, not enterprise solutions

versus proactive

Security Governance
“Security governance is the set of responsibilities and
practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”
- IT Governance Institute

Company A Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches. CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month and information security is always one topic on the agenda to review. Executive management sets an acceptable risk level that is the basis for the company’s security policies and all security activities. Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.

Company B Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits. CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved. CISO took some boilerplate security policies, inserted his company’s name, then had the CEO sign them. All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.

Company A Critical business processes are documented along with the risks that are inherent at the different steps within the business processes. Employees are held accountable for any security breaches they participate in, either maliciously or accidentally. Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.

Company B Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity, and profitability. Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed. Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine the return on investment or effectiveness. Company has a false sense of security because it is using products, consultants, and/or managed services. The organization does not analyze its performance for improvement, but does continually march forward and makes the same mistakes over and over again.

The organization is continuing to review its business processes, including security, with the goal of continued improvement.

Security Governance = Managing Security at All Levels

After Looking at the Pretty Graphics

Information Security Mantra
“Security needs to be a business process”
Great strategic goal – but many organizations will never get there under their current approaches.

What are We Doing Today?
► Lack of true understanding of overall goals
► Detailed structure is not fully developed first
► Bringing in expensive consultants
► Purchasing products
► Using managed security services
► Sending staff to technical security courses

(Diagram: organizational levels, CEO and Board; C-Level Individuals; Department Managers; IT and technologists, shown alongside Consultants, Managed Services, Products, and Generic Technology Training.)

Why Is Our Current Model Dangerous?
► No real roadmap, so the team is not marching forward
   Continually chasing their own tails
► Not making educated and informed decisions
   Making the same expensive mistakes over and over
   Relying too heavily on vendors
► Lack of continual and useful communication between corporate levels
► Risk management is talked about, but not understood or implemented
► Accountability is not truly enforced
► Point solutions instead of enterprise solutions are rolled out
► Plans are built around technology and not solution processes
► People who are responsible for putting out fires are also trying to develop strategy

Security Consulting Issues


Knowledge Requirements and Communication Channels

There Are Cookie Cutter Approaches

Break Your Three Year Plan Down
Project management is required to keep everyone in step and on track

Phases Need Useful Detail and Goals

Mapping Requirements to Security Processes
Security Program Components are the Categories of Control Objectives

Security Program Subcomponents

Defining the Surrounding Process around Specific Subcomponents

Example: Vulnerability Management
Almost all regulations require vulnerability management. There are about 100 different ways that vulnerability management is termed in the various laws and regulations.
The difficulty is developing and implementing a successful VM program and ensuring that it maps to all compliance requirements.

You Need a Fully Functional Program
Vulnerability Management Program Process

Necessary steps of this process:
 Define roles and responsibilities
 Develop VM baselines and metrics
 Develop threat classifications (high, medium, low)
 Identify and inventory assets
 Create CSIRT
 Develop procedures for incident handling
 Develop communication channels for incident data dissemination
 Carry out vulnerability assessments
 Carry out penetration tests
 Receive vendor vulnerability alerts
 Validate vulnerability alerts against your inventory of assets
 Classify new vulnerability (high, medium, low)
 Test remediation (patches, hotfix) and deploy – patch management
 Implement preventive controls based on new vulnerability releases
 Audit vulnerability management processes and continually improve

Qualys, Foundstone Scanner, and ISS cannot do all of this for you. The product is just one component of the process.
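As an added example (not from the presentation) of three of the steps above, receiving vendor alerts, validating them against the asset inventory, and classifying them high/medium/low: the inventory, the alerts, and the rule that combines vendor severity with asset criticality are all constructed assumptions for illustration.

```python
# Constructed sample asset inventory: hostname -> (product, version, business criticality).
INVENTORY = {
    "web01": ("apache-httpd", "2.4.49", "high"),
    "db01": ("postgresql", "13.4", "high"),
    "kiosk03": ("apache-httpd", "2.4.52", "low"),
    "dev02": ("openssh", "8.9", "medium"),
}

# Constructed vendor alerts: product, affected version range (inclusive), vendor severity.
ALERTS = [
    {"id": "ALERT-0001", "product": "apache-httpd", "affected": ("2.4.0", "2.4.50"), "severity": "high"},
    {"id": "ALERT-0002", "product": "nginx", "affected": ("1.0.0", "1.20.0"), "severity": "high"},
    {"id": "ALERT-0003", "product": "openssh", "affected": ("8.0", "9.0"), "severity": "low"},
]

RANK = {"low": 1, "medium": 2, "high": 3}


def version_tuple(version):
    """Turn a dotted numeric version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def affected(version, low, high):
    """True if version lies inside the inclusive [low, high] range from the alert."""
    return version_tuple(low) <= version_tuple(version) <= version_tuple(high)


def classify(vendor_severity, criticality):
    """Internal classification (assumed rule): vendor severity raised or lowered by
    the business criticality of the asset it actually lands on."""
    score = RANK[vendor_severity] + RANK[criticality]
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def triage(alerts, inventory):
    """Validate each alert against the inventory. Returns (findings, not_applicable):
    findings are (alert id, host, internal class) tuples ordered for the remediation
    queue; not_applicable lists alerts that match no inventoried asset and can be closed."""
    findings, not_applicable = [], []
    for alert in alerts:
        low, high = alert["affected"]
        hits = [(alert["id"], host, classify(alert["severity"], crit))
                for host, (product, version, crit) in inventory.items()
                if product == alert["product"] and affected(version, low, high)]
        if hits:
            findings.extend(hits)
        else:
            not_applicable.append(alert["id"])
    findings.sort(key=lambda f: -RANK[f[2]])  # highest internal class first
    return findings, not_applicable
```

Note that kiosk03 runs a patched version and the nginx alert matches nothing, so neither produces a finding; this is exactly the work a scanner alone does not do when the inventory lives outside it.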

Another Example: Data Classification and Data Protection

 Risk assessment of not protecting sensitive data
 Define sensitive data as it maps to business drivers
 Define classification criteria (determine value of data via business impact analysis)
 Define data owner and custodian responsibilities
 Develop the necessary policies, standards, guidelines and procedures for internal use
 Know how to detect “sensitive data” at rest and in transit
 Mitigating third party risks (they have copies of sensitive data you are responsible for protecting)
 Response procedures when users attempt to release sensitive data, and enforcement tactics
 Document data classification process, which includes a risk matrix, and control descriptions for auditors and compliance
 Know how to modify classification criteria based on business and regulatory needs
 Understanding data protection controls that should be in place:
   ► Access control
   ► User provisioning
   ► Encryption
   ► Digital rights management
   ► Monitoring
 Training on data classification program, processes, and product use
 Integrate data classification and data protection processes into internal auditing practices
 Develop documentation and resources for external auditors for compliance validation

This Level of Detail Per Program Component

Program Components

Do you have to accomplish all of this today?
 In a week?
 In a year?
 In 2 years?
No, but you need a plan today, and if it is worthless you will not accomplish this stuff in 10 years!

3 Year Plan – Are Your Phases Even Useful – or Too High Level?

Security Programs…
Structure or Chaos – or In Between?

Swamp guides become more valuable than security architects

If you don’t know where you are, you can’t get to where you want to go.

All Organizations

We are currently around here

We need a new model to empower organizations and allow them to understand security in business terms.
We need a model that takes the theoretical best practices and turns them into practical action items.
Companies need to be able to take ownership of their internal security program.

We Need to Evolve

The current approach will continue to leave a gap between what we preach and what we practice. What is needed is holistic, integrated security: security that is integrated into business processes.

Security Maturity Evolution
(Diagram: Level 1 Defined, Level 2 Integrated, Level 3 Optimized; stages listed below in the order they appear on the slide.)

Auditing, monitoring, and reporting: processes and controls in place to ensure they are meeting standards and that they are effective

Security Organizational Structure: Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure

Documented Strategy, Principles, and Policy: Clearly defined set of technology-independent policies developed from the business strategy

Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk

Security Capability

Initiate Stakeholder Security Program: Stakeholder sponsored program with responsibilities assigned

Security Metrics: Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process

Compliance and Certification: Establish compliance measurement and reporting system

Security Architecture: Architecture principles and policies in place to define core security functions

Security Technical Framework: Establishment of standards and technologies to support stakeholder interaction

How to be Successful
► Gather much more data – do not work in a vacuum
► Break the pieces down into achievable goals that are inexpensive
   Quick wins will be much quicker
► Learn from each phase, improve, and incorporate knowledge into the next phase
► Phases will allow the group to understand more about the current processes and the business as a whole
► Use products that are currently in-house and in the market to accomplish many of these tasks through automation
► Do not create metrics, baselines, processes “in the dark” – which would waste a lot of money and be useless
► Provide a structured risk-based approach that is measurable and controllable
► Understand how to incorporate security into business units and processes
► Understand how to continually improve and be innovative in a healthy manner
► Protect the company in a more effective and understandable process

Success or Failure

What will Allow this Project to Succeed?
 Take the time to gather all of the necessary data before running forward
 Get feedback from all departments that would be involved and affected
 Provide real information for decision makers and not superficial data
 Solid and reasonable phased approach
 Realize and communicate the true benefit that this will provide for ALL security needs and departments
 Realize that this is a long jog, not a short sprint

What will Cause this Project to Fail?
 If necessary resources and funds are not provided through ALL PHASES
 Viewed as a bottleneck for business expansion. Must be enforced as a “must have” not a “nice to have”
 If one person does not own this process and keep people on track
 More communication does not take place
 Wrong people are on the security committee
 Other projects take precedence and motivation fades

Improvement Will Not Happen Accidentally

Shon Harris (888) 373-5116 Logical Security is on the GSA Schedule and is a woman-owned, veteran owned company
