change management: security's friend or foe?
TRANSCRIPT
CHANGE MANAGEMENT:
SECURITY’S FRIEND OR FOE?
Larry Whiteside Jr. / Chief Security Officer
Sponsored by:
AGENDA
Who am I and why do I care
The History of Change
Who is making your changes
Security’s Relationship with Change Management
Breach and Change Management
Security’s role in Change Governance
Possible measurements that will positively impact your security posture
Ask Questions in GoToWebinar!
WHO AM I / WHY DO I CARE?
Over 20 years in Cyber Security / Risk Management / Physical Security
C-Level Security Executive across many verticals
DoD, Federal, Financial Services, Healthcare, Energy/Utilities
Consulting in many verticals
Education, Healthcare, Financial Services
Community Involvement
Co-Founder of International Consortium of Minority Cyber Security Professionals (ICMCP), ISSA, ASIS, OWASP, Security Advisor Alliance (SAA)
Speaking and Writing
SC Magazine, CSO Online, RSA Conference, Gartner Security Conference, industry webinars, securitycurrent.com, SecureWorld, Evanta CISO Summit, and many others
Larry Whiteside Jr. / Chief Security Officer
THE HISTORY OF CHANGE
1980s
• Change Management as a discipline began to emerge, driven by leading consulting firms
1990s
• Industries undergoing significant and rapid change in areas such as IT began highlighting the benefits of Change Management programs on a broader scale
• ITIL, LEAN, etc.
2000s
• Widespread acceptance of Change Management as a business competency for leading change
• Marked increase from 34% in 2003 to 72% in 2011
WHO IS MAKING CHANGES?
Outsiders (Third-parties: IT contractors & consultants)
Shared Accounts (Windows Admins, root, DBAs, System Admins,…)
Named Accounts (Developers, IT Contractors, Network Admin,…)
Service Accounts
Local Account / Credentials
Windows / UNIX system administrator
Help Desk administrator (password changes / access to files, etc.)
SECURITY’S RELATIONSHIP WITH CHANGE MANAGEMENT
You should want certain questions answered
IT is responsible, but Security must hold them accountable
BREACHES AND CHANGE MANAGEMENT
3 of the 7 phases of the Cyber Kill Chain impact configuration and change management
Stage #3 Delivery
Stage #4 Exploitation
Stage #5 Installation
Malicious internal users
Configuration mistakes by authorized people
If security is monitoring change and configuration, these changes can be identified
SECURITY’S ROLE IN CHANGE GOVERNANCE
Know your systems and environment
Security should know about more than just FW changes
Do you check adherence to patch policy (if you even have a patch policy)?
If a change is made by a legitimate or non-legitimate admin can you determine what it was?
How many outages have you had due to undocumented changes?
METRICS THAT WILL POSITIVELY IMPACT YOUR SECURITY POSTURE
Patch Policy adherence
Unauthorized changes
Change processes which caused outages
FW changes processed
Other High Risk Scenarios: Remote connections / ‘leapfrog’ logins
Changes via Embedded Scripts (‘rm’, ‘cp’ with ‘sudo’)
Changes to Active Directory (Password Resets, Adding Users, Changing Groups, Modifying Access, etc.)
Changes within Registry Editor such as Edit or Modify Specific Values (Firewalls, User Access Control, Applications / Software, Windows Components)
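One way to derive the “unauthorized changes” metric and flag the ‘rm’/‘cp’ with ‘sudo’ scenario from host logs, as an added example that is not from the deck or from ObserveIT: sudo audit lines are compared against approved change-ticket windows, and anything outside a window is counted and listed. The log lines, hosts, users, ticket ids and windows are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in the standard sudo syslog format (not real hosts).
SAMPLE_LOG = """\
Mar 10 02:14:07 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade -y
Mar 10 02:20:41 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cp /tmp/app.conf /etc/app/app.conf
Mar 10 23:05:12 web02 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /var/www/html/backup
Mar 11 09:30:00 web02 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/service nginx reload
"""

# Constructed approved change windows, as a change-ticket system might export them.
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "host": "db01", "user": "alice",
     "start": datetime(2024, 3, 10, 2, 0), "end": datetime(2024, 3, 10, 2, 15)},
    {"ticket": "CHG-1002", "host": "web02", "user": "carol",
     "start": datetime(2024, 3, 11, 9, 0), "end": datetime(2024, 3, 11, 10, 0)},
]

HIGH_RISK_CMDS = {"rm", "cp"}  # the embedded-script scenario called out in the deck
LOG_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.+)$")

def parse_sudo_line(line, year=2024):
    """Parse one sudo syslog line into an event dict; syslog omits the year, so it is supplied."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, host, user, target, cmd = m.groups()
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return {"when": when, "host": host, "user": user, "target": target, "cmd": cmd}

def is_authorized(event, approved):
    """An event is authorized only if a ticket covers this host, this user and this time."""
    return any(c["host"] == event["host"] and c["user"] == event["user"]
               and c["start"] <= event["when"] <= c["end"] for c in approved)

def is_high_risk(event):
    """Flag commands whose basename is one of the high-risk binaries (e.g. /bin/rm -> rm)."""
    return event["cmd"].split()[0].rsplit("/", 1)[-1] in HIGH_RISK_CMDS

def change_metrics(log_text, approved):
    """Count changes against approved windows and return the metrics plus the unauthorized findings."""
    metrics = {"total": 0, "unauthorized": 0, "high_risk_unauthorized": 0, "findings": []}
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue  # not a sudo command record; other change sources need their own parser
        metrics["total"] += 1
        if not is_authorized(ev, approved):
            metrics["unauthorized"] += 1
            if is_high_risk(ev):
                metrics["high_risk_unauthorized"] += 1
            metrics["findings"].append(f"{ev['when']:%Y-%m-%d %H:%M} {ev['user']}@{ev['host']}: {ev['cmd']}")
    return metrics
```

Run on the sample, two of the four sudo changes fall outside any ticket window and both are ‘cp’/‘rm’ as root, which is exactly the pairing of metric and high-risk scenario the slide lists.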
TAKEAWAYS AND RECOMMENDATIONS
Know your environment
Get involved in your change process
If you don’t have one, help create one
Find others already doing change and config management and copy models that work (adapt and change things to fit your particular business). No need to reinvent the wheel.
Create metrics that matter and impact security
THANK YOU!
CHECK OUT USER ACTIVITY MONITORING!
@LARRYWHITESIDE
Q&A After brief Intro to ObserveIT
WHO IS OBSERVEIT?
HQ Boston, MA / R&D Tel Aviv, Israel
Founded 2006
1,200+ Customers Worldwide
$20M Invested by Bain Capital
The leading provider of User Activity Monitoring for Employees, Privileged Users and Third-party Vendors
Capture User Activity
Logging for all user actions
Video-like Playback
Instant Notification
Rule-Based Analytics
Report & Audit
Real-Time Drill Down
User Interaction
Kill Sessions
USER ACTIVITY MONITORING
Collect / Know / Act
USER ACTIVITY MONITORING & CHANGE MANAGEMENT:
Escalated privileges
Configuration changes
Embedded Scripts
Unsecure ‘shell’
Unauthorized access
Unapproved ‘setuid’
Lateral Movement
‘rm’ ‘cp’ with ‘sudo’
Creating “backdoors”
‘leapfrog’ logins
“ONE SCREEN CAPTURE IS WORTH A THOUSAND LOGS”
COLLECT: 100% VISIBILITY
“PROACTIVELY INVESTIGATE RISKY USER ACTIVITY”
Real-time Alerts: Who? Did what? On which computer? When? From which client?
KNOW: INSTANT NOTIFICATION
“PREVENT RISKY ACTIVITY”
ACT: STOP INSIDER THREATS
Real-Time Drill Down
User Interaction Message Warn
Kill Sessions
Audit and Compliance
WHO’S BEING OBSERVED?
Employees
Custom & Commercial Apps
Third-parties
Service Providers & Contractors
Privileged Users
Critical Systems, Files & Data
SOX, EU Data Protection Reform, HIPAA
Healthcare (PHI) data, Customer (PII) data, Employee data, Company data, Financial data, Intellectual property, Sales & marketing data
HOW IT WORKS
Q&A