Comprehensive Risk Management for a Cyber-Secure Organization

Presented by Joe Hessmiller, Director, Computer Aid, Inc.

Post on 21-Jul-2015


TRANSCRIPT

Page 1: Comprehensive risk management for a cyber secure organization

Comprehensive Risk Management for a Cyber-Secure Organization

Presented by Joe Hessmiller, Director, Computer Aid, Inc.

Page 2

The Take-Away

• Security is a Process.

• All Three Information Security Control Areas (Physical, Technical and Administrative) Rely Heavily on Comprehensive Monitoring to Be Effective

• Automation is Key to Continuously Monitoring Threat Vulnerabilities (Conditions of Failure)

• Automation is Key to Modifying Behavior by Persistent Enforcing and Reinforcing of Security Practices

Page 3

At the End of this Presentation You Will Be Able to…

• Present to Stakeholders the Need for Automated Support for Information Security ‘Ensurance’

• Present to Stakeholders an Effective Approach to Automating Information Security ‘Ensurance’

Page 4

Bad Things Happen to Good Systems

http://seekingalpha.com/article/1324971-pandemic-cyber-security-failures-open-an-historic-opportunity-for-investors

Major Violations Occur Too Frequently

Page 5

The REAL Challenge of Information Security: Preventing Human Error through Situational Awareness

“Industry has done a great job of increasing productivity and reducing costs, Habibi says, but the time has come to focus on preventing human error. He sees human reliability as the next area ripe for optimization across industry. Optimization is sorely needed here, according to Habibi, because industry has “essentially created a monster of complex information systems combining ERP, production management and real-time systems.”

A key concept of human reliability, according to Habibi, is “situation awareness.” Habibi says that situation awareness is essential to preventing errors because it addresses the physical environment (e.g., control room ergonomics, lighting, temperature, comfort, traffic, noise), organizational culture (e.g., policies and procedures, shift schedules, reporting, work ethic, motivation, training, knowledge and skills) and the human-automation relationship.”

The Human Reliability Challenge, David Greenfield, Director of Content/Editor-in-Chief, AutomationWorld, April 25, 2013, http://www.automationworld.com/safety/human-reliability-challenge

Page 6

Security is a Process

“If we've learned anything from the past couple of years, it's that computer security flaws are inevitable. Systems break, vulnerabilities are reported in the press, and still many people put their faith in the next product, or the next upgrade, or the next patch. "This time it's secure." So far, it hasn't been.

Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.”

The Process of Security, by Bruce Schneier, Information Security, April 2000

Page 7

A Complex Process

Page 8

Information Security Matrix: A Complex Process Organized Into the Information Security Matrix

Control Application Areas (Areas of Vulnerability): Physical, Logical, Administrative

Functionality (Responses to Threats): Preventative, Detective, Corrective, Deterrent, Recovery, Compensating

Page 9

Useful Policies DO Exist

Standards Exist for “Mature” Policies and Procedures

http://www.pkfavantedge.com/wp-content/uploads/2013/COBIT_Security.pdf

http://cmmiinstitute.com/assets/Security-and-CMMI-SVC.pdf

Page 10

Even Specific Security Standards Exist

NIST SP 800-100 Information Security Handbook: A Guide for Managers

ISO 27002 Information Security – Code of Practice

Page 11

Checklist Resources Available

http://www.slideshare.net/ATBHATTI/audit-checklist-for-information-systems-14849697

Page 12

Automated Tools Focused on Specific Threats Exist

• Fireeye: Malware Protection Service (MPS)

• Microsoft: Systems Management Server (SMS) and Active Directory (AD)

• TripWire (nCircle): IP360 and Configuration Compliance Manager

• AlienVault: Unified Security Management

• Symantec: Protection Suite Enterprise Edition (ED), NetBackup and Veritas Cluster Server (VCS)

• PfSense

• APC Infrastruxure

• VMware vSphere

• Honeywell: NOTIFIER fire alarm systems, Access control systems and Intrusion detection systems

“Hard” Data Sources

Page 13

But, Automation Has a Long Way to Go

Automation possibilities in information security management, 2011, http://www.sba-research.org/wp-content/uploads/publications/PID1947709.pdf

Page 14

We Need Comprehensive Monitoring and Control

Effective automation can address the challenges.

Part of the solution is consolidating information security monitoring data into a comprehensive risk management platform for analysis and reporting.

Another part of the solution is getting ALL of the important data. This includes feedback on information security conditions from the people in the process.

Then, the main part is possible: changing behaviors BY monitoring and control.

Diagram: the Administrative, Physical and Logical Control Silos feed an Automated Conditions Monitoring and Analysis System.

Page 15

What Does Comprehensive Information Security Automation Look Like?

Diagram labels: Controls, Mechanisms; Standards, Guidelines.

Page 16

The “Missing” Link in Information Security Automation

Incorporate:

• “Hard” Data from Automated Systems with

• Human Feedback for

• COMPREHENSIVE Information Security Assessment and

• REINFORCEMENT of Information Security Policies

Diagram: Automated Security Control Room, fed by ‘Hard’ Data From Monitoring Systems and ‘Soft’ Data From Human Assessments.
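As an added illustration (not part of the slides) of the consolidation described on Pages 14 and 16, the script below folds "hard" readings from monitoring systems and "soft" readings from human assessments into the cells of the Information Security Matrix, so that cells nobody reports on and controls that fail stand out. The source weights, the Observation record and the sample feed are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Axes of the Information Security Matrix from the slides.
AREAS = ("Physical", "Logical", "Administrative")
FUNCTIONS = ("Preventative", "Detective", "Corrective",
             "Deterrent", "Recovery", "Compensating")
# Hypothetical weights: an automated ("hard") reading outweighs a
# self-reported ("soft") one, but both land in the same matrix cell.
SOURCE_WEIGHT = {"hard": 1.0, "soft": 0.5}

@dataclass(frozen=True)
class Observation:
    area: str       # one of AREAS
    function: str   # one of FUNCTIONS
    control: str    # the specific control that was checked
    source: str     # "hard" = monitoring system, "soft" = human assessment
    passed: bool

def score_cells(observations):
    """Weighted pass rate per (area, function) cell; None where nothing reported."""
    totals = defaultdict(lambda: [0.0, 0.0])  # cell -> [weighted passes, total weight]
    for o in observations:
        if o.area not in AREAS or o.function not in FUNCTIONS:
            raise ValueError(f"unknown matrix cell: {o.area}/{o.function}")
        w = SOURCE_WEIGHT[o.source]
        totals[(o.area, o.function)][0] += w if o.passed else 0.0
        totals[(o.area, o.function)][1] += w
    return {(a, f): (totals[(a, f)][0] / totals[(a, f)][1] if (a, f) in totals else None)
            for a in AREAS for f in FUNCTIONS}

def coverage_gaps(observations):
    """Matrix cells that neither a hard nor a soft source has reported on."""
    return [cell for cell, s in score_cells(observations).items() if s is None]

def failing_controls(observations):
    """Failed controls with the source that flagged them, for follow-up."""
    return sorted((o.area, o.function, o.control, o.source)
                  for o in observations if not o.passed)

# Constructed sample feed: automated monitors plus one human assessment round.
SAMPLE = [
    Observation("Logical", "Detective", "Log forwarding to SIEM", "hard", True),
    Observation("Logical", "Preventative", "Patch compliance scan", "hard", False),
    Observation("Logical", "Preventative", "Team reports patching done", "soft", True),
    Observation("Physical", "Preventative", "Server room door locked", "soft", True),
    Observation("Physical", "Detective", "Door alarm reporting in", "hard", True),
    Observation("Administrative", "Preventative", "Policy acknowledged", "soft", False),
]
print("unreported cells:", len(coverage_gaps(SAMPLE)), "failures:", failing_controls(SAMPLE))
```

Note how the Logical/Preventative cell scores below one-half: the automated scan says patching failed while the team reports it done, which is exactly the hard-versus-soft disagreement a control room should surface rather than average away silently.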

Page 17

Comprehensive, At-a-Glance Insight Into Info Security Conditions

Page 18

Accountability = Behavior Change

• Periodic Assessment

– Reminders of “Should Do”s

– Validation of “Did Do”s

– Two-way Feedback

• Situational Awareness

• Behaviors Change

“What gets measured, gets done.”

Page 19

Why Automate Control Functionality

• So It Will Be Done Comprehensively

• So It Will Be Done Consistently

• So It Will Be Done Effectively

• So It Will Be Done Efficiently

• So We Will Have Comprehensive Data for Analysis

• BEHAVIOR WILL BE CHANGED