Innovation Change Transformation
Enterprise Security Office
www.security.state.mn.us
Enterprise Security: Planning Today for Tomorrow’s Unknown Threats
Christopher Buse, Chief Information Security Officer, State of Minnesota
Office of Enterprise Technology
Agenda
- Vulnerability and threat trends
- Minnesota's enterprise-wide vulnerability management approach
- Q & A
Payoff
- Update on the current threat landscape
- Understanding of why the problem is simply too big to solve on an agency-by-agency basis
- Tips to form audit recommendations with serious impact
My Job
- Build a world class enterprise security program for the State of Minnesota
- Challenges: security, cultural, financial, human resources
Our Organization
Threat Update
The Landscape is Hostile
- Exponential increase in threats
- Threats more complex and stealthy
- Perpetrated by well-funded criminal groups
- Zero day is now everyday
Vulnerabilities Reported 1995-2006

Year   Vulnerabilities
1995       171
1996       345
1997       311
1998       262
1999       417
2000     1,090
2001     2,437
2002     4,129
2003     3,784
2004     3,780
2005     5,990
2006     8,064
Mobile Phone Attacks
- Today's phones are computers (iPhone, Blackberry)
- Example: Blackjacking exploit
RSA Takeaway
- Bad guys are getting much better
- Crimes of notoriety are now crimes perpetrated for financial gain
- Almost everything bad starts by exploiting a vulnerability
Minnesota’s Approach
What is a Vulnerability?
- Typically a logic flaw in a piece of software
- Exploited by hackers to obtain unauthorized access
- Over 8,000 new vulnerabilities in 2006
Dissecting the Problem
Vulnerabilities that we can find and fix
- In the wild for at least a week
- Reputable vendors have signatures
Zero day vulnerabilities
- Problems just identified
- Most likely no signatures
- Sometimes workarounds to minimize risk
Unknown vulnerabilities
- Something bad is happening
- Scanning shows that nothing is wrong
- AV and all else is up to date
Plan of Attack

Classification   Approach                          Toolset
Find and Fix     Active scanning and remediation   ip360, WebInspect, Core Impact
Zero Day         Threat dissemination services     Commercial services, ip360, secure portal
Unknown          Behavior analysis                 SIEM, IDS/IPS, NetFlow
Find and Fix
Desired Outcome
- Develop a comprehensive vulnerability management program
  - Promptly identify vulnerabilities
  - Classify vulnerabilities based on criticality
  - Remediate issues
Cycle: Inventory -> Assess -> Prioritize -> Remedy -> Verify
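The inventory, assess, prioritize, remedy, verify cycle above, carried through on constructed data as an added example; this is not the State's program code and not ip360's data model. The assets, findings, placeholder vulnerability ids (VULN-001 and so on) and the SLA targets are all assumptions for illustration. Priority is driven by scanner score but raised when the asset is internet-facing or a public exploit exists, and a finding with no patch gets a workaround rather than being dropped:

```python
"""Inventory -> Assess -> Prioritize -> Remedy -> Verify as a small worked loop.

Added example, not the State of Minnesota's program code and not ip360's data model.
All assets and findings below are constructed; vulnerability ids are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:                      # one inventory record (Inventory step)
    host: str
    agency: str
    internet_facing: bool         # assumption: inventory records exposure
    data_class: str               # "public" | "private" | "restricted"


@dataclass(frozen=True)
class Finding:                    # one scanner result (Assess step)
    host: str
    vuln_id: str                  # placeholder ids, not real CVE numbers
    cvss: float                   # 0.0-10.0 base score reported by the scanner
    exploit_public: bool          # an exploit is known to be circulating
    patch_available: bool


CONSTRUCTED_ASSETS = {a.host: a for a in [
    Asset("web01", "Agency A", True, "private"),
    Asset("hr01", "Agency B", False, "restricted"),
    Asset("kiosk01", "Agency B", False, "public"),
]}
CONSTRUCTED_FINDINGS = [
    Finding("kiosk01", "VULN-001", 9.8, False, True),
    Finding("web01", "VULN-002", 7.5, True, True),
    Finding("hr01", "VULN-003", 6.4, True, False),
    Finding("web01", "VULN-004", 3.1, False, True),
]

RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}   # assumption: illustrative targets


def priority(f: Finding, a: Asset) -> str:
    """Criticality from the score, raised when exposure or a public exploit makes a hit likely."""
    exposed = a.internet_facing or f.exploit_public
    if f.cvss >= 7.0 and exposed:
        return "critical"
    if f.cvss >= 7.0 or (f.cvss >= 4.0 and exposed and a.data_class == "restricted"):
        return "high"
    if f.cvss >= 4.0:
        return "medium"
    return "low"


def prioritize(findings, assets):
    """(priority, finding) pairs, most urgent first; ties broken by raw score."""
    rows = [(priority(f, assets[f.host]), f) for f in findings]
    return sorted(rows, key=lambda r: (RANK[r[0]], -r[1].cvss))


def remedy(f: Finding) -> str:
    """Remedy step: patch when one exists, otherwise a workaround plus monitoring (zero-day case)."""
    return "patch" if f.patch_available else "workaround+monitor"


def verify(remediated, rescan):
    """Verify step: (host, vuln_id) keys claimed fixed that the rescan still reports."""
    still_open = {(f.host, f.vuln_id) for f in rescan}
    return sorted(k for k in remediated if k in still_open)


if __name__ == "__main__":
    for prio, f in prioritize(CONSTRUCTED_FINDINGS, CONSTRUCTED_ASSETS):
        print(f"{prio:8} {f.host:8} {f.vuln_id} cvss={f.cvss} -> {remedy(f)} within {SLA_DAYS[prio]} days")
    # Constructed rescan: kiosk01 still shows VULN-001, so that claim fails verification.
    print("still open:", verify({("web01", "VULN-002"), ("kiosk01", "VULN-001")},
                               [Finding("kiosk01", "VULN-001", 9.8, False, True)]))
```

The verify step is the one most programs skip: a ticket closed by the agency team is not evidence, the next scan is.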
Strategy
- Invest in an enterprise vulnerability management solution
- Join forces with Minnesota State Colleges and Universities (MnSCU) to build out a common vulnerability management program and share a common vulnerability management platform
Personnel
Office of Enterprise Technology and MnSCU Office of the Chancellor:
- Oversee the program
- Maintain enterprise tools
- Provide training and technical support to agencies
- Analyze and disseminate security advisories
Agencies and MnSCU institutions:
- Use the tools to assess all technology assets
- Establish a vulnerability management team
- Remediate issues
Team Interactions
Agency Vulnerability Management Team (network support, server support, workstation support, application support) works with the OET Central Vulnerability Management Team
Tools: ip360 by nCircle
- VNE Manager appliance: hardened BSD OS, web-based console
- Device Profiler: hardened BSD OS, flash memory
- Security Intelligence Hub (SIH): Oracle database, canned and custom reporting
- TCO expected to be about $13 million over 12 years
Architecture
Program Status
- Software and hardware infrastructure built
- Installations complete at most large agencies
- Policies and detailed standards being finalized
- Lots of scanning activity
  - External face of government
  - Inside secure agency networks
  - Across the WAN
- Areas to focus on next
  - Mobile device vulnerabilities
  - Web application vulnerabilities
Zero Day Exploits
Shootin' Cattle
- World: one giant herd
- Sharpshooters take aim and fire
- One cow drops
- Lead cow puts up an impenetrable shield to stop more bullets
- The herd is once again safe
(Cartoon: Snoop Doggie Moo)
Key Takeaways
- One cow always takes a bullet for the good of the team
- It's best not to be THAT cow
(Cartoon: Snoop, "I Paid Da Cost To Be Da Boss")
Strategy
- Manage an enterprise-wide threat dissemination service
- Subscribe to several commercial vulnerability notification services
- Communicate targeted notices to agencies
  - Leverage inventory data in ip360
  - Communicate over a secure portal
Status
- Targeted advisory service depends on ip360 inventory data
- Until ip360 is fully deployed, broadcast critical alerts to agencies
- Plan to implement a secure portal this year
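The two slides above describe one mechanism: match an advisory against the scanner's inventory so each agency is told only about hosts it actually runs, and fall back to a broadcast for agencies with no inventory yet. The following is an added example of that routing, not the State's advisory service and not ip360's export format; the inventory rows, agency names, the placeholder product "exampled" and advisory "ADV-EXAMPLE-1" are all constructed, and versions are assumed to be plain dotted integers:

```python
"""Route a vulnerability advisory to the agencies whose inventory shows affected software.

Added example, not the State's advisory service or ip360's export format.
Inventory, agencies and the advisory below are constructed placeholders.
"""
from collections import defaultdict


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, so "2.10.0" sorts after "2.6.0".
    Assumption: inventory versions are plain dotted integers."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, affected_from: str, fixed_in: str) -> bool:
    """True when affected_from <= version < fixed_in (the fixed release itself is clean)."""
    return parse_version(affected_from) <= parse_version(version) < parse_version(fixed_in)


# Constructed inventory as a scanner might export it: one row per installed product.
CONSTRUCTED_INVENTORY = [
    {"agency": "Agency A", "host": "web01", "product": "exampled", "version": "2.4.1"},
    {"agency": "Agency A", "host": "web02", "product": "exampled", "version": "2.6.0"},
    {"agency": "Agency B", "host": "app01", "product": "exampled", "version": "2.5.3"},
    {"agency": "Agency B", "host": "db01", "product": "otherdb", "version": "9.1.0"},
]
# Agencies where the scanner is not yet deployed, so no inventory data exists.
NO_INVENTORY_AGENCIES = {"Agency C"}

# Constructed advisory; "exampled" is a placeholder product, not a real package.
CONSTRUCTED_ADVISORY = {
    "id": "ADV-EXAMPLE-1",
    "product": "exampled",
    "affected_from": "2.0.0",
    "fixed_in": "2.6.0",
    "severity": "critical",
    "summary": "Remote code execution in exampled before 2.6.0 (placeholder text)",
}


def route_advisory(advisory, inventory, no_inventory_agencies):
    """Return (targeted, broadcast).

    targeted  - agency -> sorted affected hosts, from inventory matches
    broadcast - agencies that get an untargeted notice because they have no inventory,
                only for critical advisories (the interim fallback the slides describe)
    """
    targeted = defaultdict(list)
    for row in inventory:
        if row["product"] != advisory["product"]:
            continue
        if is_affected(row["version"], advisory["affected_from"], advisory["fixed_in"]):
            targeted[row["agency"]].append(row["host"])
    targeted = {agency: sorted(hosts) for agency, hosts in targeted.items()}
    broadcast = set(no_inventory_agencies) if advisory["severity"] == "critical" else set()
    return targeted, broadcast


def render_notices(advisory, targeted, broadcast):
    """One message per recipient agency, ready to post to the secure portal."""
    head = f"{advisory['id']} ({advisory['severity']}): {advisory['summary']}."
    notices = {}
    for agency, hosts in targeted.items():
        notices[agency] = f"{head} Affected hosts: {', '.join(hosts)}"
    for agency in broadcast:
        notices[agency] = f"{head} No inventory available; check all {advisory['product']} installs."
    return notices


if __name__ == "__main__":
    t, b = route_advisory(CONSTRUCTED_ADVISORY, CONSTRUCTED_INVENTORY, NO_INVENTORY_AGENCIES)
    for agency, text in sorted(render_notices(CONSTRUCTED_ADVISORY, t, b).items()):
        print(agency, "->", text)
```

Agency A hears about web01 but not web02 (already on the fixed release), Agency B hears about app01 only, and Agency C gets the broadcast because nothing is known about it. Numeric version comparison matters here: a string compare would wrongly treat "2.10.0" as older than "2.6.0" and miss hosts.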
Unknown Vulnerabilities
Strategy
- Actively look for signs of anomalies
  - IDS/IPS systems
  - Network flows
  - Security Information and Event Management (SIEM) system
- Quarantine machines exhibiting abnormal behavior
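Flow data is the signal that works when there is no signature: a host exploiting an unknown vulnerability in its neighbours still has to talk to far more of them than a normal workstation does. The block below is an added example of that kind of anomaly check, not the State's monitoring code; the flow records are constructed, the quarantine action is an illustrative record rather than any real switch or NAC syntax, and the threshold of three robust standard deviations is an assumption:

```python
"""Spot a host whose network behaviour is abnormal, from flow records alone.

Added example, not the State's monitoring code; the flow records are constructed.
Signal: number of distinct (destination, port) pairs each host contacted in one window.
A scanning or worm-infected host fans out to far more than its peers, and that needs
no signature for whatever vulnerability it is exploiting.
"""
import statistics
from collections import defaultdict


def _client(src, n_servers):
    # A normal workstation here: n_servers distinct internal servers, all on 443.
    return [(src, f"10.1.2.{i}", 443, 1200) for i in range(1, n_servers + 1)]


# (src_ip, dst_ip, dst_port, bytes) for one five-minute window, constructed.
CONSTRUCTED_FLOWS = (
    _client("10.1.1.1", 3) + _client("10.1.1.2", 4) + _client("10.1.1.3", 5)
    + _client("10.1.1.4", 3) + _client("10.1.1.5", 4) + _client("10.1.1.6", 5)
    + _client("10.1.1.7", 3) + _client("10.1.1.8", 4)
    # 10.1.1.50 probes 40 hosts on 445 with tiny payloads: worm-like fan-out.
    + [("10.1.1.50", f"10.1.2.{i}", 445, 60) for i in range(1, 41)]
)


def fan_out(flows):
    """src_ip -> number of distinct (dst_ip, dst_port) pairs it contacted."""
    pairs = defaultdict(set)
    for src, dst, dport, _ in flows:
        pairs[src].add((dst, dport))
    return {src: len(s) for src, s in pairs.items()}


def anomalous_hosts(fanout, k=3.0):
    """Hosts whose fan-out is more than k robust standard deviations above the population median.

    Median and MAD are used instead of mean and stdev so that one extreme host cannot
    drag the baseline up and hide itself.
    """
    values = list(fanout.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values) or 1.0  # floor: flat baseline must not divide by zero
    robust_sigma = 1.4826 * mad  # MAD -> sigma scale factor for normal data
    return sorted(src for src, v in fanout.items() if (v - median) / robust_sigma > k)


def quarantine_plan(hosts):
    """What the switch/NAC would be told; record format is illustrative, not a product's syntax."""
    return [{"host": h, "action": "move to quarantine VLAN", "reason": "fan-out anomaly"} for h in hosts]


if __name__ == "__main__":
    suspects = anomalous_hosts(fan_out(CONSTRUCTED_FLOWS))
    for step in quarantine_plan(suspects):
        print(step)
```

In the constructed window the eight workstations contact three to five servers each, so the median is 4 and the MAD is 1; the probing host's 40 pairs land about 24 robust sigmas out and it is the only host quarantined. The floor on the MAD is the edge case to keep: on a perfectly uniform baseline the MAD is zero, and without the floor every host would divide by zero.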
SIEM
- Real-time analysis of security event data
  - Identify threats
  - Reporting on log data for forensic activities and compliance monitoring
- SIM is responsible for storage and reporting
- SEM is responsible for analysis and threat identification

Security Information and Event Management Solution (diagram)
- Collection from: intrusion detection systems, servers, routers, switches, firewalls, desktops
- SIM and SEM functions: filtering and aggregation, integrity protection, storage, data management, normalization, correlation, incident initiation, alerting, case management, forensic investigation, compliance reporting
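The two SIEM functions that do the actual threat identification are normalization (one schema across every source) and correlation (a rule that spans sources). Here is an added example of both on constructed log lines, not the State's SIEM and not any vendor's rule language; the lines are only loosely shaped like iptables, Snort and sshd output, the sid in the IDS line is a placeholder, and the rule (three failed logins from one source within ten minutes followed by a success, raised to high when an IDS alert from that source falls in the same window) is an assumption chosen for illustration:

```python
"""Normalise log lines from several sources into one schema, then correlate them.

Added example, not the State's SIEM and not any vendor's rule language.
Log lines are constructed and only loosely shaped like iptables, Snort and sshd output.
Rule: >= 3 failed logins from one source within ten minutes followed by a successful
login is an incident; an IDS alert from the same source in that window raises it to high.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CONSTRUCTED_LOGS = [
    "2009-03-02T10:00:01 fw01 kernel: ACCEPT SRC=192.0.2.10 DST=10.1.3.7 DPT=22",
    "2009-03-02T10:00:05 ids01 snort[812]: [1:1000001:1] EXAMPLE SSH brute force attempt {TCP} 192.0.2.10:51000 -> 10.1.3.7:22",
    "2009-03-02T10:00:10 app01 sshd[2201]: Failed password for root from 192.0.2.10 port 51002 ssh2",
    "2009-03-02T10:00:12 app01 sshd[2203]: Failed password for root from 192.0.2.10 port 51003 ssh2",
    "2009-03-02T10:00:15 app01 sshd[2205]: Failed password for admin from 192.0.2.10 port 51004 ssh2",
    "2009-03-02T10:00:40 app01 sshd[2210]: Accepted password for admin from 192.0.2.10 port 51009 ssh2",
    "2009-03-02T10:01:00 fw01 kernel: DROP SRC=198.51.100.9 DST=10.1.3.7 DPT=3389",
    "2009-03-02T10:02:00 app02 sshd[3301]: Accepted password for alice from 10.1.1.20 port 40000 ssh2",
    "this line is not in any format the collector knows",
]

# One regex per source type; every parser yields at least ts, host and src.
PARSERS = [
    ("firewall", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>ACCEPT|DROP) "
                            r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dport>\d+)")),
    ("ids", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) snort\[\d+\]: \[\d+:\d+:\d+\] (?P<sig>.+?) "
                       r"\{TCP\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")),
    ("auth", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                        r"password for (?P<user>\S+) from (?P<src>\S+)")),
]


def normalize(line):
    """Map a raw line to the common schema, or None when no parser matches (filtered out)."""
    for source, rx in PARSERS:
        m = rx.match(line)
        if m:
            event = m.groupdict()
            event["source"] = source
            event["ts"] = datetime.fromisoformat(event["ts"])
            return event
    return None


def normalize_all(lines):
    return [e for e in map(normalize, lines) if e is not None]


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Brute-force-then-success rule, evaluated per source address across all sources."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        ids_times = [e["ts"] for e in evs if e["source"] == "ids"]
        failures = []
        for e in evs:
            if e["source"] != "auth":
                continue
            if e["result"] == "Failed":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= window]   # Accepted: look back
            if len(recent) >= threshold:
                ids_seen = any(abs(e["ts"] - t) <= window for t in ids_times)
                incidents.append({
                    "src": src, "host": e["host"], "user": e["user"],
                    "failed_attempts": len(recent), "first_failure": recent[0],
                    "success_at": e["ts"], "severity": "high" if ids_seen else "medium",
                })
            failures = []   # a success closes the attempt sequence
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize_all(CONSTRUCTED_LOGS)):
        print(inc)
```

The unparseable line is dropped at the filtering stage, alice's clean login on app02 raises nothing, and the admin login on app01 becomes one high-severity incident because the firewall, IDS and server records all name the same source address. None of the three sources could have produced that conclusion alone, which is the whole argument for collecting them centrally.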
Distributed architecture (diagram): at each agency (Agency 1 through Agency N) routers, switches, firewalls, servers and intrusion detection systems feed a logging appliance with a local console; event data flows to a central location holding a logging appliance, log storage, an event correlation engine and a monitoring console.
Status
- Joining forces with MnSCU to build one SIEM solution for higher education and government
- Currently working on the RFP
- Plan to have the solution running by June 2009
- SIEM technology carries a hefty price tag
Audit Tips
Stuff To Consider
- Enterprise-wide vulnerability and threat management audit
- Problem simply too costly to solve on an agency-by-agency basis
- Scanners only address known vulnerabilities with signatures
  - Need a strategy to limit damage from zero day vulnerabilities
  - Need to be able to recognize abnormal network traffic
Questions