Security Today
Shon Harris, security consultant, educator, author

Posted 27-Jul-2020

TRANSCRIPT

Page 1: Security Today · Architecture Framework (DoDAF) Zachman Framework The Open Group Architecture Framework (TOGAF) Capgemini's Integrated Architecture Framework United States Government

Security Today

Shon Harris, security consultant, educator, author

Page 2:

360 Security Model

Holistic Approach to Security

Page 3:

Every Organization has these EXACT issues…

• The responsibility of securing an organization is falling into the laps of individuals who are not security professionals.

• This is because security is no longer just a technology issue, but is now a business issue that must be dealt with at all levels of an organization.

• The biggest hurdle is that the individuals in the industry have a difficult time understanding the ultimate goals of a secure enterprise architecture in a way that allows them to break them down into achievable steps.

• This is not because they are ignorant or incapable, but every organization is struggling with the exact same questions:
  • How do we set up a security enterprise architecture?
  • How do we set up an enterprise risk management model?
  • How do we implement security governance?
  • How do we know what "enough security" means?

• We are recognizing that more than technical people need to be involved, but cannot figure out how to integrate security into business process.

Page 4:

Are There Gaps?

Do the departments responsible for these different types of security communicate and work well together in your company?

Page 5:

Most Organizations…

▶ Do not fully realize that there is a structured way of rolling out and maintaining a security program

▶ Are bombarded with products, consultants, too much information, and service and product companies with their own agendas

▶ By not following a structured approach, are wasting time, wasting money, experiencing security compromises, and failing audits

Page 6:

Common Pain Points

Every organization is RECREATING THEIR OWN WHEEL when it comes to developing a secure enterprise architecture.

This only adds layers of confusion because no one fully understands the overall goals or how to accomplish them.

Page 7:

But We Have Models

▶ CobiT
▶ ISO 17799/BS 7799
▶ NIST documents
▶ SABSA
▶ Etc.

Page 8:

CobiT – Control Objectives

5.1 Management of IT Security
Manage IT Security at the highest appropriate organizational level …

5.2 IT Security Plan
Translate business information requirements, IT configuration, information risk action plans, and information security culture …

5.3 Identity Management
All users (internal, external, and temporary) and their activity on IT systems (business application, system operation…)

5.4 User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges …

5.5 Security Testing, Surveillance, and Monitoring
Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically …

Page 9:

Industry Best Practices Standards

BS/ISO 17799

• Guidelines on a range of controls for implementing security
• Best practices for security management
• Divided into 10 sections:
  • Security policy
  • Security organization
  • Assets classification and control
  • Personnel security
  • Physical and environmental security
  • Computer and network management
  • System access control
  • System development and maintenance
  • Business continuity planning
  • Compliance

Page 10:

NIST Guidelines

Page 11:

SABSA Model

http://www.sabsa-institute.org/UserFiles/Image/3-framework.png

Page 12:

More Models

▶ Extended Enterprise Architecture Framework
▶ The U.S. Department of Defense (DoD) Architecture Framework (DoDAF)
▶ Zachman Framework
▶ The Open Group Architecture Framework (TOGAF)
▶ Capgemini's Integrated Architecture Framework
▶ United States Government Federal Enterprise Architecture (FEA)
▶ The UK Ministry of Defence (MOD) Architecture Framework (MODAF)
▶ NIH Enterprise Architecture Framework

Page 13:

Result of Trying to Understand all Models

Page 14:

Exactly Where Are We Trying to Go?

▶ Enterprise Security Architecture
▶ Security Governance
▶ Enterprise Risk Management
▶ Staying out of the Headlines

First, let's understand some of these concepts…

Page 15:

Goal of Enterprise Security Architecture = Security at All Levels

Security is to be in alignment with the organization's strategic goals.

Page 16:

Enterprise Security Architecture

Strategic alignment
Business enablement
Process enhancement
Security effectiveness

Page 17:

Without an Enterprise Security Architecture

• Security is in silos
• Security only takes place at the technical level
• Continual confusion and repeating expensive mistakes
• Stovepipe solutions, which cost more in maintenance and integration
  ▶ Depending upon point solutions, not enterprise solutions
• Unable to use enterprise information to make solid business decisions
• Continually putting out fires
  ▶ Reactive versus proactive

Page 18:

Security Governance

"Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."

- IT Governance Institute

Page 19:

Company A vs. Company B

Company A: All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.
Company B: Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.

Company A: CISO took some boilerplate security policies, inserted his company's name, then had the CEO sign them.
Company B: Executive management sets an acceptable risk level that is the basis for the company's security policies and all security activities.

Company A: CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.
Company B: CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month and information security is always one topic on the agenda to review.

Company A: Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.
Company B: Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.

Page 20:

Company A vs. Company B (continued)

Company A: The organization does not analyze its performance for improvement, but does continually march forward and makes the same mistakes over and over again.
Company B: The organization is continuing to review its business processes, including security, with the goal of continued improvement.

Company A: Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine the return on investment or effectiveness. The company has a false sense of security because it is using products, consultants, and/or managed services.
Company B: Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.

Company A: Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.
Company B: Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.

Company A: Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity, and profitability.
Company B: Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.

Page 21:

Security Governance = Managing Security at All Levels

Page 22:

After Looking at the Pretty Graphics

Page 23:

What are We Doing Today?
▶ Lack of true understanding of overall goals
▶ Detailed structure is not fully developed first
▶ Bringing in expensive consultants
▶ Purchasing products
▶ Using managed security services
▶ Sending staff to technical security courses

(Diagram labels: IT and technologists; Department Managers; C-Level Individuals; CEO and Board; Generic Technology Training; Consultants; Managed Services; Products)

Page 24:

Why Is Our Current Model Dangerous?

▶ Not enough data gathered to understand how the organization works and identify goals
  • Continually having to change because new company requirements are identified
▶ No real roadmap, so the team is not marching forward
  • Continually chasing their own tails
▶ Not making educated and informed decisions
  • Making the same expensive mistakes over and over
  • Relying too heavily on consultants
▶ Lack of continual and useful communication
▶ People who are responsible for putting out fires are also trying to develop strategy
▶ Accountability is not truly enforced
▶ Point solutions instead of enterprise solutions are rolled out
▶ Plans are built around technology and not solution processes

Page 25:

Security Consulting Issues

Page 26:

COMMUNICATION

Page 27:

Knowledge Requirements and Communication Channels

Page 28:

There Are Cookie Cutter Approaches

Page 29:

Enterprise Security Architecture Components

Page 30:

Architecture Subcomponents

Page 31:

Laying Out Steps

Page 32:

Steps of a Risk Management Program

Page 33:

Fully Understand WHAT You are Doing BEFORE Jumping In

Vulnerability Management Program Process
• Define roles and responsibilities
• Develop VM baselines and metrics
• Develop threat classifications (high, medium, low)
• Identify and inventory assets
• Create CSIRT
• Develop procedures for incident handling
• Develop communication channels for incident data dissemination
• Carry out vulnerability assessments
• Carry out penetration tests
• Receive vendor vulnerability alerts
• Validate vulnerability alerts against your inventory of assets
• Classify new vulnerability (high, medium, low)
• Test remediation (patches, hotfix) and deploy – patch management
• Implement preventive controls based on new vulnerability releases
• Audit vulnerability management processes and continually improve

Qualys, Foundstone Scanner, and ISS cannot do all of this for you. The product is just one component of the process.
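Two of the steps above, "Validate vulnerability alerts against your inventory of assets" and "Classify new vulnerability (high, medium, low)", are the part of the process a scanner does not do for you, because only the organization knows what it runs and what each host is worth. The Python below is an added example, not code from the presentation or from any of the products it names. Everything in it is constructed for illustration: the hosts, the "acme-*" products, the VEND-* advisory identifiers (not real CVEs), the rule that a host is affected when its version is below the fixed-in version, and the rating policy (CVSS bands, raised one level for internet-facing hosts or hosts holding confidential data).

```python
"""Added example: match vendor vulnerability alerts against an asset
inventory and rate each real hit high/medium/low.  All data below is
constructed for illustration (hypothetical hosts, products, advisory IDs)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool
    data_class: str          # "public", "internal" or "confidential"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # vendor's identifier (made up here)
    product: str
    fixed_in: str            # first version that carries the fix
    cvss: float              # vendor-supplied base score


# Constructed inventory; in practice this comes from the asset register.
INVENTORY = [
    Asset("web-01",   "acme-httpd", "2.4.1",  True,  "internal"),
    Asset("web-02",   "acme-httpd", "2.4.9",  True,  "internal"),
    Asset("db-01",    "acme-db",    "11.2.0", False, "confidential"),
    Asset("kiosk-01", "acme-httpd", "2.3.7",  False, "public"),
]

# Constructed alerts; advisory IDs are hypothetical, not real CVEs.
ADVISORIES = [
    Advisory("VEND-2001", "acme-httpd", "2.4.5",  9.8),
    Advisory("VEND-2002", "acme-db",    "11.3.0", 3.1),
    Advisory("VEND-2003", "acme-mail",  "1.0.1",  7.5),
]

LEVELS = ["low", "medium", "high"]


def version_key(v: str) -> tuple:
    """Dotted numeric version -> tuple, so '2.4.10' sorts after '2.4.9'."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Validation step: same product and running a version below the fix."""
    return (asset.product == adv.product
            and version_key(asset.version) < version_key(adv.fixed_in))


def classify(asset: Asset, adv: Advisory) -> str:
    """Classification step (assumed policy): CVSS band, raised one level when
    the host is internet-facing or holds confidential data."""
    if adv.cvss >= 7.0:
        idx = 2
    elif adv.cvss >= 4.0:
        idx = 1
    else:
        idx = 0
    if asset.internet_facing or asset.data_class == "confidential":
        idx = min(idx + 1, len(LEVELS) - 1)
    return LEVELS[idx]


def triage(advisories, inventory):
    """Return (hits, unmatched): hits are (advisory_id, hostname, level)
    sorted high first; unmatched lists alerts for products we do not run,
    which should be recorded rather than silently dropped."""
    hits, unmatched = [], []
    for adv in advisories:
        affected = [a for a in inventory if is_affected(a, adv)]
        if not affected:
            unmatched.append(adv.advisory_id)
            continue
        for a in affected:
            hits.append((adv.advisory_id, a.hostname, classify(a, adv)))
    hits.sort(key=lambda h: (-LEVELS.index(h[2]), h[0], h[1]))
    return hits, unmatched


if __name__ == "__main__":
    hits, unmatched = triage(ADVISORIES, INVENTORY)
    for advisory_id, host, level in hits:
        print(f"{level:6} {advisory_id} {host}")
    print("no matching assets:", ", ".join(unmatched))
```

The point of keeping the `unmatched` list is the audit step at the end of the process: an alert for a product you do not run is still evidence that the inventory was consulted, and an inventory gap shows up as an alert that "matched nothing" but should have.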

Page 34:

Data Classification and Data Protection

Data Classification Program
• Risk assessment of not protecting sensitive data
• Define sensitive data as it maps to business drivers
• Define classification criteria (determine value of data via business impact analysis)
• Define data owner and custodian responsibilities
• Develop the necessary policies, standards, guidelines and procedures for internal use
• Know how to detect "sensitive data" at rest and in transit
• Mitigate third party risks (they have copies of sensitive data you are responsible for protecting)
• Response procedures when users attempt to release sensitive data, and enforcement tactics
• Document the data classification process, which includes a risk matrix, and control descriptions for auditors and compliance
• Know how to modify classification criteria based on business and regulatory needs
• Understand the data protection controls that should be in place:
  ▶ Access control
  ▶ User provisioning
  ▶ Encryption
  ▶ Digital rights management
  ▶ Monitoring
• Training on the data classification program, processes, and product use
• Integrate data classification and data protection processes into internal auditing practices
• Develop documentation and resources for external auditors for compliance validation
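The "Know how to detect sensitive data at rest and in transit" item is the one that turns into code: whatever product you buy, it is running pattern checks like the ones below over files and outbound messages, and the classification criteria you defined decide which patterns count. This Python is an added example, not the presentation's code or any product's. The sample text is constructed; the card number is a standard test value. The card check uses the Luhn checksum, the SSN check rejects the ranges the Social Security Administration never issues (area 000, 666 and 900-999, group 00, serial 0000), and the two categories, the masking format and the line-oriented wrapper are assumptions for illustration.

```python
"""Added example: find payment card numbers and US SSNs in text, the way a
data-loss-prevention check scans a file at rest or a message in transit.
Sample text is constructed; the card number is a standard test value."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common 3-2-4 format.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject the ranges the SSA never issues."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900
                or int(group) == 0 or int(serial) == 0)


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str):
    """Return [(kind, masked_value, offset)] ordered by position in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("PAN", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3), m.start()))
    findings.sort(key=lambda f: f[2])
    return findings


def scan_lines(lines):
    """Line-oriented wrapper for files or mail bodies: (line_no, kind, masked)."""
    out = []
    for n, line in enumerate(lines, start=1):
        out.extend((n, kind, val) for kind, val, _ in find_sensitive(line))
    return out


# Constructed sample: one card test number, one SSN, one 16-digit tracking
# number that fails Luhn, and one SSN-shaped value from a never-issued range.
SAMPLE = """\
Invoice 2024-000123 paid with card 4111 1111 1111 1111, exp 12/27.
Employee file: SSN 123-45-6789, badge 9001.
Tracking number 1234567890123456 (not a card).
Not an SSN: 000-12-3456.
"""

if __name__ == "__main__":
    for line_no, kind, val in scan_lines(SAMPLE.splitlines()):
        print(f"line {line_no}: {kind} {val}")
```

Two of the four sample lines are deliberately near misses: the tracking number has the right length but fails the checksum, and the last value has the SSN shape but an area number that is never issued. Without those two checks a pattern-only scanner reports both, which is the false-positive rate that makes users route around the control.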

Page 35:

This Level of Detail Per Program Component

Program Components

Don't buy a tool and THEN figure out your process.

Page 36:

Break Your Three Year Plan Down

Project management is required to keep everyone in step and on track.

Page 37:

Phases Need Useful Detail and Goals

Page 38:

Page 39:

When?

Do you have to accomplish all of this today? In a week? In a year? In 2 years?

No, but you need a plan today, and if it is worthless you will not accomplish this stuff in 10 years!

Page 40:

3 Year Plan – Are Your Phases Even Useful – or Too High Level?

Page 41:

Structure or Chaos – or In Between?

If you don't know where you are, you can't get to where you want to go.

Where is Your Architecture?

Swamp guides become more valuable than security architects.

Page 42:

All Organizations

We are currently around here

Page 43:

We Need to Evolve

▶ We need to empower organizations and allow them to understand security in business terms.
▶ We need to take the theoretical best practices and turn them into practical action items.
▶ Companies need to be able to take ownership of their internal security program.

The current approach will continue to provide a gap between what we preach and what we practice.

Holistic security, integrated into business processes.

Page 44:

Security Maturity Evolution

(Diagram: a "Security Capability" axis running through Level 1 Defined, Level 2 Integrated and Level 3 Optimized, with the following components placed along it)

Security Metrics: Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process

Initiate Stakeholder Security Program: Stakeholder-sponsored program with responsibilities assigned

Security Architecture: Architecture principles and policies in place to define core security functions

Assurance: Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective

Security Technical Framework: Establishment of standards and technologies to support stakeholder interaction

Security Organizational Structure: Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure

Documented Strategy, Principles, and Policy: Clearly defined set of technology-independent policies developed from the business strategy

Compliance and Certification: Establish compliance measurement and reporting system

Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk

Page 45

How to be Successful
▶ Figure out what needs to be protected, where you are and where you need to go
▶ Gather A LOT of organizational data – do not work in a vacuum
▶ Get at least one person out of the responsibility of continually fighting fires
▶ Stop spending money until a structured risk-based architecture is developed that is measurable and controllable
▶ Break the pieces down into achievable goals that are inexpensive
▶ Learn from each phase, improve, and incorporate the knowledge into the next phase
▶ Do not create metrics, baselines, or processes "in the dark" – that would waste a lot of money and be useless
▶ Understand how to incorporate security into business units and processes
▶ Make the 3-year plan a living document – you will only continue to learn

Page 46

Business Case Communication

What will Allow this Project to Succeed?
▶ Take the time to gather all of the necessary data before running forward
▶ Get feedback from all departments that would be involved and affected
▶ Provide real information for decision makers, not superficial data
▶ A solid and reasonable phased approach
▶ Realize and communicate the true benefit that this will provide for ALL security needs and departments
▶ Realize that this is a long jog, not a short sprint

What will Cause this Project to Fail?
▶ Necessary resources and funds are not provided through ALL PHASES
▶ It is viewed as a bottleneck for business expansion. It must be enforced as a "must have", not a "nice to have"
▶ No one person owns this process and keeps people on track
▶ Not enough communication takes place
▶ The wrong people are on the security committee
▶ Other projects take precedence and motivation fades

Page 47

Improvement Will Not Happen Accidentally

Page 48

Shon Harris
Security Coach – Not Consultant

[email protected]

(972) 347-1233

Logical Security

Page 49

Questions?