A Holistic View of Enterprise Security

Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, rafal@projectbotticelli.co.uk, www.projectbotticelli.co.uk

Posted on 22-Dec-2015







  • Slide 1
  • A Holistic View of Enterprise Security
      • Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd
      • rafal@projectbotticelli.co.uk, www.projectbotticelli.co.uk
      • Copyright 2005 Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the Comments field in File/Properties.
  • Slide 2
  • Objectives
      • Define security in a practical, measurable, and achievable way
      • Introduce security frameworks
      • Introduce OCTAVE
      • Introduce simple risk assessment
      • Introduce the concepts of threat modelling for enterprise security
      • Overview major security technologies
  • Slide 3
  • Session Agenda
      • Defining Security Concepts
      • Building a Secure Environment
      • Processes
      • OCTAVE
      • Simplified Security Risk Analysis
      • Formal Threat Modelling
      • Summary
  • Slide 4
  • Defining Security Concepts
  • Slide 5
  • Security Definition
      • Cambridge Dictionary of English: ability to avoid being harmed by any risk, danger or threat
      • Therefore, in practice, an impossible goal
      • What can we do then? Be as secure as needed
      • Rafal's definition: ability to avoid being harmed too much by reasonably predictable risks, dangers or threats
  • Slide 6
  • Challenge
      • Security must be balanced with usability (and accessibility)
      • Most secure = useless
      • Most useful = insecure
      • Know the balance you need
      • Factor in the price: both security and usability cost a lot
  • Slide 7
  • Cost-Effectiveness of Security
      • "Appropriate business security is that which protects the business from undue operational risks in a cost-effective manner." (Sherwood, 2003)
      • Estimation of cost and effectiveness of security requires knowledge and estimation of:
          • Assets to protect
          • Possible threats or losses
          • Cost of their prevention
          • Cost of contingencies
  • Slide 8
  • Adequate Security
      • CERT usefully suggests: "A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances." (www.cert.org/governance/adequate.html)
      • Risk Appetite: defined through executive decision; influences the amount of risk worth taking to achieve enterprise goals and missions. Relates to risks that must be mitigated and managed
      • Risk Tolerance: the residual risk that is accepted. Relates to risk for which no mitigation would be in place
  • Slide 9
  • 1st Conclusion
      • As 100% security is impossible, you need to decide what needs to be secured and how well it needs to be secured
      • In other words, you need:
          • Asset list
          • Threat analysis to identify risks
          • Risk impact estimate for each asset
          • Ongoing process for reviewing assets, threats and risks
          • Someone responsible for this process
          • Operational procedures for responding to changing conditions (emergencies, high risk etc.)
  • Slide 10
  • Digital Security as Extension of Physical Security of Key Assets
      • Strong physical security of KA + strong digital security = good security everywhere
      • Weak physical security of KA + strong digital security = insecure environment
      • Strong physical security of KA + weak digital security = insecure environment
  • Slide 11
  • Aspects of Security: static, passive, pervasive
      • Confidentiality: your data/service provides no useful information to unauthorised people
      • Integrity: if anyone tampers with your asset it will be immediately evident
      • Authenticity: we can verify that the asset is attributable to its authors or caretakers
      • Identity: we can verify who the specific individual entity associated with your asset is
      • Non-repudiation: the author, owner or caretaker of the asset cannot deny that they are associated with it
  • Slide 12
  • Aspects of Security: dynamic, active, transient
      • Authorisation: it is clear what actions are permitted with respect to your asset
      • Loss: the asset is irrecoverably lost (or the cost of recovery is too high)
      • Denial of access (aka denial of service): access to the asset is temporarily impossible
  • Slide 13
  • Approaches for Achieving Security
      • Two approaches are needed:
          • Active, dynamic, transient: implemented through behaviour and pattern analysis
          • Passive, static, pervasive: implemented through cryptography
  • Slide 14
  • Behaviour (Pattern) Analysis
      • Prohibits reaching an asset if access is out-of-pattern, e.g.:
          • Password lock-out after N unsuccessful attempts
          • Blocking packets at a router if too many come from a given source
          • Denying a connection based on IPSec filter rules
          • Stopping a user from seeing more than N records in a database per day
          • Time-out of an idle secure session
      • Active
      • Cannot always prevent unauthorised use of the asset
      • Can prevent legitimate access: you need easy and secure unlock mechanisms
      • Strength varies with the sophistication of known attacks
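The first mechanism on Slide 14, lock-out after N unsuccessful attempts, written out as a sliding-window monitor. This is an added example, not code from the deck or from Project Botticelli: the log format, the `LockoutPolicy` thresholds and the sample events are all constructed here. It also makes the slide's two caveats concrete: during the lock even a correct password is refused (the cost to legitimate access), and the "unlock mechanism" in this version is simply the passage of time, which a helpdesk reset could shorten.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample authentication events (not from the deck):
# "<ISO timestamp> <user> <source IP> <FAIL|OK>", where OK means the
# presented credentials were correct.
SAMPLE_EVENTS = [
    "2005-06-01T09:00:00 alice 10.0.0.5 FAIL",
    "2005-06-01T09:00:05 alice 10.0.0.5 FAIL",
    "2005-06-01T09:00:09 alice 10.0.0.5 FAIL",  # third failure: lock-out triggers
    "2005-06-01T09:00:12 alice 10.0.0.5 OK",    # correct password, still denied
    "2005-06-01T09:00:30 bob 10.0.0.7 FAIL",
    "2005-06-01T09:00:35 bob 10.0.0.7 OK",      # one failure is below the threshold
    "2005-06-01T09:11:00 alice 10.0.0.5 OK",    # lock expired: legitimate access restored
]


@dataclass
class LockoutPolicy:
    max_failures: int = 3                        # the "N" in "after N unsuccessful attempts"
    window: timedelta = timedelta(minutes=5)    # failures older than this are forgotten
    lockout: timedelta = timedelta(minutes=10)  # time-based unlock (assumed policy value)


@dataclass
class AccountState:
    failures: Deque[datetime] = field(default_factory=deque)
    locked_until: Optional[datetime] = None


class LockoutMonitor:
    """Pattern-based access control: deny access when the failure pattern is out of bounds."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _prune(self, state: AccountState, now: datetime) -> None:
        # Keep only failures that fall inside the sliding window.
        while state.failures and now - state.failures[0] > self.policy.window:
            state.failures.popleft()

    def evaluate(self, now: datetime, user: str, outcome: str) -> str:
        state = self.accounts.setdefault(user, AccountState())
        self._prune(state, now)
        if state.locked_until is not None:
            if now < state.locked_until:
                return "DENY_LOCKED"          # even correct credentials are refused
            state.locked_until = None         # lock expired: the unlock mechanism is time
            state.failures.clear()
        if outcome == "FAIL":
            state.failures.append(now)
            if len(state.failures) >= self.policy.max_failures:
                state.locked_until = now + self.policy.lockout
                return "DENY_LOCK_TRIGGERED"
            return "DENY_BAD_CREDENTIALS"
        state.failures.clear()                # a success resets the failure count
        return "ALLOW"


def process(lines: List[str], policy: Optional[LockoutPolicy] = None) -> List[Tuple[str, str]]:
    """Replay log lines through the monitor and return one (user, decision) per line."""
    monitor = LockoutMonitor(policy or LockoutPolicy())
    decisions = []
    for line in lines:
        ts, user, _source, outcome = line.split()
        decisions.append((user, monitor.evaluate(datetime.fromisoformat(ts), user, outcome)))
    return decisions


if __name__ == "__main__":
    for user, decision in process(SAMPLE_EVENTS):
        print(f"{user:6} {decision}")
```

Replaying the sample shows alice locked on her third failure, refused on the fourth event despite the correct password, and allowed again once the lock-out period has elapsed; bob's single failure never reaches the threshold. The window and lock-out values are the tuning knobs the slide alludes to: a long lock-out with no other unlock path turns the control into a denial-of-access risk for legitimate users.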
  • Slide 15
  • Cryptography
      • Using hard mathematics to implement the passive security aspects mentioned earlier
      • Static
      • Cannot detect or prevent problems arising from a pattern of behaviour
      • Relies on physical security of Key Assets (such as master private keys etc.)
      • Strength changes with time, depending on the power of computers and developments in cryptanalysis
  • Slide 16
  • Future Security Technologies
      • Behaviour analysis is under tremendous development at present
      • Expect from Microsoft:
          • Microsoft Operations Manager 2005: already available, more rules on their way
          • Active Protection: set of technologies for intrusion detection, automatic response and ongoing protection
      • Imagine: MOM + IDS based on neural network + GPOs
  • Slide 17
  • Holistic View of Security
      • Security should be:
          • Static + Active
          • Across All Your Assets
          • Based On Ongoing Threat Risk Assessment
  • Slide 18
  • Building a Secure Environment
  • Slide 19
  • Defense in Depth
      • Using a layered approach:
          • Increases an attacker's risk of detection
          • Reduces an attacker's chance of success
      • Layers and example controls:
          • Policies, Procedures, & Awareness: user education against social engineering
          • Physical Security: guards, locks, tracking devices, HSM
          • Perimeter: firewalls, VPN quarantine
          • Internal Network: network segments, IPSec, NIDS
          • Host: OS hardening, update management, authentication
          • Application: application hardening, antivirus
          • Data: ACL, encryption
  • Slide 20
  • Secure Environment
      • A secure environment is a combination of:
          • Hardened hosts (nodes)
          • Intrusion Detection System (IDS)
          • Operating Processes: standard and emergency
          • Threat Modelling and Analysis
          • Dedicated Responsible Staff: Chief Security Officer (CSO) responsible for all
          • Continuous Training: users and security staff, against social engineering
  • Slide 21
  • Processes
      • Operating Processes
          • Microsoft Operations Framework (MOF)
          • IT Infrastructure Library
          • BS7799 and related ISO
          • Informal: Standard and Emergency Operating Procedures
      • Risk and Threat Analysis Processes
          • Simple Security Risk Analysis
          • Attack Vectors and Threat Modelling
          • OCTAVE
  • Slide 22
  • Operating Processes
      • As a minimum, define:
          • Standard Operating Procedures: the set of security policies used during normal conditions; could be based on Windows AD Group Policies
          • Emergency Operating Procedures: tighter policies used during high-risk or under-attack conditions
      • Aim for compliance with an overall operational process framework, e.g. Microsoft Operations Framework: SLAs, OLAs and UCs
  • Slide 23
  • Education & Research
      • As a minimum, you really need to subscribe to security advisories:
          • Microsoft Security Notification Service: www.microsoft.com/security
          • CERT: www.cert.org
          • SANS Institute: www.sans.org
          • Other vendor-specific: Cisco, Oracle, IBM and so on
      • Apart from notifications, study the available operational security guidance: www.microsoft.com/technet/security
  • Slide 24
  • OCTAVE
  • Slide 25
  • OCTAVE
      • Operationally Critical Threat, Asset and Vulnerability Evaluation
      • Carnegie Mellon University guidance
      • Origin in 2001
      • Used by the US military and a growing number of larger organisations
      • www.cert.org/octave
  • Slide 26
  • Concept of OCTAVE
      • Workshop-based analysis
      • Collaborative approach
      • Guided by an 18-volume publication
      • Very specific, with suggested timings, personnel selection etc.: www.cert.org/octave/omig.html
      • Smaller version, OCTAVE-S, for small and medium organisations: www.cert.org/octave/osig.html
  • Slide 27
  • OCTAVE Process
      • Progressive series of workshops:
          • Phase 1: Organizational View
          • Phase 2: Technological View
          • Phase 3: Strategy and Plan Development
      • Workshop inputs and outputs shown in the diagram: planning, assets, threats, current practices, organizational vulnerabilities, security requirements, technological vulnerabilities, risks, protection strategy, mitigation plans
  • Slide 28
  • Steps of OCTAVE Processes
  • Slide 29
  • Simplified Security Risk Analysis
  • Slide 30
  • Examples
      • Asset: internal mailbox of your Managing Director
      • Risk Impact Estimate (examples!):
          • Risk of loss: Medium impact
          • Risk of access by staff: High impact
          • Risk of access by press: Catastrophic impact
          • Risk of access by a competitor: High impact
          • Risk of temporary no access by MD: Low impact
          • Risk of change of content: Medium impact
  • Slide 31
  • Creating Your Asset List
      • List all of your named assets starting with the most sen

