A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov

Post on 18-Nov-2014

5.621 views

Category:

Business


7 download

DESCRIPTION

A practical example of using the SABSA extended Security-in-depth layer strategy. A little bit of insight into why and how I extended the original and how to use it to create Information Security Standards that have sound architecture behind them.

TRANSCRIPT

Page 1: A Practical Example to Using SABSA Extended Security-in-Depth Strategy

A Practical Example to Using SABSA Extended Security-in-Depth Strategy

Allen Baranov

Page 2

Who Am I?

Allen Baranov, CISSP

Information Security Professional

SABSA Foundation Certified

Specialist In Security Management, Security Architecture and Risk and Compliance

Looking for new permanent position!

See LinkedIn for more details or email me for more information!

au.linkedin.com/in/allenbaranov/

Page 3

This is my proposal for an extended Security-in-Depth Strategy. It is based on the one in the official SABSA documentation but extended to be more practical, as you’ll see later in this presentation.

Extended SABSA Security-in-Depth Strategy (Assurance spans all six layers; each layer pairs a negative action with a positive one):

Negotiate
• Deter
• Invite

Enforcement
• Prevent
• Allow

Post Breach Enforcement
• Contain (Deny)
• (Continue to) Allow

Activity Monitoring
• Detect and Notify
• Detect and Process (Service)

Traffic Monitoring
• Evidence & Track
• Baseline and service improvement

Data Availability Maint.
• Recover and Restore
• Monitor and Optimise (Hierarchical Storage Management)

Page 4

• Deter
• Prevent
• Contain
• Detect and Notify
• Evidence & Track
• Recover + Restore
• Assure

Original SABSA Security-in-Depth Strategy

This is the original SABSA S-i-D Strategy diagram. You will see that it has “negative” actions which (IMHO) don’t fit with the SABSA risk/opportunity philosophy.

Page 5

… so I extended it. For each negative action, there is a positive one, and I have grouped them into 6 groups. I moved Assurance to its own super group with each level feeding back to it. This is still a WIP and I am keen for feedback.

Extended SABSA Security-in-Depth Strategy (the same diagram as on Page 3)

Page 6

Deconstructing the purpose of a Firewall.

• Operates on the network layer.

• It usually defines the border between two networks of differing levels of risk.

• It investigates traffic and makes decisions on how to pass the traffic based on predefined rules (known as rulebase or policy)

• It can be used for tracking connectivity.

• Firewalls may also do deeper inspection into network traffic.

• Firewalls may be physical hardware, software, dedicated boxes, a service or a virtual machine.

Practical Example - Firewalls

I extended it so as to come up with a practical way to use SABSA for writing a Firewall Standard. The first thing to do is to work out exactly what a Firewall is aiming to achieve. Then to fit it into the 6 layers of the model. See next slide.

Page 7

Negotiate Network Usage
• Deter – create a logical border between networks
• Invite – invite authorised traffic to be used for business purposes

Enforcement of predefined rules
• Prevent – prevent unauthorised traffic from flowing across the network boundary
• Allow – allow authorised (business enhancing) traffic across the network boundary

Post Breach Network Management
• Contain (Deny) – temporarily stop a compromised network leaking onto a “clean” network
• (Continue to) Allow – allow “clean” networks to communicate until a breach is detected

Network Activity Monitoring
• Detect and Notify – monitor all traffic and notify of suspicious traffic
• Detect and Process – allow network traffic to pass and baseline “normal”

Network Traffic Monitoring
• Evidence & Track – watch for anomalies in traffic flow and suspicious connections to build a profile of activities
• Baseline and service improvement – watch for opportunities to improve connectivity and gain understanding of network usage across the org

Network Availability Maint.
• Recover and Restore – have redundant devices and network connections with automatic service continuation
• Monitor and Optimise – look for opportunities for reducing speed on some connections and increasing speed for others

Practical Example - Firewalls

Page 8

I then took each layer and this became a section in the Standard. Note that especially the “Negotiate” section should be written as a contract, with both what will be delivered and what is expected.

Page 9

This way the Standards can be more comprehensive.

They are also not so negative and they show the balance of what is needed for compliance and security against what is offered.

The firewall standard, for example, shows that without a firewall all the benefits of the Internet would not be available.

Also, while we are monitoring for bad traffic, we could also be monitoring for performance.

There is one more major advantage that turns the whole SABSA philosophy on its head but I will save that one for next time… ;)

For more, visit my blog – http://securethink.blogspot.com.au

Page 10

…other bits and pieces

What is SABSA?

SABSA is a proven framework and methodology for Enterprise Security Architecture and Service Management used successfully by numerous organisations around the world. Now used globally to meet a wide variety of Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity Management, SABSA has evolved since 1995 to be the 'approach of choice' for commercial organisations and Government alike. SABSA ensures that the needs of your enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure.

Although copyright protected, SABSA is an open-use methodology, not a commercial product.

Images

All images are used with permission. Some are from the site stock.xchng (http://www.sxc.hu/)