DCD Converged Brazil 2016
TRANSCRIPT
Racks & Stacks, Users & Clouds
All are part of a layered security strategy
Scott Carlson, Executive Security Advisor
These are my opinions based on my history in Fortune 500 banking, education, and stock trading.
Know Your Business
• Business Acumen
• Your People Matter
• Your Locations Matter
• Understand Executive Language
• Understand Your Risks
• Be a business enabler not a business blocker (How vs No)
• When you are “At the table” you need to have conversations in business language
Telling the Truth
• Build a culture of trust & sharing
• Build a culture of operations
• There are no magic tools
• Ask the HARD questions
• PROVE that it works
  • Positive and negative tests
  • Continuous testing
Today’s Security Solutions are moving… from detective (reactive measures) to predictive (preventative capabilities)
Know your Controls
• “Tools” are not “Controls”
• Edge - Internal - Inbound - Outbound
• On-Premise - Cloud - SAAS
• Security Zones - Trust Layers - Privilege
• Application - Data - People - Use Cases
• Existence vs Working vs Operational
• Buy vs Build vs Outsource
• Best of Breed vs Best of Suite
• Be able to explain your philosophy
Philosophy of Controls
On-Premise Data Center
• When we control all aspects of the network, controls must exist at the physical and logical layers of the network and meet appropriate standards globally
• Security controls must exist at all layers of physical zones in physical data centers
• When physical data centers are built, availability zones get deployed within geographic regions, which get built per architectural and secure zoning blueprints
• Where feasible, automation must deploy the controls via pre-defined templates and keep enforcement in place even when the control is dropped
• When multi-tenancy is required, controls effectively separating the security zones must be employed and tested
• A physical control plane must remain separate from any data plane
• Physical separation must exist between employee networks and customer networks
• Centralized security operations staff must be aware of and monitor all physical security controls
Hosted Cloud / Public Cloud
• When we do not control all aspects of the environment, we must rely on a provider to deliver physical controls, audited against appropriate standards, with the appropriate legal contracts in place
• Cloud services must be pre-defined, approved, and deployed via template to ensure appropriate application
• Any cloud solution implemented must be tested to be equivalent in control state to our physical data center deployment of that same control
• Cloud controls can be implemented in any way as long as they deliver the target state effectively
• The management control plane must remain separate from the data plane
• Ingress/Egress from the cloud provider must be protected in an equivalent way to on-premise data center solutions
• Cloud-native controls should be used where feasible, but multi-provider monitoring and management must be built
• Centralized security operations staff must be aware of and monitor all cloud security controls
Data Center solutions versus Cloud solutions
Server Controls (SAMPLE)
Windows Servers
• Anti-Virus
• Data Leakage Prevention
• Local Vulnerability Assessment – BT Retina
• Security Investigations
• Imaging/Patching
• Privilege Lock-down – BT PBW
• Anti-malware, I/O Logging
• Change Detection
• Software Vulnerability Mitigation
• Password Control – BT Password Safe
• Account Management
• Keystroke Logging – BT PBW
• Privilege Management – BT PBW
• FIM
Unix/Linux Servers
• Anti-Virus – NONE RECOMMENDED
• Data Leakage Prevention – NONE RECOMMENDED
• Local Vulnerability Assessment – BT Retina
• Security Investigations
• Imaging/Patching
• Privilege Lock-down – BT PBUL
• Anti-malware, I/O Logging
• Change Detection
• Software Vulnerability Mitigation
• Password Control – BT Password Safe
• Account Management
• Keystroke Logging – BT PBUL
• Privilege Management – BT PBUL
• FIM
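The talk asks for controls to be judged by existence, working and operational state, and for every cloud deployment to be tested as equivalent in control state to its on-premise counterpart. The following is an added example, not part of the presentation or any product named on the slide: it encodes the sample control list above and grades constructed deployment inventories against it. Control names come from the slide; the level names, inventories and function names are assumptions made for the example.

```python
"""Control-state check for the sample server control list.

Added example, not part of the presentation: it encodes the slide's control list
for Windows and Unix/Linux servers, grades a deployment inventory against it at
the three levels named in the talk (existence, working, operational), and checks
that a cloud deployment is at least as strong as the on-premise baseline for the
same control. The inventories below are constructed sample data.
"""
from typing import Dict, Set, Tuple

# Maturity of a deployed control, weakest to strongest ("Existence vs Working vs Operational").
LEVELS = ("missing", "exists", "working", "operational")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Controls the slide lists for both platforms (product names omitted).
COMMON: Set[str] = {
    "Local Vulnerability Assessment", "Security Investigations", "Imaging/Patching",
    "Privilege Lock-down", "Anti-malware, I/O Logging", "Change Detection",
    "Software Vulnerability Mitigation", "Password Control", "Account Management",
    "Keystroke Logging", "Privilege Management", "FIM",
}
REQUIRED: Dict[str, Set[str]] = {
    "windows": COMMON | {"Anti-Virus", "Data Leakage Prevention"},
    # The slide marks Anti-Virus and Data Leakage Prevention "NONE RECOMMENDED" on Unix/Linux.
    "linux": set(COMMON),
}


def _rank(level: str) -> int:
    """Numeric rank of a level name; rejects anything outside the agreed vocabulary."""
    if level not in RANK:
        raise ValueError(f"unknown control level {level!r}; expected one of {LEVELS}")
    return RANK[level]


def control_gaps(platform: str, deployed: Dict[str, str],
                 minimum: str = "operational") -> Dict[str, str]:
    """Return {control: observed level} for every required control below `minimum`.

    A required control absent from the inventory is reported as "missing".
    """
    if platform not in REQUIRED:
        raise ValueError(f"unknown platform {platform!r}")
    floor = _rank(minimum)
    gaps: Dict[str, str] = {}
    for control in sorted(REQUIRED[platform]):
        level = deployed.get(control, "missing")
        if _rank(level) < floor:
            gaps[control] = level
    return gaps


def cloud_equivalence_gaps(platform: str, onprem: Dict[str, str],
                           cloud: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Controls where the cloud deployment is weaker than the on-premise baseline.

    The talk allows a cloud control to be implemented differently, so only the
    achieved level is compared, never the product or mechanism behind it.
    """
    if platform not in REQUIRED:
        raise ValueError(f"unknown platform {platform!r}")
    weaker: Dict[str, Tuple[str, str]] = {}
    for control in sorted(REQUIRED[platform]):
        base = onprem.get(control, "missing")
        actual = cloud.get(control, "missing")
        if _rank(actual) < _rank(base):
            weaker[control] = (base, actual)
    return weaker


# Constructed sample inventories: an on-premise Windows estate and its cloud counterpart.
ONPREM_WINDOWS = {c: "operational" for c in REQUIRED["windows"]}
ONPREM_WINDOWS["Change Detection"] = "working"      # deployed, alerts not yet routed to the SOC

CLOUD_WINDOWS = dict(ONPREM_WINDOWS)
CLOUD_WINDOWS["Keystroke Logging"] = "exists"       # agent installed, logging not enabled
del CLOUD_WINDOWS["Data Leakage Prevention"]        # never deployed in the cloud image

if __name__ == "__main__":
    print("on-prem gaps:", control_gaps("windows", ONPREM_WINDOWS))
    print("cloud gaps:  ", control_gaps("windows", CLOUD_WINDOWS))
    print("cloud weaker than on-prem:",
          cloud_equivalence_gaps("windows", ONPREM_WINDOWS, CLOUD_WINDOWS))
```

The equivalence check deliberately compares only the level reached, which is the slide's own rule: a cloud control may be built in any way as long as it delivers the same target state. Running the gap report at `minimum="exists"` answers "does it exist", at `"operational"` it answers the harder "is it actually working and watched" question the talk insists on.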
Account and System Strategy
• Account Behavior
• Information Coverage
• Identity Knowledge (IAM)
• Location Awareness
• End User Behavior
• Machine Integrity
• Data movement
• Intrusion Detection
• End-point policies
• Anti-malware, unexpected software
(Good or Bad) accounts can perform (Authorized or Unauthorized) Actions from (Expected or Unexpected) Locations on (Expected or Unexpected) Machines with (Safe or Unsafe) Software installed
Compliant is NOT the same as being Secure
Security is a Journey not a Project
Follow the 4 if-then rule…
“if A then if B then if C then if D”
Strategy for success
• Multi-Year Journey
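The account sentence above and the nested if-then rule describe one detection model: grade each dimension of an event (account, action, location, machine, software) against what is expected, then chain the results. The following is an added example, not code from the presentation: it implements that model over constructed events and baselines. The account names, location labels, software list and the verdict thresholds are assumptions made for the example, not the speaker's policy.

```python
"""Account-and-system evaluation for the layered sentence above.

Added example, not part of the presentation: it turns the five bracketed choices
(account, action, location, machine, software) into checks against a per-account
baseline, then applies a nested if-then chain to reach a verdict. Events, baselines
and reference lists are constructed sample data; the thresholds are an example policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    account: str
    action: str
    location: str                # where the session originated (constructed labels)
    machine: str                 # host the action ran on
    software: FrozenSet[str]     # software inventory observed on that host


@dataclass(frozen=True)
class Baseline:
    authorized_actions: FrozenSet[str]
    expected_locations: FrozenSet[str]
    expected_machines: FrozenSet[str]


# Constructed reference lists an IAM / endpoint team would maintain.
KNOWN_BAD_ACCOUNTS = frozenset({"svc-retired"})             # disabled or compromised accounts
UNSAFE_SOFTWARE = frozenset({"unapproved-remote-admin"})    # not on the approved software list
EMPTY_BASELINE = Baseline(frozenset(), frozenset(), frozenset())

# The "good" side of each bracket in the slide's sentence.
GOOD = {"account": "good", "action": "authorized", "location": "expected",
        "machine": "expected", "software": "safe"}


def evaluate(event: Event, baselines: Dict[str, Baseline]) -> Dict[str, str]:
    """Label each of the five dimensions with the slide's own vocabulary."""
    base: Optional[Baseline] = baselines.get(event.account)
    # An account with no baseline at all is treated as bad: nothing about it is expected.
    account_good = base is not None and event.account not in KNOWN_BAD_ACCOUNTS
    base = base or EMPTY_BASELINE
    return {
        "account": "good" if account_good else "bad",
        "action": "authorized" if event.action in base.authorized_actions else "unauthorized",
        "location": "expected" if event.location in base.expected_locations else "unexpected",
        "machine": "expected" if event.machine in base.expected_machines else "unexpected",
        "software": "safe" if not (event.software & UNSAFE_SOFTWARE) else "unsafe",
    }


def classify(findings: Dict[str, str]) -> str:
    """Nested if-then chain: each gate must hold before the next one is considered.

    Example policy: a bad account or unsafe software is an alert on its own; one
    unexpected dimension is worth a review; two or more are an alert.
    """
    if findings["account"] == "good":
        if findings["software"] == "safe":
            deviations = [dim for dim, value in findings.items() if value != GOOD[dim]]
            if not deviations:
                return "normal"
            if len(deviations) == 1:
                return "review"
    return "alert"


def triage(events: List[Event], baselines: Dict[str, Baseline]) -> List[Tuple[str, str, str]]:
    """(account, verdict, deviating dimensions) per event, as a review list for the SOC."""
    rows = []
    for ev in events:
        findings = evaluate(ev, baselines)
        deviating = ",".join(dim for dim, value in findings.items() if value != GOOD[dim])
        rows.append((ev.account, classify(findings), deviating))
    return rows


# Constructed baselines and events.
BASELINES = {
    "alice": Baseline(frozenset({"read-report", "edit-report"}),
                      frozenset({"office-hq", "vpn"}), frozenset({"wks-alice"})),
    "svc-retired": Baseline(frozenset({"read-report"}), frozenset({"office-hq"}),
                            frozenset({"wks-alice"})),
}
SAFE_SW = frozenset({"browser", "office-suite"})
E_NORMAL = Event("alice", "read-report", "office-hq", "wks-alice", SAFE_SW)
E_TRAVEL = Event("alice", "read-report", "cafe-wifi", "wks-alice", SAFE_SW)
E_ANOMALOUS = Event("alice", "export-customer-db", "cafe-wifi", "srv-db-01",
                    SAFE_SW | {"unapproved-remote-admin"})
E_RETIRED = Event("svc-retired", "read-report", "office-hq", "wks-alice", SAFE_SW)

if __name__ == "__main__":
    for row in triage([E_NORMAL, E_TRAVEL, E_ANOMALOUS, E_RETIRED], BASELINES):
        print(row)
```

Each dimension maps to one of the diagram's capabilities (identity knowledge for the account, location awareness, machine integrity, end-point and anti-malware policy for the software), and the verdict only exists because all of them are checked in one place; any single control on its own would have passed the travel event and missed the retired account.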
• Budgets of Capital/Operating
• Do not overstate what you can actually do
• Never let a good crisis go to waste
• Walls of Shame & Walls of Fame
• Frequent Discussions
• Plan and be ready