dcd converged brazil 2016


Post on 15-Jan-2017





Racks & Stacks, Users & Clouds

All are part of a layered security strategy

Scott Carlson, Executive Security Advisor

These are my opinions based on my history in Fortune 500 banking, education, and stock trading.

Solid security strategies begin when you break down your environment piece by piece and build predictive and defensive controls to your level of risk comfort. Components of your data center, server infrastructure, access, and external deployments (public cloud) have various ways in which to securely deploy, monitor, and reduce attack surface. Doing this in practice can be a lot different than just passing your local compliance regulations. This session will focus on how to execute for secure coverage at all layers.

Don't be scared of this

YOU

Used with creative commons license with permission from http://xkcd.com

Yes, the CISO or information security team is expected to be an information security universal converter box.

Know Your Business
- Business Acumen
- Your People Matter
- Your Locations Matter
- Understand Executive Language
- Understand Your Risks
- Be a business enabler, not a business blocker ("How" vs "No")

When you are at the table you need to have conversations in business language.

Your risks define your next step of actions.

Telling the Truth
- Build a culture of trust & sharing
- Build a culture of operations
- There are no magic tools
- Ask the HARD questions
- PROVE that it works
- Positive and negative tests
- Continuous testing

I look at information security like I look at an employee review. Your CISO, CEO, and Board should never be surprised by information; they should have constant updates that include the truth about how the company is really doing. Just like when you are asking for feedback from your boss, you want the truth. Information security should be about providing the truth about how things are.

Today's security solutions are moving from detective (reactive measures) to predictive (preventative capabilities).

Know your Controls
- Tools are not Controls
- Edge - Internal - Inbound - Outbound
- On-Premise - Cloud - SaaS
- Security Zones - Trust Layers - Privilege
- Application - Data - People - Use Cases

- Existence vs Working vs Operational
- Buy vs Build vs Outsource
- Best of Breed vs Best of Suite

Be able to explain your philosophy

Philosophy of Controls: Data Center solutions versus Cloud solutions

On-Premise Data Center
- When we control all aspects of the network, controls must exist at the physical and logical layer of the network that meet appropriate standards controls globally
- Security controls must exist at all layers of physical zones in physical data centers
- When physical data centers are built, availability zones get deployed within geographic regions, which get built per architectural and secure zoning blueprints
- Where feasible, automation must deploy the controls via pre-defined templates and keep enforcement in place even when the control is dropped
- When multi-tenancy is required, controls effectively separating the security zones must be employed and tested
- A physical control plane must remain separate from any data plane
- Physical separation must exist between employee networks and customer networks
- Centralized security operations staff must be aware of and monitor all physical security controls

Hosted Cloud / Public Cloud
- When we do not control all aspects of the environment, we must rely on a provider to deliver physical controls, audited against appropriate standards, with the appropriate legal contracts in place
- Cloud services must be pre-defined, approved, and must be deployed via template to ensure appropriate application
- Any cloud solution implemented must be tested to be equivalent in control state to our physical data center deployment of that same control
- Cloud controls can be implemented in any way as long as they deliver the target state effectively
- The management control plane must remain separate from the data plane
- Ingress/Egress from the cloud provider must be protected in an equivalent way to on-premise data center solutions
- Cloud native controls should be used where feasible, but multi-provider monitoring and management must be built
- Centralized security operations staff must be aware of and monitor all cloud security controls

Server Controls (SAMPLE)

The same control set applies to Windows and Unix/Linux servers; the tool named for each platform, or a differing recommendation, is noted in parentheses.
- Anti-Virus (Unix/Linux: NONE RECOMMENDED)
- Data Leakage Prevention (Unix/Linux: NONE RECOMMENDED)
- Local Vulnerability Assessment (BT Retina)
- Security Investigations
- Imaging/Patching
- Privilege Lock-down (Windows: BT PBW; Unix/Linux: BT PBUL)
- Anti-malware, I/O Logging
- Change Detection
- Software Vulnerability Mitigation
- Password Control (BT Password Safe)
- Account Management
- Keystroke Logging (Windows: BT PBW; Unix/Linux: BT PBUL)
- Privilege Management (Windows: BT PBW; Unix/Linux: BT PBUL)
- FIM

Account and System Strategy
- Account Behavior
- Information Coverage
- Identity Knowledge (IAM)
- Location Awareness
- End User Behavior
- Machine Integrity
- Data movement
- Intrusion Detection
- End-point policies
- Anti-malware, unexpected software

(Good or Bad) accounts can perform (Authorized or Unauthorized) actions from (Expected or Unexpected) locations on (Expected or Unexpected) machines with (Safe or Unsafe) software installed.


Where to start?

Start with use cases and use Four IFs

Compliant is NOT the same as being Secure

Security is a Journey not a Project

Follow the 4 if-then rule: if A then if B then if C then if D

The 4 if-then rule means the following. If you are doing something and figuring out which security control to do first, you should sequence your use case: if A then if B then if C then if D. In information security this means an attacker or insider must get past control A before they get into control B. If control A doesn't exist and it's the first point of entry, you should probably prioritize control A.
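The account/action/location/machine/software model from the "Account and System Strategy" slide and the 4 if-then sequencing above, combined into one evaluator. This is an added example, not code from the talk; the inventories and events are constructed stand-ins for IAM data, location baselines, a machine integrity list and an unsafe-software list, and the layer order A..E is an assumption for illustration.

```python
# Added example: evaluate events layer by layer (account -> action -> location
# -> machine -> software) and report the first layer each event fails; the
# earliest layer with failures is the control to prioritize under the
# 4 if-then rule. All reference data and events below are constructed.
from dataclasses import dataclass

# Constructed reference data standing in for IAM, location baselines,
# machine integrity inventory and an unapproved-software list.
KNOWN_ACCOUNTS = {"alice": {"deploy", "read_logs"}, "svc_backup": {"read_db"}}
EXPECTED_LOCATIONS = {"alice": {"office-nyc", "vpn"}, "svc_backup": {"dc-east"}}
TRUSTED_MACHINES = {"ws-alice-01", "bkp-node-3"}
UNSAFE_SOFTWARE = {"credential-dumper", "unapproved-remote-tool"}

# Ordered layers: an actor must pass A before B, B before C, and so on.
LAYERS = ("account", "action", "location", "machine", "software")

@dataclass
class Event:
    account: str
    action: str
    location: str
    machine: str
    software: tuple  # names of software observed on the machine

def evaluate(ev: Event) -> dict:
    """Return the first layer the event fails and the layers it passed."""
    checks = {
        "account": ev.account in KNOWN_ACCOUNTS,                      # good/bad account
        "action": ev.action in KNOWN_ACCOUNTS.get(ev.account, set()), # authorized?
        "location": ev.location in EXPECTED_LOCATIONS.get(ev.account, set()),
        "machine": ev.machine in TRUSTED_MACHINES,                    # expected machine
        "software": not (set(ev.software) & UNSAFE_SOFTWARE),         # safe software
    }
    passed = []
    for layer in LAYERS:
        if not checks[layer]:
            return {"verdict": "alert", "failed": layer, "passed": passed}
        passed.append(layer)
    return {"verdict": "allow", "failed": None, "passed": passed}

def prioritize(events) -> list:
    """Layers that saw failures, in sequence order: fix the first one first."""
    counts = {layer: 0 for layer in LAYERS}
    for ev in events:
        failed = evaluate(ev)["failed"]
        if failed:
            counts[failed] += 1
    return [layer for layer in LAYERS if counts[layer]]
```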

Strategy for success
- Multi-Year Journey
- Budgets of Capital/Operating
- Do not overstate what you can actually do
- Never let a good crisis go to waste
- Walls of Shame & Walls of Fame
- Frequent Discussions
- Plan and be ready

Winston Churchill - Never let a good crisis go to waste


Scott Carlson
twitter: @Scottophile
email: [email protected]