DCD Converged Brazil 2016

Racks & Stacks, Users & Clouds

All are part of a layered security strategy

Scott Carlson, Executive Security Advisor

These are my opinions based on my history in Fortune 500 banking, education and stock trading.

Post on 15-Jan-2017


TRANSCRIPT


(xkcd comic slide) Used with Creative Commons license with permission from http://xkcd.com

Know Your Business

• Business Acumen

• Your People Matter

• Your Locations Matter

• Understand Executive Language

• Understand Your Risks

• Be a business enabler not a business blocker (How vs No)

• When you are “At the table” you need to have conversations in business language

Telling the Truth

• Build a culture of trust & sharing

• Build a culture of operations

• There are no magic tools

• Ask the HARD questions

• PROVE that it works

  – Positive and negative tests

  – Continuous testing


Today’s Security Solutions are moving…

from detective : reactive measures

to predictive : preventative capabilities

Know your Controls

• “Tools” are not “Controls”

• Edge - Internal - Inbound - Outbound

• On-Premise - Cloud - SAAS

• Security Zones - Trust Layers - Privilege

• Application - Data - People - Use Cases

• Existence vs Working vs Operational

• Buy vs Build vs Outsource

• Best of Breed vs Best of Suite

• Be able to explain your philosophy

Philosophy of Controls: Data Center solutions versus Cloud solutions

On-Premise Data Center

• When we control all aspects of the network, controls that meet appropriate standards must exist globally at the physical and logical layers of the network

• Security controls must exist at all layers of physical zones in physical data centers

• When physical data centers are built, availability zones get deployed within geographic regions, which get built per architectural and secure zoning blueprints

• Where feasible, automation must deploy the controls via pre-defined templates and keep enforcement in place even when the control is dropped

• When multi-tenancy is required, controls effectively separating the security zones must be employed and tested

• A physical control plane must remain separate from any data plane

• Physical separation must exist between employee networks and customer networks

• Centralized security operations staff must be aware of and monitor all physical security controls

Hosted Cloud / Public Cloud

• When we do not control all aspects of the environment, we must rely on a provider to deliver physical controls, audited against appropriate standards, with the appropriate legal contracts in place

• Cloud services must be pre-defined, approved, and must be deployed via template to ensure appropriate application

• Any cloud solution implemented must be tested to be equivalent in control state to our physical data center deployment of that same control

• Cloud controls can be implemented in any way as long as they deliver the target state effectively

• The management control plane must remain separate from the data plane

• Ingress/Egress from the cloud provider must be protected in an equivalent way to on-premise data center solutions

• Cloud native controls should be used where feasible, but multi-provider monitoring and management must be built

• Centralized security operations staff must be aware of and monitor all cloud security controls

Server Controls (SAMPLE)

Windows Servers

• Anti-Virus

• Data Leakage Prevention

• Local Vulnerability Assessment – BT Retina

• Security Investigations

• Imaging/Patching

• Privilege Lock-down – BT PBW

• Anti-malware, I/O Logging

• Change Detection

• Software Vulnerability Mitigation

• Password Control – BT Password Safe

• Account Management

• Keystroke Logging – BT PBW

• Privilege Management – BT PBW

• FIM

Unix/Linux Servers

• Anti-Virus – NONE RECOMMENDED

• Data Leakage Prevention – NONE RECOMMENDED

• Local Vulnerability Assessment – BT Retina

• Security Investigations

• Imaging/Patching

• Privilege Lock-down – BT PBUL

• Anti-malware, I/O Logging

• Change Detection

• Software Vulnerability Mitigation

• Password Control – BT Password Safe

• Account Management

• Keystroke Logging – BT PBUL

• Privilege Management – BT PBUL

• FIM


Account and System Strategy

• Account Behavior

• Information Coverage

• Identity Knowledge (IAM)

• Location Awareness

• End User Behavior

• Machine Integrity

• Data movement

• Intrusion Detection

• End-point policies

• Anti-malware, unexpected software

(Good or Bad) accounts can perform (Authorized or Unauthorized) Actions from (Expected or Unexpected) Locations on (Expected or Unexpected) Machines with (Safe or Unsafe) Software installed

Where to start?

Start with use cases and use the “Four IFs”

Compliant is NOT the same as being Secure

Security is a Journey not a Project

Follow the 4 if-then rule…

“if A then if B then if C then if D”
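The account/action/location/machine/software model from the Account and System Strategy slide, evaluated with the “if A then if B then if C then if D” chain, as an added illustration that is not part of the talk: a later layer is only consulted once the earlier ones pass, and the first failing layer decides the outcome. The baselines, log format and events are constructed for the example.

```python
import re

# Constructed baselines standing in for what IAM, asset inventory and
# endpoint tooling would provide in a real environment.
KNOWN_ACCOUNTS = {"alice": {"read", "deploy"}, "bob": {"read"}}  # account -> authorized actions
EXPECTED_LOCATIONS = {"alice": {"dc1-office"}, "bob": {"dc1-office", "vpn"}}
MANAGED_MACHINES = {"ws-0101", "ws-0102"}             # imaged, patched, FIM-covered hosts
UNSAFE_SOFTWARE = {"unapproved-rat", "cracked-tool"}  # flagged by anti-malware / inventory

LOG_RE = re.compile(r"user=(\S+) action=(\S+) loc=(\S+) host=(\S+) sw=(\S*)")

def parse_event(line):
    """Parse one constructed key=value access log line into a dict."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    user, action, loc, host, sw = m.groups()
    return {"user": user, "action": action, "loc": loc, "host": host,
            "sw": {s for s in sw.split(",") if s}}

def classify(ev):
    """Walk the layers in order (if A then if B then if C then if D).
    Identity/authorization failures block; failures in the contextual
    layers are handed to security operations as 'investigate'."""
    checks = [
        ("account", ev["user"] in KNOWN_ACCOUNTS, "block"),
        ("action", ev["action"] in KNOWN_ACCOUNTS.get(ev["user"], set()), "block"),
        ("location", ev["loc"] in EXPECTED_LOCATIONS.get(ev["user"], set()), "investigate"),
        ("machine", ev["host"] in MANAGED_MACHINES, "investigate"),
        ("software", not (ev["sw"] & UNSAFE_SOFTWARE), "investigate"),
    ]
    for layer, passed, outcome in checks:
        if not passed:
            return outcome, layer
    return "allow", None

def triage(lines):
    """Return [(verdict, failing_layer_or_None), ...] for a batch of log lines."""
    return [classify(parse_event(line)) for line in lines]

SAMPLE_LOG = [  # constructed events, one per possible outcome
    "user=alice action=deploy loc=dc1-office host=ws-0101 sw=chrome",
    "user=svc-unknown action=read loc=dc1-office host=ws-0101 sw=",
    "user=bob action=deploy loc=vpn host=ws-0102 sw=",
    "user=alice action=read loc=hotel-wifi host=ws-0101 sw=",
    "user=bob action=read loc=vpn host=byod-77 sw=",
    "user=alice action=read loc=dc1-office host=ws-0102 sw=chrome,unapproved-rat",
]
```

Running `triage(SAMPLE_LOG)` yields one allow, two blocks (unknown account, unauthorized action) and three investigate verdicts (location, machine, software), in that order.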

Strategy for success

• Multi-Year Journey

• Budgets of Capital/Operating

• Do not overstate what you can actually do

• Never let a good crisis go to waste

• Walls of Shame & Walls of Fame

• Frequent Discussions

• Plan and be ready

Thanks!

Scott Carlson

twitter: @Scottophile

email: [email protected]