Information Security Considerations and Recommendations for IT Decision Makers and Business Unit General Managers
Black Opp Systems
John [email protected] 2009
August 2009 Black Opp Systems
Contents
• Summary
• Market Environment
• Making Decisions
• Information Security Technology Review
• Resources
Technology areas (diagram):
• Risk Management
• Policy Management
• Business Continuity
• Application Security
• Compliance
• Internal Auditing
• Identity and Access Management
• Encryption/Key Management
• Data Loss Prevention
• Network Monitoring
• SIEM
• Endpoint Enforcement
Summary
– Purpose
• Enable IT and security management to operate more effective information security programs
• Provide business unit general managers with context with respect to information security to make better decisions
– Approach
• Evaluation of the information security market, business needs and infrastructure trends
• Supported by quantitative data from various industry sources: IDC, Fortune Inc., Symantec, CSI, Ponemon Institute, datalossDB.org
Market Environment – General Observations
– Information security market (products and services)
• Fragmented, high growth, constantly evolving
• Information security becoming a component of risk management
– Typical attitude
• Information security spending remains a priority
• Do not want another product to manage
– Technology
• Start-up driven innovation
– Point solutions
• No silver bullet
– Lots of process in every solution
Market Environment – Information security system best practices
Life cycle diagram (labels as they appear): Business Drivers → Business Requirements (Policy, Risks, Requirements Definition) → Strategy (Risk model, Data map, Control map) → Control (Implement, Manage, Audit) → Business Enablement, with a Life Cycle Review loop back to requirements.
Market Environment – Information security system
– Best practices
• Driven by business requirements
• Focus on risk reduction
• Security program driven by policy
• Management through analysis of metrics
• Results in business enablement
– Common shortcomings
• Focus on technology rather than process
• Decisions driven by fear
• Event orientation around regulatory compliance
• Ad-hoc staffing, responsibilities and policies
• Restricts business agility, growth and income
Market Environment – Representative issues
Supplier/customer value-chain diagram. Process pairs: Marketing / Shopping; Selling / Purchasing; Shipping / Receiving; Service and Support / Using and Maintaining; Design and Development; Receivables / Payables.
Representative security issue for each business activity:
• Collaborative Commerce: Intellectual Property
• Search, Discovery, Offering: Reputation
• Trusted Transactions: Integrity
• Electronic Funds Transfer: Value
• Logistics/Supply Chain Management: Theft
• Customer Relationship Management: Privacy
Market Environment – Information security system
• Where security programs often go wrong
– Flawed understanding of environmental conditions
• Why are so many security products ineffective? Asymmetric information favors the attacker
• Failure to recognize that:
– Trust management is an arms race; risk management is manageable (and manageable at a profit)
– Risk control encapsulates trust
– Flawed understanding of security system requirements
• Primary system requirements are always security, scalability and integration
• Only platform vendors can deliver security that is integrated enough to scale and invisible enough to ignore
– Flawed understanding of process
• Security is a means and not an end
Market Environment – Threat evolution
Trends (from the timeline figure):
=> Attackers focus on the network layer
=> Proliferation of worms
=> Dissolving network perimeter
=> Attackers focus on the application layer
=> Attackers shift to client side attacks
Market Environment – Threat Economy
Threat economy diagram (stages from left to right):
• Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Spyware, Trojans)
• First Stage Abusers: Hacker/Direct Attack; Machine Harvesting; Information Harvesting; Internal Theft: Abuse of Privilege
• Middle Men: Bot-Net Creation; Bot-Net Management: For Rent, for Lease, for Sale; Personal Information; Electronic IP Leakage; Information Brokerage
• Second Stage Abusers: Spammer; Phisher; Extortionist/DDoS-for-Hire; Pharmer/DNS Poisoning; Identity Theft; Compromised Host and Application
• End Value: Financial Fraud; Commercial Sales; Fraudulent Sales; Advertising Revenue; Espionage (Corporate/Government); Fame; Extorted Pay-Offs; Theft
Market Environment – Compliance Structure
Compliance structure diagram (Risk Management, Policy, Controls and Configuration Guidance):
• Regulations and mandates: FISMA, HIPAA, SOX, GLB, INTEL, COMSEC, DoD, ISO, PCI
• Control catalogs: SP 800-53, ISO 17799/27001, DCID, NSA Req, DoD IA Controls, PCI DSS
• Configuration guidance: SP 800-68, DISA STIGs, NSA Guides
Market Environment – Information security system
– Threat landscape
• Cybercrime
• Internal malicious activity
• Business partners
– Key concerns
• Brand protection
• Risk reduction
• Service availability
• Employee productivity
• Regulatory fines
• Reputational damage
Market Environment – The customer security system: product and service categories
– Security products
• Risk management
• Policy management
• Business continuity
• Application security
• Data security
• Encryption
• Endpoint and network enforcement
• SIEM/monitoring
– Security services
• Risk management
• Policy development
• Assessment
• Compliance
• Audit
• Architecture
• Implementation
Market Environment – Representative Security Framework (NIST)
Security Life Cycle (SP 800-39):
• CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls (SP 800-70): Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
• AUTHORIZE Information System (SP 800-37): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Market Environment – Security and Compliance Best Practices
• Assure appropriate management structure is in place to oversee security and compliance
• Establish policies, procedures and standards
• Communicate policies and procedures to all stakeholders
• Ensure security and compliance policies and procedures are being executed
• Enforce the policies, standards, and procedures consistently through appropriate process, controls and automation
• Implement a feedback loop to enable monitoring and modifications
– Establish that due diligence is made to provide appropriate security and compliance
Making Decisions
• Decision making process
– Understand the business conditions
• Team capability, operating environment, threat model, business drivers, etc.
– Determine the requirements for success
• Business goals, security requirements, operational metrics
– Identify potential solutions
• Usually three or four reasonable choices
– Quantitatively model the business impact of each solution
• Need to account for uncertainty associated with each choice
– Choose the optimal solution
Making Decisions
• Illustrating the decision making process through an example
– Company
• Major storage equipment supplier
– Organization
• Information technology and security operations
– Problem
• Save 25% in the annual operating costs of achieving compliance
• Measure the business value of the project
Making Decisions
• Business conditions
– IT and security organization
• General reputation for technical excellence
• Cost reduction for compliance identified as key project for overall organization savings
• Project plan in process with TCO and ROI as key metrics
– Issues
• Was the proposed project plan the most effective?
• Were there more effective and efficient alternatives?
• What was the value contributed to the business by doing the project?
Making Decisions
• Current conditions
– Status quo approach to the problem
• Reduce costs through headcount reductions
• Meet ROI and TCO goals
– Issues
• No systematic measure of business value
• Lacking ability to quantitatively predict whether cost reduction targets could be met
Making Decisions
• Decision making approach
– Understand current system characteristics
– Acquire qualitative and quantitative data
– Develop model of operational cost over a three year time period considering viable options
– Develop model of business value and drivers over three years considering viable options
– Evaluate NPV, ROI and TCO of viable plans
– Move forward with actions required to meet goals and best practices to be applied
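Added illustration, not part of the deck: a small Python model of the three-year NPV, ROI and TCO comparison that the decision process and the decision approach above call for, applied to two hypothetical options (the status-quo headcount-reduction plan and an automation alternative) against the 25% savings goal. The option names, cost and value figures and the 10% discount rate are constructed assumptions; uncertainty per option is represented by (low, likely, high) estimates.

```python
# Added example (not from the deck): three-year NPV/ROI/TCO comparison of
# compliance cost-reduction options. All figures are constructed; uncertainty
# per option is a (low, likely, high) estimate combined PERT-style.
from dataclasses import dataclass

YEARS = 3       # planning horizon used on the slide
RATE = 0.10     # assumed discount rate for NPV
TARGET = 0.25   # 25% annual operating-cost reduction goal

def pert(low, likely, high):
    """Expected value of a three-point estimate (PERT weighting)."""
    return (low + 4 * likely + high) / 6

@dataclass(frozen=True)
class Option:
    name: str
    upfront: float        # year-0 investment
    annual_cost: tuple    # (low, likely, high) operating cost per year
    annual_value: tuple   # (low, likely, high) business value per year

def tco(opt):
    """Total cost of ownership over the horizon (undiscounted)."""
    return opt.upfront + YEARS * pert(*opt.annual_cost)

def npv(opt):
    """Net present value of (value - cost) cash flows discounted at RATE."""
    net = pert(*opt.annual_value) - pert(*opt.annual_cost)
    return -opt.upfront + sum(net / (1 + RATE) ** y for y in range(1, YEARS + 1))

def roi(opt):
    """Return on investment relative to TCO."""
    return (YEARS * pert(*opt.annual_value) - tco(opt)) / tco(opt)

def meets_target(opt, baseline_annual):
    """Does the expected annual cost reach the 25% cut against the baseline?"""
    return pert(*opt.annual_cost) <= (1 - TARGET) * baseline_annual

def best_option(options, baseline_annual):
    """Among options that meet the savings goal, pick the highest NPV."""
    viable = [o for o in options if meets_target(o, baseline_annual)]
    return max(viable, key=npv).name if viable else "none"

# Constructed scenario: current compliance operations cost $1.0M per year.
BASELINE = 1_000_000.0
STATUS_QUO = Option("Headcount reduction", 0.0,
                    (700_000, 780_000, 950_000), (800_000, 900_000, 950_000))
AUTOMATE = Option("Automate compliance controls", 300_000.0,
                  (600_000, 650_000, 720_000), (900_000, 1_000_000, 1_100_000))
```

With these inputs the headcount plan misses the 25% target on its expected cost (795k against a 750k ceiling), while the automation option meets it and also carries the higher NPV, which is the kind of comparison the slide's approach is meant to surface before committing to the status quo.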
Information Security Technology Review
• Discussion around the following areas:
– Risk Management
– Policy Management
– Business Continuity
– Application Security
– Compliance
– Internal Auditing
– Identity and Access Management
– Encryption/Key Management
– Data Loss Prevention
– Network Monitoring
– SIEM
– Endpoint Enforcement
Information Security Technology Review
• Discussion topics
– Best practices
– Business impact
– Process
– Scalability
– Integration
– Product vendors
– Service vendors
Resources
• Threat environment
– OSF Dataloss DB
– Symantec Internet threat report
• Security practices
– CSI
– Verizon Business
• Business impact
– Ponemon Institute
• Process guidelines
– NIST
– ISO 17799
• Application security
– OWASP
– WASC