Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec [email protected]

Post on 31-Dec-2015

DESCRIPTION

Security Risk Management. Marcus Murray, CISSP, MVP (Security), Senior Security Advisor, Truesec, [email protected]. Agenda: What is Risk Management? Security Strategy (Mission and Vision, Security Principles, Risk Based Decision Model, Tactical Prioritization). Representative Risks and Tactics.

TRANSCRIPT

Page 1: Security Risk Management

Security Risk Management

Marcus Murray, CISSP, MVP (Security), Senior Security Advisor, Truesec

[email protected]

Page 2: Security Risk Management


Agenda

- What is Risk Management?
- Security Strategy
  - Mission and Vision
  - Security Principles
  - Risk Based Decision Model
  - Tactical Prioritization
- Representative Risks and Tactics

Page 3: Security Risk Management


What is Risk Management?

The process of measuring assets and calculating risk!

Something we all do! (More or less)

Pages 4 to 12: Security Risk Management (image-only slides; no text was extracted from them)

Risk Based Security Strategy

Figure: the four building blocks of the strategy:
- Corporate Security Mission and Vision
- Security Operating Principles
- Risk Based Decision Model
- Tactical Prioritization

Page 14: Security Risk Management


Information Security Mission

Figure: a cycle of four activities: Assess Risk, Define Policy, Controls, Audit.

Prevent malicious or unauthorized use that results in the loss of Company Intellectual property or productivity by systematically assessing, communicating and mitigating risks to digital assets.

Page 15: Security Risk Management


Information Security Vision

An IT environment comprised of services, applications and infrastructure that implicitly provides availability, privacy and security to any client.

Key Client Assurances
- My Identity is not compromised
- Resources are secure and available
- Data and communications are private
- Clearly defined roles and accountability
- Timely response to risks and threats

Page 16: Security Risk Management


Security Operating Principles

Management Commitment
- Manage risk according to business objectives
- Define organizational roles and responsibilities

Users and Data
- Manage to the practice of Least Privilege
- Privacy strictly enforced

Application and System Development
- Security built into the development lifecycle
- Layered defense and reduced attack surface

Operations and Maintenance
- Security integrated into the Operations Framework
- Monitor, audit, and response functions aligned to operational functions

Page 17: Security Risk Management


Enterprise Risk Model

Figure: a risk matrix. Vertical axis: Impact to Business (Defined by Business Owner), Low to High. Horizontal axis: Probability of Exploit (Defined by Corporate Security), Low to High. The low-impact, low-probability region is labelled Acceptable Risk; the high-impact, high-probability region is labelled Unacceptable Risk.

Risk assessment drives to acceptable risk

Page 18: Security Risk Management


Components of Risk Assessment

- Asset: What are you trying to assess?
- Threat: What are you afraid of happening?
- Impact: What is the impact to the business?
- Vulnerability: How could the threat occur?
- Mitigation: What is currently reducing the risk?
- Probability: How likely is the threat given the controls?

The slide lays these out as a sum (+ + =) whose result is the Current Level of Risk:

Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?
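Putting the six components above and the impact-versus-probability matrix of the Enterprise Risk Model into working form, as an added example that is not part of the deck: the tolerance thresholds, the multiplicative treatment of mitigations, the impact-weighted priority score and the sample register are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from math import prod


class Impact(IntEnum):          # impact to business, defined by the business owner
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Highest residual probability tolerated per impact level, i.e. the boundary
# between acceptable and unacceptable risk on the matrix. Assumed figures.
TOLERANCE = {Impact.LOW: 0.6, Impact.MEDIUM: 0.3, Impact.HIGH: 0.1}


@dataclass
class Risk:
    asset: str                  # what are you trying to assess?
    threat: str                 # what are you afraid of happening?
    vulnerability: str          # how could the threat occur?
    impact: Impact              # what is the impact to the business?
    threat_probability: float   # chance the threat is attempted, 0..1
    mitigations: dict = field(default_factory=dict)  # control -> effectiveness, 0..1


def residual_probability(risk: Risk) -> float:
    """How likely is the threat given the controls? Each control is assumed to
    stop its stated fraction of attempts independently, so the leftovers multiply."""
    return risk.threat_probability * prod(1 - e for e in risk.mitigations.values())


def is_acceptable(risk: Risk) -> bool:
    """Place the risk on the impact x probability matrix."""
    return residual_probability(risk) <= TOLERANCE[risk.impact]


def prioritize(risks: list) -> list:
    """Tactical prioritization: highest current level of risk first,
    scored as impact weight x residual probability."""
    return sorted(risks, key=lambda r: r.impact * residual_probability(r), reverse=True)


# Constructed sample register; the names echo the deck's asset classes and tactics.
SAMPLE = [
    Risk("source code repo", "theft of IP", "single-factor admin login", Impact.HIGH, 0.5,
         {"2-factor for administrators": 0.9, "network segmentation": 0.5}),
    Risk("lab workstation", "malware outbreak", "unpatched host", Impact.MEDIUM, 0.8,
         {"patch management": 0.6}),
    Risk("extranet web app", "data sniffing", "cleartext protocol", Impact.LOW, 0.4),
]
```

With these figures the unpatched workstation lands in the unacceptable region and heads the list, while the high-impact repository is acceptable only because two controls already cut its residual probability to 0.025.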


Page 19: Security Risk Management


Risk Management Process and Roles

Figure: a process cycle whose steps are numbered 1 to 5 in the slide: Prioritize Risks, Security Policy, Security Solutions & Initiatives, Sustained Operations, Compliance.

Roles shown against the steps: CorpSec; Engineering and Operations.

Page 20: Security Risk Management


Tactical Prioritization by Environment

Prioritized Risks feed policies and mitigation tactics appropriate for each environment:
- Data Center
- Client
- Unmanaged Client
- RAS
- Extranet

Page 21: Security Risk Management


Risk Analysis by Asset Class

Assets and their representative risks:
- Host: Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
- Application: Unauthenticated access to applications, unchecked memory allocations
- Account: Compromise of integrity or privacy of accounts
- Trust: Unmanaged trusts enable movement among environments
- Network: Data sniffing on the wire, network fingerprinting

Page 22: Security Risk Management


Representative Risks and Tactics

Embody Trustworthy Computing

Enterprise Risks and the Tactical Solutions paired with them:
- Unpatched Devices: Secure Environment Remediation
- Unmanaged Devices: Network Segmentation via IPSec
- Remote & Mobile Users: Secure Remote User
- Single-Factor Authentication: 2-Factor for RAS & Administrators
- Focus Controls Across Key Assets: Managed Source Initiatives

Page 23: Security Risk Management


Security Solutions and Initiatives

Mitigate risk to the infrastructure through implementation of key strategies

1. Secure the Network Perimeter
- Secure Wireless
- Smart Cards for RAS
- Secure Remote User
- Next Generation AV
- Messaging Firewall
- Direct Connections
- IDC Network Cleanup

2. Secure the Network Interior
- Eliminate Weak Passwords
- Acct Segregation
- Patch Management (SMS/WUS/SUS)
- NT4 Domain Migration
- Network Segmentation
- Smart Cards for Admin Access
- Regional Security Assessment

3. Secure Key Assets
- Automate Vulnerability Scans
- Secure Source Code Assets
- Lab Security Audit

4. Enhance Monitoring and Auditing
- Network Intrusion Detection System
- Host Intrusion Detection Systems
- Automate Security Event Analysis
- Use MOM for Server Integrity Checking
- Use ACS for real-time security log monitoring

Page 24: Security Risk Management


More information

www.microsoft.se/technet
www.microsoft.se/security
www.truesec.se/events
www.itproffs.se

Page 25: Security Risk Management


Marcus [email protected]