Post on 29-Nov-2014
description
Achieving Compliance Through Security
Jason Iler – Tripwire Patrick Miller – The Anfield Group
THE AUDIT BLAME CYCLE
2
3
“Boss, We Are Ready For The Upcoming Audits…”
4
“OMG. The Auditors Are Coming When?!?”
5
IT Operations Not Quite As Ready As They Thought…
6
Infosec Must Do Heroics Generating Reports and Presentations from scratch
7
Despite Heroics, The Business Still Fails The Audit…
8
…Infosec Can’t Say, ‘I Told You So’
9
…And Has To Be The Professional Apologist
10
Problems: The Real Business Cost
® Scheduled value-adding work and projects are delayed because of all the urgent and unplanned audit prep work
® Business continues to implement controls as a part of a one-time audit preparation project to achieve compliance, with little thought on how to maintain compliance over time
® Next time requires just as much effort, instead of integrating controls into daily business and IT operational processes
® The business starts treating audit prep as a legitimate value-adding project, even charging time against it
® Multiple regulatory and contractual requirements result in IT controls being tested numerous times by numerous parties, requiring management to perform work multiple times
11
Security And Compliance Already Don’t Get Along
Compliance Hinders Security…
§ Creates bureaucracy
§ Imposed processes hinder rapid responses to security threats
§ Focuses on ‘checking the box’
§ Does not respond quickly to changes in technology
§ Consumes resources/budget that might otherwise be invested in security controls
Words often used to describe both disciplines:
“hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…”
Security Hinders Compliance…
§ Activities difficult to measure/track
§ Notoriously poor at documenting
§ Can focus on ‘high profile’ threats and ignore more common risks (e.g. default passwords)
12
The Goal
® Build an environment where compliance is a natural byproduct of effective security controls
® Establish info security controls that reinforce a culture of controls, by being plugged into the daily operational processes of… ® IT operations
® Software and service development
® Project management
® Internal audit
CONTINUOUS MONITORING
14
" Enables dynamic security to respond to evolving threats
" Provides details of your information systems § Make risk based decisions § Take control and remain in control of your infrastructure
Spirit of Continuous Monitoring
" Provides continuous input to the C&A process
" Moves the focus back to Security
15
Step 4: Detailed
Reporting
Step 3: Determine Monitoring Frequency
Step 1: Categorize
Assets
Step 2: Determine Risk
Threshold
How To Achieve Continuous Monitoring?
16
Step 1: Categorize Assets
® Establish relative value of Assets ® High, Medium, Lower impact
® DMZ, EMS, Processing, etc
® Categorize logically and by criticality
® Benefits of Categorization ® Easier to make risk-based decisions
® Risks are easier to determine knowing the business the asset supports
® Enables rapid triage during incident response
Categorize Assets
17
Step 2: Determine Risk Threshold
® Identify and select your scoring systems ® OCTAVE, CAESARS, iPOST, iRAMP, etc.
® Set appropriate thresholds to policies and assign weights to control checks ® Example of Policy Thresholds
® < 50% Do Not Operate
® < 75% System should go through preplanning
® < 90% Operational
® Test and control weights need to be set
® Weights affect the Risk scoring
® Examples:
® HIGH – Administrator set to blank or default password
® LOW – Users are part of a remote desktop group
Determine Risk
Threshold
18
Step 3: Determine Monitoring Frequency
® Start with your Policy ® Determine frequency of monitoring
® System-level Frequency
® Security Control-level Frequency
® Application-level Frequency
® Determine the frequency by function and risk associated with each system and security control
Determine Monitoring Frequency
19
Step 4: Provide Detailed Reports
® Provide valuable input to Ops and Security teams ® Incident Response
® Security Alerts
® Change and Compliance metrics
® Use the intelligent data feeds to make accurate risk based decisions
® Create feedback loop to adapt and improve security and risk posture
® Construct reports that have both operational and audit-evidence value
Provide Detailed Reports
20
Benefits of This Approach
® Leverages automation to reduce time & effort for audit and oversight
® Provides assurance that controls are implemented properly and stay that way
® Enables accountability for proper results ® Provides objective data for gap analysis, remediation
planning, and budget priorities ® Enables benchmarking across entities
21
What and How Should I Measure?
® Leverage existing work ® CAESARS
® Continuous Asset Evaluation, Situational Awareness, and Risk Scoring
® www.dhs.gov/xlibrary/assets/fns-caesars.pdf
® iPOST – Guidance on Continuous Monitoring and Risk Scoring model used in Department of State
® www.cio.ca.gov/OIS/Government/events/documents/Scoring_Guide.doc
22
Other Metrics Examples
® Configuration Quality: ® % of configurations compliant with target security standards (risk-aligned)
® e.g. > 95% in High; > 75% in Medium
® number of unauthorized changes with security impact (by area)
® patch compliance by target area based on risk level ® e.g. % of systems patched within 72 hours for High; within 1 week for Medium
® Control effectiveness: ® % of incidents detected by an automated control
® % of incidents resulting in loss
® mean time to discover security incidents
® % of changes that follow change process
23
Report On Status & Progress vs. Goals
24
Focus At A Higher Level
25
Summary
® Continuous Monitoring is not a “checkbox activity” ® Continuous Monitoring is an integral part of effective
Security and Risk Management ® Continuous Monitoring is adaptable to enable you to focus
on the highest risk first
26
Continuous Monitoring is about…..
Risk Management
Empowering
Strengthening
Reducing
Decision Making
Leadership to make educated decisions
The Control Environment
Resources spent on annual IT Audits
Actionable Alerts to focus resources and respond
tripwire.com | @TripwireInc
THANK YOU JASON ILER – TRIPWIRE
PATRICK MILLER – THE ANFIELD GROUP