Risk Based Security and Self Protection Powerpoint

Post on 14-Jul-2015


Risk Based Security and Self Protection

Miguel Sanchez, Sr. Sales Engineer

February 16, 2015

Presenter for today:

Miguel Sanchez

Sr Sales Engineer, First Communications

First Communications: At A Glance

• Technology Provider since 1998, serving thousands of Businesses throughout the Midwest

• 24x7x365 Network Management Center (NMC)

• Data Center and Colocation Facilities in Cleveland and Downtown Chicago

• Serving Diverse Businesses ranging from SMB to Enterprise

• Headquartered in Akron, Ohio

Our Mission

To Empower our customers through leading-edge technology solutions delivered with a first-class experience.

Today’s Topic Agenda

• Current State of Information Security

• Overview of Risk Based Security models

• Risk Management Process

• Multi-tiered Risk Management Model

• Three levels of Risk Management

• Runtime Application Self Protection

Current State of Information Security

• The threat landscape has changed considerably over the past few years due to the disappearance of the perimeter defense for the following reasons:

– Change
– Mobility and consumerization
– Ecosystem
– Cloud
– Infrastructure

Current State of Information Security

• The attacking power of cyber criminals has grown significantly; they are no longer just some hackers operating out of someone’s basement.

• We need to take into consideration the following threats:

– Criminal syndicates
– State sponsored attackers
– Hacktivists
– Lone wolf hacker

Perimeter Security

• One of the first and most basic lines of network perimeter defense is a firewall.

– A device that inspects inbound and outbound traffic on a network.

• In addition to firewalls, the traditional response to new threats has been to add stand-alone security technologies to the network.

Next Generation Firewalls

• There have been tremendous advancements in Next Generation Firewalls, which should be a part of any Information Security Plan. They include the following Unified Threat Management (UTM) capabilities:

• Stateful Packet Inspection
• Application Control
• Intrusion Detection/Prevention
• Data Loss Prevention
• Content Filtering
• Anti-malware/Anti-spam
• IPv6 support
• Virtualized environments
• Endpoint security
• VPN

Information Security: Reactive to Proactive

For most small to medium organizations, Information Security is a Reactive rather than a Proactive process.

• How many breaches do you hear about in the news where the compromised systems were discovered weeks or months after the actual event?

• How do we get to a model that is more proactive and workable for various organizations regardless of size?

Information Security Constraints

What are some of the constraints for implementing effective Information Security?

• Shrinking budgets

• Lack of security focus

• Lack of resources

• Lack of a common approach to information security

Risk based Security

• There has been a slow but steady change in the way organizations approach Information Security, toward a Risk Based model.

• Today’s CSO/CISOs are being asked to prioritize risks—by identifying which ones need to be addressed and which ones should be accepted as the cost of doing business.

Risk Based Security

What are some of the factors that drive a Risk Based Security model?

• Compliance
• Recent security event
• Threat landscape
• Proactive approach

What are the top drivers for your Information Security / Risk Management program?

Wisegate Community Viewpoints

Risk Management Model

Risk management is the ongoing process of identifying, assessing, and responding to risk.

• Managing Risk – Businesses and Organizations need to understand the likelihood, or the probability, that an event will occur and its resulting consequence or impact.

• Risk Tolerance – Using the Risk Management Model, organizations can determine the acceptable level of risk for the delivery of services; this can be expressed as their risk tolerance.

Risk Management Process

• There are several Risk Management frameworks that organizations are using, including NIST SP 800-39, ITIL, the ISO 27000 Series, PCI, HIPAA, Internally Developed systems, or a combination of these.

• For this discussion we will be using the NIST SP 800-39 framework.

Risk Management Process

• Managing risk is a complex and multifaceted process. It requires the involvement of the entire organization using a Multitiered Risk Management Process.

• Risk management is a comprehensive process that requires organizations to:

Frame Risk

Establishing a realistic and credible risk frame requires organizations to identify the following:

• Risk assumptions
• Risk constraints
• Risk tolerance
• Priorities and trade-offs

Assess Risk

• The Risk Assessment component identifies:

– Threats
– Vulnerabilities
– Consequences/impact
– The likelihood that harm will occur

• The end result is a determination of risk.

Respond to Risk

• The purpose is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:

– Developing
– Evaluating
– Determining
– Implementing

Monitor Risk

• The purpose of the risk monitoring component is to:

– Verify
– Determine ongoing effectiveness
– Identify risk-impacting changes

Risk Management Process

[Figure: NIST SP 800-39 risk management process. The four components Frame, Assess, Respond and Monitor are connected by information and communications flows.]

Making Risk Management Work

• Risk management can be broken down into three distinct areas:

– Tier 1 Organization level (Strategic)
– Tier 2 Mission/business process level (Tactical)
– Tier 3 Information system level (Operational)

Multitiered Risk Management

[Figure: NIST SP 800-39 multitiered risk management, from Strategic Risk at the top tier to Tactical Risk at the lower tiers, with the following properties:]

• Traceability and Transparency of Risk-Based Decisions

• Organization-Wide Risk Awareness

• Inter-Tier and Intra-Tier Communications

• Feedback Loop for Continuous Improvement

Tier 1 Organization

• Organizational perspective that establishes and implements structures for:

– Governance
– Risk Executive
– Risk Tolerance
– Investment strategies

Tier 2 Mission/Business Processes

• Tier 2 addresses risk from a business process perspective by designing, developing, and implementing business processes that support the business functions defined at Tier 1.

– Risk-Aware Mission/Business Processes
– Enterprise Architecture
– Information Security Architecture

Information Security Architecture

[Figure: Information Security Architecture, NIST SP 800-39]

Tier 3 Information Systems View

• The risk management activities at Tier 3 reflect the organization’s risk management strategy and any risk related to the cost, schedule, and performance requirements for individual information systems that support the mission/business functions of organizations.

• Risk management activities are also integrated into the system development life cycle of information systems at Tier 3.

• There are typically five phases in system development life cycles: (i) initiation; (ii) development/ acquisition; (iii) implementation; (iv) operation/maintenance; and (v) disposal.

Three Levels of Risk Management

When we look at the Multitiered Risk Management model, it is similar to the three levels of Risk Management in other models, with the following correlations:

• Tier 1 Organization – Risk Management strategy

• Tier 2 Business Processes – Tactical/Architecture

• Tier 3 Information Systems – Processes/Operational

Risk Management Process Applied Across All The Tiers

[Figure: NIST SP 800-39. The Frame, Assess, Respond and Monitor process is applied at Tier 1 - Organization, Tier 2 – Mission/Business Processes, and Tier 3 – Information Systems.]

Cybersecurity Framework

NIST Cybersecurity Framework

Risk Based Security

We will look at a sample outline that can be used for implementing a Risk Based Security Plan:

1. Identify what is of value

2. Collect data on that value

3. Perform a risk assessment

4. Present to the organization

5. Identify control objectives

6. Identify and select controls

7. Implement controls

8. Operate controls

9. Monitor and measure

10. Operate a feedback loop

Frame and Assess

• Identify what is of value

– Tangible versus intangible assets
– Collaborative effort

• Collect data on that asset

– Asset valuation
– Impact
– Threat landscapes
– Frequency and likelihood
– Vulnerabilities

Assess and Frame

• Perform Risk Assessment

– Objectives
– Methodology

• Present to the organization

– Key risks to the achievement of organizational goals
– Open discussion
– Not a precise prediction of the future

Respond

• Identify Control Objectives

– A control objective is the aim or purpose of controls put in place and intended to mitigate risk
– Best solution

• Identify and select controls

– TCO
– Flexibility
– Amount spent
– Does the control reduce the risk by an expected amount?

• Implement controls

– Ensure that implementation follows the objectives and requirements previously set

• Operate controls

Monitor

• Monitor and measure

– Measure on an ongoing basis
– Focus on clearly identifiable changes in risk

• Operate a feedback loop

– Risk Based Security Management is cyclical and ongoing
– Data collected should create a feedback loop
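The outline above (Frame and Assess, Respond, Monitor) carried through as a small risk register, as an added example that is not part of the deck. It assumes the common likelihood × impact scoring on 1 to 5 scales (the deck gives no scale), a numeric risk tolerance, and that each control is described by its TCO and the reduction it is expected to deliver; all assets, controls and costs are constructed. Risks within tolerance are accepted as the cost of doing business, risks above it get the cheapest control that meets the objective, and anything no single control can bring within tolerance is sent back to the organization.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (near certain): from threat landscape and frequency data
    impact: int      # 1 (negligible) .. 5 (severe): from asset valuation
    def score(self):
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    tco: float               # total cost of ownership, hypothetical units
    likelihood_cut: int = 0  # likelihood points the control is expected to remove
    impact_cut: int = 0      # impact points the control is expected to remove

def residual(risk, control):
    """Risk remaining if the control delivers the reduction expected of it."""
    return max(1, risk.likelihood - control.likelihood_cut) * max(1, risk.impact - control.impact_cut)

def respond(risk, candidates, tolerance):
    """Respond step: accept risk within tolerance; otherwise take the lowest-TCO control
    whose residual risk meets the control objective (<= tolerance); else escalate."""
    if risk.score() <= tolerance:
        return ("accept", None, risk.score())
    viable = [c for c in candidates if residual(risk, c) <= tolerance]
    if not viable:  # no single control meets the objective: back to the organization
        return ("escalate", None, risk.score())
    chosen = min(viable, key=lambda c: c.tco)
    return ("mitigate", chosen.name, residual(risk, chosen))

def monitor(previous, current, threshold=4):
    """Monitor step: report only clearly identifiable changes in risk score."""
    return {k: (previous.get(k), v) for k, v in current.items()
            if previous.get(k) is None or abs(v - previous[k]) >= threshold}

# Constructed sample register: assets, scores, controls and costs are illustrative only.
TOLERANCE = 6
REGISTER = [Risk("customer database", "credential theft", 4, 5),
            Risk("public website", "defacement", 3, 2),
            Risk("payroll system", "ransomware", 3, 5)]
CONTROLS = {"customer database": [Control("MFA on DB admin access", 20000, likelihood_cut=3),
                                  Control("DB activity monitoring", 35000, likelihood_cut=1)],
            "public website": [],
            "payroll system": [Control("offline backups", 8000, impact_cut=2),
                               Control("endpoint protection", 15000, likelihood_cut=1)]}
def run_cycle():  # one pass of the outline: asset -> (decision, control, resulting score)
    return {r.asset: respond(r, CONTROLS[r.asset], TOLERANCE) for r in REGISTER}
```

Running `run_cycle()` on the sample register yields one decision of each kind; feeding successive cycles' scores through `monitor()` gives the feedback loop its input.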

Cybersecurity Framework

NIST Cybersecurity Framework

Risk Management Evolution

Up and Coming Technology for Information Security

Runtime Application Self Protection

• Realistic detection rates for today’s advanced threats are typically around 5-10 percent.

• Compounding the security threat to applications is the heavy reliance on mobile devices for access and the use of these mobile devices within the enterprise network.

• Applications need self-defense or as Gartner calls it, runtime application self-protection (RASP).

Runtime Application Self Protection

• Runtime Application Self Protection (RASP)

– The next layer of Information Security?
– Is a security technology that is built or linked into an application or application runtime environment
– RASP runs on the application server and monitors the execution of the application from the stack.
– Gartner predicts “25% of Web and cloud applications will become self-protecting, up from less than 1% today.”

Runtime Application Self Protection

• Applications should not be delegating — as is done today — most of their runtime protection to external devices.

• Applications should be capable of self-protection — that is, have protection features built into the application runtime environment.

• RASP, as with any new technology, does have its drawbacks

– Performance
• 5-10%

– Implementation
• Web
• Virtualized environments
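An added example (not the deck’s or any vendor’s code) of the idea that protection is linked into the application runtime and decides from the execution stack: a hypothetical guard replaces Python’s builtin open() and blocks any file access that a request handler (any function named handle_*) attempts outside a configured document root, while the same access from startup code is allowed because no handler is on the stack. ALLOWED_ROOT, handle_download and the sample files are assumptions.

```python
import builtins, os, sys, tempfile

_real_open = builtins.open
EVENTS = []          # blocks the guard recorded; a real RASP would feed these to monitoring
ALLOWED_ROOT = None  # hypothetical per-application document root, set by install()

class RaspBlocked(PermissionError): pass  # raised in-process when the guard stops an operation

def _in_request_handler():
    # Walk the live call stack: the decision comes from execution context inside the runtime.
    frame = sys._getframe(1)
    while frame is not None:
        if frame.f_code.co_name.startswith("handle_"):
            return True
        frame = frame.f_back
    return False

def guarded_open(path, *args, **kwargs):
    real = os.path.realpath(path)
    if _in_request_handler() and not real.startswith(ALLOWED_ROOT + os.sep):
        EVENTS.append(("block", path, real))
        raise RaspBlocked(f"open() outside allowed root: {path}")
    return _real_open(path, *args, **kwargs)

def install(allowed_root):  # link the guard into the runtime by replacing the builtin open()
    global ALLOWED_ROOT
    ALLOWED_ROOT = os.path.realpath(allowed_root)
    builtins.open = guarded_open

def handle_download(requested_name):  # hypothetical request handler with no checks of its own
    with open(os.path.join(ALLOWED_ROOT, requested_name)) as fh:
        return fh.read()

def demo():
    """Constructed scenario: one file inside the root, one outside it."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "public"))
    for name, text in (("public/readme.txt", "public content"), ("secret.txt", "secret")):
        with _real_open(os.path.join(base, name), "w") as fh:
            fh.write(text)
    install(os.path.join(base, "public"))
    results = {"normal": handle_download("readme.txt")}
    try:
        results["escape"] = handle_download(os.path.join("..", "secret.txt"))
    except RaspBlocked:
        results["escape"] = "blocked"
    with open(os.path.join(base, "secret.txt")) as fh:  # no handler on the stack: allowed
        results["startup_read"] = fh.read()
    builtins.open = _real_open  # uninstall so the rest of the process is unaffected
    return results
```

Walking the stack on every guarded call is the kind of per-request cost behind the performance drawback listed above.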

Runtime Application Self Protection

Conclusion

• A Risk Based Security model helps to provide a flexible, fluid and ongoing Information Security framework that needs collaboration

• A different perspective in Information Security

• Various models to accomplish an organization’s overall strategic objectives

Conclusion

• Runtime Application Self Protection (RASP) is an emerging technology that can address the quickly disappearing perimeter for Information Security

Thank you!

Miguel Sanchez

Sr Sales Engineer

(312) 673-4014

msanchez@firstcomm.com