Security Risk Management

Post on 31-Dec-2015


Security Risk Management. Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec marcus.murray@truesec.se. Agenda. What is Risk Management? Security Strategy Mission and Vision Security Principles Risk Based Decision Model Tactical Prioritization - PowerPoint PPT Presentation

Transcript of Security Risk Management

Security Risk Management

Marcus Murray, CISSP, MVP (Security), Senior Security Advisor, Truesec

marcus.murray@truesec.se

Marcus Murray, MVP marcus.murray@truesec.se

Agenda

What is Risk Management?
Security Strategy: Mission and Vision; Security Principles; Risk Based Decision Model; Tactical Prioritization
Representative Risks and Tactics

What is Risk Management?

The process of measuring assets and calculating risk!

Something we all do! (More or less)


Risk Based Security Strategy

Corporate Security Mission and Vision
Security Operating Principles
Risk Based Decision Model
Tactical Prioritization

Information Security Mission

Assess Risk, Define Policy, Controls, Audit

Prevent malicious or unauthorized use that results in the loss of Company intellectual property or productivity by systematically assessing, communicating and mitigating risks to digital assets.

Information Security Vision

An IT environment comprised of services, applications and infrastructure that implicitly provides availability, privacy and security to any client.

Key Client Assurances
My identity is not compromised
Resources are secure and available
Data and communications are private
Clearly defined roles and accountability
Timely response to risks and threats

Security Operating Principles

Management Commitment
Manage risk according to business objectives
Define organizational roles and responsibilities

Users and Data
Manage to the practice of Least Privilege
Privacy strictly enforced

Application and System Development
Security built into the development lifecycle
Layered defense and reduced attack surface

Operations and Maintenance
Security integrated into the Operations Framework
Monitor, audit, and response functions aligned to operational functions

Enterprise Risk Model

[Matrix: vertical axis "Impact to Business (Defined by Business Owner)", Low to High; horizontal axis "Probability of Exploit (Defined by Corporate Security)", Low to High. The low-impact, low-probability region is labelled Acceptable Risk; the high-impact, high-probability region is labelled Unacceptable Risk.]

Risk assessment drives to acceptable risk.

Components of Risk Assessment

Asset + Threat = Impact
Asset: What are you trying to assess?
Threat: What are you afraid of happening?
Impact: What is the impact to the business?

Vulnerability + Mitigation = Probability
Vulnerability: How could the threat occur?
Mitigation: What is currently reducing the risk?
Probability: How likely is the threat given the controls?

Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?
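The two-row model above, worked through as a small risk register. This is an added example, not code from the deck or from Truesec: the 1..5 scales, the product used to combine impact and probability into a current level of risk, the acceptable-risk threshold and the sample entries are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed scales for this example (not from the deck): asset value, threat
# severity, vulnerability exposure and control effectiveness are all 1..5, and
# a current risk at or above ACCEPTABLE_RISK lands in the matrix's
# "Unacceptable Risk" region.
ACCEPTABLE_RISK = 6.0

@dataclass
class RiskItem:
    asset: str                  # What are you trying to assess?
    threat: str                 # What are you afraid of happening?
    asset_value: int            # business owner's valuation, 1..5
    threat_severity: int        # damage if the threat is realised, 1..5
    exposure: int               # how easily the threat could occur, 1..5
    controls: dict = field(default_factory=dict)  # name -> effectiveness 1..5

    def impact(self) -> float:
        # Asset + Threat = Impact (defined by the business owner)
        return (self.asset_value + self.threat_severity) / 2

    def probability(self) -> float:
        # Vulnerability + Mitigation = Probability (defined by corporate security):
        # each control shrinks the chance that the threat overcomes the controls.
        p = float(self.exposure)
        for effectiveness in self.controls.values():
            p *= 1 - effectiveness / 6      # effectiveness 5 leaves one sixth
        return p

    def risk(self) -> float:
        # Current Level of Risk: impact combined with probability (product, an assumption)
        return round(self.impact() * self.probability(), 2)

    def acceptable(self) -> bool:
        return self.risk() < ACCEPTABLE_RISK

def prioritize(register):
    """Order the register so the highest current risk is treated first."""
    return sorted(register, key=lambda r: r.risk(), reverse=True)

# Constructed sample register drawn from the deck's environments and tactics.
REGISTER = [
    RiskItem("RAS gateway", "stolen single-factor credential grants remote access", 5, 5, 4),
    RiskItem("RAS gateway", "stolen single-factor credential grants remote access", 5, 5, 4,
             {"2-factor for RAS": 5}),
    RiskItem("data center file server", "unpatched host exploited via buffer overflow", 4, 4, 5,
             {"patch management (SMS/WUS/SUS)": 4, "network segmentation via IPSec": 3}),
    RiskItem("unmanaged client", "data sniffing on the wire", 2, 3, 3),
]
```

The two RAS entries show the deck's point about mitigation: the same asset and threat move from the unacceptable region to the acceptable one once a strong control changes the probability, while impact stays as the business owner defined it.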

Risk Management Process and Roles

1. Prioritize Risks
2. Security Policy
3. Security Solutions & Initiatives
4. Sustained Operations
5. Compliance

Roles: CorpSec; Engineering and Operations

Tactical Prioritization by Environment

Prioritized risks feed policies and mitigation tactics appropriate for each environment:
Data Center
Client
Unmanaged Client
RAS
Extranet

Risk Analysis by Asset Class

Host: exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
Application: unauthenticated access to applications, unchecked memory allocations
Account: compromise of integrity or privacy of accounts
Trust: unmanaged trusts enable movement among environments
Network: data sniffing on the wire, network fingerprinting

Representative Risks and Tactics

Embody Trustworthy Computing

Enterprise Risk: Tactical Solution
Unpatched Devices: Secure Environment Remediation
Unmanaged Devices: Network Segmentation via IPSec
Remote & Mobile Users: Secure Remote User
Single-Factor Authentication: 2-Factor for RAS & Administrators
Focus Controls Across Key Assets: Managed Source Initiatives

Security Solutions and Initiatives

Mitigate risk to the infrastructure through implementation of key strategies

1. Secure the Network Perimeter
Secure Wireless
Smart Cards for RAS
Secure Remote User
Next Generation AV
Messaging Firewall
Direct Connections
IDC Network Cleanup

2. Secure the Network Interior
Eliminate Weak Passwords
Acct Segregation
Patch Management (SMS/WUS/SUS)
NT4 Domain Migration
Network Segmentation
Smart Cards for Admin Access
Regional Security Assessment

3. Secure Key Assets
Automate Vulnerability Scans
Secure Source Code Assets
Lab Security Audit

4. Enhance Monitoring and Auditing
Network Intrusion Detection System
Host Intrusion Detection Systems
Automate Security Event Analysis
Use MOM for Server Integrity Checking
Use ACS for real-time security log monitoring

More information

www.microsoft.se/technet
www.microsoft.se/security
www.truesec.se/events
www.itproffs.se

Marcus Murray
marcus.murray@truesec.se