2010 Shifting Landscape Security Model ESPC Distribute Final

Salsa-CSI2 c/o Brian Smith-Sweeney ([email protected], @bsmithsweeney) presents... Shifting Landscape Strategic Security Model


8/3/2019 2010 Shifting Landscape Security Model ESPC Distribute Final


Who am I?
Brian Smith-Sweeney, Project Lead
New York University, Technology Security Services

What is Salsa-CSI2?
From http://security.internet2.edu/csi2:

“The Computer Security Incidents - Internet2 (CSI2) Working Group will organize activities to identify how security incidents can be better identified and the information about the incidents to be shared to improve the overall security of the network and the parties connected to the network.”

What is the Shifting Landscape?
Read on, and see previous presentations at SPC08 and 09.

What is the Matrix?
http://xkcd.com/566/


Previously on the Shifting Landscape...

The Shifting Landscape Strategic Security Model is a new project we're launching to answer a significant “meta” problem faced by the higher-education security community: the question of where to put our limited resources to most effectively and efficiently improve the security posture of our networks and the Internet as a whole.


“What the hell's going on here? Cosmo, what... what happened?”
“The world changed on us, Marty.”
“And without our help.”

For several years Salsa-CSI2 has presented in various forums on the concept of the Shifting Landscape in IT security, specifically as it relates to higher-education. We have demonstrated that attacker methods and motivations have changed, as has the default security posture on many systems on the Internet, resulting in a significantly different threat landscape than was present when many information security professionals began working in higher education.

Salsa-CSI2 has also identified a key problem - that security programs have not nearly kept pace with this shift. Many schools are operating in a manner strategically similar to the way they did 10 years ago, with minor tactical or operational changes. Wherever possible, however inefficient or ineffective, old tools and processes have been shoehorned in to solve new problems.


COBIT, NIST, ITIL, CMMI, ESA (zomg)

To address this Salsa-CSI2 encouraged, in presentations to our peers, higher-ed security programs to approach IT security differently, and move from focusing on firefighting to developing coherent security strategies that most effectively leverage available resources.

There are a number of frameworks and control structures for aiding in this process but they all have one or more of the following failings:

* Closed development and maintenance process
* High barrier to entry and cost of implementation
* Lack of specific guidance for implementing an information security program


You'd like to be here
This is more likely
You are here

Of course, as we have been studying these shifts other key factors have come into play. IT Security is maturing as an industry, and as such is expected to participate more in the overall IT structure.

Mature means formalized budget, documented planning, metrics, and – gasp – strategic plans.

Anyone who's ever been involuntarily pushed to develop strategic planning documentation knows how difficult it can be to produce useful documentation that accurately represents what you might actually be doing for the next few years. Documents created this way tend to be long, wordy, meandering, and painful to produce.

But what if you could make something that was actually useful, both to your executive management and your operations staff?


Thankfully, we've got lots in common

IT professionals, particularly information security professionals in higher-education, have faced this kind of problem before, and there's a solution that's worked reasonably well: package up the knowledge work produced by those that have the resources to do so, make it generally accessible, and give it back to the community. It works for code, it's worked reasonably well for policy issues, and I think we can do it for strategic planning.

 


Common drivers
Common interest
Common environment

Drivers are the reasons we do our jobs – the things that make IT security important. These tend to be relatively consistent in higher-education: similar compliance issues, similar threat landscape, similar business drivers. More on this later.

Our environments are also quite similar – many higher-education institutions run more open, heterogeneous networks than our peers in the commercial sector. This is largely due to the key principle of higher-education institutions: academic freedom.

Thankfully we have a common interest – higher-education IT professionals understand intuitively that by helping each other we are forwarding the mission of our own institutions. Educause, Internet2, the REN-ISAC are all excellent examples of organizations built around this concept.


The Plan?

● Model
● Document Library
● Web 2.2.5-15 interface
● Recipes
● Maintenance & support

So, what do we do with all this commonality?

First, we need a model – a common language for describing the various components of an information security program, and how they fit together. We've begun a project-based model which we'll talk more about later.

Once we have the model we need a library of documentation (project plans) that implement the model, to create a knowledge repository other folks can use.

A large repository like that will of course require an interface of some kind – something better organized than other similar documentation efforts. Highly interactive, highly customized reports. Think kayak.com.

Recipes could then be crafted via this interface that group together projects to solve common problems. Someone could then come to the site and say “I don't really want to turn all the knobs here, but I need a series of projects to help me deal with PCI”, and the system would provide them a map of what's worked at other institutions.

Finally, any large software project and documentation effort needs to have a maintenance model built-in at the very beginning. Many projects, particularly documentation efforts, fail in the maintenance stage. Some ideas have been floated to work this into existing process – like having every Educause SPC speaker submit a SLSM project plan representing their talk.

Incidentally, 2.2.5-15 is the first kernel (thanks redhat) I worked on regularly as a professional sysadmin. I'm a big proponent of using the kernel naming convention for descriptions of web technology, with odd numbers being dangerous and broken.


The Issues

● Need Common Language
● Need Enterprise Threat Modeling
● Complex Compliance Landscape
● Tie Business to Security
● Diverse Needs
● Need Some Tools

We definitely want to charge forward as best we can, but there are some clear challenges here. Namely:

* Lack of a generalized and reasonably accessible enterprise IT security threat model. Existing models tend to operate at the runway-level or 50k ft view; we need something in between.
* Lack of a generally accepted method for tying business process to security operations
* No comprehensive list of regulatory issues relevant to higher-education. Navigating the compliance landscape in the US is nearly impossible.
* No structured language enabling correlation and description of various IT security components.
* No easily accessible tool for modeling and reporting on this data
* Diverse IT security needs and resources of higher-education institutions

With this in mind, let's move on to the state of the current (very theoretical) model.


[Diagram labels: Driver; Threats; Compliance; Business Requirements]

There are four components to the model.

The first component is drivers (borrowed from NAC's now defunct Enterprise Security Architecture document.) Drivers are the "whys" of an infosec program.

There are three kinds of drivers (listed around the triangle).

Most of us are used to dealing with threats and compliance issues, but traditionally view security and business requirements at odds with each other. I believe this is a false contradiction and that instead security must encompass business requirements. This is a view that seems to be gaining ground in the security community and I won't work to prove it here, but rather take that to be a given for the model.


[Diagram labels: Driver; Failure penalty; Description; Requirements; Threats; Compliance; Business Requirements]

In the model drivers have three key attributes:

The description provides an overall summary of the driver, its purpose, its scope, and pointers to relevant reference material.

Requirements indicate what one needs to do to address the driver. For compliance issues this might be a simple checklist, for threats it might be a more complex measure of risk and mitigation. There may also be auditing requirements.

The failure penalty indicates the impact on the organization if the driver is not appropriately addressed. This can be used in risk calculation which we'll discuss later. For compliance issues this could involve legal ramifications, business requirements might mean some key business process fails, and for threats the failure state could be compromise and data ex-filtration.


Projects

● Name
● Goal
● Deliverables
● Success criteria
● Milestones
● Time
● Monetary cost
● Political cost
● Experience
● Risks

[Diagram label: Driver]

Projects are the "whats" and "hows" of an infosec program. Projects have an extensive amount of structured data associated with them. We're not interested in reinventing the wheel for projects and will likely leverage the extensive existing material from places like the PMI on appropriate metadata for projects (see slide above).

Some metadata elements will be used to capture the kind of operational experience that we try to gather today via mailing list postings and hallway conversations with our peers in other higher-ed security groups. These currently include:

* Known project risks – what did you discover during your rollout that endangered the success of the project, and that another school might want to be aware of? This can include anything from “the vendors we looked at weren't up to the task” to “there were significant political hurdles to implementing network DLP at my institution”.
* Operational experience – notes that might not have been an obvious part of the project at the outset, but which made the project more effective or efficient.
* Resources – here we'll try to capture information about traditional costs like hardware, software, and man hours, as well as less obvious costs like impact on the community or depleted political capital.
* Worth it? - A flag and accompanying comments field summarizing the institutions' experience with the project and whether or not, knowing what they know now, they would do the project again.


[Diagram labels: Category: Operations; Category: Crypto; Project (x8); Driver]

Project groups are a simple, default way to organize projects for folks that just want to walk a project library without a specific question in mind. The model will not enforce a specific group behavior – one might, for example, allow projects to belong to multiple groups – but instead would allow for contributors to enforce their own rules for grouping.

For example, one might imagine a project group taxonomy based off the CISSP Common Body of Knowledge, or the Educause/Internet2 Security guide, or any other grouping structure. There are a number of existing documentation efforts that have a taxonomy or group structure in place.


[Diagram labels: Category: Operations; Project (x4); Driver (x3); Link]

The last objects to discuss are links. Links are a simple but powerful concept in this model and will likely be where most of the intelligence in the system is implemented.

Put simply, links connect other kinds of elements. Drivers might be linked to projects via a link that indicates how much that project meets the requirements of the driver (a met by link). Links of that form might provide a measure of how much the project meets the requirement in the case of a compliance requirement driver, or mitigates in the case of a threat driver.

Projects can be linked to each other to demonstrate a prerequisite relationship, or just a simple note indicating “these projects are related, you might want to consider both if you're considering either” (a related link).
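The driver, project and link objects described in these notes, together with the "recipe" idea from the plan slide, as an added Python sketch; it is not code from Salsa-CSI2 or from the presentation. The class names, the `recipe` function, the 0..1 coverage scale on met by links and the sample PCI data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class DriverKind(Enum):            # the three driver kinds named in the notes
    THREAT = "threat"
    COMPLIANCE = "compliance"
    BUSINESS = "business requirement"

@dataclass(frozen=True)
class Driver:                      # attributes follow the driver slide
    name: str
    kind: DriverKind
    description: str
    requirements: tuple
    failure_penalty: str

@dataclass(frozen=True)
class Project:                     # small subset of the project metadata
    name: str
    goal: str
    risks: tuple = ()
    worth_it: bool = True

@dataclass(frozen=True)
class Link:
    kind: str                      # "met_by", "prerequisite" or "related"
    source: str                    # driver name for met_by, else a project name
    target: str                    # always a project name
    coverage: float = 0.0          # met_by only; the 0..1 scale is an assumption

def recipe(driver, projects, links):
    """Projects that meet `driver`, prerequisites first, plus related suggestions."""
    met = {l.target: l.coverage for l in links
           if l.kind == "met_by" and l.source == driver.name}
    prereqs = {}
    for l in links:
        if l.kind == "prerequisite":   # source must be finished before target
            prereqs.setdefault(l.target, []).append(l.source)

    ordered, state = [], {}
    def visit(name):                   # depth-first topological sort
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError(f"prerequisite cycle at {name!r}")
        state[name] = "visiting"
        for p in sorted(prereqs.get(name, [])):
            visit(p)
        state[name] = "done"
        ordered.append(projects[name])  # KeyError flags a link to an unknown project

    for name in sorted(met, key=lambda n: (-met[n], n)):
        visit(name)
    chosen = {p.name for p in ordered}
    related = sorted({b for l in links if l.kind == "related"
                      for a, b in ((l.source, l.target), (l.target, l.source))
                      if a in chosen and b not in chosen})
    return ordered, met, related

# Constructed sample data, not taken from any real project library.
PCI = Driver("PCI", DriverKind.COMPLIANCE, "Payment card handling rules",
             ("Segment cardholder systems", "Log access to card data"),
             "Fines or loss of card processing")
PROJECTS = {p.name: p for p in (
    Project("Asset inventory", "Know which systems touch card data"),
    Project("Network segmentation", "Isolate cardholder systems",
            risks=("Political hurdles with departmental networks",)),
    Project("Time synchronization", "Consistent timestamps"),
    Project("Central log collection", "One place to review access logs"),
    Project("Network DLP", "Detect card numbers leaving the network"),
)}
LINKS = [
    Link("met_by", "PCI", "Central log collection", 0.3),
    Link("met_by", "PCI", "Network segmentation", 0.5),
    Link("prerequisite", "Asset inventory", "Network segmentation"),
    Link("prerequisite", "Time synchronization", "Central log collection"),
    Link("related", "Central log collection", "Network DLP"),
]

if __name__ == "__main__":
    plan, met, related = recipe(PCI, PROJECTS, LINKS)
    for p in plan:
        print(p.name, met.get(p.name, "prerequisite"), p.risks)
    print("also consider:", related)
```

Projects pulled in only as prerequisites carry no coverage figure of their own, and a cycle among prerequisite links is rejected rather than silently ordered.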


Here's a more complete diagram of what the overall model might look like. Note the inclusion of risk assessment with an outstanding question. We're not yet sure how to implement risk assessment in the model. It might be a type of link, a bit of calculation that exists outside the model but uses the model to generate a report, or something else entirely.

Also note: this model is specifically scoped to planning rather than operations at this time. We may work to include operations once we have the planning stuff down.


Questions? Comments? Interested in getting involved? Feel free to reach out to the Salsa-CSI2 group; the latest contact information can be found at:

http://security.internet2.edu/csi2/


Salsa-CSI2 Home Page

http://security.internet2.edu/csi2

Shifting Landscape on the web (coming soon)

https://spaces.internet2.edu/display/SalsaCSI2WG/Shifting+Landscape

....and on Twitter!

@landscapeshift

Educause/Internet2 Information Security Guide

https://wiki.internet2.edu/confluence/display/itsg2/Home

Also referenced in this document is the NAC Enterprise Security Model. NAC no longer exists and has been subsumed by the Open Group. The NAC ESA can now be found at:

http://www.opengroup.org/pubs/catalog/h071.htm

The NAC ESA influenced some of the sample text included in this presentation. Thanks to the Open Group for continuing to make this document available.


Thanks to the artists!

● “Loan Boat”, http://www.sxc.hu/photo/710974
● “Compass 1”, http://www.sxc.hu/photo/649876
● “precaution”, http://www.sxc.hu/photo/1033084
● “Info Sign – Question Mark”, Alistair Williamson. http://www.sxc.hu/photo/594095

Images from this presentation are taken from www.stockxchng.com, following their Image license agreement here:

http://www.sxc.hu/help/7_2