Does Anyone Remember Enterprise Security Architecture?
Transcript of the slide deck
Rockie Brockway
Business Risk Director
Black Box Network Services
Bio
23 Year veteran in InfoSec/Risk
Many certs have expired (including those I’ve taught)
Business Systems and Impact Analyst
Enterprise Security Architect
Penetration tester
Speaker/Trainer/BSidesCLE organizer
Woodworker/Hacker
[email protected]
http://www.linkedin.com/pub/rockie-brockway/9/634/641
@rockiebrockway
History Lesson
The Compliance Conundrum
Sure are lots of them
Sure are a lot of tools that map out overlaps
Many are focused on protecting certain data types
Others are best practice frameworks
But at the end of the day …
Information is Beautiful
Breach Business Impact Continues to Grow
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
IT Spend vs. Breaches
IT/InfoSec spend increasing, breaches continue to increase
As an Industry we are most likely at least two years behind the innovative and lucrative industry of stealing the data we are trying to protect
[Chart: IT spend in trillions (Gartner) vs. number of breaches (Verizon DBIR), 2007 to 2014; both series rise year over year]
Project and/or Compliance = Incorrect
Breach Business Impact Continues to Grow
Reasons: While most orgs understand data protection is a crucial strategic business issue, they continue to approach it on either
• A project by project basis and/or
• From a Compliance perspective
The reality is that data security inherently relates to financial business risk and must be treated as a function of the business itself
Unintended Consequences?
A Tale of breached companies and their stock performance vs. the S&P 500 since their breach announcement date
Could this become an enterprise business strategy?
http://seanmason.com/2015/06/03/impact-on-stocks-following-a-data-breach-june-2015-edition/
Complexity in the Enterprise
From the Enterprise to the Application, more complexity means less security
Simple, individual projects do not need “Architecture”
“Architecture” is required to successfully fit an individual project into a larger, more complex set of projects
Organizing Complexity Through Architecture
The SABSA Information Systems Architecture paper lays out the following (paraphrasing):
Like the design of buildings and cities, information architecture must take into consideration:
• Organizational goals to be achieved by the systems
• The environment where the systems will be built and used
• The technical capabilities required to build and operate the systems
Organizing Complexity Through Architecture
What Architecture provides in managing Complexity
• Usability
• Scalability
• Easy way to reuse components
• Modularity
• A relationship between technical solutions and the strategic needs of the business
• A way to reduce costs
And most importantly …
Business Security and Operational Risk Management
So …
Enterprise Security Architecture
Security inherently relates to business risk and must be treated as a board supported function of the business
Most organizations understand that information security is a crucial strategic business issue but continue to approach it on a project by project basis and/or from a compliance perspective
Enterprise Security Architecture aligns organizational business strategy and goals with the protection of the organization’s business critical data
Enterprise Security Architecture
Stakeholder Goals (aka Business Systems Analysis)
Working with the stakeholders to define, redefine or establish the goals of their business model that drive the value of the brand and of the business critical data on which the success of the business depends.
An understanding of the stakeholders' needs is absolutely critical to defining the requirements for protecting the organization's business critical data
Enterprise Security Architecture
Risk Management
Risk must (at minimum) take into account the following:
• Asset Value
• Vulnerability
• Threat
In order to derive the following:
• Likelihood
• Business Impact
Risk Management in its simplest form should educate the stakeholders and enable the business to take more risk to grow and innovate
Enterprise Security Architecture
Policy & Standards
Policy and standards describe both what is allowed and not allowed within the business system
Governance is critical to ensure policies and standards are in use as well as practical
In many organizations this is where the business tends to focus, due to audit and regulatory enforcement penalties
Enterprise Security Architecture
Security Architecture
The actual underlying architecture to the ESA that implements the controls that support the policy, standards and risk management
The organization’s strategic framework that aligns Development and Operations (DEVOPS)
Should be utilized to make organizational platform changes that are not possible at the project level
Enterprise Security Architecture
Together, Risk Management, Policy and Standards and Security Architecture govern security Processes and Defense in Depth Architecture through Design Guidance, Runtime Support and Assurance Services.
Security Metrics are used for decision support for RM, P&S and SA
Process
SDLC
Security adds value to all areas of the SDLC, from initiation to disposition
Enables collaboration with and guidance by experienced secure software builders.
Since the addition of security processes to the SDLC adds expense, it is critical to assess the processes to ensure that expense is justified and acceptable as well as to identify reusable services that will speed up development over time.
Application Security Verification Standard 2014 is an excellent usable SDLC framework (https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf)
Process
Identity Management
Creation, communication, recognition and usage of Identity in the Enterprise, including:
• Provisioning
• Directories
• Multi-factor Authentication
• Federation
• Role Based Access Controls
Investment, alignment and implementation should all be strategic results of Risk Management and Policy and Standards
Process
Vulnerability Management
The set of all processes for discovering, reporting and mitigating known vulnerabilities at any layer
Vulnerability Management is typically broken down into Intelligence/Patching activities and Scanning activities
It is critical to have vulnerability accountability and ownership throughout the enterprise, with the associated metrics
Process
Threat Management
Threat management refers to actual threats to the systems and must include the threat actor and vector
Associated tools and processes include:
• Event and Security Monitoring
• Digital Forensics
• Incident Management/Response
• Business Continuity Planning
And perhaps the best process to understand the business/security tradeoff model …
SIDENOTE: Threat Modeling
Understand the attack paths (Kill Chain is the new sexy) <- DRINK!
• What is the objective?
• Reconnaissance detection/prevention?
• Exploitation detection/prevention?
• Lateral movement detection/prevention?
• Persistence detection/prevention?
• Exfiltration detection/prevention?
$ACTOR does $ACTION to $ASSET resulting in $OUTCOME because of $MOTIVATION
- Bruce Potter, Derbycon 2014 talk
Defense in Depth
Data Security
This element of Defense in Depth is primarily concerned with securing access to data and its use (very Database oriented)
SDLC defines secure patterns of database integration and data usage
Vulnerability scans on specific DB issues
IPS and Monitoring for specific DB threats
Defense in Depth
Application Security
Focused on the following:
• Code protection
• RBAC
• Output analysis
• SDLC
• Application scanning
• Fuzzing
• Delivering reusable application security services
Defense in Depth
Endpoint Security
Focused on access control on servers and workstations
• Host firewalls
• AV
• Host IDS/IPS
• File integrity monitoring
• Baselining
• Policy auditing (CIS, etc.)
• Advanced/Behavioral endpoint controls
• DLP
Defense in Depth
Network Security
Design and operations for security mechanisms for the network
• Firewalls and DMZs
• IDS/IPS
• Email/Web content and malware controls
• DLP
• Identity access controls
• Wireless controls
Metrics
Risk Metrics
Measurements of the overall assets:
• Vulnerabilities
• Threats
• Countermeasures
Since risk metrics are focused on assets this allows the Security Architecture to be measured in business terms without the stakeholders needing to be experts in information security
Metrics
Enterprise Reporting
Describe the states and rates of security throughout the enterprise:
• Key Risk Indicators
• Key Performance Indicators
• Key Influence Indicators
• Key Value Indicators
These metrics must be objective and quantitative to provide business value to the stakeholders and system owners
Metrics
Domain Reporting
Process and Defense in Depth individual systems metrics. Some examples include:
• Vulnerability time to remediation
• Daily inbound email malware
• Daily outbound web requests to known high risk sites
• Denied access to business critical systems and folders
• Multiple login attempts of one account on multiple machines over a small period of time
• DB health and uptime
• PMO metrics
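Two of the domain metrics above worked through in code, as an added example that is not part of the original deck: "vulnerability time to remediation" computed from constructed ticket dates, and "one account on multiple machines over a small period of time" detected over constructed authentication events (the log format, window and host threshold are assumptions, not anything the deck specifies).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real data): "timestamp user host"
AUTH_LOG = """\
2015-06-01T08:00:05 jdoe ws-101
2015-06-01T08:00:40 jdoe ws-102
2015-06-01T08:01:10 jdoe srv-db01
2015-06-01T08:01:55 jdoe srv-fs02
2015-06-01T08:30:00 asmith ws-220
2015-06-01T09:00:00 asmith ws-220
2015-06-01T11:00:00 jdoe ws-101
"""

def parse_auth_log(text):
    """Turn raw lines into (timestamp, user, host) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return sorted(events)

def multi_host_logins(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {user: hosts} for every account seen on at least min_hosts
    distinct machines inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for ts, user, host in events:          # events are already time-ordered
        by_user[user].append((ts, host))
    flagged = {}
    for user, items in by_user.items():
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = hosts
                break
    return flagged

# Constructed vulnerability tickets: (discovered, remediated or None if open)
VULN_TICKETS = [
    ("2015-05-01", "2015-05-11"),
    ("2015-05-03", "2015-05-05"),
    ("2015-05-10", None),
]

def time_to_remediation(tickets):
    """Mean days from discovery to fix over closed tickets, plus open count."""
    closed = [(datetime.fromisoformat(b) - datetime.fromisoformat(a)).days
              for a, b in tickets if b is not None]
    mean = sum(closed) / len(closed) if closed else 0.0
    return mean, len(tickets) - len(closed)
```

In the sample data jdoe reaches four hosts inside two minutes and is flagged, while asmith repeating the same workstation is not; the ticket set yields a mean of 6 days with one vulnerability still open.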
ESA Mapping
Mapping to relevant compliance frameworks
ISO 27001
NIST Cybersecurity Framework
PCI-DSS
Benefits
ESA FTW!
• Brings focus to the key areas of concern for the business
• Allows business owners to make educated security/risk decisions without having to be an infosec professional
• Enables disparate Enterprise Security groups to understand their role in the business
• METRICS!
• Encourages repeatable processes
• Organizes your Enterprise's complexity
• Focuses on Security, not Compliance (but still maps to compliance, we still have auditors :P)
• Reduce the likelihood your organization will contribute to informationisbeautiful.net
Q&A and References
Does Anyone Remember Laughter? http://www.imdb.com/title/tt0075244/
ARCTEC PAPER http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf
SABSA PAPER http://www.sabsa-institute.com/members/sites/default/inline-files/SABSA_White_Paper.pdf
Application Security Verification Standard 2014 https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
CIS http://www.cisecurity.org/
[email protected]