Does Anyone Remember Enterprise Security Architecture?

Rockie Brockway, Business Risk Director, Black Box Network Services

Transcript of Does Anyone Remember Enterprise Security Architecture? (37 slides)

Page 1: Does Anyone Remember Enterprise Security Architecture?

Rockie Brockway
Business Risk Director
Black Box Network Services

Page 2: Does Anyone Remember Enterprise Security Architecture?

Bio

23-year veteran in InfoSec/Risk

Many certs have expired (including those I’ve taught)

Business Systems and Impact Analyst

Enterprise Security Architect

Penetration tester

Speaker/Trainer/BSidesCLE organizer

Woodworker/Hacker

[email protected]

http://www.linkedin.com/pub/rockie-brockway/9/634/641

@rockiebrockway

Pages 3-7: Does Anyone Remember Enterprise Security Architecture?

History Lesson (slides 3 through 7; no text captured beyond the slide title)

Page 8: Does Anyone Remember Enterprise Security Architecture?

The Compliance Conundrum

Sure are lots of them

Sure are a lot of tools that map out overlaps

Many are focused on protecting certain data types

Others are best practice frameworks

But at the end of the day …

Page 9: Does Anyone Remember Enterprise Security Architecture?

Information is Beautiful

Breach Business Impact Continues to Grow

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 10: Does Anyone Remember Enterprise Security Architecture?

IT Spend vs. Breaches

IT/InfoSec spend increasing, breaches continue to increase

As an Industry we are most likely at least two years behind the innovative and lucrative industry of stealing the data we are trying to protect

[Chart: "Spend (T)" per Gartner, rising from roughly 2.9 to 3.8 across 2007-2014, plotted against "Breaches" per the Verizon DBIR, on a 0 to 2500 scale over the same years]

Page 11: Does Anyone Remember Enterprise Security Architecture?

Project and/or Compliance = Incorrect

Breach Business Impact Continues to Grow

Reasons: while most orgs understand data protection is a crucial strategic business issue, they continue to approach it on either

• A project by project basis and/or
• From a compliance perspective

The reality is that data security inherently relates to financial business risk and must be treated as a function of the business itself

Page 12: Does Anyone Remember Enterprise Security Architecture?

Unintended Consequences?

A Tale of breached companies and their stock performance vs. the S&P 500 since their breach announcement date

Could this become an enterprise business strategy?

http://seanmason.com/2015/06/03/impact-on-stocks-following-a-data-breach-june-2015-edition/

Page 13: Does Anyone Remember Enterprise Security Architecture?

Complexity in the Enterprise

From the Enterprise to the Application, more complexity means less security

Simple, individual projects do not need “Architecture”

“Architecture” is required to successfully fit an individual project into a larger, more complex set of projects

Page 14: Does Anyone Remember Enterprise Security Architecture?

Organizing Complexity Through Architecture

The SABSA Information Systems Architecture paper lays out the following (paraphrasing):

Like the design of buildings and cities, information architecture must take into consideration:

• Organizational goals to be achieved by the systems
• The environment where the systems will be built and used
• The technical capabilities required to build and operate the systems

Page 15: Does Anyone Remember Enterprise Security Architecture?

Organizing Complexity Through Architecture

What Architecture provides in managing Complexity

• Usability
• Scalability
• Easy way to reuse components
• Modularity
• A relationship between technical solutions and the strategic needs of the business
• A way to reduce costs

And most importantly …

Business Security and Operational Risk Management

Page 16: Does Anyone Remember Enterprise Security Architecture?

So …

Page 17: Does Anyone Remember Enterprise Security Architecture?

Enterprise Security Architecture

Security inherently relates to business risk and must be treated as a board supported function of the business

Most organizations understand that information security is a crucial strategic business issue but continue to approach it on a project by project basis and/or from a compliance perspective

Enterprise Security Architecture aligns organizational business strategy and goals with the protection of the organization’s business critical data

Page 18: Does Anyone Remember Enterprise Security Architecture?

Enterprise Security Architecture

Stakeholder Goals (aka Business Systems Analysis)

Working with the stakeholders to define, redefine or establish the goals of their business model: the goals that drive the value of the brand and that identify the business critical data on which the success of the business depends.

An understanding of the stakeholders' needs is absolutely critical to defining the requirements for protecting the organization's business critical data

Page 19: Does Anyone Remember Enterprise Security Architecture?

Enterprise Security Architecture

Risk Management

Risk must (at minimum) take into account the following:

• Asset Value
• Vulnerability
• Threat

In order to derive the following:

• Likelihood
• Business Impact

Risk Management in its simplest form should educate the stakeholders and enable the business to take more risk to grow and innovate

Page 20: Does Anyone Remember Enterprise Security Architecture?

Enterprise Security Architecture

Policy & Standards

Policy and standards describe both what is allowed and not allowed within the business system

Governance is critical to ensure policies and standards are in use as well as practical

In many organizations this is where the business tends to focus, due to audit and regulatory enforcement penalties

Page 21: Does Anyone Remember Enterprise Security Architecture?

Enterprise Security Architecture

Security Architecture

The actual underlying architecture of the ESA that implements the controls supporting the policy, standards and risk management

The organization's strategic framework that aligns Development and Operations (DevOps)

Should be utilized to make organizational platform changes not possible at project levels

Page 22: Does Anyone Remember Enterprise Security Architecture?

Enterprise Security Architecture

Together, Risk Management, Policy and Standards and Security Architecture govern security Processes and Defense in Depth Architecture through Design Guidance, Runtime Support and Assurance Services.

Security Metrics are used for decision support for RM, P&S and SA

Page 23: Does Anyone Remember Enterprise Security Architecture?

Process

SDLC

Security adds value to all areas of the SDLC, from initiation to disposition

Enables collaboration with and guidance by experienced secure software builders.

Since the addition of security processes to the SDLC adds expense, it is critical to assess the processes to ensure that expense is justified and acceptable as well as to identify reusable services that will speed up development over time.

The OWASP Application Security Verification Standard 2014 (ASVS Version 2) is an excellent, usable standard for setting and verifying security requirements within the SDLC (https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf)

Page 24: Does Anyone Remember Enterprise Security Architecture?

Process

Identity Management

Creation, communication, recognition and usage of Identity in the Enterprise, including:

• Provisioning
• Directories
• Multi-factor Authentication
• Federation
• Role Based Access Controls

Investment, alignment and implementation should all be strategic results of Risk Management and Policy and Standards

Page 25: Does Anyone Remember Enterprise Security Architecture?

Process

Vulnerability Management

The set of all processes for discovering, reporting and mitigating known vulnerabilities at any layer

Vulnerability Management is typically broken down into Intelligence/Patching activities and Scanning activities

It is critical to have vulnerability accountability and ownership throughout the enterprise, with the associated metrics

Page 26: Does Anyone Remember Enterprise Security Architecture?

Process

Threat Management

Threat management refers to actual threats to the systems, must include threat actor/vector

Associated tools and processes include:

• Event and Security Monitoring
• Digital Forensics
• Incident Management/Response
• Business Continuity Planning

And perhaps the best process to understand the business/security tradeoff model …

Page 27: Does Anyone Remember Enterprise Security Architecture?

SIDENOTE: Threat Modeling

Understand the attack paths (Kill Chain is the new sexy) <- DRINK!

• What is the objective?
• Reconnaissance detection/prevention?
• Exploitation detection/prevention?
• Lateral movement detection/prevention?
• Persistence detection/prevention?
• Exfiltration detection/prevention?

"$ACTOR does $ACTION to $ASSET resulting in $OUTCOME because of $MOTIVATION" - Bruce Potter, Derbycon 2014 talk

Page 28: Does Anyone Remember Enterprise Security Architecture?

Defense in Depth

Data Security

This element of Defense in Depth is primarily concerned with securing access to data and its use (very Database oriented)

SDLC defines secure patterns of database integration and data usage

Vulnerability scans on specific DB issues

IPS and Monitoring for specific DB threats

Page 29: Does Anyone Remember Enterprise Security Architecture?

Defense in Depth

Application Security

Focused on the following:

• Code protection
• RBAC
• Output analysis
• SDLC
• Application scanning
• Fuzzing
• Delivering reusable application security services

Page 30: Does Anyone Remember Enterprise Security Architecture?

Defense in Depth

Endpoint Security

Focused on access control on servers and workstations

• Host firewalls
• AV
• Host IDS/IPS
• File integrity monitoring
• Baselining
• Policy auditing (CIS, etc.)
• Advanced/Behavioral endpoint controls
• DLP

Page 31: Does Anyone Remember Enterprise Security Architecture?

Defense in Depth

Network Security

Design and operations for security mechanisms for the network

• Firewalls and DMZs
• IDS/IPS
• Email/Web content and malware controls
• DLP
• Identity access controls
• Wireless controls

Page 32: Does Anyone Remember Enterprise Security Architecture?

Metrics

Risk Metrics

Measurements of the overall assets:

• Vulnerabilities
• Threats
• Countermeasures

Since risk metrics are focused on assets this allows the Security Architecture to be measured in business terms without the stakeholders needing to be experts in information security

Page 33: Does Anyone Remember Enterprise Security Architecture?

Metrics

Enterprise Reporting

Describe the states and rates of security throughout the enterprise:

• Key Risk Indicators
• Key Performance Indicators
• Key Influence Indicators
• Key Value Indicators

These metrics must be objective and quantitative to provide business value to the stakeholders and system owners

Page 34: Does Anyone Remember Enterprise Security Architecture?

Metrics

Domain Reporting

Process and Defense in Depth individual systems metrics. Some examples include:

• Vulnerability time to remediation
• Daily inbound email malware
• Daily outbound web requests to known high risk sites
• Denied access to business critical systems and folders
• Multiple login attempts of one account on multiple machines over a small period of time
• DB health and uptime
• PMO metrics
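Three of the domain metrics above, plus the per-owner vulnerability accountability metric called for under Vulnerability Management (Page 25), computed over constructed sample data. This is an added example for this transcript, not code from the talk or from Black Box Network Services; the owner names, hosts, sites, dates and the 60-second / 3-host threshold are all assumptions.

```python
"""Domain reporting metrics over constructed sample logs (added example).

  1. vulnerability time to remediation, per owning team, with open-finding age
  2. daily outbound web requests to known high-risk sites
  3. one account attempting logins on several machines in a short window
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# --- constructed sample data; none of it comes from the slides ----------

# Vulnerability tracker export: id, owning team, severity, opened, closed (None = still open)
VULNS = [
    ("V-1", "web-team", "high",   "2015-05-01", "2015-05-09"),
    ("V-2", "web-team", "medium", "2015-05-03", "2015-05-30"),
    ("V-3", "db-team",  "high",   "2015-05-02", "2015-05-04"),
    ("V-4", "db-team",  "low",    "2015-05-05", None),
    ("V-5", "desktop",  "high",   "2015-04-20", "2015-06-01"),
]

# Web proxy log lines: timestamp, source host, destination host
PROXY_LOG = [
    "2015-06-01T08:01:10 ws-101 www.example.com",
    "2015-06-01T08:05:42 ws-101 malware-c2.example",
    "2015-06-01T09:15:00 ws-207 phish.example",
    "2015-06-02T10:02:31 ws-101 malware-c2.example",
    "2015-06-02T11:45:07 ws-333 www.example.org",
]
HIGH_RISK_SITES = {"malware-c2.example", "phish.example"}  # hypothetical blocklist

# Authentication log lines: timestamp, account, host, result
AUTH_LOG = [
    "2015-06-01T02:00:01 svc-backup srv-01 FAIL",
    "2015-06-01T02:00:04 svc-backup srv-02 FAIL",
    "2015-06-01T02:00:09 svc-backup srv-03 FAIL",
    "2015-06-01T02:00:15 svc-backup srv-04 SUCCESS",
    "2015-06-01T08:30:00 alice ws-101 SUCCESS",
    "2015-06-01T17:30:00 alice ws-101 SUCCESS",
    "2015-06-01T17:31:00 alice srv-01 SUCCESS",
]


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def time_to_remediation(vulns, as_of):
    """Per owner: mean days to close, count of open findings, age of the oldest.

    Open findings are reported separately rather than dropped, so a team that
    never closes anything cannot show a flattering (empty) mean.
    """
    spans, open_ages = defaultdict(list), defaultdict(list)
    for _vid, owner, _sev, opened, closed in vulns:
        if closed is None:
            open_ages[owner].append((_day(as_of) - _day(opened)).days)
        else:
            spans[owner].append((_day(closed) - _day(opened)).days)
    report = {}
    for owner in set(spans) | set(open_ages):
        report[owner] = {
            "mean_days": mean(spans[owner]) if spans[owner] else None,
            "open": len(open_ages[owner]),
            "oldest_open_days": max(open_ages[owner]) if open_ages[owner] else 0,
        }
    return report


def daily_high_risk_requests(proxy_lines, high_risk):
    """Count outbound requests per calendar day whose destination is on the high-risk list."""
    counts = defaultdict(int)
    for line in proxy_lines:
        ts, _src, dst = line.split()
        if dst in high_risk:
            counts[ts[:10]] += 1
    return dict(counts)


def spraying_accounts(auth_lines, window_seconds=60, min_hosts=3):
    """Accounts that touch >= min_hosts distinct machines inside any sliding window.

    Successes count as well as failures: the metric is one identity fanning out
    across machines, which is what lateral movement looks like in an auth log.
    """
    events = defaultdict(list)
    for line in auth_lines:
        ts, account, host, _result = line.split()
        events[account].append((_ts(ts), host))
    flagged = {}
    for account, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - t0 <= timedelta(seconds=window_seconds)}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print(time_to_remediation(VULNS, "2015-06-02"))
    print(daily_high_risk_requests(PROXY_LOG, HIGH_RISK_SITES))
    print(spraying_accounts(AUTH_LOG))
```

Each function returns a plain dict keyed by owner, day or account, which is the shape an enterprise report needs: the numbers roll up by team or by day without the reader having to know anything about the underlying scanner, proxy or directory.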

Page 35: Does Anyone Remember Enterprise Security Architecture?

ESA Mapping

Mapping to relevant compliance frameworks:

• ISO 27001
• NIST Cybersecurity Framework
• PCI-DSS

Page 36: Does Anyone Remember Enterprise Security Architecture?

Benefits

ESA FTW!

• Brings focus to the key areas of concern for the business
• Allows business owners to make educated security/risk decisions without having to be an infosec professional
• Enables disparate Enterprise Security groups to understand their role in the business
• METRICS!
• Encourages repeatable processes
• Organizes your Enterprise's complexity
• Focuses on Security, not Compliance (but still maps to compliance, we still have auditors :P)
• Reduces the likelihood your organization will contribute to informationisbeautiful.net

Page 37: Does Anyone Remember Enterprise Security Architecture?

Q&A and References

Does Anyone Remember Laughter? http://www.imdb.com/title/tt0075244/

ARCTEC PAPER: http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf

SABSA PAPER: http://www.sabsa-institute.com/members/sites/default/inline-files/SABSA_White_Paper.pdf

Application Security Verification Standard 2014: https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf

CIS: http://www.cisecurity.org/

[email protected]