Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Copyright © 2014 Splunk Inc.
Andrew Gerber, Managing Information Security Consultant, Wipro
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
About
Andrew Gerber is a managing information security consultant at Wipro. Over the last ten years he has focused on security information and event management (SIEM), security analytics, and security operations center (SOC) design. Andrew additionally has experience evaluating information security program maturity and building effective managed security service offerings. Andrew has worked with clients in North America, Europe, and Asia, including several Fortune 100 and Fortune Global 100 industry leaders in financial services, healthcare, manufacturing, retail, and law enforcement. Andrew holds a B.S. in computer science and an M.B.A. from Purdue University.
Wipro Ltd. (NYSE:WIT) is a global information technology, consulting, and outsourcing company with over 145,000 employees across 6 continents and over 175 cities. Wipro posted revenues of $7.3 billion for the financial year ended March 31, 2014. Wipro helps customers do business better by leveraging our industry-wide experience, deep technology expertise, comprehensive portfolio of services, and vertically aligned business model. Wipro is proud of its strategic partnership with Splunk and the value Wipro delivers using Splunk as a platform across industries and applications, with a focus in enterprise information security managed services.
Agenda
New approach to Enterprise Security
– Situational Awareness
– Kill Chain
Techniques using this new approach
– Looking for threat behavior
– Profiling VPN access
– Looking for an attacker trying to get out of the environment, as well as identifying potential delivery vectors
– Profiling Network Jumpers
– A framework for developing additional techniques
Recommendations and best practices for further development and implementation of this approach
The Enterprise Security Landscape
Attacks and breaches are on the rise; threat actors are motivated by previous attacks’ successes.
Attackers still have a remarkably easy time getting in.
– Organizations are still not implementing basic controls (e.g. geographic restrictions, segmentation, account lockouts)
A LOT CAN BE DONE WITH BASIC CONTROLS
– Organizations are still not monitoring/responding to IOCs (Indicators of Compromise); a recent breach analysis showed multiple alerts on potential malware and malicious activity that were completely missed
INFORMATION AND ALERTS FROM ALL SOURCES MUST BE ANALYZED
Don’t focus solely on alerts for denied or failure events.
– FOCUS ON PROFILING BEHAVIOR OVER TIME & ACROSS PLATFORMS TO DISTINGUISH ANOMALIES
Threats
Threats are increasing; attacker dwell time is still well over 200 days on average.
Move from generic malware targeting everyone to deliberate, smart attackers targeting you, with a specific objective.
With attackers identifying high-value objectives, the investment they are willing to make increases.
We can see attackers’ methodology evolving over time to adapt to organizations’ actions and responses.
People are being targeted more, resulting in more valid-credential based attacks and less need for vulnerability exploits of network/security devices.
Threat actors now look more like legitimate users. You can still tell them apart, just not with legacy tools/strategies.
Figure: Breaches by Asset Category over Time (from Verizon’s 2014 Data Breach Investigations Report)
Threats: Who Attacks and Why?
Figure: Categories of Attackers; Attacker Motivation (from IBM’s 2013 Cyber Security Intelligence Index)
Risks: Clear and Present Danger
Brand / Revenue / Financial Data / Product Data / Customer & Patient Records / Financial Theft / Blackmail / Job Loss / Operations Disruption and Manipulation / Competitive Espionage / …
Situational Awareness
Changing threat environments demand enhanced security monitoring, often called “situational awareness”.
Advanced targeted threats have increased the requirement for the proactive detection of potential incidents above standard due diligence levels.
Situational awareness expands on security information and event management (SIEM) processes, and requires a combination of asset and threat information and activity data, in combination with analysis and reporting capabilities.
Advanced analysis capabilities to support “human in the loop” investigation and decision making are critical requirements.
From Gartner’s note “Delivering Situational Awareness” (G00214313)
Figure: Tech / Process / People
To deliver situational awareness, we need to add a process/approach/model to the people (us) and the technology (Splunk) deployed to provide enterprise security.
Kill Chain
Model to identify threat behavior across the lifecycle of an attack
– Move from looking at a single alert or a single aspect of the attack
– Must look at the entire spectrum of activities (all data) to determine attack/threat
Detection earlier in the kill chain = lower impact and mitigation cost
Detection later in the kill chain = greater impact; must look back in time to determine infection/impact and how to contain/mitigate
Beyond SIEM – True Security Analytics:
– Brings together information that would be time consuming or impossible to manually analyze (goes beyond centralized logging)
– Enables a deep investigation of what otherwise could only be aggregated and/or ignored
– Allows dynamic correlation – visual representation makes anomalies obvious
– Enables exploration of loose relationships between events, driven by “human-in-the-loop” processes, leading to a “hypothesis, test, findings” approach instead of an “event, evaluate” approach
– Accelerates analyst decision trees around behavior
– Is cohesive and behaviorally driven, with a monitoring/response posture based on knowing your users, assets, and environment
Use cases to implement with Splunk
Use Case 1 - Detect inappropriate or malicious remote access
– VPN profiling of employees, contractors, vendors, and other insiders
– Useful to identify the following kill chain stages: C2, Exfiltration
– Also useful to identify employee/insider Fraud, Theft, & Abuse (FTA)
Use Case 2 - Detect attempted and actual bypass of network controls
– Detect network jumping and off-network activity
– Useful to identify the following kill chain stages: Delivery, C2, Exfiltration
– Also useful to identify employee/insider Fraud, Theft, & Abuse (FTA)
Do this: Profile VPN Activity
What & Why?
Find abnormal usage patterns in remote access
– VPN access with valid credentials has been used in major attacks, including a recent healthcare industry breach
Profile remote usage by employees, contractors, vendors, and other insiders
Look for:
– Indicators of Delivery, C2, Exfiltration, as well as employee or insider FTA
– Potentially compromised credentials
Key points to look for:
– Increase in login frequency
– Odd times/locations
– Improbable travel distance between logins or login attempts (velocity required between consecutive geographical login locations too high)
Design & Approach
Overview – Geographic and Network VPN Trends
Overview – User-based VPN Trends
Geographic Analysis with “Traveler” identification
“Traveler” mapping & improbable behavior analysis
Design & Approach - Workflow
Geographic & Network VPN Trends
– At-a-glance profiling of VPN login successes and failures
– Geolocation and domain charting identify normal vs. abnormal access
• Top Level Domains and other domain names to find anomalies, e.g. connections from the .edu TLD or from external VPN services
User level VPN Trends
– Multiple login failures, by count and over time, together with successful logins provide insight into VPN behavior
– Identify repeat VPN login failure trends by user
– Easy to spot outlier and clustered events
Design & Approach - Workflow
Geographic Analysis with “Traveler” identification
– Per-country trends & users with multiple locations in a given time period
– Also identify relative distances for users from a relevant fixed location
“Traveler” mapping & improbable behavior analysis
– Determine unlikely distance/time combinations between VPN logins
Key Events – VPN Authentication Success/Failure
The key searches look for VPN authentication success and failure, which we will expand on throughout this use case.
Overview – Geographic & Network VPN Trends
Successful VPN negotiations by user, plotted on a map:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | iplocation IP | geostats count by Username globallimit=0
Failed logins by user and business unit, plotted on a map:
index=vpn sourcetype=ACMEvpn "Login failed" | eval userinfo=user.":".user_bunit | iplocation src_ip | geostats count by userinfo globallimit=0
Top-level domains of connecting clients (reverse DNS via the dnslookup lookup):
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | stats count by IP | lookup dnslookup clientip as IP | rex field=clienthost ".*(?P<toplevel>\.\w+)$" | stats count by toplevel
Second-level domains of connecting clients:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete"
| stats count by IP
| lookup dnslookup clientip as IP
| rex field=clienthost ".*\.(?P<midlevel>\w+)\.(?P<toplevel>\w+)$"
| eval thedomain=midlevel.".".toplevel
| eval lendomain=len(thedomain)
| where lendomain>0
| stats count by thedomain
| sort -thedomain
| sort -count
Overview – User-based VPN Trends
Users with more than three authentication rejections (VPN AAA rejects, or VPN-bound traffic that was not allowed):
index=firewall (sourcetype=ACMEvpn AND "AAA user authentication Rejected" AND user=*) OR (sourcetype=ACMEtraffic AND src_user=* AND to=VPN AND action!="allowed") | rename src_user AS fulluser | rex "user\s\=\s(?<fulluser>.*)" | stats count by fulluser | search count>3
Most-rejected users:
index=firewall (sourcetype=ACMEvpn AND "AAA user authentication Rejected" AND user=*) OR (sourcetype=ACMEtraffic AND src_user=* AND to=VPN AND action!="allowed") | rename src_user AS fulluser | rex "user\s\=\s(?<fulluser>.*)" | top fulluser
Successful negotiations per user, with a sparkline of activity over time:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | stats sparkline(count), count by Username | sort -count
Overview – User-based VPN Trends
Rejected authentications over time for the 25 most-rejected users:
index=firewall sourcetype=ACMEvpn "AAA user authentication Rejected" user=* | rex "user\s\=\s(?<fulluser>.*)" | timechart count by fulluser useother=f limit=25
Geographic Analysis with “Traveler” identification
Users seen from more than one city/region, with the number of distinct source IPs and regions:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete"
| iplocation IP
| eval regionlen=len(Region)
| where regionlen>0
| eval regioncity=City.",".Region
| stats sparkline(dc(IP)), dc(IP) as howmanyIP, dc(regioncity) as howmanyRegion, values(regioncity) as Locations by Username
| sort -howmanyIP
| where howmanyRegion>1
Distance of each distinct source IP from a fixed location (HQ; placeholder coordinates), using the haversine custom command:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete"
| dedup IP
| iplocation allfields=true IP
| eval citylen=len(City)
| eval short_lon=round(lon,2)
| eval short_lat=round(lat,2)
| strcat short_lat "," short_lon as latlon
| eval HQ="37.235,-115.811"
| where citylen>0
| haversine originField=HQ latlon units=mi
| table _time,Username,City,Region,distance
| sort -distance
| eval distance=round(distance,0)
“Traveler” mapping & improbable behavior analysis
Pair each user’s first and last login within a day, compute the distance between the two geolocated source IPs and the speed implied by the time between them, and keep anything over 100 MPH:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete"
| iplocation allfields=true IP
| eval short_lon=round(lon,2)
| eval short_lat=round(lat,2)
| strcat short_lat "," short_lon as latlon
| transaction Username maxspan=1d mvlist=t mvraw=f delim="|"
| eval first_src=mvindex(IP,0)
| eval last_src=mvindex(IP,-1)
| where (first_src != last_src)
| eval first_tz=mvindex(Timezone,0)
| eval last_tz=mvindex(Timezone,-1)
| where first_tz != last_tz
| eval first_latlon=mvindex(latlon,0)
| eval last_latlon=mvindex(latlon,-1)
| eval firstlatlonlen=len(first_latlon)
| eval lastlatlonlen=len(last_latlon)
| where firstlatlonlen>1
| where lastlatlonlen>1
| eval bothtz=first_tz.last_tz
| eval tzlen=len(bothtz)
| where tzlen>20
| haversine originField=first_latlon last_latlon units=mi
| eval rate_mps=distance/duration
| eval rate_mph=rate_mps * 3600
| eval tdm=duration/60
| eval tdm=round(tdm,2)
| eval rate_mph=round(rate_mph,2)
| makemv delim="|" src_ip
| makemv delim="|" Username
| eval username=mvindex(Username,0)
| table _time,rate_mph,tdm,username,first_tz,last_tz,first_src,last_src,bothtz
| rename tdm as "Time Difference(Minutes)"
| rename rate_mph as "Speed(MPH)"
| search "Speed(MPH)" >100
| sort - "Speed(MPH)"
| iplocation last_src
| geostats count by username
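The improbable-travel computation above, written out in Python as an added example (not code from the deck or from Splunk): consecutive geolocated logins per user, the haversine distance the deck's custom command supplies, and the same 100 MPH cutoff. The login records, coordinates and IPs are constructed; the same-IP and same-time-zone skips mirror the search's `where` clauses.

```python
"""Improbable-travel check for consecutive VPN logins per user (added example).

Geolocate each user's successive logins, take the great-circle distance between
them with the haversine formula (what the deck's `haversine units=mi` command
computes), derive the implied speed and keep pairs over the 100 MPH cutoff.
All login records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MI = 3958.8
SPEED_THRESHOLD_MPH = 100.0  # cutoff used by the deck's search


@dataclass(frozen=True)
class Login:
    """One successful VPN negotiation after IP geolocation."""
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float
    tz: str


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * asin(sqrt(a))


def improbable_travel(logins, threshold_mph=SPEED_THRESHOLD_MPH):
    """Return (user, speed_mph, minutes, first_ip, last_ip) for every pair of
    consecutive logins by one user whose implied speed exceeds the threshold.

    Like the deck's search, pairs from the same source IP or the same time zone
    are skipped: that is the common benign case (same office, same ISP) and
    city-level geolocation is too coarse to call it an anomaly.
    """
    by_user = {}
    for login in sorted(logins, key=lambda l: l.ts):
        by_user.setdefault(login.user, []).append(login)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.src_ip == cur.src_ip or prev.tz == cur.tz:
                continue
            minutes = (cur.ts - prev.ts).total_seconds() / 60
            if minutes <= 0:
                continue  # simultaneous logins belong to a separate panel
            miles = haversine_mi(prev.lat, prev.lon, cur.lat, cur.lon)
            mph = miles / (minutes / 60)
            if mph > threshold_mph:
                findings.append((user, round(mph, 2), round(minutes, 2),
                                 prev.src_ip, cur.src_ip))
    return findings


def _t(hhmm):
    """Constructed UTC timestamp on a fixed day."""
    return datetime(2014, 6, 10, int(hhmm[:2]), int(hhmm[2:]), tzinfo=timezone.utc)


# Constructed sample: alice appears in New York and two hours later in London;
# bob drives Chicago to Denver over ten hours (about 92 MPH, below the cutoff);
# carol uses two IPs in one time zone. IPs are from documentation ranges.
SAMPLE_LOGINS = [
    Login("alice", _t("0900"), "198.51.100.10", 40.7128, -74.0060, "America/New_York"),
    Login("alice", _t("1100"), "203.0.113.25", 51.5074, -0.1278, "Europe/London"),
    Login("bob", _t("0800"), "198.51.100.77", 41.8781, -87.6298, "America/Chicago"),
    Login("bob", _t("1800"), "203.0.113.90", 39.7392, -104.9903, "America/Denver"),
    Login("carol", _t("0930"), "198.51.100.5", 40.7128, -74.0060, "America/New_York"),
    Login("carol", _t("1000"), "198.51.100.6", 42.3601, -71.0589, "America/New_York"),
]


def scan_sample():
    """Run the check over the constructed logins; only alice should be flagged."""
    return improbable_travel(SAMPLE_LOGINS)
```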
Design & Extension Notes
Additional panels:
– Simultaneous logins (rare as a legitimate scenario)
– Increase in data volume over the connection (sign of exfiltration, data collection)
– Potential to add algorithms to refine results and accelerate analysis
Additional information about user access patterns:
– “Out-of-Office” information - integrate with Exchange
– PTO/absence/etc. - integrate with HR/time management systems
Do this: Monitor Network Jumping and Off-Network Activity
What & Why?
Find assets & users jumping from the corporate LAN/WLAN to the Guest Network
– Detect attempts to bypass security controls
– Detect the malware vector of “benign” off-network browsing: 1 in 566 websites host malware (Symantec 2014 Internet Security Threat Report)
– If controls exist around Guest network usage, still implement this for attestation
Profile jumping behavior to look for patterns and anomalies
– Identify the User, IP address, MAC address
– Identify activity before and after jumping
– Filter out insider Fraud, Theft, Abuse from possible Indicators of Compromise
Key points to look for include:
– Assets and users jumping periodically – normal business users should be on the corporate network
– Network jumps which don’t appear to be pre-meditated (i.e. looking for programmatic jumps)
– Volume, periodicity, destination, traffic type can all be indicators of potential Exfiltration
“40% [of companies] reported that they had been exposed to a security threat as a direct consequence of an off-network user’s laptop getting compromised within the last twelve months.”
From Google report, “Off-Network Workers – The Weakest Link to Corporate Web Security”
Design & Approach
Overview – Long/Short Term Off-Net Jumping Trends
Identify a user of interest and drill down to investigate
Behavior investigation – longitudinal trending
Behavior investigation – Pre-Jump Activity
Behavior investigation – Guest Network Activity
Design & Approach - Workflow
Long/Short Term Off-Net Jumping Trends
– At-a-glance profiling of corporate credentials used on the guest network – activity for today, 7 days, 14 days
– Visual analysis to determine what looks abnormal
– Rapid investigation to identify users of interest; selection enables deep investigation via an initial drilldown into user activity/details
Selection to look up a user; selection determines the drill down. The dynamic drilldown begins at this point on this dashboard: when you click on a row, the IP, hostname and MAC are passed to the following subpanels, based on drilldown parameters set in this panel’s XML source.
Design & Approach - Workflow
Behavior Investigation – Longitudinal Trending
– Patterns identify a potential repeat offender, or possible C2/exfiltration
– Look at guest network activity to clarify – compare these two trends
Design & Approach - Workflow
Behavior Investigation – Pre-Jump Activity
• Does the jump make sense? – driven by business logic or “benign” behavior
• Does the jump look like an attacker trying to get out? – more “random” patterns
• Does the jump look like insider threat? – exfiltration, etc.
Looking back in time from the jump: user activity on the corporate network preceding the jump
Looking back in time to the jump: user device to IP address mapping of the jumper
Looking in time after the jump: user activity on the guest network after the jump
Key Event – Guest network DHCP request
Key search to identify this activity:
• Look at the guest network firewall logs, which log DHCP requests (IP, MAC, hostname)
• Look at DHCP requests using an IP address from one of our corporate networks, and the MAC address
• Eliminate mobile devices; limit results to our corporate hostname naming convention
• A database of internal IP space, hostnames, and associated MAC addresses is being built to further refine this
Trending – How it’s Done
Guest-network DHCP requests from corporate-named hosts that still carry a corporate IP address, charted per hostname in 4-hour spans:
index=firewall sourcetype="ACMEguestFW"
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
dhcp_msg=Request ip="ACMEipSpace"
| regex hostname="ACMEnamingConvention"
| timechart span=4h limit=30 count by hostname
Hourly profile comparing the last 48 hours against the preceding two weeks:
index=firewall sourcetype="ACMEguestFW"
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
dhcp_msg=Request ip="ACMEipSpace" earliest=-14d latest=-1d
| regex hostname="ACMEnamingConvention"
| dedup hostname
| timechart span=1h count
| eval StartTime=relative_time(now(),"-48h@h")
| eval Series=if(_time>=StartTime, "Yesterday's Count", "2 Week Average")
| eval Hour = strftime(_time,"%H")
| chart max(count) by Hour Series
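The filter chain of the jumper searches (DHCP Request, corporate IP space, mobile devices excluded, corporate naming convention, counted per hostname in 4-hour spans) replayed in Python over constructed guest-firewall log lines, as an added example that is not deck code. The key=value log format, the 10.0.0.0/8 corporate space and the ACME-WS/LT naming regex are constructed stand-ins for the deck's ACMEguestFW, ACMEipSpace and ACMEnamingConvention placeholders.

```python
"""Network-jumper detection from guest-network DHCP request logs (added example).

A corporate-imaged host that moves to the guest network sends a DHCP Request that
still names its corporate lease, so a Request carrying a corporate-space address
from a hostname that follows the corporate naming convention is the jump event.
Log format, IP space and naming convention below are constructed stand-ins.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

CORPORATE_SPACE = [ipaddress.ip_network("10.0.0.0/8")]          # stands in for ACMEipSpace
NAMING_CONVENTION = re.compile(r"^ACME-(WS|LT)-\d{4}$", re.I)  # stands in for ACMEnamingConvention
MOBILE_PATTERN = re.compile(r"phone|pad|android", re.I)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict, or None if the line is unusable."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(parts[1])}
    fields["_time"] = ts
    return fields


def is_corporate_ip(value):
    """True when value is an address inside the corporate IP space."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_SPACE)


def find_jumpers(lines):
    """Apply the searches' filters; return the jump events (_time, ip, mac, hostname)."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.get("dhcp_msg") != "Request":
            continue
        host = ev.get("hostname", "")
        if MOBILE_PATTERN.search(host):           # hostname!=*phone* AND !=*pad* AND !=*android*
            continue
        if not is_corporate_ip(ev.get("ip", "")):  # ip="ACMEipSpace"
            continue
        if not NAMING_CONVENTION.match(host):      # regex hostname="ACMEnamingConvention"
            continue
        out.append({k: ev.get(k) for k in ("_time", "ip", "mac", "hostname")})
    return out


def count_by_host_span(events, span_hours=4):
    """Like `timechart span=4h count by hostname`: counts keyed by (bucket start, hostname)."""
    counts = Counter()
    for ev in events:
        t = ev["_time"]
        bucket = t.replace(hour=t.hour - t.hour % span_hours, minute=0, second=0)
        counts[(bucket.strftime("%Y-%m-%dT%H:00"), ev["hostname"])] += 1
    return counts


# Constructed guest-firewall DHCP lines: the second line is the same host renewing
# with its new guest lease (not a jump); 'Johns-iPhone' and 'my-laptop' are filtered.
SAMPLE_LINES = [
    "2014-06-10T09:05:00Z dhcp_msg=Request ip=10.20.30.40 mac=00:11:22:33:44:55 hostname=ACME-WS-0042",
    "2014-06-10T09:05:02Z dhcp_msg=Request ip=192.168.50.12 mac=00:11:22:33:44:55 hostname=ACME-WS-0042",
    "2014-06-10T09:20:00Z dhcp_msg=Request ip=10.20.30.77 mac=aa:bb:cc:dd:ee:01 hostname=Johns-iPhone",
    "2014-06-10T09:21:00Z dhcp_msg=Request ip=10.20.30.78 mac=aa:bb:cc:dd:ee:02 hostname=my-laptop",
    "2014-06-10T10:50:00Z dhcp_msg=Discover ip=0.0.0.0 mac=aa:bb:cc:dd:ee:03 hostname=ACME-LT-0177",
    "2014-06-10T10:50:01Z dhcp_msg=Request ip=10.20.30.40 mac=00:11:22:33:44:55 hostname=ACME-WS-0042",
    "2014-06-10T13:30:00Z dhcp_msg=Request ip=10.20.31.9 mac=aa:bb:cc:dd:ee:03 hostname=ACME-LT-0177",
]


def scan_sample():
    """Jump events from the constructed lines and their 4-hour per-host counts."""
    jumps = find_jumpers(SAMPLE_LINES)
    return jumps, count_by_host_span(jumps)
```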
Trending – How it’s Done
Hourly count of jumping hostnames:
index=firewall
sourcetype="ACMEguestFW" ip="ACMEipSpace"
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
dhcp_msg="Request"
| regex hostname="ACMEnamingConvention"
| timechart span=1h count by hostname
Identify User, present additional data – How it’s Done
1. Table of jumping hosts (IP, time, hostname, MAC); this is the panel that drives the drilldown:
index=firewall (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) sourcetype="ACMEguestFW" ip="ACMEipSpace" dhcp_msg="Request" | regex hostname="ACMEnamingConvention" | stats count by ip,_time,hostname,mac | sort _time
2. View the XML Source for the Dashboard (“Edit Source”), find the panel, and add:
<drilldown>
  <set token="source_ip">$row.ip$</set>
  <set token="mac">$row.mac$</set>
  <set token="hostname">$row.hostname$</set>
</drilldown>
3. Make this panel only appear when the drilldown is activated:
<panel><single id="jumpername" depends="$source_ip$">
4. The search uses $source_ip$ from the click and searches the internal firewall logs to find the most recent user from that IP address (the domain\user value in src_user is split on the backslash):
index=firewall sourcetype=ACMEfw src=$source_ip$ | rex field=src_user "\w+\\\\(?<browseusername>\w+)" | dedup browseusername | table browseusername
Drill-down to look up user
Longitudinal Trending – How It’s Done
This panel is driven by the same drill-down we’ve been using, based on $hostname$ from the guest network firewall logs. The search simply returns the jumping pattern over the past week and charts it in 15-minute spans.
index=firewall hostname=$hostname$ dhcp_msg=Request sourcetype=ACMEguestFW | timechart span=15m count
Behavior Investigation – Pre-Jump Activity
Selection determines drill down. Combined static & dynamic dropdown input: the static (default) value of ALL maps to a value of “*”; the dynamic options are populated by a search:
index=firewall sourcetype=ACMEfw src_ip=$source_ip$ | stats count by category2
Select “Edit Panels” for the Dashboard and then “Add Input”, select “Radio”, drag the input to the panel, and customize in the GUI, or add the XML code directly in “Edit Source”. This dropdown input sets the token $category$ to the value selected:
<input type="dropdown" token="category" searchWhenChanged="true">
  <label>Select Category</label>
  <populatingSearch earliest="@d" latest="now" fieldForLabel="category" fieldForValue="category">index=firewall sourcetype=pan* src_ip=$source_ip$ | stats count by category</populatingSearch>
  <choice value="*">ALL</choice>
</input>
Search the Windows DNS logs for requests and responses triggered by the jumper on the corporate network, still using the same drilldown from before for source_ip:
index=winevents sourcetype="MSAD:NT6:DNS" src_ip=$source_ip$ | stats count by questionname,questiontype,response,src_ip | rex mode=sed field=questionname s/\(\d+\)/./g | sort -count
This is a basic filtering search: stats takes a count of queries made, by type and response, per source IP; rex mode=sed replaces the (<digits>) label-length markers in the DNS query names with dots; then sort by count.
Guest Network Sessions for Jumper
Again going back to the same drill-down, use the MAC address identified and list the guest network IPs associated with the MAC we’ve tied to a corporate asset:
index=firewall sourcetype="ACMEguestFW" (ip!="ACMEipSpace" AND ip!="0.0.0.0") mac=$mac$ | stats count by mac,ip | fields - count
This gets a list of IP addresses for the identified jumper, based on MAC address, from the Guest network firewall logs.
Behavior investigation – Guest Network Activity
List hosts accessed by the jumper on the guest network, filtered by pass/block/all per the radio input below and using the source selected in the original drilldown on the dashboard:
index=network sourcetype=ACMEguestWLC srcip=$source$ action=$action$ | stats count by srcip,hostname,action,msg,dstip | sort -count
Static form input defined to filter the panel’s search on the action field (block, pass, all). View the XML Source for the Dashboard (“Add Input”), select “Radio”, drag the input to the panel, and customize in the GUI, or add the XML code directly in “Edit Source”. This radio input sets the token $action$ to the value selected:
<input type="radio" token="action" searchWhenChanged="true">
  <choice value="pass">pass</choice>
  <choice value="block">block</choice>
  <choice value="*">all</choice>
  <default>*</default>
</input>
Design & Extension Notes
Areas to continue the investigation:
– Select user of interest to drive additional panels – including additional historical trending
– Additional review of DNS requests
– Data volume on guest network
– Threat list mapping for known C2 servers, sites hosting malware/malvertising
Practical integrations:
– Captive page, walled garden for jumpers with training and/or restriction on the Guest Network
Potential to add algorithms to refine results and accelerate analysis:
– High level charts – 14 day, 7 day, today
– Integrate additional data sources to further identify behavior
Next Steps: Continuing with other Situational Awareness & Kill Chain Use Cases
Developing Additional Use Cases
Have a disciplined approach:
– Start with a behavior, choose a point on the kill chain
– Identify what log sources you have
– Think about and try different visualizations
– Use statistics and simple algorithms to clarify the data
– Find related log sources
– Think longitudinally
– Find outliers, shift your parameters, and let more outliers emerge
Additional Examples
Identifying Pass-the-Hash (PtH) Attacks and other Credential Theft Techniques
– Look for lateral movement, then get specific in your search for specific techniques. Methods include RDP and other remote access tools, the use of PsExec, as well as Windows Management Instrumentation (WMI).
– The NSA report “Spotting the Adversary with Windows Event Log Monitoring” provides many good ideas to build on. For PtH: “The successful use of PtH for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account.”
“A failed logon attempt when trying to move laterally using PtH would trigger an event ID 4625. This would have a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account.”
Validating and Monitoring Mitigation Actions (Closed-Loop Management)
– When mitigating risks and threats in your environment, you need to validate that your measures take effect while monitoring and minimizing disruption to mission-critical business operations.
– Look for metrics that are leading indicators to help validate progress
– Look for trailing indicators that show potential disruption
– One example would be forced password expiry impairing users who only use applications with integrated authentication that do not support password resets
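The 4624/4625 criteria quoted above, encoded as a filter plus a per-source summary that surfaces the lateral-movement pattern (one source touching several workstations with the same account), as an added example that is not the deck's or the NSA report's code. The AD domain name, the simplified event field names and all events are constructed, and reading “not a domain logon” as “target domain differs from the AD domain” is an assumption.

```python
"""Pass-the-Hash lateral-movement indicator from Windows Security events (added example).

Encodes the quoted criteria: event 4624 (success) or 4625 (failure), LogonType 3,
NTLM authentication, not a domain logon, not ANONYMOUS LOGON. "Not a domain logon"
is read as a target domain that differs from the AD domain (assumption). Events are
constructed dicts with simplified Security-log field names.
"""
AD_DOMAIN = "CORP"  # assumed name of the monitored AD domain
PTH_EVENT_IDS = {4624: "success", 4625: "failure"}


def is_pth_candidate(ev, ad_domain=AD_DOMAIN):
    """True when the event matches the NSA criteria quoted in the deck."""
    if ev.get("EventID") not in PTH_EVENT_IDS:
        return False
    if str(ev.get("LogonType")) != "3":                       # network logon
        return False
    if str(ev.get("AuthenticationPackageName", "")).upper() != "NTLM":
        return False
    if str(ev.get("TargetUserName", "")).upper() == "ANONYMOUS LOGON":
        return False
    if str(ev.get("TargetDomainName", "")).upper() == ad_domain.upper():
        return False                                          # domain logon
    return True


def pth_summary(events, ad_domain=AD_DOMAIN):
    """Group candidates by (source address, target account): success/failure
    counts and the set of hosts that logged the event, so one source reaching
    many workstations with the same local account stands out."""
    summary = {}
    for ev in events:
        if not is_pth_candidate(ev, ad_domain):
            continue
        source = ev.get("IpAddress") or ev.get("WorkstationName") or "?"
        key = (source, ev.get("TargetUserName"))
        bucket = summary.setdefault(key, {"success": 0, "failure": 0, "targets": set()})
        bucket[PTH_EVENT_IDS[ev["EventID"]]] += 1
        bucket["targets"].add(ev.get("Computer", "?"))
    return summary


# Constructed events (field names simplified from the Security log; not real hosts).
SAMPLE_EVENTS = [
    # Normal Kerberos domain logon to a file server: ignored.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetDomainName": "CORP", "TargetUserName": "jdoe", "IpAddress": "10.1.1.20", "Computer": "FS01"},
    # NTLM local-account network logons from one source to several workstations.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "WS-0042", "TargetUserName": "Administrator", "IpAddress": "10.1.1.50", "Computer": "WS-0042"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "WS-0043", "TargetUserName": "Administrator", "IpAddress": "10.1.1.50", "Computer": "WS-0043"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "WS-0044", "TargetUserName": "Administrator", "IpAddress": "10.1.1.50", "Computer": "WS-0044"},
    # NTLM null session: excluded by the ANONYMOUS LOGON rule.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "NT AUTHORITY", "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.1.1.9", "Computer": "WS-0042"},
    # Interactive console logon with a local account: wrong logon type.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "WS-0045", "TargetUserName": "Administrator", "IpAddress": "-", "Computer": "WS-0045"},
]


def scan_sample():
    """Summary over the constructed events; only the 10.1.1.50 source should appear."""
    return pth_summary(SAMPLE_EVENTS)
```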
Figure: Kill Chain Based Attack Lifecycle Concept
Security Controls
– The average enterprise today has decent but incomplete coverage via a collection of security controls
– In addition to gaps in security controls, there is usually an even larger gap in which security controls are centrally logged and monitored
– Multi-control correlation is rarely done, and even more rarely done right
– Security controls in silos are not enough
– The approach to analysis needs to be cohesive and behaviorally driven, with a monitoring/response posture based on knowing your users, network, and environment
– Need to evolve:
  – From compliance reporting to threat detection
  – From finding/neutralizing malware to dissecting/disrupting attacks
  – From static views of data to longitudinal data analytics
Security Control Frameworks
Security Control Monitoring Priorities:
• Perimeter-in
• Critical assets/crown jewels
• Kill chain/behavior-based
• Quick wins

SANS Critical Security Controls V5 – SANS Top 20
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

(ISC)2 Common Body of Knowledge (10 Domains)
1. Access Control
2. Telecommunications and Network Security
3. Information Security Governance and Risk Management
4. Software Development Security
5. Cryptography
6. Security Architecture and Design
7. Operations Security
8. Business Continuity and Disaster Recovery Planning
9. Legal, Regulations, Investigations and Compliance
10. Physical (Environmental) Security

ISO 27001:2013 (114 Controls in 14 Groups)
1. Information security policies (2 controls)
2. Organization of information security (7 controls)
3. Human resource security (6 controls that are applied before, during, or after employment)
4. Asset management (10 controls)
5. Access control (14 controls)
6. Cryptography (2 controls)
7. Physical and environmental security (15 controls)
8. Operations security (14 controls)
9. Communications security (7 controls)
10. System acquisition, development and maintenance (13 controls)
11. Supplier relationships (5 controls)
12. Information security incident management (7 controls)
13. Information security aspects of business continuity management (4 controls)
14. Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

NIST Special Publication 800-53 Rev. 4 (224 controls in 18 families)
1. Access Control
2. Awareness & Training
3. Audit & Accountability
4. Certification, Accreditation & Security Assessments
5. Configuration Management
6. Contingency Planning
7. Identification And Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical & Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System & Services Acquisition
16. System & Communication Protection
17. System & Information Integrity
18. Program Management
THANK YOU
Andrew [email protected]