building a security program from the ground up: crawl, walk, run!
DESCRIPTION
When auditors ask for details regarding change control, vulnerability management programs, patch cycles and system hardening guidelines, is it uncomfortable? Do you cringe when customers and partners ask for your security policies and guidelines? Need to have a security assessment and never been through the process? This is the webcast for you. Learn to crawl, walk and eventually run a successful security program. And we won’t even use the words cyber, APT or next generation. Promise.
TRANSCRIPT
Building A Security Program From The Ground Up
Joff Thyer, Black Hills Information Security
Paul Asadoorian, Security Weekly / Tenable Network Security
Why this talk?
My Wife Had A Baby
Pretty sure it’s mine, though the older one blames the mailman...
My 10 Month Old Just Started Walking
More like falling with style....
http://securityweekly.com Copyright 2014
About Me
• Day Job: Tenable Network Security Product Evangelist (Primarily Nessus)
• Founder of Security Weekly (weekly podcast, Internet TV)
• Gets hands (and other parts) dirty on penetration tests at Black Hills Information Security
• Loves family, embedded devices, beer, cigars, fishing, freedom & Kung Fu movies
(Photo captions: “Hail Nessus... <3”, “Beer”, “Beer+Cigars = Fishing”)
About Joff
• Security Consultant and Security Solutions Developer at Black Hills Information Security
• Remember Derbycon 2011? (“Covert Channels using IP Packet Headers”)
• Packet Ninja
• Teaches for SANS
• Helps out with Security Weekly
Crawl, Walk, Run
• Crawl - Know your network & systems, establish policies and procedures, have relations with network/sysadmins, define “secure”, awareness
• Walk - Implement patch management, vulnerability management, change control, hardening, IPS/Firewall/Anti-Virus, SDLC
• Run - Active defense, advanced roll-back/leap forward, cloud integration, threat & risk intelligence, advanced monitoring & event management
Policy & Procedures
• Policy = Who, What, Where, Why
• Procedures = How
• Policy must be signed off
• Procedures must be integrated
• Network & Systems Admins
• Help Desk & Desktop IT
• Operations
• Software Development
• Physical Security
Knowing Your Network
• Identifying new hosts
• Sniffing
• Logs
• Virtualization
• Keeping a Software Inventory
• Tracking infrastructure (switches, routers, storage)
• Getting ahead of new projects & software
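The “identifying new hosts” and “logs” points above can be turned into a routine check: compare DHCP lease grants against the asset inventory and flag anything the inventory has never seen, or a known machine that now announces a different name. This is an added example, not code from the webcast; the dnsmasq-style log lines and the inventory are constructed, and the inventory format (MAC to owner and hostname) is an assumption.

```python
import re

# Constructed sample of dnsmasq-style DHCP syslog lines (not captured traffic).
SAMPLE_LOG = """\
Mar  3 09:12:01 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.20 52:54:00:aa:bb:01 fileserver
Mar  3 09:12:07 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.54 52:54:00:aa:bb:02 jdoe-laptop
Mar  3 09:13:44 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.77 52:54:00:cc:dd:09 raspberrypi
Mar  3 09:14:10 gw dnsmasq-dhcp[812]: DHCPREQUEST(eth0) 10.0.1.77 52:54:00:cc:dd:09
Mar  3 09:20:31 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.54 52:54:00:aa:bb:02 reimaged-pc
"""

# Constructed asset inventory (hypothetical format): MAC -> (owning team, hostname on record).
INVENTORY = {
    "52:54:00:aa:bb:01": ("sysadmin-team", "fileserver"),
    "52:54:00:aa:bb:02": ("helpdesk", "jdoe-laptop"),
}

# Only DHCPACK lines mean a lease was actually granted; the client hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: (?P<host>\S+))?"
)

def parse_acks(log_text):
    """Yield (ip, mac, hostname) for each granted lease; other DHCP messages are skipped."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host") or ""

def find_unknown_hosts(log_text, inventory):
    """Leases for MACs that are not in the inventory: {mac: (ip, hostname)}."""
    return {mac: (ip, host) for ip, mac, host in parse_acks(log_text) if mac not in inventory}

def find_name_changes(log_text, inventory):
    """Known MACs that now announce a different hostname: {mac: (recorded, observed)}."""
    changes = {}
    for _ip, mac, host in parse_acks(log_text):
        if mac in inventory and host and host != inventory[mac][1]:
            changes[mac] = (inventory[mac][1], host)
    return changes
```

Unknown MACs are the candidates for the inventory (or for the quarantine network the 802.1x/NAC slide describes); a name change on a known MAC is usually a re-image, which is exactly the change you want the inventory to record.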
Segment Your Network?
• Trusted vs. Untrusted
• Segment properly
• Not an excuse for poor security
Relations
• Develop a great (not merely good) relationship with all systems administrators
• You are there to help
• This goes for developers too
• Do’s and Don’ts:
• Do bring them donuts
• Don’t go over their heads
• Do use positive reinforcement
• Do not beat them with sticks
User Awareness
• Create a security-minded culture
• Again, positive reinforcement
• Computers are smarter than people?
• Basic user awareness can be automated, run constantly, and still be effective
Patch Management
• MUST:
• Make effort to patch everything
• Have prioritization factors
• Use tools and automation
• Have nots:
• A 90-day patch window for ALL
• Only include Windows/UNIX/Linux
• Leave patching to users
Vulnerability Management
• Find all of your vulnerabilities
• Vuln management does not come with a bucket of sand
• Do the full spectrum:
• Network scanning
• Credentialed patch auditing
• Configuration Auditing
• Passive Scanning
• Send the results to the right people!
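The Patch Management slide asks for prioritization factors rather than one 90-day window for everything, and this slide asks that results reach the right people. Both can be expressed as a small routing step over scan output: each finding gets a priority and a due date from its severity and the asset’s exposure, then lands in the owning team’s queue. This is an added example, not the webcast’s own tooling; the assets, findings, and the specific windows (7/30/60/90 days, halved for Internet-exposed systems) are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed asset inventory (hypothetical): host -> owning team and Internet exposure.
ASSETS = {
    "web01":  {"owner": "web-ops",  "internet_exposed": True},
    "db01":   {"owner": "dba-team", "internet_exposed": False},
    "ws-042": {"owner": "helpdesk", "internet_exposed": False},
}

# Constructed findings; "source" records which of the slide's scan types produced each one.
FINDINGS = [
    {"host": "web01",  "title": "Outdated TLS library", "severity": "critical", "source": "network"},
    {"host": "db01",   "title": "Missing OS patch",     "severity": "high",     "source": "credentialed"},
    {"host": "ws-042", "title": "Missing OS patch",     "severity": "high",     "source": "credentialed"},
    {"host": "ws-042", "title": "Weak local policy",    "severity": "medium",   "source": "config"},
    {"host": "db01",   "title": "Old client software",  "severity": "low",      "source": "passive"},
]

# Assumed remediation windows in days, by severity, instead of one flat 90-day window.
WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def priority(finding, assets):
    """Higher is more urgent: severity rank, bumped one step for Internet-exposed assets."""
    rank = SEVERITY_RANK[finding["severity"]]
    if assets[finding["host"]]["internet_exposed"]:
        rank += 1
    return rank

def due_date(finding, assets, found_on):
    """Deadline from the severity window, halved when the asset is Internet-exposed."""
    days = WINDOW_DAYS[finding["severity"]]
    if assets[finding["host"]]["internet_exposed"]:
        days = max(1, days // 2)
    return found_on + timedelta(days=days)

def route_findings(findings, assets, found_on):
    """Group findings by owning team, most urgent first: (priority, host, title, due)."""
    by_owner = defaultdict(list)
    for f in findings:
        owner = assets[f["host"]]["owner"]
        by_owner[owner].append((priority(f, assets), f["host"], f["title"], due_date(f, assets, found_on)))
    return {owner: sorted(items, key=lambda item: -item[0]) for owner, items in by_owner.items()}
```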
Hardening & Change Control
• Do have a plan to configure, harden and keep systems secure
• “Only enable stuff you need”
• Balance: System has to be usable
• Real Problem: Keeping “secure”
• Constant process, change control
IPS/Firewall/Anti-Virus
• These things are “good” (not great)
• They are like a flu shot:
• There is a known threat
• Generally you know how to remediate
• You vaccinate, little impact to user
• It can stop known threats
• Should not cost a lot
SDLC
• Get ahead of the process
• Interview developers and project leaders (what does the stuff DO?)
• Use secure libraries
• Build security into all phases:
• Planning
• Development
• QA
• Post-Production scanning (pen testing)
802.1x / NAC
• Prevent “bad” things from getting on the network in the first place
• If “bad” things happen, put them in a different network for a while and remediate
• Control new systems and software to avoid surprise!
Keep ’Em Rollin’
• When (not if) compromise happens
• Understand how/why
• Build a new image with remediation
• Rollout new system
Application Whitelisting
• Yep, it’s hard.
• Yep, we’ve talked about it before
• However:
• It can be an effective mechanism for defeating malware
• You have to really know your systems
• We did a whole webcast on it “Fighting Malware: Taking Back The Endpoint”
• I am working on posting the video/slides, check securityweekly.com/webcasts
• (oh and computers are smarter than people)
Advanced Security Event Mgt
• Take logs from lots of things:
• Systems, Network, Applications, Databases, security devices
• And Do “Stuff” with them:
• Who is attacking me and how?
• Intrusion analysis and attack paths
• Find compromised systems
• Detect behavior that requires action
For Slides Join Our Mailing List:
http://securityweekly.com/insider
Podcast/Blog/Videos: http://securityweekly.com
Contact Me: [email protected]
http://tenable.com/careers
http://www.blackhillsinfosec.com