change management: security's friend or foe?


Upload: observeit

Post on 03-Aug-2015


TRANSCRIPT

Page 1: Change Management: Security's Friend or Foe?

CHANGE MANAGEMENT:

SECURITY’S FRIEND OR FOE?

Larry Whiteside Jr. / Chief Security Officer

Sponsored by:

Page 2

AGENDA

Who am I and why do I care

The History of Change

Who is making your changes

Security’s Relationship with Change Management

Breach and Change Management

Security’s role in Change Governance

Possible measurements that will positively impact your security posture

Ask Questions in GoToWebinar!

Page 3

WHO AM I / WHY DO I CARE?

Over 20 years Cyber Security/ Risk Management / Physical Security

C-Level Security Executive across many verticals

DoD, Federal, Financial Services, Healthcare, Energy/Utilities

Consulting in many verticals

Education, Healthcare, Financial Services

Community Involvement

Co-Founder of International Consortium of Minority Cyber Security Professionals (ICMCP), ISSA, ASIS, OWASP, Security Advisor Alliance (SAA)

Speaking and Writing

SC Magazine, CSO Online, RSA Conference, Gartner Security Conference, industry webinars, securitycurrent.com, SecureWorld, Evanta CISO Summit, and many others

Larry Whiteside Jr. / Chief Security Officer

Page 4

THE HISTORY OF CHANGE

1980s • Change Management as a discipline began to emerge, driven by leading consulting firms

1990s • Industries undergoing significant and rapid change in areas such as IT began highlighting the benefits of Change Management programs on a broader scale

• ITIL, LEAN, etc…

2000s • Widespread acceptance of Change Management as a business competency for leading change

• Marked increase from 34% in 2003 to 72% in 2011

[Timeline graphic: 1980s, 1990s, 2000s]

Page 5

WHO IS MAKING CHANGES?

Outsiders (Third-parties: IT contractors & consultants)

Shared Accounts (Windows Admins, root, DBAs, System Admins,…)

Named Accounts (Developers, IT Contractors, Network Admin,…)

Service Accounts

Local Account / Credentials

Windows / UNIX system administrator

Help Desk administrator (password changes / access to files, etc.)

Page 6

SECURITY’S RELATIONSHIP WITH CHANGE MANAGEMENT

You should want certain questions answered

IT is responsible, but Security must hold them accountable

Page 7

BREACHES AND CHANGE MANAGEMENT

3 of the 7 phases of the Cyber Kill Chain impact configuration and change management

Stage #3 Delivery

Stage #4 Exploitation

Stage #5 Installation

Malicious internal users

Configuration mistakes by authorized people

If security is monitoring change and configuration, these changes can be identified

Page 8

SECURITY’S ROLE IN CHANGE GOVERNANCE

Know your systems and environment

Security should know about more than just FW changes

Do you check adherence to patch policy (if you even have a patch policy)?

If a change is made by a legitimate or non-legitimate admin, can you determine what it was?

How many outages have you had due to undocumented changes?

Page 9

METRICS THAT WILL POSITIVELY IMPACT YOUR SECURITY POSTURE

Patch Policy adherence

Unauthorized changes

Change processes which caused outages

FW changes processed

Other High Risk Scenarios: Remote connections / ‘leapfrog’ logins

Changes via Embedded Scripts (‘rm’ ‘cp’ with ‘sudo’ )

Changes to Active Directory (Password Resets, Adding Users, Changing Groups, Modifying Access, etc.)

Changes within Registry Editor such as Edit or Modify Specific Values (Firewalls, User Access Control, Applications / Software, Windows Components)
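Two of the high-risk scenarios listed above, sudo-wrapped ‘rm’/‘cp’ and ‘leapfrog’ logins, can be turned into concrete detections. The following is an added example, not code from the deck or from ObserveIT; the log lines and the host-to-IP inventory are constructed, and it assumes syslog-style sudo and sshd "Accepted" entries prefixed with the logging host, in chronological order.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original deck). Each line is
# prefixed with the host that recorded it.
SAMPLE_LOGS = [
    "hostA sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "hostB sshd[2210]: Accepted publickey for alice from 10.0.0.11 port 40310 ssh2",
    "hostB sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -rf /var/lib/app",
    "hostB sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart app",
    "hostA sudo: carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cp /tmp/sshd_config /etc/ssh/sshd_config",
]

# Assumed inventory (constructed): which managed host owns which IP address.
HOST_IPS = {"10.0.0.11": "hostA", "10.0.0.12": "hostB"}

SUDO_RE = re.compile(r"^(?P<host>\S+) sudo:\s+(?P<user>\S+) .*COMMAND=(?P<cmd>.+)$")
SSH_RE = re.compile(r"^(?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+)")
RISKY_BINARIES = {"rm", "cp"}


def risky_sudo_commands(lines):
    """Return (host, user, command) for every sudo invocation whose binary is rm or cp."""
    hits = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue
        # Strip the path so /bin/rm and /usr/bin/rm are treated alike.
        binary = m.group("cmd").split()[0].rsplit("/", 1)[-1]
        if binary in RISKY_BINARIES:
            hits.append((m.group("host"), m.group("user"), m.group("cmd")))
    return hits


def leapfrog_logins(lines, host_ips):
    """Return (user, first_host, second_host) when a user who already holds a session
    on first_host then logs into second_host from first_host's own address."""
    logged_in = defaultdict(set)  # user -> hosts where an accepted session was seen
    hops = []
    for line in lines:
        m = SSH_RE.match(line)
        if not m:
            continue
        user, host, src = m.group("user"), m.group("host"), m.group("src")
        origin = host_ips.get(src)  # None when the source is not a managed host
        if origin and origin in logged_in[user] and origin != host:
            hops.append((user, origin, host))
        logged_in[user].add(host)
    return hops
```

Both functions return tuples rather than printing, so they can feed an alerting rule or the "unauthorized changes" metric directly.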

Page 10

TAKEAWAYS AND RECOMMENDATIONS

Know your environment

Get involved in your change process

If you don’t have one, help create one

Find others already doing change and config management and copy models that work (adapt and change things to fit your particular business)

No need to recreate the wheel

Create metrics that matter and impact security

Page 11

THANK YOU!

CHECK OUT USER ACTIVITY MONITORING!

@LARRYWHITESIDE

Q&A After brief Intro to ObserveIT

Page 12

WHO IS OBSERVEIT?

HQ Boston, MA / R&D Tel Aviv, Israel

Founded 2006

1,200+ Customers Worldwide

$20M Invested by Bain Capital

The leading provider of User Activity Monitoring for Employees, Privileged Users and Third-party Vendors

Page 13

Capture User Activity

Logging for all user actions

Video-like Playback

Instant Notification

Rule-Based Analytics

Report & Audit

Real-Time Drill Down

User Interaction

Kill Sessions

USER ACTIVITY MONITORING

Collect Know Act

Page 14

USER ACTIVITY MONITORING & CHANGE MANAGEMENT:

Escalated privileges

Configuration changes

Embedded Scripts

Unsecure ‘shell’

Unauthorized access

Unapproved ‘setuid’

Lateral Movement

‘rm’ ‘cp’ with ‘sudo’

Creating “backdoors”

‘leapfrog’ logins

Page 15

“ONE SCREEN CAPTURE IS WORTH A THOUSAND LOGS”

COLLECT: 100% VISIBILITY

Page 16

“PROACTIVELY INVESTIGATE RISKY USER ACTIVITY”

Real-time Alerts: Who? Did what? On which computer? When? From which client?

KNOW: INSTANT NOTIFICATION

Page 17

“PREVENT RISKY ACTIVITY”

ACT: STOP INSIDER THREATS

Real-Time Drill Down

User Interaction: Message / Warn

Kill Sessions

Page 18

WHO’S BEING OBSERVED?

Employees

Custom & Commercial Apps

Third-parties

Service Providers & Contractors

Privileged Users

Critical Systems, Files & Data

Audit and Compliance: SOX, EU Data Protection Reform, HIPAA

Healthcare (PHI) data, Customer (PII) data, Employee data, Company data, Financial data, Intellectual property, Sales & marketing data

Page 19

HOW IT WORKS

Page 20

Q&A