Information Security Considerations and Recommendations for IT Decision Makers and Business Unit General Managers

Black Opp Systems, John Reno ([email protected]), August 2009

Description: best practices approach to information security

Transcript

Page 1: Information Security Gm Aug09

Title slide: Information Security Considerations and Recommendations for IT Decision Makers and Business Unit General Managers. Black Opp Systems, John Reno, August 2009.

Page 2: Information Security Gm Aug09

Contents

• Summary
• Market Environment
• Making Decisions
• Information Security Technology Review
• Resources

Technology areas covered in the review (diagram labels):

• Risk Management, Policy Management, Business Continuity
• Application Security, Compliance, Internal Auditing
• Identity and Access Management
• Encryption/Key Management
• Data Loss Prevention
• Network Monitoring, SIEM, Endpoint Enforcement

Page 3: Information Security Gm Aug09

Summary

– Purpose
  • Enable IT and security management to operate more effective information security programs
  • Provide business unit general managers with context with respect to information security to make better decisions
– Approach
  • Evaluation of the information security market, business needs and infrastructure trends
  • Supported by quantitative data from various industry sources: IDC, Fortune Inc., Symantec, CSI, Ponemon Institute, datalossDB.org

Page 4: Information Security Gm Aug09

Market Environment – General Observations

– Information security market (products and services)
  • Fragmented, high growth, constantly evolving
  • Information security becoming a component of risk management
– Typical attitude
  • Information security spending remains a priority
  • Do not want another product to manage
– Technology
  • Start-up driven innovation
    – Point solutions
  • No silver bullet
    – Lots of process in every solution

Page 5: Information Security Gm Aug09

Market Environment – Information security system best practices

Life cycle diagram (labels only; the original slide is a figure):

• Business drivers: Business Requirements, Policy, Risks
• Requirements definition: Strategy, Risk model, Data map, Control map
• Control: Implement, Manage, Audit
• Business enablement
• Life Cycle Review

Page 6: Information Security Gm Aug09

Market Environment – Information security system

– Best practices
  • Driven by business requirements
  • Focus on risk reduction
  • Security program driven by policy
  • Management through analysis of metrics
  • Results in business enablement
– Common shortcomings
  • Focus on technology rather than process
  • Decisions driven by fear
  • Event orientation around regulatory compliance
  • Ad-hoc staffing, responsibilities and policies
  • Restricts business agility, growth and income

Page 7: Information Security Gm Aug09

Market Environment – Representative issues

Diagram (labels only): supplier and customer activities across the commerce cycle, with the security issue associated with each function.

Supplier/customer activities: Marketing, Selling, Shipping, Service and Support, Design, Development, Payables, Receivables, Receiving, Shopping, Purchasing, Using and Maintaining

Function and representative issue:

• Collaborative Commerce: Intellectual Property
• Search, Discovery, Offering: Reputation
• Trusted Transactions: Integrity
• Electronic Funds Transfer: Value
• Logistics/Supply Chain Management: Theft
• Customer Relationship Management: Privacy

Page 8: Information Security Gm Aug09

Market Environment – Information security system

• Where security programs often go wrong
  – Flawed understanding of environmental conditions
    • Why are so many security products ineffective? Asymmetric information favors the attacker
    • Failure to recognize that:
      – Trust management is an arms race; risk management is manageable (and manageable at a profit)
      – Risk control encapsulates trust
  – Flawed understanding of security system requirements
    • Primary system requirements are always security, scalability and integration
    • Only platform vendors can deliver security that is integrated enough to scale and invisible enough to ignore
  – Flawed understanding of process
    • Security is a means and not an end

Page 9: Information Security Gm Aug09

Market Environment – Threat evolution

Examples and trends (diagram labels only):

=> Attackers focus on the network layer
=> Proliferation of worms
=> Dissolving network perimeter
=> Attackers focus on the application layer
=> Attackers shift to client-side attacks

Page 10: Information Security Gm Aug09

Market Environment – Threat Economy

Diagram (reconstructed from its labels): the chain from writers through middle men and abusers to end value.

• Writers: Tool and Toolkit Writers; Malware Writers (Worms, Spyware, Viruses, Trojans)
• Middle Men: Bot-Net Creation; Bot-Net Management: For Rent, for Lease, for Sale; Personal Information; Electronic IP Leakage; Information Brokerage
• First Stage Abusers: Hacker/Direct Attack; Machine Harvesting (Compromised Host and Application); Information Harvesting; Internal Theft: Abuse of Privilege
• Second Stage Abusers: Spammer; Phisher; Extortionist/DDoS-for-Hire; Pharmer/DNS Poisoning; Identity Theft
• End Value: Financial Fraud; Commercial Sales; Fraudulent Sales; Advertising Revenue; Espionage (Corporate/Government); Fame; Extorted Pay-Offs; Theft

Page 11: Information Security Gm Aug09

Market Environment – Compliance Structure

Diagram (labels only): Risk Management, Policy, Controls and Configuration Guidance

• Regimes: FISMA, HIPAA, SOX, GLB, INTEL, COMSEC, DoD, ISO, PCI
• Control catalogs and requirements: SP 800-53, DCID, NSA Req, DoD IA Controls, ISO 17799/27001, PCI DSS Guide
• Configuration guidance: SP 800-68, DISA STIGs, NSA Guides

Page 12: Information Security Gm Aug09

Market Environment – Information security system

– Threat landscape
  • Cybercrime
  • Internal malicious activity
  • Business partners
– Key concerns
  • Brand protection
  • Risk reduction
  • Service availability
  • Employee productivity
  • Regulatory fines
  • Reputational damage

Page 13: Information Security Gm Aug09

Market Environment – The customer security system: product and service categories

Security Products
• Risk management
• Policy management
• Business continuity
• Application security
• Data security
• Encryption
• Endpoint and network enforcement
• SIEM/monitoring

Security Services
• Risk management
• Policy development
• Assessment
• Compliance
• Audit
• Architecture
• Implementation

Page 14: Information Security Gm Aug09

Market Environment – Representative Security Framework (NIST)

Security Life Cycle (SP 800-39), shown in the original as a cycle of six steps:

• CATEGORIZE Information System (FIPS 199 / SP 800-60): define criticality/sensitivity of the information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls (FIPS 200 / SP 800-53): select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls (SP 800-70): implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A): determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
• AUTHORIZE Information System (SP 800-37): determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State (SP 800-37 / SP 800-53A): continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Page 15: Information Security Gm Aug09

Market Environment – Security and Compliance Best Practices

• Assure appropriate management structure is in place to oversee security and compliance
• Establish policies, procedures and standards
• Communicate policies and procedures to all stakeholders
• Ensure security and compliance policies and procedures are being executed
• Enforce the policies, standards, and procedures consistently through appropriate process, controls and automation
• Implement a feedback loop to enable monitoring and modifications
  – Establish that due diligence is made to provide appropriate security and compliance

Page 16: Information Security Gm Aug09

Making Decisions

• Decision making process
  – Understand the business conditions
    • Team capability, operating environment, threat model, business drivers, etc.
  – Determine the requirements for success
    • Business goals, security requirements, operational metrics
  – Identify potential solutions
    • Usually three or four reasonable choices
  – Quantitatively model the business impact of each solution
    • Need to account for the uncertainty associated with each choice
  – Choose the optimal solution

Page 17: Information Security Gm Aug09

Making Decisions

• Illustrating the decision making process through an example
  – Company
    • Major storage equipment supplier
  – Organization
    • Information technology and security operations
  – Problem
    • Save 25% in annual operating costs while achieving compliance
    • Measure the business value of the project

Page 18: Information Security Gm Aug09

Making Decisions

• Business conditions
  – IT and security organization
    • General reputation for technical excellence
    • Cost reduction for compliance identified as key project for overall organization savings
    • Project plan in process with TCO and ROI as key metrics
  – Issues
    • Was the proposed project plan the most effective?
    • Were there more effective and efficient alternatives?
    • What was the value contributed to the business by doing the project?

Page 19: Information Security Gm Aug09

Making Decisions

• Current conditions
  – Status quo approach to the problem
    • Reduce costs through headcount reductions
    • Meet ROI and TCO goals
  – Issues
    • No systematic measure of business value
    • Lacking the ability to quantitatively predict whether cost reduction targets could be met

Page 20: Information Security Gm Aug09

Making Decisions

• Decision making approach
  – Understand current system characteristics
  – Acquire qualitative and quantitative data
  – Develop a model of operational cost over a three year time period considering viable options
  – Develop a model of business value and drivers over three years considering viable options
  – Evaluate NPV, ROI and TCO of viable plans
  – Move forward with actions required to meet goals and best practices to be applied
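As an added example (not from the Black Opp Systems deck), the following Python model carries out the approach above for the compliance cost-reduction case: each viable option gets a three-year operating-cost model with uncertainty, from which expected NPV, TCO and ROI and the probability of meeting the 25% saving target are derived. The discount rate, the triangular cost ranges and the sample figures are assumptions.

```python
import random
from statistics import mean

DISCOUNT_RATE = 0.10   # assumed cost of capital for NPV (not from the deck)
YEARS = 3              # three-year horizon used in the decision approach
TARGET_SAVING = 0.25   # the 25% operating-cost saving goal from the example


def npv(rate, cash_flows):
    """Net present value; cash_flows[0] is year 0 and is not discounted."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def evaluate_option(option, baseline_annual_cost, rng, trials=5000):
    """Monte Carlo over uncertain annual operating cost for one option.

    option: 'name', 'upfront' (one-off investment) and a triangular
    'low'/'mode'/'high' range for annual operating cost (assumed shape).
    Returns expected NPV of savings, TCO and ROI, plus the probability
    that the three-year average cost meets the saving target.
    """
    npvs, tcos, rois, hits = [], [], [], 0
    for _ in range(trials):
        annual = [rng.triangular(option["low"], option["high"], option["mode"])
                  for _ in range(YEARS)]
        savings = [baseline_annual_cost - c for c in annual]
        npvs.append(npv(DISCOUNT_RATE, [-option["upfront"]] + savings))
        tcos.append(option["upfront"] + sum(annual))
        if option["upfront"] > 0:   # ROI is undefined with no investment
            rois.append((sum(savings) - option["upfront"]) / option["upfront"])
        if mean(annual) <= (1 - TARGET_SAVING) * baseline_annual_cost:
            hits += 1
    return {"name": option["name"], "npv": mean(npvs), "tco": mean(tcos),
            "roi": mean(rois) if rois else None, "p_target": hits / trials}


def rank_by_npv(options, baseline_annual_cost, seed=1):
    """Evaluate the viable options and rank them by expected NPV, best first."""
    rng = random.Random(seed)   # fixed seed makes the comparison reproducible
    results = [evaluate_option(o, baseline_annual_cost, rng) for o in options]
    return sorted(results, key=lambda r: r["npv"], reverse=True)


if __name__ == "__main__":
    # Constructed sample figures for a compliance cost-reduction project.
    baseline = 1_000_000.0
    options = [
        {"name": "status quo: headcount cuts", "upfront": 0.0, "low": 720_000, "mode": 780_000, "high": 900_000},
        {"name": "automate controls", "upfront": 300_000.0, "low": 600_000, "mode": 700_000, "high": 800_000},
    ]
    for r in rank_by_npv(options, baseline):
        print(f"{r['name']}: NPV {r['npv']:,.0f}  TCO {r['tco']:,.0f}  "
              f"P(meet 25% target) {r['p_target']:.2f}")
```

A status-quo plan with no investment can show a respectable NPV yet a near-zero probability of hitting the target, which is exactly the gap the slide describes.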

Page 21: Information Security Gm Aug09

Information Security Technology Review

• Discussion around the following areas:
  – Risk Management, Policy Management, Business Continuity
  – Application Security, Compliance, Internal Auditing
  – Identity and Access Management
  – Encryption/Key Management
  – Data Loss Prevention
  – Network Monitoring, SIEM, Endpoint Enforcement

Page 22: Information Security Gm Aug09

Information Security Technology Review

• Discussion topics
  – Best practices
  – Business impact
  – Process
  – Scalability
  – Integration
  – Product vendors
  – Service vendors

Page 23: Information Security Gm Aug09

Resources

• Threat environment
  – OSF Dataloss DB
  – Symantec Internet threat report
• Security practices
  – CSI
  – Verizon Business
• Business impact
  – Ponemon Institute
• Process guidelines
  – NIST
  – ISO 17799
• Application security
  – OWASP
  – WASC