ntxissacsc4 - layered security / defense in depth

@NTXISSA#NTXISSACSC4Dell - Internal Use - Confidential

LayeredSecurity/DefenseInDepth

NathanShepardCustomerInformationSecurityManager

DellServicesOctober7-8,2016


Bio• CustomerInformationSecurityManager• Currentlyonafinancialcustomer• Servicedover20customersinmy17yearswithPerot/Dell

• Healthcare• Power• Finance• Others

• Corporatelevelconsulting• InformationSecurityManagement• CISSP• CISM• CISA• CRISK• 33YearsinIT• 21YearsinInfoSec• Veteran,U.S.Army,U.S.CoastGuard

NTXISSACyberSecurityConference– October7-8,2016 2


ThisPresentation• IsbasedonInformationSecuritybestpractices(aconglomerationofpractices

derivedfromregulatoryrequirementsandpublishedindustrystandards)andismeanttogiveageneraloverviewofwhatacomprehensiveInformationSecurityprogramshouldlooklikeinanygivenindustry.

• Ishighlevel,myobjectiveistooutlinethescopeofanentireInformationSecurityprogram,notprovideprecisedetailsoneachandeveryaspect.

• Isnotasalespresentation.Ihavenothingtosellyou.• Isn’tmeanttoscareyou,butitmight.• Isn’tmeanttodissuadeyoufromfollowinganInfoSeccareer,butitmight.• Don’taskmedetailedindepthquestionsaboutthecontrols,I’mageneralist.I

pointtothecorrectsubjectmatterexpertsforthecontrols.


Whythispresentation?• Inmanyofthepresentationsyouwillseethisweekend,oratothervenues,youwill

receiveanindepthanalysisofaproblem,oraprocess,oratool,oracontrol.• Whiletheseareexcellent,Ihaveseennopresentationsonhowitallfitstogether.• Inmyrole,Ifrequentlyhavetointerviewindividualsforthesameorsimilarpositions

astheoneIoccupyandenjoy.• Iaskeachoneofthemtoexplaintome“DefenseinDepth”or“LayeredSecurity”.

Maybe1in5cangiveagoodanswer.Andtheseareallseasonedsecurityprofessionals.

• Mayofushavetunnelvision,knowingaLOTaboutspecificaspectsofsecurity,butlackinganoverviewoftheentireprocess.

• Today,Iwanttoremedythatsituation.


Confusion!Somanyvendors,solittletime.

AlertLogic

SecurIS

SafeNet

SentinelIPS

Shavlik

Solutionary

VeloCloud

Vipre

SourceFire

Niksun

Varonis

Cylance

Tempered

ThreatTrack

Cadre

SecureData Vormetric

VisualClick

WildPackets

ZixCorp

Attivo

ProtectWise

iScanOnLine

PaloAlto

NSFocus

UDI

SentinalOne

DataSolutions

LightCyber

LogRhythm

Lumeta

LanDesk

NexusGuard

Kasperskey

JumpCloud

IXIA

InNet

Hytrust

Gigamon

eSkyCity

InfoBlox

F5

Fortinet

FutureCom

Genalto

GlobalScape

InterfaceMasters

PreferredTechnology SkyPortSystems

NetBoundry

ObservableNetworks

OpenDNS

DellSecureWorks

Sumologic

UniqueDigital

CyberReason

Juniper

egress

Druva

DarkTrace

Cumulus

Symantec

Microsoft

McAfee

Nessus

Qualys

A10

AboveSecurity

AccuData

Barracuda

BeyondSecurity

BlueCoat

Cleo

CheckPoint

Cisco

CriticalStart

CriticalWatch

BitDefender

Sophos

TrendMicro

eset

BAESystems

Clearswift

RedSeal

F-Secure

Stormshield

Webroot

Panda

IBM

Bit9

SnoopWall

InfoDefense

iNetU

Apcon Packetviper

SIMS

Tiepoint

Synack

Caliber

DirectDefense

AVINetworks

Forrester

Duo

SecureAuth

Stealthbits

Fidelis

Venafi

ForeScout

Xirrus

BeyondTrust

BluVector

Illumio

MaxNet

Aerohive

invincea

Centrify

Cyber-Ark

Axway

WatchGuard

iMPERVA

RSA

Riverbed

Tripwire

FireEye

Intelisecure

NetSpi

Accenture

TippingPoint

ArubaNetworks

ExtremeNetworks


LayeredSecurity


By Layer


Personnel


HR• Righttowork• BackgroundChecks• ResumeChecks• On-Boarding• Off-Boarding• CorrectiveAction

• PIP(PerformanceImprovementProcess)


Awareness• Peopleareourbiggestthreat• AnnualAwareness• RoutineAwareness• GroupOn-BoardingAwareness• ActiveIssueAwareness• SocialEngineering• Phishing• Avoidingcommunicationsoverload• Lackofsensitivitytowardsconfidentiality• DataHandlingProcedures


Physical


Facilities• LocationConsiderations

• Flood,Crime,Earthquake,Industrial,Railroad,Hurricanes,Tornados,Snow• PerimeterControls

• Guards• VehicleBarriers• Fencing• Lighting• CCTV• Sensors

• AccessControls• CardKeys/BadgeReaders• ManTraps

• InternalControls• Internalzonesegmentation• CardKeys/BadgeReaders• MotionSensors• CCTV

• Wiringclosetcontrols(restrictedaccess)• PhysicalSecurityAuditingandPenetrationTesting


DataCenters• Redundancy:

• Locations Powersuppliers Offlinepower(generators)• Fuelforofflinepower Telecommunications Networking• AirConditioning Water

• CapacityPlanning• Access

• HighlyRestricted CardKeys Lockedcabinets• Segregatedareas(fencing/locks) Tiedtochangemanagement ControlledbyDCOps

• Detection• Fire/Smoke Water Temperature• Humidity CCTV Intrusion(Doors)

• FireSuppression• ChangeProcedures• CleaningandMaintenance• Harddriveretention/disposal


Internal


Network• Segmentation

• Avoidingflatnetworks• VLANsforseparation• Avoidingany-anyrules• SeparateUsersfromInfrastructure• SeparateDevelopment,Test,Q/A,UAT,Production• SeparateregulatedareassuchasforPCIcompliance• Separateotherhighriskdepartments(medialrecords,finance,HR)• SeparatebymajorDepartments• Separatebygeographically• Separatebyfunction(suchasadministratoraccessonaseparateVLAN)

• Adminaccess• Strictcontrolsovermodifyaccess• EnsureallofyoureggsareNOTinonebasket(SanFrancisco,2008,

http://www.infoworld.com/article/2653004/misadventures/why-san-francisco-s-network-admin-went-rogue.html)

• NetworkIntrusionPrevention/Detection• Oninternalsegments,notjustingress/egress


Network(cont)• InternalTransmissionEncryption

• Passwordtransmission• Generalinternaltransmissionencryptionisnotmandated(thatIknowof),butshouldbe

considered

• NAC(NetworkAccessControls)• Serverregistration• Endpointdeviceregistrationandmandatorycontrols.• Non-compliantisolation• RogueWirelessAccessPoints


Servers/Databases• AssetManagement

• Ifyoudon’tknowwhatyouhave,howcanyouprotectit.• BusinessOwnership• Whatservers,DBs,supportwhatapplications

• FileIntegrityMonitoring• HIDS

• CrownJewels(PII,PHI,PCI,DC,KeyManager,Finance)• Backups

• BackupEncryption• OSPatching• DBPatching• EncryptionatRest• AccessControl

• Provisioning/De-Provisioning• Separationofduties• RBAC• Auditing• IdentityManagement(IDM)


Servers/Databases(cont)• AdminAccess

• UniqueUserID(nogeneric)access• Don’tusethesameUserIDastheirnormalnetwork/workstationaccess.• Minimizedomainandserveradminaccess• Logactionstaken• Encryptedaccess(noTelnet)

• ChangeControls• Postdeploymentchanges(applications,databases,etc)• VulnerabilityScanning• Promotiontouse(Dev/Test/Prod)


Servers/Databases(cont)• SecureConfiguration

• Industrystandardcontrols(vendor,NIST,customized) Goldimages• StandardizedconfigurationsperOS,peruse,perzone Vulnerabilityscannedimages• SupportedOS(n-1);Documentation(rundocuments) LogSettings• CentralizedLogging Anti-Virus• Removalofun-neededservices/software AssetManagement• Patching AssetManagementAgent• Monitoring Fileintegritymonitoring• Authenticationcredentialcontrols EncryptionatRest• Encryptionintransit Auto-logoff• DefaultUserIDs DefaultPasswords• Nodual-homed More


Applications• AssetManagement

• NamingStandards;Ownership;Licensing;SourceCodeEscrow.

• Authentication/Authorization• Applicationfirewalls• Applicationvulnerabilityscanning• SecureCodingProcesses• Documentation

• Servers;NetworkSegments;Databases;Interactions;DataFlow;DataClassification

• SecureConfiguration• Monitoring;Logging;Patching;Encryption;NetworkSegment;


Applications(cont)• SDLC(SoftwareDevelopmentLifecycle)

• Codechangecontrols• Separationofduties• Librariesaccess

• Developmentenvironmentcontrols• Equalsecuritycontrols• Livedatauserestrictions(ePHIDe-Identification)• Networksegregation• Nodevelopmentonproductionsystems

• Integritycontrols• Input/outputverification Errorhandling Incompletedata• Missingfieldrequired DatafieldLimit Balancingcontrols• Duplicaterecordsprocessing Databufferoverrun Checkdigitvalidation• Datafieldcombinationorcorrelationtests• Scriptingvulnerabilitiesidentificationandremediationpriortopublication• Restrictstoreddatachangestotheapplicationinterfaceonly


EndPoint• Desktopadminaccess• SecureConfiguration• Anti-Virus• LocalFirewall• MediaControls• ApplicationControls• HostDataLossPrevention• HostIntrusionPrevention• Disk/FileEncryption• Patching• Mobiledevices• BYOD• Monitored24x7


VulnerabilityScanning

• Assetidentification• Vulnerabilityassessment• Authenticated,Un-Authenticated

• Frequency• Impact• External/Internal• Workstations• Remediation


VirtualizedEnvironment• Toolsmaydifferfromthe‘physical’devices• Consistencyofcontrolsacrossallguests• Hardeningofthehostvirtualizationenvironment• Ensuringresourceallocationhasaccountedforsecuritycontroloverhead(such

asAVscanningwhichcanberesourceintensive)• PatchingandVulnerabilityScanningattheHVLevel• AVneedstohaveresourceutilizationlevelingtoensurethatsimultaneousscans

orupdateswon'timpacttheperformanceofvirtualenvironments• Mayrequireadifferentproduct• Randomizewhenscansandupdatestakeplace,preventingresource

contentionandlevelingCPUresources• IOawareScanTuning,andmultithreadingforoptimalperformance


External


PenetrationTesting

• Donebyaninternalparty(pre-testing)• Donebyanexternalparty(ComplianceCertificationsuchasPCI)• Proactiveidentificationofweakcontrols• Remediation• Re-scanning


DOSFrontEnd• DenialofService(DOS),DistributedDenialofService(DDOS)• Infrontoftheinternetrouter• 3dpartyorISPprovidedservices• Monitoring• Incomingdatare-directandfiltering


Firewalls• TraditionalFirewalls• NexGenFirewalls• Attheparameter• Segmenting

• Internal/External• External/DMZ• DMZ/Internal• Internal/Internal

• CriticalRules• DenybyDefault• Eliminationofany-any• RestrictingrulestospecificIPs,ranges,ports• GeoBlocking

• Maintenance• Reporting;Alerting;Logs

• RuleTracking• Auditing

• Criticaltohaveaperiodic3dpartyrules/configurationreview


NIPS/NIDS• NIDS(Passive)/NIPS(Active)• Positioningiscritical.• Internal/External• BetweenZones• Centralizationoflogs• SIEM• SOC


DMZ• AllexternalaccessterminatesinaDMZ• Site2SiteVPNs• Client2SiteVPNs• WebServers• E-mail• Internet• StrictcontrolsoveraccessbetweenDMZandinternalzones.• CanhavemultipleDMZZonessuchasaseparatezoneforvendoror3dparty

interaction.


E-MailGateway

• Anti-Spam• Anti-Virus• SecureE-MailDelivery• ComplianceFiltering


InternetGateway• InternetContentFilter

• Websurfing Webthreats Socialmediause• Instantmessaging Webbasede-mailuse LiveStream• Reputationalblocking Lexicalandascoringsystems• ‘Break-the-glass’• Canbeusedforcompliancemonitoringandremediation• CanbetiedtoAD/LDAPforpositiveidentificationoftheindividual


TransmissionEncryption• Alltransmissionofsensitiveorregulateddataoveropennetworks(theInternet)• Alltransmissionofpasswords• Alladministratoraccesssessions(noTelnetorFTP)


DataLossPrevention• Addressesaccidentalorintentionaldisclosureofdataanddatatheft• Network-based• Scanandreport


CloudComputing• MayaddmultiplelayerstoInformationSecurity• Howhasyourdata?

• The3dpartyyoucontractedwith?• TheDCtheyoutsourcedto?• 3dPartiestheDChasoutsourcedto?

• ContractCriticality• Vendorvetting Dataownership Dataaccess• Dataretention Datarestoration SLAs• GeographicalLocations HRProcesses/EmployeeVetting

• Youarenotrelievedofresponsibility• SecurityControls

• LeveragedFirewalls LeveragedIPS LeveragedPhysicalHdw• AccessManagement Centralizedlogging DataFlow


By Cross Functional


Policies,StandardsandProcedures• CoreoftheInformationSecuritycyclicalprocess• ISO9001:“Documentwhatyoudo,dowhatyoudocument”• UsedtoeducateanddirecttheendusersaswellasITstaff,vendors,etc• Usedtoenforcecompliance,consistentconfigurationsandpractices• Usedtoforceformalexceptionsforbadpractices• Regulatoryrequired• Auditrequired• Establishaprocessfordocumentationreviewandapproval• Establishdocumenttemplatesforpolicies,standardsandprocedures• Establishanumberingsystemtoensurealogicalordertodocumentation• Establishadesireddocumentationmatrix(nextslide)


MyStandardStructure


BCP/DR

• Criticalpart,frequentlynotseeas‘security’• BC

• Wherewillanemployeework?• Howwilltheemployeeconnect?• Arethere‘offline’processes?• Whatservicesaremandatory?Not?• Exercises

• DR• Planning• Criticality• RecoveryPoint• RecoveryTime• Hot,Warm,ColdSites• Exercises


Audits• Compliance

• HIPAA,HITECH,PCI,FERC/NERC,SEC,GLBA,SOX

• SelfAuditing• Keepyourcontrolsundercontrol.• Access,Incidents,Tasks

• InternalAudit• Yourbestfriend.Helpsyoutofindissuesfirst.

• External‘Prep’Audit• Yourbestfriend.Helpsyoutofindissuesfirst.

• ExternalFormalAudit• Goodtimetotakeavacation.


Logging,SIEM,SOC• Haveanaudittrail.• Anti-Forensicresistant.• DeterminewhatmustbeloggedbyIPS,DLP,Firewalls,Servers,Applications,AV,

etc.• Reactattheearliestpossibletimetoreduceimpact• 24x7orviareportandrequest• Expertreviewandanalysis(ifusingamanagedSOC)• Minimizefalsepositivesthroughanalysisandtuning


EventAnalysis

4,159,085,410,119 - TotalEvents

157,202,478,589TotalSecurityEvents

4,216,300,021AdvanceCorrelated

Events

15,137,697AnalystEvents

321,290TicketsEscalated

EventFilters

AutomatedCorrelation(MPLE)

ExpertAnalysis&Investigation

ClientEscalations

Technology

People&Process

Escalationsis0.000008%ofTotalEvents


CSIRT


ITILProcesses• InformationTechnologyInfrastructureLibrary• ITILprocessesareusedthroughouttheInformationSecurityprogramtoensure

integrationwiththerestofIToperations• RequestManagement• IncidentManagement• ChangeManagement• ProblemManagement

• ConfigurationManagementDataBase(CMDB)forassettracking


Governance


Howdoyoustackup?


Question and

Answer

@NTXISSA#NTXISSACSC4Dell - Internal Use - Confidential @NTXISSA#NTXISSACSC4

The Collin College Engineering DepartmentCollin College StudentChapteroftheNorthTexasISSA

NorthTexasISSA(InformationSystemsSecurityAssociation)

NTXISSACyberSecurityConference– October7-8,2016 48

Thankyou