NTXISSA CSC4 - Layered Security / Defense in Depth
TRANSCRIPT
@NTXISSA #NTXISSACSC4 Dell - Internal Use - Confidential
Layered Security / Defense In Depth
Nathan Shepard, Customer Information Security Manager
Dell Services, October 7-8, 2016
Bio
• Customer Information Security Manager
• Currently on a financial customer
• Serviced over 20 customers in my 17 years with Perot/Dell
  • Healthcare
  • Power
  • Finance
  • Others
• Corporate level consulting
• Information Security Management
• CISSP, CISM, CISA, CRISC
• 33 Years in IT
• 21 Years in InfoSec
• Veteran, U.S. Army, U.S. Coast Guard
NTXISSA Cyber Security Conference – October 7-8, 2016
This Presentation
• Is based on Information Security best practices (a conglomeration of practices derived from regulatory requirements and published industry standards) and is meant to give a general overview of what a comprehensive Information Security program should look like in any given industry.
• Is high level; my objective is to outline the scope of an entire Information Security program, not provide precise details on each and every aspect.
• Is not a sales presentation. I have nothing to sell you.
• Isn't meant to scare you, but it might.
• Isn't meant to dissuade you from following an InfoSec career, but it might.
• Don't ask me detailed in-depth questions about the controls, I'm a generalist. I point to the correct subject matter experts for the controls.
Why this presentation?
• In many of the presentations you will see this weekend, or at other venues, you will receive an in-depth analysis of a problem, or a process, or a tool, or a control.
• While these are excellent, I have seen no presentations on how it all fits together.
• In my role, I frequently have to interview individuals for the same or similar positions as the one I occupy and enjoy.
• I ask each one of them to explain to me "Defense in Depth" or "Layered Security". Maybe 1 in 5 can give a good answer. And these are all seasoned security professionals.
• Many of us have tunnel vision, knowing a LOT about specific aspects of security, but lacking an overview of the entire process.
• Today, I want to remedy that situation.
Confusion! So many vendors, so little time.
Alert Logic, SecurIS, SafeNet, Sentinel IPS, Shavlik, Solutionary, VeloCloud, Vipre, SourceFire, Niksun, Varonis, Cylance, Tempered, ThreatTrack, Cadre, SecureData, Vormetric, VisualClick, WildPackets, ZixCorp, Attivo, ProtectWise, iScanOnline, Palo Alto, NSFocus, UDI, SentinelOne, Data Solutions, LightCyber, LogRhythm, Lumeta, LANDesk, NexusGuard, Kaspersky, JumpCloud, IXIA, InNet, HyTrust, Gigamon, eSkyCity, Infoblox, F5, Fortinet, FutureCom, Gemalto, GlobalScape, Interface Masters, Preferred Technology, SkyPort Systems, NetBoundry, Observable Networks, OpenDNS, Dell SecureWorks,
Sumo Logic, Unique Digital, Cybereason, Juniper, egress, Druva, Darktrace, Cumulus, Symantec, Microsoft, McAfee, Nessus, Qualys, A10, Above Security, AccuData, Barracuda, Beyond Security, Blue Coat, Cleo, Check Point, Cisco, Critical Start, CriticalWatch, Bitdefender, Sophos, Trend Micro, ESET, BAE Systems, Clearswift, RedSeal, F-Secure, Stormshield, Webroot, Panda, IBM, Bit9, SnoopWall, InfoDefense, iNetU, Apcon, PacketViper, SIMS, Tiepoint, Synack, Caliber, DirectDefense,
Avi Networks, Forrester, Duo, SecureAuth, Stealthbits, Fidelis, Venafi, ForeScout, Xirrus, BeyondTrust, BluVector, Illumio, MaxNet, Aerohive, Invincea, Centrify, Cyber-Ark, Axway, WatchGuard, Imperva, RSA, Riverbed, Tripwire, FireEye, Intelisecure, NetSPI, Accenture, TippingPoint, Aruba Networks, Extreme Networks.
Layered Security
By Layer
Personnel
HR
• Right to work
• Background Checks
• Resume Checks
• On-Boarding
• Off-Boarding
• Corrective Action
  • PIP (Performance Improvement Process)
Awareness
• People are our biggest threat
• Annual Awareness
• Routine Awareness
• Group On-Boarding Awareness
• Active Issue Awareness
• Social Engineering
• Phishing
• Avoiding communications overload
• Lack of sensitivity towards confidentiality
• Data Handling Procedures
Physical
Facilities
• Location Considerations
  • Flood, Crime, Earthquake, Industrial, Railroad, Hurricanes, Tornados, Snow
• Perimeter Controls
  • Guards
  • Vehicle Barriers
  • Fencing
  • Lighting
  • CCTV
  • Sensors
• Access Controls
  • Card Keys / Badge Readers
  • Man Traps
• Internal Controls
  • Internal zone segmentation
  • Card Keys / Badge Readers
  • Motion Sensors
  • CCTV
  • Wiring closet controls (restricted access)
• Physical Security Auditing and Penetration Testing
Data Centers
• Redundancy:
  • Locations, Power suppliers, Offline power (generators), Fuel for offline power, Telecommunications, Networking, Air Conditioning, Water
• Capacity Planning
• Access
  • Highly Restricted, Card Keys, Locked cabinets, Segregated areas (fencing/locks), Tied to change management, Controlled by DC Ops
• Detection
  • Fire/Smoke, Water, Temperature, Humidity, CCTV, Intrusion (Doors)
• Fire Suppression
• Change Procedures
• Cleaning and Maintenance
• Hard drive retention/disposal
Internal
Network
• Segmentation
  • Avoiding flat networks
  • VLANs for separation
  • Avoiding any-any rules
  • Separate Users from Infrastructure
  • Separate Development, Test, Q/A, UAT, Production
  • Separate regulated areas such as for PCI compliance
  • Separate other high risk departments (medical records, finance, HR)
  • Separate by major Departments
  • Separate geographically
  • Separate by function (such as administrator access on a separate VLAN)
• Admin access
  • Strict controls over modify access
  • Ensure all of your eggs are NOT in one basket (San Francisco, 2008, http://www.infoworld.com/article/2653004/misadventures/why-san-francisco-s-network-admin-went-rogue.html)
• Network Intrusion Prevention/Detection
  • On internal segments, not just ingress/egress
Network (cont)
• Internal Transmission Encryption
  • Password transmission
  • General internal transmission encryption is not mandated (that I know of), but should be considered
• NAC (Network Access Controls)
  • Server registration
  • Endpoint device registration and mandatory controls
  • Non-compliant isolation
  • Rogue Wireless Access Points
Servers/Databases
• Asset Management
  • If you don't know what you have, how can you protect it?
  • Business Ownership
  • What servers and DBs support what applications
• File Integrity Monitoring
• HIDS
  • Crown Jewels (PII, PHI, PCI, DC, Key Manager, Finance)
• Backups
  • Backup Encryption
• OS Patching
• DB Patching
• Encryption at Rest
• Access Control
  • Provisioning/De-Provisioning
  • Separation of duties
  • RBAC
  • Auditing
  • Identity Management (IDM)
Servers/Databases (cont)
• Admin Access
  • Unique User ID (no generic) access
  • Don't use the same User ID as their normal network/workstation access
  • Minimize domain and server admin access
  • Log actions taken
  • Encrypted access (no Telnet)
• Change Controls
  • Post deployment changes (applications, databases, etc)
  • Vulnerability Scanning
  • Promotion to use (Dev/Test/Prod)
Servers/Databases (cont)
• Secure Configuration
  • Industry standard controls (vendor, NIST, customized)
  • Standardized configurations per OS, per use, per zone
  • Supported OS (n-1); Documentation (run documents)
  • Centralized Logging
  • Removal of un-needed services/software
  • Patching
  • Monitoring
  • Authentication credential controls
  • Encryption in transit
  • Default User IDs
  • No dual-homed
  • Gold images
  • Vulnerability scanned images
  • Log Settings
  • Anti-Virus
  • Asset Management
  • Asset Management Agent
  • File integrity monitoring
  • Encryption at Rest
  • Auto-logoff
  • Default Passwords
  • More
Applications
• Asset Management
  • Naming Standards; Ownership; Licensing; Source Code Escrow
• Authentication/Authorization
• Application firewalls
• Application vulnerability scanning
• Secure Coding Processes
• Documentation
  • Servers; Network Segments; Databases; Interactions; Data Flow; Data Classification
• Secure Configuration
  • Monitoring; Logging; Patching; Encryption; Network Segment
Applications (cont)
• SDLC (Software Development Lifecycle)
  • Code change controls
  • Separation of duties
  • Libraries access
• Development environment controls
  • Equal security controls
  • Live data use restrictions (ePHI De-Identification)
  • Network segregation
  • No development on production systems
• Integrity controls
  • Input/output verification, Error handling, Incomplete data, Missing field required, Data field limit, Balancing controls, Duplicate records processing, Data buffer overrun, Check digit validation, Data field combination or correlation tests
  • Scripting vulnerabilities identification and remediation prior to publication
  • Restrict stored data changes to the application interface only
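Several of the integrity controls listed above applied to a batch of records, as an added example in Python; this is not code from the presentation or from Dell. The record layout, the Luhn mod-10 check as the check digit scheme, the field limits and the sample batch are assumptions constructed for the demo.

```python
from typing import Dict, List, Set, Tuple
REQUIRED = ("record_id", "account", "amount", "start", "end")   # missing field required
FIELD_LIMITS = {"account": 19, "memo": 40}   # assumed data field limits (max length)

def luhn_ok(digits: str) -> bool:
    """Check digit validation: Luhn mod-10 over a digit string (assumed scheme)."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_record(rec: Dict[str, str], seen: Set[str]) -> List[str]:
    """Return the integrity-control failures for one record (empty list = accepted)."""
    errors = []
    for f in REQUIRED:                                   # missing field required
        if not rec.get(f):
            errors.append(f"missing:{f}")
    for f, limit in FIELD_LIMITS.items():                # data field limit
        if len(rec.get(f, "")) > limit:
            errors.append(f"too_long:{f}")
    if rec.get("account") and not luhn_ok(rec["account"]):   # check digit validation
        errors.append("bad_check_digit:account")
    if rec.get("record_id") in seen:                     # duplicate records processing
        errors.append("duplicate:record_id")
    # field combination test: ISO yyyy-mm-dd strings, so lexical order is chronological
    if rec.get("start") and rec.get("end") and rec["end"] < rec["start"]:
        errors.append("combination:end_before_start")
    return errors

def process_batch(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Validate a batch in order; only accepted records count toward duplicate detection."""
    seen: Set[str] = set()
    report = []
    for rec in records:
        errs = validate_record(rec, seen)
        report.append((rec.get("record_id", ""), errs))
        if not errs:
            seen.add(rec["record_id"])
    return report

SAMPLE = [  # constructed batch: clean, bad check digit, duplicate, multiple failures
    {"record_id": "1", "account": "79927398713", "amount": "10.00", "start": "2016-10-07", "end": "2016-10-08"},
    {"record_id": "2", "account": "79927398710", "amount": "5.00", "start": "2016-10-07", "end": "2016-10-08"},
    {"record_id": "1", "account": "79927398713", "amount": "10.00", "start": "2016-10-07", "end": "2016-10-08"},
    {"record_id": "3", "account": "79927398713", "amount": "", "start": "2016-10-09", "end": "2016-10-08", "memo": "x" * 41},
]
```

Each rejected record carries the list of controls it failed, so the batch report can feed a balancing control (records in versus records accepted) rather than silently dropping input.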
End Point
• Desktop admin access
• Secure Configuration
• Anti-Virus
• Local Firewall
• Media Controls
• Application Controls
• Host Data Loss Prevention
• Host Intrusion Prevention
• Disk/File Encryption
• Patching
• Mobile devices
• BYOD
• Monitored 24x7
Vulnerability Scanning
• Asset identification
• Vulnerability assessment
  • Authenticated, Un-Authenticated
• Frequency
• Impact
• External/Internal
• Workstations
• Remediation
Virtualized Environment
• Tools may differ from the 'physical' devices
• Consistency of controls across all guests
• Hardening of the host virtualization environment
• Ensuring resource allocation has accounted for security control overhead (such as AV scanning, which can be resource intensive)
• Patching and Vulnerability Scanning at the HV Level
• AV needs to have resource utilization leveling to ensure that simultaneous scans or updates won't impact the performance of virtual environments
  • May require a different product
  • Randomize when scans and updates take place, preventing resource contention and leveling CPU resources
  • IO aware Scan Tuning, and multithreading for optimal performance
External
Penetration Testing
• Done by an internal party (pre-testing)
• Done by an external party (Compliance Certification such as PCI)
• Proactive identification of weak controls
• Remediation
• Re-scanning
DOS Front End
• Denial of Service (DOS), Distributed Denial of Service (DDOS)
• In front of the internet router
• 3rd party or ISP provided services
• Monitoring
• Incoming data re-direct and filtering
Firewalls
• Traditional Firewalls
• NexGen Firewalls
• At the perimeter
• Segmenting
  • Internal/External
  • External/DMZ
  • DMZ/Internal
  • Internal/Internal
• Critical Rules
  • Deny by Default
  • Elimination of any-any
  • Restricting rules to specific IPs, ranges, ports
  • Geo Blocking
• Maintenance
  • Reporting; Alerting; Logs
  • Rule Tracking
  • Auditing
  • Critical to have a periodic 3rd party rules/configuration review
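An added example (not the presenter's or Dell's code) that audits an ordered firewall rule set against the critical rules and rule tracking points above: deny by default, no any-any allows, rules restricted to specific IPs, ranges and ports, and a change ticket on every rule. The rule format, the /16 breadth threshold and the sample rules are assumptions constructed for the demo.

```python
import ipaddress
from typing import Dict, List

ANY = "any"
MAX_ALLOW_PREFIX = 16   # assumed policy: an allow rule may not cover a range wider than /16

def _is_any(value: str) -> bool:
    """Treat the literal 'any' and the zero-length prefixes as unrestricted."""
    return value == ANY or value in ("0.0.0.0/0", "::/0")

def audit_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Return audit findings for an ordered rule list; an empty list means clean."""
    findings = []
    for i, r in enumerate(rules, 1):
        tag = f"rule {i} ({r.get('name', 'unnamed')})"
        src_any, dst_any, port_any = _is_any(r["src"]), _is_any(r["dst"]), _is_any(r["port"])
        if r["action"] == "allow":
            if src_any and dst_any:
                findings.append(f"{tag}: any-any allow")          # elimination of any-any
            elif src_any or dst_any or port_any:                   # specific IPs, ranges, ports
                findings.append(f"{tag}: allow uses 'any' in src/dst/port")
            for side in ("src", "dst"):                            # overly broad ranges
                if not _is_any(r[side]) and \
                        ipaddress.ip_network(r[side], strict=False).prefixlen < MAX_ALLOW_PREFIX:
                    findings.append(f"{tag}: {side} range wider than /{MAX_ALLOW_PREFIX}")
        if not r.get("ticket"):                                    # rule tracking / auditing
            findings.append(f"{tag}: no change ticket (rule tracking)")
    last = rules[-1] if rules else None                            # deny by default
    if not (last and last["action"] == "deny"
            and _is_any(last["src"]) and _is_any(last["dst"]) and _is_any(last["port"])):
        findings.append("rule set: no final deny-by-default rule")
    return findings

# Constructed sample rule set (addresses are documentation/private ranges).
SAMPLE_RULES = [
    {"name": "web-dmz", "action": "allow", "src": "203.0.113.0/24", "dst": "192.0.2.10/32", "port": "443", "ticket": "CHG-1001"},
    {"name": "mgmt", "action": "allow", "src": "10.50.0.0/24", "dst": "10.10.0.0/24", "port": "22", "ticket": "CHG-1002"},
    {"name": "temp", "action": "allow", "src": "any", "dst": "any", "port": "any", "ticket": ""},
    {"name": "corp-out", "action": "allow", "src": "10.0.0.0/8", "dst": "any", "port": "443", "ticket": "CHG-1003"},
]
DEFAULT_DENY = {"name": "default", "action": "deny", "src": "any", "dst": "any", "port": "any", "ticket": "CHG-0001"}
```

Running the audit on every rule export (and keeping the findings with the change tickets) gives the periodic rules review a concrete starting point instead of a line-by-line read.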
NIPS/NIDS
• NIDS (Passive) / NIPS (Active)
• Positioning is critical.
  • Internal/External
  • Between Zones
• Centralization of logs
• SIEM
• SOC
DMZ
• All external access terminates in a DMZ
  • Site-to-Site VPNs
  • Client-to-Site VPNs
  • Web Servers
  • E-mail
  • Internet
• Strict controls over access between DMZ and internal zones.
• Can have multiple DMZ Zones, such as a separate zone for vendor or 3rd party interaction.
E-Mail Gateway
• Anti-Spam
• Anti-Virus
• Secure E-Mail Delivery
• Compliance Filtering
Internet Gateway
• Internet Content Filter
  • Web surfing, Web threats, Social media use, Instant messaging, Web based e-mail use, Live Stream, Reputational blocking, Lexical and scoring systems
  • 'Break-the-glass'
  • Can be used for compliance monitoring and remediation
  • Can be tied to AD/LDAP for positive identification of the individual
Transmission Encryption
• All transmission of sensitive or regulated data over open networks (the Internet)
• All transmission of passwords
• All administrator access sessions (no Telnet or FTP)
Data Loss Prevention
• Addresses accidental or intentional disclosure of data and data theft
• Network-based
• Scan and report
Cloud Computing
• May add multiple layers to Information Security
• Who has your data?
  • The 3rd party you contracted with?
  • The DC they outsourced to?
  • 3rd Parties the DC has outsourced to?
• Contract Criticality
  • Vendor vetting, Data ownership, Data access, Data retention, Data restoration, SLAs, Geographical Locations, HR Processes/Employee Vetting
• You are not relieved of responsibility
• Security Controls
  • Leveraged Firewalls, Leveraged IPS, Leveraged Physical Hdw, Access Management, Centralized logging, Data Flow
By Cross Functional
Policies, Standards and Procedures
• Core of the Information Security cyclical process
• ISO 9001: "Document what you do, do what you document"
• Used to educate and direct the end users as well as IT staff, vendors, etc
• Used to enforce compliance, consistent configurations and practices
• Used to force formal exceptions for bad practices
• Regulatory required
• Audit required
• Establish a process for documentation review and approval
• Establish document templates for policies, standards and procedures
• Establish a numbering system to ensure a logical order to documentation
• Establish a desired documentation matrix (next slide)
My Standard Structure
BCP/DR
• Critical part, frequently not seen as 'security'
• BC
  • Where will an employee work?
  • How will the employee connect?
  • Are there 'offline' processes?
  • What services are mandatory? Not?
  • Exercises
• DR
  • Planning
  • Criticality
  • Recovery Point
  • Recovery Time
  • Hot, Warm, Cold Sites
  • Exercises
Audits
• Compliance
  • HIPAA, HITECH, PCI, FERC/NERC, SEC, GLBA, SOX
• Self Auditing
  • Keep your controls under control.
  • Access, Incidents, Tasks
• Internal Audit
  • Your best friend. Helps you to find issues first.
• External 'Prep' Audit
  • Your best friend. Helps you to find issues first.
• External Formal Audit
  • Good time to take a vacation.
Logging, SIEM, SOC
• Have an audit trail.
• Anti-Forensic resistant.
• Determine what must be logged by IPS, DLP, Firewalls, Servers, Applications, AV, etc.
• React at the earliest possible time to reduce impact
• 24x7 or via report and request
• Expert review and analysis (if using a managed SOC)
• Minimize false positives through analysis and tuning
Event Analysis
Event funnel (counts from the slide):
• 4,159,085,410,119 Total Events
• 157,202,478,589 Total Security Events
• 4,216,300,021 Advance Correlated Events
• 15,137,697 Analyst Events
• 321,290 Tickets Escalated
Filtering stages: Event Filters and Automated Correlation (MPLE) (Technology); Expert Analysis & Investigation and Client Escalations (People & Process).
Escalations are 0.000008% of Total Events.
CSIRT
ITIL Processes
• Information Technology Infrastructure Library
• ITIL processes are used throughout the Information Security program to ensure integration with the rest of IT operations
  • Request Management
  • Incident Management
  • Change Management
  • Problem Management
  • Configuration Management Data Base (CMDB) for asset tracking
Governance
How do you stack up?
Question and Answer
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you