sacon - enterprise security architecture (bikash barai)
TRANSCRIPT
SACON
SACON International 2017 India | Bangalore | November 10 – 11 | Hotel Lalit Ashok
Enterprise Security Architecture
Enterprise Architecture
• A field born about 30 years ago
• Initially targeted to address two problems
  • System complexity
  • Inadequate business alignment
• Resulting in
  • More cost, less value
Enterprise Architectural Methodologies
• Consortia-developed frameworks
  • ISO 19439
  • RM-ODP (ITU-T X.901-904)
  • TOGAF
• Defense industry frameworks
  • DoDAF
  • MODAF
  • NAF
• Government frameworks
  • ESAAF
  • FEAF
  • NIST Enterprise Architecture Model
• Open source frameworks
  • TRAK
  • SABSA
• Proprietary frameworks
  • Zachman Framework
  • IAF (Capgemini, 1993)
Zachman Framework (4)
Source: zachmaninternational.com
[Diagram: the five Zachman perspectives]
• Executive Management Perspective
• Business Management Perspective
• Architect's Perspective
• Engineer's Perspective
• Technician's Perspective
SABSA
Challenges with existing models
• Too heavy, to the point of being intimidating - too many steps
• Cannot be done incrementally – needs a big bang approach
• Very few SABSA professionals and very few implementations
• Does not produce a prioritized list of security activities
Goodness Criteria
• Should help to eliminate
• Should help to focus
• Should be simple
• Should be easy to remember
Introducing CP-SSM
Goals of CP-SSM
• Light
• Minimalist
• Focused
Steps
• Create business architecture (high level)
• Strategic threat modeling
• Elimination: bucket and prune
• Mapping: threats to 4 types of controls
• Priority bucketing of activities
Key Elements
• CP - Threat Repository
  • Threat Prioritization Guideline – available
  • Benchmark, Risk Management Model
• CP - Control Repository – not available
• CP - Threat to Control Map – not available
• CP - Activity/Control Priority Map
Threat Repository
• Taxonomy
  • Software (26 subclasses)
  • Hardware (3)
  • Physical Security (3)
  • Supply Chain (2)
  • Human (3)
• Industry or vertical specific top N listing
CISO Platform Threat – Control Map
• Threat: SQL Injection Attack
• Detection: WAF, SAST, DAST, IAST, RASP
• Prevention: Secure Coding, WAF, RASP
• Response: SIEM, SOC Response Process
• Prediction: TI (External and Internal)
Prioritization Matrix (priority of an activity by risk level of the threat and type of control; 1 = highest)

Risk level    Prevention  Detection  Response  Prediction
High Risk     1           1          2         3
Medium Risk   2           2          2         3
Low Risk      3           3          3         3
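The steps above (bucket and prune, map threats to the four control types, bucket activities by priority) combine into a short procedure. The following is an added example, not code from the talk or from CISO Platform: the SQL injection row is the map shown on the slide, the phishing and tailgating rows are constructed sample data, and the threat names and risk buckets are assumptions.

```python
# Prioritization matrix from the slides: risk bucket x control type -> priority (1 = highest).
PRIORITY_MATRIX = {
    "High":   {"Prevention": 1, "Detection": 1, "Response": 2, "Prediction": 3},
    "Medium": {"Prevention": 2, "Detection": 2, "Response": 2, "Prediction": 3},
    "Low":    {"Prevention": 3, "Detection": 3, "Response": 3, "Prediction": 3},
}

# Threat-to-control map. SQL injection is taken from the CISO Platform slide;
# the phishing and tailgating rows are constructed sample data.
CONTROL_MAP = {
    "SQL Injection Attack": {
        "Detection": ["WAF", "SAST", "DAST", "IAST", "RASP"],
        "Prevention": ["Secure Coding", "WAF", "RASP"],
        "Response": ["SIEM", "SOC Response Process"],
        "Prediction": ["TI (External and Internal)"],
    },
    "Phishing": {  # constructed
        "Detection": ["Email Gateway", "SIEM"],
        "Prevention": ["Awareness Training", "MFA"],
        "Response": ["SOC Response Process"],
        "Prediction": ["TI (External and Internal)"],
    },
    "Tailgating": {  # constructed
        "Detection": ["CCTV"], "Prevention": ["Badge Access"],
        "Response": ["Physical Security Team"], "Prediction": [],
    },
}

def prioritize(threat_risks, control_map=CONTROL_MAP, matrix=PRIORITY_MATRIX):
    """CP-SSM elimination, mapping and priority bucketing.
    threat_risks: {threat: risk bucket, or None if pruned as not applicable}.
    Returns {priority: sorted controls}; a shared control keeps its best priority."""
    best = {}
    for threat, risk in threat_risks.items():
        if risk is None:  # Elimination step: threat bucketed as not applicable
            continue
        for ctype, controls in control_map[threat].items():
            p = matrix[risk][ctype]
            for c in controls:
                best[c] = min(p, best.get(c, p))
    buckets = {}
    for c, p in best.items():
        buckets.setdefault(p, []).append(c)
    return {p: sorted(buckets[p]) for p in sorted(buckets)}

if __name__ == "__main__":
    plan = prioritize({"SQL Injection Attack": "High", "Phishing": "Medium", "Tailgating": None})
    for p, controls in plan.items():
        print(f"Priority {p}: {', '.join(controls)}")
```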
Next Steps
• Utilize the model (loosely) for building an Appsec program - post lunch
• Create community projects
  • Threat Repository (comprehensive + top N)
  • Threat Control
NIST CSF
Objectives of CSF in a Nutshell
• Describe current security posture
• Describe target security posture
• Continuous improvement
• Assess progress towards target posture
• Communicate risk
High level overview of the framework

Framework Profile (where you are and where you want to go)
• Defines (measures) current state
• Defines (measures) desired state

Framework Implementation Tiers (how you view cybersecurity)
• Tiers (4) that show how cybersecurity risks and processes are viewed within an organization
• Required tier based on perceived risk/benefit analysis

Framework Core (what it does)
• Identify • Protect • Detect • Restore • Recover
Framework Core
[Diagram: The Framework Core - Identify, Protect, Detect, Respond, Recover]
Structure
Structured example

Function ID  Function  Category ID  Category          Subcategory                                                                  Informative References
ID           Identify  ID.AM-1      Asset Management  Physical devices within the organization are inventoried                     CCS CSC 1; COBIT 5; ISA 62443-2-1:2009
ID           Identify  ID.AM-2      Asset Management  Software platforms and applications within the organization are inventoried  CCS CSC 1; COBIT 5; ISA 62443-2-1:2009
Framework Implementation Tiers
• How cybersecurity risks and processes are viewed within the organization
[Diagram: tiers in increasing order of sophistication - Partial, Risk Informed, Repeatable, Adaptable]
Maturity levels – based on NIST CSF
• Tier 1 – Partial
  • Cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
  • Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
• Tier 2 – Risk Informed
  • Risk management practices are approved by management but may not be established as organization-wide policy.
  • Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
• Tier 3 – Repeatable
  • Risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
• Tier 4 – Adaptive
  • Adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities.
  • Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
Private & Confidential
Framework Profile
• Presents an overview of present and future cybersecurity posture
  • Business requirements
  • Risk tolerance
  • Resources
• Used to define current state and desired state
• Can help measure progress...
CDM Framework
Source: Cyber Defense Matrix
CDM Mapping
Credit: Sounil Yu
FireCompass Score (34/100) - Sample Maturity Levels
• Tier 4: Adaptive
• Tier 3: Repeatable
• Tier 2: Risk Informed
• Tier 1: Partial

              Identify  Protect  Detect  Respond  Recover
Devices       Tier 2    Tier 2   Tier 2  Tier 2   Tier 1
Applications  Tier 2    Tier 2   Tier 1  Tier 1   Tier 1
Networks      Tier 1    Tier 1   Tier 1  Tier 1   Tier 1
Data          Tier 1    Tier 2   Tier 1  Tier 1   Tier 1
Users         Tier 1    Tier 1   Tier 1  Tier 1   Tier 1
FireCompass Scores for Indian Industry
[Chart: FireCompass scores by industry segment. Values shown: 8%, 43%, 45%, 51%, 52%, 58%, 61%, 61%. Segments shown: Startups + FinTech, Small Banks, Insurance, Manufacturing, IT/ITeS, Financial Services, Telco, Large Banks]
BeyondCorp
Thank you