
Security Today

Shon Harris
Security consultant, educator, author

Presentation is Proprietary and Cannot be Reused without


360 Security Model

Holistic Approach to Security


Every Organization has these
EXACT issues…
• The responsibility of securing an organization is falling into the laps of
individuals who are not security professionals.
• This is because security is no longer just a technology issue, but is now a business
issue that must be dealt with at all levels of an organization.

• The biggest hurdle is that the individuals in the industry have a difficult time understanding the ultimate goals of a secure enterprise architecture in a way that allows them to break them down into achievable steps.
• This is not because they are ignorant or incapable, but every organization is struggling with the exact same questions:
  • How do we set up a security enterprise architecture?
  • How do we set up an enterprise risk management model?
  • How do we implement security governance?
  • How do we know what “enough security” means?

• We are recognizing that more than technical people need to be involved, but cannot figure out how to integrate security into business processes.
Are There Gaps?
Do the departments responsible for these different types of
security communicate and work well together in your company?
Most Organizations…
► Do not fully realize that there is a
structured way of rolling out and
maintaining a security program
► Organizations are bombarded with
products, consultants, too much
information, and service and product
companies with their own agendas
► By not following a structured approach,
organizations are wasting time, wasting
money, experiencing security compromises,
and failing audits
Common Pain Points
Every organization is RECREATING THEIR OWN
WHEEL when it comes to developing a
secure enterprise architecture.

This only adds layers of confusion because no one fully understands the overall goals or how to accomplish them.
No Enforcement – Just
Documents
But We Have Models
► CobiT
► ISO 17799/BS 7799
► NIST documents
► SABSA
► Etc.
CobiT – Control Objectives
5.1 Management of IT Security
Manage IT Security at the highest appropriate
organizational level …
5.2 IT Security Plan
Translate business information requirements,
IT configuration, information risk action plans,
and information security culture …
5.3 Identity Management
All users (internal, external, and temporary)
and their activity on IT systems (business
application, system operation…)
5.4 User Account Management
Ensure that requesting, establishing, issuing,
suspending, modifying, and closing user
accounts and related user privileges …
5.5 Security Testing, Surveillance, and
Monitoring
Ensure that IT security implementation is
tested and monitored proactively. IT security
should be reaccredited periodically …
Industry Best Practices
Standards
BS/ISO 17799
• Guidelines on range of controls for implementing security
• Best practices for security management
• Divided into 10 sections
  • Security policy
  • Security organization
  • Assets classification and control
  • Personnel security
  • Physical and environmental security
  • Computer and network management
  • System access control
  • System development and maintenance
  • Business continuity planning
  • Compliance
NIST Guidelines
SABSA Model

http://www.sabsa-institute.org/UserFiles/Image/3-framework.png
Result of Trying to Understand
all Approaches
Exactly Where Are We Trying to
Go?
► Risk Management
► Enterprise Security Architecture
► Security Governance
► Security Legal and Regulatory
Compliance
► Staying out of the Headlines
Need Risk Management
Now?

Does your team know how to develop and roll this


Goal of Enterprise Security
Architecture = Security at All
Levels

Security is to be in alignment
with organization’s strategic
Enterprise Security Architecture
• Strategic alignment
• Business enablement
• Process enhancement
• Security effectiveness
Without an Enterprise Security Architecture
► Security only takes place at the technical level
► Continual confusion and repeating expensive mistakes
► Stovepipe solutions, which cost more in maintenance and integration
  • Depending upon point solutions, not enterprise solutions
► Unable to use enterprise information to make solid business decisions
► Continually putting out fires
  • Reactive versus proactive
Security Governance
“Security governance is the set of responsibilities and
practices exercised by the board and executive
management with the goal of providing strategic
direction, ensuring that objectives are achieved,
ascertaining that risks are managed
appropriately and verifying that the enterprise’s
resources are used responsibly.”

- IT Governance Institute
Company A vs. Company B

Company A: Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.
Company B: Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.

Company A: CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month, and information security is always one topic on the agenda to review.
Company B: CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.

Company A: Executive management sets an acceptable risk level that is the basis for the company’s security policies and all security activities.
Company B: CISO took some boilerplate security policies, inserted his company’s name, then had the CEO sign them.

Company A: Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.
Company B: All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.

Company A: Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.
Company B: Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity, and profitability.

Company A: Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.
Company B: Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.

Company A: Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.
Company B: Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine the return on investment or effectiveness. Company has a false sense of security because it is using products, consultants, and/or managed services.

Company A: The organization is continuing to review its business processes, including security, with the goal of continued improvement.
Company B: The organization does not analyze its performance for improvement, but does continually march forward and makes the same mistakes over and over again.
Security Governance =
Managing Security at All Levels
After Looking at the Pretty
Graphics
Information Security
Mantra
“Security needs to be a business
process”
Great strategic goal – but many organizations
will never get there under their current
approaches.
What are We Doing Today?
► Lack of true understanding of overall goals
► Detailed structure is not fully developed first
► Bringing in expensive consultants
► Purchasing products
► Using managed security services
► Sending staff to technical security courses
(Diagram of the current model: the organizational levels CEO and Board, C-Level Individuals, Department Managers, and IT and technologists, alongside what is applied to them today: Consultants, Managed Services, Products, and Generic Technology Training.)
Why Is Our Current Model
Dangerous?
► No real roadmap, so the team is not marching forward
  • Continually chasing their own tails
► Not making educated and informed decisions
  • Making the same expensive mistakes over and over
  • Relying too heavily on vendors
► Lack of continual and useful communication between corporate levels
► Risk management is talked about, but not understood or implemented
► Accountability is not truly enforced
► Point solutions instead of enterprise solutions are rolled out
► Plans are built around technology and not solution processes
► People who are responsible for putting out fires are also trying to develop strategy
Security Consulting Issues
COMMUNICATION
Knowledge Requirements and Communication
Channels
There Are Cookie Cutter
Approaches
Break Your Three Year Plan
Down

Project management is required to keep everyone in step and on track
Phases Need Useful Detail and
Goals
Mapping Requirements to
Security Processes
Security Program Components are the
Categories of Control Objectives
Security Program
Subcomponents
Defining the Surrounding
Process around Specific
Subcomponents
Example
Vulnerability Management
Almost all regulations require vulnerability management.
There are about 100 different ways that vulnerability management is termed in the various laws and regulations.

The difficulty is developing and implementing a successful VM program and ensuring that it maps to all compliance requirements.
You Need a Fully Functional
Program
Vulnerability Management Program Process
• Define roles and responsibilities
• Develop VM baselines and metrics
• Develop threat classifications (high, medium, low)
• Identify and inventory assets
• Create CSIRT
• Develop procedures for incident handling
• Develop communication channels for incident data dissemination
• Carry out vulnerability assessments
• Carry out penetration tests
• Receive vendor vulnerability alerts
• Validate vulnerability alerts against your inventory of assets
• Classify new vulnerability (high, medium, low)
• Test remediation (patches, hotfix) and deploy – patch management
• Implement preventive controls based on new vulnerability releases
• Audit vulnerability management processes and continually improve

Qualys, Foundstone Scanner, and ISS cannot do all of this for you. The product is just one component of the process.
Another Example
Data Classification and Data Protection
Necessary steps of this process:
• Risk assessment of not protecting sensitive data
• Define sensitive data as it maps to business drivers
• Define classification criteria (determine value of data via business impact analysis)
• Define data owner and custodian responsibilities
• Develop the necessary policies, standards, guidelines and procedures for internal use
• Know how to detect “sensitive data” at rest and in transit
• Mitigating third party risks (they have copies of sensitive data you are responsible for protecting)
• Response procedures when users attempt to release sensitive data and enforcement tactics
• Document data classification process, which includes a risk matrix, and control descriptions for auditors and compliance
• Know how to modify classification criteria based on business and regulatory needs
• Understanding data protection controls that should be in place:
  ► Access control
  ► User provisioning
  ► Encryption
  ► Digital rights management
  ► Monitoring
• Training on data classification program, processes, and product use
• Integrate data classification and data protection processes into internal auditing practices
• Develop documentation and resources for external auditors for compliancy validation
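The steps "define classification criteria" and "know how to detect sensitive data at rest" are where a program turns policy into something that runs. The Python script below is an added example written for this page, not material from the presentation: it scans a set of records for payment-card numbers (validated with a Luhn checksum so that order numbers and similar digit runs are not flagged), a constructed national-ID pattern, and e-mail addresses, then assigns each record one of three classification levels. The records, the patterns and the Confidential/Internal/Public criteria are all constructed for illustration and stand in for whatever the business impact analysis defines.

```python
"""Added example, not from the presentation: detecting sensitive data in
records at rest and assigning a classification level. The patterns, the
sample records and the three levels are constructed for illustration."""
import re
from typing import List, Tuple

# Candidate payment-card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed national-ID pattern NNN-NN-NNNN (stands in for whatever the criteria define).
NATIONAL_ID = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs (order numbers, references) that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[str]:
    """Return the kinds of sensitive data found in one record."""
    findings = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append("payment_card")
            break
    if NATIONAL_ID.search(text):
        findings.append("national_id")
    if EMAIL.search(text):
        findings.append("email")
    return findings


def classify_record(text: str) -> Tuple[str, List[str]]:
    """Constructed criteria: card or national ID -> Confidential,
    contact details only -> Internal, nothing sensitive -> Public."""
    findings = find_sensitive(text)
    if "payment_card" in findings or "national_id" in findings:
        return "Confidential", findings
    if "email" in findings:
        return "Internal", findings
    return "Public", findings


# Constructed records; the card number is a Luhn-valid test value, not a real account.
RECORDS = [
    "Invoice 7781: customer paid with card 4539 1488 0343 6467",
    "Order reference 1234 5678 9012 3456 shipped",
    "Contact j.doe@example.com for the quarterly report",
    "Employee file: ID 123-45-6789",
    "Cafeteria menu for next week",
]


def classify_all(records: List[str]) -> List[Tuple[str, str]]:
    """Classify every record, returning (level, record) pairs."""
    return [(classify_record(r)[0], r) for r in records]


if __name__ == "__main__":
    for level, record in classify_all(RECORDS):
        print(f"{level:<13} {record}")
```

The second record is the instructive one: a 16-digit order reference matches the card pattern but fails the checksum, so it stays Public. A detector that only pattern-matches would mark it Confidential, and a program that cries wolf on every digit run is one that users learn to ignore.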
This Level of Detail Per Program
Component

Program
Components
When?
Do you have to accomplish all of this today?
• In a week?
• In a year?
• In 2 years?

No, but you need a plan today and if it is worthless you will not accomplish this stuff in 10 years!
3 Year Plan – Are Your Phases
Even Useful – or Too High Level?
Security Programs…
Structure or Chaos – or In Between?

Swamp guides become more valuable than security architects

If you don’t know where you are, you can’t get to where you want to go.
All Organizations

We are currently around here
We Need to Evolve
► We need a new model to empower
organizations and allow them to understand
security in business terms
► We need a model that takes the theoretical
best practices and turns them into practical
action items
► Companies need to be able to take ownership
of their internal security program

The current approach will continue to provide a gap between what we preach
and what we practice.
Holistic security that is integrated into business processes.
Security Maturity Evolution

(Diagram: Security Capability on the vertical axis against Evolution on the horizontal axis, starting at Initiate and moving through Level 1 Defined, Level 2 Integrated, and Level 3 Optimized. The components of the model and their descriptions:)

Documented Strategy, Principles, and Policy: Clearly defined set of technology-independent policies developed from the business strategy
Security Organizational Structure: Individuals and organizations assigned responsibility, accountability, and authority to support the infrastructure
Baseline Security Standards: Security controls defined to establish a consistent basis for managing risk
Stakeholder Security Program: Stakeholder sponsored program with responsibilities assigned
Security Architecture: Architecture principles and policies in place to define core security functions
Security Technical Framework: Establishment of standards and technologies to support stakeholder interaction
Security Metrics: Measure the efficiency, effectiveness, value, and continuous performance improvement of the individual security process
Compliance and Certification: Establish compliance measurement and reporting system
Assurance: Auditing, monitoring, and reporting processes and controls in place to ensure they are meeting standards and that they are effective

Level 1 Defined
Level 2 Integrated
Level 3 Optimized
How to be Successful
► Gather much more data – do not work in a vacuum
► Break the pieces down into achievable goals that are inexpensive
  • Quick wins will be much quicker
► Learn from each phase, improve, and incorporate knowledge into
next phase
► Phases will allow the group to understand more about the current
processes and business as a whole
► Use products that are currently in-house and in the market to
accomplish many of these tasks through automation
► Do not create metrics, baselines, processes “in the dark” – which
would waste a lot of money and be useless
► Provide a structured risk-based approach that is measurable and
controllable
► Understand how to incorporate security into business units and
processes
► Understand how to continually improve and be innovative in a
healthy manner
► Protect the company in a more effective and understandable
process
Success or Failure

What will Allow this Project to Succeed?
• Take the time to gather all of the necessary data before running forward
• Get feedback from all departments that would be involved and affected
• Provide real information for decision makers and not superficial data
• Solid and reasonable phased approach
• Realize and communicate the true benefit that this will provide for ALL security needs and departments
• Realize that this is a long jog, not a short sprint

What will Cause this Project to Fail?
• If necessary resources and funds are not provided through ALL PHASES
• Viewed as a bottleneck for business expansion. Must be enforced as a “must have” not a “nice to have”
• If one person does not own this process and keep people on track
• More communication does not take place
• Wrong people are on the security committee
• Other projects take precedence and motivation fades
Improvement Will Not Happen
Accidentally
Shon Harris

www.LogicalSecurity.com
(888) 373-5116
info@LogicalSecurity.com

Logical Security is on the GSA Schedule and is a woman-owned, veteran owned company
