Leveraging SANS Top 20 to develop a Security Engineering roadmap
Glen G. Walker
23 August 2014
DISCLAIMER
  My personal experience, opinions and guidance
  Not endorsed by, approved by, or the opinion of Dignity Health, nor any of its leadership or business units
  Discussion of historical issues and concerns; may not reflect current security practices or concerns
  Your individual mileage may vary
  Talk to your Doctor to see if SANS Top 20 is right for you
Outline
  Reflection(s), Speaker Intro and Methodology
  Top 20 Critical Controls
  Individual Control formatting
  Critical First Five
  Call to action, Implementation
Reflections
  "More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk." (Bruce Schneier)
  "The secret to getting ahead is getting started. The secret of getting started is breaking your complex, overwhelming tasks into small manageable tasks, and then starting on the first one." (Mark Twain)
Speaker Bio (and every credential I could think of)
  Glen G. Walker, Security Engineering and Operations Manager, Dignity Health
  MS Information Management, ASU, W. P. Carey School of Business
  BA Psychology, University of Arizona
  CISSP
  GCIA (GIAC Certified Intrusion Analyst)
  GCIH (GIAC Certified Incident Handler)
  ITIL v3 Foundation
  CompTIA Security+
  CCNA (expired 2003)
  PADI Advanced Open Water Diver
  Senior Member, United States Fencing Association (Foil E07)
  BJCP Apprentice Beer Judge
  Recipient of the I Ate Rattlesnake certificate, Rawhide theme park
The Problem
  Security admin function
  Reactive, audit-driven strategy
  Limited controls, limited implementation
  Regulatory and business concern
  Morale and purpose
The Direction
  Evaluate and secure
  Protect patients, business, brand
  Reduce audit concerns: HIPAA, PCI, etc.
  Start looking at frameworks: ISO? COBIT? Can we do, like, SANS and OWASP stuff?
Methodology: Top 20 Critical Controls
  The Critical Security Controls for Effective Cyber Defense (NSA, SANS, now Council on CyberSecurity)
  Best practice guidelines for computer security
  Threat and attack based (as opposed to compliance and audit based)
  Fits our Defense in Depth strategy
  100+ government and private sector contributing agencies
  Mapped to NIST SP 800-53 r3
  http://www.sans.org/critical-security-controls/
  US Dept of State began implementation in 2009 and reported a more than 88% reduction in vulnerability-based risk across 85,000 systems within the first year
Top 20 Critical Controls (1-10)
  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Malware Defenses
  6. Application Software Security
  7. Wireless Access Control
  8. Data Recovery Capability
  9. Security Skills Assessment and Appropriate Training to Fill Gaps
  10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Top 20 Critical Controls (11-20)
  11. Limitation and Control of Network Ports, Protocols, and Services
  12. Controlled Use of Administrative Privileges
  13. Boundary Defense
  14. Maintenance, Monitoring, and Analysis of Audit Logs
  15. Controlled Access Based on the Need to Know
  16. Account Monitoring and Control
  17. Data Protection
  18. Incident Response and Management
  19. Secure Network Engineering
  20. Penetration Tests and Red Team Exercises
Individual Controls (how each control is documented)
  Justification for criticality
  Sub-controls
  Implementation guidance
  Categories
  Procedures and tools
  Effectiveness metrics
  Effectiveness test
  System Entity Relationship Diagram
Sample subtasks: CSC 5: Malware Defenses
  CSC 5-1  Employ automated malware detection tools to continuously monitor all nodes, log centrally (Quick win)
  CSC 5-2  Use remotely managed, centralized anti-malware infrastructure (Quick win)
  CSC 5-3  Turn off auto-run (Quick win)
  CSC 5-4  Automatically scan removable media (Quick win)
  CSC 5-5  E-mail content and web content filtering (Quick win)
  CSC 5-6  Enable anti-exploitation countermeasures (DEP, ASLR, EMET) (Quick win)
  CSC 5-7  Limit external devices to business need (Quick win)
  CSC 5-8  Behavior-based anomaly detection monitoring tools (Visibility/Attribution)
  CSC 5-9  Network-based anti-malware tools (Visibility/Attribution)
  CSC 5-10 Implement an incident response process (IT to InfoSec) (Advanced)
  CSC 5-11 Enable domain name system (DNS) query logging (Advanced)
Categories (of sub-controls)
  Quick wins
  Critical First Five (most immediate impact on preventing attacks)
  Visibility and attribution measures
  Improved information security configuration and hygiene
  Advanced sub-controls
Critical First Five
  CSC 2-1: Deploy application whitelisting technology
  CSC 3-1: Establish and ensure the use of standard secure configurations of your operating systems
  CSC 3-2: Automate patching for applications and operating systems (within 48h)
  CSC 3-3 and CSC 12-1: Limit and audit administrative privileges (Least Privilege)
  CSC 4-1: Run automated vulnerability scanning
Suggested Implementation
  1. Perform initial gap assessment
  2. Feasibility study: contextualize for your business and maturity
  3. Short term: implement Quick Wins and First Five
  4. Mid term: define projects for deploying appropriate "visibility and attribution" and "hardened configuration and improved information security hygiene" Critical Controls
  5. Long term: define projects for deploying appropriate "advanced controls" over the longer term
Top 20 Critical Controls, Initial Priority
  Immediate Priority
    Boundary Defense
    Limitation and Control of Network Ports, Protocols, and Services
    Maintenance, Monitoring, and Analysis of Audit Logs
    Malware Defenses
    Secure Configurations for Network Devices
    Controlled Access Based on the Need to Know
    Account Monitoring and Control
    Data Loss Prevention
    Incident Response and Management
  High Priority
    Controlled Use of Administrative Privileges
    Security Skills Assessment and Appropriate Training to Fill Gaps
    Wireless Device Control
    Inventory of Authorized and Unauthorized Devices
    Continuous Vulnerability Assessment and Remediation
    Secure Network Engineering
    Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  Deferred Priority
    Application Software Security
    Inventory of Authorized and Unauthorized Software
    Data Recovery Capability
    Penetration Tests and Red Team Exercises
Initial Survey
  Stakeholder survey: Architecture, Engineering, Operations; InfoSec, Network, Server, Desktop
  Operational analysis of the Critical First Five and the Quick Wins
  Critical First Five status
    In Progress 40%
    In Production 20%
    Requested 20%
    Not planned 20%
  Quick Wins status
    Requested 30%
    In Production 23%
    In Progress 20%
    Unknown 10%
    Not planned 10%
    Purchased not installed 6%
    Declined 1%
Call to Action: Initial
  Management engagement
Call to Action: Leadership Response
  Context and quantifiable risk was requested
Control risk matrix (columns)
  Specific concern
  Qualitative impact estimate
  Averaged score
  Control/headcount needed
Call to Action: Followup
  Contextualized as a function of risk: impact, probability
  Roadmap and strategy
  Current trends and known evil: OMG Target! OMG Heartbleed! OMG Community Health! OMG ShellShock! OMG Home Depot! OMG Poodle!
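The Initial Survey tallies and the control risk matrix above are the two computations a gap assessment repeats every cycle. The following script is an added example (not from the talk or from the Council on CyberSecurity): it rolls sub-control status up into the per-category percentages the survey charts show, averages stakeholder impact x probability estimates into the matrix's "averaged score", and maps that score onto the deck's Immediate/High/Deferred tiers. The sub-control IDs follow the deck; the survey rows, the estimates and the tier thresholds are constructed assumptions.

```python
"""Gap assessment helper: sub-control status roll-up and control risk matrix scoring."""
from collections import Counter
from statistics import mean

# Constructed sample stakeholder survey: (sub-control, category, status).
SURVEY = [
    ("CSC 2-1", "First Five", "In Production"),
    ("CSC 3-1", "First Five", "In Progress"),
    ("CSC 3-2", "First Five", "In Progress"),
    ("CSC 3-3", "First Five", "Requested"),
    ("CSC 4-1", "First Five", "Not planned"),
    ("CSC 5-3", "Quick Wins", "In Production"),
    ("CSC 5-4", "Quick Wins", "Purchased not installed"),
    ("CSC 5-6", "Quick Wins", "Requested"),
    ("CSC 5-11", "Quick Wins", "In Progress"),
]

# Constructed risk matrix input: control -> stakeholder (impact, probability) estimates on a 1-5 scale.
RISK_MATRIX = {
    "CSC 13 Boundary Defense": [(5, 4), (4, 4), (5, 5)],
    "CSC 12 Controlled Use of Administrative Privileges": [(4, 3), (4, 4), (3, 3)],
    "CSC 8 Data Recovery Capability": [(3, 1), (2, 2), (2, 1)],
}


def status_breakdown(survey, category):
    """Percent of a category's sub-controls in each status (the survey pie charts)."""
    statuses = [status for _, cat, status in survey if cat == category]
    return {k: round(100 * v / len(statuses)) for k, v in Counter(statuses).items()}


def averaged_score(estimates):
    """Averaged score across stakeholders, with each estimate's risk = impact * probability."""
    return mean(impact * probability for impact, probability in estimates)


def priority_tier(score):
    """Map an averaged score onto the deck's priority tiers (thresholds are assumed)."""
    if score >= 15:
        return "Immediate"
    if score >= 8:
        return "High"
    return "Deferred"


def roadmap(matrix):
    """Controls ordered highest averaged risk first, each with its priority tier."""
    rows = [(name, averaged_score(est), priority_tier(averaged_score(est))) for name, est in matrix.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

With the constructed survey the First Five breakdown reproduces the deck's 40/20/20/20 split, and Boundary Defense lands in Immediate while Data Recovery Capability is Deferred, matching the Initial Priority slide.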
Action Plan
  Current Defenses
    Establishes baseline, relieves panic, acknowledges progress, creates continuity and a sense of achievability
  Short-term Efforts Needed
    Projects in progress, Quick Wins, First Five, etc.
    Low-hanging fruit (easy POC wins)
  Longer-term Efforts Needed
    Projects in progress but at risk
    Purchased, not yet staffed for configuration or integration
    Not yet staffed for development
    Not yet funded or staffed
Sample Plan (Achieved! Mostly!): CSC-18 Incident Response and Management
  Current Defenses
    SIEM, IDS/IPS, FW logging, IDM logging, CSIRT
  Short-term Efforts Needed
    Ownership: CSC 18-2 Assign CSIRT operational roles to specific people; CSC 18-3 Assign CSIRT management roles to specific people
  Longer-term Efforts Needed
    SIEM operationalization and optimization
    ISIRT development: CSC 18-1 Incident response plan (CSIRT); CSC 18-4 Establish CSIRT reporting process and timeframes; CSC 18-5 Establish CSIRT contact info for external resources
    Security Operations Center: 24x7 alert monitoring and triage
    KPI and metrics
Results
  First Five all either in production or in progress
  Operationalized SIEM, IDS/IPS; SOC staffed
  CSIRT => ISIRT (NIST SP 800-61 r2)
  Vulnerability Management function (NIST SP 800-40 v2)
  Actual roadmap!
  Leadership trust and support!
  Funding, staffing!
Thank You