Leveraging SANS Top 20 to develop a Security Engineering roadmap. Glen G. Walker 23 August 2014

Disclaimer (slide 2)
- My personal experience, opinions and guidance
- Not endorsed by, approved by, or the opinion of Dignity Health, nor any of its leadership or business units
- Discussion of historical issues and concerns; may not reflect current security practices or concerns
- Your individual mileage may vary
- Talk to your doctor to see if SANS Top 20 is right for you

Outline (slide 3)
- Reflection(s), speaker intro and methodology
- Top 20 Critical Controls
- Individual control formatting
- Critical First Five
- Call to action, implementation

Reflections (slide 4)
"More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk." Bruce Schneier
"The secret to getting ahead is getting started. The secret of getting started is breaking your complex, overwhelming tasks into small manageable tasks, and then starting on the first one." Mark Twain

Speaker Bio (and every credential I could think of) (slide 5)
Glen G. Walker, Security Engineering and Operations Manager, Dignity Health
- MS Information Management, ASU, W. P. Carey School of Business
- BA Psychology, University of Arizona
- CISSP
- GCIA (GIAC Certified Intrusion Analyst)
- GCIH (GIAC Certified Incident Handler)
- ITIL v3 Foundation
- CompTIA Security+
- CCNA (expired 2003)
- PADI Advanced Open Water Diver
- Senior Member, United States Fencing Association (Foil E07)
- BJCP Apprentice Beer Judge
- Recipient of the "I Ate Rattlesnake" certificate, Rawhide theme park

The Problem (slide 6)
- Security admin function
- Reactive, audit-driven strategy
- Limited controls and implementation
- Regulatory and business concern
- Morale and purpose

The Direction (slide 7)
- Evaluate and secure
- Protect patients, business, brand
- Reduce audit concerns (HIPAA, PCI, etc.)
- Start looking at frameworks: ISO? COBIT? Can we do, like, SANS and OWASP stuff?

Methodology: Top 20 Critical Controls (slide 8)
- The Critical Security Controls for Effective Cyber Defense: originated with NSA and SANS, now maintained by the Council on CyberSecurity
- Best practice guidelines for computer security
- Threat and attack based (as opposed to compliance and audit based)
- Fits our Defense in Depth strategy
- 100+ government and private sector contributing agencies
- Mapped to NIST SP 800-53 r3
- http://www.sans.org/critical-security-controls/
- US Dept of State began implementation in 2009 and reported a more than 88% reduction in vulnerability-based risk across 85,000 systems within the first year

Top 20 Critical Controls (1-10) (slide 9)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Top 20 Critical Controls (11-20) (slide 10)
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

Individual Controls (slide 11)
Each control is documented with:
- Justification for criticality
- Sub-controls
- Implementation guidance
- Categories
- Procedures and tools
- Effectiveness metrics
- Effectiveness test
- System entity relationship diagram

Sample subtasks: CSC 5: Malware Defenses (slide 12)
- CSC 5-1 Employ automated malware detection tools to continuously monitor all nodes, log centrally (Quick win)
- CSC 5-2 Use remotely managed, centralized anti-malware infrastructure (Quick win)
- CSC 5-3 Turn off auto-run (Quick win)
- CSC 5-4 Automatically scan removable media (Quick win)
- CSC 5-5 E-mail content and web content filtering (Quick win)
- CSC 5-6 Enable anti-exploitation countermeasures (DEP, ASLR, EMET) (Quick win)
- CSC 5-7 Limit external devices to business need (Quick win)
- CSC 5-8 Behavior-based anomaly detection monitoring tools (Visibility/Attribution)
- CSC 5-9 Network-based anti-malware tools (Visibility/Attribution)
- CSC 5-10 Implement an incident response process (IT to InfoSec) (Advanced)
- CSC 5-11 Enable domain name system (DNS) query logging (Advanced)

Categories (slide 13)
- Quick wins, including the Critical First Five (most immediate impact on preventing attacks)
- Visibility and attribution measures
- Improved information security configuration and hygiene
- Advanced sub-controls

Critical First Five (slide 14)
- CSC 2-1: Deploy application whitelisting technology
- CSC 3-1: Establish and ensure the use of standard secure configurations of your operating systems
- CSC 3-2: Automate patching for applications and operating systems (within 48h)
- CSC 3-3 and CSC 12-1: Limit and audit administrative privileges (least privilege)
- CSC 4-1: Run automated vulnerability scanning

Suggested Implementation (slide 15)
1. Perform initial gap assessment
2. Feasibility study: contextualize for your business and maturity
3. Short term: implement Quick Wins and First Five
4. Mid term: define projects for deploying appropriate "visibility and attribution" and "hardened configuration and improved information security hygiene" Critical Controls
5. Long term: define projects for deploying appropriate "advanced controls" over the longer term

Top 20 Critical Controls, Initial Priority (slide 16)
Immediate Priority
- Boundary Defense
- Limitation and Control of Network Ports, Protocols, and Services
- Maintenance, Monitoring, and Analysis of Audit Logs
- Malware Defenses
- Secure Configurations for Network Devices
- Controlled Access Based on the Need to Know
- Account Monitoring and Control
- Data Loss Prevention
- Incident Response and Management
High Priority
- Controlled Use of Administrative Privileges
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Wireless Device Control
- Inventory of Authorized and Unauthorized Devices
- Continuous Vulnerability Assessment and Remediation
- Secure Network Engineering
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Deferred Priority
- Application Software Security
- Inventory of Authorized and Unauthorized Software
- Data Recovery Capability
- Penetration Tests and Red Team Exercises

Initial Survey (slide 17)
Stakeholder survey across Architecture, Engineering and Operations (InfoSec, Network, Server, Desktop), followed by operational analysis of the Critical First Five and Quick Wins.
Critical First Five status: In Progress 40%, In Production 20%, Requested 20%, Not planned 20%
Quick Wins status: Requested 30%, In Production 23%, In Progress 20%, Not planned 10%, Unknown 10%, Purchased not installed 6%, Declined 1%

Call to Action: Initial Management engagement (slide 18)

Call to Action: Leadership Response (slide 19)
Context and quantifiable risk was requested.

Control risk matrix (slide 20)
Columns: Specific concern | Qualitative impact estimate | Averaged score | Control/headcount needed

Call to Action: Followup (slide 21)
- Contextualized as a function of risk: impact, probability
- Roadmap and strategy
- Current trends and known evil: OMG Target! OMG Heartbleed! OMG Community Health! OMG ShellShock! OMG Home Depot! OMG Poodle!

Action Plan (slide 22)
Current Defenses
- Establishes baseline, relieves panic, acknowledges progress, creates continuity and a sense of achievability
Short-term Efforts Needed
- Projects in progress, Quick Wins, First Five, etc.
- Low-hanging fruit (easy POC wins)
Longer-term Efforts Needed
- Projects in progress but at risk
- Purchased, not yet staffed for configuration or integration
- Not yet staffed for development
- Not yet funded or staffed

Sample Plan (Achieved! Mostly!) (slide 23)
CSC-18 Incident Response and Management
Current Defenses: SIEM, IDS/IPS, FW logging, IDM logging, CSIRT
Short-term Efforts Needed
- Ownership
- CSC 18-2 Assign CSIRT operational roles to specific people
- CSC 18-3 Assign CSIRT management roles to specific people
Longer-term Efforts Needed
- SIEM operationalization and optimization
- ISIRT development
- CSC 18-1 Incident response plan (CSIRT)
- CSC 18-4 Establish CSIRT reporting process and timeframes
- CSC 18-5 Establish CSIRT contact info for external resources
- Security Operations Center: 24x7 alert monitoring and triage
- KPI and metrics
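The gap assessment, stakeholder survey and action plan above are one procedure: record each sub-control's category and survey status, roll the statuses up per group, then sort what is not yet live into short-term and longer-term efforts. This is an added example in Python, not code from the talk or from Dignity Health; the status and category names follow the slides, and the survey records are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Added example, not code from the talk. Status names follow the Initial Survey
# slide and category names the CSC sub-control tables; records are constructed.

# Sub-controls the talk lists as the Critical First Five.
FIRST_FIVE = {"CSC 2-1", "CSC 3-1", "CSC 3-2", "CSC 3-3", "CSC 12-1", "CSC 4-1"}

@dataclass(frozen=True)
class SubControl:
    ident: str     # e.g. "CSC 5-3"
    category: str  # "Quick win", "Visibility/Attribution" or "Advanced"
    status: str    # survey answer, e.g. "In Production", "Requested", "Declined"

def status_breakdown(controls, selector):
    """Percentage of the selected sub-controls in each status, as on the survey slide."""
    subset = [c for c in controls if selector(c)]
    if not subset:
        return {}
    counts = Counter(c.status for c in subset)
    return {status: round(100 * n / len(subset)) for status, n in counts.items()}

def action_plan(controls):
    """Sort sub-controls into the Action Plan buckets: current defenses, short-term
    (in progress, Quick Wins or First Five not yet live), longer-term, declined."""
    plan = {"current": [], "short_term": [], "longer_term": [], "declined": []}
    for c in controls:
        if c.status == "Declined":
            plan["declined"].append(c.ident)
        elif c.status == "In Production":
            plan["current"].append(c.ident)
        elif c.status == "In Progress" or c.ident in FIRST_FIVE or c.category == "Quick win":
            plan["short_term"].append(c.ident)
        else:
            plan["longer_term"].append(c.ident)
    return plan

# Constructed survey records (not real data).
SAMPLE = [
    SubControl("CSC 2-1", "Quick win", "In Progress"),
    SubControl("CSC 3-1", "Quick win", "In Production"),
    SubControl("CSC 3-2", "Quick win", "Requested"),
    SubControl("CSC 4-1", "Quick win", "In Production"),
    SubControl("CSC 5-3", "Quick win", "Not planned"),
    SubControl("CSC 5-8", "Visibility/Attribution", "Purchased not installed"),
    SubControl("CSC 5-11", "Advanced", "Unknown"),
    SubControl("CSC 18-1", "Advanced", "Declined"),
]
```

Feed `status_breakdown(SAMPLE, lambda c: c.ident in FIRST_FIVE)` and `action_plan(SAMPLE)` the real survey results to reproduce the slide 17 percentages and a per-control plan like slide 23.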

Results (slide 24)
- First Five all either in production or in progress
- Operationalized SIEM, IDS/IPS; SOC staffed
- CSIRT => ISIRT (NIST SP 800-61 r2)
- Vulnerability Management function (NIST SP 800-40 v2)
- Actual roadmap!
- Leadership trust and support!
- Funding, staffing!

Thank You