How Do You Secure An Environment Without a Perimeter? Using Emerging Technology Processes to Support InfoSec Efforts in an Agile Data Center PTC Briefing January 18, 2015
About the Presenters
- Charla Griffy-Brown, Professor, Information Systems and Technology Management; Director, Center for Teaching & Learning Excellence, Graziadio School of Business and Management, Pepperdine University, USA
- Demetrios Lazarikos (Laz), CISA, CISM, CRISC, CSSLP, MBA, MCIS; IT Security Strategist and two-time former CISO, Blue Lava Consulting
- Mark Chun, Associate Professor, Information Systems & Technology Management, Graziadio School of Business and Management, Pepperdine University, USA

Agenda
- Results and Methodology
- InfoSec Maturity Model
- Evolution: How Did We Get Here?
- What Organizations Are Doing to Prepare for The Catastrophic Event
- Resources
Quantitative Methodology
- Visited 27 cities throughout the world
- Meetings with 204 individuals in multiple verticals, from a total of 80 organizations: Boards of Directors and Executive Leadership Teams; industry practitioners and engineers
Top items that emerged:
- The InfoSec Maturity Model
- How the perimeter doesn't exist anymore
- Internet of Things (IoT)
- Big data and analytics

Results
- The InfoSec Maturity Model developed describes the companies examined: only a small percentage take a risk-based approach, and the rest are therefore still tied to a world of corporate perimeters
- The current architecture in most firms is a hot mess, lacking any perimeter BY DESIGN
- Cybercriminals bypass traditional security systems easily
- Firms need a way to put together processes and tools for coordination and alignment with the business, to support the hyper growth of emerging technologies and agile environments
- Using the InfoSec Maturity Model, approaches and tools were identified and discussed
InfoSec Maturity Model
Reactive: Blocking & Tackling
- Lack of executive support
- Underfunded, understaffed
- Lack of metrics for reporting
- Set up for failure
Compliance Driven
- Control-based security approach
- Aligned to mandatory regulations: ISO 2700x, FFIEC, PCI, HIPAA, EU/PII data protection, NCUA
Proactive: Risk-Based Approach
- Multi-layered security and risk-based approach
- Using behavior analytics
- Linking events across multiple disciplines
- Using dynamic InfoSec and IT Audit controls in the environment*
Source: Blue Lava Consulting

Results (bar chart, Source: Blue Lava Consulting): number of organizations at each InfoSec Maturity Model level, Blocking/Tackling, Compliance Driven, and Risk-Based Approach.
How Did We Get Here? (diagram) The traditional data center: third-party vendor and web traffic enter north-south through the perimeter to the Web, App and DB tiers.

Evolution: The Agile Data Center (diagram, built up over several slides) IoT, third parties and cloud now connect to the Web, App and DB tiers with only limited visibility at the edge; AppSec vulns are ignored; and there is no visibility into the internal (east-west) traffic between the tiers. Gartner estimates that east-west traffic will increase by 80% through 2016.
What Organizations Are Doing
- Boards of Directors and Executives are more involved with Information Security, and IT Audit budgets are approved faster
- Embracing multiple InfoSec and monitoring solutions for the Internet of Things (IoT)
- Moving towards agile frameworks with exit criteria embedded throughout the idea, development, and support processes
- Investing in Big Data and User Behavior Analytics (UBA) solutions
- Evaluating cyber liability insurance
- There is no silver bullet for solving these complex issues

Aligning Information Security with the Business and PMO (security exit criteria by SDLC phase)
- Idea: What data will this application store, process, or transmit? Is this a mobile or Internet-facing application?
- Dev: Security framework and standards review; peer review / source code review*
- Test: Internal scans 24x7x365 (network, OS, and application)*
- Prod: External scans 24x7x365 (network, OS, and application)*
- Maint: What new functionality will be supported? How will monitoring (external and internal) be incorporated?*
*Using dynamic InfoSec and IT Audit controls in the environment

Dashboards and Reporting
- Create an inventory of issues and solutions within your environment
- Identify the risks, gaps, observations, and what you need to be successful with your program
- Generate reports in terms the business understands
- Build relationships with internal stakeholders to achieve these goals
Dashboard example: Threat Vector | Problem Statement | Tools Implemented | Current Observations, Risks, and Gaps

Application Security
- Problem statement: Web application vulnerabilities lead to significant issues when P1s aren't resolved within current SLAs.
- Tools implemented: 1. Training for developers (internal and third parties) 2. External and internal scans 24x7x365 (WhiteHat) 3. Penetration testing (third-party quarterly tests) 4. Source code analysis (WhiteHat SCA) 5. Behavior analytics (RSA and Shape Security) 6. WAF (integrate with WhiteHat rules)
- Observations, risks, and gaps: 1. There is 14% attrition among the developers. 2. P1 appsec vulns are increasing by 12% a week. 3. Integrate WhiteHat vulns with the WAF for automation.

Network/OS/Systems
- Problem statement: PCI 3.0 states that virtualized environments are in scope. The company needs to meet agile business requirements. The company needs to detect laterally moving traffic between the data centers, zones, supporting networks, and cloud integration.
- Tools implemented: 1. Elasticity and agility to spin environments up/down (varmour) 2. Network and OS scanner (Nessus) 3. PCI 3.0 management of physical and virtualized environments (varmour) 4. File integrity monitoring (OSSEC agents) 5. Monitoring internal (east/west) malicious traffic (varmour)
- Observations, risks, and gaps: 1. PCI 3.0 states that all virtualized environments that store, process, or transmit cardholder data are in scope. 2. varmour allows both physical and virtual PCI environments to be managed under one policy and one enterprise software solution. 3. OSSEC agents are not being used and configured properly.

Innovation
- Problem statement: Automobiles; Bitcoin; cloud (third-party integration); IoT (e.g. wearables, appliances, HVAC, garage doors); virtualization.
- Tools implemented: 1. Partner with manufacturers and insert InfoSec legal requirements into contract agreements 2. Application scanning 24x7x365 (WhiteHat) 3. Cloud integration (varmour) 4. IoT (WhiteHat and varmour) 5. Physical and virtualized management (varmour)
- Observations, risks, and gaps: 1. Systems of systems* will be in scope for PCI, HIPAA, GLBA, PII, Privacy, and EU Data Protection.

Emerging Threats (Internal)
- Problem statement: The company needs a way to identify, monitor, and combat emerging threats once cyber criminals break the perimeter.
- Tools implemented: 1. Monitoring east/west traffic (varmour)
- Observations, risks, and gaps: 1. Internal traffic anomalies are increasing by 15% per month. Anomalous traffic patterns are moving between Zone X and Y and four data centers at 2:21am daily.

External Mobile Security Applications
- Problem statement: Mobile device usage is increasing by 54% year over year. 15 mobile applications are being developed by external teams that are out of corporate compliance and do not meet mandatory industry regulations.
- Tools implemented: 1. Behavior analytics software (RSA) 2. Monitoring mobile app stores (Risk I/Q) 3. WhiteHat source code analysis (SCA) 4. Cyber threat research (FOX-IT)
- Observations, risks, and gaps: 1. Mobile source code being developed by third-party organizations is not compliant with corporate InfoSec policies and industry regulations.

Mobile Security (Internal/BYOD)
- Problem statement: The company needs to support the BYOD policy.
- Tools implemented: 1. Access controls (LDAP/AD) 2. MDM (Good Technology)
- Observations, risks, and gaps: 1. Need to determine how the MDM solution will scale over the next 12 months.

Source: Blue Lava Consulting. *Blue Lava Consulting System of Systems research results will be available in Q1 2015.
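The Application Security row above calls for integrating scanner findings with the WAF for automation, and the SDLC slide earlier embeds security exit criteria at each phase. The following added example (not code from the presentation, from Blue Lava Consulting, or from WhiteHat or any other vendor) shows both in working Python: a release gate that fails promotion to Prod while any open P1 is past its SLA, and a generator that turns each SLA-breached, WAF-addressable finding into a ModSecurity virtual patch scoped to the affected path and parameter. The findings, the SLA values, the reporting date and the rule-id range are constructed for the example; WhiteHat's real export format is not assumed.

```python
"""Release gate plus WAF virtual patching driven by scanner findings.

Added example; not code from the presentation or from any vendor.
Findings, SLA values, reporting date and rule ids are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Assumed SLA: days a finding may stay open before it is in breach.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}

# ModSecurity operators (libinjection based) for the classes a WAF can
# virtually patch. Classes missing here (e.g. authorization flaws) get no rule.
WAF_OPERATOR = {
    "SQL Injection": "@detectSQLi",
    "Cross-Site Scripting": "@detectXSS",
}

# Reporting date for the example run (assumed).
TODAY = date(2015, 1, 18)


@dataclass(frozen=True)
class Finding:
    fid: str          # scanner's finding id
    vuln_class: str
    path: str         # request path the finding was reproduced on
    param: str        # vulnerable parameter ("" when none applies)
    priority: str     # P1..P3
    opened: date
    status: str       # "open" or "closed"


# Constructed findings; a real scanner export would be parsed into this shape.
FINDINGS = [
    Finding("WH-1001", "SQL Injection", "/account", "id", "P1", date(2015, 1, 1), "open"),
    Finding("WH-1002", "Cross-Site Scripting", "/search", "q", "P1", date(2015, 1, 15), "open"),
    Finding("WH-1003", "Insufficient Authorization", "/admin/export", "", "P2", date(2014, 11, 1), "open"),
    Finding("WH-1004", "SQL Injection", "/login", "user", "P1", date(2014, 12, 1), "closed"),
]


def sla_breaches(findings, today=TODAY):
    """Open findings that have been open longer than their priority's SLA."""
    return [
        f for f in findings
        if f.status == "open" and (today - f.opened).days > SLA_DAYS[f.priority]
    ]


def gate_decision(findings, today=TODAY):
    """Exit criterion for promotion to Prod: no open P1 past its SLA."""
    blocking = [f.fid for f in sla_breaches(findings, today) if f.priority == "P1"]
    return ("FAIL", blocking) if blocking else ("PASS", [])


def virtual_patch(finding, rule_id):
    """One chained ModSecurity rule: match the path, then inspect the parameter.

    Returns None when the class has no WAF operator or no parameter is known,
    so a virtual patch is never emitted for something the WAF cannot cover.
    """
    operator = WAF_OPERATOR.get(finding.vuln_class)
    if operator is None or not finding.param:
        return None
    msg = f"Virtual patch {finding.fid}: {finding.vuln_class} in {finding.param}"
    return "\n".join([
        f'SecRule REQUEST_URI "@beginsWith {finding.path}" \\',
        f"    \"id:{rule_id},phase:2,deny,status:403,log,msg:'{msg}',chain\"",
        f'    SecRule ARGS:{finding.param} "{operator}" "t:none,t:urlDecodeUni"',
    ])


def virtual_patches(findings, today=TODAY, first_id=9000001):
    """Virtual patches for every SLA-breached finding the WAF can address."""
    rules = []
    for f in sla_breaches(findings, today):
        rule = virtual_patch(f, first_id + len(rules))
        if rule is not None:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    verdict, ids = gate_decision(FINDINGS)
    print(f"gate: {verdict} {ids}")
    for rule in virtual_patches(FINDINGS):
        print(rule)
```

Two caveats a practitioner would add. A virtual patch narrows the exposure window but does not close the finding, so the gate should keep failing until the code fix ships rather than treating the WAF rule as remediation. And @detectSQLi / @detectXSS are heuristics, so new rules belong in the WAF's detection-only mode until they have been tuned against real traffic; the authorization finding above gets no rule at all, which is the correct answer for a class a WAF cannot see.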
Addressing the Issues (diagram) The same agile data center with a WAF in front of the Web tier and complete visibility into the IoT, third-party vendor and cloud connections and into the east/west traffic between the Web, App and DB tiers. Gartner estimates that east-west traffic will increase by 80% through 2016.
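The slides above move from no visibility into east/west traffic to complete visibility, and the dashboard example flagged recurring anomalous traffic between zones at 2:21am daily. Here is an added example (not code from the presentation or from varmour) of the two checks a practitioner would run over zone-tagged flow records once that visibility exists: a zone policy check that flags cross-zone flows outside an allow-list, and a recurrence check that surfaces cross-zone flows repeating outside business hours on several days. The zone names, the allowed pairs, the business-hours window and the flow records are all constructed for the example.

```python
"""East/west (cross-zone) traffic checks over zone-tagged flow records.

Added example; not code from the presentation or from varmour.
Zones, the allow-list, business hours and the flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed zone policy: the only cross-zone flows that are legitimate.
ALLOWED = {
    ("web", "app", 8443),   # web tier calls the application tier over TLS
    ("app", "db", 5432),    # application tier talks to PostgreSQL
}

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time (assumed)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_zone: str
    dst_zone: str
    dport: int


def parse_flows(records):
    """records: (timestamp 'YYYY-MM-DD HH:MM', src_zone, dst_zone, dst_port)."""
    return [
        Flow(datetime.strptime(ts, "%Y-%m-%d %H:%M"), src, dst, int(port))
        for ts, src, dst, port in records
    ]


# Constructed flow log: three days of normal tier traffic, plus a nightly
# app -> pci SMB connection and a one-off web -> db connection.
FLOWS = parse_flows([
    ("2015-01-15 08:02", "web", "app", 8443),
    ("2015-01-15 09:10", "app", "db", 5432),
    ("2015-01-15 02:21", "app", "pci", 445),
    ("2015-01-16 08:05", "web", "app", 8443),
    ("2015-01-16 02:21", "app", "pci", 445),
    ("2015-01-16 14:00", "web", "db", 3306),
    ("2015-01-17 08:01", "web", "app", 8443),
    ("2015-01-17 02:21", "app", "pci", 445),
    ("2015-01-17 11:30", "app", "app", 22),   # intra-zone: not east/west
])


def cross_zone(flows):
    """East/west traffic proper: flows whose source and destination zones differ."""
    return [f for f in flows if f.src_zone != f.dst_zone]


def policy_violations(flows, allowed=ALLOWED):
    """Cross-zone flows not covered by the allow-list (segmentation breaks)."""
    return [f for f in cross_zone(flows) if (f.src_zone, f.dst_zone, f.dport) not in allowed]


def recurring_off_hours(flows, business_hours=BUSINESS_HOURS, min_days=2):
    """(src_zone, dst_zone, port, hour) tuples seen outside business hours on
    at least min_days distinct days: the 'same time every night' pattern."""
    days_seen = defaultdict(set)
    for f in cross_zone(flows):
        if f.ts.hour not in business_hours:
            days_seen[(f.src_zone, f.dst_zone, f.dport, f.ts.hour)].add(f.ts.date())
    return sorted(key for key, days in days_seen.items() if len(days) >= min_days)


if __name__ == "__main__":
    for f in policy_violations(FLOWS):
        print("policy violation:", f)
    for src, dst, port, hour in recurring_off_hours(FLOWS):
        print(f"recurring off-hours flow: {src} -> {dst}:{port} at {hour:02d}:xx")
```

The policy check is the one that depends on having a zone model at all: without zone tags on the flows (or an equivalent policy engine in front of them) there is nothing to compare against, which is the "no visibility to internal traffic" state the earlier diagram shows. The recurrence check is deliberately simple; in production the baseline would be learned per zone pair rather than fixed to a business-hours window, but the shape of the question is the same.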
Risk Frameworks
- CMM, COBIT, CVSS, home grown, ISO, NIST, OCTAVE, RiskCalibrator, RiskIT, TARA
- Ensure risk frameworks can be dynamic in your environment

Reporting in Business Terms (risk heat map: Low Risk, High Risk, Critical Risk). Source: CXOWare, WhiteHat Security, and Blue Lava Consulting

Where Do We Go from Here
- Information Security must be part of the culture, driven by the Board of Directors and Executives throughout the organization
- Cyber criminals are evolving; we must as well
- It's not if the cyber criminal will access your environment, it's when: invest in current technologies and have a plan to address the issue
- User behavior analytics (UBA) is critical
- Evaluate your InfoSec and IT Audit programs frequently, and ensure part of the program is to evaluate emerging technology
- Be flexible: introduce dynamic InfoSec and IT Audit controls in the environment
Resources
- WhiteHat Security. WhiteHat Security Blog: https://blog.whitehatsec.com
- Website Security for Dummies: https://info.whitehatsec.com/cont-Synd-ISACA-Website-Security-Dummies-LP.html
- Securing the SDLC for Dummies: https://info.whitehatsec.com/cont-Synd-ISACA-SDLC-Dummies-LP.html
- ISACA COBIT 5 Framework: http://www.isaca.org/cobit/pages/default.aspx?cid=1003566&appeal=pr
- varmour: www.varmour.com
- Verizon 2014 Data Breach Investigations Report

Resources Continued
- Andy Hoernecke, Application Security and Data Visualization Expert, Inventor of D3Dash: www.d3dash.com
- Avivah Litan, VP and Distinguished Analyst, Gartner. Market Guide for User Behavior Analytics (UBA), G00260457, August 2014
- How to Measure Anything, Douglas W. Hubbard. ISBN-13: 978-0470539392
- Iron-Clad Java: Building Secure Web Applications, Jim Manico and August Detlefsen. ISBN-13: 978-0071835886
- Measuring and Managing Information Risk: A FAIR Approach, Jack Freund and Jack Jones. ISBN-13: 978-0124202313
- Perceptual Edge: www.perceptualedge.com
- Security Metrics: Replacing Fear, Uncertainty, and Doubt, Andrew Jaquith. ISBN-13: 978-0321349989