One-Man Shop. How to build a functional security program with limited resources DEF CON 22



Similar documents
Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

SANS Top 20 Critical Controls for Effective Cyber Defense

Check Point and Security Best Practices. December 2013 Presented by David Rawle

Security Management. Keeping the IT Security Administrator Busy

The Protection Mission a constant endeavor

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

INCIDENT RESPONSE CHECKLIST

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

How To Protect A Network From Attack From A Hacker (Hbss)

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Critical Security Controls

Supplier Information Security Addendum for GE Restricted Data

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Top 20 Critical Security Controls

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Securing Web Applications...at the Network Layer

Concierge SIEM Reporting Overview

Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

Critical Controls for Cyber Security.

FISMA / NIST REVISION 3 COMPLIANCE

THE TOP 4 CONTROLS.

Data Security and Healthcare

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Chapter 9 Firewalls and Intrusion Prevention Systems

Great Now We Have to Secure an Internet of Things. John Pescatore SANS Director, Emerging Security

Connect with Addressing Intelligence to Automate IPv6 Planning, Transition & Cyber Security

SonicWALL PCI 1.1 Implementation Guide

How To Manage Security On A Networked Computer System

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Chapter 1 The Principles of Auditing 1

Netzwerkvirtualisierung? Aber mit Sicherheit!

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

All Information is derived from Mandiant consulting in a non-classified environment.

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Network Segmentation

The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security

Looking at the SANS 20 Critical Security Controls

Industrial Security for Process Automation

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

ΕΠΛ 674: Εργαστήριο 5 Firewalls

New possibilities in latest OfficeScan and OfficeScan plug-in architecture

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

8. Firewall Design & Implementation

Network Security Administrator

Client Security Risk Assessment Questionnaire

North American Electric Reliability Corporation (NERC) Cyber Security Standard

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

How To Protect Your Network From Attack From Outside From Inside And Outside

5 Steps to Advanced Threat Protection

How To Protect Your Data From Being Stolen

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

IT Security and OT Security. Understanding the Challenges

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

March

AppGuard. Defeats Malware

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

ADM:49 DPS POLICY MANUAL Page 1 of 5

Defending Against Data Beaches: Internal Controls for Cybersecurity

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

PCI Requirements Coverage Summary Table

Intelligence Driven Security

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

74% 96 Action Items. Compliance

Emerson Smart Firewall

Ovation Security Center Data Sheet

Sygate Secure Enterprise and Alcatel

Intro to NSX. Network Virtualization VMware Inc. All rights reserved.

VPNSCAN: Extending the Audit and Compliance Perimeter. Rob VandenBrink

Open Source Security Tool Overview

Detecting rogue systems

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Security Event Monitoring (SEM) Working Group

D. Grzetich 6/26/2013. The Problem We Face Today

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Best Practices for PCI DSS V3.0 Network Security Compliance

Defence Cyber Protection Partnership Cyber Risks Profile Requirements

Next Generation Network Firewall

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

How to Secure Your Environment

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Cybersecurity Health Check At A Glance

Automate PCI Compliance Monitoring, Investigation & Reporting

PCI DSS Compliance the Rocky Road. Colin Dixon Head of Risk and Compliance

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Missing the Obvious: Network Security Monitoring for ICS

Transcription:

One-Man Shop How to build a functional security program with limited resources DEF CON 22

One-Man Shop Agenda Caveats & Considerations People and Processes Network Architecture System Design Continuous Monitoring External Validation Compliance

Security Program Hierarchy of Needs Compliance External Validation Continuous Monitoring Secure System Design Secure Network Architecture People and Processes

Caveats and Considerations This is going to take Organizational Support Security still answers to The Business Security cannot mature past the Organization Be realistic. The sky isn t falling. Schedule time to stop firefighting Just do the right thing

Security Program Hierarchy of Needs Compliance External Validation Continuous Monitoring Secure System Design Secure Network Architecture People and Processes

People and Processes People within the organization Identify who they are and what roles they play Negotiate sole ownership of systems and processes even better - RACI Matrix Most people take accountability seriously Set and communicate expectations The Business owns the data owns compliance will get the fines and have charges pressed

People and Processes People within IT Recruit help. Make them aware of your plans A good sysadmin or network person will make a good security liason. That may be you.

People and Processes "Security needs to be embedded." "Security is (part of) a process" Consistency through Automation... and Security through Consistency Here's where your help comes in...

People and Processes Identify and document processes As simple as a check list "Swim lanes" flow chart to show handoffs Identify where security can fit in best Doesn't necessarily require security staff review Can be a checklist or guideline for department Examples: Purchasing Standardized Equipment Server and Workstation Management Inventory

People and Processes Speaking of Inventory: KNOW YOUR ENVIRONMENT Identify devices on your network and what roles they play Make network maps This means physical and logical network Endpoints and their uses. Servers, Workstations, Phones, Printers, etc Users and their business functions Sensitive data and where business processes occur Automate inventory and alert on differences

Security Program Hierarchy of Needs Compliance External Validation Continuous Monitoring Secure System Design Secure Network Architecture People and Processes

Secure Network Architecture 1. Divide network endpoints into groups based on roles, risks, exposures, trust level, etc. 2. Create network zones based on roles 3. Identify risks each zone faces 4. Deny all traffic by default 5. Place security controls at zone boundaries for traffic that can t be denied

Secure Network Architecture *Deny all traffic by default All traffic should pass through a control Allow only what s necessary for proper function Deep Packet Inspect everything you can't deny Log everything you can't inspect exceptions should be approved and documented

Secure Network Architecture Possible Security Controls depending on risks Firewalls Protocol Enforcement IDS/IPS Netflow Information Deep Packet Inspection File Extraction and Analysis Log all alerts centrally for easy correlation

Security Program Hierarchy of Needs Compliance External Validation Continuous Monitoring Secure System Design Secure Network Architecture People and Processes

Secure System Design for Servers Systems should cross as few security zones as necessary Traffic within a security zone should be as segmented as possible (Host Based Firewalls) Centralized Logging Backups! Virtualized? Take Snapshots Automate Account Provisioning Aim for Single Sign On Disable Once, Disable Everywhere Allows for centralized Auth and Access Control

Secure System Design for Workstations Design a standardized desktop image Least Privilege. No local admins Centralize workstation administration Enable Automatic Updates OS Killing patches are rare AV is dead, but its still a layer of protection EMET for additional defense MAC filtering at switchports

Security Program Hierarchy of Needs Compliance External Validation Continuous Monitoring Secure System Design Secure Network Architecture People and Processes

Continuous Monitoring Host Monitoring Periodic IP/Port Scans Periodic Vulnerability Scans Automated Log Review VPN Access by IP/Region Dropped Packets sourced from DMZ Event logs of privileged accounts New users and group memberships Netflow anomalies

Continuous Monitoring Forensics and Incident Response Snort with ETPro ruleset for IDS urlsnarf from the dsniff suite tcpdump internal span ports for DNS traffic execap for capturing windows binaries off the wire Cuckoo Sandbox for analysis Immunity s El Jefe for process monitoring

Continuous Monitoring Forensics and Incident Response If a user isn t admin, process hiding is hard Most malware contained to user s profile Use WMI for Remote Windows IR wmic /node: x.x.x.x process get commandline wmic /node: x.x.x.x process where name = winlogon.exe delete wmic /node: x.x.x.x process call create process.exe Free / Open Source DFIR Tools Mandiant Redline, FTK Imager, Autopsy

Continuous Monitoring Just when you think you re bored Introduce a new monitoring tool. You ll find new problems that need to be fixed. Get Bored Fix Problems Introduce New Monitoring Identify New Problems

Security Program Hierarchy of Needs Compliance External Validation Continuous Monitoring Secure System Design Secure Network Architecture People and Processes

External Validation Consider an external auditor to review your environment At least verify against others in your industry Consider external penetration testing

Security Program Hierarchy of Needs Compliance External Validation Continuous Monitoring Secure System Design Secure Network Architecture People and Processes

Compliance To be honest, It s not worth talking about shouldn t be a driver a byproduct of a good security program Most auditors will accept a remediation plan, even if it takes multiple years Slow progress is still progress

Let s compare to SANS Top 20 1. Device Inventory 11. Account Monitoring and Control 2. Software Inventory 12. Malware Defenses 3. Secure Hardware and Software Configs 13. Limitation of Network Ports, Protocols 4. Secure Network Device Config 14. Wireless Device Control 5. Boundary Defense 15. Data Loss Prevention 6. Security Audit Log Analysis 16. Secure Network Engineering 7. Application Software Security 17. Penetration Test and Red Team 8. Controlled use of Admin Privs 18. Incident Response Capability 9. Need to Know Data Access 19. Data Recovery Capability 10. Continuous Vulnerability Assessment 20. Security Skills Assessment and Training

Questions? Automate Centralize Simplify Standardize

Contact Information Tim McGuffin tim@mcguffin.org Updated slides available at http://tinyurl.com/one-man-shop

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information