Creating Effective Security Controls: A Ten Year Study of High Performing IT Security


Configuration Assessment & Change Auditing Solutions: Compliance, Security, Control
Creating Effective Security Controls: A Ten Year Study of High Performing IT Security
Gene Kim, CISA, CTO and Co-Founder (Twitter: @RealGeneKim)
VA-SCAN, 10/5/2009

Where Did The High Performers Come From?

Agenda
- An uncomfortable question about information security effectiveness
- How does information security integrate effectively into daily operations?
- How did the high performing IT organizations make their good-to-great transformations?
- Seven practical steps to go from good to great
- How does going from good to great feel?
- Additional resources

What's the Problem?

Information Security and Compliance Risks
- Information security practitioners are always one change away from a security breach: front page news, regulatory fines, brand damage
- High profile security failures are increasing external pressures for security and compliance: Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)

Luck Is Not A Strategy

The Dark Side Of Virtualization
- Virtualization enables organizations to deploy changes and releases more quickly than ever: what works at 60 mph may not work at 200 mph
- Certain required activities in the physical world made it easier to prevent and detect release risks: watching for servers on the loading dock, budgeting and procurement activities, physical data center access, network cabling
- What happens when these activities are no longer required to deploy major releases? And when it is easy to download VMplayer, copy virtual machines, etc.? And what could go wrong?

Virtualization Is Here
- "85% of 219 IT organizations are already using virtualization and half are planning to." 2008 Tripwire Customer Survey
- "85% of customers are already using virtualization for mission-critical production services." VMware
- "Through 2009, 60% of virtual servers will be less secure than their physical counterparts, and 30% of virtualized servers will be associated with a security incident." Gartner

Operations And Security Already Don't Get Along
Operations hinders security:
- Deploys insecure components into production
- Creates production IT infrastructure that is hard to understand
- Has no information security standard
- Creates self-inflicted outages
- Uses shared privileged accounts
- Can't quickly address known security vulnerabilities
Security hinders operations:
- Creates bureaucracy
- Generates risky, low-value IT operations work
- Generates a large backlog of reviews
- Creates delays through information security requirements
- Brings up project issues that cost too much, take too long, and reduce the feature set
Words often used to describe information security: hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae

Going from Good to Great

Desired Outcome: Create A Higher Performing, More Nimble and More Secure IT Organization
[Chart: Operations Metrics Benchmarks. Server/sysadmin ratio (efficiency of operation, 0 to 140) plotted against number of servers (size of operation, 1 to 10,000); best-in-class ops and security marked. Source: IT Process Institute (2001)]
Best in class:
- Highest ratio of staff for pre-production processes
- Lowest amount of unplanned work
- Highest change success rate
- Best posture of compliance
- Lowest cost of compliance

Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
High performers maintain a posture of compliance:
- Fewest number of repeat audit findings
- One-third the amount of audit preparation effort
High performers find and fix security breaches faster:
- 5 times more likely to detect breaches by automated control
- 5 times less likely to have breaches result in a loss event
When high performers implement changes:
- 14 times more changes
- One-half the change failure rate
- One-quarter the first fix failure rate
- 10x faster MTTR for Sev 1 outages
When high performers manage IT resources:
- One-third the amount of unplanned work
- 8 times more projects and IT services
- 6 times more applications
Source: IT Process Institute, May 2006

Birth Of Epidemiology: Dr. John Snow, 1853

Culture Of Change Management: high change rate, high change success rate

Culture Of Causality: low MTTR, high first fix rate

Culture Of Planned Work: low unplanned work, high project date performance

Visible Ops: Playbook of High Performers
- The IT Process Institute has been studying high-performing organizations since 1999
- What is common to all the high performers? What is different between them and average and low performers? How did they become great?
- Answers have been codified in the Visible Ops Methodology: www.itpi.org

Over Ten Years, We Benchmarked 1500+ IT Orgs

Surprise #2: What The High Performers Do Differently
Top two differentiators between good and great:
1. Systems are monitored for unauthorized changes
2. Consequences are defined for intentional unauthorized changes
[Charts: foundational controls, medium vs. low performers and high vs. medium performers]
Source: IT Process Institute, May 2006

2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and enforce the following?
- Standardized configuration strategy
- Process discipline
- Controlled access to production systems
Source: IT Process Institute, May 2006

High Performers Can Bound Maximum MTTR
But look at the huge differences for large outages! (Large outages required 25-50 people to fix.)
Source: IT Process Institute, May 2006

Seven Practical Steps

The Seven Practical Steps To Integrate Information Security Into Daily Operations
- Step 1: Gain situational awareness
- Step 2: Reduce and monitor privileged access
- Step 3: Define and enforce VMM configuration standards
- Step 4: Integrate and help enforce change management processes
- Step 5: Create a library of trusted virtualized builds
- Step 6: Integrate into release management
- Step 7: Ensure that all activities go through change management

Step 1: Gain Situational Awareness
Situational awareness: the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regard to the mission.
Questions we want to answer:
- What IT services are being provided? (e.g., power generation, distribution, financial reporting, etc.)
- Who are the business and IT units, and how are they organized? (e.g., the centralized IT services group, an IT outsourcer, etc.)
- What are the relevant regulatory and contractual requirements for the business process? (e.g., SOX-404, PCI DSS, FISMA, NERC, etc.)
- Where is reliance being placed, and what are the critical functionalities?
- What technologies and IT processes are the services being run on? (e.g., Microsoft Windows Server, Sun Solaris, SQL Server, Oracle, etc.)
- Are there any high-level risk indicators from the past? (e.g., repeat audit findings, frequent outages, management metrics, etc.)

Step 2: Reduce And Monitor Privileged Access
- Know where the infrastructure that poses the largest risk to business objectives is
- Ensure that access is properly restricted
- Look for administrators who have high levels of privilege, and reduce access: they can introduce the likelihood of errors, downtime, fraud and security incidents; can affect mission-critical IT services; can modify logical security settings; can add, remove and modify VMs
"To err is human. To really screw up requires the root password." Unknown

Step 2: Reduce And Monitor Privileged Access
Implement preventive controls:
- Reconcile admins to authorized staff and delete any ghost accounts
- Ensure a reasonable number of admins
- Issue and revoke accounts upon hiring, firing, reassignment
Implement detective controls:
- Monitor privileged user account adds, removes and changes
- Reconcile each user account change to an authorized work order
- Reconcile each user account to an HR record
- Implement account re-accreditation procedures
"Hope is not a strategy. Trust is not a control."
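The two detective controls above (reconcile each privileged-account change to an authorized work order, and each admin to an HR record) are concrete enough to script. The following is an added example, not code from the talk or from Tripwire: the event fields, the work-order fields (authorized accounts plus an approved change window) and every account name, order id and timestamp are constructed assumptions. An account change is "authorized" only if a work order names that account and the change falls inside the order's window; everything else is an audit finding, as is any member of the admin group without an active HR record.

```python
"""Detective controls for privileged access (Step 2): reconcile every
privileged-account change to an authorized work order, and every member of the
admin group to an active HR record. Added example, not from the talk or from
Tripwire; event fields, work-order fields and all names are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccountEvent:
    when: datetime
    action: str    # "add", "remove" or "modify"
    account: str   # privileged account that was changed
    actor: str     # admin who made the change


@dataclass(frozen=True)
class WorkOrder:
    ident: str
    accounts: frozenset   # accounts this order authorizes changes to
    start: datetime       # approved change window
    end: datetime


# Constructed sample data: an admin-group export, an HR extract, the
# approved work orders and an account-change audit trail.
HR_RECORDS = {"jdoe": "active", "asmith": "active", "bwong": "terminated"}
ADMIN_GROUP = {"jdoe", "asmith", "bwong", "svc_legacy"}
WORK_ORDERS = [
    WorkOrder("WO-1041", frozenset({"svc_backup"}),
              datetime(2009, 10, 1, 9, 0), datetime(2009, 10, 1, 17, 0)),
    WorkOrder("WO-1042", frozenset({"bwong"}),
              datetime(2009, 10, 2, 9, 0), datetime(2009, 10, 2, 17, 0)),
]
EVENTS = [
    AccountEvent(datetime(2009, 10, 1, 10, 5), "add", "svc_backup", "jdoe"),     # in WO-1041 window
    AccountEvent(datetime(2009, 10, 2, 11, 0), "remove", "bwong", "asmith"),    # in WO-1042 window
    AccountEvent(datetime(2009, 10, 3, 2, 30), "add", "tmpadmin", "asmith"),    # no work order at all
    AccountEvent(datetime(2009, 10, 1, 22, 0), "modify", "svc_backup", "jdoe"), # outside WO-1041 window
]


def ghost_admins(admin_group, hr_records):
    """Admins with no active HR record (terminated, or unknown to HR)."""
    return sorted(a for a in admin_group if hr_records.get(a) != "active")


def match_work_order(event, work_orders):
    """Return the id of a work order that names this account and covers the change time."""
    for wo in work_orders:
        if event.account in wo.accounts and wo.start <= event.when <= wo.end:
            return wo.ident
    return None


def reconcile_events(events, work_orders):
    """Split events into (authorized, unauthorized); each entry is (event, work-order id or None)."""
    authorized, unauthorized = [], []
    for ev in events:
        wo = match_work_order(ev, work_orders)
        (authorized if wo else unauthorized).append((ev, wo))
    return authorized, unauthorized


def audit_report(events, work_orders, admin_group, hr_records):
    """The two findings an auditor asks for: unreconciled changes and ghost admins."""
    _, unauthorized = reconcile_events(events, work_orders)
    return {
        "unreconciled_changes": [
            f"{ev.when:%Y-%m-%d %H:%M} {ev.action} {ev.account} by {ev.actor}"
            for ev, _ in unauthorized
        ],
        "ghost_admins": ghost_admins(admin_group, hr_records),
    }


if __name__ == "__main__":
    for key, items in audit_report(EVENTS, WORK_ORDERS, ADMIN_GROUP, HR_RECORDS).items():
        print(key)
        for item in items:
            print("  ", item)
```

The time-window check is what turns a work order into a control: a change made to the right account but outside its approved window (the last event) is flagged, not silently accepted. In practice the event list comes from the directory or host audit log and the work orders from the ticketing system; the reconciliation logic stays the same.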

Step 3: Define And Enforce Configuration Standards
The goal is to create known, trusted, stable, secure and risk-reduced configuration states.
External configuration guides include:
- Center for Internet Security (CIS)
- VMware: VMware Infrastructure 3, Security Hardening
- Defense Information Systems Agency (DISA) STIGs
"Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. The security issues related to vulnerability and configuration management get worse, not better, when virtualized." Source: Gartner, Inc., Security Considerations and Best Practices for Securing Virtual Machines, by Neil MacDonald, March 2007.

Step 4: Help Enforce Change Management Processes
Information security needs change management to:
- Gain situational awareness of production changes
- Influence decisions and outcomes
Add value in the change management process by:
- Assessing the potential information security and operational impact of changes
- Improving procedures for change authorisation, scheduling, implementation and substantiation
- Ensuring that change requests comply with information security requirements, corporate policy, and industry standards

Step 4: Help Enforce Change Management Processes
Implement preventive controls:
- Get invited to the Change Advisory Board (CAB) meetings
- Ensure tone at the top and help define consequences
Implement detective controls:
- Build and electrify the fence
- Substantiate that all changes are authorised
- Look for red flags and indicators
"[As auditors,] the top leading indicators of risk when we look at an IT operation are poor service levels and unusual rates of changes." Bill Philhower

Step 5: Create A Library Of Trusted Builds
Our goal is to make it easier to use known, stable and secure builds than unauthorised and insecure builds.
Implement preventive controls:
- Define a process for how to assemble hardened and stable builds
- Work with any existing server provisioning teams to add any standard monitoring agents
- Ensure that application and service account passwords are changed before deployment

Step 5: Create A Library Of Trusted Builds
Implement detective controls:
- Verify that deployed infrastructure matches known good states
- Verify virtual image configurations against internal and external configuration standards
- Monitor the approved virtual image library for all adds, removes and changes
- Reconcile all adds, removes and changes to an authorised change order

Step 6: Integrate Into The Release Management Processes
Release management and information security both require standardisation and documentation:
- Checklists
- Detection and reduction of variance
Implement preventive and detective controls:
- Develop shared templates with release management, QA and project management, and integrate into their checkpoints
- Integrate automated security testing tools
- Compare preproduction and production images, and reduce any variance

Step 7: Ensure All Activities Go Through Change Management
Ensure that the only acceptable number of unauthorized changes is zero, across:
- Infrastructure
- Application releases
- Security patches
- Break/fix activities
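Step 5's detective controls (verify that deployed infrastructure matches a known good state; reconcile every add, remove and change to an authorised change order) and Step 7's target (zero unauthorized changes) are one mechanism seen from two sides, so one added example serves both. This is not Tripwire's product code; it is a minimal change-detection and reconciliation routine in which the "known good state" is a map of relative path to SHA-256 digest taken from the trusted build, and the change orders are a constructed map from order id to the paths that order authorizes. All paths, file contents and order ids are constructed for the demonstration.

```python
"""Detective controls for trusted builds and change management (Steps 5 and 7):
snapshot a deployed file tree against a known-good baseline, list every add,
remove and modification, and reconcile each one to an authorized change order.
Whatever is left unreconciled is an unauthorized change, and the target count
is zero. Added example, not Tripwire code; paths, contents and change-order ids
are constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file below root (POSIX-style relative path) to its SHA-256 digest."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_state(baseline, current):
    """Sorted (kind, path) tuples; kind is 'added', 'removed' or 'modified'."""
    changes = []
    for path in set(baseline) | set(current):
        if path not in baseline:
            changes.append(("added", path))
        elif path not in current:
            changes.append(("removed", path))
        elif baseline[path] != current[path]:
            changes.append(("modified", path))
    return sorted(changes)


def reconcile(changes, change_orders):
    """change_orders maps an order id to the set of paths it authorizes.
    Returns (authorized, unauthorized); entries are (kind, path, order id or None)."""
    authorized, unauthorized = [], []
    for kind, path in changes:
        order = next((oid for oid, paths in change_orders.items() if path in paths), None)
        (authorized if order else unauthorized).append((kind, path, order))
    return authorized, unauthorized


def _write(root, rel, data):
    """Helper for the demo: create a file (and its parent directories) under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed host image, baseline it, apply three changes and reconcile."""
    with tempfile.TemporaryDirectory() as root:
        # Known-good build as deployed from the trusted library (constructed).
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "bin/agent", b"agent-build-1")
        baseline = snapshot(root)

        # Later activity on the host: one approved patch and two undocumented edits.
        _write(root, "bin/agent", b"agent-build-2")                       # covered by CO-2210
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")     # no change order
        _write(root, "etc/cron.d/cleanup", b"0 3 * * * root /usr/local/bin/cleanup.sh\n")  # no change order
        change_orders = {"CO-2210": {"bin/agent"}}  # constructed ticketing export

        return reconcile(diff_state(baseline, snapshot(root)), change_orders)


if __name__ == "__main__":
    authorized, unauthorized = demo()
    print("authorized:", authorized)
    print("UNAUTHORIZED (must be zero):", len(unauthorized), unauthorized)
```

The point of the reconciliation step is that a change detector alone produces a list, not a finding; only after each detected change is matched to a change order does the residual become the number Step 7 says must be zero. A real deployment would persist the baseline from the trusted build library, run the snapshot on a schedule, and pull change orders from the ticketing system rather than a literal dictionary.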

What Does Transformation Feel Like?

Find What's Most Important First

Quickly Find What Is Different

Before Something Bad Happens

Find Risk Early

Communicate It Effectively To Peers

Hold People Accountable

Based On Objective Evidence

Answer Important Questions

Ever Increasing Situational Mastery

Show Value To The Business

Be Recognized For Contribution

And Do More With Less


Where Tripwire Fits: Achieve & Maintain Configuration Control
Achieve a known and trusted state:
- Proactively assess configuration settings against internal & external standards
- Identify risks & remediate to ensure policy compliance
Maintain a known and trusted state:
- Detect all changes across the IT infrastructure
- Gain visibility & control through actionable reports, reconciliation and remediation
Outcomes: attain compliance, mitigate security risk, increase operational efficiency

Resources: Tripwire ConfigCheck
- Simple-to-use, free utility holding the best-practices knowledge of experts at VMware & Tripwire
- Easily and rapidly analyzes & validates VMware ESX server configurations according to VMware hardening guidelines
- Generates actionable results showing compliance and non-compliance for all guideline tests
- Provides links to a virtualization security resource center that offers remediation guidance for any failed test
www.tripwire.com/configcheck

Resources
From the IT Process Institute (www.itpi.org):
- Both Visible Ops Handbooks
- ITPI IT Controls Performance Study
Compliance Resource Center on www.tripwire.com
Stop by the Tripwire booth for a copy of Visible Ops Security
Gene Kim's "Practical Steps To Ensure Federal Cybersecurity And FISMA Compliance" white paper
Follow Gene Kim on Twitter: @RealGeneKim
genek@tripwire.com
Blog: http://www.tripwire.com/blog/?cat=34

Key Takeaways
- Virtualization amplifies weaknesses and risks in enterprise IT processes and policies: 60 percent of production virtual machines will be less secure than their physical counterparts through 2009 (Gartner)
- Addressing these risks is a must-have: auditors require the same IT controls across the data center
- Mitigating risk: Tripwire delivers a unified solution for your physical and virtual environments (configuration assessment, change auditing) to achieve & maintain a known and trusted state

Resources

Company Background
- Recognized leader of configuration audit & control
- Award-winning, patented technology for configuration assessment & change auditing
- Over 6,000 customers worldwide
- Pioneer in change detection and file integrity monitoring
- IT best practice thought leaders: Visible Ops Handbook, ITIL v3 contributor, Visible Ops Security

Visible Ops Security: Linking Security and IT Operations Objectives In 4 Practical Steps
[Diagram: ITIL / BS 15000 process map (service design & management processes, release processes, control processes such as asset & configuration management and change management, resolution processes such as incident and problem management, and relationship processes) with the four Visible Ops Security phases overlaid]
- Phase 1: Stabilize the patient, modify first response and get plugged into production
- Phase 2: Find fragile artifacts, and identify meaningful business and technology risks
- Phase 3: Implement development & release controls
- Phase 4: Continually improve
Sources: ITPI Visible Ops & IT Infrastructure Library (ITIL) / BS 15000