Configuration Assessment & Change Auditing Solutions
COMPLIANCE SECURITY CONTROL

Creating Effective Security Controls: A Ten Year Study of High Performing IT Security
Gene Kim, CISA, CTO and Co-Founder (Twitter: @RealGeneKim)
VA-SCAN, 10/5/2009
Where Did The High Performers Come From?
Agenda
- An uncomfortable question about information security effectiveness
- How does information security integrate effectively into daily operations?
- How did the high performing IT organizations make their good to great transformations?
- Seven practical steps to go from good to great
- How does going from good to great feel?
- Additional resources
What's the Problem?
Information Security and Compliance Risks
- Information security practitioners are always one change away from a security breach
  - Front page news
  - Regulatory fines
  - Brand damage
- High profile security failures are increasing external pressures for security and compliance
  - Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)
Luck Is Not A Strategy
The Dark Side Of Virtualization
- Virtualization enables organizations to deploy changes and releases more quickly than ever
  - What works at 60 mph may not work at 200 mph
- Certain required activities in the physical world made it easier to prevent and detect release risks
  - Watching for servers on the loading dock
  - Budgeting and procurement activities
  - Physical data center access
  - Network cabling
- What happens when these activities are no longer required to deploy major releases?
- And when it is easy to download VMplayer, copy virtual machines, etc.?
- And what could go wrong?
Virtualization Is Here
- "85% of 219 IT organizations are already using virtualization and half are planning to." (2008 Tripwire Customer Survey)
- "85% of customers are already using virtualization for mission-critical production services." (VMware)
- "Through 2009, 60% of virtual servers will be less secure than their physical counterparts, and 30% of virtualized servers will be associated with a security incident." (Gartner)
Operations And Security Already Don't Get Along
Operations Hinders Security:
- Deploys insecure components into production
- Creates production IT infrastructure that is hard to understand
- Has no information security standard
- Creates self-inflicted outages
- Uses shared privileged accounts
- Can't quickly address known security vulnerabilities
Security Hinders Operations:
- Creates bureaucracy
- Generates risky, low value IT operations work
- Generates a large backlog of reviews
- Creates delays through information security requirements
- Brings up project issues that cost too much, take too long, and reduce the feature set
Words often used to describe information security: hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae
Going from Good to Great
Desired Outcome: Create A Higher Performing, More Nimble and More Secure IT Organization
[Chart: Operations Metrics Benchmarks, server/sysadmin ratio (efficiency of operation) against number of servers (size of operation, 1 to 10,000), with best-in-class ops and security marked. Source: IT Process Institute (2001)]
Best in Class:
- Highest ratio of staff for pre-production processes
- Lowest amount of unplanned work
- Highest change success rate
- Best posture of compliance
- Lowest cost of compliance
Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
- High performers maintain a posture of compliance
  - Fewest number of repeat audit findings
  - One-third the amount of audit preparation effort
- High performers find and fix security breaches faster
  - 5 times more likely to detect breaches by automated control
  - 5 times less likely to have breaches result in a loss event
- When high performers implement changes
  - 14 times more changes
  - One-half the change failure rate
  - One-quarter the first fix failure rate
  - 10x faster MTTR for Sev 1 outages
- When high performers manage IT resources
  - One-third the amount of unplanned work
  - 8 times more projects and IT services
  - 6 times more applications
Source: IT Process Institute, May 2006
Birth Of Epidemiology: Dr. John Snow: 1853
Culture Of Change Management
- High change rate
- High change success rate

Culture Of Causality
- Low MTTR
- High first fix rate

Culture Of Planned Work
- Low unplanned work
- High project date performance
Visible Ops: Playbook of High Performers
- The IT Process Institute has been studying high-performing organizations since 1999
  - What is common to all the high performers?
  - What is different between them and average and low performers?
  - How did they become great?
- Answers have been codified in the Visible Ops Methodology (www.itpi.org)
Over Ten Years, We Benchmarked 1500+ IT Orgs
Surprise #2: What The High Performers Do Differently
Top Two Differentiators between Good and Great:
1. Systems are monitored for unauthorized changes
2. Consequences are defined for intentional unauthorized changes
[Charts: Foundational Controls, Medium vs Low; Foundational Controls, High vs Medium]
Source: IT Process Institute, May 2006
2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and enforce the following?
- Standardized configuration strategy
- Process discipline
- Controlled access to production systems
Source: IT Process Institute, May 2006
High Performers Can Bound Maximum MTTR
- But look at the huge differences for large outages!
- Large outages required 25-50 people to fix!
Source: IT Process Institute, May 2006
Seven Practical Steps
The Seven Practical Steps To Integrate Information Security Into Daily Operations
- Step 1: Gain situational awareness
- Step 2: Reduce and monitor privileged access
- Step 3: Define and enforce VMM configuration standards
- Step 4: Integrate and help enforce change management processes
- Step 5: Create library of trusted virtualized builds
- Step 6: Integrate into release management
- Step 7: Ensure that all activities go through change management
Step 1: Gain Situational Awareness
Situational awareness: the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regard to the mission.
Questions we want to answer:
- What IT services are being provided? (e.g., power generation, distribution, financial reporting, etc.)
- Who are the business and IT units, and how are they organized? (e.g., the centralized IT services group, an IT outsourcer, etc.)
- What are the relevant regulatory and contractual requirements for the business process? (e.g., SOX-404, PCI DSS, FISMA, NERC, etc.)
- Where is reliance being placed, and what are the critical functionalities?
- What technologies and IT processes are they being run on? (e.g., Microsoft Windows Server, Sun Solaris, SQL Server, Oracle, etc.)
- Are there any high-level risk indicators from the past? (e.g., repeat audit findings, frequent outages, management metrics, etc.)
Step 2: Reduce And Monitor Privileged Access
- Know where the infrastructure that poses the largest risk to business objectives is
- Ensure that access is properly restricted
- Look for administrators who have high levels of privilege
  - They can introduce likelihood of errors, downtime, fraud and security incidents
  - Can affect mission critical IT services
  - Can modify logical security settings
  - Can add, remove and modify VMs
- Reduce access
"To err is human. To really screw up requires the root password." (Unknown)
Step 2: Reduce And Monitor Privileged Access
Implement preventive controls:
- Reconcile admins to authorized staff and delete any ghost accounts
- Ensure a reasonable number of admins
- Issue and revoke accounts upon hiring, firing, reassignment
Implement detective controls:
- Monitor privileged user account adds, removes and changes
- Reconcile each user account change to an authorized work order
- Reconcile each user account to an HR record
- Implement account re-accreditation procedures
"Hope is not a strategy. Trust is not a control."
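The detective controls above (reconcile each privileged account to an HR record and each account change to an authorized work order) worked through as an added Python example; this is not code from the deck or from Tripwire. The roster, admin group membership, work orders and events are constructed sample data, and tying service accounts back to HR through a named human owner is an assumption.

```python
# Added example: reconcile privileged accounts to HR records and to authorized
# work orders (Step 2 detective controls). All data below is constructed.

# HR roster: login -> (employee id, still employed?)
HR_ROSTER = {
    "alice": ("E100", True),
    "bob":   ("E101", False),   # terminated, but still in the admin group
    "carol": ("E102", True),
}

# Assumption: service accounts are tied to HR through a named human owner.
SERVICE_ACCOUNT_OWNERS = {"svc_backup": "E100"}

# Current membership of the privileged (admin) group on a host.
ADMIN_ACCOUNTS = {"alice", "bob", "carol", "svc_backup", "dave"}

# Work orders that authorize privileged-account adds/removes/changes.
WORK_ORDERS = {
    "WO-1001": {"action": "add", "login": "carol"},
    "WO-1002": {"action": "add", "login": "svc_backup"},
}

# Account change events captured by the monitoring control.
ACCOUNT_EVENTS = [
    {"action": "add", "login": "carol", "work_order": "WO-1001"},
    {"action": "add", "login": "svc_backup", "work_order": "WO-1002"},
    {"action": "add", "login": "dave", "work_order": None},   # no ticket at all
]

def has_active_owner(login, hr, service_owners):
    """True if the login is an employed person, or a service account owned by one."""
    if login in hr:
        return hr[login][1]
    owner = service_owners.get(login)
    return any(eid == owner and active for eid, active in hr.values())

def reconcile_privileged_access(admins, hr, service_owners, work_orders, events, max_admins=5):
    """Return ghost accounts, changes with no matching work order, and a headcount check."""
    ghosts = sorted(a for a in admins if not has_active_owner(a, hr, service_owners))
    unauthorized = []
    for ev in events:
        wo = work_orders.get(ev["work_order"])
        # A change is authorized only if a ticket exists and describes this exact change.
        if wo is None or wo["action"] != ev["action"] or wo["login"] != ev["login"]:
            unauthorized.append(ev["login"])
    return {"ghost_accounts": ghosts,
            "unauthorized_changes": unauthorized,
            "too_many_admins": len(admins) > max_admins}
```

Each finding maps to a slide bullet: ghost accounts are deleted, unmatched changes are investigated, and the headcount flag enforces the "reasonable number of admins" control.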
Step 3: Define And Enforce Configuration Standards
- The goal is to create known, trusted, stable, secure and risk-reduced configuration states
- External configuration guides include:
  - Center for Internet Security (CIS)
  - VMware: VMware Infrastructure 3, Security Hardening
  - Defense Information Systems Agency (DISA) STIGs
"Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. The security issues related to vulnerability and configuration management get worse, not better, when virtualized."
Source: Gartner, Inc., Security Considerations and Best Practices for Securing Virtual Machines, by Neil MacDonald, March 2007.
Step 4: Help Enforce Change Management Processes
- Information security needs change management
  - Gain situational awareness of production changes
  - Influence decisions and outcomes
- Add value in the change management process by:
  - Assessing the potential information security and operational impact of changes
  - Improving procedures for change authorisation, scheduling, implementation and substantiation
  - Ensuring that change requests comply with information security requirements, corporate policy, and industry standards
Step 4: Help Enforce Change Management Processes
- Implement preventive controls
  - Get invited to the Change Advisory Board (CAB) meetings
  - Ensure tone at the top and help define consequences
- Implement detective controls
  - Build and electrify the fence
  - Substantiate that all changes are authorised
  - Look for red flags and indicators
"[As auditors,] the top leading indicators of risk when we look at an IT operation are poor service levels and unusual rates of changes." (Bill Philhower)
Step 5: Create A Library Of Trusted Builds
- Our goal is to make it easier to use known, stable and secure builds than unauthorised and insecure builds
- Implement preventive controls:
  - Defined process of how to assemble hardened and stable builds
  - Work with any existing server provisioning teams to add any standard monitoring agents
  - Ensure that application and service account passwords are changed before deployment
Step 5: Create A Library Of Trusted Builds
Implement detective controls:
- Verify that deployed infrastructure matches known good states
- Verify virtual image configurations against internal and external configuration standards
- Monitor the approved virtual image library for all adds, removes and changes
- Reconcile all adds, removes and changes to an authorised change order
Step 6: Integrate Into The Release Management Processes
- Release management and information security both require standardisation and documentation
  - Checklists
  - Detection and reduction of variance
- Implement preventive and detective controls:
  - Develop shared templates with release management, QA and project management, and integrate into their checkpoints
  - Integrate automated security testing tools
  - Compare preproduction and production images, and reduce any variance
Step 7: Ensure All Activities Go Through Change Management
- Ensure that the only acceptable number of unauthorized changes is zero, across:
  - Infrastructure
  - Application releases
  - Security patches
  - Break/fix activities
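Steps 5 and 7 together (verify deployed infrastructure against a known good build, reconcile every add, remove and change to an authorised change order, and drive the unauthorized count to zero) as an added Python example; this is not code from the deck or from Tripwire. The trusted-build baseline, the host snapshot, the paths and the change orders are all constructed sample data.

```python
# Added example: detect drift from a trusted build and reconcile every change to an
# authorised change order (Steps 5 and 7). All data below is constructed.
import hashlib
from datetime import datetime

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Known good state from the trusted build library: path -> hash of approved content.
BASELINE = {
    "/etc/ssh/sshd_config": sha256(b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": sha256(b"%admin ALL=(ALL) ALL\n"),
    "/etc/ntp.conf": sha256(b"server ntp.example.internal\n"),
}

# State of a deployed host as captured at SNAPSHOT_TIME (ntp.conf is gone).
SNAPSHOT_TIME = datetime(2009, 10, 5, 3, 15)
CURRENT = {
    "/etc/ssh/sshd_config": sha256(b"PermitRootLogin yes\nPasswordAuthentication no\n"),  # modified
    "/etc/sudoers": sha256(b"%admin ALL=(ALL) ALL\n"),                                   # unchanged
    "/etc/cron.d/cleanup": sha256(b"0 3 * * * root /opt/cleanup.sh\n"),                 # added
}

# Change orders: which paths may change, and during which window.
CHANGE_ORDERS = [
    {"id": "CHG-2041", "paths": {"/etc/cron.d/cleanup"},
     "start": datetime(2009, 10, 5, 2, 0), "end": datetime(2009, 10, 5, 4, 0)},
    {"id": "CHG-2042", "paths": {"/etc/ssh/sshd_config"},   # scheduled for tomorrow, not yet open
     "start": datetime(2009, 10, 6, 2, 0), "end": datetime(2009, 10, 6, 4, 0)},
]

def detect_changes(baseline, current):
    """Diff deployed state against the trusted build: {path: 'added'|'removed'|'modified'}."""
    changes = {}
    for path in baseline.keys() | current.keys():
        if path not in current: changes[path] = "removed"
        elif path not in baseline: changes[path] = "added"
        elif baseline[path] != current[path]: changes[path] = "modified"
    return changes

def reconcile_changes(changes, orders, when):
    """Match each change to an order covering its path and time; the rest is unauthorized."""
    authorized, unauthorized = {}, {}
    for path, kind in sorted(changes.items()):
        match = next((o["id"] for o in orders
                      if path in o["paths"] and o["start"] <= when <= o["end"]), None)
        (authorized if match else unauthorized)[path] = (kind, match)
    return authorized, unauthorized
```

On this constructed host the cron job is covered by CHG-2041, while the sshd_config edit (its order is not open until the next day) and the missing ntp.conf come back as unauthorized; Step 7's target is for that second dictionary to be empty.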
What Does Transformation Feel Like?
Find What's Most Important First
Quickly Find What Is Different
Before Something Bad Happens
Find Risk Early
Communicate It Effectively To Peers
Hold People Accountable
Based On Objective Evidence
Answer Important Questions
Ever Increasing Situational Mastery
Show Value To The Business
Be Recognized For Contribution
And Do More With Less
Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
- High performers maintain a posture of compliance
  - Fewest number of repeat audit findings
  - One-third the amount of audit preparation effort
- High performers find and fix security breaches faster
  - 5 times more likely to detect breaches by automated control
  - 5 times less likely to have breaches result in a loss event
- When high performers implement changes
  - 14 times more changes
  - One-half the change failure rate
  - One-quarter the first fix failure rate
  - 10x faster MTTR for Sev 1 outages
- When high performers manage IT resources
  - One-third the amount of unplanned work
  - 8 times more projects and IT services
  - 6 times more applications
Source: IT Process Institute, May 2006
Where Tripwire Fits
Achieve & Maintain Configuration Control
- Achieve Known and Trusted State
  - Proactively assess configuration settings against internal & external standards
  - Identify risks & remediate to ensure policy compliance
- Maintain Known and Trusted State
  - Detect all changes across the IT infrastructure
  - Gain visibility & control through actionable reports, reconciliation and remediation
Attain Compliance, Mitigate Security Risk, Increase Operational Efficiency
Resources: Tripwire ConfigCheck
- Simple to use, free utility holding the best-practices knowledge of experts at VMware & Tripwire
- Easily and rapidly analyzes & validates VMware ESX server configurations according to VMware hardening guidelines
- Generates actionable results showing compliance and non-compliance for all guideline tests
- Provides links to a virtualization security resource center that provides remediation guidance for any failed test
www.tripwire.com/configcheck
Resources
- From the IT Process Institute (www.itpi.org)
  - Both Visible Ops Handbooks
  - ITPI IT Controls Performance Study
- Compliance Resource Center on www.tripwire.com
- Stop by the Tripwire booth for a copy of Visible Ops Security
- Gene Kim's "Practical Steps To Ensure Federal Cybersecurity And FISMA Compliance" white paper
- Follow Gene Kim on Twitter: @RealGeneKim
- genek@tripwire.com
- Blog: http://www.tripwire.com/blog/?cat=34
Key Takeaways
- Virtualization amplifies weaknesses and risks in enterprise IT processes and policies
  - 60 percent of production virtual machines will be less secure than their physical counterparts through 2009 (Gartner)
- Addressing these risks is a must have
  - Auditors require the same IT controls across the data center
- Mitigating risk
  - Tripwire delivers a unified solution for your physical and virtual environments
  - Configuration Assessment
  - Change Auditing
  - Achieve & Maintain A Known and Trusted State
Resources
Company Background
- Recognized Leader of Configuration Audit & Control
- Award-Winning, Patented Technology for Configuration Assessment & Change Auditing
- Over 6,000 customers worldwide
- Pioneer in Change Detection and File Integrity Monitoring
- IT Best Practice Thought Leaders: Visible Ops Handbook, ITIL v3 contributor, Visible Ops Security
Visible Ops Security: Linking Security and IT Operations Objectives In 4 Practical Steps
- Phase 1: Stabilize the patient, modify first response and get plugged into production
- Phase 2: Find fragile artifacts, and identify meaningful business and technology risks
- Phase 3: Implement development & release controls
- Phase 4: Continually improve
[Diagram: the four phases overlaid on the ITIL / BS 15000 process map: Service Design & Management (Security Management, Service Level Management, Capacity Management, Availability & Contingency Management, Service Reporting, Financial Management), Release Processes (Release Management), Control Processes (Asset & Configuration Management, Change Management), Resolution Processes (Incident Management, Problem Management), Supplier Processes (Customer Relationship Management, Supplier Management), Automation]
Sources: ITPI Visible Ops & IT Infrastructure Library (ITIL) / BS 15000