security models for security architecture


Upload: vladimir-jirasek

Post on 15-Jan-2015

Category: Technology

DESCRIPTION

The presentation should help security professionals create a security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value. The presentation was given at BrighTalk.

TRANSCRIPT

Page 1: Security models for security architecture

SECURITY MODELS FOR IMPROVING YOUR ORGANIZATION’S DEFENCE POSTURE AND STRATEGY

Vladimir Jirasek

Blog: JirasekOnSecurity.com

Bio: About.me/jirasek

9th Nov 2011

Page 2

About me
• Security professional (11 years)
• Founding member and steering group member of CAMM (Common Assurance Maturity Model, common-assurance.com)
• Director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)

Page 3

I will cover these topics today
• Security model for information security
• Security policy structure
• Security processes
• Security technology stack
• Security metrics for organisations

Page 4

Security model – business drives security

[Diagram: the security model. The labels that survive are grouped under the arrow labels on the slide (Drivers, Define, Rules, Measure, Inform):]
• Drivers: Business objectives; Compliance requirements; Laws & Regulations; Security threats; Security intelligence; International security standards
• Define: Information Security policies and Information Security standards, organised as a Policy framework, a Process framework and a Metrics framework; Information Security Artefacts
• Rules: Define security controls; Execute security controls, through Information Security Processes, Technology, People and Security management
• Measure: Measure security controls maturity; Information Security Metrics objectives; External security metrics; Security Metrics Portal
• Inform: CEO & Board; Line Management; Auditors; Risk & Compliance; Governance; Product Management; Program Management; Security Professionals; Correction of security processes

Page 5

Information Security Policy framework

[Diagram: policy hierarchy, with the owner and content labels shown beside each level:]
• Information Security Policy – CISO – Business and Security objectives
• Information Technology Security Policy – CIO – Security objectives
• IT security standards [reuse internationally accepted controls] – IT Security Architecture – Controls and processes
• Security guidelines (Technology, Processes) – Technical teams
• Also on the slide: Security architecture repository; Data classification policy; Employee Acceptable Use Policy

Page 6

Relationship between business objectives and security processes

[Diagram: traceability chain linking Business processes B1–B3, Business objectives BO1–BO3, Security Objectives SO1–SO5, Controls C1–C11 and Security Processes P1–P4, with International standards as the source of the controls.]

Provides response to “Do we have all business risks covered?”

Provides response to “Why are we doing this?”
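The two questions on this slide are coverage queries over the traceability chain. The following is an added example, not code from the presentation: it encodes a constructed mapping using the slide's B/BO/SO/C/P labels (the links between them, and the deliberate gaps, are assumptions) and answers "do we have all business risks covered?" by walking forward from business objectives, and "why are we doing this?" by walking backward from a control.

```python
"""Traceability model: business process -> business objective -> security
objective -> control -> security process. Added example; the links below
are constructed for illustration and include deliberate gaps."""
from collections import defaultdict

# Constructed mapping (assumption). The slide only shows the labels.
PROCESS_TO_OBJECTIVE = {"B1": ["BO1"], "B2": ["BO2"], "B3": ["BO3"]}
BO_TO_SO = {"BO1": ["SO1", "SO2"], "BO2": ["SO3"], "BO3": []}   # BO3: no security objective
SO_TO_CONTROL = {"SO1": ["C1", "C2"], "SO2": ["C3"], "SO3": ["C4", "C5"],
                 "SO4": ["C6"], "SO5": []}                        # SO4 serves no BO; SO5 has no control
CONTROL_TO_PROCESS = {"C1": "P1", "C2": "P1", "C3": "P2", "C4": "P3",
                      "C5": "P3", "C6": "P4", "C7": "P4"}        # C7 is not owned by any SO


def invert(mapping):
    """Turn {parent: [children]} into {child: [parents]}."""
    out = defaultdict(list)
    for parent, children in mapping.items():
        for child in children:
            out[child].append(parent)
    return dict(out)


def coverage_gaps():
    """'Do we have all business risks covered?' Business objectives that do
    not reach at least one control through a security objective."""
    gaps = []
    for bo, sos in BO_TO_SO.items():
        controls = [c for so in sos for c in SO_TO_CONTROL.get(so, [])]
        if not controls:
            gaps.append(bo)
    return gaps


def unjustified_controls():
    """Controls that trace back to no business objective: effort the model
    cannot explain to the business."""
    so_by_control = invert(SO_TO_CONTROL)
    bo_by_so = invert(BO_TO_SO)
    return [c for c in CONTROL_TO_PROCESS
            if not any(bo_by_so.get(so) for so in so_by_control.get(c, []))]


def justify(control):
    """'Why are we doing this?' Every (business process, business objective,
    security objective, control, security process) path for one control."""
    so_by_control = invert(SO_TO_CONTROL)
    bo_by_so = invert(BO_TO_SO)
    bp_by_bo = invert(PROCESS_TO_OBJECTIVE)
    chain = []
    for so in so_by_control.get(control, []):
        for bo in bo_by_so.get(so, []):
            for bp in bp_by_bo.get(bo, []):
                chain.append((bp, bo, so, control, CONTROL_TO_PROCESS[control]))
    return chain


if __name__ == "__main__":
    print("uncovered business objectives:", coverage_gaps())
    print("controls with no business justification:", unjustified_controls())
    print("why C4:", justify("C4"))
```

Run as-is it reports BO3 as uncovered and C6 and C7 as unjustified; in a real repository the same two walks over the actual policy, standard and process register give the two answers the slide asks for.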

Page 7

Sources of security controls
• ISO 27000 series
• ISF Standard of Good Practice 2011
• PCI DSS
• NIST SP 800-53
• COBIT 4
• SANS 20 critical controls

Page 8

Security technology stack

[Diagram: the security technology stack. Cross-cutting: GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography. Layers: Data Security; Application Security; Host Security; Network Security; Physical Security.]

• Organise security reporting around the stack
• For each, prepare current state and target state analysis and a roadmap

Page 9

Security stack::Network
• Network firewalls
• VPN gateways
• Network Intrusion Detection/Prevention
• DDoS
• WiFi security
• Network Access Control
• DNS Security
• Web, Email & IM filtering

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Network Security in focus.]

Page 10

Network security relationships

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Network Security in focus; the relationship lines drawn on the slide are not recoverable from the transcript.]

Page 11

Security stack::Host
• Configuration compliance
• Patch management
• Vulnerability scanning
• Anti-malware
• Application control
• Location awareness
• Device control
• Trusted execution protection

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Host Security in focus.]

Page 12

Host security relationships

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Host Security in focus; the relationship lines drawn on the slide are not recoverable from the transcript.]

Page 13

Security stack::Application
• Code reviews/scanning – binary and source
• Security sensors (AppSensor)
• Web application scanning
• Penetration testing
• Web protection (WAF)

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Application Security in focus.]

Page 14

Application security relationships

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Application Security in focus; the relationship lines drawn on the slide are not recoverable from the transcript.]

Page 15

Security stack::Data
• Data classification
• Email encryption
• File encryption
• Document Rights Management
• Data Leakage protection
• Watermarking
• End point encryption
• Database security

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Data Security in focus.]

Page 16

Data security relationships

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Data Security in focus; the relationship lines drawn on the slide are not recoverable from the transcript.]

Page 17

Security stack::IAEM (Identity, Entitlement, Access Management)
• Principal management
• Account provisioning
• Rights management
• Directories
• Single sign on and Federation
• Authorisation
• Role and rights auditing
• 2nd factor authentication

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Identity, Entitlement, Access in focus.]

Page 18

IAEM relationships

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Identity, Entitlement, Access in focus; the relationship lines drawn on the slide are not recoverable from the transcript.]

Page 19

Security stack::Cryptography
• Key generation
• Key escrow
• Host and Network HSM
• Certificate management & PKI

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Cryptography in focus.]

Page 20

Cryptography relationships

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Cryptography in focus; the relationship lines drawn on the slide are not recoverable from the transcript.]

Page 21

Security stack::SIEM
• Collection of security relevant logs
• Archiving – retention
• Correlation with other data sources
• Acting on security information
• Ideal to use MSSP

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Information & Event Mgmt in focus.]
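The four SIEM functions on this slide (collect, retain, correlate with other data sources, act) fit in a short pipeline. The following is an added example, not code from the presentation or any SIEM product: the log lines, the HR leaver list, the CMDB host list and the thresholds are all constructed, and the line format is an assumption. It shows why "correlation with other data sources" matters: neither rule can fire on the log alone.

```python
"""Minimal SIEM-style pipeline: collect and normalise log lines, correlate
them with non-log data sources, and select events for the archive tier.
Added example; all inputs are constructed."""
import re
from datetime import datetime, timedelta

# Constructed log lines from two sources: a VPN gateway and a server.
RAW_LOGS = [
    "2011-11-09T08:01:10Z vpn-gw1 vpn: user=alice src=203.0.113.5 action=login result=success",
    "2011-11-09T08:02:30Z vpn-gw1 vpn: user=mallory src=198.51.100.7 action=login result=success",
    "2011-11-09T08:03:00Z host-fin01 auth: user=mallory action=logon result=failure",
    "2011-11-09T08:03:05Z host-fin01 auth: user=mallory action=logon result=failure",
    "2011-11-09T08:03:09Z host-fin01 auth: user=mallory action=logon result=failure",
    "2011-11-09T08:03:12Z host-fin01 auth: user=mallory action=logon result=success",
    "2011-10-01T09:00:00Z host-hr02 auth: user=bob action=logon result=success",
]

# Constructed "other data sources" the correlation rules need.
LEAVERS = {"mallory": "2011-11-01"}          # HR feed: account owner's leaving date
CRITICAL_HOSTS = {"host-fin01": "finance"}   # CMDB: hosts mapped to a business service

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<kv>.*)$")


def parse(line):
    """Normalise one raw line into a dict; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
             "host": m["host"], "source": m["source"]}
    event.update(kv.split("=", 1) for kv in m["kv"].split())
    return event


def collect(lines):
    """Collection step: keep every line that normalises cleanly."""
    return [e for e in map(parse, lines) if e is not None]


def correlate(events, leavers=LEAVERS, critical_hosts=CRITICAL_HOSTS,
              failure_threshold=3, window=timedelta(minutes=5)):
    """Two rules that need data beyond the log itself:
    1. any activity by an account whose owner has left (HR feed);
    2. repeated failed logons followed by a success on a critical host (CMDB)."""
    alerts, seen = [], set()
    ordered = sorted(events, key=lambda x: x["ts"])
    for e in ordered:
        left = leavers.get(e.get("user"))
        if left and e["ts"].date() > datetime.strptime(left, "%Y-%m-%d").date():
            key = ("leaver_activity", e["user"], e["host"])
            if key not in seen:            # one alert per account and host
                seen.add(key)
                alerts.append(key)
    failures = {}
    for e in ordered:
        if e["source"] != "auth" or e["host"] not in critical_hosts:
            continue
        history = failures.setdefault((e["user"], e["host"]), [])
        if e.get("result") == "failure":
            history.append(e["ts"])
        elif e.get("result") == "success":
            recent = [t for t in history if e["ts"] - t <= window]
            if len(recent) >= failure_threshold:
                alerts.append(("failures_then_success", e["user"], e["host"]))
            history.clear()
    return alerts


def to_archive(events, now, hot_retention=timedelta(days=30)):
    """Retention step: events older than the hot period go to the archive tier."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ")
    return [e for e in events if now - e["ts"] > hot_retention]


if __name__ == "__main__":
    evts = collect(RAW_LOGS)
    for alert in correlate(evts):
        print("ACT:", alert)      # the "acting on security information" hand-off
    print("to archive:", len(to_archive(evts, "2011-11-09T12:00:00Z")))
```

The leaver rule is the one a managed provider (the slide's MSSP) cannot run unless the customer feeds it the HR and asset data, which is the practical point behind "correlation with other data sources".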

Page 22

SIEM relationships

[Diagram: the security technology stack (GRC; Information & Event Mgmt; Identity, Entitlement, Access; Cryptography; Data, Application, Host, Network and Physical Security) with Information & Event Mgmt in focus; the relationship lines drawn on the slide are not recoverable from the transcript.]

Page 23

Security metrics characteristics
• Measurable
• Objective
• Quantitative (ideally)
• Meaningful
• With KPIs attached – know what is good and bad
• Linked to business objectives – money speaks

Page 24

Metrics for CIO – Policy compliance and control maturity

Policy statement | IT Unit A | IT Unit B | IT Unit C | Overall IT
Governance       | 3         | 3.5       | 2         | 3
Awareness        | 3         | 4         | 3         | 3.5
Development      | N/A       | 2         | 1         | 1.5
Hardening        | 4         | N/A       | 2         | 3
Network          | N/A       | N/A       | 3         | 3
End devices      | 2         | 2         | 3         | 2
Overall          | 3 (£3m)   | 3 (100k)  | 2 (£10m)  | 3 (£13.1m)

Page 25

Metrics for CIO – Maturity of controls for business processes/services

IT Service \ Business process | Maturity | VaR for Process A | VaR for Process B | VaR for Process C | VaR for IT service
IT Service 1                  | 2        | £1m               | £2m               | £1m               | £4m
Infrastructure                | 3        | £1m               | £3m               | £10m              | £14m
IT Service 2                  | 3        | £0.5m             | N/A               | £20m              | £20.5m
IT Service 3                  | 4        | N/A               | £100k             | £500k             | £600k
Overall                       |          | £2.5m             | £5.1k             | £31.5m            | £39.1m

Invest in the IT service to lower the VaR
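The two CIO tables above are roll-ups, and the metrics characteristics on slide 23 ask for KPIs that say what is good and bad. The following is an added example, not from the presentation: it loads the figures from both tables (N/A kept as not-applicable), rolls them up, bands them against constructed KPI thresholds and ranks services for investment by VaR. The roll-up rule for maturity (mean of the applicable scores, rounded to the nearest 0.5) and the KPI thresholds are assumptions; the slide does not state how its overall figures were produced, and with these inputs the Process B column sums to £5.1m.

```python
"""Roll up policy-compliance maturity and VaR into CIO-level metrics.
Added example; figures mirror the two slides, KPI thresholds and the
roll-up rule are assumptions."""

NA = None  # "N/A" on the slide: not applicable to that unit or process

# Maturity score per policy statement per IT unit (slide 24).
MATURITY = {
    "Governance":  {"IT Unit A": 3,  "IT Unit B": 3.5, "IT Unit C": 2},
    "Awareness":   {"IT Unit A": 3,  "IT Unit B": 4,   "IT Unit C": 3},
    "Development": {"IT Unit A": NA, "IT Unit B": 2,   "IT Unit C": 1},
    "Hardening":   {"IT Unit A": 4,  "IT Unit B": NA,  "IT Unit C": 2},
    "Network":     {"IT Unit A": NA, "IT Unit B": NA,  "IT Unit C": 3},
    "End devices": {"IT Unit A": 2,  "IT Unit B": 2,   "IT Unit C": 3},
}

# Value at risk in GBP per IT service per business process, with service maturity (slide 25).
VAR = {
    "IT Service 1":   {"maturity": 2, "Process A": 1_000_000, "Process B": 2_000_000, "Process C": 1_000_000},
    "Infrastructure": {"maturity": 3, "Process A": 1_000_000, "Process B": 3_000_000, "Process C": 10_000_000},
    "IT Service 2":   {"maturity": 3, "Process A": 500_000,   "Process B": NA,        "Process C": 20_000_000},
    "IT Service 3":   {"maturity": 4, "Process A": NA,        "Process B": 100_000,   "Process C": 500_000},
}
PROCESSES = ["Process A", "Process B", "Process C"]

# Constructed KPI bands: at or above KPI_GOOD is good, below KPI_BAD is bad.
KPI_GOOD, KPI_BAD = 3.0, 2.0


def mean_to_half(values):
    """Mean of the applicable scores, rounded to the nearest 0.5 (assumed rule)."""
    present = [v for v in values if v is not NA]
    if not present:
        return NA
    return round(sum(present) / len(present) * 2) / 2


def unit_maturity(unit):
    """Column roll-up: one score per IT unit across all policy statements."""
    return mean_to_half(row[unit] for row in MATURITY.values())


def statement_maturity(statement):
    """Row roll-up: one score per policy statement across all IT units."""
    return mean_to_half(MATURITY[statement].values())


def kpi_status(score):
    """Attach the KPI: know what is good and bad."""
    if score is NA:
        return "n/a"
    if score >= KPI_GOOD:
        return "good"
    if score < KPI_BAD:
        return "bad"
    return "watch"


def var_by_process():
    """Bottom row of the VaR table: exposure per business process."""
    return {p: sum(s[p] for s in VAR.values() if s[p] is not NA) for p in PROCESSES}


def var_by_service():
    """Right-hand column of the VaR table: exposure per IT service."""
    return {name: sum(s[p] for p in PROCESSES if s[p] is not NA) for name, s in VAR.items()}


def total_var():
    return sum(var_by_service().values())


def investment_priority():
    """'Invest in the IT service to lower the VaR': highest exposure first,
    lower maturity first on ties."""
    totals = var_by_service()
    return sorted(VAR, key=lambda s: (-totals[s], VAR[s]["maturity"]))


if __name__ == "__main__":
    for unit in ["IT Unit A", "IT Unit B", "IT Unit C"]:
        score = unit_maturity(unit)
        print(f"{unit}: maturity {score} ({kpi_status(score)})")
    print("VaR by process:", var_by_process())
    print("VaR by service:", var_by_service(), "total", total_var())
    print("invest first in:", investment_priority())
```

Keeping N/A distinct from zero is the one detail worth carrying into a real metrics portal: a control that does not apply must neither drag a unit's maturity down nor count as covered.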

Page 26

Summary
• Business drives security
• Reuse good content from the information security community
• Security policy framework – target audience, think of implementation
• Link security metrics to policy, which is linked to business objectives
• All-round security controls – good prevention against cyber threats