Building A Security Program From The Ground Up: Crawl, Walk, Run!
Transcript of Building A Security Program From The Ground Up: Crawl, Walk, Run!
Building A Security Program From The Ground Up
Joff Thyer, Black Hills Information Security
Paul Asadoorian, Security Weekly / Tenable Network Security
Why this talk?
My Wife Had A Baby
Pretty sure it's mine, though the older one blames the mailman...
My 10 Month Old Just Started Walking
More like falling with style....
http://securityweekly.com Copyright 2014
About Me
• Day Job: Tenable Network Security Product Evangelist (Primarily Nessus)
• Founder of Security Weekly (weekly podcast, Internet TV)
• Gets hands (and other parts) dirty on penetration tests at Black Hills Information Security
• Loves family, embedded devices, beer, cigars, fishing, freedom & Kung Fu movies
Photo captions: Hail Nessus... <3 / Beer / Beer+Cigars = Fishing
About Joff
• Security Consultant and Security Solutions Developer at Black Hills Information Security
• Remember Derbycon 2011? (“Covert Channels using IP Packet Headers”)
• Packet Ninja
• Teaches for SANS
• Helps out with Security Weekly
Crawl, Walk, Run
• Crawl - Know your network & systems, establish policies and procedures, build relationships with network/sysadmins, define “secure”, user awareness
• Walk - Implement patch management, vulnerability management, change control, hardening, IPS/Firewall/Anti-Virus, SDLC
• Run - Active defense, advanced roll-back/leap forward, cloud integration, threat & risk intelligence, advanced monitoring & event management
Policy & Procedures
• Policy = Who, What, Where, Why
• Procedures = How
• Policy must be signed off
• Procedures must be integrated with the teams that carry them out:
• Network & Systems Admins
• Help Desk & Desktop IT
• Operations
• Software Development
• Physical Security
Knowing Your Network
• Identifying new hosts
• Sniffing
• Logs
• Virtualization
• Keeping a Software Inventory
• Tracking infrastructure (switches, routers, storage)
• Getting ahead of new projects & software
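Added example, not from the slides: “identifying new hosts” from logs you already have. The script below parses ISC dhcpd-style DHCPACK lines (constructed sample) and reports every MAC that got a lease but is not in the asset inventory (also constructed). Only ACKs count, because a DISCOVER alone does not prove a host got an address.

```python
"""Flag hosts seen in DHCP lease logs that are missing from the inventory.

Added example (not from the talk). The log format mimics ISC dhcpd syslog
lines; the inventory is a constructed dict keyed by MAC address.
"""
import re
from collections import defaultdict

# Constructed sample: ISC dhcpd-style DHCPACK lines as they appear in syslog.
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.10.20.15 to 00:11:22:33:44:55 (wkstn-015) via eth0
Mar  3 09:12:44 dhcp1 dhcpd: DHCPACK on 10.10.20.16 to 00:11:22:33:44:56 (wkstn-016) via eth0
Mar  3 09:15:09 dhcp1 dhcpd: DHCPACK on 10.10.20.77 to de:ad:be:ef:00:01 (android-3f2a) via eth0
Mar  3 09:16:30 dhcp1 dhcpd: DHCPACK on 10.10.20.78 to de:ad:be:ef:00:02 via eth0
Mar  3 09:17:02 dhcp1 dhcpd: DHCPACK on 10.10.20.15 to 00:11:22:33:44:55 (wkstn-015) via eth0
Mar  3 09:18:12 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
"""

# Constructed inventory: MAC -> asset record (what the org believes is on the wire).
INVENTORY = {
    "00:11:22:33:44:55": {"name": "wkstn-015", "owner": "desktop-it"},
    "00:11:22:33:44:56": {"name": "wkstn-016", "owner": "desktop-it"},
}

# Only DHCPACK means a lease was actually handed out; DISCOVER/REQUEST alone
# does not prove the host got an address, so those lines are ignored.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<hostname>[^)]*)\))?",
    re.IGNORECASE,
)


def parse_leases(log_text):
    """Return {mac: {"ips": set, "hostname": str|None, "count": int}} from DHCPACK lines."""
    leases = defaultdict(lambda: {"ips": set(), "hostname": None, "count": 0})
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        rec = leases[mac]
        rec["ips"].add(m.group("ip"))
        rec["count"] += 1
        if m.group("hostname"):          # clients may send no hostname at all
            rec["hostname"] = m.group("hostname")
    return dict(leases)


def find_unknown_hosts(log_text, inventory):
    """Return [(mac, record)] for leases whose MAC is not in the inventory.

    Each record carries the evidence (IPs, hostname if the client sent one,
    number of ACKs) so the finding can be handed to the network admins.
    """
    leases = parse_leases(log_text)
    known = {mac.lower() for mac in inventory}
    return sorted((mac, rec) for mac, rec in leases.items() if mac not in known)


if __name__ == "__main__":
    for mac, rec in find_unknown_hosts(SAMPLE_DHCP_LOG, INVENTORY):
        name = rec["hostname"] or "<no hostname>"
        print(f"NEW HOST {mac} {name} ips={sorted(rec['ips'])} acks={rec['count']}")
```

Run it against a day of dhcpd logs and the output is the list of devices nobody told you about; feed the same MACs back into the inventory once an owner claims them.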
Segment Your Network?
• Trusted vs. Untrusted
• Segment properly
• Not an excuse for poor security
Relations
• Develop a good (make that great) relationship with all systems administrators
• You are there to help
• This goes for developers too
• Do’s and Don’ts:
• Do bring them donuts
• Don’t go over their heads
• Do use positive reinforcement
• Do not beat them with sticks
User Awareness
• Create a security-minded culture
• Again, positive reinforcement
• Computers are smarter than people?
• Basic user awareness training can be automated, run constantly, and still be effective
Patch Management
• MUST:
• Make effort to patch everything
• Have prioritization factors
• Use tools and automation
• MUST NOT:
• Use one 90-day patch window for ALL systems
• Patch only Windows/UNIX/Linux and ignore everything else
• Leave patching to users
Vulnerability Management
• Find all of your vulnerabilities
• Vuln management does not come with a bucket of sand (to bury your head in)
• Do the full spectrum:
• Network scanning
• Credentialed patch auditing
• Configuration Auditing
• Passive Scanning
• Send the results to the right people!
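Added example, not from the slides, covering both the patch-management slide (“have prioritization factors”, no single window for everything) and this one (“do the full spectrum”, “send the results to the right people”). It merges the same issue reported by two scan sources, scores each finding with CVSS plus exposure, exploit availability and asset value, maps the score to a patch window, and groups the queue by owning team. The weights, SLAs, assets and findings are all constructed assumptions, not a published standard.

```python
"""Score vulnerability findings from several sources, assign a patch window,
and group them by the team that owns the asset.

Added example (not from the talk). The weighting, the asset owners and the
findings are constructed assumptions, not a published standard.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str            # team that receives the finding
    internet_facing: bool
    criticality: int      # 1 (lab box) .. 5 (crown jewels)


@dataclass
class Finding:
    host: str
    plugin: str           # what the scanner called it
    cvss: float           # 0.0 .. 10.0
    source: str           # "network", "credentialed", "config", "passive"
    exploit_public: bool = False
    fix_available: bool = True


# Constructed sample assets and findings (one issue seen by two sources).
ASSETS = {
    "web01": Asset("web01", "web-ops", True, 4),
    "db01": Asset("db01", "dba", False, 5),
    "lab07": Asset("lab07", "desktop-it", False, 1),
}
FINDINGS = [
    Finding("web01", "OpenSSL heartbeat read overrun", 7.5, "network", exploit_public=True),
    Finding("web01", "OpenSSL heartbeat read overrun", 7.5, "credentialed", exploit_public=True),
    Finding("db01", "Database listener default credentials", 9.8, "config", exploit_public=True),
    Finding("db01", "Missing vendor patch bundle", 6.5, "credentialed"),
    Finding("lab07", "Browser plugin out of date", 8.8, "passive", exploit_public=True),
    Finding("lab07", "Vendor firmware EOL, no fix", 5.0, "credentialed", fix_available=False),
]


def score(finding, asset):
    """Combine CVSS with exposure, exploitability and asset value into 0..100.

    CVSS alone would put lab07's browser plugin (8.8) far ahead of db01's
    missing patch bundle (6.5); weighting asset value reverses that. The
    multipliers are a constructed policy, tune them to your shop.
    """
    s = finding.cvss * 10                     # 0..100 baseline
    if asset.internet_facing:
        s *= 1.3
    if finding.exploit_public:
        s *= 1.3
    s *= 0.4 + 0.12 * asset.criticality       # 0.52 (crit 1) .. 1.0 (crit 5)
    return min(round(s, 1), 100.0)


def patch_window_days(s):
    """Map the score to an SLA: never one window for everything."""
    if s >= 80:
        return 7
    if s >= 50:
        return 30
    return 90


def dedupe(findings):
    """Collapse the same issue on the same host reported by several sources."""
    merged = {}
    for f in findings:
        key = (f.host, f.plugin)
        if key in merged:
            merged[key].source = merged[key].source + "+" + f.source
        else:
            merged[key] = Finding(**vars(f))  # copy so the input list is untouched
    return list(merged.values())


def route(findings, assets):
    """Return {owner: [(score, days, finding), ...]} sorted worst-first.

    Findings without a fix are still reported (the owner must mitigate or
    accept the risk); hosts missing from inventory land in 'unassigned'.
    """
    queues = defaultdict(list)
    for f in dedupe(findings):
        asset = assets.get(f.host)
        if asset is None:
            queues["unassigned"].append((f.cvss * 10, 30, f))
            continue
        s = score(f, asset)
        queues[asset.owner].append((s, patch_window_days(s), f))
    for q in queues.values():
        q.sort(key=lambda t: -t[0])
    return dict(queues)


if __name__ == "__main__":
    for owner, items in route(FINDINGS, ASSETS).items():
        print(f"== {owner}")
        for s, days, f in items:
            tag = "" if f.fix_available else " (NO FIX: mitigate/accept)"
            print(f"  {s:5.1f} {days:>3}d {f.host} {f.plugin} [{f.source}]{tag}")
```

The “unassigned” queue is the important failure mode: a scanner found a host that the inventory does not know, which is a Crawl-stage problem (knowing your network) surfacing in the Walk stage.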
Hardening & Change Control
• Do have a plan to configure, harden and keep systems secure
• “Only enable stuff you need”
• Balance: System has to be usable
• The real problem: staying “secure” after day one
• It is a constant process; change control keeps it that way
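Added example, not from the slides: a small configuration audit that turns “only enable stuff you need” into something you can run after every change. It parses an sshd_config (constructed sample with deliberate drift) and compares the effective settings against a hardening baseline. Two details matter in practice and are handled here: sshd takes the first occurrence of a keyword, so a later “fix” line does nothing, and a keyword that is absent is judged by its compiled-in default rather than skipped. The baseline values and default table are constructed for illustration.

```python
"""Audit an sshd_config against a hardening baseline and report drift.

Added example (not from the talk). The baseline values are a constructed
policy; the sshd semantics relied on are that keywords are case-insensitive
and the first occurrence of a keyword wins.
"""
import re

# Constructed baseline: keyword -> set of acceptable values (lower-cased).
BASELINE = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
    "permitemptypasswords": {"no"},
    "protocol": {"2"},
}

# Compiled-in defaults (recent OpenSSH) assumed when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "permitemptypasswords": "no",
    "protocol": "2",
}

# Constructed sample with drift: root login enabled, passwords on, a later
# duplicate line that sshd ignores, and a Match block that is not global.
SAMPLE_SSHD_CONFIG = """\
# Managed by nobody, edited by hand during an outage
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
# someone "fixed" it below, but the first occurrence above wins
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

KV_RE = re.compile(r"^\s*(\S+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first occurrence wins.

    Everything after the first 'Match' line is conditional and not part of
    the global policy, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comment lines
        if not line:
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def audit(text, baseline=BASELINE, defaults=DEFAULTS):
    """Return [(keyword, effective_value, allowed_values)] for each deviation.

    A keyword missing from the file is judged by its compiled-in default,
    because 'not configured' is not the same as 'hardened'.
    """
    settings = parse_sshd_config(text)
    deviations = []
    for key, allowed in baseline.items():
        effective = settings.get(key, defaults.get(key, "<unset>")).lower()
        if effective not in allowed:
            deviations.append((key, effective, sorted(allowed)))
    return deviations


if __name__ == "__main__":
    for key, value, allowed in audit(SAMPLE_SSHD_CONFIG):
        print(f"DRIFT {key}={value!r}; expected one of {allowed}")
```

Hook this into change control: the same check that gates a new build should run on the live host, because the drift in the sample came from a hand edit during an outage, not from the image.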
IPS/Firewall/Anti-Virus
• These things are “good” (not great)
• They are like a flu shot:
• There is a known threat
• Generally you know how to remediate
• You vaccinate, little impact to user
• It can stop known threats
• Should not cost a lot
SDLC
• Get ahead of the process
• Interview developers and project leaders (what does the stuff DO?)
• Use secure libraries
• Build security into all phases:
• Planning
• Development
• QA
• Post-Production scanning (pen testing)
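Added example, not from the slides: what “use secure libraries” looks like at the development phase. The same login lookup is written twice against a constructed in-memory sqlite3 table, once by splicing input into the SQL text and once with the parameter binding the standard-library driver already provides; the injection payload shown is ours. Finding the first version in QA or in post-production scanning is far more expensive than never writing it.

```python
"""Login lookup built two ways: string formatting (injectable) and the
parameter binding the database library already provides.

Added example (not from the talk). Uses only the standard-library sqlite3
module and a constructed in-memory users table. Passwords are stored in the
clear purely to keep the example short; hash them in real code.
"""
import sqlite3


def make_db():
    """Constructed sample table with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, name, pw):
    """BAD: user input is spliced into the SQL text, so quotes change the query."""
    sql = f"SELECT count(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, name, pw):
    """GOOD: placeholders; the driver sends values separately from the query text."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"            # classic tautology as the "password"
    print("vulnerable:", login_vulnerable(db, "alice", payload))
    print("fixed:     ", login_fixed(db, "alice", payload))
```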
802.1x / NAC
• Prevent “bad” things from getting on the network in the first place
• If “bad” things happen, put them in a different network for a while and remediate
• Control new systems and software to avoid surprise!
Keep ’Em Rollin’
• When (not if) compromise happens
• Understand how/why
• Build a new image with remediation
• Rollout new system
Application Whitelisting
• Yep, it's hard.
• Yep, we’ve talked about it before
• However:
• It can be an effective mechanism for defeating malware
• You have to really know your systems
• We did a whole webcast on it “Fighting Malware: Taking Back The Endpoint”
• I am working on posting the video/slides, check securityweekly.com/webcasts
• (oh and computers are smarter than people)
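Added example, not from the slides or the webcast: the decision at the heart of application whitelisting, done by hash rather than by path. The manifest of known-good SHA-256 digests stands in for what you would build from a golden image (“you have to really know your systems”), and the “files on disk” are constructed byte strings. The interesting cases are a known path whose hash no longer matches (tampered or unapproved upgrade) and a known-good binary that has simply been copied elsewhere, which hash-based trust still allows.

```python
"""Hash-based application allowlisting decision, deny by default.

Added example (not from the talk). The manifest and the files are
constructed in-memory stand-ins; a real agent hashes binaries on disk and
ships the manifest from a known-good image.
"""
import hashlib


def sha256(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed known-good manifest from a golden image: path -> sha256.
KNOWN_GOOD = {
    "/usr/bin/ssh": sha256(b"ssh binary v1"),
    "/usr/bin/python3": sha256(b"python3 binary"),
    "/opt/app/app.exe": sha256(b"app build 42"),
}

# Constructed view of what is actually on a host: path -> file bytes.
HOST_FILES = {
    "/usr/bin/ssh": b"ssh binary v1",                    # matches manifest
    "/usr/bin/python3": b"python3 binary plus trojan",   # known path, hash differs
    "/tmp/update.exe": b"totally legit update",          # never heard of it
    "/opt/app/app.exe": b"app build 42",                 # matches manifest
    "/home/bob/ssh-copy": b"ssh binary v1",              # known hash, new path
}


def decide(path, data, manifest):
    """Return 'allow', 'allow: ...' or a 'deny: ...' reason for one executable.

    Trust is anchored to the hash, not the path: a known-good binary copied
    elsewhere still runs, while a known path whose content changed is denied
    and reported separately from a file the manifest has never seen.
    """
    digest = sha256(data)
    expected = manifest.get(path)
    if expected == digest:
        return "allow"
    if digest in set(manifest.values()):
        return "allow: known hash at new path"
    if expected is None:
        return "deny: not in allowlist"
    return "deny: hash mismatch (modified or unapproved version)"


def evaluate_host(files, manifest):
    """Return {path: decision} for every executable found on the host."""
    return {path: decide(path, data, manifest) for path, data in sorted(files.items())}


if __name__ == "__main__":
    for path, verdict in evaluate_host(HOST_FILES, KNOWN_GOOD).items():
        print(f"{verdict:<55} {path}")
```

The hard part is not this function; it is producing and maintaining the manifest every time a patch cycle changes the hashes, which is why the slide ties whitelisting to knowing your systems.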
Advanced Security Event Mgt
• Take logs from lots of things:
• Systems, Network, Applications, Databases, security devices
• And Do “Stuff” with them:
• Who is attacking me and how?
• Intrusion analysis and attack paths
• Find compromised systems
• Detect behavior that requires action
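Added example, not from the slides: one piece of “do stuff with the logs”. It correlates sshd authentication lines (constructed sample mimicking OpenSSH syslog output) per source address and host, and raises an alert when a run of failed passwords is followed by a success from the same source, which is the “behavior that requires action” case; a run that never succeeded is still reported for blocking. Thresholds and the syslog year are assumptions.

```python
"""Correlate authentication log lines to find a password-guessing run that
ended in a successful login.

Added example (not from the talk). Log lines mimic OpenSSH syslog output and
are constructed; the thresholds and the year are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar  3 02:10:01 web01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 02:10:03 web01 sshd[2002]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 02:10:05 web01 sshd[2003]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 02:10:08 web01 sshd[2004]: Failed password for deploy from 203.0.113.7 port 51006 ssh2
Mar  3 02:10:11 web01 sshd[2005]: Failed password for deploy from 203.0.113.7 port 51008 ssh2
Mar  3 02:10:15 web01 sshd[2006]: Accepted password for deploy from 203.0.113.7 port 51010 ssh2
Mar  3 02:30:00 web01 sshd[2100]: Failed password for alice from 10.10.20.15 port 40000 ssh2
Mar  3 02:30:07 web01 sshd[2101]: Accepted publickey for alice from 10.10.20.15 port 40002 ssh2
Mar  3 03:00:00 db01 sshd[3001]: Failed password for root from 198.51.100.9 port 60000 ssh2
Mar  3 03:00:01 db01 sshd[3002]: Failed password for root from 198.51.100.9 port 60002 ssh2
Mar  3 03:00:02 db01 sshd[3003]: Failed password for root from 198.51.100.9 port 60004 ssh2
Mar  3 03:00:03 db01 sshd[3004]: Failed password for root from 198.51.100.9 port 60006 ssh2
Mar  3 03:00:04 db01 sshd[3005]: Failed password for root from 198.51.100.9 port 60008 ssh2
Mar  3 03:00:05 db01 sshd[3006]: Failed password for root from 198.51.100.9 port 60010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2014):
    """Yield one dict per sshd auth line; syslog has no year, so one is supplied."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        yield ev


def correlate(log_text, min_failures=4, window_seconds=600):
    """Return alerts as (kind, host, src, user, failures).

    'brute_force_success': a source that failed at least min_failures times
    within window_seconds then logged in on the same host (the user it got
    in as is the one to investigate). 'brute_force': the run never
    succeeded, still worth a block. A single typo before a key login is
    below threshold and produces nothing.
    """
    failures = defaultdict(list)   # (host, src) -> failure timestamps
    alerts = []
    for ev in parse(log_text):
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            alerts.append(("brute_force_success", ev["host"], ev["src"], ev["user"], len(recent)))
        failures[key].clear()      # any success ends the current run
    for (host, src), ts_list in failures.items():
        if len(ts_list) >= min_failures:
            alerts.append(("brute_force", host, src, None, len(ts_list)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUTH_LOG):
        print(alert)
```

The same shape (group by a key, keep a window of state, fire on a sequence) is what the event-management tooling on this slide does across systems, network devices and applications at once; the value comes from having all of those sources in one place so the sequence is visible.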
For Slides Join Our Mailing List:
http://securityweekly.com/insider
Podcast/Blog/Videos: http://securityweekly.com
Contact Me: [email protected]
http://tenable.com/careers
http://www.blackhillsinfosec.com