Creating effective security controls

Creating Effective Security Controls: A Ten Year Study of High Performing Security

Speaker: Gene Kim, Founder and CTO, Tripwire

Transcript of Creating effective security controls

Page 1: Creating effective security controls

Creating Effective Security Controls: A Ten Year Study of High Performing Security

Speaker: Gene Kim, Founder and CTO, Tripwire

Page 2: Creating effective security controls

compliance | security | control. Don’t Take Chances. TAKE CONTROL. IT SECURITY & COMPLIANCE AUTOMATION

Where Did The High Performers Come From?

Page 3: Creating effective security controls


Agenda

An uncomfortable question about information security effectiveness

How does information security integrate effectively into daily operations?

How did the high performing IT organizations make their “good to great” transformations?

Seven practical steps to go from “good to great”

How does going from good to great feel?

Additional resources

Page 4: Creating effective security controls


Information Security and Compliance Risks

Information security practitioners are always one change away from a security breach

Front page news

Regulatory fines

Brand damage

High profile security failures are increasing external pressures for security and compliance

Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)

Page 5: Creating effective security controls


The Dark Side Of Virtualization

Virtualization enables organizations to deploy changes and releases more quickly than ever

“What works at 60 mph may not work at 200 mph…”

Certain required activities in the physical world made it easier to prevent and detect release risks

Watching for servers on the loading dock

Budgeting and procurement activities

Physical data center access

Network cabling

What happens when these activities are no longer required to deploy major releases?

• And when it is easy to download VMplayer, copy virtual machines, etc…

• And what could go wrong?

Page 6: Creating effective security controls


Operations And Security Already Don’t Get Along

Operations Hinders Security…

Deploys insecure components into production

Creates production IT infrastructure hard to understand

Has no information security standard

Creates self-inflicted outages

Uses shared privileged accounts

Can’t quickly address known security vulnerabilities

Security Hinders Operations…

Creates bureaucracy

Security changes break production systems

Generates risky, low value IT operations work

Generates large backlog of reviews

Creates delays through information security requirements

Raises project issues: costs too much, takes too long, and reduces the feature set

Words often used to describe information security:

“hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…”

Page 7: Creating effective security controls

Going from Good to Great

Page 8: Creating effective security controls


Desired Outcome: Create A Higher Performing, More Nimble and More Secure IT Organization

[Chart: Operations Metrics Benchmarks, Best in Class: Server/sysadmin ratios. X axis: Server/sysadmin ratio (0 to 140); Y axis: # Servers (log scale, 1 to 10,000). Annotations: Size of Operation; Best in Class Ops and Security.]

Efficiency of Operation

• Highest ratio of staff for pre-production processes

• Lowest amount of unplanned work

• Highest change success rate

• Best posture of compliance

• Lowest cost of compliance

Source: IT Process Institute (2001)

Page 9: Creating effective security controls


Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure

High performers maintain a posture of compliance

Fewest number of repeat audit findings

One-third the amount of audit preparation effort

High performers find and fix security breaches faster

5 times more likely to detect breaches by automated control

5 times less likely to have breaches result in a loss event

When high performers implement changes…

14 times more changes

One-half the change failure rate

One-quarter the first fix failure rate

10x faster MTTR for Sev 1 outages

When high performers manage IT resources…

One-third the amount of unplanned work

8 times more projects and IT services

6 times more applications

Source: IT Process Institute, May 2008

Page 10: Creating effective security controls


Common Traits of the Highest Performers

Source: IT Process Institute

Culture of…

Change management

Causality

Compliance and continual reduction of operational variance

Integration of IT operations/security via problem/change management

Processes that serve both organizational needs and business objectives

Highest rate of effective change

Highest service levels (MTTR, MTBF)

Highest first fix rate (least unneeded rework)

Production configurations

Highest level of pre-production staffing

Effective pre-production controls

Effective pairing of preventive and detective controls

Page 11: Creating effective security controls


Visible Ops: Playbook of High Performers

The IT Process Institute has been studying high-performing organizations since 1999

What is common to all the high performers?

What is different between them and average and low performers?

How did they become great?

Answers have been codified in the Visible Ops Methodology

Page 12: Creating effective security controls


Over Ten Years, We Benchmarked 1500+ IT Orgs

Source: IT Process Institute (2008)

Source: EMA (2009)

Page 13: Creating effective security controls


2007: Three Controls Predict 60% Of Performance

To what extent does an organization define, monitor and enforce the following?

Standardized configuration strategy

Process discipline

Controlled access to production systems

Source: IT Process Institute, May 2008

Page 14: Creating effective security controls


High Performers Can Bound Maximum MTTR

Source: IT Process Institute, May 2006

But look at the huge differences for large outages! (Large outages required 25-50 people to fix!)

Page 15: Creating effective security controls

Seven Practical Steps

Page 16: Creating effective security controls


The Seven Practical Steps To Integrate Information Security Into Daily Operations

Step 1: Gain situational awareness

Step 2: Reduce and monitor privileged access

Step 3: Define and enforce VMM configuration standards

Step 4: Integrate and help enforce change management processes

Step 5: Create library of trusted virtualized builds

Step 6: Integrate into release management

Step 7: Ensure that all activities go through change management

Page 17: Creating effective security controls


Step 1: Gain Situational Awareness

Situational awareness: “the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regard to the mission.”

Questions we want to answer:

What IT services are being provided?

• e.g. power generation, distribution, financial reporting, etc.

Who are the business and IT units, and how are they organized? (e.g., the centralized IT services group, an IT outsourcer, etc.)

What are the relevant regulatory and contractual requirements for the business process?

• e.g., SOX-404, PCI DSS, FISMA, NERC, etc.

• Where is reliance being placed and what are critical functionalities?

What technologies are the IT processes running on?

• e.g., Microsoft Windows Server, Sun Solaris, SQL Server, Oracle, etc.

Are there any high-level risk indicators from the past? (e.g., repeat audit findings, frequent outages, management metrics, etc.)

Page 18: Creating effective security controls


Step 2: Reduce And Monitor Privileged Access

Know where the infrastructure that poses the largest risk to business objectives is.

Ensure that access is properly restricted

Look for administrators who have high levels of privilege

Reduce access

Highly privileged administrators raise the likelihood of errors, downtime, fraud and security incidents

Can affect mission critical IT services

Can modify logical security settings

Can add, remove and modify VMs

“To err is human. To really screw up requires the root password.” (Unknown)

Page 19: Creating effective security controls


Step 2: Reduce And Monitor Privileged Access

Implement preventive controls:

Reconcile admins to authorized staff and delete any ghost accounts

Ensure reasonable number of admins

Issue and revoke accounts upon hiring, firing, reassignment

Implement detective controls:

Monitor privileged user account adds, removes and changes

Reconcile each user account change to an authorized work order

Reconcile each user account to an HR record

Implement account re-accreditation procedures

“Hope is not a strategy. Trust is not a control.”
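The detective controls on this slide, reconciling admin accounts to HR records and account changes to approved work orders, as a runnable script. This is an added example, not code from the talk; the group export, HR roster, service-account owners and work orders are constructed samples, and the admin ceiling is an assumed policy value.

```python
# Step 2 detective controls (added example): reconcile the privileged group
# against HR and approved work orders, and check the admin head count.
# Every input below is a constructed sample.

# Constructed: current members of the privileged group (e.g. an export of
# the wheel group or a Domain Admins group).
ADMIN_GROUP = {"alice", "bob", "carol", "dave", "svc_backup"}

# Constructed: the same group as recorded at the previous review.
PREVIOUS_SNAPSHOT = {"alice", "bob", "frank", "svc_backup"}

# Constructed: active staff per HR. "erin" is active but not an admin.
HR_ACTIVE = {"alice", "bob", "carol", "erin"}

# Constructed: service accounts reconciled to a named owner rather than
# to an HR record of their own.
SERVICE_OWNERS = {"svc_backup": "alice"}

# Constructed: work orders for privileged-account changes. Only an
# approved order authorizes an add or a remove.
WORK_ORDERS = [
    {"id": "WO-101", "action": "add", "account": "carol", "status": "approved"},
    {"id": "WO-102", "action": "add", "account": "dave", "status": "pending"},
]


def reconcile_admins(current, previous, hr_active, service_owners,
                     work_orders, max_admins=4):
    """Return the findings an auditor would ask for; empty sets mean clean."""
    approved = {(wo["action"], wo["account"]) for wo in work_orders
                if wo["status"] == "approved"}
    added = current - previous
    removed = previous - current
    return {
        # Admin accounts with neither an active HR record nor a service owner.
        "ghost_accounts": {a for a in current
                           if a not in hr_active and a not in service_owners},
        # Service accounts whose owner has left.
        "orphaned_service_accounts": {a for a, owner in service_owners.items()
                                      if a in current and owner not in hr_active},
        # Membership changes since the snapshot with no approved work order.
        "unauthorized_adds": {a for a in added if ("add", a) not in approved},
        "unauthorized_removes": {a for a in removed
                                 if ("remove", a) not in approved},
        # "Ensure reasonable number of admins": flag when over the ceiling.
        "admin_count": len(current),
        "too_many_admins": len(current) > max_admins,
    }


if __name__ == "__main__":
    report = reconcile_admins(ADMIN_GROUP, PREVIOUS_SNAPSHOT, HR_ACTIVE,
                              SERVICE_OWNERS, WORK_ORDERS)
    for finding, value in report.items():
        print(f"{finding}: {value}")
```

Run against real exports, each non-empty set is a finding to reconcile to a ticket or to remove; the snapshot comparison is what turns the one-off review into the ongoing monitoring the slide calls for.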

Page 20: Creating effective security controls


Step 3: Define And Enforce Configuration Standards

The goal is to create known, trusted, stable, secure and risk-reduced configuration states

External configuration guides include:

Center for Internet Security (CIS)

VMware: “VMware Infrastructure 3, Security Hardening”

Defense Information Systems Agency (DISA) STIGs

“Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. The security issues related to vulnerability and configuration management get worse, not better, when virtualized.” Source: Gartner, Inc., “Security Considerations and Best Practices for Securing Virtual Machines” by Neil MacDonald, March 2007.

Page 21: Creating effective security controls


Step 4: Help Enforce Change Management Processes

Information security needs change management

Gain situational awareness of production changes

Influence decisions and outcomes.

Add value in the change management process by:

Assessing the potential information security and operational impact of changes

Improving procedures for change authorisation, scheduling, implementation and substantiation

Ensuring that change requests comply with information security requirements, corporate policy, and industry standards

Page 22: Creating effective security controls


Step 4: Help Enforce Change Management Processes

Implement preventive controls

Get invited to the Change Advisory Board (CAB) meetings

Ensure “tone at the top” and help define consequences

Implement detective controls

Build and electrify the fence

Substantiate that all changes are authorised

Look for red flags and indicators

“[As auditors,] the top leading indicators of risk when we look at an IT operation are poor service levels and unusual rates of changes.” – Bill Philhower

Page 23: Creating effective security controls


Step 5: Create A Library Of Trusted Builds

Our goal is to make it easier to use known, stable and secure builds than unauthorised and insecure builds

Implement preventive controls:

Defined process of how to assemble hardened and stable builds

Work with any existing server provisioning teams to add any standard monitoring agents

Ensure that application and service account passwords are changed before deployment

Page 24: Creating effective security controls


Step 5: Create A Library Of Trusted Builds

Implement detective controls:

Verify that deployed infrastructure matches known good states

Verify virtual image configurations against internal and external configuration standards

Monitor the approved virtual image library for all adds, removes and changes

Reconcile all adds, removes and changes to an authorised change order.

Page 25: Creating effective security controls


Step 6: Integrate Into The Release Management Processes

Release management and information security both require standardisation and documentation

Checklists

Detection and reduction of variance

Implement preventive and detective controls:

Develop shared templates with release management, QA and project management and integrate into their checkpoints

Integrate automated security testing tools

Compare preproduction and production images, and reduce any variance

Page 26: Creating effective security controls


Step 7: Ensure All Activities Go Through Change Management

Ensure that “the only acceptable number of unauthorized changes is zero”

Infrastructure

Application releases

Security patches

Break/fix activities
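The detective controls of Step 5 (verify deployed infrastructure against known good states, reconcile every add, remove and change to an authorised change order) and the Step 7 target of zero unauthorized changes, as one runnable script. This is an added example, not code from the talk or from Tripwire; the file contents, paths and change orders are constructed samples, and the SHA-256 fingerprint stands in for whatever integrity baseline a real tool keeps.

```python
# Steps 5 and 7 (added example): fingerprint the trusted build, diff a
# deployed image against it, and reconcile each difference to an approved
# change order. Whatever is left is an unauthorized change, and the only
# acceptable count of those is zero. All inputs are constructed samples.
import hashlib


def fingerprint(files):
    """Map each path to the SHA-256 of its content: the known-good state."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def diff_state(baseline, observed):
    """Return {path: 'added' | 'removed' | 'modified'} between fingerprints."""
    changes = {}
    for path in set(baseline) | set(observed):
        if path not in observed:
            changes[path] = "removed"
        elif path not in baseline:
            changes[path] = "added"
        elif baseline[path] != observed[path]:
            changes[path] = "modified"
    return changes


def reconcile_changes(changes, change_orders):
    """Split changes into those covered by an approved order and the rest."""
    covered = {path: co["id"] for co in change_orders
               if co["status"] == "approved" for path in co["paths"]}
    authorized = {p: covered[p] for p in changes if p in covered}
    unauthorized = {p: k for p, k in changes.items() if p not in covered}
    return authorized, unauthorized


def audit(golden, deployed, change_orders):
    """Run the whole control; returns (authorized, unauthorized)."""
    changes = diff_state(fingerprint(golden), fingerprint(deployed))
    return reconcile_changes(changes, change_orders)


# Constructed: the trusted build from the image library.
GOLDEN_BUILD = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/sudoers": b"%admin ALL=(ALL) ALL\n",
    "/opt/app/app.jar": b"app-1.4.0",
}
# Constructed: what is actually running on the deployed image.
DEPLOYED_IMAGE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",  # drifted, order rejected
    "/etc/sudoers": b"%admin ALL=(ALL) ALL\n",         # unchanged
    "/opt/app/app.jar": b"app-1.5.0",                  # covered by CO-2041
    "/etc/cron.d/cleanup": b"0 3 * * * root /opt/app/cleanup.sh\n",  # no order
}
# Constructed: change orders from the CAB; only approved ones authorize.
CHANGE_ORDERS = [
    {"id": "CO-2041", "status": "approved", "paths": ["/opt/app/app.jar"]},
    {"id": "CO-2042", "status": "rejected", "paths": ["/etc/ssh/sshd_config"]},
]

if __name__ == "__main__":
    print(audit(GOLDEN_BUILD, DEPLOYED_IMAGE, CHANGE_ORDERS))
```

The same diff works for Step 6's comparison of preproduction and production images, with the preproduction fingerprint as the baseline.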

Page 27: Creating effective security controls

What Does Transformation Feel Like?

Page 28: Creating effective security controls


Find What’s Most Important First

Page 29: Creating effective security controls


Quickly Find What Is Different…

Page 30: Creating effective security controls


Before Something Bad Happens…

Page 31: Creating effective security controls


Find Risk Early…

Page 32: Creating effective security controls


Communicate It Effectively To Peers…

Page 33: Creating effective security controls


Hold People Accountable…

Page 34: Creating effective security controls


Based On Objective Evidence…

Page 35: Creating effective security controls


Answer Important Questions…

Page 36: Creating effective security controls


Ever Increasing Situational Mastery…

Page 37: Creating effective security controls


Do Root Cause Analysis…

Page 38: Creating effective security controls


Helping The Organization To More

Page 39: Creating effective security controls


Show Value To The Business…

Page 40: Creating effective security controls


Be Recognized For Contribution…

Page 41: Creating effective security controls


And Do More With Less…

Page 42: Creating effective security controls


(Recap slide: repeats “Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure” from page 9.)

Page 43: Creating effective security controls


Resources

From the IT Process Institute (www.itpi.org): both Visible Ops Handbooks

ITPI IT Controls Performance Study

Stop by the Tripwire booth for a copy of Visible Ops Security

“Gene Kim’s Practical Steps To Mitigate Virtualization Security Risks ” white paper

Follow Gene Kim On Twitter: @RealGeneKim

[email protected]

Blog: http://www.tripwire.com/blog/?cat=34