Creating effective security controls
Transcript of Creating effective security controls
Creating Effective Security Controls: A Ten Year Study of High Performing Security
Speaker: Gene Kim, Founder and CTO, Tripwire
compliance | security | control 2 Don’t Take Chances. TAKE CONTROL.IT SECURITY & COMPLIANCE AUTOMATION
Where Did The High Performers Come From?
Agenda
An uncomfortable question about information security
effectiveness
How does information security integrate effectively into daily
operations?
How did the high performing IT organizations make their
“good to great” transformations?
Seven practical steps to go from “good to great”
How does going from good to great feel?
Additional resources
Information Security and Compliance Risks
Information security practitioners are always one
change away from a security breach
Front page news
Regulatory fines
Brand damage
High profile security failures are increasing external pressures for security and compliance:
Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)
The Dark Side Of Virtualization
Virtualization enables organizations to deploy changes and
releases more quickly than ever
“What works at 60 mph may not work at 200 mph…”
Certain required activities in the physical world made it easier
to prevent and detect release risks
Watching for servers on the loading dock
Budgeting and procurement activities
Physical data center access
Network cabling
What happens when these activities are no longer required to deploy major releases?
• And when it is easy to download VMplayer, copy virtual machines, etc…
• And what could go wrong?
Operations And Security Already Don’t Get Along
Operations Hinders Security…
Deploys insecure components into production
Creates production IT infrastructure hard to understand
Has no information security standard
Creates self-inflicted outages
Uses shared privileged accounts
Can’t quickly address known security vulnerabilities
Security Hinders Operations…
Creates bureaucracy
Security changes break production systems
Generates risky, low value IT operations work
Generates large backlog of reviews
Creates delays through information security requirements
Brings up project issues that cost too much, take too long, and reduce the feature set
Words often used to describe information security:
“hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…”
Going from Good to Great
Desired Outcome: Create A Higher Performing,
More Nimble and More Secure IT Organization
[Chart: Operations Metrics Benchmarks, Best in Class: Server/sysadmin ratios. X axis: Server/sysadmin ratio (Efficiency of Operation), 0 to 140. Y axis: # Servers (Size of Operation), log scale from 1 to 10,000. Source: IT Process Institute (2001)]
Best in Class Ops and Security:
• Highest ratio of staff for pre-production processes
• Lowest amount of unplanned work
• Highest change success rate
• Best posture of compliance
• Lowest cost of compliance
Higher Performing IT Organizations Are More Stable,
Nimble, Compliant And Secure
High performers maintain a posture of compliance
Fewest number of repeat audit findings
One-third amount of audit preparation effort
High performers find and fix security breaches faster
5 times more likely to detect breaches by automated control
5 times less likely to have breaches result in a loss event
When high performers implement changes…
14 times more changes
One-half the change failure rate
One-quarter the first fix failure rate
10x faster MTTR for Sev 1 outages
When high performers manage IT resources…
One-third the amount of unplanned work
8 times more projects and IT services
6 times more applications
Source: IT Process Institute, May 2008
Common Traits of the Highest Performers
Source: IT Process Institute
Change management
Causality
Compliance and continual reduction of
operational variance
Culture of…
Integration of IT operations/security via problem/change management
Processes that serve both organizational needs and business objectives
Highest rate of effective change
Highest service levels (MTTR, MTBF)
Highest first fix rate (unneeded rework)
Production configurations
Highest level of pre-production staffing
Effective pre-production controls
Effective pairing of preventive and detective controls
Visible Ops: Playbook of High Performers
The IT Process Institute has been
studying high-performing organizations
since 1999
What is common to all the high
performers?
What is different between them and
average and low performers?
How did they become great?
Answers have been codified in the
Visible Ops Methodology
Over Ten Years, We Benchmarked 1500+ IT Orgs
Source: IT Process Institute (2008)
Source: EMA (2009)
2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and
enforce the following?
Standardized configuration strategy
Process discipline
Controlled access to production systems
Source: IT Process Institute, May 2008
High Performers Can Bound Maximum MTTR
Source: IT Process Institute, May 2006
But look at the huge differences for large outages! (Large outages required 25-50 people to fix!)
Seven Practical Steps
The Seven Practical Steps To Integrate Information
Security Into Daily Operations
Step 1: Gain situational awareness
Step 2: Reduce and monitor privileged access
Step 3: Define and enforce VMM configuration standards
Step 4: Integrate and help enforce change management
processes
Step 5: Create library of trusted virtualized builds
Step 6: Integrate into release management
Step 7: Ensure that all activities go through change
management
Step 1: Gain Situational Awareness
Situational awareness: “the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regard to the mission.”
Questions we want to answer:
What IT services are being provided?
• e.g. power generation, distribution, financial reporting, etc.
Who are the business and IT units, and how are they organized? (e.g., the centralized IT services group, an IT outsourcer, etc.)
What are the relevant regulatory and contractual requirements for the business process?
• e.g., SOX-404, PCI DSS, FISMA, NERC, etc.
• Where is reliance being placed and what are critical functionalities?
What are the technologies and IT processes being run on?
• e.g., Microsoft Windows Server, Sun Solaris, SQL Server, Oracle, etc.
Are there any high-level risk indicators from the past? (e.g., repeat audit findings, frequent outages, management metrics, etc.)
Step 2: Reduce And Monitor Privileged Access
Know where the infrastructure that poses the largest risk to business objectives is.
Ensure that access is properly restricted
Look for administrators who have high levels of privilege
Reduce access
They increase the likelihood of errors, downtime, fraud and security incidents
Can affect mission critical IT services
Can modify logical security settings
Can add, remove and modify VMs
“To err is human. To really screw up requires the root password.” —Unknown
Step 2: Reduce And Monitor Privileged Access
Implement preventive controls:
Reconcile admins to authorized staff and delete any ghost accounts
Ensure reasonable number of admins
Issue and revoke accounts upon hiring, firing, reassignment
Implement detective controls:
Monitor privileged user account adds, removes and changes
Reconcile each user account change to an authorized work order
Reconcile each user account to an HR record
Implement account re-accreditation procedures
“Hope is not a strategy. Trust is not a control.”
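The detective controls listed for Step 2 (reconcile privileged accounts to HR records, reconcile each account change to an authorised work order, keep the admin count reasonable) as a worked example. This is added illustration, not code from the talk or from Tripwire; the roster, account list, work orders and change events are constructed sample data.

```python
"""Step 2 detective controls: reconcile privileged accounts and their changes."""

# Constructed HR roster: only active staff may hold privileged accounts.
HR_ACTIVE = {"alice", "bob", "carol"}

# Constructed snapshot of the privileged group on one VM host.
PRIVILEGED_ACCOUNTS = ["alice", "bob", "dave", "svc_backup"]

# Constructed non-human accounts, owned and reviewed separately.
SERVICE_ACCOUNTS = {"svc_backup"}

# Constructed change-management work orders that authorise account changes.
WORK_ORDERS = {
    "WO-101": {"action": "add", "account": "bob"},
    "WO-102": {"action": "remove", "account": "erin"},
}

# Constructed privileged-account change log (e.g. exported from IAM or audit logs).
CHANGE_EVENTS = [
    {"action": "add", "account": "bob", "work_order": "WO-101"},
    {"action": "add", "account": "dave", "work_order": None},
    {"action": "remove", "account": "erin", "work_order": "WO-999"},
]


def ghost_accounts(accounts, hr_active, service_accounts):
    """Privileged accounts with no active HR record: candidates for deletion."""
    return sorted(a for a in accounts
                  if a not in hr_active and a not in service_accounts)


def unauthorised_changes(events, work_orders):
    """Change events that do not reconcile to a work order for that exact action."""
    flagged = []
    for ev in events:
        wo = work_orders.get(ev["work_order"]) if ev["work_order"] else None
        # The work order must exist and describe this action on this account.
        if wo is None or wo["action"] != ev["action"] or wo["account"] != ev["account"]:
            flagged.append(ev)
    return flagged


def admin_count_within_limit(accounts, limit):
    """Preventive check: the number of privileged accounts stays within a set limit."""
    return len(accounts) <= limit


if __name__ == "__main__":
    print("ghost accounts:", ghost_accounts(PRIVILEGED_ACCOUNTS, HR_ACTIVE, SERVICE_ACCOUNTS))
    for ev in unauthorised_changes(CHANGE_EVENTS, WORK_ORDERS):
        print("unauthorised change:", ev)
```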
Step 3: Define And Enforce Configuration Standards
The goal is to create known, trusted, stable, secure and risk-
reduced configuration states
External configuration guides include:
Center for Internet Security (CIS)
VMWare: “VMware Infrastructure 3, Security Hardening”
Defense Information Systems Agency (DISA) STIGs
“Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. The security issues related to vulnerability and configuration management get worse, not better, when virtualized.”
Source: Gartner, Inc. “Security Considerations and Best Practices for Securing Virtual Machines” by Neil MacDonald, March 2007.
Step 4: Help Enforce Change Management Processes
Information security needs change management
Gain situational awareness of production changes
Influence decisions and outcomes.
Add value in the change management process by:
Assessing the potential information security and operational impact of changes
Improving procedures for change authorisation, scheduling, implementation and substantiation
Ensuring that change requests comply with information security requirements, corporate policy, and industry standards
Step 4: Help Enforce Change Management Processes
Implement preventive controls
Get invited to the Change Advisory Board (CAB) meetings
Ensure “tone at the top” and help define consequences
Implement detective controls
Build and electrify the fence
Substantiate that all changes are authorised
Look for red flags and indicators
“[As auditors,] the top leading indicators of risk when we look at an IT operation are poor service levels and unusual rates of changes.” – Bill Philhower
Step 5: Create A Library Of Trusted Builds
Our goal is to make it easier to use known, stable and secure
builds than unauthorised and insecure builds
Implement preventive controls:
Defined process of how to assemble hardened and stable builds
Work with any existing server provisioning teams to add any
standard monitoring agents
Ensure that application and service account passwords are
changed before deployment
Step 5: Create A Library Of Trusted Builds
Implement detective controls:
Verify that deployed infrastructure matches known good states
Verify virtual image configurations against internal and external configuration standards
Monitor the approved virtual image library for all adds, removes and changes
Reconcile all adds, removes and changes to an authorised change order.
Step 6: Integrate Into The Release Management Processes
Release management and information security both require standardisation and documentation
Checklists
Detection and reduction of variance
Implement preventive and detective controls:
Develop shared templates with release management, QA and project management and integrate into their checkpoints
Integrate automated security testing tools
Compare preproduction and production images, and reduce any variance
Step 7: Ensure All Activities Go Through Change
Management
Ensure that “the only acceptable number of unauthorized changes is zero”
Infrastructure
Application releases
Security patches
Break/fix activities
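Steps 5 and 7 together as a worked example: verify that a deployed host matches the known-good state recorded from the trusted build, then reconcile every detected difference to an approved change order so that the count of unauthorised changes can be driven to zero. This is added illustration, not code from the talk or from Tripwire; the baseline, deployed snapshot and change orders are constructed sample data, and real tooling would hash the files on disk rather than inline strings.

```python
"""Steps 5 and 7: drift detection against a trusted build, reconciled to change orders."""
import hashlib


def digest(content: str) -> str:
    """Content hash used to record and compare configuration state."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed known-good state captured from the trusted build library.
BASELINE = {
    "/etc/ssh/sshd_config": digest("PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": digest("root ALL=(ALL) ALL\n%admins ALL=(ALL) ALL\n"),
    "/etc/ntp.conf": digest("server ntp.example.internal\n"),
}

# Constructed snapshot of the same files as currently deployed on the host.
DEPLOYED = {
    "/etc/ssh/sshd_config": digest("PermitRootLogin yes\nPasswordAuthentication no\n"),
    "/etc/sudoers": digest("root ALL=(ALL) ALL\n%admins ALL=(ALL) ALL\n"),
    "/etc/ntp.conf": digest("server ntp2.example.internal\n"),
    "/etc/cron.d/cleanup": digest("0 3 * * * root /opt/cleanup.sh\n"),
}

# Constructed change orders: which paths each may touch and its approval status.
CHANGE_ORDERS = {
    "CHG-2041": {"paths": {"/etc/ntp.conf"}, "status": "approved"},
    "CHG-2050": {"paths": {"/etc/ssh/sshd_config"}, "status": "pending"},
}


def detect_drift(baseline, deployed):
    """Return {path: kind} for every difference from the known-good state."""
    drift = {}
    for path in baseline.keys() | deployed.keys():
        if path not in deployed:
            drift[path] = "removed"
        elif path not in baseline:
            drift[path] = "added"
        elif baseline[path] != deployed[path]:
            drift[path] = "modified"
    return drift


def reconcile(drift, change_orders):
    """Map each drifted path to an approved change order, or None if unauthorised."""
    return {path: next((cid for cid, co in change_orders.items()
                        if path in co["paths"] and co["status"] == "approved"), None)
            for path in drift}


def unauthorised_change_count(baseline, deployed, change_orders):
    """Step 7 metric: the only acceptable value is zero."""
    matched = reconcile(detect_drift(baseline, deployed), change_orders)
    return sum(1 for cid in matched.values() if cid is None)
```

A pending change order does not substantiate a change: the sshd_config edit above stays unauthorised until CHG-2050 is approved, which is the "electrified fence" behaviour Step 4 asks for.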
What Does Transformation Feel
Like?
Find What’s Most Important First
Quickly Find What Is Different…
Before Something Bad Happens…
Find Risk Early…
Communicate It Effectively To Peers…
Hold People Accountable…
Based On Objective Evidence…
Answer Important Questions…
Ever Increasing Situational Mastery…
Do Root Cause Analysis…
Helping The Organization To More
Show Value To The Business…
Be Recognized For Contribution…
And Do More With Less…
Resources
From the IT Process Institute (www.itpi.org): both Visible Ops Handbooks
ITPI IT Controls Performance Study
Stop by the Tripwire booth for a copy of Visible Ops Security
“Gene Kim’s Practical Steps To Mitigate Virtualization Security Risks” white paper
Follow Gene Kim on Twitter: @RealGeneKim
Blog: http://www.tripwire.com/blog/?cat=34