Slide 1: Leveraging SANS Top 20 to develop a Security Engineering roadmap
Glen G. Walker, 23 August 2014


Slide 2: DISCLAIMER
• My personal experience, opinions and guidance
• Not endorsed by, approved by, or the opinion of Dignity Health, nor any of its leadership or business units
• Discussion of historical issues and concerns; may not reflect current security practices or concerns
• Your individual mileage may vary
• Talk to your doctor to see if SANS Top 20 is right for you

Slide 3: Outline
• Reflection(s), Speaker
• Intro and Methodology
• Top 20 Critical Controls
  – Individual Control formatting
  – Critical First Five
• Call to action, Implementation

Slide 4: Reflections
• "More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk."
  – Bruce Schneier
• "The secret to getting ahead is getting started. The secret of getting started is breaking your complex, overwhelming tasks into small manageable tasks, and then starting on the first one."
  – Mark Twain

Slide 5: Speaker Bio (and every credential I could think of)
Glen G. Walker, Security Engineering and Operations Manager, Dignity Health
MS Information Management, ASU, W. P. Carey School of Business
BA Psychology, University of Arizona
• CISSP
• GCIA (GIAC Certified Intrusion Analyst)
• GCIH (GIAC Certified Incident Handler)
• ITIL v3 Foundation
• CompTIA Security+
• CCNA (expired 2003)
• PADI Advanced Open Water Diver
• Senior Member, United States Fencing Association (Foil E07)
• BJCP Apprentice Beer Judge
• Recipient of the "I Ate Rattlesnake" certificate, Rawhide theme park

Slide 6: The Problem
• Security admin function
• Reactive, audit-driven strategy
• Limited controls and implementation
• Regulatory and business concern
• Morale and purpose

Slide 7: The Direction
• Evaluate and Secure
• Protect Patients, Business, Brand
• Reduce Audit Concerns
  – HIPAA, PCI, etc.
• Start Looking at Frameworks
  – ISO? COBIT?
  – "Can we do, like, SANS and OWASP stuff?"

Slide 8: Methodology: Top 20 Critical Controls
The Critical Security Controls for Effective Cyber Defense
– NSA, SANS, now "Council on CyberSecurity"
– Best-practice guidelines for computer security
– Threat- and attack-based (as opposed to compliance- and audit-based)
– Fits our Defense in Depth strategy
– 100+ government and private-sector contributing agencies
– Mapped to NIST SP 800-53 r3
– http://www.sans.org/critical-security-controls/
The US Dept of State began implementation in 2009 and reported "a more than 88% reduction in vulnerability-based risk across 85,000 systems" within the first year.

Slide 9: Top 20 Critical Controls (1-10)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Slide 10: Top 20 Critical Controls (11-20)
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

Slide 11: Individual Controls
Each control in the document is laid out as:
• Justification for criticality
• Sub-controls
  – Implementation guidance
  – Categories
• Procedures and Tools
• Effectiveness Metrics
• Effectiveness Test
• System Entity Relationship Diagram

Slide 12: CSC 5: Malware Defenses (sample sub-controls)
• CSC 5-1 (Quick win): Employ automated malware detection tools to continuously monitor all nodes; log centrally
• CSC 5-2 (Quick win): Use remotely managed, centralized anti-malware infrastructure
• CSC 5-3 (Quick win): Turn off auto-run
• CSC 5-4 (Quick win): Automatically scan removable media
• CSC 5-5 (Quick win): E-mail content and web content filtering
• CSC 5-6 (Quick win): Enable anti-exploitation countermeasures (DEP, ASLR, EMET)
• CSC 5-7 (Quick win): Limit external devices to business need
• CSC 5-8 (Visibility/Attribution): Behavior-based anomaly detection monitoring tools
• CSC 5-9 (Visibility/Attribution): Network-based anti-malware tools
• CSC 5-10 (Advanced): Implement an incident response process (IT to InfoSec)
• CSC 5-11 (Advanced): Enable domain name system (DNS) query logging
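CSC 5-11 only pays off once somebody looks at the logs. The script below is an added example (not from the slides, and not a Dignity Health tool) of two cheap detections a SOC can run over DNS query logs: one client asking for many distinct names under a single parent domain (the shape of DNS tunnelling or a DGA), and long labels whose character entropy looks machine-generated. The one-query-per-line log format, the sample lines, the parent-domain heuristic (last two labels, no public-suffix list) and the thresholds are all assumptions made for the example.

```python
"""Hunting in DNS query logs (CSC 5-11): added example, not from the original slides.

Assumed resolver log format, one query per line:
    <ISO8601 timestamp> client=<ip> qname=<name> qtype=<type>
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)$"
)

# Constructed sample log: 10.1.2.3 is a normal workstation, 10.1.2.9 is tunnelling over TXT.
SAMPLE_LOG = """\
2014-08-23T10:15:01Z client=10.1.2.3 qname=www.example.com qtype=A
2014-08-23T10:15:02Z client=10.1.2.3 qname=mail.example.com qtype=A
2014-08-23T10:15:03Z client=10.1.2.3 qname=update.vendor.example qtype=A
2014-08-23T10:15:04Z client=10.1.2.9 qname=a1b2c3d4e5f6a7b8.exfil.example qtype=TXT
2014-08-23T10:15:05Z client=10.1.2.9 qname=9f8e7d6c5b4a3928.exfil.example qtype=TXT
2014-08-23T10:15:06Z client=10.1.2.9 qname=0011aa22bb33cc44.exfil.example qtype=TXT
2014-08-23T10:15:07Z client=10.1.2.9 qname=deadbeef01234567.exfil.example qtype=TXT
2014-08-23T10:15:08Z client=10.1.2.9 qname=cafebabe76543210.exfil.example qtype=TXT
2014-08-23T10:15:09Z client=10.1.2.9 qname=www.example.com qtype=A
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def shannon_entropy(s):
    """Bits per character. Hex/base32 blobs score well above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Crude registered-domain guess: the last two labels (assumption; no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_suspects(log_text, min_distinct=5, entropy_threshold=3.5, min_label_len=12):
    """Return {client: {"tunnel_domains": [...], "high_entropy": [...]}} for clients worth a look.

    Thresholds are assumptions for the example; tune them against your own baseline.
    """
    subs = defaultdict(lambda: defaultdict(set))  # client -> parent domain -> distinct names
    entropy_hits = defaultdict(set)               # client -> names with a high-entropy first label
    for q in parse(log_text):
        name = q["qname"].rstrip(".")
        parent = parent_domain(name)
        if name != parent:
            subs[q["client"]][parent].add(name)
        first = name.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= entropy_threshold:
            entropy_hits[q["client"]].add(name)

    report = {}
    for client in sorted(set(subs) | set(entropy_hits)):
        tunnels = sorted(p for p, names in subs[client].items() if len(names) >= min_distinct)
        if tunnels or entropy_hits[client]:
            report[client] = {"tunnel_domains": tunnels,
                              "high_entropy": sorted(entropy_hits[client])}
    return report


if __name__ == "__main__":
    for client, hits in find_suspects(SAMPLE_LOG).items():
        print(client, hits)
```

On the constructed log, only 10.1.2.9 is reported: five distinct names under exfil.example trip the tunnelling check, and four of its labels clear the entropy threshold (the repeated-pair label 0011aa22bb33cc44 scores 3.0 bits and does not). The same two functions work unchanged on a real resolver export once `LINE_RE` is adjusted to that resolver's format.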

Slide 13: Categories
• Quick wins
  – "Critical First Five" (most immediate impact on preventing attacks)
• Visibility and attribution measures
• Improved information security configuration and hygiene
• Advanced sub-controls

Slide 14: Critical First Five
• CSC 2-1: Deploy application whitelisting technology
• CSC 3-1: Establish and ensure the use of standard secure configurations of your operating systems
• CSC 3-2: Automate patching for applications and operating systems (within 48 hours)
• CSC 3-3 and CSC 12-1: Limit and audit administrative privileges (least privilege)
• CSC 4-1: Run automated vulnerability scanning
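The Critical Controls pair every sub-control with an effectiveness metric, and the First Five are the ones leadership will ask numbers about first. The following is an added example (not from the slides, and not Dignity Health's reporting) that computes those numbers from a host inventory and a scanner export: whitelisting and baseline coverage (CSC 2-1, 3-1), the share of findings remediated inside the 48-hour window (CSC 3-2), admin-privilege sprawl (CSC 3-3 / 12-1) and recent-scan coverage (CSC 4-1). The record layout, the fixed "now", the seven-day scan window, the two-admins-per-host limit and every host, account and finding ID are constructed for the example; the finding IDs are placeholders, not real vulnerability identifiers.

```python
"""Effectiveness metrics for the Critical First Five: added example, not from the original slides."""
from datetime import datetime, timedelta

NOW = datetime(2014, 8, 23, 12, 0)  # fixed clock so the figures are reproducible (assumption)

# Constructed inventory: one record per managed host (field names are assumptions).
HOSTS = [
    {"host": "ws01", "whitelisting": True, "baseline": True,
     "admins": ["helpdesk"], "last_scan": NOW - timedelta(days=2)},
    {"host": "ws02", "whitelisting": False, "baseline": True,
     "admins": ["helpdesk", "jsmith"], "last_scan": NOW - timedelta(days=12)},
    {"host": "srv01", "whitelisting": True, "baseline": False,
     "admins": ["helpdesk", "dba", "svc_backup"], "last_scan": NOW - timedelta(days=1)},
    {"host": "srv02", "whitelisting": False, "baseline": False,
     "admins": ["helpdesk"], "last_scan": None},
]

# Constructed scanner export: "id" values are placeholders, not real vulnerability identifiers.
FINDINGS = [
    {"id": "F-001", "host": "ws01", "severity": "high",
     "detected": NOW - timedelta(hours=60), "remediated": NOW - timedelta(hours=30)},
    {"id": "F-002", "host": "ws02", "severity": "high",
     "detected": NOW - timedelta(hours=72), "remediated": None},
    {"id": "F-003", "host": "srv01", "severity": "critical",
     "detected": NOW - timedelta(hours=20), "remediated": None},
    {"id": "F-004", "host": "srv02", "severity": "medium",
     "detected": NOW - timedelta(hours=100), "remediated": NOW - timedelta(hours=40)},
]


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def coverage(hosts, now=NOW, scan_window_days=7):
    """CSC 2-1, 3-1, 4-1: share of hosts with whitelisting, a compliant baseline, and a recent scan."""
    n = len(hosts)
    recent = now - timedelta(days=scan_window_days)
    return {
        "whitelisting_pct": pct(sum(1 for h in hosts if h["whitelisting"]), n),
        "baseline_pct": pct(sum(1 for h in hosts if h["baseline"]), n),
        "scanned_recently_pct": pct(sum(1 for h in hosts if h["last_scan"] and h["last_scan"] >= recent), n),
        "never_scanned": sorted(h["host"] for h in hosts if h["last_scan"] is None),
    }


def admin_privileges(hosts, max_admins=2):
    """CSC 3-3 / 12-1: accounts that are admin on every host, and hosts over the admin-count limit."""
    seen = {}
    for h in hosts:
        for account in h["admins"]:
            seen.setdefault(account, set()).add(h["host"])
    return {
        "admin_on_all_hosts": sorted(a for a, hs in seen.items() if len(hs) == len(hosts)),
        "over_limit_hosts": sorted(h["host"] for h in hosts if len(h["admins"]) > max_admins),
    }


def patch_sla(findings, now=NOW, sla_hours=48):
    """CSC 3-2: share of findings closed inside the SLA.

    Open findings are counted as late once they exceed the SLA (they would otherwise
    flatter the metric); open findings still inside the window are not counted yet.
    """
    sla = timedelta(hours=sla_hours)
    met, late, overdue_open = 0, 0, []
    for f in findings:
        age = (f["remediated"] or now) - f["detected"]
        if f["remediated"] is not None:
            if age <= sla:
                met += 1
            else:
                late += 1
        elif age > sla:
            late += 1
            overdue_open.append(f["id"])
    return {"within_sla_pct": pct(met, met + late), "overdue_open": overdue_open}


if __name__ == "__main__":
    print(coverage(HOSTS))
    print(admin_privileges(HOSTS))
    print(patch_sla(FINDINGS))
```

Two details worth keeping when this is wired to real data: an open finding that has already blown the 48-hour window counts against the SLA immediately rather than waiting for closure, and a host that has never been scanned is reported by name instead of silently dragging the coverage percentage down.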

Slide 15: Suggested Implementation
1. Perform an initial gap assessment
2. Feasibility study: contextualize for your business and maturity
3. Short term: implement the Quick Wins and the First Five
4. Mid term: define projects for deploying the appropriate "visibility and attribution" and "hardened configuration and improved information security hygiene" Critical Controls
5. Long term: define projects for deploying the appropriate "advanced controls"

Slide 16: Top 20 Critical Controls, Initial Priority
• Immediate Priority
  – Boundary Defense
  – Limitation and Control of Network Ports, Protocols, and Services
  – Maintenance, Monitoring, and Analysis of Audit Logs
  – Malware Defenses
  – Secure Configurations for Network Devices
  – Controlled Access Based on the Need to Know
  – Account Monitoring and Control
  – Data Loss Prevention
  – Incident Response and Management
• High Priority
  – Controlled Use of Administrative Privileges
  – Security Skills Assessment and Appropriate Training to Fill Gaps
  – Wireless Device Control
  – Inventory of Authorized and Unauthorized Devices
  – Continuous Vulnerability Assessment and Remediation
  – Secure Network Engineering
  – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Deferred Priority
  – Application Software Security
  – Inventory of Authorized and Unauthorized Software
  – Data Recovery Capability
  – Penetration Tests and Red Team Exercises

Slide 17: Initial Survey
• Stakeholder survey
  – Architecture, Engineering, Operations
  – InfoSec, Network, Server, Desktop
• Operational analysis
  – Critical First Five
  – Quick Wins
Survey results (two pie charts on the slide):
Critical First Five: In Production 20%, In Progress 40%, Requested 20%, Not planned 20%
Quick Wins: In Production 23%, In Progress 20%, Purchased not installed 6%, Requested 30%, Not planned 10%, Declined 1%, Unknown 10%

Slide 18: Call to Action: Initial Management engagement

Slide 19: Call To Action: Leadership Response
(Context and quantifiable risk were requested)

Slide 20: Control risk matrix
• Specific concern
• Qualitative impact estimate
• Averaged score
• Control/headcount needed

Slide 21: Call to Action: Followup
• Contextualized as a function of
  – Risk: impact, probability
  – Roadmap and strategy
  – Current trends and known evil
    • "OMG Target!"
    • "OMG Heartbleed!"
    • "OMG Community Health!"
    • "OMG ShellShock!"
    • "OMG Home Depot!"
    • "OMG Poodle!"
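Leadership asked for context and quantifiable risk, and the control risk matrix (specific concern, qualitative impact estimate, averaged score, control and headcount needed) is how that request was answered. The script below is an added example, not the matrix from the talk: several stakeholders score each concern for impact and probability, the scores are averaged and multiplied into a risk number, and the concerns are ranked by risk retired per FTE so the headcount ask is tied to the risk it removes. The 1-to-5 scale, the concern names, the scores, the control mapping and the headcounts are all constructed for the example.

```python
"""Control risk matrix scoring: added example, not from the original slides."""
from statistics import mean

SCALE = 5  # assumed 1..5 scale for both impact and probability

# Constructed stakeholder survey. Each concern maps to the control that addresses it,
# the FTE needed to run that control, and one (impact, probability) pair per reviewer.
MATRIX = {
    "Unpatched internet-facing servers": {"control": "CSC 4", "headcount": 1.0,
                                          "scores": [(5, 4), (4, 4), (5, 5)]},
    "No central DNS/proxy logging": {"control": "CSC 14", "headcount": 0.5,
                                     "scores": [(3, 3), (4, 2), (3, 3)]},
    "Shared local admin password": {"control": "CSC 12", "headcount": 0.5,
                                    "scores": [(5, 3), (4, 3), (5, 4)]},
    "No tested restore procedure": {"control": "CSC 8", "headcount": 2.0,
                                    "scores": [(5, 2), (4, 2), (5, 1)]},
}


def score_concern(scores, scale=SCALE):
    """Average impact and probability across reviewers, then combine into a risk number.

    Risk ranges from 1 to scale*scale (25 on the assumed scale). Out-of-range
    input is rejected rather than silently clamped, so a bad survey row is visible.
    """
    if not scores:
        raise ValueError("no scores supplied")
    for impact, prob in scores:
        if not (1 <= impact <= scale and 1 <= prob <= scale):
            raise ValueError("score outside 1..%d: %r" % (scale, (impact, prob)))
    impact = mean(i for i, _ in scores)
    prob = mean(p for _, p in scores)
    return {"impact": round(impact, 2), "probability": round(prob, 2),
            "risk": round(impact * prob, 2)}


def prioritize(matrix):
    """Rank concerns by risk retired per FTE (ties broken by raw risk), highest first."""
    rows = []
    for concern, data in matrix.items():
        s = score_concern(data["scores"])
        s.update(concern=concern, control=data["control"], headcount=data["headcount"],
                 risk_per_fte=round(s["risk"] / data["headcount"], 2))
        rows.append(s)
    rows.sort(key=lambda r: (r["risk_per_fte"], r["risk"]), reverse=True)
    return rows


def render(rows):
    """Plain-text table suitable for pasting into a leadership update."""
    header = "%-36s %-7s %6s %6s %6s %5s %9s" % (
        "Concern", "Control", "Impact", "Prob", "Risk", "FTE", "Risk/FTE")
    lines = [header]
    for r in rows:
        lines.append("%-36s %-7s %6.2f %6.2f %6.2f %5.1f %9.2f" % (
            r["concern"], r["control"], r["impact"], r["probability"],
            r["risk"], r["headcount"], r["risk_per_fte"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(prioritize(MATRIX)))
```

Ranking by risk per FTE rather than by raw risk is the point: on the constructed data the shared admin password (CSC 12) outranks the unpatched servers (CSC 4) even though its raw risk is lower, because it costs half the headcount to fix. Keep both columns in the table so the reader can see which ordering you chose and why.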

Slide 22: Action Plan
• Current Defenses
  – Establishes a baseline, relieves panic, acknowledges progress, creates continuity and a sense of achievability
• Short-term Efforts Needed
  – Projects in progress, Quick Wins, First Five, etc.
  – Low-hanging fruit (easy POC wins)
• Longer-term Efforts Needed
  – Projects in progress but at risk
  – Purchased, not yet staffed for configuration or integration
  – Not yet staffed for development
  – Not yet funded or staffed

Slide 23: Sample Plan (Achieved! Mostly!)
CSC-18 Incident Response and Management
• Current Defenses
  – SIEM, IDS/IPS, FW logging, IDM logging, CSIRT
• Short-term Efforts Needed
  – Ownership
    • CSC 18-2 Assign CSIRT operational roles to specific people
    • CSC 18-3 Assign CSIRT management roles to specific people
• Longer-term Efforts Needed
  – SIEM operationalization and optimization
  – ISIRT Development
    • CSC 18-1 Incident response plan (CSIRT)
    • CSC 18-4 Establish CSIRT reporting process and timeframes
    • CSC 18-5 Establish CSIRT contact info for external resources
  – Security Operations Center: 24x7 alert monitoring and triage
  – KPI and metrics

Slide 24: Results
• "First Five" all either in production or in progress
• Operationalized SIEM, IDS/IPS
• SOC staffed
• CSIRT => ISIRT (NIST SP 800-61 r2)
• Vulnerability Management function (NIST SP 800-40 v2)
• Actual roadmap!
• Leadership trust and support!
• Funding, staffing!

Slide 25: Thank You