Transcript of Leveraging SANS Top 20 to develop a Security Engineering ...
• My personal experience, opinions and guidance
• Not endorsed by, approved by, or the opinion of Dignity Health, nor any of its leadership or business units
• Discussion of historical issues and concerns, may not reflect current security practices or concerns
• Your individual mileage may vary
• Talk to your Doctor to see if SANS Top 20 is right for you
DISCLAIMER
• Reflection(s), Speaker
• Intro and Methodology
• Top 20 Critical Controls
– Individual Control formatting
– Critical First Five
• Call to action, Implementation
Outline:
• "More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk."
– Bruce Schneier
• "The secret to getting ahead is getting started. The secret of getting started is breaking your complex, overwhelming tasks into small manageable tasks, and then starting on the first one."
– Mark Twain
Reflections
Speaker Bio (and every credential I could think of)
Glen G. Walker
Security Engineering and Operations Manager, Dignity Health
MS Information Management, ASU, W. P. Carey School of Business
BA Psychology, University of Arizona
• CISSP
• GCIA (GIAC Certified Intrusion Analyst)
• GCIH (GIAC Certified Incident Handler)
• ITIL v3 Foundation
• CompTIA Security+
• CCNA (Expired 2003)
• PADI Advanced Open Water Diver
• Senior Member, United States Fencing Association (Foil E07)
• BJCP Apprentice Beer Judge
• Recipient of the “I Ate Rattlesnake” certificate, Rawhide theme park
• Security admin function
• Reactive, Audit-driven Strategy
• Limited controls, implementation
• Regulatory and Business concern
• Morale and Purpose
The Problem
• Evaluate and Secure
• Protect Patients, Business, Brand
• Reduce Audit Concerns
• HIPAA, PCI, etc.
• Start Looking at Frameworks
• ISO? COBIT?
• “Can we do, like, SANS and OWASP stuff?”
The Direction
The Critical Security Controls for Effective Cyber Defense
– NSA, SANS, now “Council on CyberSecurity”
– Best practice guidelines for computer security
– Threat and attack based (as opposed to compliance and audit)
– Fits our Defense in Depth strategy
– 100+ Government and Private sector contributing agencies
– Mapped to NIST SP 800-53 r3
– http://www.sans.org/critical-security-controls/
Methodology: Top 20 Critical Controls
US Dept of State began implementation in 2009, reported “a more than 88% reduction in vulnerability-based risk across 85,000 systems” within the first year
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation
• Malware Defenses
• Application Software Security
• Wireless Access Control
• Data Recovery Capability
• Security Skills Assessment and Appropriate Training to Fill Gaps
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Top 20 Critical Controls (1-10)
• Limitation and Control of Network Ports, Protocols, and Services
• Controlled Use of Administrative Privileges
• Boundary Defense
• Maintenance, Monitoring, and Analysis of Audit Logs
• Controlled Access Based on the Need to Know
• Account Monitoring and Control
• Data Protection
• Incident Response and Management
• Secure Network Engineering
• Penetration Tests and Red Team Exercises
Top 20 Critical Controls (11-20)
• Justification for criticality
• Sub-controls
– Implementation guidance
– Categories
• Procedures and Tools
• Effectiveness Metrics
• Effectiveness Test
• System Entity Relationship Diagram
Individual Controls
Sample subtasks: CSC 5: Malware Defenses
• CSC 5-1: Employ automated malware detection tools to continuously monitor all nodes, log centrally (Quick win)
• CSC 5-2: Use remotely managed, centralized anti-malware infrastructure (Quick win)
• CSC 5-3: Turn off auto-run (Quick win)
• CSC 5-4: Automatically scan removable media (Quick win)
• CSC 5-5: E-mail content and web content filtering (Quick win)
• CSC 5-6: Enable anti-exploitation countermeasures (DEP, ASLR, EMET) (Quick win)
• CSC 5-7: Limit external devices to business need (Quick win)
• CSC 5-8: Behavior-based anomaly detection monitoring tools (Visibility/Attribution)
• CSC 5-9: Network-based anti-malware tools (Visibility/Attribution)
• CSC 5-10: Implement an incident response process (IT to InfoSec) (Advanced)
• CSC 5-11: Enable domain name system (DNS) query logging (Advanced)
• Quick wins
– “Critical First Five” (most immediate impact on preventing attacks)
• Visibility and attribution measures
• Improved information security configuration and hygiene
• Advanced sub-controls
Categories
• CSC 2-1: Deploy application whitelisting technology
• CSC 3-1: Establish and ensure the use of standard secure configurations of your operating systems
• CSC 3-2: Automate patching for applications and operating systems (within 48h)
• CSC 3-3 and CSC 12-1: Limit and audit administrative privileges (Least Privilege)
• CSC 4-1: Run automated vulnerability scanning
Critical First Five
1. Perform initial gap assessment
2. Feasibility study: contextualize for your business and maturity
3. Short term: Implement Quick Wins and First Five
4. Mid term: define projects for deploying appropriate "visibility and attribution" and "hardened configuration and improved information security hygiene" Critical Controls
5. Long term: define projects for deploying appropriate "advanced controls" over the longer term.
Suggested Implementation
Top 20 Critical Controls, Initial Priority
• Immediate Priority
– Boundary Defense
– Limitation and Control of Network Ports, Protocols, and Services
– Maintenance, Monitoring, and Analysis of Audit Logs
– Malware Defenses
– Secure Configurations for Network Devices
– Controlled Access Based on the Need to Know
– Account Monitoring and Control
– Data Loss Prevention
– Incident Response and Management
• High Priority
– Controlled Use of Administrative Privileges
– Security Skills Assessment and Appropriate Training to Fill Gaps
– Wireless Device Control
– Inventory of Authorized and Unauthorized Devices
– Continuous Vulnerability Assessment and Remediation
– Secure Network Engineering
– Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Deferred Priority
– Application Software Security
– Inventory of Authorized and Unauthorized Software
– Data Recovery Capability
– Penetration Tests and Red Team Exercises
Initial Survey (chart data)
• Critical First Five: In Production 20%, In Progress 40%, Requested 20%, Not planned 20%
• Quick Wins: In Production 23%, In Progress 20%, Purchased not installed 6%, Requested 30%, Not planned 10%, Declined 1%, Unknown 10%
• Stakeholder survey
• Architecture, Engineering, Operations
• InfoSec, Network, Server, Desktop
• Operational analysis
• Critical First Five
• Quick Wins
• Specific concern
• Qualitative Impact Estimate
• Averaged score
• Control/Headcount needed
Control risk matrix
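The initial survey and the control risk matrix described on the last few slides, as an added worked example (not the speaker's tooling, and not a Council on CyberSecurity artifact): it computes the status split the survey pie chart shows and ranks outstanding controls by averaged stakeholder impact per head of effort. Control ids come from the Critical First Five slide; the statuses, impact scores and headcount figures are constructed sample data.

```python
"""Gap-assessment helper for a Critical Controls rollout (added example)."""
from collections import Counter
from statistics import mean

# Constructed sample: one status per Critical First Five control. With five
# controls each one is 20%, matching the 20/40/20/20 split on the survey chart.
FIRST_FIVE = {
    "CSC 2-1": "In Production",
    "CSC 3-1": "In Progress",
    "CSC 3-2": "In Progress",
    "CSC 3-3/12-1": "Requested",
    "CSC 4-1": "Not planned",
}

# Constructed risk matrix: control -> (qualitative impact estimates, 1-5, one
# per stakeholder group; headcount needed to deploy). Headcount is effort.
RISK_MATRIX = {
    "CSC 2-1": ([5, 4, 4], 2.0),
    "CSC 3-1": ([4, 4, 3], 1.0),
    "CSC 3-2": ([5, 5, 4], 1.5),
    "CSC 3-3/12-1": ([5, 3, 4], 0.5),
    "CSC 4-1": ([3, 3, 3], 1.0),
}


def status_distribution(survey):
    """Percentage of controls in each status, as plotted on the survey slide."""
    counts = Counter(survey.values())
    total = sum(counts.values())
    return {status: round(100 * n / total) for status, n in counts.items()}


def rank_controls(matrix, survey, done=("In Production",)):
    """Rank controls not yet in production by averaged impact per head needed.

    Returns (control, averaged score, headcount, score per head), best first.
    """
    rows = []
    for cid, (scores, heads) in matrix.items():
        if survey.get(cid) in done:
            continue  # already deployed; nothing to prioritise
        avg = mean(scores)
        rows.append((cid, round(avg, 2), heads, round(avg / heads, 2)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    print(status_distribution(FIRST_FIVE))
    for row in rank_controls(RISK_MATRIX, FIRST_FIVE):
        print(row)
```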
• Contextualized as a function of
– Risk: impact, probability
– Roadmap and strategy
– Current trends and known evil
• “OMG Target!”
• “OMG Heartbleed!”
• “OMG Community Health!”
• “OMG ShellShock!”
• “OMG Home Depot!”
• “OMG Poodle!”
Call to Action: Followup
• Current Defenses
– Establishes baseline, relieves panic, acknowledges progress, creates continuity and sense of achievability
• Short-term Efforts Needed
– Projects in progress, Quick Wins, First Five, etc.
– Low-hanging fruit (easy POC wins)
• Longer-term Efforts Needed
– Projects in progress but at risk
– Purchased, not yet staffed for configuration or integration
– Not yet staffed for development
– Not yet funded or staffed
Action Plan
Sample Plan (Achieved! Mostly!)
CSC-18 Incident Response and Management
• Current Defenses
– SIEM, IDS/IPS, FW logging, IDM logging, CSIRT
• Short-term Efforts Needed
– Ownership
– CSC 18-2 Assign CSIRT operational roles to specific people
– CSC 18-3 Assign CSIRT management roles to specific people
• Longer-term Efforts Needed
– SIEM operationalization and optimization
– ISIRT Development
– CSC 18-1 Incident response plan (CSIRT)
– CSC 18-4 Establish CSIRT reporting process and timeframes
– CSC 18-5 Establish CSIRT contact info for external resources
– Security Operations Center: 24x7 alert monitoring and triage
– KPI and metrics
• “First Five” all either in production or in progress
• Operationalized SIEM, IDS/IPS
• SOC staffed
• CSIRT => ISIRT (NIST SP 800-61 r2)
• Vulnerability Management function (NIST SP 800-40 v2)
• Actual roadmap!
• Leadership trust and support!
• Funding, staffing!
Results