Layered Security / Defense in Depth
One area that I have found even seasoned security professionals have trouble articulating is layered security (defense in depth). Most are familiar with their own area of expertise (servers, networks, pen testing, etc.) but have never viewed security as a heterogeneous process. In my presentation I use a layered diagram to highlight which controls are in which layers, which controls interact across layers, and what a complete layered security model would look like versus what a more typical company security model actually looks like.
Nathan Shepard
CISSP, CISM, CRISC, CISA
33 Years in IT.
21 Years in Information Security.
Information Security consulting at the corporate governance level.
Information Security management for outsourced InfoSec delivery.
Layered Security Overview for NTX ISSA Conference
1. @NTXISSA #NTXISSACSC4Dell - Internal Use - Confidential
Layered Security / Defense In Depth
Nathan Shepard
Customer Information Security Manager
Dell Services
October 7-8, 2016
2. Bio
• Customer Information Security Manager
• Currently on a financial customer
• Serviced over 20 customers in my 17 years with Perot/Dell
• Healthcare
• Power
• Finance
• Others
• Corporate level consulting
• Information Security Management
• CISSP
• CISM
• CISA
• CRISC
• 33 Years in IT
• 21 Years in InfoSec
• Veteran, U.S. Army, U.S. Coast Guard
NTX ISSA Cyber Security Conference – October 7-8, 2016
3. This Presentation
• Is based on Information Security best practices (a conglomeration of practices
derived from regulatory requirements and published industry standards) and is
meant to give a general overview of what a comprehensive Information Security
program should look like in any given industry.
• Is high level, my objective is to outline the scope of an entire Information
Security program, not provide precise details on each and every aspect.
• Is not a sales presentation. I have nothing to sell you.
• Isn’t meant to scare you, but it might.
• Isn’t meant to dissuade you from following an InfoSec career, but it might.
• Don’t ask me detailed, in-depth questions about the controls; I’m a generalist. I point to the correct subject matter experts for the controls.
4. Why this presentation?
• In many of the presentations you will see this weekend, or at other venues, you will
receive an in depth analysis of a problem, or a process, or a tool, or a control.
• While these are excellent, I have seen no presentations on how it all fits together.
• In my role, I frequently have to interview individuals for the same or similar positions
as the one I occupy and enjoy.
• I ask each one of them to explain to me “Defense in Depth” or “Layered Security”.
Maybe 1 in 5 can give a good answer. And these are all seasoned security
professionals.
• Many of us have tunnel vision, knowing a LOT about specific aspects of security but lacking an overview of the entire process.
• Today, I want to remedy that situation.
5. Confusion! So many vendors, so little time.
Vendors shown on the slide: Alert Logic, SecurIS, SafeNet, Sentinel IPS, Shavlik, Solutionary, VeloCloud, Vipre, SourceFire, Niksun, Varonis, Cylance, Tempered, ThreatTrack, Cadre, SecureData, Vormetric, VisualClick, WildPackets, ZixCorp, Attivo, ProtectWise, iScanOnLine, PaloAlto, NSFocus, UDI, SentinelOne, Data Solutions, LightCyber, LogRhythm, Lumeta, LanDesk, NexusGuard, Kaspersky, JumpCloud, IXIA, InNet, Hytrust, Gigamon, eSkyCity, InfoBlox, F5, Fortinet, Future Com, Gemalto, GlobalScape, Interface Masters, Preferred Technology, SkyPort Systems, NetBoundry, Observable Networks, OpenDNS, Dell SecureWorks, Sumologic, Unique Digital, Cyber Reason, Juniper, egress, Druva, DarkTrace, Cumulus, Symantec, Microsoft, McAfee, Nessus, Qualys, A10, Above Security, AccuData, Barracuda, Beyond Security, BlueCoat, Cleo, CheckPoint, Cisco, Critical Start, Critical Watch, BitDefender, Sophos, TrendMicro, eset, BAE Systems, Clearswift, RedSeal, F-Secure, Stormshield, Webroot, Panda, IBM, Bit9, SnoopWall, InfoDefense, iNetU, Apcon, PacketViper, SIMS, Tiepoint, Synack, Caliber, DirectDefense, AVI Networks, Forrester, Duo, SecureAuth, Stealthbits, Fidelis, Venafi, ForeScout, Xirrus, BeyondTrust, BluVector, Illumio, MaxNet, Aerohive, invincea, Centrify, Cyber-Ark, Axway, WatchGuard, iMPERVA, RSA, Riverbed, Tripwire, FireEye, Intelisecure, NetSpi, Accenture, TippingPoint, Aruba Networks, Extreme Networks.
13. Data Centers
• Redundancy
  • Locations
  • Power suppliers
  • Off-line power (generators)
  • Fuel for off-line power
  • Telecommunications
  • Networking
  • Air conditioning
  • Water
  • Capacity planning
• Access
  • Highly restricted
  • Card keys
  • Locked cabinets
  • Segregated areas (fencing/locks)
  • Tied to change management
  • Controlled by DC Ops
• Detection
  • Fire/smoke
  • Water
  • Temperature
  • Humidity
  • CCTV
  • Intrusion (doors)
• Fire Suppression
• Change Procedures
• Cleaning and Maintenance
• Hard drive retention/disposal
15. Network
• Segmentation
• Avoiding flat networks
• VLANs for separation
• Avoiding any-any rules
• Separate Users from Infrastructure
• Separate Development, Test, Q/A, UAT, Production
• Separate regulated areas such as for PCI compliance
• Separate other high risk departments (medical records, finance, HR)
• Separate by major departments
• Separate by geography
• Separate by function (such as administrator access on a separate VLAN)
• Admin access
• Strict controls over modify access
• Ensure all of your eggs are NOT in one basket (San Francisco, 2008, http://www.infoworld.com/article/2653004/misadventures/why-san-francisco-s-network-admin-went-rogue.html)
• Network Intrusion Prevention/Detection
• On internal segments, not just ingress/egress
16. Network (cont)
• Internal Transmission Encryption
• Password transmission
• General internal transmission encryption is not mandated (that I know of), but should be
considered
• NAC (Network Access Controls)
• Server registration
• End point device registration and mandatory controls.
• Non-compliant isolation
• Rogue Wireless Access Points
17. Servers/Databases
• Asset Management
• If you don’t know what you have, how can you protect it?
• Business Ownership
• What servers, DBs, support what applications
• File Integrity Monitoring
• HIDS
• Crown Jewels (PII, PHI, PCI, DC, Key Manager, Finance)
• Backups
• Backup Encryption
• OS Patching
• DB Patching
• Encryption at Rest
• Access Control
• Provisioning/De-Provisioning
• Separation of duties
• RBAC
• Auditing
• Identity Management (IDM)
18. Servers/Databases (cont)
• Admin Access
• Unique UserID (no generic) access
• Don’t use the same UserID as their normal network/workstation access.
• Minimize domain and server admin access
• Log actions taken
• Encrypted access (no Telnet)
• Change Controls
• Post deployment changes (applications, databases, etc)
• Vulnerability Scanning
• Promotion to use (Dev/Test/Prod)
19. Servers/Databases (cont)
• Secure Configuration
  • Industry standard controls (vendor, NIST, customized)
  • Standardized configurations per OS, per use, per zone
  • Supported OS (n-1)
  • Documentation (run documents)
  • Centralized logging
  • Removal of un-needed services/software
  • Patching
  • Monitoring
  • Authentication credential controls
  • Encryption in transit
  • Default UserIDs
  • No dual-homed hosts
  • Gold images
  • Vulnerability-scanned images
  • Log settings
  • Anti-Virus
  • Asset management
  • Asset management agent
  • File integrity monitoring
  • Encryption at rest
  • Auto-logoff
  • Default passwords
  • More
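A way to turn the admin-access and secure-configuration items above into a repeatable check, as an added example (not code from the presentation or from Dell): a Python checker that parses an OpenSSH sshd_config and reports settings that violate a small hardening baseline, namely encrypted, key-based admin access, no direct root or empty-password logins, idle sessions that time out (auto-logoff) and a log level that records what administrators did. The baseline values, the assumed OpenSSH defaults for absent directives and both sample configurations are constructed for this example, not a standard the slides cite.

```python
"""Check an OpenSSH sshd_config against a small hardening baseline.

Added example for the admin-access and secure-configuration checklist.
The baseline values and the assumed OpenSSH defaults are the example's own
choices, not a standard the presentation cites.
"""
from typing import Dict, List, Set, Tuple

# directive -> (acceptable values, why it matters); assumed baseline
BASELINE: Dict[str, Tuple[Set[str], str]] = {
    "protocol": ({"2"}, "SSH protocol 1 is obsolete; use protocol 2 only"),
    "permitrootlogin": ({"no", "prohibit-password"},
                        "root must not log in directly; admins use unique IDs"),
    "passwordauthentication": ({"no"}, "use key-based authentication for admin access"),
    "permitemptypasswords": ({"no"}, "empty passwords are a default-credential risk"),
    "loglevel": ({"info", "verbose"}, "admin actions must be logged"),
}

# What sshd assumes when a directive is absent (OpenSSH 7.x defaults, assumed here)
DEFAULTS: Dict[str, str] = {
    "protocol": "2",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "loglevel": "info",
    "clientaliveinterval": "0",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map each directive (lower-cased) to its effective value.

    sshd honours the first occurrence of a directive and ignores later
    duplicates, so the parser keeps the first value it sees. Comments and
    blank lines are skipped; 'Match' blocks are not modelled.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd_config(text: str, max_idle_seconds: int = 900) -> List[str]:
    """Return findings as strings; an empty list means the baseline is met."""
    settings = {**DEFAULTS, **parse_sshd_config(text)}
    findings: List[str] = []
    for directive, (allowed, reason) in BASELINE.items():
        value = settings[directive].lower()
        if value not in allowed:
            findings.append(f"{directive}={value}: {reason}")
    # Auto-logoff: ClientAliveInterval 0 disables the idle check entirely.
    try:
        idle = int(settings["clientaliveinterval"])
    except ValueError:
        idle = 0
    if idle == 0 or idle > max_idle_seconds:
        findings.append(
            f"clientaliveinterval={settings['clientaliveinterval']}: "
            f"idle admin sessions should time out within {max_idle_seconds}s")
    return findings


# Constructed sample: an out-of-the-box style config with weak settings.
WEAK_CONFIG = """
# sshd_config (constructed sample, not from a real host)
Port 22
Protocol 1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
LogLevel QUIET
"""

# The same host after remediation.
HARDENED_CONFIG = """
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 2
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {check_sshd_config(cfg) or 'meets baseline'}")
```

Point it at a host's /etc/ssh/sshd_config instead of the embedded samples to get the same finding list; an empty list is the target state, and a gold image can be checked the same way before it is promoted.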
21. Applications (cont)
• SDLC (Software Development Lifecycle)
• Code change controls
• Separation of duties
• Libraries access
• Development environment controls
• Equal security controls
• Live data use restrictions (ePHI De-Identification)
• Network segregation
• No development on production systems
• Integrity controls
  • Input/output verification
  • Error handling
  • Incomplete data
  • Missing required field
  • Data field limit
  • Balancing controls
  • Duplicate records processing
  • Data buffer overrun
  • Check digit validation
  • Data field combination or correlation tests
• Scripting vulnerabilities identification and remediation prior to publication
• Restrict stored data changes to the application interface only
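The integrity controls listed above, worked through as an added example that is not code from the presentation: a Python validator that applies required-field, field-limit (buffer overrun), check-digit, duplicate-record, field-combination and batch-balancing checks to a constructed batch of records. The record layout, the limits and the use of the Luhn algorithm as the check-digit scheme are assumptions made for the example.

```python
"""Application integrity controls over a batch of input records.

Added example, not from the presentation. The record layout, the limits and
the choice of the Luhn algorithm as the check-digit scheme are assumptions;
the batch at the bottom is constructed.
"""
from datetime import date
from typing import Dict, List, Optional

# Assumed layout: field -> (required, maximum length)
FIELD_SPEC: Dict[str, tuple] = {
    "record_id": (True, 12),
    "account": (True, 19),
    "amount": (True, 12),
    "service_date": (True, 10),
    "discharge_date": (False, 10),
}


def luhn_valid(number: str) -> bool:
    """Check-digit validation (Luhn, assumed as the scheme for 'account')."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:
            digit = digit * 2 - 9 if digit * 2 > 9 else digit * 2
        total += digit
    return total % 10 == 0


def _amount(rec: Dict[str, str]) -> Optional[float]:
    try:
        return float(rec.get("amount", ""))
    except ValueError:
        return None


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Return the integrity failures for one record; empty means clean."""
    errors: List[str] = []
    for field, (required, max_len) in FIELD_SPEC.items():
        value = rec.get(field, "")
        if required and not value:
            errors.append(f"missing required field {field}")
        elif len(value) > max_len:          # field limit / buffer-overrun guard
            errors.append(f"{field} exceeds {max_len} characters")
    if rec.get("account") and not luhn_valid(rec["account"]):
        errors.append("account fails check-digit validation")
    amount = _amount(rec)
    if amount is None:
        errors.append("amount is not numeric")
    elif amount <= 0:
        errors.append("amount must be positive")
    # Field-combination test: a discharge cannot precede the service date.
    if rec.get("service_date") and rec.get("discharge_date"):
        try:
            if date.fromisoformat(rec["discharge_date"]) < date.fromisoformat(rec["service_date"]):
                errors.append("discharge_date precedes service_date")
        except ValueError:
            errors.append("dates are not ISO formatted (YYYY-MM-DD)")
    return errors


def validate_batch(records: List[Dict[str, str]], declared_total: float) -> Dict[str, object]:
    """Apply record checks, reject duplicates and run the balancing control.

    The balancing control compares the batch header's declared total with the
    sum of every record received, so a record lost or duplicated in transit
    shows up even when the individual records are well formed.
    """
    accepted: List[Dict[str, str]] = []
    rejected: Dict[str, List[str]] = {}
    seen: set = set()
    for rec in records:
        rid = rec.get("record_id", "")
        errors = validate_record(rec)
        if rid in seen:
            errors.append("duplicate record_id")
        seen.add(rid)
        if errors:
            rejected[rid] = errors
        else:
            accepted.append(rec)
    received_total = sum(a for a in (_amount(r) for r in records) if a is not None)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "received_total": round(received_total, 2),
        "balanced": abs(received_total - declared_total) < 0.005,
    }


# Constructed batch: one clean record and five that each trip a control.
SAMPLE_BATCH = [
    {"record_id": "R1", "account": "79927398713", "amount": "120.50", "service_date": "2016-10-07"},
    {"record_id": "R2", "account": "", "amount": "40.00", "service_date": "2016-10-07"},
    {"record_id": "R3", "account": "79927398710", "amount": "15.25", "service_date": "2016-10-07"},
    {"record_id": "R4", "account": "79927398713", "amount": "99.99",
     "service_date": "2016-10-07", "discharge_date": "2016-10-05"},
    {"record_id": "R1", "account": "79927398713", "amount": "120.50", "service_date": "2016-10-07"},
    {"record_id": "R6", "account": "79927398713000000000", "amount": "10.00", "service_date": "2016-10-07"},
]
SAMPLE_DECLARED_TOTAL = 406.24  # header control total; matches what was received

if __name__ == "__main__":
    result = validate_batch(SAMPLE_BATCH, SAMPLE_DECLARED_TOTAL)
    print("balanced:", result["balanced"], "accepted:", [r["record_id"] for r in result["accepted"]])
    for rid, errs in result["rejected"].items():
        print(rid, errs)
```

The balancing check deliberately runs over everything received rather than only the accepted records: a batch that balances but has rejections is a data-quality problem, while one that does not balance means records were lost or duplicated between sender and receiver and the whole batch should be held.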
22. EndPoint
• Desktop admin access
• Secure Configuration
• Anti-Virus
• Local Firewall
• Media Controls
• Application Controls
• Host Data Loss Prevention
• Host Intrusion Prevention
• Disk/File Encryption
• Patching
• Mobile devices
• BYOD
• Monitored 24x7
24. Virtualized Environment
• Tools may differ from the ‘physical’ devices
• Consistency of controls across all guests
• Hardening of the host virtualization environment
• Ensuring resource allocation has accounted for security control overhead (such
as AV scanning which can be resource intensive)
• Patching and Vulnerability Scanning at the HV Level
• AV needs to have resource utilization leveling to ensure that simultaneous scans
or updates won't impact the performance of virtual environments
• May require a different product
• Randomize when scans and updates take place, preventing resource
contention and leveling CPU resources
• IO aware Scan Tuning, and multithreading for optimal performance
26. Penetration Testing
• Done by an internal party (pre-testing)
• Done by an external party (compliance certification such as PCI)
• Proactive identification of weak controls
• Remediation
• Re-scanning
27. DOS Front End
• Denial of Service (DOS), Distributed Denial of Service (DDOS)
• In front of the internet router
• 3rd-party or ISP-provided services
• Monitoring
• Incoming data re-direct and filtering
28. Firewalls
• Traditional Firewalls
• NexGen Firewalls
• At the perimeter
• Segmenting
• Internal/External
• External/DMZ
• DMZ/Internal
• Internal/Internal
• Critical Rules
• Deny by Default
• Elimination of any-any
• Restricting rules to specific IPs, ranges, ports
• Geo Blocking
• Maintenance
• Reporting; Alerting; Logs
• Rule Tracking
• Auditing
• Critical to have a periodic 3rd-party rules/configuration review
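The rule-base conditions above (deny by default, no any-any, rules restricted to specific addresses and ports) expressed as the kind of check a periodic rules review would run, as an added example rather than code from the presentation. The rule format is a simplified vendor-neutral tuple assumed for the example, the /16 "too broad" threshold is an assumption, and both rule bases are constructed.

```python
"""Review a firewall rule base for the conditions listed on the slide.

Added example, not from the presentation. Rules use a simplified,
vendor-neutral form (action, proto, src, dst, dport) assumed for this
example; the rule bases below are constructed. Checks: any-any-any allows,
sources or destinations broader than an assumed /16, all-ports allows,
rules shadowed by an earlier rule, and a missing final deny-any.
"""
import ipaddress
from typing import Dict, List, Optional

ANY = "any"
Rule = Dict[str, str]


def _covers(outer: str, inner: str) -> bool:
    """True if address spec `outer` matches everything `inner` matches."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    try:
        return ipaddress.ip_network(inner, strict=False).subnet_of(
            ipaddress.ip_network(outer, strict=False))
    except TypeError:          # mixed IPv4/IPv6 specs never cover each other
        return False


def _shadowed_by(rules: List[Rule], index: int) -> Optional[int]:
    """1-based number of the first earlier rule that matches everything this rule matches."""
    rule = rules[index]
    for j, earlier in enumerate(rules[:index], start=1):
        if (_covers(earlier["src"], rule["src"]) and _covers(earlier["dst"], rule["dst"])
                and earlier["dport"] in (ANY, rule["dport"])
                and earlier["proto"] in (ANY, rule["proto"])):
            return j
    return None


def review_rules(rules: List[Rule], broad_prefix: int = 16) -> List[str]:
    """Return findings in rule order; an empty list means nothing was flagged."""
    findings: List[str] = []
    for i, rule in enumerate(rules, start=1):
        shadow = _shadowed_by(rules, i - 1)
        if shadow is not None:
            findings.append(f"rule {i}: shadowed by rule {shadow} "
                            f"({rules[shadow - 1]['action']}) and never matches")
            continue
        if rule["action"] != "allow":
            continue
        if rule["src"] == ANY and rule["dst"] == ANY and rule["dport"] == ANY:
            findings.append(f"rule {i}: any-any-any allow")
            continue
        for side in ("src", "dst"):
            spec = rule[side]
            if spec == ANY or ipaddress.ip_network(spec, strict=False).prefixlen < broad_prefix:
                findings.append(f"rule {i}: {side} {spec} is broader than /{broad_prefix}; "
                                "restrict to specific IPs or ranges")
        if rule["dport"] == ANY:
            findings.append(f"rule {i}: all ports allowed from {rule['src']} to {rule['dst']}")
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == ANY
            and last["dst"] == ANY and last["dport"] == ANY):
        findings.append("rule base does not end with an explicit deny-any (deny by default)")
    return findings


def _rule(action: str, proto: str, src: str, dst: str, dport: str) -> Rule:
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


# Constructed rule base with the typical review findings.
SAMPLE_RULES = [
    _rule("allow", "tcp", "10.10.0.0/24", "10.20.5.10/32", "443"),   # users -> app, fine
    _rule("allow", "tcp", ANY, "10.20.5.0/24", "22"),                # SSH from anywhere
    _rule("allow", ANY, ANY, ANY, ANY),                              # the classic any-any
    _rule("allow", "tcp", "10.10.0.0/24", "10.20.5.10/32", "443"),   # duplicate of rule 1
    _rule("deny", ANY, ANY, ANY, ANY),
]

# The same intent with the findings remediated.
HARDENED_RULES = [
    _rule("allow", "tcp", "10.10.0.0/24", "10.20.5.10/32", "443"),
    _rule("allow", "tcp", "10.10.9.0/28", "10.20.5.0/24", "22"),      # admin VLAN only
    _rule("deny", ANY, ANY, ANY, ANY),
]

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(name, review_rules(rules) or ["no findings"])
```

Export a real rule base into the same five fields to reuse the checks. Shadowing matters in a review because a rule that never matches is either dead weight or, worse, a deny that an earlier allow has silently neutralised, which is exactly what the sample's final rule shows once rule 3 is in place.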
29. NIPS/NIDS
• NIDS (Passive)/NIPS (Active)
• Positioning is critical.
• Internal/External
• Between Zones
• Centralization of logs
• SIEM
• SOC
30. DMZ
• All external access terminates in a DMZ
• Site 2 Site VPNs
• Client 2 Site VPNs
• Web Servers
• E-mail
• Internet
• Strict controls over access between DMZ and internal zones.
• Can have multiple DMZ zones, such as a separate zone for vendor or 3rd-party interaction.
32. Internet Gateway
• Internet Content Filter
  • Web surfing
  • Web threats
  • Social media use
  • Instant messaging
  • Web-based e-mail use
  • Live streaming
  • Reputational blocking
  • Lexical and scoring systems
• ‘Break-the-glass’
• Can be used for compliance monitoring and remediation
• Can be tied to AD/LDAP for positive identification of the individual
33. Transmission Encryption
• All transmission of sensitive or regulated data over open networks (the Internet)
• All transmission of passwords
• All administrator access sessions (no Telnet or FTP)
34. Data Loss Prevention
• Addresses accidental or intentional disclosure of data and data theft
• Network-based
• Scan and report
35. Cloud Computing
• May add multiple layers to Information Security
• Who has your data?
  • The 3rd party you contracted with?
  • The DC they outsourced to?
  • 3rd parties the DC has outsourced to?
• Contract Criticality
  • Vendor vetting
  • Data ownership
  • Data access
  • Data retention
  • Data restoration
  • SLAs
  • Geographical locations
  • HR processes/employee vetting
• You are not relieved of responsibility
• Security Controls
  • Leveraged firewalls
  • Leveraged IPS
  • Leveraged physical hardware
  • Access management
  • Centralized logging
  • Data flow
37. Policies, Standards and Procedures
• Core of the Information Security cyclical process
• ISO9001: “Document what you do, do what you document”
• Used to educate and direct the end users as well as IT staff, vendors, etc
• Used to enforce compliance, consistent configurations and practices
• Used to force formal exceptions for bad practices
• Regulatory required
• Audit required
• Establish a process for documentation review and approval
• Establish document templates for policies, standards and procedures
• Establish a numbering system to ensure a logical order to documentation
• Establish a desired documentation matrix (next slide)
39. BCP/DR
• Critical part, frequently not seen as ‘security’
• BC
• Where will an employee work?
• How will the employee connect?
• Are there ‘off line’ processes?
• What services are mandatory? Not?
• Exercises
• DR
• Planning
• Criticality
• Recovery Point
• Recovery Time
• Hot, Warm, Cold Sites
• Exercises
40. Audits
• Compliance
• HIPAA, HITECH, PCI, FERC/NERC, SEC, GLBA, SOX
• Self Auditing
• Keep your controls under control.
• Access, Incidents, Tasks
• Internal Audit
• Your best friend. Helps you to find issues first.
• External ‘Prep’ Audit
• Your best friend. Helps you to find issues first.
• External Formal Audit
• Good time to take a vacation.
41. Logging, SIEM, SOC
• Have an audit trail.
• Anti-Forensic resistant.
• Determine what must be logged by IPS, DLP, Firewalls, Servers, Applications, AV,
etc.
• React at the earliest possible time to reduce impact
• 24x7 or via report and request
• Expert review and analysis (if using a managed SOC)
• Minimize false positives through analysis and tuning
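One way to make an audit trail anti-forensic resistant, as an added example (not from the presentation): each record is HMAC-chained to the one before it, so an intruder who edits, deletes or reorders entries on the logging host leaves a verifiable break in the chain. The key, the log entries, and the collector that is assumed to hold the key out of the intruder's reach are all assumptions of this example.

```python
"""A tamper-evident (anti-forensic resistant) audit trail.

Added example, not from the presentation. Every record carries an HMAC over
its own content and the previous record's tag, so editing, deleting or
reordering an entry breaks the chain from that point on. It assumes the key
is held where an intruder on the logging host cannot read it (a separate
collector or HSM); otherwise the tags can simply be recomputed. The log
entries below are constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64
SAMPLE_KEY = b"example-key-held-by-the-log-collector"   # assumption for the demo


def _tag(key: bytes, prev_tag: str, body: Dict[str, Any]) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + canonical, hashlib.sha256).hexdigest()


def append_record(key: bytes, trail: List[Dict[str, Any]], entry: Dict[str, Any]) -> Dict[str, Any]:
    """Append `entry` to `trail`, chaining it to the previous record."""
    prev = trail[-1]["tag"] if trail else GENESIS
    body = {"seq": len(trail), "entry": entry}
    record = dict(body, prev=prev, tag=_tag(key, prev, body))
    trail.append(record)
    return record


def verify_trail(key: bytes, trail: List[Dict[str, Any]],
                 expected_count: Optional[int] = None) -> Optional[int]:
    """Return None if the chain verifies, else the index of the first bad record.

    Sequence numbers catch deletions and reordering; the HMAC catches edits.
    Truncation at the tail leaves a valid shorter chain, which only a
    separately stored record count (or last tag) can detect.
    """
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {"seq": rec["seq"], "entry": rec["entry"]}
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(rec["tag"], _tag(key, prev, body))):
            return i
        prev = rec["tag"]
    if expected_count is not None and len(trail) != expected_count:
        return len(trail)
    return None


# Constructed admin-activity entries of the kind a SIEM would collect.
SAMPLE_ENTRIES = [
    {"ts": "2016-10-07T09:00:01Z", "host": "db01", "user": "adm_jsmith", "action": "sudo su -"},
    {"ts": "2016-10-07T09:00:40Z", "host": "db01", "user": "adm_jsmith", "action": "ALTER USER app SET PASSWORD"},
    {"ts": "2016-10-07T09:02:13Z", "host": "fw01", "user": "adm_kdoe", "action": "rule add permit any any"},
    {"ts": "2016-10-07T09:05:00Z", "host": "db01", "user": "adm_jsmith", "action": "logout"},
]


def build_sample_trail(key: bytes = SAMPLE_KEY) -> List[Dict[str, Any]]:
    trail: List[Dict[str, Any]] = []
    for entry in SAMPLE_ENTRIES:
        append_record(key, trail, entry)
    return trail


def demo_results(key: bytes = SAMPLE_KEY) -> Dict[str, Optional[int]]:
    """What the verifier reports for an intact trail and four tampered copies."""
    trail = build_sample_trail(key)
    edited = copy.deepcopy(trail)
    edited[1]["entry"]["user"] = "adm_kdoe"              # shift blame to another admin
    deleted = trail[:2] + trail[3:]                       # drop the firewall change
    reordered = [trail[0], trail[2], trail[1], trail[3]]
    truncated = trail[:3]                                 # lose the tail
    return {
        "intact": verify_trail(key, trail),
        "edited": verify_trail(key, edited),
        "deleted": verify_trail(key, deleted),
        "reordered": verify_trail(key, reordered),
        "truncated": verify_trail(key, truncated, expected_count=len(trail)),
    }


if __name__ == "__main__":
    print(demo_results())
```

The truncation case is the caveat worth remembering: a chain proves nothing about records that were never written or were cut off the end, so the collector has to keep an independent count or the latest tag, which is one reason the slide's "centralization of logs" belongs next to "anti-forensic resistant".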
42. Event Analysis
Funnel from raw events to escalated tickets:

Stage                        Count
Total events                 4,159,085,410,119
Total security events          157,202,478,589
Advanced correlated events       4,216,300,021
Analyst events                      15,137,697
Tickets escalated                      321,290

Each stage is reduced by the next mechanism in the chain: event filters, automated correlation (MPLE), expert analysis and investigation, and client escalations. The first two are technology; the last two are people and process.
Escalations are 0.000008% of total events.
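The funnel above reduced to working code, as an added example that is not code from the presentation or from any SOC product: a constructed event feed passes through an event filter, a correlation rule, analyst tuning that suppresses a known-benign source, and an escalation rule, and the function returns the count at each stage. The event format, thresholds, time window and allow-list are assumptions.

```python
"""Filter -> correlate -> tune -> escalate over constructed events.

Added example of the funnel shown on the slide. Event filters keep only
security events, a correlation rule clusters authentication failures per
source, analyst tuning suppresses an authorised scanner, and only clusters
followed by a successful logon from the same source become tickets. The
events, thresholds, window and allow-list are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

T0 = datetime(2016, 10, 7, 9, 0, 0)
SECURITY_TYPES = {"auth_failure", "auth_success", "ids_alert", "fw_deny"}
AUTHORISED_SCANNERS = {"10.0.0.50"}     # assumed: the vulnerability scanner's address


def _ev(minute: int, kind: str, src_ip: str) -> Dict:
    return {"ts": T0 + timedelta(minutes=minute), "type": kind, "src_ip": src_ip}


# Constructed feed: operational noise, firewall denies, a brute-force run that
# ends in a successful logon, an authorised scanner and a user who mistyped twice.
EVENTS: List[Dict] = (
    [_ev(m, "heartbeat", "10.0.0.1") for m in range(6)]
    + [_ev(m, "fw_deny", "203.0.113.5") for m in (1, 2, 3)]
    + [_ev(m, "auth_failure", "198.51.100.7") for m in range(6)]
    + [_ev(6, "auth_success", "198.51.100.7")]
    + [_ev(m, "auth_failure", "10.0.0.50") for m in range(10, 15)]
    + [_ev(m, "auth_failure", "192.0.2.9") for m in (20, 21)]
)


def filter_security(events: List[Dict]) -> List[Dict]:
    """Stage 1: event filters drop operational noise."""
    return [e for e in events if e["type"] in SECURITY_TYPES]


def correlate(events: List[Dict], window: timedelta = timedelta(minutes=5),
              threshold: int = 5) -> List[Dict]:
    """Stage 2: flag a source with >= threshold auth failures inside `window`,
    and note whether a success from the same source follows the run."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    flagged = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["type"] == "auth_failure"]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                last_fail = fails[j - 1]["ts"]
                success = any(e["type"] == "auth_success" and e["ts"] >= last_fail for e in evs)
                flagged.append({"src_ip": ip, "failures": j - i, "followed_by_success": success})
                break
    return flagged


def tune(flagged: List[Dict]) -> List[Dict]:
    """Stage 3: analyst tuning removes known-benign sources (false positives)."""
    return [f for f in flagged if f["src_ip"] not in AUTHORISED_SCANNERS]


def escalate(flagged: List[Dict]) -> List[str]:
    """Stage 4: only a failure run that ends in a success becomes a ticket."""
    return [f["src_ip"] for f in flagged if f["followed_by_success"]]


def run_funnel(events: List[Dict]) -> Dict[str, object]:
    security = filter_security(events)
    correlated = correlate(security)
    analyst = tune(correlated)
    tickets = escalate(analyst)
    return {"total": len(events), "security": len(security), "correlated": len(correlated),
            "analyst": len(analyst), "escalated": len(tickets), "tickets": tickets}


if __name__ == "__main__":
    print(run_funnel(EVENTS))
```

The tuning stage is where the slide's "minimize false positives through analysis and tuning" lives: the scanner trips the same correlation rule as the attacker, and only an analyst decision recorded as an allow-list keeps it out of the ticket queue.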
44. ITIL Processes
• Information Technology Infrastructure Library
• ITIL processes are used throughout the Information Security program to ensure
integration with the rest of IT operations
• Request Management
• Incident Management
• Change Management
• Problem Management
• Configuration Management Database (CMDB) for asset tracking
48. Thank you
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)