Layered Security Overview for NTX ISSA Conference

@NTXISSA #NTXISSACSC4Dell - Internal Use - Confidential
Layered Security/Defense In
Depth
Nathan Shepard
Customer Information Security Manager
Dell Services
October 7-8, 2016

Bio
• Customer Information Security Manager
• Currently on a financial customer
• Serviced over 20 customers in my 17 years with Perot/Dell
• Healthcare
• Power
• Finance
• Others
• Corporate level consulting
• Information Security Management
• CISSP
• CISM
• CISA
• CRISK
• 33 Years in IT
• 21 Years in InfoSec
• Veteran, U.S. Army, U.S. Coast Guard
NTX ISSA Cyber Security Conference – October 7-8, 2016 2

This Presentation
• Is based on Information Security best practices (a conglomeration of practices
derived from regulatory requirements and published industry standards) and is
meant to give a general overview of what a comprehensive Information Security
program should look like in any given industry.
• Is high level, my objective is to outline the scope of an entire Information
Security program, not provide precise details on each and every aspect.
• Is not a sales presentation. I have nothing to sell you.
• Isn’t meant to scare you, but it might.
• Isn’t meant to dissuade you from following an InfoSec career, but it might.
• Don’t ask me detailed in depth questions about the controls, I’m a generalist. I
point to the correct subject matter experts for the controls.

Why this presentation?
• In many of the presentations you will see this weekend, or at other venues, you will
receive an in depth analysis of a problem, or a process, or a tool, or a control.
• While these are excellent, I have seen no presentations on how it all fits together.
• In my role, I frequently have to interview individuals for the same or similar positions
as the one I occupy and enjoy.
• I ask each one of them to explain to me “Defense in Depth” or “Layered Security”.
Maybe 1 in 5 can give a good answer. And these are all seasoned security
professionals.
• May of us have tunnel vision, knowing a LOT about specific aspects of security, but
lacking an overview of the entire process.
• Today, I want to remedy that situation.

Confusion! So many vendors, so little time.
Alert
Logic
SecurIS
SafeNet
Sentinel IPS
Shavlik
Solutionary
VeloCloud
Vipre
SourceFire
Niksun
Varonis
Cylance
Tempered
ThreatTrack
Cadre
SecureData Vormetric
VisualClick
Wild Packets
ZixCorp
Attivo
ProtectWise
iScanOnLine
PaloAlto
NSFocus
UDI
SentinalOne
Data Solutions
LightCyber
LogRhythm
Lumeta
LanDesk
NexusGuard
Kasperskey
JumpCloud
IXIA
InNet
Hytrust
Gigamon
eSkyCity
InfoBlox
F5
Fortinet
Future
Com
Genalto
GlobalScape
Interface
Masters
Preferred Technology SkyPort Systems
NetBoundry
Observable
Networks
OpenDNS
Dell Secure
Works
Sumologic
Unique Digital
Cyber Reason
Juniper
egress
Druva
DarkTrace
Cumulus
Symantec
Microsoft
McAfee
Nessus
Qualys
A10
Above Security
AccuData
Barracuda
Beyond
Security
BlueCoat
Cleo
CheckPoint
Cisco
Critical Start
Critical Watch
BitDefender
Sophos
TrendMicro
eset
BAE
Systems
Clearswift
RedSeal
F-Secure
Stormshield
Webroot
Panda
IBM
Bit9
SnoopWall
InfoDefense
iNetU
Apcon Packetviper
SIMS
Tiepoint
Synack
Caliber
DirectDefense
AVI
Networks
Forrester
Duo
SecureAuth
Stealthbits
Fidelis
Venafi
ForeScout
Xirrus
BeyondTrust
BluVector
Illumio
MaxNet
Aerohive
invincea
Centrify
Cyber-Ark
Axway
WatchGuard
iMPERVA
RSA
Riverbed
Tripwire
FireEye
Intelisecure
NetSpi
Accenture
TippingPoint
Aruba
Networks
Extreme Networks

Layered Security

By Layer

Personnel

HR
• Right to work
• Background Checks
• Resume Checks
• On-Boarding
• Off-Boarding
• Corrective Action
• PIP (Performance Improvement Process)

Awareness
• People are our biggest threat
• Annual Awareness
• Routine Awareness
• Group On-Boarding Awareness
• Active Issue Awareness
• Social Engineering
• Phishing
• Avoiding communications overload
• Lack of sensitivity towards confidentiality
• Data Handling Procedures

Physical

Facilities
• Location Considerations
• Flood, Crime, Earthquake, Industrial, Railroad, Hurricanes, Tornados, Snow
• Perimeter Controls
• Guards
• Vehicle Barriers
• Fencing
• Lighting
• CCTV
• Sensors
• Access Controls
• Card Keys/Badge Readers
• Man Traps
• Internal Controls
• Internal zone segmentation
• Card Keys/Badge Readers
• Motion Sensors
• CCTV
• Wiring closet controls (restricted access)
• Physical Security Auditing and Penetration Testing

Data Centers
• Redundancy:
• Locations Power suppliers Off line power (generators)
• Fuel for off line power Telecommunications Networking
• Air Conditioning Water
• Capacity Planning
• Access
• Highly Restricted Card Keys Locked cabinets
• Segregated areas (fencing/locks) Tied to change management Controlled by DC Ops
• Detection
• Fire/Smoke Water Temperature
• Humidity CCTV Intrusion (Doors)
• Fire Suppression
• Change Procedures
• Cleaning and Maintenance
• Hard drive retention/disposal

Internal

Network
• Segmentation
• Avoiding flat networks
• VLANs for separation
• Avoiding any-any rules
• Separate Users from Infrastructure
• Separate Development, Test, Q/A, UAT, Production
• Separate regulated areas such as for PCI compliance
• Separate other high risk departments (medial records, finance, HR)
• Separate by major Departments
• Separate by geographically
• Separate by function (such as administrator access on a separate VLAN)
• Admin access
• Strict controls over modify access
• Ensure all of your eggs are NOT in one basket (San Francisco, 2008,
http://www.infoworld.com/article/2653004/misadventures/why-san-francisco-s-network-admin-
went-rogue.html)
• Network Intrusion Prevention/Detection
• On internal segments, not just ingress/egress

Network (cont)
• Internal Transmission Encryption
• Password transmission
• General internal transmission encryption is not mandated (that I know of), but should be
considered
• NAC (Network Access Controls)
• Server registration
• End point device registration and mandatory controls.
• Non-compliant isolation
• Rogue Wireless Access Points

Servers/Databases
• Asset Management
• If you don’t know what you have, how can you protect it.
• Business Ownership
• What servers, DBs, support what applications
• File Integrity Monitoring
• HIDS
• Crown Jewels (PII, PHI, PCI, DC, Key Manager, Finance)
• Backups
• Backup Encryption
• OS Patching
• DB Patching
• Encryption at Rest
• Access Control
• Provisioning/De-Provisioning
• Separation of duties
• RBAC
• Auditing
• Identity Management (IDM)

Servers/Databases (cont)
• Admin Access
• Unique UserID (no generic) access
• Don’t use the same UserID as their normal network/workstation access.
• Minimize domain and server admin access
• Log actions taken
• Encrypted access (no Telnet)
• Change Controls
• Post deployment changes (applications, databases, etc)
• Vulnerability Scanning
• Promotion to use (Dev/Test/Prod)

Servers/Databases (cont)
• Secure Configuration
• Industry standard controls (vendor, NIST, customized) Gold images
• Standardized configurations per OS, per use, per zone Vulnerability scanned images
• Supported OS (n-1); Documentation (run documents) Log Settings
• Centralized Logging Anti-Virus
• Removal of un-needed services/software Asset Management
• Patching Asset Management Agent
• Monitoring File integrity monitoring
• Authentication credential controls Encryption at Rest
• Encryption in transit Auto-logoff
• Default UserIDs Default Passwords
• No dual-homed More

Applications
• Asset Management
• Naming Standards; Ownership; Licensing; Source Code Escrow.
• Authentication/Authorization
• Application firewalls
• Application vulnerability scanning
• Secure Coding Processes
• Documentation
• Servers; Network Segments; Databases; Interactions; Data Flow; Data Classification
• Monitoring; Logging; Patching; Encryption; Network Segment;

Applications (cont)
• SDLC (Software Development Lifecycle)
• Code change controls
• Separation of duties
• Libraries access
• Development environment controls
• Equal security controls
• Live data use restrictions (ePHI De-Identification)
• Network segregation
• No development on production systems
• Integrity controls
• Input/output verification Error handling Incomplete data
• Missing field required Data field Limit Balancing controls
• Duplicate records processing Data buffer overrun Check digit validation
• Data field combination or correlation tests
• Scripting vulnerabilities identification and remediation prior to publication
• Restrict stored data changes to the application interface only

EndPoint
• Desktop admin access
• Anti-Virus
• Local Firewall
• Media Controls
• Application Controls
• Host Data Loss Prevention
• Host Intrusion Prevention
• Disk/File Encryption
• Patching
• Mobile devices
• BYOD
• Monitored 24x7

Vulnerability Scanning
• Asset identification
• Vulnerability assessment
• Authenticated, Un-Authenticated
• Frequency
• Impact
• External/Internal
• Workstations
• Remediation

Virtualized Environment
• Tools may differ from the ‘physical’ devices
• Consistency of controls across all guests
• Hardening of the host virtualization environment
• Ensuring resource allocation has accounted for security control overhead (such
as AV scanning which can be resource intensive)
• Patching and Vulnerability Scanning at the HV Level
• AV needs to have resource utilization leveling to ensure that simultaneous scans
or updates won't impact the performance of virtual environments
• May require a different product
• Randomize when scans and updates take place, preventing resource
contention and leveling CPU resources
• IO aware Scan Tuning, and multithreading for optimal performance

External

Penetration Testing
• Done by an internal party (pre-testing)
• Done by an external party (Compliance
Certification such as PCI)
• Proactive identification of weak controls
• Remediation
• Re-scanning

DOS Front End
• Denial of Service (DOS), Distributed Denial of Service (DDOS)
• In front of the internet router
• 3d party or ISP provided services
• Monitoring
• Incoming data re-direct and filtering

Firewalls
• Traditional Firewalls
• NexGen Firewalls
• At the parameter
• Segmenting
• Internal/External
• External/DMZ
• DMZ/Internal
• Internal/Internal
• Critical Rules
• Deny by Default
• Elimination of any-any
• Restricting rules to specific IPs, ranges, ports
• Geo Blocking
• Maintenance
• Reporting; Alerting; Logs
• Rule Tracking
• Auditing
• Critical to have a periodic 3d party rules/configuration review

NIPS/NIDS
• NIDS (Passive)/NIPS (Active)
• Positioning is critical.
• Internal/External
• Between Zones
• Centralization of logs
• SIEM
• SOC

DMZ
• All external access terminates in a DMZ
• Site 2 Site VPNs
• Client 2 Site VPNs
• Web Servers
• E-mail
• Internet
• Strict controls over access between DMZ and internal zones.
• Can have multiple DMZ Zones such as a separate zone for vendor or 3d party
interaction.

E-Mail Gateway
• Anti-Spam
• Anti-Virus
• Secure E-Mail Delivery
• Compliance Filtering

Internet Gateway
• Internet Content Filter
• Web surfing Web threats Social media use
• Instant messaging Web based e-mail use Live Stream
• Reputational blocking Lexical and a scoring systems
• ‘Break-the-glass’
• Can be used for compliance monitoring and remediation
• Can be tied to AD/LDAP for positive identification of the individual

Transmission Encryption
• All transmission of sensitive or regulated data over open networks (the Internet)
• All transmission of passwords
• All administrator access sessions (no Telnet or FTP)

Data Loss Prevention
• Addresses accidental or intentional disclosure of data and data theft
• Network-based
• Scan and report

Cloud Computing
• May add multiple layers to Information Security
• How has your data?
• The 3d party you contracted with?
• The DC they outsourced to?
• 3d Parties the DC has outsourced to?
• Contract Criticality
• Vendor vetting Data ownership Data access
• Data retention Data restoration SLAs
• Geographical Locations HR Processes/Employee Vetting
• You are not relieved of responsibility
• Security Controls
• Leveraged Firewalls Leveraged IPS Leveraged Physical Hdw
• Access Management Centralized logging Data Flow

By Cross
Functional

Policies, Standards and Procedures
• Core of the Information Security cyclical process
• ISO9001: “Document what you do, do what you document”
• Used to educate and direct the end users as well as IT staff, vendors, etc
• Used to enforce compliance, consistent configurations and practices
• Used to force formal exceptions for bad practices
• Regulatory required
• Audit required
• Establish a process for documentation review and approval
• Establish document templates for policies, standards and procedures
• Establish a numbering system to ensure a logical order to documentation
• Establish a desired documentation matrix (next slide)

My Standard Structure

BCP/DR
• Critical part, frequently not see as ‘security’
• BC
• Where will an employee work?
• How will the employee connect?
• Are there ‘off line’ processes?
• What services are mandatory? Not?
• Exercises
• DR
• Planning
• Criticality
• Recovery Point
• Recovery Time
• Hot, Warm, Cold Sites
• Exercises

Audits
• Compliance
• HIPAA, HITECH, PCI, FERC/NERC, SEC, GLBA, SOX
• Self Auditing
• Keep your controls under control.
• Access, Incidents, Tasks
• Internal Audit
• Your best friend. Helps you to find issues first.
• External ‘Prep’ Audit
• Your best friend. Helps you to find issues first.
• External Formal Audit
• Good time to take a vacation.

Logging, SIEM, SOC
• Have an audit trail.
• Anti-Forensic resistant.
• Determine what must be logged by IPS, DLP, Firewalls, Servers, Applications, AV,
etc.
• React at the earliest possible time to reduce impact
• 24x7 or via report and request
• Expert review and analysis (if using a managed SOC)
• Minimize false positives through analysis and tuning

Event Analysis
4,159,085,410,119 - Total Events
157,202,478,589
Total Security Events
4,216,300,021
Advance Correlated
Events
15,137,697
Analyst Events
321,290
Tickets Escalated
Event Filters
Automated Correlation (MPLE)
Expert Analysis & Investigation
Client Escalations
Technology
People &
Process
Escalations is 0.000008% of Total Events

CSIRT

ITIL Processes
• Information Technology Infrastructure Library
• ITIL processes are used throughout the Information Security program to ensure
integration with the rest of IT operations
• Request Management
• Incident Management
• Change Management
• Problem Management
• Configuration Management Data Base (CMDB) for asset tracking

Governance

How do you stack up?

Question
and
Answer

@NTXISSA #NTXISSACSC4
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 7-8, 2016 48
Thank you

Layered Security Overview for NTX ISSA Conference

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Layered Security Overview for NTX ISSA Conference

Similar a Layered Security Overview for NTX ISSA Conference (20)

Más de North Texas Chapter of the ISSA

Más de North Texas Chapter of the ISSA (20)

Último

Último (20)

Layered Security Overview for NTX ISSA Conference