Assess Your Security Posture To Arm Your Defences


Assess your capabilities and security posture before arming your defences by SecureData's Head of Compliance & Pre-sales, Carl Shallow

Published in: Technology
  • Introduce myself and my background of 30 years' IT employment, the majority of it in IT security. When I started, the new kid on the block was the VAX VMS, which still relied on disk platters and tape backups. Access was granted through a Front End Processor and one of the primary concerns was to make sure that everything had been printed. It seemed to a naïve operator that the sole purpose of these “big” systems was to print; of course they were doing a lot more than that, processing and storing data via very specific applications. Nobody worked from home and BYOD was a Sony Walkman…… Happy days. Our idea of security and DR was to have a numeric keypad on the computer room door and to take one of the disk platters over to another building on a weekly basis! One job that we did then that shouldn’t have changed was to check the logs daily and look for any odd events.
  • So what has changed in all those years? Well, having decentralised everything and moved the processing power (and data) out to the end point, we are now looking at ways to control the data, and one of the options is to centralise the data and prevent it from ending up on the end point. We are achieving this by improving the way we deliver the data: implementing application acceleration systems such as F5, Bluecoat, Netscaler etc. (or, as we used to call them, “Front End Processors”) and accessing the application and data through a thin client. It is unlikely now that we will ever get away from having data at the endpoint, but as data connections and applications become faster it is becoming acceptable to keep critical and sensitive data in one place and protect it from moving, and we are becoming better at doing that.
  • Data. In my experience of performing security reviews and audits, most customers face the same problems. We try to focus on the data element as that tends to unearth all of the other areas. Our approach is to sit down with various representatives from the business and discuss what types of data they use, how often, where they think it is stored, and the sensitivity of it now, next week and in the future. During this phase we also try to establish whether there are any governing bodies or security frameworks that the customer has to adhere to.
    Applications. An easily overlooked area, but it can be just as critical as the data if it is undervalued. Our interests are in the availability, management and development of the applications.
    Physical. Our main interests are around DR, but quite often we find inadequate physical security; when companies have spent a lot of time and effort on securing the logical perimeter, it is disappointing to find the fire door wedged open.
    Connectivity. Falls under availability: as we extend our usage of different devices we introduce additional risks associated with these devices and the methods they use to connect. The introduction of cloud services and storage brings greater flexibility and some additional compliance concerns (saviour or sinner?).
  • The threat landscape is continually changing; as we make positive steps and improvements, other new risk and attack scenarios are developed. As it says here, it is a moving target, and our job is to prevent as much bad stuff as possible given both the budget and time constraints all companies face. We must work in partnership to sensibly assess the risks faced and prioritise our approach. It is perfectly acceptable to accept some risk, but only after we have assessed the impact and likelihood of it occurring.
  • A solid security framework will ensure that you cover all of the obvious points. I’m not particularly interested in HVAC, but unless I include it in my assessment I could be missing something that could potentially cause a problem in the future. If you don’t have an industry-specific security framework (you aren’t a merchant, listed on the US stock market, manufacturing drugs or handling sensitive personal data), then make up your own security framework to follow. Take something like ISO 27001 and edit it down to suit your needs and ability…… or call us in and we will help you.
  • I apologise for the next bit about egg sucking, but it is important if you aren’t doing it already. As already mentioned, in lieu of an industry-specific security framework, set up your own, but make sure it includes a structured risk assessment that covers all the areas: logical, physical, people etc. This is a manual process and will involve you talking to all parts of the business to get their views on what is important to them, how long they could live without it and also what they do to reduce their own risk. Once you have done that it would be worth getting an independent assessment of your perimeter; most of us aren’t well versed in abusing security vulnerabilities, so call in an expert to assess and help you find some weak points.
    If you don’t practise security monitoring or have a SIEM solution deployed, investigate pushing that as a service to the cloud. In most cases this data has limited sensitivity and rarely needs keeping after a year, so it is one of the few areas that does lend itself to a “Cloud” solution.
    Likewise threat analysis: we are seeing more and more vendors producing very good threat analysis packages, and coupled with systems that have visibility of your own landscape they can give you early warning signals on new threats.
  • So in summary:
    Do the risk assessment – get somebody in to help start this process; you sometimes don’t see your own risks until somebody asks the right (or wrong) question.
    Prioritise the gaps – you will already be ahead of the game by knowing what the gaps are. Allocate as many of the tasks as you can to existing personnel you think have the capability to remediate the gap, but check with them. I’ve seen OS and application patch management come up so many times as a gap, and it’s still a gap a year later when I re-check, and this isn’t because IT are lazy and don’t want to do it; it’s because they don’t always have the right tools.
    If you do nothing else – deploy a SIEM before you buy the next fancy trojan bad boy hacking detection and prevention widget.
    External and internal scanning will at least give you visibility and the urge to patch the most critical systems.
    A bit like Plan, Do, Check, Act – schedule regular tests of all your systems and continually perform them.
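The "prioritise the gaps" and scanning points above, worked through as an added example (this is not code from the original presentation or from SecureData): it takes a constructed scanner export, weights each finding's CVSS score by the asset criticality the business assigned during the risk assessment, ranks the results, and flags gaps that have been open for longer than a re-check window, so a patch-management gap that is still there a year later surfaces on its own. The hostnames, CSV field names, scores and dates are assumptions for illustration only.

```python
"""Rank scanner findings by risk and flag gaps that have outlived a re-check window.

Added example, not part of the original slides. All hostnames, field names,
scores and dates below are constructed for illustration.
"""
import csv
import io
from datetime import date

# Asset criticality agreed with the business during the risk assessment
# (1 = low, 5 = critical). Hostnames and values are assumptions.
ASSET_CRITICALITY = {
    "erp-db01": 5,
    "web-front01": 4,
    "print-srv02": 1,
}

# Constructed scanner export in a simple CSV form; the field names are assumed,
# not those of any particular scanner product.
SCAN_CSV = """host,finding,cvss,first_seen
erp-db01,Missing OS security patches (cumulative),9.8,2012-03-02
web-front01,TLS service allows SSLv2,7.4,2013-01-15
print-srv02,Default SNMP community string,5.3,2012-01-10
web-front01,Web application framework out of date,8.1,2013-02-20
"""

RECHECK_DAYS = 365  # a finding still open after this is the "gap a year later"


def load_findings(csv_text):
    """Parse the scanner export into dicts with typed cvss and first_seen fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "host": row["host"],
            "finding": row["finding"],
            "cvss": float(row["cvss"]),
            "first_seen": date.fromisoformat(row["first_seen"]),
        })
    return rows


def prioritise(findings, criticality, today, recheck_days=RECHECK_DAYS):
    """Return findings sorted by risk (cvss x asset criticality), highest first.

    Hosts missing from the criticality map get the lowest weight rather than
    being dropped, so assets nobody assessed still appear on the list and
    prompt the conversation with the business.
    """
    scored = []
    for f in findings:
        weight = criticality.get(f["host"], 1)
        age = (today - f["first_seen"]).days
        scored.append({
            **f,
            "risk": round(f["cvss"] * weight, 1),
            "age_days": age,
            "overdue": age > recheck_days,
        })
    # Equal risk: the older finding goes first, since it has already been missed once.
    scored.sort(key=lambda s: (-s["risk"], -s["age_days"]))
    return scored


def overdue_gaps(scored):
    """Findings that were open at the last check and are still open now."""
    return [s for s in scored if s["overdue"]]


def run_sample(today_iso="2013-06-01"):
    """Rank the constructed sample as of a fixed date so the result is repeatable."""
    return prioritise(load_findings(SCAN_CSV), ASSET_CRITICALITY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for s in run_sample():
        flag = " OVERDUE" if s["overdue"] else ""
        print(f"{s['risk']:5.1f}  {s['host']:<12} {s['finding']} ({s['age_days']}d open){flag}")
```

The point of weighting by criticality rather than sorting on CVSS alone is that the scanner does not know which box is the ERP database and which is the print server; that knowledge comes from the risk assessment conversations, and this is where the two meet. Re-running the script at each scheduled re-check turns the "still a gap a year later" observation into a list that can be handed to whoever owns patching, together with the tooling question it raises.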
    1. ASSESS YOUR SECURITY POSTURE TO ARM YOUR DEFENCES. Carl Shallow, Head of Compliance & Pre-sales
    2. LOOKING BACK… What were the risks when everything was centralised on mainframes?
       • Overnight batch processing
       • Avoiding data loss
       • Centralised data storage
       • What was printed?
    3. LOOKING FORWARD… Today, we have almost come full circle…
       • Centralised storage
       • Thin client access
       • Don’t allow data to move
    4. DEFINING THE PROBLEM. What are the concerns for companies today?
       Data
       • Where is it?
       • Who has access to it?
       • How sensitive is it?
       • How sensitive will it be in a week, a month or a year?
       • What rules do you have to follow to protect it?
       Applications
       • The dangers of downtime, ensuring availability
       • Testing
       • Development
       • Protecting sensitive application data
       • Ensuring perfect performance
       Physical
       • Ensuring business continuity
       • Robust disaster protection
       • Data replication
       • Physical site security
       Connectivity
       • Bring Your Own Device
       • Secure remote access
       • Cloud-based services and infrastructure
       • Virtualisation
       • Unified comms and collaboration
    5. STATE OF THE MARKET. Securing data has been a moving target for the last 20 years. Today, we’re facing:
       • Squeezed IT budgets
       • Time constraints
       • Changing technology and threats
       Most companies are locking the stable door after the horse has bolted!
    6. WHERE ARE WE GOING?
       • We’re seeing a proven track record that compliance gives results
       • Thanks to PCI compliance, credit card fraud reached a 10 year low in 2012
       • Established security frameworks
       • Increased compliance requirements
       • Companies aligning to ISO 27001
    7. WHAT CAN YOU DO?
       • Assess the unique vulnerabilities of your business
       • Identify the greatest risks and vulnerabilities to enable you to implement preventative protection
       Risk assessments: What are the acceptable risks and what are the crucial areas to protect?
       Security assessments: SensePost
       Security as a service: Push monitoring data and analytics to the cloud and consume as an expert service
       Threat analysis: Assess on demand and model the potential problem
       Also on the slide: Network, Applications, Employee training and education, Websense, Bluecoat, CheckPoint, SIEM, SkyBox
    8. WHAT SHOULD YOU DO NEXT?
       • Perform a risk assessment
       • Prioritise the gaps
       • Deploy a SIEM
       • Implement scanning / patch management
       • Then assess, assess, assess! Assessment is the new incident response
    9. THANK YOU. Carl Shallow, Head of Compliance and Pre-sales, +44 1622 723400