2010-02 Building Security Architecture Framework
by Mark Whitteker, Cisco
Slide 1: Building a Comprehensive Security Architecture Framework
Mark Whitteker, MSIA, CISSP
Security Architect / Information Systems Security Officer, Cisco Systems, Inc.

Slide 2: Mark Whitteker, MSIA, CISSP, GSNA, GCFA
• Security Architect and Information Systems Security Officer at Cisco Systems, Inc.
• 15+ years of experience in secure solutions development, systems and network auditing, forensic discovery, vulnerability assessments, and security management.
• Extensive background in the application of commercial and US government regulations and requirements.
• Can be reached at: mwhittek@cisco.com, http://www.linkedin.com/pub/mark-whitteker/3/480/68b
© 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 3: Agenda
• The Problem
• The Solution
• The Dirty Details
• Q&A
Slide 4: Why do I need a security framework?
Here’s a house built on a planned framework… (diagram: Framework → Finished Product)
The result: an efficient and elegant home!

Slide 5: Why do I need a security framework?
Here’s a house built without a planned framework…
The result: I haven’t seen my wife and children in days!
Slide 6: The Problem

Slide 7: Problem Description
• Few of us have the luxury of building our organization’s security architecture from the ground up
• Some security services already exist (hopefully)
• Your organization must comply with one or more industry standards
  - ISO 27001/27002
  - NIST SP 800-53
  - SOX
  - PCI
• You need to demonstrate to auditors your compliance with the resulting requirements

Slide 8: Compliance with Requirements
Can you say “Checkbox Security”?!?
• Auditors validate that all the checkboxes are complete
• Security professionals know (or should know) that: Compliance != Security
• Security is achieved by understanding the organization’s risks and implementing mitigation steps to reduce them to within management’s tolerance level
• So how do you show auditors compliance with requirements while actually improving your security posture?

Slide 9: If you keep going how you’ve always gone, you’ll end up where you’ve always been.
Slide 10: The Solution

Slide 11: Bring it all together!
• Map security services to industry standards through a comprehensive, end-to-end security framework
• Shows auditors how you are complying with industry standards
• Demonstrates to management the value of security services
(diagram: Industry Standards ↔ Security Services)

Slide 12: The Dirty Details

Slide 13: Comprehensive Framework Diagram (diagram only)

Slide 14: Implementation Phases
Phase 1: Define Requirements → Phase 2: Implement Requirements → Phase 3: Measure Success → Rinse and Repeat
Slide 15: Phase 1 - Define Requirements

Slide 16: Industry Standards

Slide 17: Industry Standards – Build a Requirements Crosswalk Matrix
• Most industry standards, while different, are based on the same security principles/requirements
• Determine where similarities exist and group them together
(diagram: Industry Standard A Password Complexity Requirement + Industry Standard B Password Complexity Requirement → Organizational Password Complexity Requirement)

Slide 18: Crosswalk Example – Audit Logging
• Company must comply with ISO 27001/27002
• A business unit within the company provides government services and must comply with NIST SP 800-53 (per FISMA)
• Crosswalk matrix developed to integrate both sets of requirements into a single framework
(diagram: ISO 27001 A.10.10.1 + NIST SP 800-53 AU-1-5, 8, 11, 12 → Organizational Audit Logging Requirements)

Slide 19: Crosswalk Example – Continued
• ISO 27001/27002 – A.10.10.1
  - Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
  - Includes a list of 12 relevant event types
• NIST SP 800-53 AU-1 to AU-5, AU-8, AU-11, AU-12
  - Audit and Accountability Policy and Procedures, Auditable Events, Content of Audit Records, Audit Storage Capacity, Response to Audit Processing Failures, Time Stamps, Audit Record Retention, and Audit Generation

Slide 20: Crosswalk Example – Continued
• Organizational Audit Logging Requirements
  - Combines requirements from both standards into a single set of organizational standards
  - Where there are differences between the level of implementation/stringency, the most stringent requirement prevails
    - Example: 3 year log retention vs. 5 year log retention → Organizational Requirement: 5 year retention
  - Where there are conflicts, the organization must determine which industry standard has precedence
    - May require the involvement of the legal department
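The crosswalk merge described on slides 17 through 20, as an added illustration that is not code from the deck or from Cisco: controls from two standards are grouped by the shared principle they implement, comparable parameters are merged with "most stringent prevails" (which is parameter-specific, since a longer retention is stricter but a shorter password age is stricter), and anything that cannot be ranked is reported as a conflict for the organization to decide. The control ids follow the slides; the parameter values, the `STRICTER` table and the "Industry Standard A/B" controls are constructed placeholders, not quotations from either standard.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Requirement:
    standard: str   # e.g. "ISO 27001/27002" or "NIST SP 800-53"
    control: str    # control identifier within that standard
    principle: str  # shared security principle used to group controls across standards
    params: dict = field(default_factory=dict)  # comparable, measurable settings

# "Most stringent prevails" is parameter-specific (longer retention is stricter, shorter
# password age is stricter). Unlisted parameters are never auto-merged: they become conflicts.
STRICTER = {"retention_years": max, "min_length": max, "max_password_age_days": min}

@dataclass
class OrgRequirement:
    principle: str
    sources: list    # (standard, control) pairs this organizational requirement satisfies
    params: dict     # merged organizational settings
    conflicts: list  # (param, {(standard, control): value}) awaiting a precedence decision

def build_crosswalk(requirements):
    """Group controls by principle and merge their parameters into one requirement each."""
    groups = defaultdict(list)
    for req in requirements:
        groups[req.principle].append(req)
    matrix = {}
    for principle, group in groups.items():
        by_param = defaultdict(dict)          # param name -> {(standard, control): value}
        for req in group:
            for name, value in req.params.items():
                by_param[name][(req.standard, req.control)] = value
        merged, conflicts = {}, []
        for name, by_source in by_param.items():
            distinct = set(by_source.values())
            if len(distinct) == 1:
                merged[name] = distinct.pop()            # the standards agree
            elif name in STRICTER:
                merged[name] = STRICTER[name](distinct)  # most stringent prevails
            else:
                conflicts.append((name, dict(by_source)))  # needs a precedence decision
        matrix[principle] = OrgRequirement(
            principle, [(r.standard, r.control) for r in group], merged, conflicts)
    return matrix

def resolve_conflict(org_req, name, precedence):
    """Apply the organization's decision (e.g. after legal review) that `precedence` wins."""
    for i, (param, by_source) in enumerate(org_req.conflicts):
        if param == name:
            chosen = [v for (std, _), v in by_source.items() if std == precedence]
            if not chosen:
                raise ValueError(f"{precedence} states no value for {name}")
            org_req.params[name] = chosen[0]
            del org_req.conflicts[i]
            return chosen[0]
    raise KeyError(f"no open conflict on {name}")

# Constructed sample input: control ids follow the deck's audit-logging example, but the
# parameter values are illustrative placeholders, not quotations from either standard.
SAMPLE = [
    Requirement("ISO 27001/27002", "A.10.10.1", "audit logging",
                {"retention_years": 3, "timestamp_zone": "local"}),
    Requirement("NIST SP 800-53", "AU-11", "audit logging", {"retention_years": 5}),
    Requirement("NIST SP 800-53", "AU-8", "audit logging", {"timestamp_zone": "UTC"}),
    Requirement("Industry Standard A", "PW-1", "password complexity",
                {"min_length": 8, "max_password_age_days": 90}),
    Requirement("Industry Standard B", "PW-7", "password complexity",
                {"min_length": 12, "max_password_age_days": 60}),
]
```

Running `build_crosswalk(SAMPLE)` yields a 5-year retention for audit logging, a 12-character / 60-day password requirement, and one open conflict (`timestamp_zone`) that `resolve_conflict` settles once precedence has been decided.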
Slide 21: Organizational Policies

Slide 22: Organizational Policies
• Once the organizational requirements have been determined, the organization must now develop security policies
• Developing policies and obtaining executive approval can be a cumbersome and time-consuming process
• Keep policies high-level and solution agnostic
  - Helps to ensure successful collaboration efforts among policy contributors
  - Minimizes need to revisit policies as technology changes
  - 2 year review cycle is usually sufficient
• Create as few policies as possible, but keep them domain specific

Slide 23: Organizational Policies Example
• Acceptable Use
• Business Continuity and Disaster Recovery
• Contract Security for Information Systems
• Cryptographic Controls
• Data Classification
• Data Protection
• Incident Management
• Information Security Management
• Information System Authorization and Account Management
• Information Systems Auditing and Testing
• IT Operations Security
• Personnel Security for Information Systems
• Physical and Environmental Security
• Risk Management
• Security Compliance Management
• Security Policy Architecture
• Security Training and Awareness
• Standardized Glossary – Taxonomy
• System Development Lifecycle Security
• User Identification and Authentication
Source: Cisco’s Global Government Solutions Group – IT (GGSG-IT)

Slide 24: Organizational Policies Example (cont) – policy-to-standard mapping (1 of 2)
Security Policy | ISO 27001/27002 | NIST SP 800-53 Rev 2
Acceptable Use | 07.01.03, 11.02.03, 11.03.01, 11.03.02, 11.03.03 | PL-4, PS-6
Business Continuity and Disaster Recovery Plan | 14.01.02, 14.01.03, 14.01.04, 14.01.05 | CP-(1-10)
Contract Security for Information | 06.01.04, 06.02.03, 12.01, 12.05, 15.01.02 | SA-(1,6,9)
Cryptographic Controls | 12.03.01, 12.03.02, 15.01.06 | IA-7, SC-(8,9,12,13)
Data Classification | 07.02, 07.02.01, 07.02.02, 10.07.03 | AC-16, MP-3
Data Protection | 06, 07.02.02, 09.01, 10, 11, 12, 15 | MP-1, SC-(8,9), SI-(1,7)
Incident Management | 06.01.05, 06.01.06, 13.01.01, 13.01.02, 13.02 | IR-(1-7)
Information Security Management | 06.01.01, 06.01.02, 06.01.07, 06.01.08 | PL-1
Information System Authorization and Account Management | 06.02.01, 07.01.03, 08.02.01, 10.02, 10.10.03, 11.01.01, 11.04, 11.05, 11.06.02 | AC-(1,2)
Information Systems Auditing & Testing | 06.02.01, 07.01.01, 10.01.03, 10.10.05, 15.02, 15.03 | AU-(1-11), RA-(3-5), SA-(5,11), CA-(1,2), AC-5, IR-3, CP-4, SI-6

Slide 25: Organizational Policies Example (cont) – policy-to-standard mapping (2 of 2)
Security Policy | ISO 27001/27002 | NIST SP 800-53 Rev 2
IT Operations Security | 06.01.03, 10, 11, 12, 15 | SC-1, SI-1
Personnel Security for Information Systems | 06.01.03, 06.01.05, 08.01, 08.02, 08.03, 13.01, 15.01, 15.02.01 | PS-(1-8)
Physical and Environmental Security | 09.01, 09.02, 13.01.02, 14.01.03 | PE-(1-17)
Risk Management | 14.01.02, 08.02.02 | RA-1
Security Compliance Management | 10.10.01, 10.10.02, 13.01.01, 13.02.03, 15.01, 15.02.01, 15.02.02 | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, RA-1, MA-1, MP-1, IA-1, IR-1, PE-1, PL-1, PS-(1,7), SA-(1,9), SC-1, SI-1
Security Policy Architecture | 05.01.01, 05.01.02 | PL-1
Security Training and Awareness | 05.01.02, 06.02.03, 08.02.02 | AT-(1-4)
Standardized Glossary - Taxonomy | 07.01.02, 07.02, 07.02.01 | Appendix B
System Development Lifecycle Security | 10.01.04, 10.03.02, 10.07.04, 12.01.01, 12.04.02, 12.04.03, 12.05.01, 12.05.03 | SA-(3,8,11)
User Identification and Authentication | 11.02, 11.04.02, 11.05.02 | IA-(1,2)
Slide 26: Policy Standards

Slide 27: Policy Standards
• Specific technical implementation requirements should be defined in policy standards
• The policies themselves contain hyperlinks and/or references to associated policy standards
• Policy standards do not require review/approval by senior management
  - Defined by organizational Subject Matter Experts (SMEs)
  - Doesn’t require modification of the overarching policy
• Standards can be modified/updated as technology advances
• Should be reviewed by the SMEs at least yearly to ensure standards stay current with industry trends

Slide 28: Policy Standards Example

Slide 29: Policy Standards Example
• Cryptographic Controls policy states:
  - Purpose: This policy governs the use of cryptographic controls and key management to protect the confidentiality & integrity of Cisco GGSG information assets, as well as to support non-repudiation.
• References multiple policy standards such as:
  - Full disk encryption
  - Mail, file and folder encryption
  - Public Key Infrastructure (PKI)
• More than one policy may apply when defining standards
  - Data Protection policy is also closely related to the Cryptographic Controls policy

Slide 30: Policy Standards Reality Check
• Oftentimes there isn’t simply a 1:1 mapping between policies and standards
• In many cases multiple policies reference the same standards
(diagram: Cryptographic Controls Policy, Data Protection Policy and Acceptable Use Policy all reference the Email Encryption Standard)
Slide 31: Phase 2 - Implement Requirements

Slide 32: Policy Implementation Procedures

Slide 33: Policy Implementation Procedures
• While Policy Standards specify the technical implementation requirements necessary to comply with policies, Policy Implementation Procedures document the step-by-step instructions for implementing those standards
• They are:
  - Specific
  - Repeatable
  - Thorough
  - Validated
  - Approved
• Assists in improving an organization’s CMM level

Slide 34: Procedures Example – Installing the Secure Print Client (Windows XP)
1. Open Windows Explorer.
2. In the Address field, type (or cut & paste) Rtp-filer09awg-gggsg- appsPublishedSecure-Print and press <Enter>.
3. Double-click on the spxpinstall.bat script from the folder you just opened.
4. Enter your CEC credentials (if prompted).
5. Click Open (if prompted).
6. If necessary, click Yes on the Cisco Security Agent window to allow the script to run.
7. A command window will open and display the installation progress.
8. When the software is done installing, click OK.
Slide 35: Security Services

Slide 36: Security Services
• Security Services is the most ambiguous area of the framework
• It can be very simple (1-3 services), or very complex (dozens of services), depending on the size and scope of your organization
• Don’t reinvent the wheel! There are existing industry sources that can be used as a baseline
  - SSE-CMM: Systems Security Engineering Capability Maturity Model
  - NIST SP 800-35: Guide to Information Technology Security Services

Slide 37: Security Services Example – Systems Security Engineering Capability Maturity Model
• Includes 11 security services:
  - Administer Security Controls
  - Assess Impact
  - Assess Security Risks
  - Assess Threats
  - Assess Vulnerabilities
  - Build Assurance Argument
  - Coordinate Security
  - Monitor Security Posture
  - Provide Security Input
  - Specify Security Needs
  - Verify and Validate Security

Slide 38: Security Services Example – NIST SP 800-35: Guide to Information Technology Security Services
• Includes 3 categories of services: Management, Operational and Technical
• Management Services: Security Program, Security Policy, Risk Management, Security Architecture, Certification and Accreditation, and Security Evaluation of IT Projects
• Operational Services: Contingency Planning, Incident Handling, Testing, and Training
• Technical Services: Firewalls, Intrusion Detection/Prevention, and Public Key Infrastructure
Slide 39: Phase 3 – Measure Success

Slide 40: Measure Success
• How do you know if your security program is successful?

Slide 41: Risk Assessments
• Perform a risk assessment!
• There are 2 types of risk assessments:
  - Qualitative: a subjective assessment of the organization’s risk, typically achieved through personnel interviews and surveys.
  - Quantitative: a non-subjective assessment of the organization’s risk based on mathematical calculations using security metrics and monetary values of assets.
• Which one is right for your organization?

Slide 42: Qualitative Risk Assessments
• Pros
  - Calculations are simple
  - Not necessary to determine monetary value or threat frequency
  - Not necessary to estimate cost of risk mitigation measures
  - General indication of significant risks is provided
• Cons
  - Subjective in both process and metrics
  - Perception of asset/resource value may not reflect actual value
  - No basis is provided for cost/benefit analysis
  - Not possible to track risk management performance
• Although this method is very subjective in nature, it can be very beneficial when an organization is young and still maturing

Slide 43: Quantitative Risk Assessments
• Pros
  - Based on independently objective processes and metrics
  - Value of information expressed in monetary terms is better understood
  - Credible basis for cost/benefit assessment is provided
  - Risk management performance can be tracked and evaluated
  - Results are derived and expressed in management’s language
• Cons
  - Calculations are complex
  - Not practical to execute without automated tool and associated knowledge bases
  - A substantial amount of information must be gathered
• Appropriate once an organization has reached a higher level of maturity, and now requires an assessment against standardized, objective measures
Slide 44: Other Items to Consider
• Establish a Compliance Management Program
  - Configuration Management: develop standard configurations
    - Infrastructure Devices (network, hosts, etc.)
    - Data (databases, NAS, SAN, etc.)
    - Applications (web server, programming languages, protocols)
  - Change Management: any proposed change to your production environment should be recorded, reviewed and approved by an SME from each domain: Security, Infrastructure, Data, Application, Operations, Support
  - Release Management: any changes that impact, or could potentially impact, the availability of a production service should be released at scheduled intervals: Weekly, Monthly, Quarterly, etc.

Slide 45: Visual Representation
• Configuration Management: all systems must comply with configuration management standards
• Change Management: all changes must be submitted and performed through change management
• Release Management: those changes that impact the availability of production systems or services must be bundled into a scheduled release

Slide 46: Q&A