The document discusses security models essential for enhancing an organization's defense posture and strategy. Key topics include the relationship between business objectives and security processes, the implementation of a security policy framework, and the use of various security technologies and metrics. Ultimately, it emphasizes the importance of aligning security measures with business goals and leveraging established standards and controls to manage risks effectively.

1. SECURITY MODELS FOR
IMPROVING YOUR
ORGANIZATION’S DEFENCE
POSTURE AND STRATEGY
Vladimir Jirasek
Blog: JirasekOnSecurity.com
Bio: About.me/jirasek
9th Nov 2011

2. About me
• Security professional (11 years)
• Founding member and steering group member of
(Common Assurance Maturity Model) CAMM (common-
assurance.com)
• Director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and
business management (Jo Owen)

3. I will cover topics today
• Security model for information security
• Security policy structure
• Security processes
• Security technology stack
• Security metrics for organisations

4. Security model – business drives security
Security management Correction of security processes
International CEO & Board
security
standards Process Governance
Policy framework Metrics framework
framework
Information Information Information Line
Security Security Security Management
Laws & policies Processes Metrics
Regulations objectives
Product
Information
Technology
Define Management
Drivers Security Rules
People
Measure Security Inform
standards Metrics Portal
Compliance Program
requirements Management
Information
Security
Artefacts Risk &
Compliance
Business Execute security Measure security
Define security
objectives controls controls maturity
controls Auditors
Security Security Security
threats intelligence Professionals
External security
metrics

5. Information Security Policy framework
CIS
Business and
O
Information Security Policy Security
objectives
Data classification Employee Acceptable
policy Use Policy
CIO
Security
Information Technology Security Policy
objectives
IT
Security
IT security
standards
[reuse Architecture
internationally
accepted controls]
Technology Controls and
Technical Security processes
teams
architecture
repository
Security Processes
guidelines

6. Relationship between business objectives and security
processes
Provides response to “Do we have all business risks covered?”
International standards
Control C1
Control C2 Security
Security
Objective SO1 Control C3
Process P1
Business
objective Security Control C4
BO1 Objective SO2 Control C5
Business process B3
Business process B1
Security
Business process B2
Business
objective Security Control C6 Process P2
BO2 Objective SO3 Control C7
Business
Security Control C8
objective
BO3 Objective SO4 Control C9 Security
Security Control C10 Process P3
Objective SO5
Control C11
Security Process P4
Provides response to “Why are we doing this?”

7. Sources of security controls
• ISO 27000 series
• ISF Standard of Good Practice 2011
• PCI DSS
• NIST SP 800-53
• CObIT 4
• SANS 20 critical controls

8. Security technology stack
GRC Organise security
reporting around the
stack
Information & Event Mgmt
Identity, Entitlement, Access
For each prepare current,
Data Security target state analysis and
Cryptography
roadmap
Application Security
Host Security
Network Security
Physical Security

9. GRC
Information & Event
Security stack::Network
Mgmt
Identity, Entitlement,
Data Security
Cryptography
Access
Application Security
• Network firewalls
Host Security
Network Security
• VPN gateways Physical Security
• Network Intrusion Detection/Prevention
• DDoS
• WiFi security
• Network Access Control
• DNS Security
• Web, Email & IM filtering

10. GRC
Information & Event
Identity, Entitlement, Acc
Network security relationships
Mgmt
Data Security
Cryptography
ess
Application Security
Host Security
Network Security
Physical Security
Data security
Host security
Monitor and control data Interconnect hosts on
flow s on netw ork netw ork
Use identity Establish secure channel
Retrieve access control Control hosts on
Identity and Access Netw ork security netw ork
Monitor and control Send security logs
applications
Detect security incidents
running on netw ork
Key management Security event management
Crypto offload
Application security
Cryptography

11. GRC
Information & Event
Identity, Entitlement, Acc
Security stack::Host
Mgmt
Data Security
Cryptography
ess
Application Security
• Configuration compliance
Host Security
Network Security
• Patch management Physical Security
• Vulnerability scanning
• Anti-malware
• Application control
• Location awareness
• Device control
• Trusted execution protection

12. GRC
Information & Event
Identity, Entitlement, Acc
Host security relationships
Mgmt
Data Security
Cryptography
ess
Application Security
Host Security
Network Security
Physical Security
Netw ork security Data security Application security
Monitor and filter
restricted data Protects data at rest
Protect integrity of
applications
Host security
Use identity
Send security logs
Retrieve access control
Detect security incidents
Identity and Access
domain Key management Security even management
Cryptography domain

13. GRC
Information & Event
Security stack::Application
Mgmt
Identity, Entitlement,
Data Security
Cryptography
Access
Application Security
• Code reviews/scanning – binary and source
Host Security
Network Security
• Security sensors (AppSensor) Physical Security
• Web application scanning
• Penetration testing
• Web protection (WAF)
Application Security Services throughout a lifecycle
Num ber of flaw s and
vulnerabilities
o o
C st t iat e
d
rem e
E1 E2 E3 E4 E5 EOL
Binary Code Analysis
IT Security Assessm ent
Web Application Scanning
Web Application Protection
Company Confidential

14. GRC
Information & Event
Identity, Entitlement, Acc
Application security relationships
Mgmt
Data Security
Cryptography
ess
Application Security
Host Security
Network Security
Physical Security

15. GRC
Information & Event
Identity, Entitlement, Acc
Security stack::Data
Mgmt
Data Security
Cryptography
ess
Application Security
• Data classification
Host Security
Network Security
• Email encryption Physical Security
• File encryption
• Document Rights Management
• Data Leakage protection
• Watermarking
• End point encryption
• Database security

16. GRC
Information & Event
Identity, Entitlement, Acc
Data security relationships
Mgmt
Data Security
Cryptography
ess
Application Security
Host Security
Network Security
Physical Security

17. GRC
Information & Event
Security stack::IAEM
Mgmt
Identity, Entitlement,
Data Security
Cryptography
Access
Application Security
• Principal management
Host Security
Network Security
• Account provisioning Physical Security
• Rights management
• Directories
• Single sign on and Federation
• Authorisation
• Role and rights auditing
• 2nd factor authentication

18. GRC
Information & Event
Identity, Entitlement, Acc
IAEM relationships
Mgmt
Data Security
Cryptography
ess
Application Security
Host Security
Network Security
Physical Security
Netw ork security Security event management
Provides authentication
and authorisation
services Send security logs
Host security Detect security incidents
Identity and Access
Data security
Key management
Application security
Cryptography domain

19. GRC
Information & Event
Identity, Entitlement, Acc
Security stack::Cryptography
Mgmt
Data Security
Cryptography
ess
Application Security
• Key generation
Host Security
Network Security
• Key escrow Physical Security
• Host and Network HSM
• Certificate management & PKI

20. GRC
Information & Event
Identity, Entitlement, Acc
Cryptography relationships
Mgmt
Data Security
Cryptography
ess
Application Security
Host Security
Network Security
Physical Security
Data security
Host security
Store encryption keys
Email certificates Disk encryption
Certificates for
authentication
Identity and Access Cryptography
Digital signatures of log files
Application signing
Encryption of sensitive logs
Encrypted and signed
Application
communication Security event management
IPSec VPN
SSL VPN, SSL split tunnel
Application security
Netw ork Security

21. GRC
Information & Event
Security stack::SIEM
Mgmt
Identity, Entitlement,
Data Security
Cryptography
Access
Application Security
• Collection of security relevant logs
Host Security
Network Security
• Archiving – retention Physical Security
• Correlation with other data sources
• Acting on security information
• Ideal to use MSSP

22. GRC
Information & Event
SIEM relationships
Mgmt
Identity, Entitlement,
Data Security
Cryptography
Access
Application Security
Host Security
Network Security
Physical Security
CMDB
Security event
management
Collect security Collect, analyse and
configuration react on security events
I dentity and Access Security even management Data security
Netw ork security Cryptography Application security

23. Security metrics characteristics
• Measurable
• Objective
• Quantitative (ideally)
• Meaningful
• With KPIs attached – know what is good and bad
• Linked to business objectives – money speaks

24. Metrics for CIO – Policy compliance and control
maturity
Policy IT Unit A IT Unit B IT Unit C Overall IT
statement
Governance 3  3.5  2  3 
Awareness 3  4  3  3.5 
Development N/A 2  1  1.5 
Hardening 4  N/A 2  3 
Network N/A N/A 3  3 
End devices 2  2  3  2 
2 (£10m) 3 (£13.1m)
Overall 3 (£3m)  3 (100k) 
 

25. Metrics for CIO – Maturity of controls for business
processes/services
Invest in IT service to
lower the VaR
IT Maturity VaR for VaR for VaR for VaR for IT
ServiceBusi Process A Process B Process C service
ness
process
IT Service 1 2 £1m £2m £1m £4m
Infrastructure 3 £1m £3m £10m £14m
IT Service 2 3 £0.5m N/A £20m £20.5m
IT Service 3 4 N/A £100k £500k £600k
Overall £2.5m £5.1k £31.5m £39.1m

26. Summary
• Business drives security
• Reuse good content from information security community
• Security policy framework – target audience, think of
implementation
• Link security metrics to policy which is linked to business
objectives
• All rounded security controls – good prevention against
cyber threats