Can Demirel
Public Version V1.0.0
Unified Security Governance
Agenda
• Unified Security Governance
• Setting up Cross Functional Team
• Scope & Milestones
• Analysis
• Process design & Implementation
• Unified Vulnerability Management
• Security Operation Center
• Governance: Doing the right job
• Management: Doing the job right
• What is your job? (Not your LinkedIn title)
– Reports, presentations, budget planning, tracking unsolved vulnerabilities
Or
– Security operations: finding vulnerabilities, designing processes and managing them
• Complexity has a cost.
– Infrastructure
– Technology
– Design
– Process
– Analysis tools
– Supplier
Role | Tasks | Personal Characteristics[1]
Project Sponsor | Solve project conflicts; leadership; top management commitment; ensure the project plan is still applicable | Enterprising, Social
Project Lead | Coordinate the whole team; organize periodic meetings; update the project plan; escalate problems when necessary | Conventional, Social
Technical Lead | Plan technical needs and make sure they are met; assign tasks to the technical team; review the technical team's results | Realistic, Creative
Technical Team | Accomplish given tasks | Realistic
[1] http://sourcesofinsight.com/6-personality-and-work-environment-types/
• Scope matters.
– Cost
– Time
– KPI
Photo credit: Bernhard Schambeck, Feature China/Barcroft Media
http://www.dailymail.co.uk/news/article-2170881/Chinese-tightrope-walker-plummets-ground-trying-high-wire-stunt-backwards-AND-blindfolded.html
• If you are new in town:
– Computer based
• Review all external/internal DNS host records
• Review all firewall rules
• Review all router/switch configurations
• Review supplier/hosting records
• Human based
– Face-to-face interviews with all possible business partners, including:
• Company departments
• Top management
• Suppliers
• Paper based
– Review all written rules/policies/procedures about this domain
• Probably nothing is written
• Your scope is shining. Need milestones?
• Yet another project going to the graveyard?
Page by Tom Parker http://tevp.net
• Analysis
– Penetration Tests
– Security Review
• Process Design & Implementation
• Unified Vulnerability Management
• Security Operation Center
• External pentest
• Local area network pentest
• Web application pentest
• Web services pentest
• Mobile application pentest
• Wireless pentest
• VoIP pentest
• ERP/SAP pentest
• SCADA pentest
• Code review
• Social engineering
• Load, performance, denial of service tests
• Local area network review
• WAN/MPLS review
• OS security review
• Database security review
• Active Directory and services review
• IPS review
• Firewall review
• WLC review
• Virtualization security review
• Any other security platform review
– Proxy, DDoS protection…
• We need to talk and write some papers!
http://theberry.com/2013/09/06/run-forrest-run-24-photos/
• Risk Management
• Asset Management
• Incident Management
• Access Management
• Password Management
• Project Management
• Secure SDLC
• HR Security
• Physical Security
• Change & Configuration Management
• Capacity Management
• Supplier Management
• And many more
• Handling
– Users
– Assets
– Scans
– Vulnerability Database &
Correlation
– Task Management
– Cyber Intelligence
– Alarms
– Logging and Log Management
– Reports
Photo credit: Bernhard Schambeck Photography, www.bernhardschambeck.de
• Your platform should allow you to:
– Create different types of users and roles
– Create different groups
• Your platform should allow you to:
– Define assets of any type
– Define asset groups by asset attribute
– Define ownership
– Auto-discover assets
• Your platform should allow you to:
– Define asset/asset group scans
– Manage scans and scan results in one platform
– Integrate historical scans
– Define compliance-based scans
– Define and handle passive vulnerability scans
• Your platform should allow you to:
– Define your vulnerabilities in any language
– Group your vulnerabilities
– Define manual vulnerabilities, and so on
• Your platform should allow you to:
– Integrate with GRC
– Integrate with a ticketing mechanism
– Assign vulnerabilities manually or automatically
– Assign vulnerabilities based on assets
• Your platform should allow you to:
– Track domain records
– Track SSL information
– Track information disclosure over the internet
– Track social media
• Your platform should allow you to:
– Define asset-based alarms
– Define vulnerability-based alarms
– Define scan-based alarms
– Define SLA-based alarms
– Define cyber intelligence-based alarms
• Your platform should allow you to:
– Collect logs on your platform
– Integrate with central log management
• Give me some nice reports!
• Make it simple!
Photo credit: https://jaxenter.com/deploying-microservice-how-to-handle-complexity-122336.html
• Your platform should allow you to:
– Create reports in the desired language
– Create report templates
– Filter your report based on asset, vulnerability or any other parameter
– Compare your reports by a given parameter
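The platform requirements on the preceding slides (asset groups by attribute, asset ownership, integrating historical scans, asset-based assignment, SLA-based alarms and report comparison) as one small working model. This is an added example, not code from the deck or from any product; the Asset and Finding classes, the SLA_DAYS values and every sample asset and finding are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Remediation SLA in days per severity: constructed policy values, not from the deck.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Asset:
    name: str
    owner: str
    attributes: dict  # e.g. {"env": "prod", "tier": "web"}

@dataclass
class Finding:
    asset: str        # asset name the finding was reported on
    vuln_id: str      # scanner or internal vulnerability id (constructed values)
    severity: str
    first_seen: date
    assignee: str = ""

def asset_group(assets, key, value):
    """Define an asset group by attribute (slide: asset groups by asset attribute)."""
    return [a.name for a in assets if a.attributes.get(key) == value]

def merge_history(previous, current):
    """Integrate historical scans: a finding already in the previous scan keeps its
    original first_seen, so a rescan does not reset the SLA clock."""
    seen = {(f.asset, f.vuln_id): f.first_seen for f in previous}
    return [replace(f, first_seen=seen.get((f.asset, f.vuln_id), f.first_seen))
            for f in current]

def assign_by_asset(findings, assets):
    """Assign each finding to its asset owner; an asset missing from the inventory
    is flagged 'unowned' instead of being silently dropped."""
    owners = {a.name: a.owner for a in assets}
    return [replace(f, assignee=owners.get(f.asset, "unowned")) for f in findings]

def sla_alarms(findings, today):
    """SLA-based alarms: (asset, vuln_id, assignee, days_overdue) per finding past SLA."""
    alarms = []
    for f in findings:
        deadline = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
        if today > deadline:
            alarms.append((f.asset, f.vuln_id, f.assignee, (today - deadline).days))
    return alarms

def compare_scans(previous, current):
    """Compare two scans by (asset, vuln_id): new, fixed and still-open findings."""
    prev = {(f.asset, f.vuln_id) for f in previous}
    cur = {(f.asset, f.vuln_id) for f in current}
    return {"new": sorted(cur - prev), "fixed": sorted(prev - cur), "open": sorted(cur & prev)}

# Constructed sample inventory and two scan results (not real data).
ASSETS = [
    Asset("web-01", "alice", {"env": "prod", "tier": "web"}),
    Asset("db-01", "bob", {"env": "prod", "tier": "db"}),
    Asset("test-01", "carol", {"env": "test", "tier": "web"}),
]
TODAY = date(2015, 10, 1)
PREVIOUS_SCAN = [
    Finding("web-01", "VULN-0001", "critical", date(2015, 9, 1)),
    Finding("db-01", "VULN-0002", "high", date(2015, 9, 1)),
    Finding("web-01", "VULN-0003", "low", date(2015, 9, 1)),
]
CURRENT_SCAN = [  # rescan on TODAY; a fresh scan reports first_seen = scan date
    Finding("web-01", "VULN-0001", "critical", TODAY),
    Finding("db-01", "VULN-0002", "high", TODAY),
    Finding("test-01", "VULN-0004", "medium", TODAY),
    Finding("ghost-01", "VULN-0005", "critical", TODAY),  # not in the inventory
]

def run_example(today=TODAY):
    """Run the pipeline once over the sample data and return every result."""
    merged = assign_by_asset(merge_history(PREVIOUS_SCAN, CURRENT_SCAN), ASSETS)
    return {
        "prod_assets": asset_group(ASSETS, "env", "prod"),
        "assignees": {(f.asset, f.vuln_id): f.assignee for f in merged},
        "alarms": sla_alarms(merged, today),
        "diff": compare_scans(PREVIOUS_SCAN, CURRENT_SCAN),
    }
```

Note that the high-severity finding first seen on 1 September is exactly at its 30-day deadline on 1 October and does not alarm yet, while the critical one is 23 days overdue only because merge_history kept its original first_seen.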
Photo credit: forums.archeagegame.com, ArcheAge NA Server Connectivity Issues
• Everybody talks about it!
• Too much information will kill you in the end!
• Centralized log management
• Scenario!!!
• Incident management
• Big data analysis!
• Forensics
• http://sourcesofinsight.com/6-personality-and-work-environment-types/
• IT Governance Institute, COBIT 5.0
• ISO 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
• Bedirhan Urgun, IstSec 2015 Bilgi Güvenliği Konferansı (Information Security Conference), Etkin Zafiyet Yönetimi (Effective Vulnerability Management)
• http://www.slideshare.net/bgasecurity/stsec-2015-norm-shield-why
• Çağatay IŞIKCI, Zafiyet Yönetim Sistemi (Vulnerability Management System), Bilgi Güvenliği Notları (Information Security Notes)
• https://www.bilgiguvenligi.gov.tr/is-surekliligi/zaafiyet-yonetimi-sistemi-zys.html
Editor's Notes

  1. HBR Turkey, Sept 2015