A Practical Example to Using SABSA Extended Security-in-Depth Strategy

A practical example of using the SABSA extended Security-in-depth layer strategy. A little bit of insight into why and how I extended the original and how to use it to create Information Security Standards that have sound architecture behind them.


  1. A Practical Example to Using SABSA Extended Security-in-Depth Strategy
     Allen Baranov

  2. Who Am I?
     Allen Baranov, CISSP
     Information Security Professional
     SABSA Foundation Certified
     Specialist in Security Management, Security Architecture and Risk and Compliance
     Looking for new permanent position! See LinkedIn for more details or email me for more information!
     au.linkedin.com/in/allenbaranov/
  3. Extended SABSA Security-in-Depth Strategy
     This is my proposal for an extended Security-in-Depth Strategy. It is based on the one in the official SABSA documentation but extended to be more practical, as you'll see later in this presentation.

     Assurance (super group; every level below feeds back into it)
     Negotiate
       • Deter
       • Invite
     Enforcement
       • Prevent
       • Allow
     Post Breach Enforcement
       • Contain (Deny)
       • (Continue to) Allow
     Activity Monitoring
       • Detect and Notify
       • Detect and Process (Service)
     Traffic Monitoring
       • Evidence & Track
       • Baseline and service improvement
     Data Availability Maint.
       • Recover and Restore
       • Monitor and Optimise (Hierarchical Storage Management)
  4. Original SABSA Security-in-Depth Strategy
     Deter, Prevent, Contain, Detect and Notify, Evidence & Track, Recover + Restore, Assure.
     This is the original SABSA S-i-D Strategy diagram. You will see that it has "negative" actions which (IMHO) don't fit with the SABSA risk/opportunity philosophy.
  5. … so I extended it. For each negative action, there is a positive one, and I have grouped them into 6 groups. I moved Assurance to its own super group with each level feeding back to it. This is still a WIP and I am keen for feedback.
     (Extended SABSA Security-in-Depth Strategy diagram, as on slide 3.)
  6. Practical Example - Firewalls
     Deconstructing the purpose of a Firewall.
       • Operates on the network layer.
       • It usually defines the border between two networks of differing levels of risk.
       • It investigates traffic and makes decisions on how to pass the traffic based on predefined rules (known as rulebase or policy).
       • It can be used for tracking connectivity.
       • Firewalls may also do deeper inspection into network traffic and
       • Firewalls may be physical hardware, software, dedicated boxes, a service or a virtual machine.
     I extended it so as to come up with a practical way to use SABSA for writing a Firewall Standard. The first thing to do is to work out exactly what a Firewall is aiming to achieve, then to fit it into the 6 layers of the model. See next slide.
  7. Practical Example - Firewalls
     Negotiate Network Usage
       • Deter – create logical border between networks.
       • Invite – invite authorised traffic to be used for business purposes.
     Enforcement of predefined rules
       • Prevent – prevent unauthorised traffic from flowing across the network boundary.
       • Allow – allow authorised (business enhancing) traffic across the network boundary.
     Post Breach Network Management
       • Contain (Deny) – temporarily stop a compromised network leaking onto a "clean" network.
       • (Continue to) Allow – allow "clean" networks to communicate until a breach is detected.
     Network Activity Monitoring
       • Detect and Notify – monitor all traffic and notify of suspicious traffic.
       • Detect and Process – allow network traffic to pass and baseline "normal".
     Network Traffic Monitoring
       • Evidence & Track – watch for anomalies in traffic flow and suspicious connections to build a profile of activities.
       • Baseline and service improvement – watch for opportunities to improve connectivity and gain understanding of network usage across the org.
     Network Availability Maint.
       • Recover and Restore – have redundant devices and network connections with automatic service continuation.
       • Monitor and Optimise – look for opportunities for reducing speed in some connections and increasing speed for others.
  8. I then took each layer and this became a section in the Standard. Note that especially the "Negotiate" section should be written as a contract, with both what will be delivered and what is expected.

  9. This way the Standards can be more comprehensive. They are also not so negative, and they show the balance of what is needed for compliance and security against what is offered.
     The firewall standard, for example, shows that without a firewall all the benefits of the Internet would not be available.
     Also, while we are monitoring for bad traffic, we could also be monitoring for performance.
     There is one more major advantage that turns the whole SABSA philosophy on its head, but I will save that one for next time… ;)
     For more, visit my blog – http://securethink.blogspot.com.au
  10. …other bits and pieces
      What is SABSA?
      SABSA is a proven framework and methodology for Enterprise Security Architecture and Service Management, used successfully by numerous organisations around the world. Now used globally to meet a wide variety of Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity Management, SABSA has evolved since 1995 to be the approach of choice for commercial organisations and Government alike.
      SABSA ensures that the needs of your enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure.
      Although copyright protected, SABSA is an open-use methodology, not a commercial product.
      Images
      All images are used with permission. Some are from the site stock.xchng (http://www.sxc.hu/).