A Holistic View of Enterprise Security
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk
Copyright 2005 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.

Objectives
Define security in a practical, measurable, and achievable way
Introduce security frameworks
Introduce OCTAVE
Introduce simple risk assessment
Introduce the concepts of threat modelling for enterprise security
Overview major security technologies

Session Agenda
Defining Security Concepts
Building a Secure Environment
Processes
OCTAVE
Simplified Security Risk Analysis
Formal Threat Modelling
Summary

Defining Security Concepts

Security
Definition (Cambridge Dictionary of English): ability to avoid being harmed by any risk, danger or threat
…therefore, in practice, an impossible goal
What can we do then?
Be as secure as needed: ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal’s Definition)

Challenge
Security must be balanced with usability (and accessibility)
  Most secure = useless
  Most useful = insecure
Know the balance you need
Factor the price: both security and usability cost a lot

Cost-Effectiveness of Security
"Appropriate business security is that which protects the business from undue operational risks in a cost-effective manner." – Sherwood, 2003
Estimation of cost and effectiveness of security requires knowledge and estimation of:
  Assets to protect
  Possible threats or losses
  Cost of their prevention
  Cost of contingencies

Adequate Security
CERT usefully suggests:
“A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.” – www.cert.org/governance/adequate.html
Risk Appetite – defined through executive decision, influences amount of risk worth taking to achieve enterprise goals and missions
  Relates to risks that must be mitigated and managed
Risk Tolerance – residual risk accepted
  Relates to risk for which no mitigation would be in place

1st Conclusion
As 100% security is impossible, you need to decide what needs to be secured and how well it needs to be secured
In other words, you need:
  Asset list
  Threat analysis to identify risks
  Risk impact estimate for each asset
  Ongoing process for reviewing assets, threats and risks
  Someone responsible for this process
  Operational procedures for responding to changing conditions (emergencies, high risk etc.)

Digital Security as Extension of Physical Security of Key Assets
Physical security of KA | Digital security | Result
Strong                  | Strong           | Good security everywhere
Weak                    | Strong           | Insecure environment
Strong                  | Weak             | Insecure environment

Aspects of Security
Static, passive, pervasive
Confidentiality
  ◄ Your data/service provides no useful information to unauthorised people
Integrity
  ◄ If anyone tampers with your asset it will be immediately evident
Authenticity
  ◄ We can verify that asset is attributable to its authors or caretakers
Identity
  ◄ We can verify who is the specific individual entity associated with your asset
Non-repudiation
  ◄ The author or owner or caretaker of asset cannot deny that they are associated with it

Aspects of Security
Dynamic, active, transient
Authorisation
  ◄ It is clear what actions are permitted with respect to your asset
Loss
  ◄ Asset is irrecoverably lost (or the cost of recovery is too high)
Denial of access (aka denial of service)
  ◄ Access to asset is temporarily impossible

Approaches for Achieving Security
Two approaches are needed:
  Active, dynamic, transient: implemented through behaviour and pattern analysis
  Passive, static, pervasive: implemented through cryptography

Behaviour (Pattern) Analysis
Prohibits reaching an asset if access is out-of-pattern, e.g.:
  Password lock-out after N unsuccessful attempts
  Blocking packets at a router if too many come from a given source
  Denying a connection based on IPSec filter rules
  Stopping a user from seeing more than N records in a database per day
  Time-out of an idle secure session
“Active”
  Cannot always prevent unauthorised use of asset
  Can prevent legitimate access – need easy and secure “unlock” mechanisms
  Strength varies with the sophistication of known attacks
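The first rule on this slide (lock-out after N failed attempts) as an added example, not code from the deck. It uses a sliding window so spaced-out failures never lock, expires the lock automatically, and offers an explicit unlock; the event format, N and the timings are constructed assumptions, and the last two events show the slide's caveat that the rule can also shut out the legitimate user.

```python
"""Behaviour (pattern) analysis: lock an account after N failed logins inside a
window, expire the lock automatically, and allow an explicit unlock.
Added illustration; event format, N and timings are constructed."""
from collections import defaultdict, deque


class LoginLockout:
    def __init__(self, max_failures=5, window=300, lock_seconds=900):
        self.max_failures = max_failures    # N unsuccessful attempts
        self.window = window                # seconds within which they must occur
        self.lock_seconds = lock_seconds    # automatic "unlock" after this long
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time at which the lock expires

    def _prune(self, user, now):
        # drop failures that fell out of the sliding window
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def unlock(self, user):
        """Explicit unlock, e.g. by the helpdesk after verifying the user."""
        self.locked_until.pop(user, None)
        self.failures[user].clear()

    def observe(self, event):
        """Feed one login event; returns the decision taken for it."""
        user, now, ok = event["user"], event["t"], event["ok"]
        if self.is_locked(user, now):
            return "rejected: locked"         # even a correct password is refused
        if ok:
            self.failures[user].clear()
            return "allowed"
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.failures[user].clear()
            return "failed: account locked"
        return "failed"


def run(events, **policy):
    """Apply one policy instance to a sequence of events; returns the decisions."""
    pol = LoginLockout(**policy)
    return [pol.observe(e) for e in events]


# Constructed events: alice fails 5 times in 80 s, then uses the right password
EVENTS = [
    {"user": "alice", "t": 0,    "ok": False},
    {"user": "alice", "t": 20,   "ok": False},
    {"user": "alice", "t": 40,   "ok": False},
    {"user": "alice", "t": 60,   "ok": False},
    {"user": "alice", "t": 80,   "ok": False},
    {"user": "alice", "t": 100,  "ok": True},   # legitimate user is now shut out
    {"user": "bob",   "t": 100,  "ok": True},   # unrelated user is unaffected
    {"user": "alice", "t": 1100, "ok": True},   # lock expired at 80 + 900 = 980
]

if __name__ == "__main__":
    for ev, decision in zip(EVENTS, run(EVENTS)):
        print(f"t={ev['t']:>5} {ev['user']:<6} -> {decision}")
```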

Cryptography
Using hard mathematics to implement passive security aspects mentioned earlier
“Static”
  Cannot detect or prevent problems arising from a pattern of behaviour
  Relies on physical security of Key Assets (such as master private keys etc.)
  Strength changes with time, depending on the power of computers and developments in cryptanalysis

Future Security Technologies
Behaviour analysis is under tremendous development at present
Expect from Microsoft:
  Microsoft Operations Manager 2005
    Already available, more rules on their way
  Active Protection
    Set of technologies for intrusion detection and automatic response and ongoing protection
Imagine: MOM + IDS based on neural network + GPOs

Holistic View of Security
Security should be:
  Static + Active
  Across All Your Assets
  Based On Ongoing Threat Risk Assessment

Building a Secure Environment

Defense in Depth
Using a layered approach:
  Increases an attacker’s risk of detection
  Reduces an attacker’s chance of success
Layer                             | Example controls
Policies, Procedures, & Awareness | User education against social engineering
Physical Security                 | Guards, locks, tracking devices, HSM
Perimeter                         | Firewalls, VPN quarantine
Internal Network                  | Network segments, IPSec, NIDS
Host                              | OS hardening, update management, authentication
Application                       | Application hardening, antivirus
Data                              | ACL, encryption

Secure Environment
A secure environment is a combination of:
  Hardened hosts (nodes)
  Intrusion Detection System (IDS)
  Operating Processes
    Standard and Emergency
  Threat Modelling and Analysis
  Dedicated Responsible Staff
    Chief Security Officer (CSO) responsible for all
  Continuous Training
    Users and security staff – against “social engineering”

Processes
Operating Processes
  Microsoft Operations Framework (MOF)
  IT Infrastructure Library
  BS7799 and related ISO
  Informal: Standard and Emergency Operating Procedures
Risk and Threat Analysis Processes
  Simple Security Risk Analysis
  Attack Vectors and Threat Modelling
  OCTAVE

Operating Processes
As a minimum, define
  Standard Operating Procedures
    Set of security policies used during “normal” conditions
    Could be based on Windows AD Group Policies
  Emergency Operating Procedures
    Tighter policies used during “high-risk” or “under-attack” conditions
Aim for compliance with an overall operational process framework
  E.g. Microsoft Operations Framework’s SLAs, OLAs and UCs

Education & Research
As a minimum, you really need to subscribe to security advisories:
  Microsoft Security Notification Service
    www.microsoft.com/security
  CERT
    www.cert.org
  SANS Institute
    www.sans.org
  Other vendor-specific
    CISCO, Oracle, IBM and so on
Apart from notifications, study available operational security guidance
  www.microsoft.com/technet/security

OCTAVE

OCTAVE
Operationally Critical Threat, Asset and Vulnerability Evaluation
Carnegie-Mellon University guidance
Origin in 2001
Used by US military and a growing number of larger organisations
www.cert.org/octave

Concept of OCTAVE
Workshop-based analysis
Collaborative approach
Guided by an 18-volume publication
  Very specific, with suggested timings, personnel selection etc.
  www.cert.org/octave/omig.html
Smaller version, OCTAVE-S, for small and medium organisations
  www.cert.org/octave/osig.html

OCTAVE Process
Progressive Series of Workshops (diagram: Planning, then Phase 1, Phase 2 and Phase 3 in sequence)
Planning
Phase 1: Organizational View
  Assets
  Threats
  Current Practices
  Org. Vulnerabilities
  Security Req.
Phase 2: Technological View
  Tech. Vulnerabilities
Phase 3: Strategy and Plan Development
  Risks
  Protection Strategy
  Mitigation Plans

Steps of OCTAVE Processes

Simplified Security Risk Analysis

Examples
Asset:
  Internal mailbox of your Managing Director
Risk Impact Estimate (examples!)
  Risk of loss: Medium impact
  Risk of access by staff: High impact
  Risk of access by press: Catastrophic impact
  Risk of access by a competitor: High impact
  Risk of temporary no access by MD: Low impact
  Risk of change of content: Medium impact

Creating Your Asset List
List all of your named assets starting with the most sensitive
Your list won’t ever be complete, keep updating as time goes on
Create default “all other assets” entries
Divide them into logical groups based on their probability of attacks or the risk of their “location” between perimeters

Risk Impact Assessment
For each asset and risk attach a measure of impact
Monetary scale if possible (difficult) or relative numbers with agreed meaning
  E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
Ex:
  Asset: Internal MD mailbox
  Risk: Access to content by press
  Impact: Catastrophic (5)

Risk Probability Assessment
Now for each entry measure the probability that the loss may happen
Real probabilities (difficult) or a relative scale (easier) such as: Low (0.3), Medium (0.6), and High (0.9)
Ex:
  Asset: Internal MD mailbox
  Risk: Access to content by press
  Probability: Low (0.3)

Risk Exposure and Risk List
Multiply probability by impact for each entry
  Exposure = Probability x Impact
Sort by exposure
  High-exposure risks need very strong security measures
  Lowest-exposure risks can be covered by default mechanisms or ignored
Example:
  Press may access MD mailbox:
  Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
  By the way, minimum exposure is 0.3 and maximum is 4.5 in our examples

Mitigation and Contingency
For high-exposure risks plan:
  Mitigation: Reduce its probability or impact (so exposure)
  Transfer: Make someone else responsible for the risk
  Avoidance: avoid the risk by not having the asset
  Contingency: what to do if the risk becomes reality
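The whole simplified risk analysis (impact scale, probability scale, Exposure = Probability x Impact, sorted risk list, treatment by exposure band) carried through on the MD-mailbox register from the earlier slides, as an added example that is not the deck's own code. The impact levels and the press probability are the slides'; the other probabilities and the two treatment thresholds are assumptions.

```python
"""Simplified security risk analysis: exposure = probability x impact, sorted
risk list, treatment by exposure band. Added illustration; scales are the
slides', treatment thresholds and most probabilities are assumed."""
from dataclasses import dataclass

# Relative scales "with agreed meaning", as on the slides
IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}


@dataclass(frozen=True)
class Risk:
    asset: str
    risk: str
    impact: str        # key of IMPACT
    probability: str   # key of PROBABILITY

    @property
    def exposure(self) -> float:
        # Exposure = Probability x Impact (rounded to hide float noise)
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)


def exposure_bounds():
    """Smallest and largest exposure reachable on these scales (0.3 and 4.5)."""
    lo = min(PROBABILITY.values()) * min(IMPACT.values())
    hi = max(PROBABILITY.values()) * max(IMPACT.values())
    return round(lo, 2), round(hi, 2)


def risk_list(risks):
    """The risk list: sorted by exposure, highest first (ties keep input order)."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)


def treatment(r: Risk, strong_at=2.0, default_below=1.0) -> str:
    """Assumed bands: high exposure gets a mitigation/transfer/avoidance/
    contingency plan, the lowest exposure is left to default mechanisms."""
    if r.exposure >= strong_at:
        return "plan: mitigate, transfer, avoid or contingency"
    if r.exposure < default_below:
        return "default mechanisms (or accept)"
    return "standard controls"


# Constructed register: the six MD-mailbox risks from the 'Examples' slide.
# Impacts are the slide's; probabilities are assumed except 'press' (Low).
MD_MAILBOX = [
    Risk("Internal MD mailbox", "loss", "Medium", "Medium"),
    Risk("Internal MD mailbox", "access by staff", "High", "Medium"),
    Risk("Internal MD mailbox", "access by press", "Catastrophic", "Low"),
    Risk("Internal MD mailbox", "access by a competitor", "High", "Low"),
    Risk("Internal MD mailbox", "temporary no access by MD", "Low", "High"),
    Risk("Internal MD mailbox", "change of content", "Medium", "Low"),
]

if __name__ == "__main__":
    lo, hi = exposure_bounds()
    print(f"exposure range on these scales: {lo} .. {hi}")
    for r in risk_list(MD_MAILBOX):
        print(f"{r.exposure:>4}  {r.risk:<26} {treatment(r)}")
```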

Formal Threat Modelling

Threat Modeling
Structured analysis aimed at:
  Finding infrastructure vulnerabilities
  Evaluating security threats
  Identifying countermeasures
Originated from software development security threat analysis
Steps:
  1. Identify Assets
  2. Create an Architecture Overview
  3. Decompose the System
  4. Identify the Threats
  5. Document the Threats
  6. Rate the Threats

Architecture Diagram (Step 2)
[Diagram: users Bob, Alice and Bill reach an IIS ASP.NET Web Server (Login, State, Main) through a Firewall; the Web Server talks to a Database Server; Assets #1 to #6 are labelled on the components]

Decomposition (Step 3)
[Diagram: the same system (Bob, Alice, Bill; Firewall; IIS ASP.NET Web Server with Login, State, Main; Database Server) with a Trust boundary marked and the security mechanisms labelled: Forms Authentication, URL Authorization, DPAPI, Windows Authentication]

STRIDE
A Technique for Threat Identification (Step 4)
Type of Threat         | Examples
Spoofing               | Forging Email Message; Replaying Authentication
Tampering              | Altering data during transmission; Changing data in database
Repudiation            | Delete critical data and deny it; Purchase product and deny it
Information disclosure | Expose information in error messages; Expose code on web site
Denial of Service      | Flood web service with invalid request; Flood network with SYN
Elevation of Privilege | Obtain Administrator privileges; Use assembly in GAC to create acct

Threat Tree
Inside Attack Enabled – attack domain controller from inside
  OR
    AND
      SQL Injection – an application doesn’t validate user’s input and allows evil texts
      Dev Server – unhardened SQL server used by internal developers
    AND
      Messenger Xfer – novice admin uses an instant messenger on a server
      Trojan Soc Eng – attacker sends a trojan masquerading as network util

Attack Vector in a Threat Tree
Theft of Auth Cookies – obtain auth cookie to spoof identity
  OR
    AND
      Unencrypted Connection – cookies travel over unencrypted HTTP
      Eavesdropping – attacker uses sniffer to monitor HTTP traffic
    AND
      Cross-Site Scripting – attacker possesses means and knowledge
      XSS Vulnerability – application is vulnerable to XSS attacks
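Both threat trees on these two slides, evaluated as AND/OR trees, as an added example rather than code from the deck. Beyond checking whether a root threat is reachable from a given set of conditions, it lists the minimal sets of leaf conditions a defender must remove to make the root unreachable, which is what a mitigation plan needs from a tree with several AND branches. Node names are the slides'; the wiring follows the diagrams and the helper names are mine.

```python
"""AND/OR threat-tree evaluation and minimal mitigation sets.
Added illustration; tree shapes are the two slides', helper names are mine."""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    name: str
    op: str = "LEAF"                        # "LEAF", "AND" or "OR"
    children: list = field(default_factory=list)


def leaf(name):
    return Node(name)


def AND(name, *kids):
    return Node(name, "AND", list(kids))


def OR(name, *kids):
    return Node(name, "OR", list(kids))


def holds(node, present):
    """Is the threat realisable given the set of leaf conditions that hold?"""
    if node.op == "LEAF":
        return node.name in present
    results = [holds(c, present) for c in node.children]
    return all(results) if node.op == "AND" else any(results)


def blocking_sets(node):
    """Minimal sets of leaves whose removal makes `node` false.
    AND: blocking any one child blocks the node; OR: every child must be blocked."""
    if node.op == "LEAF":
        return [frozenset([node.name])]
    child_sets = [blocking_sets(c) for c in node.children]
    if node.op == "AND":
        candidates = [s for sets in child_sets for s in sets]
    else:
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    # keep only minimal sets: drop any that strictly contains another candidate
    minimal = {s for s in candidates if not any(o < s for o in candidates)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


# Slide 'Threat Tree': Inside Attack Enabled (attack domain controller from inside)
INSIDE_ATTACK = OR(
    "Inside Attack Enabled",
    AND("via dev SQL server", leaf("SQL Injection"), leaf("Dev Server")),
    AND("via messenger", leaf("Messenger Xfer"), leaf("Trojan Soc Eng")),
)

# Slide 'Attack Vector in a Threat Tree': Theft of Auth Cookies
COOKIE_THEFT = OR(
    "Theft of Auth Cookies",
    AND("via plaintext HTTP", leaf("Unencrypted Connection"), leaf("Eavesdropping")),
    AND("via XSS", leaf("Cross-Site Scripting"), leaf("XSS Vulnerability")),
)

if __name__ == "__main__":
    for tree in (INSIDE_ATTACK, COOKIE_THEFT):
        print(tree.name)
        for s in blocking_sets(tree):
            print("  remove:", " + ".join(sorted(s)))
```

Each printed line is one sufficient mitigation plan: e.g. fixing the XSS vulnerability and moving cookies to an encrypted channel closes both branches of the cookie-theft tree.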

Document Threats (Step 5)
Description                  | Target                | Risk | Attack Techniques       | Countermeasures
Attacker obtains credentials | User Auth process     |      | Sniffer                 | Use SSL to encrypt channel
Injection of SQL commands    | Data Access Component |      | Append SQL to user name | Validate user name; Parameterized stored procedure for data access

Rate Threats (Step 6)
Rate Risk
  Probability-Impact-Exposure
    Risk Exposure = Probability * Damage Potential
  DREAD

DREAD
D – Damage Potential
R – Reproducibility
E – Exploitability
A – Affected Users
D – Discoverability
Rate each category High (3), Medium (2) and Low (1)
Threat                       | D | R | E | A | D | Total | Rating
Attacker obtains credentials | 3 | 3 | 2 | 2 | 2 | 12    | High
Injection of SQL commands    | 3 | 3 | 3 | 3 | 2 | 14    | High
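The DREAD table above computed rather than filled in by hand, as an added example that is not the deck's code. The slide only shows that totals of 12 and 14 are rated High; the band boundaries over the possible 5 to 15 range are an assumption.

```python
"""DREAD rating: five categories scored High (3) / Medium (2) / Low (1),
summed, then banded into a rating and sorted into a threat list.
Added illustration; the rating bands are assumed."""
from dataclasses import dataclass

SCORE = {"High": 3, "Medium": 2, "Low": 1}
CATEGORIES = ("Damage Potential", "Reproducibility", "Exploitability",
              "Affected Users", "Discoverability")


@dataclass(frozen=True)
class DreadScore:
    threat: str
    damage: str
    reproducibility: str
    exploitability: str
    affected_users: str
    discoverability: str

    def values(self):
        """Numeric scores in D, R, E, A, D order."""
        return [SCORE[v] for v in (self.damage, self.reproducibility,
                                   self.exploitability, self.affected_users,
                                   self.discoverability)]

    @property
    def total(self) -> int:
        return sum(self.values())


def rating(total: int) -> str:
    """Assumed bands over the 5..15 range: 12-15 High, 8-11 Medium, 5-7 Low."""
    if not 5 <= total <= 15:
        raise ValueError("a DREAD total lies between 5 and 15")
    if total >= 12:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


def dread_table(scores):
    """Rows (threat, D, R, E, A, D, total, rating), highest total first."""
    rows = [(s.threat, *s.values(), s.total, rating(s.total)) for s in scores]
    return sorted(rows, key=lambda r: r[-2], reverse=True)


# The two rows from the slide
SLIDE_THREATS = [
    DreadScore("Attacker obtains credentials", "High", "High", "Medium", "Medium", "Medium"),
    DreadScore("Injection of SQL commands", "High", "High", "High", "High", "Medium"),
]

if __name__ == "__main__":
    print(f"{'Threat':<30} D R E A D  Total  Rating")
    for name, *cats, total, rate in dread_table(SLIDE_THREATS):
        print(f"{name:<30} {' '.join(map(str, cats))}  {total:>5}  {rate}")
```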

Summary
Viewing security holistically combines perspectives of people, processes, technologies and requires ongoing research and education
Security goals oppose those of usability
Cost of protection is a factor that necessitates a risk assessment
Processes such as OCTAVE allow for threat identification as well as cost-effectiveness analysis
Lower security needs can be solved with cheaper, reactive approaches
High security needs require more expensive, formal methods

Combating Cyber Crimes Proactively.pdfChinatu Uzuegbu
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Chinatu Uzuegbu
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)Ali Habeeb
 
The Small Business Cyber Security Best Practice Guide
The Small Business Cyber Security Best Practice GuideThe Small Business Cyber Security Best Practice Guide
The Small Business Cyber Security Best Practice GuideInspiring Women
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditorsmdagrossa
 
Ch01
Ch01Ch01
Ch01n C
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research CSSaunders
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadsavassociates1
 
Weakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainWeakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainSanjay Chadha, CPA, CA
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Emrah Alpa, CISSP CEH CCSK
 
Cloudbrew 2019 - Azure Security
Cloudbrew 2019 - Azure SecurityCloudbrew 2019 - Azure Security
Cloudbrew 2019 - Azure SecurityTom Janetscheck
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environmentArthur Donkers
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security TestingPECB
 

Similar to A holistic view_of_enterprise_security (20)

Risk assessment as "The Art of Prevention"
Risk assessment as "The Art of Prevention"Risk assessment as "The Art of Prevention"
Risk assessment as "The Art of Prevention"
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdf
 
Application Security
Application SecurityApplication Security
Application Security
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)
 
Iss lecture 1
Iss lecture 1Iss lecture 1
Iss lecture 1
 
It and-cyber-module-2
It and-cyber-module-2It and-cyber-module-2
It and-cyber-module-2
 
The Small Business Cyber Security Best Practice Guide
The Small Business Cyber Security Best Practice GuideThe Small Business Cyber Security Best Practice Guide
The Small Business Cyber Security Best Practice Guide
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
 
Ch01
Ch01Ch01
Ch01
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research
 
Sect f41
Sect f41Sect f41
Sect f41
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor upload
 
Weakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainWeakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chain
 
Security analysis
Security analysisSecurity analysis
Security analysis
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
 
Cloudbrew 2019 - Azure Security
Cloudbrew 2019 - Azure SecurityCloudbrew 2019 - Azure Security
Cloudbrew 2019 - Azure Security
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
 

Recently uploaded

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Recently uploaded (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

A holistic view_of_enterprise_security

• 1. A Holistic View of Enterprise Security
    Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd
    rafal@projectbotticelli.co.uk
    www.projectbotticelli.co.uk
    Copyright 2005 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.

• 2. Objectives
    Define security in a practical, measurable, and achievable way
    Introduce security frameworks
    Introduce OCTAVE
    Introduce simple risk assessment
    Introduce the concepts of threat modelling for enterprise security
    Overview major security technologies

• 3. Session Agenda
    Defining Security Concepts
    Building a Secure Environment
    Processes
    OCTAVE
    Simplified Security Risk Analysis
    Formal Threat Modelling
    Summary

• 5. Security
    Definition (Cambridge Dictionary of English): Ability to avoid being harmed by any risk, danger or threat
    …therefore, in practice, an impossible goal
    What can we do then? Be as secure as needed
    Ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal’s Definition)

• 6. Challenge
    Security must be balanced with usability (and accessibility)
    Most secure = useless
    Most useful = insecure
    Know the balance you need
    Factor the price: both security and usability cost a lot

• 7. Cost-Effectiveness of Security
    "Appropriate business security is that which protects the business from undue operational risks in a cost-effective manner." – Sherwood, 2003
    Estimation of cost and effectiveness of security requires knowledge and estimation of:
    Assets to protect
    Possible threats or losses
    Cost of their prevention
    Cost of contingencies

• 8. Adequate Security
    CERT usefully suggests: “A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.” – www.cert.org/governance/adequate.html
    Risk Appetite – defined through executive decision, influences amount of risk worth taking to achieve enterprise goals and missions
        Relates to risks that must be mitigated and managed
    Risk Tolerance – residual risk accepted
        Relates to risk for which no mitigation would be in place

• 9. 1st Conclusion
    As 100% security is impossible, you need to decide what needs to be secured and how well it needs to be secured
    In other words, you need:
    Asset list
    Threat analysis to identify risks
    Risk impact estimate for each asset
    Ongoing process for reviewing assets, threats and risks
    Someone responsible for this process
    Operational procedures for responding to changing conditions (emergencies, high risk etc.)

• 10. Digital Security as Extension of Physical Security of Key Assets
    Strong Physical Security of KA + Strong Digital Security → Good Security Everywhere
    Weak Physical Security of KA + Strong Digital Security → Insecure Environment
    Strong Physical Security of KA + Weak Digital Security → Insecure Environment

• 11. Aspects of Security – Static, passive, pervasive
    Confidentiality ◄ Your data/service provides no useful information to unauthorised people
    Integrity ◄ If anyone tampers with your asset it will be immediately evident
    Authenticity ◄ We can verify that asset is attributable to its authors or caretakers
    Identity ◄ We can verify who is the specific individual entity associated with your asset
    Non-repudiation ◄ The author or owner or caretaker of asset cannot deny that they are associated with it

• 12. Aspects of Security – Dynamic, active, transient
    Authorisation ◄ It is clear what actions are permitted with respect to your asset
    Loss ◄ Asset is irrecoverably lost (or the cost of recovery is too high)
    Denial of access (aka denial of service) ◄ Access to asset is temporarily impossible

• 13. Approaches for Achieving Security
    Two approaches are needed:
    Active, dynamic, transient – implemented through behaviour and pattern analysis
    Passive, static, pervasive – implemented through cryptography

• 14. Behaviour (Pattern) Analysis
    Prohibits reaching an asset if access is out-of-pattern, e.g.:
    Password lock-out after N unsuccessful attempts
    Blocking packets at a router if too many come from a given source
    Denying a connection based on IPSec filter rules
    Stopping a user from seeing more than N records in a database per day
    Time-out of an idle secure session
    “Active”
    Cannot always prevent unauthorised use of asset
    Can prevent legitimate access – need easy and secure “unlock” mechanisms
    Strength varies with sophistication on known attacks
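The out-of-pattern controls listed on slide 14 (lock-out after N failures, per-source packet cap, per-day record quota, idle time-out) implemented as one small policy monitor. This is an added example, not code from the deck; the thresholds, the time-limited lock that serves as the “unlock” mechanism, and the event sequence in `demo()` are all constructed, and time is passed in as plain seconds so the module runs offline and deterministically.

```python
"""Out-of-pattern access controls from the 'Behaviour (Pattern) Analysis' slide.
Added example (not from the original deck); thresholds and events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Lock-out after N failed logins inside `login_window` s; the lock expires on
    # its own, which is the "easy and secure unlock" the slide asks for.
    max_failed_logins: int = 5
    login_window: float = 300.0
    lockout_seconds: float = 900.0
    # Router-style cap on packets per source inside a sliding window.
    max_packets_per_source: int = 100
    packet_window: float = 1.0
    # Per-user, per-day record quota.
    max_records_per_day: int = 500
    # Idle secure-session time-out.
    idle_timeout: float = 600.0


@dataclass
class PatternMonitor:
    policy: Policy = field(default_factory=Policy)
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)
    _packets: dict = field(default_factory=lambda: defaultdict(deque))
    _records: dict = field(default_factory=lambda: defaultdict(int))
    _last_seen: dict = field(default_factory=dict)

    @staticmethod
    def _trim(window: deque, now: float, span: float) -> None:
        """Drop timestamps that have fallen out of the sliding window."""
        while window and now - window[0] > span:
            window.popleft()

    def login(self, user: str, now: float, success: bool) -> str:
        """Return 'locked', 'denied' or 'allowed'. A correct password during a lock is still refused."""
        if self._locked_until.get(user, 0.0) > now:
            return "locked"
        if success:
            self._failures[user].clear()
            self._last_seen[user] = now  # session starts here
            return "allowed"
        hist = self._failures[user]
        hist.append(now)
        self._trim(hist, now, self.policy.login_window)
        if len(hist) >= self.policy.max_failed_logins:
            self._locked_until[user] = now + self.policy.lockout_seconds
            hist.clear()
            return "locked"
        return "denied"

    def packet(self, source: str, now: float) -> bool:
        """True if the packet may pass; False once the source exceeds the rate cap."""
        hist = self._packets[source]
        self._trim(hist, now, self.policy.packet_window)
        if len(hist) >= self.policy.max_packets_per_source:
            return False
        hist.append(now)
        return True

    def read_records(self, user: str, day: str, count: int) -> bool:
        """Refuse a read that would push the user's daily record total over the quota."""
        key = (user, day)
        if self._records[key] + count > self.policy.max_records_per_day:
            return False
        self._records[key] += count
        return True

    def session_active(self, user: str, now: float) -> bool:
        """False once idle longer than the time-out; activity refreshes the timer."""
        last = self._last_seen.get(user)
        if last is None or now - last > self.policy.idle_timeout:
            self._last_seen.pop(user, None)
            return False
        self._last_seen[user] = now
        return True


def demo() -> dict:
    """Run a constructed event sequence and return the decisions for inspection."""
    m = PatternMonitor(Policy(max_failed_logins=3, login_window=60, lockout_seconds=300,
                              max_packets_per_source=3, packet_window=1.0,
                              max_records_per_day=10, idle_timeout=120))
    logins = [m.login("alice", t, False) for t in (0, 10, 20)]       # third failure locks
    logins.append(m.login("alice", 30, True))                        # right password, still locked
    logins.append(m.login("alice", 400, True))                       # lock expired: allowed
    packets = [m.packet("10.0.0.9", 0.1 * i) for i in range(5)]     # 4th and 5th dropped
    records = [m.read_records("bob", "2005-01-01", n) for n in (4, 4, 4)]  # third breaks quota
    session = [m.session_active("alice", 450), m.session_active("alice", 700)]  # 250 s idle
    return {"logins": logins, "packets": packets, "records": records, "session": session}
```

The same structure makes the slide's caveat visible: the lock-out refuses alice's correct password at t=30, so legitimate access is blocked until the lock expires.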
  • 15. 1515 CryptographyCryptography Using hard mathematics to implement passive securityUsing hard mathematics to implement passive security aspects mentioned earlieraspects mentioned earlier ““Static”Static” Cannot detect or prevent problems arising from a pattern ofCannot detect or prevent problems arising from a pattern of behaviourbehaviour Relies of physical security of Key Assets (such asRelies of physical security of Key Assets (such as master private keys etc.)master private keys etc.) Strength changes with time, depending on the power ofStrength changes with time, depending on the power of computers and developments in cryptanalysiscomputers and developments in cryptanalysis
  • 16. 1616 Future Security TechnologiesFuture Security Technologies Behaviour analysis is under tremendousBehaviour analysis is under tremendous development at presentdevelopment at present Expect from Microsoft:Expect from Microsoft: Microsoft Operations Manager 2005Microsoft Operations Manager 2005 Already available, more rules on their wayAlready available, more rules on their way Active ProtectionActive Protection Set of technologies for intrusion detection and automaticSet of technologies for intrusion detection and automatic response and ongoing protectionresponse and ongoing protection Imagine: MOM + IDS based on neural network +Imagine: MOM + IDS based on neural network + GPOsGPOs
  • 17. 1717 Holistic View of SecurityHolistic View of Security Security should be:Security should be: Static + ActiveStatic + Active AcrossAcross All Your AssetsAll Your Assets Based OnBased On Ongoing Threat Risk AssessmentOngoing Threat Risk Assessment
  • 18. 1818 Building a Secure EnvironmentBuilding a Secure Environment
  • 19. 1919 Defense in DepthDefense in Depth Using a layered approach:Using a layered approach: Increases an attacker’s risk of detectionIncreases an attacker’s risk of detection Reduces an attacker’s chance of successReduces an attacker’s chance of success Policies, Procedures, & Awareness Policies, Procedures, & Awareness OS hardening, update management,OS hardening, update management, authenticationauthentication Firewalls, VPN quarantineFirewalls, VPN quarantine Guards, locks, tracking devices,Guards, locks, tracking devices, HSMHSM Network segments, IPSec, NIDSNetwork segments, IPSec, NIDS Application hardening, antivirusApplication hardening, antivirus ACL, encryptionACL, encryption User education against socialUser education against social engineeringengineering Physical SecurityPhysical Security PerimeterPerimeter Internal NetworkInternal Network HostHost ApplicationApplication DataData
  • 20. 2020 Secure EnvironmentSecure Environment A secure environment is a combination of:A secure environment is a combination of: Hardened hosts (nodes)Hardened hosts (nodes) Intrusion Detection System (IDS)Intrusion Detection System (IDS) Operating ProcessesOperating Processes Standard and EmergencyStandard and Emergency Threat Modelling and AnalysisThreat Modelling and Analysis Dedicated Responsible StaffDedicated Responsible Staff Chief Security Officer (CSO) responsible for allChief Security Officer (CSO) responsible for all Continuous TrainingContinuous Training Users and security staff – against “social engineering”Users and security staff – against “social engineering”
  • 21. 2121 ProcessesProcesses Operating ProcessesOperating Processes Microsoft Operations Framework (MOF)Microsoft Operations Framework (MOF) IT Infrastructure LibraryIT Infrastructure Library BS7799 and related ISOBS7799 and related ISO Informal: Standard and Emergency Operating ProceduresInformal: Standard and Emergency Operating Procedures Risk and Threat Analysis ProcessesRisk and Threat Analysis Processes Simple Security Risk AnalysisSimple Security Risk Analysis Attack Vectors and Threat ModellingAttack Vectors and Threat Modelling OCTAVEOCTAVE
  • 22. 2222 Operating ProcessesOperating Processes As a minimum, defineAs a minimum, define Standard Operating ProceduresStandard Operating Procedures Set of security policies used during “normal” conditionsSet of security policies used during “normal” conditions Could be based on Windows AD Group PoliciesCould be based on Windows AD Group Policies Emergency Operating ProceduresEmergency Operating Procedures Tighter policies used during “high-risk” or “under-attack”Tighter policies used during “high-risk” or “under-attack” conditionsconditions Aim for compliance with an overall operational processAim for compliance with an overall operational process frameworkframework E.g. Microsoft Operation Framework’s SLAs, OLAs and UCsE.g. Microsoft Operation Framework’s SLAs, OLAs and UCs
  • 23. 2323 Education & ResearchEducation & Research As minimum, you really need to subscribe to securityAs minimum, you really need to subscribe to security advisories:advisories: Microsoft Security Notification ServiceMicrosoft Security Notification Service www.microsoft.com/securitywww.microsoft.com/security CERTCERT www.cert.orgwww.cert.org SANS InstituteSANS Institute www.sans.orgwww.sans.org Other vendor-specificOther vendor-specific CISCO, Oracle, IBM and so onCISCO, Oracle, IBM and so on Apart from notifications, study available operationalApart from notifications, study available operational security guidancesecurity guidance www.microsoft.com/technet/securitywww.microsoft.com/technet/security
  • 25. 2525 OCTAVEOCTAVE Operationally Critical Threat, Asset andOperationally Critical Threat, Asset and Vulnerability EvaluationVulnerability Evaluation Carnegie-Mellon University guidanceCarnegie-Mellon University guidance Origin in 2001Origin in 2001 Used by US military and a growing number of largerUsed by US military and a growing number of larger organisationsorganisations www.cert.org/octavewww.cert.org/octave
  • 26. 2626 Concept of OCTAVEConcept of OCTAVE Workshop-based analysisWorkshop-based analysis Collaborative approachCollaborative approach Guided by an 18-volume publicationGuided by an 18-volume publication Very specific, with suggested timings, personnel selection etc.Very specific, with suggested timings, personnel selection etc. www.cert.org/octave/omig.htmlwww.cert.org/octave/omig.html Smaller version, OCTAVE-S, for small and mediumSmaller version, OCTAVE-S, for small and medium organisationsorganisations www.cert.org/octave/osig.htmlwww.cert.org/octave/osig.html
  • 27. OCTAVE Process
    Progressive series of workshops
    [Diagram: Phase 1, Organizational View (Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.); Phase 2, Technological View (Tech. Vulnerabilities); Phase 3, Strategy and Plan Development (Risks, Protection Strategy, Mitigation Plans); feeding into Planning]
  • 28. Steps of OCTAVE Processes
  • 29. Simplified Security Risk Analysis
  • 30. Examples
    Asset: internal mailbox of your Managing Director
    Risk impact estimates (examples!):
    - Risk of loss: Medium impact
    - Risk of access by staff: High impact
    - Risk of access by press: Catastrophic impact
    - Risk of access by a competitor: High impact
    - Risk of temporary no access by MD: Low impact
    - Risk of change of content: Medium impact
  • 31. Creating Your Asset List
    List all of your named assets, starting with the most sensitive
    Your list won’t ever be complete; keep updating it as time goes on
    Create default “all other assets” entries
    Divide the assets into logical groups based on their probability of attack or the risk of their “location” between perimeters
  • 32. Risk Impact Assessment
    For each asset and risk, attach a measure of impact
    Use a monetary scale if possible (difficult) or relative numbers with an agreed meaning, e.g. Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
    Example: Asset: internal MD mailbox; Risk: access to content by press; Impact: Catastrophic (5)
  • 33. Risk Probability Assessment
    Now, for each entry, measure the probability that the loss may happen
    Use real probabilities (difficult) or a relative scale (easier) such as Low (0.3), Medium (0.6) and High (0.9)
    Example: Asset: internal MD mailbox; Risk: access to content by press; Probability: Low (0.3)
  • 34. Risk Exposure and Risk List
    Multiply probability by impact for each entry: Exposure = Probability x Impact
    Sort by exposure
    - High-exposure risks need very strong security measures
    - Lowest-exposure risks can be covered by default mechanisms or ignored
    Example: press may access MD mailbox: Exposure = P(Low = 0.3) x I(Catastrophic = 5) = 1.5
    By the way, on the scales used in our examples the minimum possible exposure is 0.3 and the maximum is 4.5
  • 35. Mitigation and Contingency
    For high-exposure risks, plan:
    - Mitigation: reduce the risk’s probability or impact (and so its exposure)
    - Transfer: make someone else responsible for the risk
    - Avoidance: avoid the risk by not having the asset
    - Contingency: what to do if the risk becomes reality
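The exposure arithmetic of slides 32 to 35 carried through on the deck’s own MD-mailbox risks, as an added Python example that is not part of the original presentation; only the press case has a probability on the slides, so the other probabilities and the 2.0 “high exposure” cut-off are constructed assumptions.

```python
from dataclasses import dataclass

# Scales from slides 32 and 33 (relative numbers with an agreed meaning).
IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}
MIN_EXPOSURE = round(min(PROBABILITY.values()) * min(IMPACT.values()), 2)  # 0.3
MAX_EXPOSURE = round(max(PROBABILITY.values()) * max(IMPACT.values()), 2)  # 4.5


@dataclass(frozen=True)
class Risk:
    asset: str
    description: str
    impact: str       # key into IMPACT
    probability: str  # key into PROBABILITY

    def exposure(self) -> float:
        """Slide 34: Exposure = Probability x Impact (rounded to hide float noise)."""
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)


def example_register() -> list:
    """The deck's MD-mailbox risks with their slide-30 impacts. Only the press
    case has a probability on the slides (Low); the others are constructed."""
    mailbox = "Internal MD mailbox"
    return [
        Risk(mailbox, "Loss", "Medium", "Low"),
        Risk(mailbox, "Access by staff", "High", "Medium"),
        Risk(mailbox, "Access by press", "Catastrophic", "Low"),
        Risk(mailbox, "Access by a competitor", "High", "Low"),
        Risk(mailbox, "Temporary no access by MD", "Low", "High"),
        Risk(mailbox, "Change of content", "Medium", "Low"),
    ]


def rank_risks(risks: list) -> list:
    """(risk, exposure) pairs, highest exposure first: the slide-34 risk list."""
    return sorted(((r, r.exposure()) for r in risks), key=lambda p: p[1], reverse=True)


def response_for(exposure: float, high_cutoff: float = 2.0) -> str:
    """Map an exposure to the slide-34/35 guidance. The 2.0 cut-off is an
    assumption; the deck only says high-exposure risks need strong measures."""
    if exposure >= high_cutoff:
        return "plan mitigation, transfer or avoidance, plus contingency"
    if exposure > MIN_EXPOSURE:
        return "cover with default mechanisms"
    return "accept or ignore"
```

Printing `rank_risks(example_register())` gives the sorted register; the staff-access risk (0.6 x 4 = 2.4) tops it, ahead of the Catastrophic-but-Low-probability press case at 1.5.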
  • 37. Threat Modeling
    Structured analysis aimed at finding infrastructure vulnerabilities, evaluating security threats and identifying countermeasures
    Originated from software development security threat analysis
    Steps:
    1. Identify assets
    2. Create an architecture overview
    3. Decompose the system
    4. Identify the threats
    5. Document the threats
    6. Rate the threats
  • 38. Architecture Diagram (Step 2)
    [Diagram: users Bob, Alice and Bill, a Firewall, an IIS/ASP.NET Web Server (Login, State, Main) and a Database Server, with Assets #1 to #6 marked on the components]
  • 39. Decomposition (Step 3)
    [Diagram: the same system with trust boundaries and mechanisms marked: Firewall; IIS/ASP.NET Web Server (Login, State, Main) with Forms Authentication, URL Authorization and DPAPI; Database Server with Windows Authentication]
  • 40. STRIDE
    A technique for threat identification (Step 4)
    Type of threat: examples
    - Spoofing: forging an email message; replaying authentication
    - Tampering: altering data during transmission; changing data in a database
    - Repudiation: deleting critical data and denying it; purchasing a product and denying it
    - Information disclosure: exposing information in error messages; exposing code on a web site
    - Denial of service: flooding a web service with invalid requests; flooding a network with SYN packets
    - Elevation of privilege: obtaining Administrator privileges; using an assembly in the GAC to create an account
  • 41. Threat Tree
    Root (OR): Inside Attack Enabled: attack domain controller from inside
    - AND branch: SQL Injection (an application doesn’t validate user input and allows evil texts) + Dev Server (unhardened SQL server used by internal developers)
    - AND branch: Messenger Xfer (novice admin uses an instant messenger on a server) + Trojan Soc Eng (attacker sends a trojan masquerading as a network util)
  • 42. Attack Vector in a Threat Tree
    Root (OR): Theft of Auth Cookies: obtain auth cookie to spoof identity
    - AND branch: Unencrypted Connection (cookies travel over unencrypted HTTP) + Eavesdropping (attacker uses a sniffer to monitor HTTP traffic)
    - AND branch: Cross-Site Scripting (attacker possesses means and knowledge) + XSS Vulnerability (application is vulnerable to XSS attacks)
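The slide-42 tree as a small AND/OR evaluator, added here (not the presentation’s own material) to show which countermeasures of the slide-43 kind close which path; the OR-of-two-ANDs shape, the branch names and the countermeasure-to-leaf mapping are my reading of the diagram, not something the deck states.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One node of a threat tree: a leaf condition, or an AND/OR of children."""
    name: str
    op: str = "LEAF"                  # "LEAF", "AND" or "OR"
    children: list = field(default_factory=list)

    def achievable(self, open_conditions: set) -> bool:
        """True if this (sub)threat still holds, given which leaf conditions
        remain open, i.e. have no countermeasure applied."""
        if self.op == "LEAF":
            return self.name in open_conditions
        results = [c.achievable(open_conditions) for c in self.children]
        return all(results) if self.op == "AND" else any(results)

    def leaves(self) -> set:
        if self.op == "LEAF":
            return {self.name}
        return set().union(*(c.leaves() for c in self.children))


# Slide-42 tree. Branch names are mine; the OR-of-two-ANDs shape is my reading.
COOKIE_THEFT = Node("Theft of auth cookies", "OR", [
    Node("Sniff the cookie", "AND", [
        Node("Unencrypted connection"),   # cookies travel over plain HTTP
        Node("Eavesdropping"),            # attacker can monitor HTTP traffic
    ]),
    Node("Steal via script", "AND", [
        Node("Cross-site scripting"),     # attacker has means and knowledge
        Node("XSS vulnerability"),        # application is vulnerable to XSS
    ]),
])

# Countermeasure -> leaf it removes (assumed mapping, slide-43 style). Attacker
# capability leaves (Eavesdropping, Cross-site scripting) have no entry: not ours.
COUNTERMEASURES = {
    "Use SSL to encrypt channel": "Unencrypted connection",
    "Validate and encode user input": "XSS vulnerability",
}


def still_exposed(tree: Node, applied: set) -> bool:
    """Does the root threat remain achievable after these countermeasures?"""
    removed = {COUNTERMEASURES[c] for c in applied}
    return tree.achievable(tree.leaves() - removed)


def open_branches(tree: Node, applied: set) -> list:
    """Names of the root's branches an attacker could still use."""
    remaining = tree.leaves() - {COUNTERMEASURES[c] for c in applied}
    return [c.name for c in tree.children if c.achievable(remaining)]
```

Because the root is an OR, encrypting the channel alone leaves the XSS branch open; every AND branch needs at least one leaf under the defender’s control cut before the root threat is closed.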
  • 43. Document Threats (Step 5)
    Description                  | Target                | Risk | Attack techniques       | Countermeasures
    Attacker obtains credentials | User auth process     |      | Sniffer                 | Use SSL to encrypt channel
    Injection of SQL commands    | Data access component |      | Append SQL to user name | Validate user name; parameterized stored procedure for data access
  • 44. Rate Threats (Step 6)
    Rate risk by one of two approaches:
    - Probability-Impact-Exposure: Risk Exposure = Probability * Damage Potential
    - DREAD
  • 45. DREAD
    D – Damage Potential; R – Reproducibility; E – Exploitability; A – Affected Users; D – Discoverability
    Rate each category High (3), Medium (2) or Low (1)
    Threat                        D  R  E  A  D  Total  Rating
    Attacker obtains credentials  3  3  2  2  2  12     High
    Injection of SQL commands     3  3  3  3  2  14     High
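The DREAD sums from the slide’s table worked in Python, an added example rather than the presentation’s own; the High/Medium/Low cut-offs for the total are an assumption, since the deck shows only that 12 and 14 both rate High.

```python
from typing import NamedTuple


class Dread(NamedTuple):
    """One row of the slide-45 table: each category High (3), Medium (2) or Low (1)."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def total(self) -> int:
        for value in self:
            if value not in (1, 2, 3):
                raise ValueError(f"DREAD categories are rated 1, 2 or 3, got {value}")
        return sum(self)


def rating(total: int) -> str:
    """Bucket a DREAD total (5..15). Cut-offs are an assumption; the deck only
    shows that 12 and 14 both rate High."""
    if total >= 12:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


# The two threats from the slide's table.
THREATS = {
    "Attacker obtains credentials": Dread(3, 3, 2, 2, 2),
    "Injection of SQL commands": Dread(3, 3, 3, 3, 2),
}


def rate_threats(threats: dict) -> list:
    """(name, total, rating) rows, highest total first, so the worst is worked first."""
    rows = [(name, d.total(), rating(d.total())) for name, d in threats.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def rerate(name: str, threats: dict, **changes: int) -> tuple:
    """Rating before and after a countermeasure changes some categories, e.g.
    encrypting the channel lowers Reproducibility and Exploitability of sniffing."""
    before = threats[name]
    after = before._replace(**changes)
    return rating(before.total()), rating(after.total())
```

Re-rating after a countermeasure is the useful half: the credential-theft row drops from High to Medium once sniffing is no longer easily reproducible or exploitable.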
  • 47. Summary
    Viewing security holistically combines the perspectives of people, processes and technologies, and requires ongoing research and education
    Security goals oppose those of usability
    The cost of protection is a factor that necessitates a risk assessment
    Processes such as OCTAVE allow for threat identification as well as cost-effectiveness analysis
    Lower security needs can be solved with cheaper, reactive approaches
    High security needs require more expensive, formal methods