Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

iDEAFest Enteprise InfoSec Program Lessons Learned

102 views

Published on

Presented at the http://ideafest2020.org/ conference on April 21, 2020

Published in: Technology
  • Be the first to comment

  • Be the first to like this

iDEAFest Enteprise InfoSec Program Lessons Learned

  1. 1. © Halfaker and Associates, LLC Lessons Learned Building an Enterprise Security Program April 21-22, 2020 Michael King
  2. 2. Protected 2  Context  Create a Program, not a Binder  Select Security Control Framework(s)  Define Outsourcing Philosophy  Design the Process Architecture  Prioritize Investments  Select Tech Stack  Design and Build the Team  Manage and Communicate Risk  Accelerate your InfoSec Program  Lessons We Learned Agenda
  3. 3. Protected 3 Context: About Halfaker  Halfaker and Associates (Halfaker, www.halfaker.com) is a midsize company, headquartered in Arlington  Halfaker creates, modernizes, integrates, and secures mission critical systems for Federal Government organizations  Halfaker is a fast-growing, midsize organization  Because of our support of Federal Government organizations, we have many Information Security compliance requirements (e.g. NIST 800-171, DoD CMMC, VA 6500, CMS ARS 3.1) Building an Enterprise Security Program Context: About Me  I’m a fan of certifications: PMP, PMI- ACP, SAFe® SA, ITIL  Want to follow up? – michael.king@halfaker.com – @mikehking (Twitter) – https://www.linkedin.com/in/mikehking  Halfaker CIO and CISO / Formerly with Lockheed Martin  Own IT, Information Security, and Process/Quality at Halfaker
  4. 4. Protected 4 Create a Program, not a Binder Do not think about an Information Security Program as just a set of policies, or just a stack of technologies! A comprehensive InfoSec program must have all these components: An InfoSec program is never “done” – think continuously not just on running the program (e.g. updating risks, reviewing SIEM dashboards), but also identifying where to invest in improvements (e.g. identifying holes or adding layers of ‘defense in depth’ maturity) Building an Enterprise Security Program Component Description Example Artifact(s) Governance and Strategy How the program is monitored, improved upon, and resourced (e.g. budgeted)  ISMS Manual  Security Program Charter  Roadmap  Goals and Metrics Policies and Processes Defines how the program is executed  Process Architecture  Traceable, comprehensive policies and processes Technology Tools and systems used  System Architecture  Service Catalog People Employees, partners, and vendors, and how they are organized/allocated  Defined roles and responsibilities
  5. 5. Protected 5 Select Security Control Framework(s)  There are many mature InfoSec Frameworks – do not try to create your own  Two framework types: – Program: Assess your InfoSec program (e.g. NIST CSF (see below), ISO 27001) – Controls: Baseline of implementation controls (e.g. ISO 27002, NIST 800-53, PCI, HIPAA)  Ideally, select a primary program framework and then a primary controls framework, and align with those  Consider using on an industry-specific framework (e.g. Healthcare using HITRUST, DoD Contractors using CMMC) Building an Enterprise Security Program
  6. 6. Protected 6 Select Security Control Framework(s) (continued)  If you don’t know where to start, start with CIS Top 20 (see Slide 9), then NIST CSF (most popular + free)  Don’t start with a fancy Governance, Risk, and Compliance (GRC) tool – start with a spreadsheet to identify posture (see https://info.expel.io/expel-self- scoring-tool-for-nist-csf)  Your Security Processes should align with, and be traceable, to your Security Framework(s) Building an Enterprise Security Program
  7. 7. Protected 7 Define Outsourcing Philosophy Decide your organization’s philosophy on Insourcing vs. Outsourcing how you design and execute your InfoSec Program Building an Enterprise Security Program  Virtual CISO (vCISO) to provide strategic direction  Security Program Policy Templates  Managed Security Service Provider (MSSP)  Lean team to set strategy, maintain expertise  Complement team with services like SOC as a Service and/or Managed Detection and Response (MDR) Outsource Hybrid Insource  Hire an InfoSec lead (e.g. CISO or Dir, InfoSec)  Manage a suite of best-in-breed technologies  Establish and staff a Security Operations Center (SOC) Where is your organization on this spectrum?
  8. 8. Protected 8 Design the Process Architecture  Be intentional with the design of your process architecture – start lean and think about the hierarchy of manuals, policies, and procedures, and how they are organized  Consider investing in a template package, for example: – https://certikit.com/products/cyber-essentials-toolkit/ – https://certikit.com/templates/iso-27001-toolkit/) Building an Enterprise Security Program Governance • Security Charter • Roles and Responsibilities • Strategic Plan and Roadmap • Risk Management Procedure • Communication Plan • POA&M Plan Policies • Acceptable Use Policy • Social Media Policy • Mobile Device Policy • Teleworking Policy • HR Security • Asset Security and Access Control Operations • Monitoring Procedures • Supplier Evaluation Program • Event Identification and Management Procedure • Incident Response Plan (IRP) Consider drawing your process asset structure out, like an org chart, to visualize the areas and design for future enhancements. Align with your primary framework(s) ▼ ISMS Manual
  9. 9. Protected 9 Prioritize Investments: CIS Controls (Top 20) Building an Enterprise Security Program
  10. 10. Protected 10 Prioritize Investments: Build Backlog based on Needs (See Example) Building an Enterprise Security Program 1. Know what you have (Spreadsheet or CMDB of equipment and applications) 2. Vulnerability Management 3. Define roles/responsibilities 4. Pick primary framework and assess current posture 5. Identify your top business risks 6. Multi-Factor Auth. for all Admins 7. Anti-Virus and Endpoint Encrypt. 8. Firewalls and Intrusion Detection 9. Audit logging and E-Discovery 10.Security awareness training 11.Identify gaps and track POA&Ms 12.Practice Incident Response 1. Secure Email Gateway 2. MFA for all users 3. Eliminate shared accounts 4. Log Analysis, SIEM, CASB, User Behavior Analytics, Data Loss Prevention 5. Establish Single Sign On (SSO) 6. Cloud Access Security Broker 7. Establish Sec. Ops Center / MSSP 8. Establish governance committee and change mngmt. board 9. Persistent VPN and Block USB 10.Practice Disaster Recovery 11.Move your compliance matrix from spreadsheet to GRC tool 1. Use tools like MITRE ATT&CK and OWAP Cyber Defense Matrix to inform your backlog of future improvements 2. Improve risk communication 3. Web Filtering/DNS Protection 4. Conduct pen tests 5. Conduct tabletop exercises 6. Identity Governance & Administration (IGA) solution (automate provisioning) 7. Key/Secrets Management 8. Conduct threat hunting 9. Mature Forensics capabilities Build the Foundation Mature Build Layered Defense
  11. 11. Protected 11 Building an Enterprise Security Program Select Tech Stack  Determine your philosophy: – Do you want simplicity (e.g. fewer systems, SaaS)? – Or do you want more control/ flexibility (e.g. best-of-breed systems, hosted on-site, highly-integrated systems)?  Focus on improving areas of weakness within your program/ infrastructure – do NOT listen to sales pitches without thinking in terms of your prioritized risks/issues  If you’re early in your information security maturity, focus on something simple like your NIST CSF self- assessment and attacking the red areas
  12. 12. Protected 12 Select Tech Stack  As you mature, consider investing time in assessing yourself against MITRE’s ATT&CK™ (https://attack.mitre.org/), where you can assess your posture against 12 attack tactics, which decompose into 283 specific attack types Building an Enterprise Security Program Initial Access (10 items) Execution (33 items) Persistence (58 items) Privilege Escalation (28 items) Defense Evasion (63 items) Credential Access (19 items) Discovery (20 items) Lateral Movement (17 items) Collection (13 items) Command and Control (21 items) Exfiltration (9 items) Impact (16 items) ATT&CK™ Matrix for Enterprise ▼
  13. 13. Protected 13 Design and Build the Team  Consider your insourcing/outsourcing approach  Early in an organization’s growth, they will likely dual-hat someone to own and oversee security, such as the IT leader  As an organization scales, they’ll need a head of security (e.g. CISO)  Determine how you want to structure your security personnel: – Centralized – enterprise-level, centralized function – Decentralized – distributed security personnel in individual business units/locations  As an organization scales, it should covers each of these security domains with personnel expertise/responsibilities/ownership: 1. Governance, Risk, and Strategy – Policy, Compliance, Strategy, Risk, Awareness, Business Continuity 2. Infrastructure Protection – Application security, data security, vulnerability management 3. Identity and Access Management – Identity Governance and Administration (IGA), Access Management 4. Security Operations – Monitoring and Detection, Incident Response, Threat Hunting, Vulnerability Assessment, Pen Testing, Red/Blue Teaming 5. Administrative Operations – e.g. Patch Management, System Administration, Change Management, Provisioning Building an Enterprise Security Program
  14. 14. Protected 14 Manage and Communicate Risk  Iteratively identify, capture, analyze, & update risks (use business vocab, not IT vocab)  Align budget requests and initiative selection/prioritization with risks to show business value  Do NOT use Fear, Uncertainty, and Doubt (FUD) – communicate in productive ways  Communicate your program’s posture/areas of weaknesses, based on a framework (e.g. CSF), and focus on threats/risks unique to your organization, not generic ones  Partner with business leaders – the head of InfoSec (e.g. CISO / Dir Infosec) should NOT own security risk, the business does, and the CISO helps facilitate/drive posture improvements  Your organization’s InfoSec risk exposure will never be zero! Building an Enterprise Security Program Current Risk Posture Target Risk Posture Low Maturity InfoSec Program High Maturity InfoSec Program
  15. 15. Protected 15 Accelerate your InfoSec Program 1. Assess your organization against NIST CSF using Expel.io scoring spreadsheet  https://info.expel.io/expel-self-scoring-tool-for-nist-csf 2. Build a central spreadsheet/database of all the equipment and software your organization owns/manages (or update it) 3. Enable MFA everywhere you can 4. Teach your employees to be suspicious 5. Separate admin access from your user accounts 6. Reduce/eliminate shared accounts (e.g. laptop login, email accounts) 7. Consider buying Information Security policy template package, such as https://certikit.com/products/cyber-essentials-toolkit/ 8. If you use cloud infrastructure (e.g. AWS, Azure), use configuration monitoring services, such as AWS Trusted Advisor or Cloud Security Posture Management solutions like , such as https://cloudcheckr.com/ 9. Consider investing in consulting/services (e.g. MSSP) to help you understand your gaps/blind spot and prioritize how you’ll improve Building an Enterprise Security Program
  16. 16. Protected 16 Lessons We Learned 1. Don’t confuse compliance and ‘real’ security – they’re related, not the same 2. Information Security is a fast-moving domain – don’t feel overwhelmed or depressed by your current gaps, focus on making a map/list and prioritizing it Building an Enterprise Security Program 3. “Step back” and look at all your possible areas for improvement and intentionally prioritize/stack-rank them based on attacking your most significant risks (not just what the industry says it the most important things, but the most important thing based on your business model) 4. Don’t chase the ‘shiny new technologies’ – the fundamentals of security are hard to do, and without them, the new things are irrelevant 5. Focus on the business risks – the InfoSec leader/team does NOT own information security risk, the business does! – Talk to business executives about their concerns and priorities, align with those! – Partner with business leaders, don’t try to take on their infosec risks
  17. 17. Protected 17 Questions? Slides will be published to https://www.slideshare.net/mikehking/ Want to follow up? michael.king@halfaker.com @mikehking (Twitter) https://www.linkedin.com/in/mikehking

×