Massively Scaled Security Solutions for Massively Scaled IT:SecTor 09
The US Federal Government is the world's largest consumer of IT products and, by extension, one of the largest consumers of IT security products and services. This talk covers some of the problems with security on such a massive scale; how and why some technical, operational, and managerial solutions are working or not working; and how these lessons can be applied to smaller-scale security environments.

Michael Smith, SecTor 2009: Massively Scaled Security Solutions for Massively Scaled IT

Who is Michael Smith?
- 8 years active duty Army
- Graduate of Russian basic course, Defense Language Institute, Monterey, CA
- DotCom survivor
- Infantryman, deployed to Afghanistan (2004)
- CISSP #50247 (2003), ISSEP (2005)
- Former CISO, Unisys Federal Service Delivery Center
- Currently a Manager in a Big Four firm

$75B IT Budget. That’s a lot of green stuff! (Photo by The Lizard Queen)

Caveat!
- Elephants don’t turn on a dime, and neither does the US Federal Government!

Federal Information Security Management Act
- Roles & Responsibilities (§ 3544(a))
  - Agency Head
  - CIO
  - Agency Security Officer
- Security Program (§ 3544(b))
  - Periodic risk assessments
  - Policies and procedures
  - Security plans
  - Security awareness training
  - Periodic testing & evaluation
  - Remediation activities
  - Incident response capabilities
  - Continuity of operations
- Annual Security Review (§§ 3544(c), 3545(e))
  - Determine sufficiency of security program
  - Independent Evaluation (e.g., IG)
  - Safeguard evaluation data
- Annual Reporting (§§ 3544(c), 3545(e))
  - Reports from CIO & IG
  - Report material weaknesses
  - Provide performance plans

The Standard Approach
- Break the elephant down into “bite-sized pieces”
- Group commonalities (common controls)
- Assess each piece: criticality, requirements, resulting risk
- Manage each piece individually
- Get better at securing each piece
- Caveat: each piece incurs overhead

Certification and Accreditation: IT Security in the SDLC (NIST SP 800-64)

HSPD-12
- “Standard” smartcard for federal employees
- Cards used for 2-factor authentication
- Set of standards for PKI, issuance, clearances, etc.
- Think “Reduced sign-on and dual-factor identification federated throughout 50+ enterprises”

Federal Desktop Core Configuration (FDCC)
- Based on Air Force desktop configurations
- Attempts to be a Government-wide Security Technical Implementation Guide (STIG)
- Needs automated evaluation tools
- Part of the Federal Acquisition Regulation
- http://fdcc.nist.gov/

Security Content Automation Protocol (SCAP)
- XML and protocols to exchange technical security information between products
- “Glue code” between the following data sets:
  - Common Vulnerabilities and Exposures (CVE)
  - Common Configuration Enumeration (CCE)
  - Common Platform Enumeration (CPE)
  - Common Vulnerability Scoring System (CVSS)
  - Extensible Configuration Checklist Description Format (XCCDF)
  - Open Vulnerability and Assessment Language (OVAL)
- More products certified weekly
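An added example (not from the talk or from any SCAP implementation) of the “glue” the slide describes: CPE names identify platforms, CVE records list affected CPEs, and CVSS scores rank what to fix first. The inventory, CVE identifiers and scores below are constructed placeholders, and the matching rule (an empty CPE field means “any”) is the example’s own simplification of CPE 2.2 matching.

```python
# Added example: correlating CPE, CVE and CVSS data the way an SCAP-aware
# tool does. Sample data is constructed; CVE ids and scores are placeholders.
from dataclasses import dataclass

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe(uri):
    """Parse a CPE 2.2 URI (e.g. cpe:/o:microsoft:windows_xp::sp3) into a dict.
    Empty or absent trailing fields mean "any" and are stored as None."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError("too many components: %r" % uri)
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return {k: (v.lower() or None) for k, v in zip(CPE_FIELDS, parts)}

def cpe_matches(pattern, target):
    """True if every field set in `pattern` equals that field in `target`.
    An unspecified (None) field in the pattern matches anything."""
    return all(pv is None or pv == target[k] for k, pv in pattern.items())

@dataclass
class Vuln:
    cve: str
    cvss: float
    affected: list  # CPE URIs taken from the CVE record

def prioritize(inventory, vulns):
    """Return (host, cve, cvss) for every affected host, highest CVSS first."""
    hits = []
    for host, cpe_uri in inventory.items():
        target = parse_cpe(cpe_uri)
        for v in vulns:
            if any(cpe_matches(parse_cpe(a), target) for a in v.affected):
                hits.append((host, v.cve, v.cvss))
    return sorted(hits, key=lambda h: (-h[2], h[0]))

# Constructed inventory and vulnerability records (placeholder CVE ids).
INVENTORY = {
    "ws01": "cpe:/o:microsoft:windows_xp::sp3",
    "ws02": "cpe:/o:microsoft:windows_vista:6.0:sp1",
    "srv01": "cpe:/o:redhat:enterprise_linux:5",
}
VULNS = [
    Vuln("CVE-0000-0001", 9.3, ["cpe:/o:microsoft:windows_xp"]),
    Vuln("CVE-0000-0002", 4.3, ["cpe:/o:microsoft:windows_xp::sp3", "cpe:/o:microsoft:windows_vista"]),
    Vuln("CVE-0000-0003", 7.2, ["cpe:/o:redhat:enterprise_linux:4"]),
]

if __name__ == "__main__":
    for host, cve, score in prioritize(INVENTORY, VULNS):
        print(f"{host:6} {cve} CVSS {score}")
```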
Trusted Internet Connections (TIC)
- Reduce Government Internet connections to 50
- Lowers the demand for skilled personnel
- Uses models from DoD and DHS
- Agencies share Internet connections
- In theory: simplifies protecting Internet connections Government-wide
- http://www.whitehouse.gov/omb/memoranda/fy2008/m08-05.pdf

EINSTEIN
- Run by DHS and US-CERT
- National-level security incident and event monitoring system
- Provides alerting and Government-wide threat trends
- Offered as a service to other agencies

Standard Convergence
- One Government-wide standard for security management
- DCID 6/3 retired in favor of SP 800-37 and 800-53
- DoDI 8500.2 still in place but “bridged” to the new convergent standards
- Transparent transition of people and process between civilian agencies, DoD components, and intelligence organizations

“Azimuth Check”
- Nobody knows where we’re going!
- Merging towards the center from regulation and technical solutions
- The enterprise gets the squeeze
- What about the pieces above the enterprise?
- We’re operating beyond the scope of traditional IT security doctrine, research, and products

My View of the World
- Each layer only knows the one above and below it
- Traditional IT security focuses on the Enterprise and Project layers

Existing Models of Management
- History lesson time: thought you were just here to learn about security?

United Nations (Photo by Wikimedia)

Public Accounting (Photo by Wikimedia)

Fast Food Franchises (Photo by ebruli)

Bolshevism (Photo by Wikimedia)

Stalingrad (Photo by Wikimedia)

Counterinsurgency / LIC / OOTW / SASO (Photo by rybolov)

Observations and Truthinesses
- Control vs. audit burdens
- Skill of the constituency
- Need a security professional at each layer
- Is it all just a matter of centralized vs. decentralized?

The Models Begat More Questions…
- At what layer do you address a specific problem?
- Can a specific solution “scale up” to the Federation/Community layer?
- How do I get “clueful” people at each layer?
- How do I communicate between layers?

The Cybertastic Future: Management
- Use the Enterprise, Project, and Integration layers
- Start in bite-sized pieces and consolidate wherever possible
- Need “clueful” people at all layers
- Organization at the Federation layer for self-regulation; some people are already doing it

The Cybertastic Future: Process
- How do you keep from getting squeezed in the middle?
- If it’s a pain for you, it probably is for others and can be scaled up
- How do we get information up to the higher layers so they can make a decision?

The Cybertastic Future: Vendors
- Support multiple 10-dot networks
- Products that tier between layers
- Federation and data import/export between products
- Compatibility with initiatives

Questions, Comments, or War Stories?
- http://www.guerilla-ciso.com/
- rybolov(a)ryzhe.ath.cx