The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrightTALK.
Security models for security architecture
1. Security models for improving your organization's defence posture and strategy
Vladimir Jirasek
Blog: JirasekOnSecurity.com
Bio: About.me/jirasek
9th Nov 2011
2. About me
• Security professional (11 years)
• Founding member and steering group member of CAMM (Common Assurance Maturity Model), common-assurance.com
• Director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
3. Topics I will cover today
• Security model for information security
• Security policy structure
• Security processes
• Security technology stack
• Security metrics for organisations
4. Security model – business drives security
[Diagram, flattened] A cycle of four stages: define security controls; execute security controls; measure security controls maturity; correction of security processes (security management).
• Drivers: business objectives, laws & regulations, compliance requirements, international security standards, security threats, external security metrics
• Frameworks: policy framework (information security policies), process framework (information security processes; people, technology, program management), metrics framework (information security metrics, published through a security metrics portal)
• Artefacts: information security artefacts, security intelligence, governance
• Stakeholders informed: CEO & Board, line management, product management, risk & compliance, auditors, security professionals
5. Information Security Policy framework
[Diagram, flattened] Layers from business to technology, each with its owner:
• CISO – business and security objectives → Information Security Policy, with a Data classification policy and an Employee Acceptable Use Policy
• CIO – security objectives → Information Technology Security Policy
• IT Security Architecture – IT security standards [reuse internationally accepted controls]
• Technical teams – technology controls and security processes, architecture repository, security processes guidelines
6. Relationship between business objectives and security processes
[Diagram, flattened] Business objectives BO1–BO3 map to security objectives SO1–SO5, which map to security controls C1–C11 (drawn from international standards); the controls are grouped into security processes P1–P4, shown alongside business processes B1–B3. On the slide BO1 links to SO1 and SO2, BO2 to SO3, and BO3 to SO4 and SO5; SO1 covers C1–C3, SO2 C4–C5, SO3 C6–C7, SO4 C8–C9 and SO5 C10–C11.
The chain provides the response to two questions: "Do we have all business risks covered?" and "Why are we doing this?"
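Added example (Python, not from the presentation): the slide 6 chain as a small traceability model that answers both questions programmatically. The specific links between BO, SO, C and P are assumptions read off the diagram, and P_TO_C is constructed so that some controls have no process behind them.

```python
from collections import defaultdict

# Links below are read off the slide 6 diagram and are an assumption about
# which boxes connect; replace them with your own policy/control register.
BO_TO_SO = {"BO1": ["SO1", "SO2"], "BO2": ["SO3"], "BO3": ["SO4", "SO5"]}
SO_TO_C = {"SO1": ["C1", "C2", "C3"], "SO2": ["C4", "C5"], "SO3": ["C6", "C7"],
           "SO4": ["C8", "C9"], "SO5": ["C10", "C11"]}
# Security processes and the controls they actually run (constructed: P3/P4
# only run C10/C11, so C4, C5, C8 and C9 have no process behind them).
P_TO_C = {"P1": ["C1", "C2", "C3"], "P2": ["C6", "C7"], "P3": ["C10"], "P4": ["C11"]}


def invert(mapping):
    """Turn {parent: [children]} into {child: [parents]}."""
    inv = defaultdict(list)
    for parent, children in mapping.items():
        for child in children:
            inv[child].append(parent)
    return inv


def uncovered_business_objectives(bo_to_so=BO_TO_SO, so_to_c=SO_TO_C, p_to_c=P_TO_C):
    """'Do we have all business risks covered?' Returns, per business
    objective, the security objectives none of whose controls any process runs."""
    implemented = {c for cs in p_to_c.values() for c in cs}
    gaps = {}
    for bo, sos in bo_to_so.items():
        broken = [so for so in sos
                  if not any(c in implemented for c in so_to_c.get(so, []))]
        if broken:
            gaps[bo] = broken
    return gaps


def justify_control(control, bo_to_so=BO_TO_SO, so_to_c=SO_TO_C):
    """'Why are we doing this?' Walk a control back to the business objectives
    it serves; an empty list means the model does not justify the control."""
    c_to_so, so_to_bo = invert(so_to_c), invert(bo_to_so)
    return sorted({bo for so in c_to_so.get(control, [])
                   for bo in so_to_bo.get(so, [])})


def orphan_controls(so_to_c=SO_TO_C, p_to_c=P_TO_C):
    """Two gap lists: controls an objective requires that no process runs,
    and controls a process runs that no objective requires."""
    needed = {c for cs in so_to_c.values() for c in cs}
    implemented = {c for cs in p_to_c.values() for c in cs}
    return sorted(needed - implemented), sorted(implemented - needed)


if __name__ == "__main__":
    print("coverage gaps:", uncovered_business_objectives())
    print("C6 is justified by:", justify_control("C6"))
    print("unimplemented / unjustified:", orphan_controls())
```

The second list from orphan_controls is the check the speaker notes describe: a technology that supports no security process, and so no objective, is not justified.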
7. Sources of security controls
• ISO 27000 series
• ISF Standard of Good Practice 2011
• PCI DSS
• NIST SP 800-53
• COBIT 4
• SANS 20 critical controls
8. Security technology stack
Layers (top to bottom): GRC; Information & Event Management; Identity, Entitlement, Access; Data Security; Cryptography; Application Security; Host Security; Network Security; Physical Security.
• Organise security reporting around the stack
• For each layer prepare current state, target state analysis and roadmap
9. Security stack::Network
• Network firewalls
• VPN gateways
• Network Intrusion Detection/Prevention
• DDoS
• WiFi security
• Network Access Control
• DNS Security
• Web, Email & IM filtering
10. Network security relationships
[Diagram, flattened] Network security at the centre, linked to the other layers:
• Data security – monitor and control data flows on network
• Host security – interconnect hosts on network; establish secure channel; control hosts on network
• Identity and Access – use identity; retrieve access control
• Application security – monitor and control applications running on network
• Security event management – send security logs; detect security incidents
• Cryptography – key management; crypto offload
12. Host security relationships
[Diagram, flattened] Host security at the centre, linked to the other layers:
• Network security – monitor and filter restricted data
• Data security – protects data at rest
• Application security – protect integrity of applications
• Identity and Access domain – use identity; retrieve access control
• Security event management – send security logs; detect security incidents
• Cryptography domain – key management
13. Security stack::Application
• Code reviews/scanning – binary and source
• Security sensors (AppSensor)
• Web application scanning
• Penetration testing
• Web protection (WAF)
Application Security Services throughout a lifecycle [chart, flattened]: the number of flaws and vulnerabilities and the cost to remediate are plotted against the lifecycle stages E1 to E5 and EOL; the services applied along the lifecycle are Binary Code Analysis, IT Security Assessment, Web Application Scanning and Web Application Protection.
15. Security stack::Data
• Data classification
• Email encryption
• File encryption
• Document Rights Management
• Data Leakage protection
• Watermarking
• End point encryption
• Database security
16. Data security relationships
[Diagram not recovered from the slide]
17. Security stack::IAEM
• Principal management
• Account provisioning
• Rights management
• Directories
• Single sign on and Federation
• Authorisation
• Role and rights auditing
• 2nd factor authentication
20. Cryptography relationships
[Diagram, flattened] Cryptography at the centre, linked to the other layers:
• Data security – store encryption keys; email certificates
• Host security – disk encryption
• Identity and Access – certificates for authentication
• Security event management – digital signatures of log files; encryption of sensitive logs
• Application security – application signing; encrypted and signed application communication
• Network security – IPSec VPN; SSL VPN, SSL split tunnel
21. Security stack::SIEM
• Collection of security relevant logs
• Archiving – retention
• Correlation with other data sources
• Acting on security information
• Ideal to use MSSP
22. SIEM relationships
[Diagram, flattened] Security event management collects, analyses and reacts on security events from every layer (Identity and Access, Data security, Network security, Cryptography, Application security) and collects security configuration from the CMDB.
23. Security metrics characteristics
• Measurable
• Objective
• Quantitative (ideally)
• Meaningful
• With KPIs attached – know what is good and bad
• Linked to business objectives – money speaks
24. Metrics for CIO – Policy compliance and control maturity
Policy statement | IT Unit A | IT Unit B | IT Unit C | Overall IT
Governance       | 3         | 3.5       | 2         | 3
Awareness        | 3         | 4         | 3         | 3.5
Development      | N/A       | 2         | 1         | 1.5
Hardening        | 4         | N/A       | 2         | 3
Network          | N/A       | N/A       | 3         | 3
End devices      | 2         | 2         | 3         | 2
Overall          | 3 (£3m)   | 3 (100k)  | 2 (£10m)  | 3 (£13.1m)
25. Metrics for CIO – Maturity of controls for business processes/services
Invest in IT service to lower the VaR
IT Service     | Maturity | VaR for Business process A | VaR for Business process B | VaR for Business process C | VaR for IT service
IT Service 1   | 2        | £1m                        | £2m                        | £1m                        | £4m
Infrastructure | 3        | £1m                        | £3m                        | £10m                       | £14m
IT Service 2   | 3        | £0.5m                      | N/A                        | £20m                       | £20.5m
IT Service 3   | 4        | N/A                        | £100k                      | £500k                      | £600k
Overall        |          | £2.5m                      | £5.1k                      | £31.5m                     | £39.1m
26. Summary
• Business drives security
• Reuse good content from information security community
• Security policy framework – target audience, think of implementation
• Link security metrics to policy which is linked to business objectives
• All rounded security controls – good prevention against cyber threats
Editor's Notes
This model is used to link the security technologies reference model and blueprints to business requirements. All security technology must support at least one information security process, otherwise it should not be deployed. By linking requirements to policies, to processes and to technologies we can be assured that the technologies we deploy are justifiable and, at the same time, we know there should be no gaps. Information Security is a journey, not a project, and needs to be treated accordingly. The Information Security Policy is driven by business, legal and regulatory requirements, which then mandate what security processes must and should be implemented. The IT Security policy is based on the ISF Standard of Good Practice (SoGP), which maps to major regulatory and international standards. Security processes are run by People using Technology and report to the Information Security Centre, where data is correlated, normalised and made available for management decisions, all at the appropriate level of detail for the audience. The effectiveness of security processes is measured by internal security metrics that are based on accepted best-practice metrics, hence Nokia's information security status can be compared with other companies.
Why an infosec policy and then an IT sec policy: the IT sec policy is for the CIO/CTO. Architecture repository -
Examples of business objectives – increase market share by adopting e-commerce, increase output in factories by 20%. Examples of security processes: security controls can span more than one security process, and security processes typically cover multiple controls.
Areas support each other; all feed into SIEM and GRC.
Network firewalls – ideally application-session aware; audit the configuration. VPN gateways – linked to the IAEM platform, Network Access Control, application streaming. Network Intrusion Detection/Prevention – physical and virtual, linked to the CMDB, vulnerability data and logging. DDoS – protecting against flooding but also application-specific DoS.