Security models for security architecture


The presentation should help security professionals create a security architecture that supports business objectives, covers all areas of security technology, and allows effective measurement of security value.
The presentation was given at BrightTALK.


1. SECURITY MODELS FOR IMPROVING YOUR ORGANIZATION'S DEFENCE POSTURE AND STRATEGY
   Vladimir Jirasek
   Blog: JirasekOnSecurity.com
   Bio: About.me/jirasek
   9th Nov 2011

2. About me
   • Security professional (11 years)
   • Founding member and steering group member of the Common Assurance Maturity Model (CAMM, common-assurance.com)
   • Director, CSA UK & Ireland
   • I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)

3. I will cover topics today
   • Security model for information security
   • Security policy structure
   • Security processes
   • Security technology stack
   • Security metrics for organisations

4. Security model – business drives security
   [Diagram: security management model. Labels recovered: CEO & Board; Line Management; Product Management; Information Security Professionals; Auditors; International security standards; Process framework; Governance framework; Policy framework; Metrics framework; Information Security Policies, Processes and Metrics; Laws & Regulations; Technology Drivers; Security Rules, People, Metrics Portal; Compliance Program requirements; Risk & Compliance Management; Information Security Artefacts; Define security objectives; Define security controls; Execute security controls; Measure security controls maturity; Security threats intelligence; External security metrics; Correction of security processes.]

5. Information Security Policy framework
   [Diagram, three tiers:
   CISO – Business and Information Security Policy (security objectives); Data classification policy; Employee Acceptable Use Policy
   CIO – Information Technology Security Policy (security objectives); IT Security Architecture: IT security standards [reuse internationally accepted controls]
   Technology teams – Controls and processes repository; Technical security architecture; Security processes guidelines]

6. Relationship between business objectives and security processes
   [Diagram: Business objectives BO1–BO3 (supported by business processes B1–B3) → Security objectives SO1–SO5 → Controls C1–C11 (drawn from international standards) → Security processes P1–P4. Reading from business objectives towards controls answers "Do we have all business risks covered?"; reading from security processes back to business objectives answers "Why are we doing this?"]
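A small traceability check for the chain on slide 6, as an added example that is not part of the original presentation: it links the slide's BO/SO/C/P labels with assumed edges (BO4 and C12 are constructed to show a gap at each end of the chain) and answers both of the slide's questions from the same data.

```python
from collections import defaultdict

# Constructed sample chain using the slide's labels; links are assumed for
# illustration. BO4 and C12 are added deliberately to show the two gap kinds.
LAYERS = {
    "business objective": ["BO1", "BO2", "BO3", "BO4"],
    "security objective": ["SO1", "SO2", "SO3", "SO4", "SO5"],
    "control": ["C%d" % i for i in range(1, 13)],
    "security process": ["P1", "P2", "P3", "P4"],
}
LINKS = [
    ("BO1", "SO1"), ("BO1", "SO2"), ("BO2", "SO3"), ("BO3", "SO4"), ("BO3", "SO5"),
    ("SO1", "C1"), ("SO1", "C2"), ("SO1", "C3"), ("SO2", "C4"), ("SO2", "C5"),
    ("SO3", "C6"), ("SO3", "C7"), ("SO4", "C8"), ("SO4", "C9"),
    ("SO5", "C10"), ("SO5", "C11"),
    ("C1", "P1"), ("C2", "P1"), ("C3", "P1"), ("C4", "P1"), ("C5", "P1"),
    ("C6", "P2"), ("C7", "P2"), ("C8", "P3"), ("C9", "P3"), ("C10", "P3"),
    ("C11", "P4"), ("C12", "P4"),
]

def build(links):
    """Adjacency in both directions: fwd = downstream, back = upstream."""
    fwd, back = defaultdict(set), defaultdict(set)
    for src, dst in links:
        fwd[src].add(dst)
        back[dst].add(src)
    return fwd, back

def gap_report(layers=LAYERS, links=LINKS):
    """Left-to-right: 'Do we have all business risks covered?' -> items with
    nothing downstream. Right-to-left: 'Why are we doing this?' -> items with
    nothing upstream that justifies them."""
    fwd, back = build(links)
    names, report = list(layers), {}
    for i, layer in enumerate(names):
        if i < len(names) - 1:
            report[layer + " not covered"] = [n for n in layers[layer] if not fwd[n]]
        if i > 0:
            report[layer + " not justified"] = [n for n in layers[layer] if not back[n]]
    return report

def why(item, layers=LAYERS, links=LINKS):
    """Walk upstream from a control or process to the business objectives it serves."""
    _, back = build(links)
    seen, stack = set(), [item]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(back[node])
    return sorted(seen & set(layers["business objective"]))
```

With the sample data, `gap_report()` flags BO4 as a business objective with no security objective behind it and C12 as a control nobody can justify, while `why("P3")` traces that process back to BO3.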
7. Sources of security controls
   • ISO 27000 series
   • ISF Standard of Good Practice 2011
   • PCI DSS
   • NIST SP 800-53
   • CObIT 4
   • SANS 20 critical controls

8. Security technology stack
   Layers, top to bottom: GRC; Information & Event Mgmt; Identity, Entitlement, Access; Data Security; Cryptography; Application Security; Host Security; Network Security; Physical Security.
   • Organise security reporting around the stack
   • For each layer prepare current and target state analysis and a roadmap

9. Security stack::Network
   • Network firewalls
   • VPN gateways
   • Network Intrusion Detection/Prevention
   • DDoS
   • WiFi security
   • Network Access Control
   • DNS Security
   • Web, Email & IM filtering

10. Network security relationships
   [Diagram: Data security – monitor and control data flows on network. Host security – interconnect hosts on network; control hosts on network. Identity and Access – use identity; retrieve access control. Application security – monitor and control applications running on network. Security event management – send security logs; detect security incidents. Cryptography – key management; crypto offload; establish secure channel.]

11. Security stack::Host
   • Configuration compliance
   • Patch management
   • Vulnerability scanning
   • Anti-malware
   • Application control
   • Location awareness
   • Device control
   • Trusted execution protection

12. Host security relationships
   [Diagram: Network security. Data security – protects data at rest; monitor and filter restricted data. Application security – protect integrity of applications. Identity and Access domain – use identity; retrieve access control. Security event management – send security logs; detect security incidents. Cryptography domain – key management.]

13. Security stack::Application
   • Code reviews/scanning – binary and source
   • Security sensors (AppSensor)
   • Web application scanning
   • Penetration testing
   • Web protection (WAF)
   [Chart: Application Security Services throughout a lifecycle. Axes: number of flaws and vulnerabilities, cost to remediate; lifecycle stages E1–E5 and EOL. Services plotted: Binary Code Analysis, IT Security Assessment, Web Application Scanning, Web Application Protection.]

14. Application security relationships
   [Diagram: relationships between application security and the other stack layers]

15. Security stack::Data
   • Data classification
   • Email encryption
   • File encryption
   • Document Rights Management
   • Data Leakage protection
   • Watermarking
   • End point encryption
   • Database security

16. Data security relationships
   [Diagram: relationships between data security and the other stack layers]

17. Security stack::IAEM
   • Principal management
   • Account provisioning
   • Rights management
   • Directories
   • Single sign on and Federation
   • Authorisation
   • Role and rights auditing
   • 2nd factor authentication

18. IAEM relationships
   [Diagram: Identity and Access provides authentication and authorisation services to network security, host security, data security and application security. Security event management – send security logs; detect security incidents. Cryptography domain – key management.]

19. Security stack::Cryptography
   • Key generation
   • Key escrow
   • Host and Network HSM
   • Certificate management & PKI

20. Cryptography relationships
   [Diagram: Data security – store encryption keys; email certificates. Host security – disk encryption; certificates for authentication. Identity and Access. Security event management – digital signatures of log files; encryption of sensitive logs. Application security – application signing; encrypted and signed application communication. Network security – IPSec VPN; SSL VPN; SSL split tunnel.]

21. Security stack::SIEM
   • Collection of security relevant logs
   • Archiving – retention
   • Correlation with other data sources
   • Acting on security information
   • Ideal to use MSSP

22. SIEM relationships
   [Diagram: Security event management collects, analyses and reacts on security events from Identity and Access, Data security, Network security, Cryptography and Application security; the CMDB supplies security configuration.]

23. Security metrics characteristics
   • Measurable
   • Objective
   • Quantitative (ideally)
   • Meaningful
   • With KPIs attached – know what is good and bad
   • Linked to business objectives – money speaks

24. Metrics for CIO – Policy compliance and control maturity
   Policy statement | IT Unit A | IT Unit B | IT Unit C | Overall IT
   Governance       | 3         | 3.5       | 2         | 3
   Awareness        | 3         | 4         | 3         | 3.5
   Development      | N/A       | 2         | 1         | 1.5
   Hardening        | 4         | N/A       | 2         | 3
   Network          | N/A       | N/A       | 3         | 3
   End devices      | 2         | 2         | 3         | 2
   Overall          | 3 (£3m)   | 3 (£100k) | 2 (£10m)  | 3 (£13.1m)

25. Metrics for CIO – Maturity of controls for business processes/services
   Invest in IT service to lower the VaR.
   IT Service     | IT Maturity | VaR for business process A | VaR for business process B | VaR for business process C | VaR for IT service
   IT Service 1   | 2           | £1m                        | £2m                        | £1m                        | £4m
   Infrastructure | 3           | £1m                        | £3m                        | £10m                       | £14m
   IT Service 2   | 3           | £0.5m                      | N/A                        | £20m                       | £20.5m
   IT Service 3   | 4           | N/A                        | £100k                      | £500k                      | £600k
   Overall        |             | £2.5m                      | £5.1k                      | £31.5m                     | £39.1m

26. Summary
   • Business drives security
   • Reuse good content from the information security community
   • Security policy framework – target audience, think of implementation
   • Link security metrics to policy, which is linked to business objectives
   • All-round security controls – good prevention against cyber threats