5. #WBInsights15
Plan, Design and Implement
Plan and Design
• Asset Patch Management
• Written Information Security Policy
• Security and Compliance/Incident Management Handbook
• Multi-layer Approach
• Roadmap
Implement
• Phased roll-out
• Test group before organization
7.
Detect and Remediate
Detect
• Do you know who is accessing your network?
• Do you know who is accessing and changing files?
• Do you know when your users are logging in and out? From where?
Remediate
• What are you doing to remediate your findings?
• Is there an action plan or incident management policy on what to do, and a clear understanding of who is accountable for making sure it gets done?
Introduce the topic and emphasize that the core principles are the same across all governing bodies.
JD – Cover the overview: define what needs to be done, deploy what is needed, then execute.
DH – Introduce myself, 15 years, etc.
What we do with current clients and who our clients are: provide security knowledge, vulnerability assessments, policy reform, etc.
Co-Source IT and IT Security
Security staffing ratios – some say 1:20 and some say 1:100 to be effective. Understand where you fall and ask yourself whether someone is really being held accountable for security.
Understand that it takes a process. Rome was not built in a day, and there is no finish line.
We are not about to talk about a bulletproof vest.
Importance of proper assessment.
Risk - What are our risks? What type of data do we have? What is our exposure? What data are we worried about?
Partner with someone who tracks what is trending in security.
Compliance – credit cards: PCI DSS; medical: HIPAA.
Vulnerability assessment – have you run one? Internal and external; patching.
Policy – do you have an active policy and procedure process?
Current security controls – understand what you already have.
Understand what can hurt the business; maybe it is not data but operational cost.
Asset patch management – you cannot patch what you have not inventoried; know your assets first.
Written Information Security Policy – so that employees understand the policy, and so that signed acknowledgment covers the company legally.
Security and Compliance/Incident Management Handbook – the how-to manual for your security products and for handling security breaches, incidents, etc.
Multi-layer approach – network (IDS/IPS), host (AV/HIDS) and user level (content filtering, training, endpoint encryption).
Roadmap – Rome wasn't built in a day. How will you close the gaps? Set realistic expectations.
Implement – phased roll-out, with a test group before rolling out to the organization.
Devise a multi-layer approach. If you're relying on a single layer of defense you are not protected. Alabama defense example.
Network level – firewalls at the edge and internal/wireless; IPS/IDS (intrusion prevention/detection systems).
Host level – AV, event monitoring, content filtering, hard drive encryption, patch management.
User level – training and content filtering. Cryptolocker – how to block it.
Data in transit – email encryption; SSH (SFTP/SCP) for file transfers.
Remote access – two-factor authentication.
BYOD – smartphones/tablets (email encryption).
Detect – this is your IPS/IDS, SIEM, log management, etc. This used to be enterprise-only. Not anymore: prices have come down and requirements have gone up.
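The three "do you know" questions from the Detect slide (who is logging in, when, from where) are answerable from logs you already have. The script below is an added example, not the presenters' material or any product's code: it parses a few constructed sshd-style syslog lines (the hostnames, users and addresses are made up), builds a per-user login/logout summary, and flags what a small shop would want a SIEM rule for: logins from outside the assumed office network 10.1.0.0/16, logins outside assumed business hours (07:00-19:00), and repeated failed passwords from one source.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample log lines (sshd/syslog style); not real data.
SAMPLE_LOG = """\
Mar  3 08:12:01 fileserver sshd[2101]: Accepted password for alice from 10.1.20.14 port 51022 ssh2
Mar  3 08:55:40 fileserver sshd[2101]: Disconnected from user alice 10.1.20.14 port 51022
Mar  3 09:03:17 fileserver sshd[2340]: Accepted publickey for bob from 10.1.20.77 port 40112 ssh2
Mar  3 23:41:09 fileserver sshd[2788]: Accepted password for alice from 203.0.113.45 port 39907 ssh2
Mar  4 02:15:33 fileserver sshd[2790]: Failed password for root from 198.51.100.9 port 55001 ssh2
Mar  4 02:15:36 fileserver sshd[2790]: Failed password for root from 198.51.100.9 port 55001 ssh2
Mar  4 02:15:40 fileserver sshd[2790]: Failed password for root from 198.51.100.9 port 55001 ssh2
"""

# Assumptions for the checks (adjust to your environment).
OFFICE_NETS = [ipaddress.ip_network("10.1.0.0/16")]  # assumed internal range
BUSINESS_HOURS = (7, 19)                              # assumed 07:00-19:00 local
FAILED_THRESHOLD = 3                                  # failures from one source before alerting
LOG_YEAR = 2015                                       # syslog timestamps omit the year

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Accepted \w+ for|Failed password for|Disconnected from user) "
    r"(?P<user>\S+) (?:from )?(?P<ip>\d+\.\d+\.\d+\.\d+)"
)
KIND = {"Accepted": "login", "Failed": "failed", "Disconnected": "logout"}


def parse_line(line):
    """Turn one sshd line into an event dict, or None if it is not an auth event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "kind": KIND[m["event"].split()[0]],
            "user": m["user"], "ip": m["ip"]}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def login_summary(events):
    """Who logged in, when, from where: {user: [[login, logout or None, ip], ...]}."""
    sessions = {}
    for e in events:
        if e["kind"] == "login":
            sessions.setdefault(e["user"], []).append([e["time"], None, e["ip"]])
        elif e["kind"] == "logout":
            # Close the oldest still-open session for this user/source pair.
            for s in sessions.get(e["user"], []):
                if s[2] == e["ip"] and s[1] is None:
                    s[1] = e["time"]
                    break
    return sessions


def find_anomalies(events):
    """Return (reason, user, ip, time) tuples worth a ticket."""
    findings, failed = [], {}
    for e in events:
        ip = ipaddress.ip_address(e["ip"])
        if e["kind"] == "login":
            if not any(ip in net for net in OFFICE_NETS):
                findings.append(("external login", e["user"], e["ip"], e["time"]))
            if not BUSINESS_HOURS[0] <= e["time"].hour < BUSINESS_HOURS[1]:
                findings.append(("off-hours login", e["user"], e["ip"], e["time"]))
        elif e["kind"] == "failed":
            key = (e["user"], e["ip"])
            failed[key] = failed.get(key, 0) + 1
            if failed[key] == FAILED_THRESHOLD:   # alert once, when the threshold is hit
                findings.append(("repeated failed logins", e["user"], e["ip"], e["time"]))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, sess in login_summary(evts).items():
        for login, logout, ip in sess:
            print(f"{user:6} {ip:15} in {login:%m-%d %H:%M} out {logout:%m-%d %H:%M}" if logout
                  else f"{user:6} {ip:15} in {login:%m-%d %H:%M} out (still open)")
    for reason, user, ip, when in find_anomalies(evts):
        print(f"ALERT {when:%m-%d %H:%M} {reason}: {user} from {ip}")
```

Every alert this produces is only useful if someone owns the queue it lands in; the thresholds and networks above are the tuning knobs, and the accountability is the Remediate slide.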
Detection is great, but do you have the remediation or action plan to follow when a detection fires? Incident management plans.
Remediation – we spend time identifying weaknesses but do not hold anyone accountable for remediating them.
Remediate – this is your action plans, incident management, etc.
Who is checking? Detect missing patches – 88% of attackers are on known vulnerabilities, and 44% of those are on patches two years old or older.
What process or product is providing the information?
Are there clear workflows and incident management plans for what to do with the information you are getting back? Events, users, actions?
Who is accountable for the results coming back and for ensuring they are addressed?
If someone has this as a secondary role it will always take a back seat, which is what usually gets us out of whack. That is where automated systems or monitoring pick up.
The reporting piece of the proven process gives you metrics on what is and is not working in your security practice.
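The patch-age point and the reporting point both come down to one question per asset: is a known fix missing longer than we said we would tolerate, and who owns it? The script below is an added example, not the presenters' material or any vendor's tool: it takes a constructed asset inventory (hostnames, owners and patch release dates are made up), applies assumed remediation SLAs per severity, and produces the metrics a monthly report would carry, including the two-years-and-older count and the assets nobody is accountable for.

```python
from datetime import date

# Assumptions: report date, remediation SLAs per severity, and the "old patch" cutoff.
AS_OF = date(2015, 3, 4)
SLA_DAYS = {"critical": 14, "important": 30}
TWO_YEARS = 730

# Constructed inventory: each asset lists (release date, severity) of fixes it still lacks.
INVENTORY = [
    {"host": "web01",      "owner": "alice", "missing_patches": [("2015-01-13", "critical")]},
    {"host": "web02",      "owner": "alice", "missing_patches": []},
    {"host": "fileserver", "owner": "bob",   "missing_patches": [("2012-10-09", "critical"),
                                                                ("2015-02-10", "important")]},
    {"host": "hr-laptop",  "owner": None,    "missing_patches": [("2014-06-10", "important")]},
]


def patch_age_days(released, as_of=AS_OF):
    """Days a fix has been available and not applied."""
    return (as_of - date.fromisoformat(released)).days


def compliance_report(inventory, as_of=AS_OF, sla=SLA_DAYS):
    """Roll the inventory up into the numbers that go on the monthly report."""
    report = {"assets": len(inventory), "compliant": 0, "older_than_2y": 0,
              "oldest_missing_days": 0, "overdue_hosts": [], "by_owner": {}}
    for asset in inventory:
        owner = asset["owner"] or "UNASSIGNED"          # no owner means no one is accountable
        o = report["by_owner"].setdefault(owner, {"assets": 0, "overdue": 0})
        o["assets"] += 1
        overdue = False
        for released, severity in asset["missing_patches"]:
            age = patch_age_days(released, as_of)
            report["oldest_missing_days"] = max(report["oldest_missing_days"], age)
            if age > TWO_YEARS:
                report["older_than_2y"] += 1
            if age > sla[severity]:
                overdue = True
        if overdue:
            o["overdue"] += 1
            report["overdue_hosts"].append(asset["host"])
        else:
            report["compliant"] += 1
    report["compliant_pct"] = round(100 * report["compliant"] / report["assets"], 1)
    return report


def format_report(report):
    lines = [f"Patch compliance: {report['compliant']}/{report['assets']} assets "
             f"within SLA ({report['compliant_pct']}%)",
             f"Missing patches older than two years: {report['older_than_2y']}",
             f"Oldest missing patch: {report['oldest_missing_days']} days"]
    for owner, o in sorted(report["by_owner"].items()):
        lines.append(f"  {owner:10} assets={o['assets']} overdue={o['overdue']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compliance_report(INVENTORY)))
```

Run it against last month's numbers as well as this month's and the trend is the metric: the compliant percentage should climb, the two-year bucket should reach zero, and the UNASSIGNED row should disappear because every asset got an owner.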
It gives you a place to go back to.
Closing –
Next steps – gather your team, whether in-house or co-sourced, and devise a plan. Make sure you are accounting for availability of resources.
Start prioritizing threats and produce your move-forward roadmap.
Everyone is open to these attacks: big, small, financial, non-financial. Internet means risk.
No one wants to spend the money. There is no direct ROI. It is like buying insurance: the risk is real, and we decide either to ignore it or to act on it. Put it on the budget.
People have a tendency to shop on logic and purchase on emotion.
The money spent in the end costs a lot more than it would have up front. We have had customers call us after an attack while losing money by the hour.
Cryptolocker being the main one. There are best practices to stop it, but they have to be in place.
Check with vendors on patches. Have your staff give you reports on where you stand.