The Future Is SECURITY THAT MAKES A DIFFERENCE Implementing the 20 Critical Controls
Introduction
Security is an evolution. Understanding the benefits of the 20 Critical Controls and knowing how to implement them is key:
  - The controls are prescriptive
  - The controls can be automated
Getting Started With Implementation
What do you need?
  - What am I trying to protect?
  - What are my gaps?
  - What are my priorities?
  - Where can I automate?
  - How can my vendor partners help?
  - Where can I learn more?
Data Driven Decisions
[Figure: bar chart of Control 1, 2, 3 and 4 scores plotted alongside number of breaches for Project 1 through Project 7; vertical axis 0 to 90]
Track Progress
[Figure: line chart of Project 1 and Project 2 progress by month, January through December; vertical axis 0 to 6]
Understand the Environment
[Figure: network map of the 10.10.5.x subnet (hosts 10.10.5.3, 10.10.5.9, 10.10.5.10) with per-host finding counts; annotated findings: Sendmail 8.12.10 with EXPN and VRFY allowed, Apache 1.3.26 input buffer overflow]
Rule 1: Fix the Problem, Not the Symptoms
Critical Controls starting point:
  - Critical Control 20: Penetration Test
  - Critical Control 4: Continuous Vulnerability Assessment and Remediation
Understanding the Problem
Source: PrivacyRights.org (updated weekly). Here are some breaches that were reported (most are not); just a small sample (organization, records breached, date):
  - Heartland Payment Systems (130+ million, 1/2009)
  - Oklahoma Dept of Human Services (1 million, 4/2009)
  - Oklahoma Housing Finance Agency (225,000, 4/2009)
  - University of California (160,000, 5/2009)
  - Network Solutions (573,000, 7/2009)
  - U.S. Military Veterans Administration (76 million, 10/2009)
  - BlueCross BlueShield Assn. (187,000, 10/2009)
Rule 2: Understand the Problem
Critical Controls starting point:
  - Critical Control 1: Inventory of Authorized and Unauthorized Devices
  - Critical Control 2: Inventory of Authorized and Unauthorized Software
  - Critical Control 3: Secure Configurations
What is the Adversary After
Rule 3: Focus on the Data
Critical Controls starting point:
  - Critical Control 15: Controlled Access Based on Need to Know
  - Critical Control 17: Data Loss Prevention
Understand How the Adversary Works
Rule 4: Implement a Multi-Dimensional Approach to Security
Critical Controls starting point:
  - Critical Control 5: Malware Defense
  - Critical Control 6: Application Security
  - Critical Control 13: Boundary Defense
  - Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
Performing Gap Analysis
Create a spreadsheet with the following columns:
  - Critical Control
  - Current State
  - Ideal State (18 months)
Subtract the two state columns to get the gap for each control. Rate each state on the maturity scale:
  - Maturity 0: No sub-controls
  - Maturity 1: Quick Wins (QW)
  - Maturity 2: Improved Visibility and Attribution (Vis/Attrib)
  - Maturity 3: Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene)
  - Maturity 4: Advanced (Adv)
Gap Analysis Drives Plan
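The gap-analysis spreadsheet described above, carried through to a phased plan, as an added example for this page (it is not from the slides or from SANS). The maturity scale and the columns come from the slide; the sample rows, the CSV layout and the phasing rule (every control gets its Quick Wins before any control gets Advanced work) are assumptions made here.

```python
"""Gap analysis and phased roadmap for the 20 Critical Controls.

Added example for this page; not from the slides or from SANS. The maturity
scale and the spreadsheet columns come from the slide; the sample data and
the phasing rule are assumptions made here.
"""
import csv
import io

# Maturity scale from the slide (0 = no sub-controls ... 4 = Advanced).
MATURITY = {
    0: "No sub-controls",
    1: "Quick Wins (QW)",
    2: "Improved Visibility and Attribution (Vis/Attrib)",
    3: "Hardened Configuration and Improved Hygiene (Config/Hygiene)",
    4: "Advanced (Adv)",
}

# Constructed sample of the spreadsheet: one row per control, with the
# current maturity and the 18-month target.
SAMPLE_CSV = """control,name,current,ideal
1,Inventory of Authorized and Unauthorized Devices,1,3
2,Inventory of Authorized and Unauthorized Software,0,3
3,Secure Configurations,2,3
4,Continuous Vulnerability Assessment and Remediation,1,4
5,Malware Defense,3,3
20,Penetration Test,0,2
"""


def parse_maturity(value, field, control):
    """Reject anything outside the 0-4 scale; a typo here silently skews the plan."""
    try:
        level = int(value)
    except ValueError:
        raise ValueError(f"control {control}: {field}={value!r} is not an integer")
    if level not in MATURITY:
        raise ValueError(f"control {control}: {field}={level} is outside 0-4")
    return level


def gap_analysis(csv_text):
    """Return one dict per control with its gap (ideal - current), sorted
    largest gap first, ties broken by lowest current maturity."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        control = int(r["control"])
        current = parse_maturity(r["current"], "current", control)
        ideal = parse_maturity(r["ideal"], "ideal", control)
        if ideal < current:
            raise ValueError(f"control {control}: ideal {ideal} below current {current}")
        rows.append({"control": control, "name": r["name"],
                     "current": current, "ideal": ideal, "gap": ideal - current})
    rows.sort(key=lambda r: (-r["gap"], r["current"], r["control"]))
    return rows


def roadmap(rows):
    """Phase n raises every control that is below maturity n (and targets at
    least n) to level n. Assumed phasing rule: every control gets its Quick
    Wins before any control gets Advanced work."""
    plan = {}
    for level in range(1, 5):
        controls = sorted(r["control"] for r in rows
                          if r["current"] < level <= r["ideal"])
        if controls:
            plan[level] = controls
    return plan


if __name__ == "__main__":
    analysed = gap_analysis(SAMPLE_CSV)
    for r in analysed:
        print(f"Control {r['control']:>2}: {r['current']} -> {r['ideal']} "
              f"(gap {r['gap']}) {r['name']}")
    for level, controls in roadmap(analysed).items():
        print(f"Phase {level} ({MATURITY[level]}): controls {controls}")
```

The validation matters more than the subtraction: a maturity typed as 5, or an ideal below the current state, is rejected rather than producing a negative or oversized gap that would quietly distort the roadmap. The phasing rule is one choice; the summary slide's advice to schedule phases by business risk can be applied by reordering controls within each phase.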
Implementing the Controls: Sample Implementation, Control 2 (Inventory of Authorized and Unauthorized Software)
  - Kaspersky Anti-Virus tool: software inventory report lists software and version number
  - Microsoft System Center Configuration Manager (SCCM): inventory software and services on each system
  - Windows Management Instrumentation Command-line (WMIC): ability to script and automate the process. Caveat: `wmic product` queries the Win32_Product class, which triggers a consistency check and repair of every installed MSI package on the host (Microsoft KB974524); prefer SCCM data or the registry Uninstall keys for routine inventory.
Implementing the Controls: Sample Implementation, Control 4 (Continuous Vulnerability Assessment and Remediation)
  - QualysGuard Enterprise Suite: comprehensive vulnerability scanning
  - Its discovery data also feeds Critical Controls 1 and 2 (device and software inventory), and more
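The Control 2 inventory step above, automated as an added example for this page (not code from the slides, SCCM, Kaspersky or Qualys): it consumes the CSV that `wmic product get name,version /format:csv` emits and compares each host's installed software with an authorized baseline, reporting unauthorized, outdated and missing software. The WMIC output sample is constructed, and the baseline (a name regex plus minimum version per product) is an assumption; an SCCM export or registry dump can be fed in by swapping the parse function.

```python
"""Control 2 check: compare a host's installed software with an authorized baseline.

Added example for this page; not from the slides, SCCM, Kaspersky or Qualys.
Input is the CSV that `wmic product get name,version /format:csv` emits
(the sample below is constructed); the baseline is an assumption.
"""
import csv
import re

# Constructed sample of WMIC CSV output. Real output begins with a blank line
# and carries the host name in the Node column.
WMIC_CSV = """
Node,Name,Version
WS0042,Mozilla Firefox 3.5.3 (x86 en-US),3.5.3
WS0042,Adobe Reader 9.1,9.1.0
WS0042,Java(TM) 6 Update 15,6.0.150
WS0042,Microsoft Office Professional 2007,12.0.6425.1000
WS0042,PuTTY release 0.60,0.60
"""

# Assumed authorized-software baseline: (regex on product name, minimum version).
# Software on a host that matches no entry is unauthorized; an entry that
# matches nothing on a host is missing (e.g. the AV agent).
BASELINE = [
    (r"^Mozilla Firefox", "3.5.3"),
    (r"^Adobe Reader", "9.2.0"),
    (r"^Microsoft Office Professional 2007", "12.0.6425.1000"),
    (r"^Kaspersky Anti-Virus", "6.0.0"),
]


def version_key(version):
    """Comparable key for dotted versions: numeric parts compare as integers,
    so 9.10 > 9.9; a non-numeric part sorts after any number."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def parse_wmic_csv(text):
    """Yield (node, name, version) from WMIC /format:csv output, skipping the
    blank line WMIC prints before the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for row in csv.DictReader(lines):
        yield row["Node"], row["Name"].strip(), row["Version"].strip()


def check_inventory(text, baseline=BASELINE):
    """Classify every installed product against the baseline, per host."""
    findings = {"unauthorized": [], "outdated": [], "missing": []}
    nodes = set()
    seen = {}                         # node -> baseline patterns matched on it
    for node, name, version in parse_wmic_csv(text):
        nodes.add(node)
        for pattern, minimum in baseline:
            if re.search(pattern, name):
                seen.setdefault(node, set()).add(pattern)
                if version_key(version) < version_key(minimum):
                    findings["outdated"].append((node, name, version, minimum))
                break
        else:                         # no baseline entry matched: not authorized
            findings["unauthorized"].append((node, name, version))
    for node in sorted(nodes):        # baseline software absent from the host
        for pattern, _ in baseline:
            if pattern not in seen.get(node, set()):
                findings["missing"].append((node, pattern))
    return findings


if __name__ == "__main__":
    for kind, items in check_inventory(WMIC_CSV).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Three findings come out of the sample: Java and PuTTY are unauthorized, Adobe Reader is below the baseline version, and the Kaspersky agent is absent from WS0042. The missing check is the one that catches a host whose AV was uninstalled, which a pure "what is installed" report never shows.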
Starting with Implementation: The Top 5
The First Five cover:
  1. Software whitelisting
  2. Secure standard configurations
  3. Application security patch installation within 48 hours
  4. System security patch installation within 48 hours
  5. Ensuring administrative privileges are not active while browsing the web or handling email
ER Diagram Drives Implementation
Entity Relationship Diagram (ERD): the deck uses the term for what UML calls a class diagram, one of the 14 UML diagram types (structure group). Strictly, an ERD is a data-modelling diagram of entities and their relationships; the UML class diagram is its closest equivalent. Class diagram, per Wikipedia: a type of static structure diagram that describes the structure of a system by showing the system's classes, their attributes, and the relationships between the classes.
Sample ER Diagram (Critical Control #1)
Potential Result: A Consolidated ERD
Summary: Plan for Success
  1. Perform an Initial Gap Assessment, determining what has been implemented and where gaps remain for each control and sub-control.
  2. Develop an Implementation Roadmap, selecting the specific controls (and sub-controls) to be implemented in each phase, and scheduling the phases based on business risk considerations.
  3. Implement the First Phase of Controls, identifying existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training.
  4. Integrate Controls into Operations, focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations.
  5. Report and Manage Progress against the Implementation Roadmap developed.
THANK YOU for your time Dr. Eric Cole Twitter: drericcole ecole@secureanchor.com eric@sans.org www.securityhaven.com