security mindfulness dwayne.

Similar documents
Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

locuz.com SOC Services

Altius IT Policy Collection

Survey Results: Virtual Insecurity

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Mark Littlejohn June 23, 2016 DON T GO IT ALONE. Achieving Cyber Security using Managed Services

Securing Your Cloud Introduction Presentation

Development. Architecture QA. Operations

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Title: Planning AWS Platform Security Assessment?

Cybersecurity in Higher Ed

Security Configuration Assessment (SCA)

Information Technology Procedure IT 3.4 IT Configuration Management

Architecting for Greater Security in AWS

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

CLOUD WORKLOAD SECURITY

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Secure Access & SWIFT Customer Security Controls Framework

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Managing SaaS risks for cloud customers

Daxko s PCI DSS Responsibilities

Security Camp 2016 Cloud Security. August 18, 2016

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

10 FOCUS AREAS FOR BREACH PREVENTION

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Total Security Management PCI DSS Compliance Guide

SIEMLESS THREAT MANAGEMENT

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

VMware vcloud Air SOC 1 Control Matrix

Watson Developer Cloud Security Overview

Trust in the Cloud. Mike Foley RSA Virtualization Evangelist 2009/2010/ VMware Inc. All rights reserved

INTRO TO AWS: SECURITY

Taking Control of Your Application Security

Minfy MS Workloads Use Case

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

01.0 Policy Responsibilities and Oversight

IT infrastructure layers requiring Privileged Identity Management

LBI Public Information. Please consider the impact to the environment before printing this.

ISO27001 Preparing your business with Snare

Help Your Security Team Sleep at Night

How NOT To Get Hacked

Take Risks in Life, Not with Your Security

LOGmanager and PCI Data Security Standard v3.2 compliance

Security Governance and Management Scorecard

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

Designing and Building a Cybersecurity Program

ACM Retreat - Today s Topics:

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Embedding GDPR into the SDLC

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

How to Prepare a Response to Cyber Attack for a Multinational Company.

The Global Information Security Compliance Packet (GISCP): The World's most In-Depth set of professionally researched and developed information

Unlocking the Power of the Cloud

Presentation Overview

Security Audit What Why

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Trust Services Principles and Criteria

90% of data breaches are caused by software vulnerabilities.

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

CoreMax Consulting s Cyber Security Roadmap

Oracle Security Products and Their Relationship to EBS. Presented By: Christopher Carriero

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Audit Logging and Monitoring Procedure Document Number: OIL-IS-PRO-ALM

Understanding Perimeter Security

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Cyber Essentials Questionnaire Guidance

Traditional Security Solutions Have Reached Their Limit

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

Carbon Black PCI Compliance Mapping Checklist

Compliance Audit Readiness. Bob Kral Tenable Network Security

The erosion of the perimeter in higher education. Why IAM is becoming your first line of defence.

CYBER THREAT INTEL: A STATE OF MIND. Internal Audit, Risk, Business & Technology Consulting

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Cloud Security Whitepaper

Twilio cloud communications SECURITY

Security. Made Smarter.

CompTIA CASP (Advanced Security Practitioner)

Cloud Transformation Program Cloud Change Champions June 20, 2018

Protect Your Organization from Cyber Attacks

WELCOME ISO/IEC 27001:2017 Information Briefing

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Certified Information Systems Auditor (CISA)

OWASP CISO Survey Report 2015 Tactical Insights for Managers

Effective Strategies for Managing Cybersecurity Risks

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Juniper Vendor Security Requirements

Transcription:

security mindfulness dwayne. foley@eagledream.com

security mindfulness defined - the quality or state of being aware that you need to build security into your daily practice -the secure state achieved by focusing one s security awareness on what one controls, used to achieve a secure state and a good night s sleep

five steps to security mindfulness 1 2 3 4 5 You are in Control Sphere of Influence Understanding Risk, Vectors, Value Get in Touch Detailed documentation Practice Build process into your daily activities You are in the Zone It becomes second nature

step 1: you are in control of What is in your Sphere of Influence

as a security practitioner your influence IT Business Management Users Customers

as an IT professional their influence Network Windows Linux Application / Business owner Application dev and support Infrastructure (IAM, FW, DNS, Monitoring) DB Cloud Just a process

as a business professional their influence Business Process Audits, Assessments, Compliance Controls Applications PII, PHI and other NPI Paper records & process

two security concepts to think about when looking at what is in your sphere of influence Least Privileged Accountability

Role Based Controls least privilege (more than accounts) Think Subsystems OS Web DB System Hardening Remove unnecessary packages Configure / stop services Limit ports and services Network Application Dev Think Authentication Think Authorization

accountabilit y Who did what when Need to have logs and alerts Across all systems and systems components OS, Web, DB, Network (TACAC), Application, Dev Aggregation and Correlation Centralized logging

accountabilit y (a bit of a twist) What system and processes are under your control Define ownership and responsibility Business owner IT Owner / Custodian Be clear on what you own and what you are responsible for securing Be clear on the touch points (gray areas) -- the gap! Be clear on what is not yours but make sure you know who owns it

hey it s the security guy I don t do security you do

step 2: understandin g Value of the data and systems to the business Risks Vectors of attack

understandin g what has value What is the Classification Intellectual property Regulatory Contractual National Security Sensitive PII PHI Financial Reputational PCI (PAN)

understandin g risks What type data do you have Where is the data What system components are you protecting OS Web DB Application Network Are you plugged in to get security updates from the vendors

understandin g vectors Internal External What is the Security Maturity level of your environment? What controls do you have in place Have you limited access to need to know? Least privileged How would you hold someone accountable? Accountability logs and alerts - review

you need to be plugged in CTI Know your environment Get alerts and bulletins Review how that matches your environment Have an escalated patch plan

story about (not) understandin g risk lack of encryption not least privileged any any rules or viruses not accountable not patched

step 3: get in touch Accurately documenting

diagrams and lists Detailed Diagrams Inventory Hardware Software Users OS Levels Patch Levels Support sites to get patch alerts

Procedures (patching example) How to apply escalated patches Approval Who to notify Who is impacted Risk decision to escalate to

responsibility matrix Who does what Backup resource Trained Skill Set

least privilege role based controls We often think about just the OS For each system component: OS Web App DB Network

monitoring - logs and alerts Hard to do Need to document what is being logged Templates for each system component New tools Cloud Think Kill Chain and be smarter about what to log and alert on

example on docs Border Router

better diagram Border Router

Example documentation by application environment (details needed)

step 4: practice Include security into your processes and procedures for all of IT For all systems components

hardware Gold images Check system hardening status after build Checklist Have it reviewed before deployment (like a code review)

software Check update and patch levels Know your dependencies Know your inventory Configurations, setting and modules Checklists

daily and weekly tasks that include security Check audit trails Scan Review log reports Check for patches and updates Build metrics Improve

Training required for anyone that wants to develop example on building into practice All developers that build software have to have OWASP-type training This one action had tremendous impact!

step 5: it becomes second nature Built into all processes and procedures

built into SDLC OWASP training Scan early, scan often Code reviews Dev opps - ZAP tool In the cloud have a hardened image, in AWS CIS AWI

least privilege rule It is a mindset Across all systems components Don t forget service accounts Review system and network, ports and services Review quarterly

accountability (both types) Monitor, Alert Report on sensitive accounts Review Quarterly Access controls Processes and touch points, makes sure cracks do not form Update Review responsibility matrix Things change Processes change People change Needs to be evergreen

built into the job description In the PEP Part of the performance review Metrics Top down

built into the design Security mindset needs to be part of the business requirements from day one of an idea, project, initiative

security becomes part of the base requirements (not optional or phase II) without this, it rarely gets done and never works efficiently

built into the culture Prego It s in there

wrap up As the security practitioner you are the expert and the evangelist You can t fix it alone, you need everyone's help Chunk it up Empower The mindset is an evergreen risk assessment and security plan You don t do security, well, you do, but so does everyone commissioning, designing, building, maintaining, using the computing environment

questions dwayne. foley@eagledream.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback