Cyber Security Defence Operations Centre

Method

  • Protect, Detect, Correct
  • People, Process, Policy

Overview

GOAL

Develop an easy-to-consume Security Service Catalog that adheres to industry best practice, offered with managed and consumption-based licensing.

Business

  • Low C-level awareness and appreciation for today’s threat landscape leading to an underfunded security operations program and to increased risk exposure
  • Defending against advanced threats requires a substantial shift in resources from prevention to detection and response, but organizations that make this shift often discover they don’t have the necessary expertise to create and execute the transition
  • Investment in security is seen as negatively impacting innovation

Technology

  • Point security products that are poorly integrated and deployed without first differentiating high and low asset values, resulting in misallocation of scarce security resources
  • Inability to discover sophisticated attack techniques, resulting in exposure to targeted attacks
  • Lack of centralized security monitoring and alerting, resulting in difficulty in detecting and investigating attacks and in scoping the nature and extent of an initial breach
  • Lack of automation for incident-response workflows, resulting in extended breach exposure time
  • Lack of threat-intelligence capabilities, resulting in less effective defense countermeasures

Operations

  • Poor patch-management processes, resulting in extended exposure to known vulnerabilities
  • Poorly defined security roles and responsibilities, resulting in less effective security defenses
  • Ad hoc processes and procedures, resulting in operational inefficiency and extended breach exposure time
  • Lack of post-incident “lessons learned” discipline, resulting in foregone opportunities to enhance security operations
  • Huge operational impact when a potential breach occurs, resulting in increased costs and negative impact on focus on core business

Business Case

  • Business Canvas
  • Marketing Description
  • SANS 20 Controls Product Selection Matrix (RSA, Nessus, Trend)

Qualifying Questions

  • Have you had a virus infection that affected your business?
  • How much time do you spend on Security?
  • What regulatory requirements do you need to be compliant with?
  • Are you comfortable with your network security?
  • What were the results of your last security audit?
  • How much money have you invested in security? (Anti-virus software, firewalls, etc.)
  • Would you use a managed service for security backed by SLAs?
  • Do you have a business score card on your security status?
  • Do you have a Security Policy?
  • What is the impact of data loss from a security breach?
  • Do you have complete visibility, control and auditing access to your critical data and systems?
  • How do you secure SaaS or public clouds beyond your perimeter defence?

Cloud Security Solutions

SANS 20 Controls Product Matrix

  1. Inventory of Authorized and Unauthorized Devices
    1. Nessus and Tripwire Enterprise
  2. Inventory of Authorized and Unauthorized Software
    1. Nessus and Tripwire Enterprise
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
    1. Nessus and Tripwire Enterprise
  4. Continuous Vulnerability Assessment and Remediation
    1. Nessus and Tripwire Enterprise
  5. Malware Defenses
    1. SPAM
    2. Endpoints
    3. Internet Access
      1. TrendMicro and FortiGate
  6. Application Software Security
    1. NetScaler Application Firewall
  7. Wireless Access Control
    1. Nessus, Tripwire
  8. Data Recovery Capability
    1. Data Protection
    2. Varonis
  9. Security Skills Assessment and Appropriate Training to Fill Gaps
  10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
    1. Nessus, Tripwire
  11. Limitation and Control of Network Ports, Protocols, and Services
    1. Nessus, Tripwire
  12. Controlled Use of Administrative Privileges
    1. Tripwire
    2. CyberArk
  13. Boundary Defense
    1. Firewall
    2. IDS
    3. IPS
    4. Cisco, Fortinet
  14. Maintenance, Monitoring, and Analysis of Audit Logs
    1. Nessus, Tripwire (SIEM)
  15. Controlled Access Based on the Need to Know
    1. Tripwire
  16. Account Monitoring and Control
    1. Tripwire
  17. Data Protection
  18. Incident Response and Management
    1. EMC Archer
  19. Secure Network Engineering
    1. Tripwire
  20. Penetration Tests and Red Team Exercises
    1. Nessus

Additional Controls

  1. Multi-factor Authentication/BioMetrics
  2. Single Sign On
  3. Rights Management
  4. Data Loss Prevention
  5. eDiscovery
  6. Legal Hold
  7. ITIL
  8. DDOS Mitigation (DNS)
  9. MDM
  10. DR (Snapshots, Imaging, Restore)
  11. Critical Response Team
  12. Governance/Compliance
  13. Education

IT GRC Tools

Service catalog

  • UTM
  • MDM
  • Secure Wi-Fi
  • Identity Management and Automation (SIEM)
  • SSO, multi-factor, biometric and vicinity login solutions
  • Shadow IT Dashboards
  • 24/7 Security Incident Monitoring
  • 24/7 Security Breach Critical Incident Response
  • Internet Access Security Monitoring and Management
  • SPAM Filtering Monitoring and Management
  • Endpoint Monitoring and Management
  • Patch Management
  • Continuous Monitoring and Penetration Testing
  • Web Site Threat Monitoring
  • Firewall Monitoring and Management
  • IPS Monitoring and Management
  • IDS Monitoring and Management
  • Compliance and Governance Reporting
  • Compliance and Governance Remediation
  • Security Governance Policy Development
  • Certificate Management
  • Configuration Management (ensure any baseline configuration changes are tracked, for OS and networking devices only)
  • Privileged Access Management

Managed security service providers and SOCs

Research

SANS Missing Items

Security Mapping and Maturity Models

Maturity Model Levels

  1. Initial (chaotic, ad hoc, individual heroics) – the starting point for use of a new or undocumented repeat process.
  2. Repeatable – the process is at least documented sufficiently such that repeating the same steps may be attempted.
  3. Defined – the process is defined/confirmed as a standard business processes.
  4. Managed – the process is quantitatively managed in accordance with agreed-upon metrics.
  5. Optimizing – process management includes deliberate process optimization/improvement.

GAP ANALYSIS

Initial (chaotic, ad hoc, individual heroics) – the starting point for use of a new or undocumented repeat process.

  • Formal, up-to-date documented policies stated as “shall” or “will” statements exist and are readily available to employees.
  • Policies establish a continuing cycle of assessing risk and implementation, and use monitoring for program effectiveness.
  • Policies are written to cover all major facilities and operations agency-wide or for a specific asset.
  • Policies are approved by key affected parties.
  • Policies delineate the IT security management structure, clearly assign IT security responsibilities, and lay the foundation necessary to reliably measure progress and compliance.
  • Policies identify specific penalties and disciplinary actions to be used if the policy is not followed.

Repeatable – the process is at least documented sufficiently such that repeating the same steps may be attempted.

  • Formal, up-to-date, documented procedures are provided to implement the security controls identified by the defined policies.
  • Procedures clarify where the procedure is to be performed, how the procedure is to be performed, when the procedure is to be performed, who is to perform the procedure, and on what the procedure is to be performed.
  • Procedures clearly define IT security responsibilities and expected behaviors for asset owners and users, information resources management and data processing personnel, management, and IT security administrators.
  • Procedures name the appropriate individuals to be contacted for further information, guidance, and compliance.
  • Procedures document the implementation of, and the rigor with which, the control is applied.

Defined – the process is defined/confirmed as a standard business process.

  • Procedures are communicated to individuals who are required to follow them.
  • IT security procedures and controls are implemented in a consistent manner everywhere that the procedure applies and are reinforced through training.
  • Ad hoc approaches that tend to be applied on an individual or case-by-case basis are discouraged.
  • Policies are approved by key affected parties.
  • Initial testing is performed to ensure controls are operating as intended.

Managed – the process is quantitatively managed in accordance with agreed-upon metrics.

  • Tests are routinely conducted to evaluate the adequacy and effectiveness of all implementations.
  • Tests ensure that all policies, procedures, and controls are acting as intended and that they ensure the appropriate IT security level.
  • Effective corrective actions are taken to address identified weaknesses, including those identified as a result of potential or actual IT security incidents or through IT security alerts issued by FedCIRC, vendors, and other trusted sources.
  • Self-assessments, a type of test that can be performed by agency staff, by contractors, or by others engaged by agency management, are routinely conducted to evaluate the adequacy and effectiveness of all implementations.
  • Independent audits, such as those arranged by the General Accounting Office (GAO) or an agency Inspector General (IG), are an important check on agency performance, but are not viewed as a substitute for evaluations initiated by agency management.
  • Information gleaned from records of potential and actual IT security incidents and from security alerts, such as those issued by software vendors, is considered as test results. Such information can identify specific vulnerabilities and provide insights into the latest threats and resulting risk.
  • Evaluation requirements, including requirements regarding the type and frequency of testing, are documented, approved, and effectively implemented.
  • The frequency and rigor with which individual controls are tested depend on the risks that will be posed if the controls are not operating effectively.

Optimizing – process management includes deliberate process optimization/improvement.

  • Effective implementation of IT security controls is second nature.
  • Policies, procedures, implementations, and tests are continually reviewed and improvements are made.
  • A comprehensive IT security program is an integral part of the culture.
  • Decision-making is based on cost, risk, and mission impact.
  • The consideration of IT security is pervasive in the culture.
  • There is an active enterprise-wide IT security program that achieves cost-effective IT security.
  • IT security is an integrated practice.
  • Security vulnerabilities are understood and managed.
  • Threats are continually reevaluated, and controls are adapted to the changing IT security environment.
  • Additional or more cost-effective IT security alternatives are identified as the need arises.
  • Costs and benefits of IT security are measured as precisely as practicable.
  • Status metrics for the IT security program are established and met.