8/13/2019 Abdel Aziz Sorensen Presentation
Objective
Provide guidance that GIAC Enterprises can use to be in compliance with the most recognized information security frameworks:
NIST SP 800 documents
SANS Consensus Audit Guidelines (CAG)
Australian Government Defence Signals Directorate's (DSD) Top 35 Strategies
while looking for opportunities to automate controls and provide information back to management in a meaningful format.
SP 800, 20 Critical Controls, and DSD's 35 Mitigating Strategies
Federal Information Security Management Act (FISMA), authorized by Title III of the E-Government Act of 2002.
National Institute of Standards and Technology (NIST) tasked to develop, document, and implement security standards (FISMA Implementation Project): Special Publication (SP) 800-53 and Federal Information Processing Standard (FIPS) 200.
SANS, the US defense base, federal agencies, and private organizations defined the most critical controls to protect information and information systems: Consensus Audit Guidelines, 20 Critical Controls.
Australian Government Defence Signals Directorate: DSD's Top 35 Mitigating Strategies.
SP 800, 20 Critical Controls, and DSD's 35 Mitigating Strategies
The SANS 20 Critical Controls are meant to reinforce and prioritize some of the most important elements of the guidelines, standards, and requirements put forth in other US government documentation, such as NIST Special Publication 800-53. These guidelines do not conflict with such recommendations. In fact, the guidelines set forth are a proper subset of the recommendations of NIST SP 800-53, designed so that organizations can focus on a specific set of actions associated with current threats and computer attacks they face every day.
The DSD's 35 Mitigating Strategies focus on individual tasks organizations can undertake to improve their security stance. They are a focused subset of the 20 Critical Controls.
APT-Focused Security Strategy
Risk-Based Approach
Initially implement a subset of the 20 Critical Controls to address GIAC Enterprises' highest risks first (APT-related risks).
The "offense informs defense" concept suggests that 4 controls are best geared to address APT-related risks:
Controlled Access Based on the Need to Know (Control 15)
Continuous Vulnerability Assessment and Remediation (Control 4)
Malware Defenses (Control 5)
Data Loss Prevention (DLP) (Control 17)
Automation Approach: Controls 15 & 17 (Focus on the Data)
Sensitive Regulatory Data: credit card data, privacy data (PII), health care information
Sensitive Corporate Data: intellectual property, financial information, trade secrets
Controls applied to each class: Control Data-at-Rest, Control Data-in-Motion, Control Data-in-Use
Automation Approach: Controls 15 & 17 (Automating Data Classification and Policy Definition)
Roles involved: Business Managers, DLP Admin, End Users
Step 1: Identify files and set business rules
Step 2: Create DLP policy and check for feasibility
Step 3: DLP policy is routed for approval
Step 4: Approved DLP policy; policy applied across the organization
Automation Approach: Controls 15 & 17 (Automating the Control of Data-in-Motion)
Risk across: web protocols, e-mails, IM, generic TCP/IP protocols
Process to Reach Automation (Data-in-Motion): a chart of risk over time, with risk falling as the program moves through three phases:
DISCOVER (Monitor Only): understand risk
EDUCATE (Monitor & Educate): educate users; reduce risk
ENFORCE (Automate Action): just-in-time encryption, blocking, etc.
Automation Approach: Controls 15 & 17 (Automating the Control of Data-at-Rest)
Discover Sensitive Data: Data Loss Prevention (DLP) scans SharePoint, databases, endpoints, NAS/SAN, and file servers.
Manage Remediation Workflow: Risk Remediation Manager (RRM), working with file activity tools, GRC systems, and business users.
Apply Controls: apply DRM, encrypt, delete/shred, change permissions, or record a policy exception.
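An added example (not from the presentation) that ties the data-in-motion phases (Monitor Only, Monitor & Educate, Automate Action) to the data-at-rest workflow above: it discovers sensitive data in a constructed sample of file contents, classifies it as PCI or PII, and selects a remediation action from the slide's Apply Controls list according to the program's maturity stage. The file paths, sample contents and the PCI/PII-to-action mapping are assumptions made for the example.

```python
import re
from enum import Enum

# Constructed sample corpus standing in for files found on shares (not from the presentation)
SAMPLE_FILES = {
    "finance/cards.csv": "cust,card\nalice,4111 1111 1111 1111\nbob,1234 5678 9012 3456\n",
    "hr/roster.txt": "SSN 123-45-6789 on file for new hire\n",
    "eng/notes.md": "weekly standup notes, nothing sensitive here\n",
}
# Assumed remediation action per data class, drawn from the slide's Apply Controls list
REMEDIATION = {"PCI": "encrypt", "PII": "change_permissions"}

class Stage(Enum):  # maturity phases from the data-in-motion slide
    DISCOVER = "monitor only"
    EDUCATE = "monitor and educate"
    ENFORCE = "automate action"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold into one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Label text with the sensitive data classes it contains (PCI, PII)."""
    labels = set()
    for m in re.finditer(r"\b(?:\d[ -]?){13,16}\b", text):  # 13-16 digits, optional separators
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PCI")
    if re.search(r"\b\d{3}-\d{2}-\d{4}\b", text):  # US SSN pattern as the PII indicator
        labels.add("PII")
    return labels

def run_dlp(files: dict, stage: Stage) -> list:
    """Discover sensitive files and choose an action according to the program's stage."""
    findings = []
    for path, text in files.items():
        labels = classify(text)
        if not labels:
            continue  # nothing to remediate
        if stage is Stage.DISCOVER:
            action = "log"  # monitor only: build the risk picture
        elif stage is Stage.EDUCATE:
            action = "log+notify_owner"  # monitor and educate the business user
        else:
            action = ",".join(sorted(REMEDIATION[l] for l in labels))  # automate action
        findings.append({"path": path, "labels": sorted(labels), "action": action})
    return findings
```

Note that the second card-like value in cards.csv fails the Luhn check and is ignored, which is what keeps a discovery scan from flooding the remediation workflow with false positives.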
Automation Approach: Controls 4 & 5 (Prevention and Mitigation of APTs / Understanding the Attack Vector)
Automation Approach: Controls 4 & 5 (Risk Assessment / Continuous Monitoring)
Risk Assessment; Vulnerability Scanning
Automation Approach: Controls 4 & 5 (Automating Continuous Vulnerability Assessment and Remediation)
Automation Approach: Controls 4 & 5 (Automating Continuous Monitoring of Malware and Malware Callbacks)
Reducing the risk of data loss through malware infections:
Implement basic and necessary malware protection: HIPS, AV, anti-spam, etc.
Train and educate users concerning social engineering tactics.
Use advanced technology: virtual inspection of executable malware in real time to identify and block command-and-control communications.
Recommended Action Plan
1) Conduct a gap assessment to compare GIAC Enterprises' current security stance to the detailed critical controls
2) Implement "quick win" critical controls to address gaps
3) Implement controls 4 & 5 using the previous automation approaches
4) Implement controls 15 & 17 using the previous automation approaches
5) Analyze and understand how the remaining controls (beyond quick wins and controls 4, 5, 15, 17) can be deployed
6) Plan for deployment, over the longer term, of the advanced controls, giving priority to controls 4, 5, 15, 17