mappingtheenterprise* threat,risk,and*security ... · pdf...

Copyright © 2014 Splunk Inc.

Andrew Gerber Managing InformaBon Security Consultant, Wipro

Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Disclaimer

2

During the course of this presentaBon, we may make forward looking statements regarding future events or the expected performance of the company. We cauBon you that such statements reflect our current expectaBons and

esBmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements,

please review our filings with the SEC. The forward-‐looking statements made in the this presentaBon are being made as of the Bme and date of its live presentaBon. If reviewed aRer its live presentaBon, this presentaBon may not contain current or accurate informaBon. We do not assume any obligaBon to update any forward looking statements we may make. In addiBon, any informaBon about our roadmap outlines our general product direcBon and is subject to change at any Bme without noBce. It is for informaBonal purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obligaBon either to develop the features or funcBonality described or to

include any such feature or funcBonality in a future release.

About

3

Andrew Gerber is a managing informaBon security consultant at Wipro. Over the last ten years he has focused on security informaBon and event management (SIEM), security analyBcs, and security operaBons center (SOC) design. Andrew addiBonally has experience evaluaBng informaBon security program maturity and building effecBve managed security service offerings. Andrew has worked with clients in North America, Europe, and Asia, including several Fortune 100 and Fortune Global 100 industry leaders in financial services, healthcare, manufacturing, retail, and law enforcement. Andrew holds a B.S. in computer science and an M.B.A. from Purdue University.

Wipro Ltd. (NYSE:WIT) is a global informaBon technology, consulBng, and outsourcing company with over 145,000 employees across 6 conBnents and over 175 ciBes. Wipro posted revenues of $7.3 billion for the financial year ended March 31, 2014. Wipro helps customers do business beber by leveraging our industry-‐wide experience, deep technology experBse, comprehensive porcolio of services, and verBcally aligned business model. Wipro is proud of its strategic partnership with Splunk and the value Wipro delivers using Splunk as a placorm across industries and applicaBons, with a focus in enterprise informaBon security managed services.

Agenda

!   New approach to Enterprise Security –  SituaBonal Awareness –  Kill Chain

!   Techniques using this new approach –  Looking for threat behavior – Profiling VPN access –  Looking for an abacker trying to get out of environment as well as

idenBfying potenBal delivery vectors – Profiling Network Jumpers –  A framework for developing addiBonal techniques

!   RecommendaBons and best pracBces for further development and implementaBon of this approach

4

The Enterprise Security Landscape !   Abacks and breaches on the rise, threat actors moBvated by previous abacks’ successes

!   Abackers sBll have a remarkably easy Bme gejng in

–  OrganizaBons are sBll not implemenBng basic controls (i.e. geographic restricBons, segmentaBon,

account lockouts) A LOT CAN BE DONE WITH BASIC CONTROLS

–  OrganizaBons are sBll not monitoring/responding to IOCs (Indicator of Compromise); a recent breach analysis showed -‐ mulBple alerts on potenBal malware and malicious acBvity completely missed INFORMATION AND ALERTS FROM ALL SOURCES MUST BE ANALYZED

!   Don’t focus solely on alerts for denied or failure events

–  FOCUS ON PROFILING BEHAVIOR OVER TIME & ACROSS PLATFORMS TO DISTINGUISH ANOMALIES

5

Threats

6

!  Threats are increasing, abacker dwell Bme sBll well over 200 days on average.

!  Move from generic malware targeBng everyone to deliberate, smart abackers targeBng you, with a specific objecBve.

!  With abackers idenBfying high-‐value objecBves, the investment they are willing to make increases.

!  We can see abackers’ methodology evolving over Bme to adapt to organizaBons’ acBons and responses.

!  People are being targeted more, resulBng in more valid-‐credenBal based abacks and less need for vulnerability exploits of network/security devices.

!  Threat actors now look more like legiLmate users. You can sLll tell them apart, just not with legacy tools/strategies.

Breaches by Asset Category over Time

From Verizon’s 2014 Data Breach InvesBgaBons Report

Threats: Who Abacks and Why?

7

From IBM’s 2013 Cyber Security Intelligence Index

Categories of ATackers ATacker MoLvaLon

Risks: Clear and Present Danger

8

Brand / Revenue / Financial Data / Product Data / Customer & PaBent Records / Financial TheR / Blackmail / Job Loss / OperaBons DisrupBon and ManipulaBon / CompeBBve Espionage / …

SituaBonal Awareness

9

Changing threat environments demand enhanced security monitoring, oRen called “situaBonal awareness”

!   Advanced targeted threats have increased the requirement for the proacBve detecBon of potenBal incidents above standard due diligence levels.

!   SituaBonal awareness expands on security informaLon and event management (SIEM) processes, and requires a combinaLon of asset and threat informa-on and ac-vity data, in combinaBon with analysis and repor-ng capabili-es.

!   Advanced analysis capabiliBes to support “human in the loop” invesBgaBon and decision making are criBcal requirements. From Gartner’s note “Delivering SituaBonal Awareness” (G00214313)

Tech

Process

People To deliver situaBonal awareness, we need to add a process/approach/model to the people (us) and the technology (Splunk) deployed to provide enterprise security.

Kill Chain

10

!   Model to idenBfy threat behavior across the lifecycle of an aback –  Move from looking at single alert or single aspect of the aback –  Must look at enBre spectrum of acBviBes (all data) to determine aback/

threat

!   DetecBon earlier in kill chain = lower impact and miBgaBon cost !   DetecBon later in kill chain = greater impact, must look back in Bme to determine infecBon/impact and how to contain/miBgate

Beyond SIEM – True Security AnalyBcs: !   Brings together informaBon that would be Bme consuming or impossible to

manually analyze (goes beyond centralized logging) !   Enables a deep invesBgaBon of what otherwise could only be aggregated and/

or ignored !   Allows dynamic correlaBon – visual representaBon makes anomalies obvious !   Enables exploraBon of loose relaBonships between events, driven by “human-‐

in-‐the-‐loop” processes, leading to a “hypothesis à test à findings” approach instead of an “event à evaluate” approach.

!   Accelerates analyst decision trees around behavior !   Is cohesive and behaviorally driven, with a monitoring/response posture based

on knowing your users, assets, and environment

11

Use cases to implement with Splunk

!   Use Case 1 -‐ Detect inappropriate or malicious remote access –  VPN profiling of employees, contractors, vendors, and other insiders –  Useful to idenBfy following kill chain stages

ê  C2, ExfiltraBon –  Also useful to idenBfy employee/insider Fraud, TheR, & Abuse (FTA)

!   Use Case 2 -‐ Detect abempted and actual bypass of network controls –  Detect network jumping and off-‐network acBvity –  Useful to idenBfy following kill chain stages

ê  Delivery, C2, ExfiltraBon –  Also useful to idenBfy employee/insider Fraud, TheR, & Abuse (FTA)

12

Do this: Profile VPN AcBvity

What & Why?

14

!   Find abnormal remote access usage pabern in remote access –  VPN access with valid credenBals used in major abacks, including recent healthcare

industry breach

!   Profile remote usage by employees, contractors, vendors, and other insiders !   Look for:

–  Indicators of Delivery, C2, ExfiltraBon, as well as employee or insider FTA –  IdenBfy potenBally compromised credenBals

!   Key points to look for: –  Increase in login frequency –  Odd Bmes/locaBons –  Improbable travel distance between logins or login abempts

(velocity requirements between consecuBve geographical login locaBons too high)

Design & Approach

15

Overview – Geographic and Network VPN Trends

Overview – User-‐based VPN Trends

Geographic Analysis with “Traveler” idenBficaBon

“Traveler” mapping & improbable behavior analysis

Design & Approach -‐ Workflow

16

MulBple login failures by count and over Bme and successful logins provide insight into VPN behavior.

User level VPN Trends

At-‐a-‐glance profiling of VPN login success and failures GeolocaBon and domain charBng idenBfy normal vs. abnormal access •  Top Level Domains and other domain names to find anomalies,

i.e. connecBons from .edu TLD or external VPN services

Geographic & Network VPN Trends

IdenBfy repeat VPN login failure trends by user Easy to spot outlier and clustered events


17

Determine unlikely distance/Bme combinaBons between VPN logins


Per-‐country trends & users with mulBple locaBons in a given Bme period Also idenBfy relaBve distances for users from a relevant fixed locaBon


Key Events – VPN AuthenBcaBon Success/Failure

18

The key searches are looking for VPN authenBcaBon success and failure, which we will expand on throughout this use case.

Overview – Geographic & Network VPN Trends

19

index=firewall sourcetype=ACMEvpn "Security NegoLaLon Complete" | iplocaLon IP | geostats count by Username globallimit=0

index=vpn sourcetype=ACMEvpn "Login failed" | eval userinfo=user.":".user_bunit | iplocaLon src_ip | geostats count by userinfo globallimit=0

index=firewall sourcetype=ACMEvpn "Security NegoLaLon Complete" | stats count by IP | lookup dnslookup clienLp as IP | rex field=clienthost ".*(?P<toplevel>\.\w+)$" | stats count by toplevel

index=firewall sourcetype=ACMEvpn "Security NegoLaLon Complete" | stats count by IP | lookup dnslookup clienLp as IP | rex field=clienthost ".*\.(?P<midlevel>\w+)\.(?P<toplevel>\w+)$“ | eval thedomain=midlevel.".".toplevel | eval lendomain=len(thedomain) | where lendomain>0 | stats count by thedomain | sort -‐thedomain | sort -‐count


20

index=firewall (sourcetype=ACMEvpn AND "AAA user authenLcaLon Rejected" AND user=*) OR (sourcetype=ACMEtraffic AND src_user=* AND to=VPN AND acLon!="allowed") | rename src_user AS fulluser | rex "user\s\=\s(?<fulluser>.*)" | stats count by fulluser | search count>3

index=firewall (sourcetype=ACMEvpn AND "AAA user authenLcaLon Rejected" AND user=*) OR (sourcetype=ACMEtraffic AND src_user=* AND to=VPN AND acLon!="allowed") | rename src_user AS fulluser | rex "user\s\=\s(?<fulluser>.*)" | top fulluser

index=firewall sourcetype=ACMEvpn "Security NegoLaLon Complete" | stats sparkline(count), count by Username | sort -‐count


21

index=firewall sourcetype=ACMEvpn "AAA user authenLcaLon Rejected" user=* | rex "user\s\=\s(?<fulluser>.*)" | Lmechart count by fulluser useother=f limit=25

Design & Extension Notes

24

!   AddiBonal panels: –  Simultaneous logins (oRen rare as a legiBmate scenario) –  Increase in data volume over connecBon (sign of exfiltraBon, data collecBon) –  PotenBal to add algorithms to refine results and accelerate analysis

!   AddiBonal InformaBon about user access paberns –  “Out-‐of-‐Office” informaBon -‐ Integrate with Exchange –  PTO/Absence/etc. -‐ Integrate with HR/Time management systems

Do this: Monitor Network Jumping and Off-‐Network AcBvity

What & Why?

26

!   Find assets & users jumping from corporate LAN, WLAN to Guest Network –  Detect abempts to bypass security controls –  Detect malware vector of “benign” off-‐network browsing

1 in 566 websites host malware (Symantec 2014 Internet Security Threat Report) –  If controls exist around Guest network usage, sBll implement this for abestaBon

!   Profile jumping behavior to look for paberns and anomalies –  IdenBfy the User, IP address, MAC address –  IdenBfy acBvity before and aRer jumping –  Filter out insider Fraud, Thief, Abuse from possible

Indicators of Compromise

!   Key points to look for include –  Assets and users jumping periodically –

Normal business users should be on corporate network –  Network jumps which don’t appear to be pre-‐meditated

(i.e. looking for programmaBc jumps) –  Volume, periodicity, desBnaBon, traffic type can all be

indicators of potenBal ExfiltraBon

“40% [of companies] reported that they had been exposed to a security threat as a direct consequence of an off-‐network user’s laptop gejng compromised within the last twelve months.”

From Google report, “Off-‐Network Workers – The Weakest Link to Corporate Web Security”

Design & Approach

27

Overview – Long/Short Term Off-‐Net Jumping Trends

IdenBfy a user of interest and drill-‐down to invesBgate

Behavior invesBgaBon – longitudinal trending

Behavior invesBgaBon – Pre-‐Jump AcBvity

Behavior invesBgaBon – Guest Network AcBvity


28

SelecBon to lookup user

Dynamic drilldown begins at this point on this dashboard: When you click on the row, the IP, Hostname, MAC is passed on the following subpanels, this is based on drilldown parameters being set in this panel’s XML source.

Rapid invesBgaBon to idenBfy users of interest SelecBon enables deep invesBgaBon via iniBal drilldown into user acBvity/details

At-‐a-‐glance profiling of corporate credenBals used on guest network – acBvity for today, 7-‐days, 14-‐days

Long/Short Term Off-‐Net Jumping Trends Visual analysis to determine what look abnormal

SelecBon determines drill down


29

Paberns idenBfy potenBal repeat offender, or possible C2/exfiltraBon look at guest network acBvity to clarify – compare these two trends

Behavior InvesBgaBon – Longitudinal Trending


30

Looking back in Bme from the jump User acBvity on the corporate network preceding the jump

Behavior InvesBgaBon – Pre-‐Jump AcBvity •  Does the jump make sense? – driven by business logic or “benign” behavior •  Does the jump look like abacker trying to get out? – more “random” paberns •  Does the jump look like insider threat? – exfiltraBon, etc.

Looking back in Bme to the jump User device to IP address mapping of jumper

Looking in Bme aRer the jump User acBvity on the guest network aRer the jump

Key Event – Guest network DHCP request

31

Key search to idenBfy this acBvity •  Look at guest network firewall logs which logs DHCP requests (IP à MAC à hostname) •  Look at DHCP requests using IP address of one of our corporate networks, and the MAC address. •  Eliminate mobile devices, limit results to our corporate hostname naming convenBon •  Database of internal IP space, hostnames, and associated MAC addresses is being built to further refine this.

Trending – How it’s Done

32

index=firewall sourcetype=“ACMEguestFW" (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) dhcp_msg=Request ip=“ACMEipSpace” | regex hostname=“ACMEnamingConvenLon" | Lmechart span=4h limit=30 count by hostname

index=firewall sourcetype=“ACMEguestFW” (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) dhcp_msg=Request ip=“ACMEipSpace" earliest=-‐14d latest=-‐1d | regex hostname=“ACMEnamingConvenLon" | dedup hostname

| Lmechart span=1h count | eval StartTime=relaLve_Lme(now(),"-‐48h@h") | eval Series=if(_Lme>=StartTime, "Yesterday’s Count", “2 Week Average") | eval Hour = strvime(_Lme,"%H") | chart max(count) by Hour Series

Trending – How it’s Done

33

index=firewall sourcetype=“ACMEguestFW" ip=“ACMEipSpace" (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) dhcp_msg="Request" | regex hostname=“ACMEipSpace"

| Lmechart span=1h count by hostname

IdenBfy User, present addiBonal data – How it’s Done

34

index=firewall (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) sourcetype=“ACMEguestFW" ip=“ACMEipSpace" dhcp_msg="Request" | regex hostname=“ACMEipSpace" | stats count by ip,_Lme,hostname,mac| sort _Lme

View the XML Source for the Dashboard (“Edit Source”), find the panel, and add: <drilldown> <set token="source_ip">$row.ip$</set> <set token="mac">$row.mac$</set> <set token="hostname">$row.hostname$</set> </drilldown>

Make this panel only appear when the drilldown is acBvated: <panel><single id="jumpername" depends="$source_ip$">

Search uses $source_ip$ based on click and searches the internal firewall logs to find the most recent user from that IP address: index=firewall sourcetype=ACMEfw src=$source_ip$ | rex field=src_user "\w+\\\(<browseusername>\w+)" | dedup browseusername | table browseusername

1

2

3

4

Drill-‐down to lookup

user

Longitudinal Trending – How It’s Done

35

This panel is driven by the same drill-‐down we’ve been using, based on $hostname$ from the guest network firewall logs. The search simply returns the jumping pabern over the past week and charts it in 15-‐minute spans. index=firewall hostname=$hostname$ dhcp_msg=Request sourcetype=ACMEguestFW | Lmechart span=15m count

Behavior InvesBgaBon – Pre-‐Jump AcBvity

36

Select “Edit Panels” for the Dashboard and then “Add Input”, select “Radio”, drag the input to the panel, and customize in the GUI, or add the XML code directly in “Edit Source”. This dropdown input sets the token $category$ to the value selected: <input type="dropdown" token="category“ searchWhenChanged="true"> <label>Select Category</label> <populatingSearch earliest="@d" latest="now" fieldForLabel="category" fieldForValue="category">index=firewall sourcetype=pan* src_ip=$source_ip$ | stats count by category</populatingSearch> <choice value="*">ALL</choice> </input>

3

Search the Windows DNS logs for requests and responses triggered by the Jumper on the corporate network. SBll using the same drilldown from before for source_ip: index=winevents sourcetype="MSAD:NT6:DNS" src_ip=$source_ip$ | stats count by quesLonname,quesLontype,response,src_ip | rex mode=sed field=quesLonname s/$\d+$/./g | sort –count This is a basic filtering search | stats to take a count of queries made, type and the response by the source ip | regex to use sed to change format of DNS queries to exclude (<digits>) | sort by count

1

SelecBon determines drill down Combined StaBc & Dynamic Dropdown input. StaBc (default) vaue of ALL maps to a value of “*”, dynamic opBons populated by a search: index=firewall sourcetype=ACMEfw src_ip=$source_ip$ | stats count by category

2

Guest Network Sessions for Jumper

37

Again going back to the same drill-‐down, use the MAC address idenBfied and list guest network IPs associated with the MAC we’ve Bed to a corporate asset: index=firewall sourcetype=“ACMEguestFW” (ip!=“ACMEipSpace" AND ip!="0.0.0.0") mac=$mac$| stats count by mac,ip | fields -‐ count

Get a list of IP addresses for the idenBfied jumper based on MAC address from the Guest network firewall logs.

Behavior invesBgaBon – Guest Network AcBvity

38

List hosts accessed by the jumper on the guest network, filtered by pass/block/all as per the staBon radio input above and using the source selected in the original drilldown on the dashboard: index=network sourcetype=ACMEguestWLC srcip=$source$ acLon=$acLon$ | stats count by srcip,hostname,acLon,msg,dsLp | sort -‐count

3

StaBc form input defined to filter the panel’s search on acBon field (block, pass, all)

View the XML Source for the Dashboard (“Add Input”), select “Radio”, drag the input to the panel, and customize in the GUI, or add the XML code directly in “Edit Source”. This radio input sets the token $acBon$ to the value selected: <input type="radio" token="action" searchWhenChanged="true"> <choice value="pass">pass</choice> <choice value="block">block</choice> <choice value="*">all</choice> <default>*</default> </input>

2 1

Design & Extension Notes

39

!   Areas to conBnue the invesBgaBon –  Select user of interest to drive addiBonal panels – including addiBonal historical trending –  AddiBonal review of DNS requests –  Data volume on guest network –  Threat list mapping for known C2 servers, site hosBng malware/malverBsing

!   PracBcal integraBons –  Capture page, walled garden for jumpers with training and/or restricBon on Guest Network

!   PotenBal to add algorithms to refine results and accelerate analysis –  High level charts – 14 day, 7 day, today –  Integrate addiBonal data sources to further idenBfy behavior

Next Steps: ConLnuing with other SituaLonal Awareness & Kill Chain Use Cases

Developing AddiBonal Use Cases

41

!   Have a disciplined approach !   Start with a behavior, choose a point on the kill chain !   IdenBfy what logs sources you have !   Think about and try different visualizaBons !   Use staBsBcs and simple algorithms to clarify the data !   Find related log sources !   Think longitudinally !   Find outliers, shiR your parameters, and let more outliers emerge

AddiBonal Examples

42

!  IdenBfying Pass-‐the-‐Hash (PtH) Abacks and other CredenBal TheR Techniques –  Look for lateral movement, then get specific in your search for specific techniques. Methods include RDP and other

remote access tools, the use of PsExec, as well as Windows Management InstrumentaBon (WMI). –  The NSA report “Spojng the Adversary with Windows Event Log Monitoring” provides many good ideas to build on. For

PtH: ê  “The successful use of PtH for lateral movement between workstaBons would trigger event ID 4624, with an event

level of InformaBon, from the security log. This behavior would be a LogonType of 3 using NTLM authenBcaBon where it is not a domain logon and not the ANONYMOUS LOGON account.”

ê  “A failed logon abempt when trying to move laterally using PtH would trigger an event ID 4625. This would have a LogonType of 3 using NTLM authenBcaBon where it is not a domain logon and not the ANONYMOUS LOGON account.”

!  ValidaBng and Monitoring MiBgaBon AcBons (Closed-‐Loop Management) –  When miBgaBng risks and threats in your environment, you need to validate that your measures take effect while

monitoring and minimizing disrupBon to mission-‐criBcal business operaBons. –  Look for metrics that are leading indicators to help validate progress –  Look for trailing indicators that show potenBal disrupBon –  One example would be forced password expiry impairing users who only use applicaBons with integrated authenBcaBon

that do not support password resets

Kill Chain Based Aback Lifecycle Concept

43

Security Controls !   The average enterprise today has decent but incomplete

coverage via a collecBon of security controls !   In addiBon to gaps in security controls there is usually an

even larger gap in which security controls are centrally logged and monitored

!   MulB-‐control correlaBon is rarely done, and even more rarely done right

!   Security controls in silos are not enough !   Approach to analysis needs to be cohesive and behaviorally

driven, with a monitoring/response posture based on knowing your users, network, and environment

!   Need to evolve: –  From compliance reporBng to threat detecBon –  From finding/neutralizing malware to dissecBng/disrupBng

aback –  From staBc views of data to longitudinal data analyBcs

44

Security Control Frameworks

45

•  Perimeter-‐in •  CriBcal assets/crown jewels •  Kill chain/behavior-‐based •  Quick wins

Security Control Monitoring PrioriBes:

SANS CriLcal Security Controls V5 – SANS Top 20

(ISC)2 Common Body of Knowledge (10 Domains)

ISO 27001:2013 (114 Controls in 14 Groups)

NIST Special PublicaLon 800-‐53 Rev. 4 (224 controls in 18 families)

1.  Inventory of Authorized and Unauthorized Devices

2.  Inventory of Authorized and Unauthorized SoRware

3.  Secure ConfiguraBons for Hardware and SoRware on Mobile Devices, Laptops, WorkstaBons, and Servers

4.  ConBnuous Vulnerability Assessment and RemediaBon

5.  Malware Defenses 6.  ApplicaBon SoRware Security 7.  Wireless Access Control 8.  Data Recovery Capability 9.  Security Skills Assessment and Appropriate

Training to Fill Gaps 10.  Secure ConfiguraBons for Network Devices

such as Firewalls, Routers, and Switches 11.  LimitaBon and Control of Network Ports,

Protocols, and Services 12.  Controlled Use of AdministraBve Privileges 13.  Boundary Defense 14.  Maintenance, Monitoring, and Analysis of

Audit Logs 15.  Controlled Access Based on the Need to

Know 16.  Account Monitoring and Control 17.  Data ProtecBon 18.  Incident Response and Management 19.  Secure Network Engineering 20.  PenetraBon Tests and Red Team Exercises

1.  Access Control 2.  TelecommunicaBons

and Network Security

3.  InformaBon Security Governance and Risk Management

4.  SoRware Development Security

5.  Cryptography 6.  Security Architecture

and Design 7.  OperaBons Security 8.  Business ConBnuity

and Disaster Recovery Planning

9.  Legal, RegulaBons, InvesBgaBons and Compliance

10.  Physical (Environmental) Security

1.  InformaBon security policies (2 controls)

2.  OrganizaBon of informaBon security (7 controls)

3.  Human resource security -‐ 6 controls that are applied before, during, or aRer employment

4.  Asset management (10 controls) 5.  Access control (14 controls) 6.  Cryptography (2 controls) 7.  Physical and environmental security

(15 controls) 8.  OperaBons security (14 controls) 9.  CommunicaBons security (7

controls) 10.  System acquisiBon, development

and maintenance (13 controls) 11.  Supplier relaBonships (5 controls) 12.  InformaBon security incident

management (7 controls) 13.  InformaBon security aspects of

business conBnuity management (4 controls)

14.  Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

1.  Access Control 2.  Awareness & Training 3.  Audit & Accountability 4.  CerBficaBon,

AccreditaBon & Security Assessments

5.  ConfiguraBon Management

6.  ConBngency Planning 7.  IdenBficaBon And

AuthenBcaBon 8.  Incident Response 9.  Maintenance 10.  Media ProtecBon 11.  Physical & Environmental

ProtecBon 12.  Planning 13.  Personnel Security 14.  Risk Assessment 15.  System & Services

AcquisiBon 16.  System & CommunicaBon

ProtecBon 17.  System & InformaBon

Integrity 18.  Program Management

THANK YOU Andrew Gerber [email protected]

mapping*the*enterprise* threat,*risk,*and*security ... · pdf...

Documents

mappingtheenterprise* threat,risk,and*security ... · pdf...