Copyright © 2014 Splunk Inc.
Andrew Gerber, Managing Information Security Consultant, Wipro
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
About
Andrew Gerber is a managing information security consultant at Wipro. Over the last ten years he has focused on security information and event management (SIEM), security analytics, and security operations center (SOC) design. Andrew additionally has experience evaluating information security program maturity and building effective managed security service offerings. Andrew has worked with clients in North America, Europe, and Asia, including several Fortune 100 and Fortune Global 100 industry leaders in financial services, healthcare, manufacturing, retail, and law enforcement. Andrew holds a B.S. in computer science and an M.B.A. from Purdue University.
Wipro Ltd. (NYSE:WIT) is a global information technology, consulting, and outsourcing company with over 145,000 employees across 6 continents and over 175 cities. Wipro posted revenues of $7.3 billion for the financial year ended March 31, 2014. Wipro helps customers do business better by leveraging our industry-wide experience, deep technology expertise, comprehensive portfolio of services, and vertically aligned business model. Wipro is proud of its strategic partnership with Splunk and the value Wipro delivers using Splunk as a platform across industries and applications, with a focus in enterprise information security managed services.
Agenda
• New approach to Enterprise Security
– Situational Awareness
– Kill Chain
• Techniques using this new approach
– Looking for threat behavior
– Profiling VPN access
– Looking for an attacker trying to get out of the environment, as well as identifying potential delivery vectors
– Profiling Network Jumpers
– A framework for developing additional techniques
• Recommendations and best practices for further development and implementation of this approach
The Enterprise Security Landscape
• Attacks and breaches on the rise; threat actors motivated by previous attacks' successes
• Attackers still have a remarkably easy time getting in
– Organizations are still not implementing basic controls (i.e. geographic restrictions, segmentation, account lockouts). A LOT CAN BE DONE WITH BASIC CONTROLS
– Organizations are still not monitoring/responding to IOCs (Indicators of Compromise); a recent breach analysis showed multiple alerts on potential malware and malicious activity completely missed. INFORMATION AND ALERTS FROM ALL SOURCES MUST BE ANALYZED
• Don't focus solely on alerts for denied or failure events
– FOCUS ON PROFILING BEHAVIOR OVER TIME & ACROSS PLATFORMS TO DISTINGUISH ANOMALIES
Threats
• Threats are increasing; attacker dwell time is still well over 200 days on average.
• Move from generic malware targeting everyone to deliberate, smart attackers targeting you, with a specific objective.
• With attackers identifying high-value objectives, the investment they are willing to make increases.
• We can see attackers' methodology evolving over time to adapt to organizations' actions and responses.
• People are being targeted more, resulting in more valid-credential based attacks and less need for vulnerability exploits of network/security devices.
• Threat actors now look more like legitimate users. You can still tell them apart, just not with legacy tools/strategies.
[Figure: Breaches by Asset Category over Time, from Verizon's 2014 Data Breach Investigations Report]
Threats: Who Attacks and Why?
[Figure: Categories of Attackers; Attacker Motivation. From IBM's 2013 Cyber Security Intelligence Index]
Risks: Clear and Present Danger
Brand / Revenue / Financial Data / Product Data / Customer & Patient Records / Financial Theft / Blackmail / Job Loss / Operations Disruption and Manipulation / Competitive Espionage / …
Situational Awareness
Changing threat environments demand enhanced security monitoring, often called "situational awareness":
• Advanced targeted threats have increased the requirement for the proactive detection of potential incidents above standard due diligence levels.
• Situational awareness expands on security information and event management (SIEM) processes, and requires a combination of asset and threat information and activity data, in combination with analysis and reporting capabilities.
• Advanced analysis capabilities to support "human in the loop" investigation and decision making are critical requirements.
From Gartner's note "Delivering Situational Awareness" (G00214313)
[Figure: Tech / Process / People] To deliver situational awareness, we need to add a process/approach/model to the people (us) and the technology (Splunk) deployed to provide enterprise security.
Kill Chain
• Model to identify threat behavior across the lifecycle of an attack
– Move from looking at a single alert or a single aspect of the attack
– Must look at the entire spectrum of activities (all data) to determine attack/threat
• Detection earlier in the kill chain = lower impact and mitigation cost
• Detection later in the kill chain = greater impact; must look back in time to determine infection/impact and how to contain/mitigate
Beyond SIEM – True Security Analytics:
• Brings together information that would be time consuming or impossible to manually analyze (goes beyond centralized logging)
• Enables a deep investigation of what otherwise could only be aggregated and/or ignored
• Allows dynamic correlation – visual representation makes anomalies obvious
• Enables exploration of loose relationships between events, driven by "human-in-the-loop" processes, leading to a "hypothesis → test → findings" approach instead of an "event → evaluate" approach.
• Accelerates analyst decision trees around behavior
• Is cohesive and behaviorally driven, with a monitoring/response posture based on knowing your users, assets, and environment
Use cases to implement with Splunk
• Use Case 1 - Detect inappropriate or malicious remote access
– VPN profiling of employees, contractors, vendors, and other insiders
– Useful to identify the following kill chain stages: C2, Exfiltration
– Also useful to identify employee/insider Fraud, Theft, & Abuse (FTA)
• Use Case 2 - Detect attempted and actual bypass of network controls
– Detect network jumping and off-network activity
– Useful to identify the following kill chain stages: Delivery, C2, Exfiltration
– Also useful to identify employee/insider Fraud, Theft, & Abuse (FTA)
What & Why?
• Find abnormal usage patterns in remote access
– VPN access with valid credentials has been used in major attacks, including a recent healthcare industry breach
• Profile remote usage by employees, contractors, vendors, and other insiders
• Look for:
– Indicators of Delivery, C2, Exfiltration, as well as employee or insider FTA
– Potentially compromised credentials
• Key points to look for:
– Increase in login frequency
– Odd times/locations
– Improbable travel distance between logins or login attempts (the velocity required between consecutive geographical login locations is too high)
Design & Approach
Overview – Geographic and Network VPN Trends
Overview – User-based VPN Trends
Geographic Analysis with "Traveler" identification
"Traveler" mapping & improbable behavior analysis
Design & Approach - Workflow
Multiple login failures, by count and over time, together with successful logins provide insight into VPN behavior.
User level VPN Trends: at-a-glance profiling of VPN login successes and failures. Identify repeat VPN login failure trends by user; outlier and clustered events are easy to spot.
Geographic & Network VPN Trends: geolocation and domain charting identify normal vs. abnormal access
• Top Level Domains and other domain names to find anomalies, i.e. connections from the .edu TLD or from external VPN services
Design & Approach - Workflow
"Traveler" mapping & improbable behavior analysis: determine unlikely distance/time combinations between VPN logins.
Geographic Analysis with "Traveler" identification: per-country trends & users with multiple locations in a given time period. Also identify relative distances for users from a relevant fixed location.
Key Events – VPN Authentication Success/Failure
The key searches look for VPN authentication success and failure; we expand on them throughout this use case.
Overview – Geographic & Network VPN Trends
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | iplocation IP | geostats count by Username globallimit=0
index=vpn sourcetype=ACMEvpn "Login failed" | eval userinfo=user.":".user_bunit | iplocation src_ip | geostats count by userinfo globallimit=0
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | stats count by IP | lookup dnslookup clientip as IP | rex field=clienthost ".*(?P<toplevel>\.\w+)$" | stats count by toplevel
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | stats count by IP | lookup dnslookup clientip as IP | rex field=clienthost ".*\.(?P<midlevel>\w+)\.(?P<toplevel>\w+)$" | eval thedomain=midlevel.".".toplevel | eval lendomain=len(thedomain) | where lendomain>0 | stats count by thedomain | sort -thedomain | sort -count
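The last two searches above profile VPN clients by the top-level domain and the registrable domain of their reverse-DNS name. The following Python is an added example (not from the slides or from Wipro) that does the same counting offline over a constructed list of hostnames, standing in for the clienthost field that dnslookup returns. It also handles two cases the slides' searches do not: a lookup that returns a bare IP (no PTR record), which the `\w+` regex would otherwise mis-parse as a domain such as `100.77`, and hyphenated labels like `example-isp`, which `\w+` rejects. The expected TLD list and the "vpn"/"proxy" watch words are assumptions for the example.

```python
import re
from collections import Counter

# Constructed reverse-DNS results for VPN client IPs, standing in for the
# clienthost field that Splunk's dnslookup returns (not data from the slides).
CLIENT_HOSTS = [
    "cpe-203-0-113-7.res.example-isp.net",
    "cpe-203-0-113-9.res.example-isp.net",
    "dyn-198-51-100-22.example-isp.net",
    "lab-12.cs.example.edu",
    "exit-node-3.example-vpn.com",
    "198.51.100.77",  # no PTR record: the lookup hands the IP back unchanged
]

# The slides' rex uses \w+ for each label, which rejects hyphenated names such
# as example-isp; [\w-]+ accepts them while still stopping at the dots.
DOMAIN_RE = re.compile(r"^(?:[\w-]+\.)*(?P<midlevel>[\w-]+)\.(?P<toplevel>\w+)$")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def split_domain(host):
    """Return (registrable_domain, tld) for a resolved hostname, or None when
    the lookup produced a bare IP or a single label with no TLD."""
    if BARE_IP_RE.match(host):
        return None
    m = DOMAIN_RE.match(host)
    if not m:
        return None
    return m.group("midlevel") + "." + m.group("toplevel"), m.group("toplevel")


def profile_domains(hosts):
    """Count VPN clients by TLD and by registrable domain; unresolved IPs are
    counted separately rather than being mis-parsed as a domain."""
    by_tld, by_domain, unresolved = Counter(), Counter(), 0
    for host in hosts:
        parts = split_domain(host)
        if parts is None:
            unresolved += 1
            continue
        domain, tld = parts
        by_domain[domain] += 1
        by_tld[tld] += 1
    return by_tld, by_domain, unresolved


def anomalous_domains(by_domain, expected_tlds=("net", "com"), watch_words=("vpn", "proxy")):
    """Domains worth an analyst's look: an unexpected TLD (the slides' .edu
    example) or a name that suggests an external VPN/proxy service.
    expected_tlds and watch_words are assumed values for this example."""
    flagged = []
    for domain in sorted(by_domain):
        tld = domain.rsplit(".", 1)[1]
        if tld not in expected_tlds or any(w in domain.lower() for w in watch_words):
            flagged.append(domain)
    return flagged


if __name__ == "__main__":
    tlds, domains, unresolved = profile_domains(CLIENT_HOSTS)
    print("by TLD:", dict(tlds))
    print("by domain:", dict(domains))
    print("unresolved:", unresolved)
    print("review:", anomalous_domains(domains))
```

In a real deployment the expected-TLD list comes from a baseline of your own VPN population (the "User-based" and "Geographic" overview panels give you that baseline); the point of the example is that the unresolved count and the hyphen handling keep the domain table honest before anomalies are read from it.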
Overview – User-based VPN Trends
index=firewall (sourcetype=ACMEvpn AND "AAA user authentication Rejected" AND user=*) OR (sourcetype=ACMEtraffic AND src_user=* AND to=VPN AND action!="allowed") | rename src_user AS fulluser | rex "user\s\=\s(?<fulluser>.*)" | stats count by fulluser | search count>3
index=firewall (sourcetype=ACMEvpn AND "AAA user authentication Rejected" AND user=*) OR (sourcetype=ACMEtraffic AND src_user=* AND to=VPN AND action!="allowed") | rename src_user AS fulluser | rex "user\s\=\s(?<fulluser>.*)" | top fulluser
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | stats sparkline(count), count by Username | sort -count
Overview – User-based VPN Trends
index=firewall sourcetype=ACMEvpn "AAA user authentication Rejected" user=* | rex "user\s\=\s(?<fulluser>.*)" | timechart count by fulluser useother=f limit=25
Geographic Analysis with "Traveler" identification
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | iplocation IP | eval regionlen=len(Region) | where regionlen>0 | eval regioncity=City.",".Region | stats sparkline(dc(IP)), dc(IP) as howmanyIP, dc(regioncity) as howmanyRegion, values(regioncity) as Locations by Username | sort -howmanyIP | where howmanyRegion>1
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | dedup IP | iplocation allfields=true IP | eval citylen=len(City) | eval short_lon=round(lon,2) | eval short_lat=round(lat,2) | strcat short_lat "," short_lon as latlon | eval HQ="37.235,-115.811" | where citylen>0 | haversine originField=HQ latlon units=mi | table _time,Username,City,Region,distance | sort -distance | eval distance=round(distance,0)
"Traveler" mapping & improbable behavior analysis
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete" | iplocation allfields=true IP | eval short_lon=round(lon,2) | eval short_lat=round(lat,2) | strcat short_lat "," short_lon as latlon | transaction Username maxspan=1d mvlist=t mvraw=f delim="|" | eval first_src=mvindex(IP,0) | eval last_src=mvindex(IP,-1) | where (first_src != last_src) | eval first_tz=mvindex(Timezone,0) | eval last_tz=mvindex(Timezone,-1) | where first_tz != last_tz | eval first_latlon=mvindex(latlon,0) | eval last_latlon=mvindex(latlon,-1) | eval firstlatlonlen=len(first_latlon) | eval lastlatlonlen=len(last_latlon) | where firstlatlonlen>1 | where lastlatlonlen>1 | eval bothtz=first_tz.last_tz | eval tzlen=len(bothtz) | where tzlen>20 | haversine originField=first_latlon last_latlon units=mi | eval rate_mps=distance/duration | eval rate_mph=rate_mps * 3600 | eval tdm=duration/60 | eval tdm=round(tdm,2) | eval rate_mph=round(rate_mph,2) | makemv delim="|" src_ip | makemv delim="|" Username | eval username=mvindex(Username,0) | table _time,rate_mph,tdm,username,first_tz,last_tz,first_src,last_src,bothtz | rename tdm as "Time Difference(Minutes)" | rename rate_mph as "Speed(MPH)" | search "Speed(MPH)">100 | sort - "Speed(MPH)" | iplocation last_src | geostats count by username
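The search above takes the first and last login of each user's one-day transaction, measures the great-circle distance between their geolocated source IPs with the haversine formula, and divides by the elapsed time to flag implied speeds over 100 mph. The Python below is an added example (not from the slides or from Wipro) of the same computation over a constructed list of already-geolocated VPN events; the coordinates and time zones are made up and stand in for what iplocation would add. It generalizes the search slightly: it checks every consecutive pair of a user's logins rather than only the first and last of the day, and it drops the time-zone-difference filter so that a fast move between two cities in one zone is still caught, while keeping the search's guard against events with no coordinates.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_MI = 3958.8

# Constructed VPN "Security Negotiation Complete" events after geolocation.
# Coordinates and time zones stand in for what iplocation would add; they are
# made up for this example, not taken from the slides.
# (time, username, src_ip, lat, lon, time zone)
VPN_EVENTS = [
    ("2014-09-10T08:02:11Z", "jdoe", "203.0.113.7", 40.4259, -86.9081, "America/Indiana/Indianapolis"),
    ("2014-09-10T09:15:40Z", "jdoe", "198.51.100.22", 51.5074, -0.1278, "Europe/London"),
    ("2014-09-10T07:40:00Z", "asmith", "192.0.2.10", 37.7749, -122.4194, "America/Los_Angeles"),
    ("2014-09-10T18:05:00Z", "asmith", "192.0.2.44", 34.0522, -118.2437, "America/Los_Angeles"),
    ("2014-09-10T12:00:00Z", "bchen", "203.0.113.40", None, None, ""),  # geolocation failed
    ("2014-09-10T13:00:00Z", "bchen", "203.0.113.41", 41.8781, -87.6298, "America/Chicago"),
]


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles, the same formula the haversine command
    applies to the latlon pairs in the search."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def improbable_travel(events, max_mph=100.0):
    """Flag consecutive logins by the same user from different source IPs whose
    implied ground speed exceeds max_mph. Events without coordinates are
    skipped, as the len(latlon)>1 guards in the search do."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[1], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_time(e[0]))
        for prev, cur in zip(evs, evs[1:]):
            if prev[2] == cur[2] or prev[3] is None or cur[3] is None:
                continue
            seconds = (parse_time(cur[0]) - parse_time(prev[0])).total_seconds()
            if seconds <= 0:
                continue  # identical timestamps give no usable rate
            miles = haversine_mi(prev[3], prev[4], cur[3], cur[4])
            mph = miles / (seconds / 3600)
            if mph > max_mph:
                findings.append({
                    "username": user,
                    "speed_mph": round(mph, 2),
                    "minutes": round(seconds / 60, 2),
                    "first_src": prev[2], "last_src": cur[2],
                    "first_tz": prev[5], "last_tz": cur[5],
                })
    return sorted(findings, key=lambda f: -f["speed_mph"])


if __name__ == "__main__":
    for f in improbable_travel(VPN_EVENTS):
        print(f)
```

With the constructed data only jdoe is reported (roughly 4,000 miles in 73 minutes); asmith's San Francisco to Los Angeles move over ten hours stays well under the threshold, and bchen's first event has no coordinates and is skipped rather than producing a bogus distance.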
Design & Extension Notes
• Additional panels:
– Simultaneous logins (often rare as a legitimate scenario)
– Increase in data volume over the connection (sign of exfiltration, data collection)
– Potential to add algorithms to refine results and accelerate analysis
• Additional information about user access patterns
– "Out-of-Office" information - integrate with Exchange
– PTO/Absence/etc. - integrate with HR/Time management systems
What & Why?
• Find assets & users jumping from the corporate LAN/WLAN to the Guest Network
– Detect attempts to bypass security controls
– Detect the malware vector of "benign" off-network browsing: 1 in 566 websites hosts malware (Symantec 2014 Internet Security Threat Report)
– If controls exist around Guest network usage, still implement this for attestation
• Profile jumping behavior to look for patterns and anomalies
– Identify the User, IP address, MAC address
– Identify activity before and after jumping
– Filter out insider Fraud, Theft, Abuse from possible Indicators of Compromise
• Key points to look for include
– Assets and users jumping periodically – normal business users should be on the corporate network
– Network jumps which don't appear to be pre-meditated (i.e. looking for programmatic jumps)
– Volume, periodicity, destination, traffic type can all be indicators of potential Exfiltration
"40% [of companies] reported that they had been exposed to a security threat as a direct consequence of an off-network user's laptop getting compromised within the last twelve months."
From Google report, "Off-Network Workers – The Weakest Link to Corporate Web Security"
Design & Approach
Overview – Long/Short Term Off-Net Jumping Trends
Identify a user of interest and drill down to investigate
Behavior investigation – longitudinal trending
Behavior investigation – Pre-Jump Activity
Behavior investigation – Guest Network Activity
Design & Approach - Workflow
Long/Short Term Off-Net Jumping Trends: at-a-glance profiling of corporate credentials used on the guest network – activity for today, 7 days, 14 days. Visual analysis to determine what looks abnormal.
Rapid investigation to identify users of interest: selection enables deep investigation via an initial drilldown into user activity/details. Selection determines the drill down.
Dynamic drilldown begins at this point on this dashboard: when you click on a row, the IP, hostname, and MAC are passed to the following subpanels; this is based on drilldown parameters set in this panel's XML source.
Design & Approach - Workflow
Behavior Investigation – Longitudinal Trending: patterns identify a potential repeat offender, or possible C2/exfiltration. Look at guest network activity to clarify – compare these two trends.
Design & Approach - Workflow
Behavior Investigation – Pre-Jump Activity: looking back in time from the jump, user activity on the corporate network preceding the jump, and the user device to IP address mapping of the jumper.
• Does the jump make sense? – driven by business logic or "benign" behavior
• Does the jump look like an attacker trying to get out? – more "random" patterns
• Does the jump look like an insider threat? – exfiltration, etc.
Looking in time after the jump: user activity on the guest network after the jump.
Key Event – Guest network DHCP request
Key search to identify this activity:
• Look at guest network firewall logs, which log DHCP requests (IP → MAC → hostname)
• Look at DHCP requests using an IP address of one of our corporate networks, and the MAC address.
• Eliminate mobile devices; limit results to our corporate hostname naming convention
• A database of internal IP space, hostnames, and associated MAC addresses is being built to further refine this.
Trending – How it's Done
index=firewall sourcetype="ACMEguestFW" (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) dhcp_msg=Request ip="ACMEipSpace" | regex hostname="ACMEnamingConvention" | timechart span=4h limit=30 count by hostname
index=firewall sourcetype="ACMEguestFW" (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) dhcp_msg=Request ip="ACMEipSpace" earliest=-14d latest=-1d | regex hostname="ACMEnamingConvention" | dedup hostname | timechart span=1h count | eval StartTime=relative_time(now(),"-48h@h") | eval Series=if(_time>=StartTime, "Yesterday's Count", "2 Week Average") | eval Hour=strftime(_time,"%H") | chart max(count) by Hour Series
Trending – How it's Done
index=firewall sourcetype="ACMEguestFW" ip="ACMEipSpace" (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) dhcp_msg="Request" | regex hostname="ACMEnamingConvention" | timechart span=1h count by hostname
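The key event behind all three trending searches is a DHCP Request seen on the guest-network firewall that asks for an address in corporate IP space from a host named per the corporate convention, with phones, pads and android devices filtered out. The Python below is an added example (not from the slides or from Wipro) that applies that filter to a handful of constructed key=value log lines, buckets the hits per hostname per 4-hour span as the first search does, and lists hosts seen in more than one span, which is the periodic pattern the longitudinal panel is meant to surface. `CORP_SPACE` and `NAMING_RE` are hypothetical stand-ins for the slides' `ACMEipSpace` and `ACMEnamingConvention` placeholders, and the log format is assumed.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed guest-network firewall DHCP lines in key=value form (made up for
# this example; the slides' ACMEguestFW sourcetype is only a placeholder).
GUEST_FW_LOGS = """\
2014-09-10T08:03:12Z dhcp_msg=Request ip=10.20.1.15 mac=00:11:22:33:44:55 hostname=ACME-LT-1042
2014-09-10T08:05:40Z dhcp_msg=Request ip=10.20.1.16 mac=00:11:22:33:44:66 hostname=ACME-WS-2210
2014-09-10T08:07:01Z dhcp_msg=Request ip=172.16.5.9 mac=aa:bb:cc:dd:ee:01 hostname=iPhone-guest
2014-09-10T08:09:33Z dhcp_msg=Request ip=10.20.1.15 mac=00:11:22:33:44:55 hostname=ACME-LT-1042
2014-09-10T08:11:00Z dhcp_msg=Ack ip=10.20.1.15 mac=00:11:22:33:44:55 hostname=ACME-LT-1042
2014-09-10T08:12:45Z dhcp_msg=Request ip=172.16.5.20 mac=aa:bb:cc:dd:ee:02 hostname=android-9f3
2014-09-10T08:15:10Z dhcp_msg=Request ip=10.20.2.7 mac=00:11:22:33:44:77 hostname=printer-lobby
2014-09-10T12:30:00Z dhcp_msg=Request ip=10.20.1.15 mac=00:11:22:33:44:55 hostname=ACME-LT-1042
"""

# Hypothetical stand-ins for the slides' ACMEipSpace and ACMEnamingConvention.
CORP_SPACE = [ipaddress.ip_network("10.20.0.0/16")]
NAMING_RE = re.compile(r"^ACME-(?:LT|WS)-\d{4}$")
MOBILE_RE = re.compile(r"phone|pad|android", re.IGNORECASE)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_corporate(ip):
    """True when the requested address lies in corporate IP space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORP_SPACE)


def jump_requests(log_text):
    """The key event: a DHCP Request on the guest network that asks for a
    corporate address from a host named per the corporate convention, with
    phones/pads/android devices excluded as in the slides' search."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("dhcp_msg") != "Request":
            continue
        host = f.get("hostname", "")
        if MOBILE_RE.search(host) or not NAMING_RE.match(host):
            continue
        if not is_corporate(f.get("ip", "")):
            continue
        hits.append(f)
    return hits


def timechart_by_host(hits, span_hours=4):
    """Count requests per hostname per span, like timechart span=4h count by hostname."""
    chart = defaultdict(lambda: defaultdict(int))
    for f in hits:
        t = f["_time"]
        bucket = t.replace(hour=(t.hour // span_hours) * span_hours, minute=0, second=0)
        chart[f["hostname"]][bucket.strftime("%Y-%m-%dT%H:%M")] += 1
    return {h: dict(b) for h, b in chart.items()}


def repeat_jumpers(chart, min_buckets=2):
    """Hosts seen jumping in more than one time span: the periodic behaviour
    the slides single out as a potential repeat offender or C2 beacon."""
    return sorted(h for h, b in chart.items() if len(b) >= min_buckets)


if __name__ == "__main__":
    chart = timechart_by_host(jump_requests(GUEST_FW_LOGS))
    for host, buckets in chart.items():
        print(host, buckets)
    print("repeat jumpers:", repeat_jumpers(chart))
```

Note what the filter drops and why: the Ack line is not a Request, the iPhone and android hosts are mobile devices, and printer-lobby asks for a corporate address but does not match the naming convention, so it never reaches the chart even though it may deserve its own panel.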
Identify User, present additional data – How it's Done
index=firewall (hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*) sourcetype="ACMEguestFW" ip="ACMEipSpace" dhcp_msg="Request" | regex hostname="ACMEnamingConvention" | stats count by ip,_time,hostname,mac | sort _time
View the XML Source for the Dashboard ("Edit Source"), find the panel, and add:
<drilldown> <set token="source_ip">$row.ip$</set> <set token="mac">$row.mac$</set> <set token="hostname">$row.hostname$</set> </drilldown>
Make this panel only appear when the drilldown is activated: <panel><single id="jumpername" depends="$source_ip$">
The search uses $source_ip$ from the click and searches the internal firewall logs to find the most recent user from that IP address:
index=firewall sourcetype=ACMEfw src=$source_ip$ | rex field=src_user "\w+\\\\(?<browseusername>\w+)" | dedup browseusername | table browseusername
Drill-down to lookup user
Longitudinal Trending – How It's Done
This panel is driven by the same drill-down we've been using, based on $hostname$ from the guest network firewall logs. The search simply returns the jumping pattern over the past week and charts it in 15-minute spans.
index=firewall hostname=$hostname$ dhcp_msg=Request sourcetype=ACMEguestFW | timechart span=15m count
Behavior Investigation – Pre-Jump Activity
Selection determines drill down. Combined Static & Dynamic Dropdown input: the static (default) value of ALL maps to a value of "*"; dynamic options are populated by a search: index=firewall sourcetype=ACMEfw src_ip=$source_ip$ | stats count by category
Select "Edit Panels" for the Dashboard and then "Add Input", select "Radio", drag the input to the panel, and customize in the GUI, or add the XML code directly in "Edit Source". This dropdown input sets the token $category$ to the value selected:
<input type="dropdown" token="category" searchWhenChanged="true"> <label>Select Category</label> <populatingSearch earliest="@d" latest="now" fieldForLabel="category" fieldForValue="category">index=firewall sourcetype=pan* src_ip=$source_ip$ | stats count by category</populatingSearch> <choice value="*">ALL</choice> </input>
Search the Windows DNS logs for requests and responses triggered by the jumper on the corporate network, still using the same drilldown from before for source_ip:
index=winevents sourcetype="MSAD:NT6:DNS" src_ip=$source_ip$ | stats count by questionname,questiontype,response,src_ip | rex mode=sed field=questionname s/\(\d+\)/./g | sort -count
This is a basic filtering search: | stats takes a count of queries made, their type and the response by source IP; | rex uses sed to change the format of the DNS queries to exclude the (<digits>) label markers; | sort orders by count.
Guest Network Sessions for Jumper
Again going back to the same drill-down, use the MAC address identified and list the guest network IPs associated with the MAC we've tied to a corporate asset:
index=firewall sourcetype="ACMEguestFW" (ip!="ACMEipSpace" AND ip!="0.0.0.0") mac=$mac$ | stats count by mac,ip | fields - count
Get a list of IP addresses for the identified jumper based on MAC address from the Guest network firewall logs.
Behavior investigation – Guest Network Activity
Static form input defined to filter the panel's search on the action field (block, pass, all).
View the XML Source for the Dashboard ("Add Input"), select "Radio", drag the input to the panel, and customize in the GUI, or add the XML code directly in "Edit Source". This radio input sets the token $action$ to the value selected:
<input type="radio" token="action" searchWhenChanged="true"> <choice value="pass">pass</choice> <choice value="block">block</choice> <choice value="*">all</choice> <default>*</default> </input>
List hosts accessed by the jumper on the guest network, filtered by pass/block/all as per the static radio input above and using the source selected in the original drilldown on the dashboard:
index=network sourcetype=ACMEguestWLC srcip=$source$ action=$action$ | stats count by srcip,hostname,action,msg,dstip | sort -count
Design & Extension Notes
• Areas to continue the investigation
– Select a user of interest to drive additional panels – including additional historical trending
– Additional review of DNS requests
– Data volume on the guest network
– Threat list mapping for known C2 servers and sites hosting malware/malvertising
• Practical integrations
– Captive page, walled garden for jumpers with training and/or restriction on the Guest Network
• Potential to add algorithms to refine results and accelerate analysis
– High level charts – 14 day, 7 day, today
– Integrate additional data sources to further identify behavior
Developing Additional Use Cases
• Have a disciplined approach
• Start with a behavior, choose a point on the kill chain
• Identify what log sources you have
• Think about and try different visualizations
• Use statistics and simple algorithms to clarify the data
• Find related log sources
• Think longitudinally
• Find outliers, shift your parameters, and let more outliers emerge
Additional Examples
• Identifying Pass-the-Hash (PtH) Attacks and other Credential Theft Techniques
– Look for lateral movement, then get specific in your search for specific techniques. Methods include RDP and other remote access tools, the use of PsExec, as well as Windows Management Instrumentation (WMI).
– The NSA report "Spotting the Adversary with Windows Event Log Monitoring" provides many good ideas to build on. For PtH:
  – "The successful use of PtH for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account."
  – "A failed logon attempt when trying to move laterally using PtH would trigger an event ID 4625. This would have a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account."
• Validating and Monitoring Mitigation Actions (Closed-Loop Management)
– When mitigating risks and threats in your environment, you need to validate that your measures take effect while monitoring and minimizing disruption to mission-critical business operations.
– Look for metrics that are leading indicators to help validate progress
– Look for trailing indicators that show potential disruption
– One example would be forced password expiry impairing users who only use applications with integrated authentication that do not support password resets
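The two NSA criteria quoted above translate directly into a filter over Windows Security events: event ID 4624 or 4625, LogonType 3, NTLM as the authentication package, a target account that is not a domain account, and not ANONYMOUS LOGON. The Python below is an added example (not from the slides, from Wipro, or from the NSA report) that applies that filter to a constructed set of events and then groups the candidates by source IP, account and outcome, so that one source failing and then succeeding against a local account stands out for triage. The field names are those of the 4624/4625 event XML; `AD_DOMAIN` is a hypothetical stand-in, and "not a domain logon" is interpreted here as a TargetDomainName other than the AD domain (a local account on the target host), which is an assumption of the example.

```python
from collections import Counter

# Hypothetical AD domain name; any other TargetDomainName is treated as a
# local (non-domain) account for the purposes of this example.
AD_DOMAIN = "ACME"

# Constructed Windows Security events with the field names used in the
# 4624/4625 event XML. Made up for this example, not taken from the slides.
SECURITY_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "ACME", "TargetUserName": "jdoe",
     "WorkstationName": "WS-0042", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "WS-0042", "TargetUserName": "Administrator",
     "WorkstationName": "WS-0017", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "NT AUTHORITY", "TargetUserName": "ANONYMOUS LOGON",
     "WorkstationName": "WS-0017", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetDomainName": "ACME", "TargetUserName": "asmith",
     "WorkstationName": "WS-0017", "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "WS-0042", "TargetUserName": "Administrator",
     "WorkstationName": "WS-0017", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "WS-0042", "TargetUserName": "Administrator",
     "WorkstationName": "WS-0042", "IpAddress": "-"},
]


def is_pth_candidate(ev, ad_domain=AD_DOMAIN):
    """Apply the NSA report's criteria: 4624 (success) or 4625 (failure),
    network logon (LogonType 3), NTLM, not a domain account, and not the
    ANONYMOUS LOGON account."""
    if ev.get("EventID") not in (4624, 4625):
        return False
    if ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    if ev.get("TargetDomainName", "").upper() == ad_domain.upper():
        return False
    if ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
        return False
    return True


def pth_candidates(events, ad_domain=AD_DOMAIN):
    """Events that match the criteria; these are leads for triage, not verdicts."""
    return [ev for ev in events if is_pth_candidate(ev, ad_domain)]


def summarize_by_source(candidates):
    """Group hits by (source IP, account, outcome) so one source trying an
    account and failing, then succeeding, is visible at a glance."""
    counts = Counter()
    for ev in candidates:
        outcome = "success" if ev["EventID"] == 4624 else "failure"
        counts[(ev["IpAddress"], ev["TargetUserName"], outcome)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize_by_source(pth_candidates(SECURITY_EVENTS)).items():
        print(key, n)
```

Only the two NTLM network logons to the local Administrator account from 10.0.0.5 survive the filter: the domain-account logon, the Kerberos logon, the ANONYMOUS LOGON event and the interactive (LogonType 2) logon are all excluded. Legitimate administration with local accounts produces the same events, which is why the slides frame this as lateral-movement hunting to be refined with the surrounding behavior rather than a stand-alone alert.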
Security Controls
• The average enterprise today has decent but incomplete coverage via a collection of security controls
• In addition to gaps in security controls, there is usually an even larger gap in which security controls are centrally logged and monitored
• Multi-control correlation is rarely done, and even more rarely done right
• Security controls in silos are not enough
• The approach to analysis needs to be cohesive and behaviorally driven, with a monitoring/response posture based on knowing your users, network, and environment
• Need to evolve:
– From compliance reporting to threat detection
– From finding/neutralizing malware to dissecting/disrupting the attack
– From static views of data to longitudinal data analytics
Security Control Frameworks
Security Control Monitoring Priorities:
• Perimeter-in
• Critical assets/crown jewels
• Kill chain/behavior-based
• Quick wins

SANS Critical Security Controls V5 – SANS Top 20
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

(ISC)2 Common Body of Knowledge (10 Domains)
1. Access Control
2. Telecommunications and Network Security
3. Information Security Governance and Risk Management
4. Software Development Security
5. Cryptography
6. Security Architecture and Design
7. Operations Security
8. Business Continuity and Disaster Recovery Planning
9. Legal, Regulations, Investigations and Compliance
10. Physical (Environmental) Security

ISO 27001:2013 (114 Controls in 14 Groups)
1. Information security policies (2 controls)
2. Organization of information security (7 controls)
3. Human resource security (6 controls that are applied before, during, or after employment)
4. Asset management (10 controls)
5. Access control (14 controls)
6. Cryptography (2 controls)
7. Physical and environmental security (15 controls)
8. Operations security (14 controls)
9. Communications security (7 controls)
10. System acquisition, development and maintenance (13 controls)
11. Supplier relationships (5 controls)
12. Information security incident management (7 controls)
13. Information security aspects of business continuity management (4 controls)
14. Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

NIST Special Publication 800-53 Rev. 4 (224 controls in 18 families)
1. Access Control
2. Awareness & Training
3. Audit & Accountability
4. Certification, Accreditation & Security Assessments
5. Configuration Management
6. Contingency Planning
7. Identification And Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical & Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System & Services Acquisition
16. System & Communication Protection
17. System & Information Integrity
18. Program Management
THANK YOU
Andrew Gerber [email protected]