
Security models for security architecture


This presentation should help security professionals create a security architecture that supports business objectives, covers all areas of security technology, and allows the value of security to be measured effectively.
The presentation was given at BrightTALK.



  1. Security models for improving your organization’s defence posture and strategy
     Vladimir Jirasek. Blog: JirasekOnSecurity.com. Bio: About.me/jirasek. 9th Nov 2011
  2. About me
     • Security professional (11 years)
     • Founding member and steering group member of the Common Assurance Maturity Model, CAMM (common-assurance.com)
     • Director, CSA UK & Ireland
     • I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
  3. Topics I will cover today
     • Security model for information security
     • Security policy structure
     • Security processes
     • Security technology stack
     • Security metrics for organisations
  4. Security model – business drives security
     [Diagram. Inputs to security management: CEO & Board, Line Management, Product Management, Risk & Compliance, Auditors, compliance requirements, Laws & Regulations, international security standards, security threat intelligence and Security Professionals. Business objectives define security objectives, which drive three frameworks under security governance: a policy framework (information security policies, technology standards, security rules, people), a process framework (information security processes) and a metrics framework (information security metrics, external security metrics). The cycle shown is: define security controls, execute security controls, measure security control maturity, inform the business through a Security Portal and Information Security Artefacts, and correct the security processes.]
  5. Information Security Policy framework
     [Diagram of the policy hierarchy and its owners:
     • CISO: Information Security Policy (business and security objectives), Data classification policy, Employee Acceptable Use Policy
     • CIO: Information Technology Security Policy (security objectives)
     • IT Security: IT security standards (reuse internationally accepted controls), Security architecture
     • Technology teams: controls and technical security processes, architecture repository, security process guidelines]
  6. Relationship between business objectives and security processes
     [Diagram. Business objectives BO1–BO3 (supporting business processes B1–B3) map to security objectives SO1–SO5; each security objective is met by controls C1–C11 taken from international standards; each control is executed by one of the security processes P1–P4. The chain provides the response to two questions: “Do we have all business risks covered?” and “Why are we doing this?”]
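The chain on slide 6 is easiest to reason about as data. The following is an added example, not code from the presentation: it holds the business objectives, security objectives, controls and processes as mappings and answers the slide's two questions by walking the chain in each direction. The labels BO1.., SO1.., C1.. and P1.. follow the slide; the particular links between them, the descriptions and the standard each control is reused from are constructed for illustration.

```python
"""Traceability model for the slide-6 chain:
business objective -> security objective -> control -> security process.

Added example, not from the presentation. Links, descriptions and control
sources are constructed; only the label scheme comes from the slide.
"""
from dataclasses import dataclass


@dataclass
class TraceabilityModel:
    business_objectives: dict   # BO id -> description
    security_objectives: dict   # SO id -> description
    bo_to_so: dict              # BO id -> set of SO ids that address it
    so_to_controls: dict        # SO id -> set of control ids that meet it
    control_source: dict        # control id -> standard it was reused from
    control_to_process: dict    # control id -> security process that executes it

    def uncovered_business_objectives(self):
        """Top-down check, 'Do we have all business risks covered?': a BO counts
        as covered only when a security objective addresses it and at least one
        of that objective's controls is actually executed by a process."""
        uncovered = []
        for bo in self.business_objectives:
            executed = [
                c
                for so in self.bo_to_so.get(bo, set())
                for c in self.so_to_controls.get(so, set())
                if c in self.control_to_process
            ]
            if not executed:
                uncovered.append(bo)
        return sorted(uncovered)

    def justify(self, control):
        """Bottom-up chain, 'Why are we doing this?': the business objectives a
        control ultimately serves. Empty means nobody can answer the question."""
        objectives = {so for so, cs in self.so_to_controls.items() if control in cs}
        return sorted(bo for bo, sos in self.bo_to_so.items() if sos & objectives)

    def unjustified_controls(self):
        """Controls a process is executing that trace back to no business objective."""
        return sorted(c for c in self.control_to_process if not self.justify(c))

    def process_workload(self):
        """Controls per security process, useful when sizing P1..P4."""
        load = {}
        for control, process in self.control_to_process.items():
            load.setdefault(process, []).append(control)
        return {p: sorted(cs) for p, cs in sorted(load.items())}


def build_example_model():
    """Constructed data following the slide's labels (not the slide's real links)."""
    return TraceabilityModel(
        business_objectives={
            "BO1": "Take card payments online",
            "BO2": "Keep customer records confidential",
            "BO3": "Launch the mobile product",
        },
        security_objectives={
            "SO1": "Cardholder data is isolated and monitored",
            "SO2": "Privileged access is controlled",
            "SO3": "Customer data is encrypted and access is logged",
            "SO4": "Mobile backend is hardened before go-live",
            "SO5": "Legacy mainframe is patched",  # no business objective references it
        },
        bo_to_so={"BO1": {"SO1", "SO2"}, "BO2": {"SO3"}, "BO3": {"SO4"}},
        so_to_controls={
            "SO1": {"C1", "C2", "C3"},
            "SO2": {"C4", "C5"},
            "SO3": {"C6", "C7", "C8"},
            "SO4": {"C9"},           # defined, but no process executes it yet
            "SO5": {"C10", "C11"},
        },
        control_source={
            "C1": "PCI DSS", "C2": "PCI DSS", "C3": "ISO 27001", "C4": "ISO 27001",
            "C5": "NIST SP 800-53", "C6": "ISO 27001", "C7": "NIST SP 800-53",
            "C8": "ISF Standard of Good Practice", "C9": "SANS 20 critical controls",
            "C10": "ISO 27001", "C11": "CObIT 4",
        },
        control_to_process={
            "C1": "P1", "C2": "P1", "C3": "P1",
            "C4": "P2", "C5": "P2", "C6": "P2",
            "C7": "P3", "C8": "P3",
            "C10": "P4", "C11": "P4",
        },
    )


if __name__ == "__main__":
    m = build_example_model()
    print("uncovered business objectives:", m.uncovered_business_objectives())
    print("controls nobody can justify:", m.unjustified_controls())
    print("why C4:", m.justify("C4"))
    print("workload per process:", m.process_workload())
```

In the constructed data BO3 is uncovered because its only control, C9, is not executed by any process, and C10 and C11 are being executed for a security objective no business objective asked for; those are the two gaps the slide's questions are meant to surface.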
  7. Sources of security controls
     • ISO 27000 series
     • ISF Standard of Good Practice 2011
     • PCI DSS
     • NIST SP 800-53
     • CObIT 4
     • SANS 20 critical controls
  8. Security technology stack
     Layers: GRC; Information & Event Management; Identity, Entitlement, Access; Data Security; Cryptography; Application Security; Host Security; Network Security; Physical Security
     • Organise security reporting around the stack
     • For each layer, prepare a current state and target state analysis and a roadmap
  9. Security stack::Network
     • Network firewalls
     • VPN gateways
     • Network Intrusion Detection/Prevention
     • DDoS
     • WiFi security
     • Network Access Control
     • DNS Security
     • Web, Email & IM filtering
  10. Network security relationships
      [Diagram of what the other layers provide to or need from network security:
      • Data security: monitor and control data flows on the network
      • Host security: interconnect hosts on the network; control hosts on the network
      • Identity and Access: use identity; retrieve access control
      • Application security: monitor and control applications running on the network
      • Security event management: send security logs; detect security incidents
      • Cryptography: key management; crypto offload
      • Network security: establish secure channel]
  11. Security stack::Host
      • Configuration compliance
      • Patch management
      • Vulnerability scanning
      • Anti-malware
      • Application control
      • Location awareness
      • Device control
      • Trusted execution protection
  12. Host security relationships
      [Diagram of what the other layers provide to or need from host security:
      • Network security
      • Data security: protects data at rest; monitor and filter restricted data
      • Application security: protect integrity of applications
      • Identity and Access domain: use identity; retrieve access control
      • Security event management: send security logs; detect security incidents
      • Cryptography domain: key management]
  13. Security stack::Application
      • Code reviews/scanning – binary and source
      • Security sensors (AppSensor)
      • Web application scanning
      • Penetration testing
      • Web protection (WAF)
      [Chart: Application security services throughout a lifecycle. Number of flaws and vulnerabilities, and cost to remediate, plotted against lifecycle stages E1–E5 and EOL; services placed along the lifecycle: Binary Code Analysis, IT Security Assessment, Web Application Scanning, Web Application Protection]
  14. Application security relationships
      [Diagram]
  15. Security stack::Data
      • Data classification
      • Email encryption
      • File encryption
      • Document Rights Management
      • Data Leakage protection
      • Watermarking
      • End point encryption
      • Database security
  16. Data security relationships
      [Diagram]
  17. Security stack::IAEM
      • Principal management
      • Account provisioning
      • Rights management
      • Directories
      • Single sign on and Federation
      • Authorisation
      • Role and rights auditing
      • 2nd factor authentication
  18. IAEM relationships
      [Diagram: Identity and Access provides authentication and authorisation services to network security, host security, data security and application security; it sends security logs to security event management, which detects security incidents; key management links it to the cryptography domain]
  19. Security stack::Cryptography
      • Key generation
      • Key escrow
      • Host and Network HSM
      • Certificate management & PKI
  20. Cryptography relationships
      [Diagram of what cryptography provides to the other layers:
      • Data security: store encryption keys; email certificates
      • Host security: disk encryption
      • Identity and Access: certificates for authentication
      • Security event management: digital signatures of log files; encryption of sensitive logs
      • Application security: application signing; encrypted and signed application communication
      • Network security: IPSec VPN; SSL VPN; SSL split tunnel]
  21. Security stack::SIEM
      • Collection of security relevant logs
      • Archiving – retention
      • Correlation with other data sources
      • Acting on security information
      • Ideal to use an MSSP
  22. SIEM relationships
      [Diagram: the CMDB feeds collected security configuration into security event management, which collects, analyses and reacts to security events from Identity and Access, data security, network security, cryptography and application security]
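Slides 21 and 22 describe the SIEM layer as a pipeline: collect security-relevant logs, retain them, enrich and correlate them with other data sources (the CMDB among them) and act on the result. The following is an added example, not code from the presentation, that runs that pipeline over a handful of constructed log lines from several layers of the stack. The key=value log format, the CMDB extract and the detection rule (three failed logons for one user on one host within five minutes) are all constructed for illustration.

```python
"""Minimal SIEM pipeline: collect -> enrich from CMDB -> correlate -> findings.

Added example, not from the presentation. Log format, CMDB contents and the
detection rule are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed key=value line format; a real collector would use syslog/CEF parsers.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"source=(?P<source>\S+) event=(?P<event>\S+)"
    r"(?: user=(?P<user>\S+))?(?: src=(?P<src>\S+))?$"
)

# Constructed CMDB extract: the security configuration the SIEM collects (slide 22).
CMDB = {
    "web01": {"owner": "ecommerce", "criticality": "high"},
    "db01": {"owner": "data platform", "criticality": "high"},
}

# Constructed sample log lines from the IAM, cryptography and network layers.
SAMPLE_LOGS = [
    "2011-11-09T10:00:01 host=web01 source=iam event=auth_failure user=alice src=203.0.113.9",
    "2011-11-09T10:00:05 host=web01 source=iam event=auth_failure user=alice src=203.0.113.9",
    "2011-11-09T10:00:09 host=web01 source=iam event=auth_failure user=alice src=203.0.113.9",
    "2011-11-09T10:00:12 host=web01 source=iam event=auth_success user=alice src=203.0.113.9",
    "2011-11-09T10:01:00 host=db01 source=crypto event=key_rotation",
    "2011-11-09T10:02:30 host=lab-test7 source=network event=firewall_deny src=198.51.100.4",
    "2011-11-09T10:20:00 host=web01 source=iam event=auth_failure user=bob src=203.0.113.9",
    "this line is corrupt and must not crash the collector",
]


def collect(lines):
    """Parse what we can; keep the raw line on every event for archiving/retention."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # a production collector would count and quarantine these
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["raw"] = line
        events.append(ev)
    return events


def enrich(events, cmdb):
    """Attach CMDB owner and criticality; hosts missing from the CMDB are flagged."""
    for ev in events:
        asset = cmdb.get(ev["host"])
        ev["known_asset"] = asset is not None
        ev["owner"] = asset["owner"] if asset else None
        ev["criticality"] = asset["criticality"] if asset else None
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Repeated logon failures per (host, user) inside a sliding window, plus any
    event from a host the CMDB does not know about."""
    findings, recent, alerted, unknown = [], {}, set(), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["known_asset"] and ev["host"] not in unknown:
            unknown.add(ev["host"])
            findings.append({"type": "unknown_asset", "host": ev["host"],
                             "source": ev["source"], "action": "reconcile with CMDB"})
        if ev["event"] != "auth_failure":
            continue
        key = (ev["host"], ev["user"])
        stamps = [t for t in recent.get(key, []) if ev["ts"] - t <= window]
        stamps.append(ev["ts"])
        recent[key] = stamps
        if len(stamps) >= threshold and key not in alerted:
            alerted.add(key)
            findings.append({"type": "auth_bruteforce", "host": ev["host"],
                             "user": ev["user"], "src": ev["src"], "count": len(stamps),
                             "owner": ev["owner"], "criticality": ev["criticality"],
                             "action": "notify owner, review account"})
    return findings


def pipeline(lines, cmdb):
    """Collect -> enrich -> correlate; the findings are what an analyst or MSSP acts on."""
    return correlate(enrich(collect(lines), cmdb))


if __name__ == "__main__":
    for finding in pipeline(SAMPLE_LOGS, CMDB):
        print(finding)
```

The CMDB enrichment is what turns a raw event into something the business can act on: the finding carries the asset owner and criticality from slide 22's configuration source, and an event from a host the CMDB has never heard of is itself a finding, since it means either the inventory or the monitoring scope is wrong.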
  23. Security metrics characteristics
      • Measurable
      • Objective
      • Quantitative (ideally)
      • Meaningful
      • With KPIs attached – know what is good and bad
      • Linked to business objectives – money speaks
  24. Metrics for CIO – Policy compliance and control maturity
      | Policy statement | IT Unit A | IT Unit B | IT Unit C | Overall IT |
      | Governance       | 3         | 3.5       | 2         | 3          |
      | Awareness        | 3         | 4         | 3         | 3.5        |
      | Development      | N/A       | 2         | 1         | 1.5        |
      | Hardening        | 4         | N/A       | 2         | 3          |
      | Network          | N/A       | N/A       | 3         | 3          |
      | End devices      | 2         | 2         | 3         | 2          |
      | Overall          | 3 (£3m)   | 3 (100k)  | 2 (£10m)  | 3 (£13.1m) |
  25. Metrics for CIO – Maturity of controls for business processes/services
      Invest in IT service to lower the VaR
      | IT Service     | IT maturity | VaR for Process A | VaR for Process B | VaR for Process C | VaR for IT service |
      | IT Service 1   | 2           | £1m               | £2m               | £1m               | £4m                |
      | Infrastructure | 3           | £1m               | £3m               | £10m              | £14m               |
      | IT Service 2   | 3           | £0.5m             | N/A               | £20m              | £20.5m             |
      | IT Service 3   | 4           | N/A               | £100k             | £500k             | £600k              |
      | Overall        |             | £2.5m             | £5.1k             | £31.5m            | £39.1m             |
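Slide 25 rolls value at risk up in two directions (per IT service across the row, per business process down the column) and uses the result together with control maturity to decide where to invest. The following is an added example, not code from the presentation, that holds the slide's figures in thousands of pounds so the sums are exact and reproduces both roll-ups (the Process B column sums to £5.1m). The priority rule it applies, the gap to a target maturity level of 4 weighted by the service's VaR, is an assumption of this example; the slide does not define one.

```python
"""Value-at-risk roll-up for the slide-25 table and a service investment order.

Added example, not from the presentation. Figures are the slide's, in £k;
None stands for N/A. TARGET_MATURITY and the priority rule are assumptions.
"""

TARGET_MATURITY = 4  # assumed target level; the slide shows current maturity only

# Slide 25 data in £k. Keys of "var" are the business processes A, B, C.
VAR_TABLE = {
    "IT Service 1":   {"maturity": 2, "var": {"A": 1000, "B": 2000, "C": 1000}},
    "Infrastructure": {"maturity": 3, "var": {"A": 1000, "B": 3000, "C": 10000}},
    "IT Service 2":   {"maturity": 3, "var": {"A": 500,  "B": None, "C": 20000}},
    "IT Service 3":   {"maturity": 4, "var": {"A": None, "B": 100,  "C": 500}},
}


def gbp(thousands):
    """£k -> the slide's notation: 600 -> '£600k', 20500 -> '£20.5m'."""
    return f"£{thousands / 1000:g}m" if thousands >= 1000 else f"£{thousands}k"


def service_totals(table):
    """VaR per IT service: the row totals (the slide's last column)."""
    return {svc: sum(v for v in row["var"].values() if v is not None)
            for svc, row in table.items()}


def process_totals(table):
    """VaR per business process: the column totals (the slide's last row)."""
    totals = {}
    for row in table.values():
        for proc, v in row["var"].items():
            totals[proc] = totals.get(proc, 0) + (v if v is not None else 0)
    return totals


def overall(table):
    """Grand total; the row and column roll-ups must agree."""
    by_row = sum(service_totals(table).values())
    by_col = sum(process_totals(table).values())
    if by_row != by_col:
        raise ValueError("row and column totals disagree")
    return by_row


def investment_priority(table, target=TARGET_MATURITY):
    """Services ordered by (target - maturity) * VaR, highest first: the most
    value at risk sitting behind the least mature service goes to the top."""
    totals = service_totals(table)
    score = {svc: (target - row["maturity"]) * totals[svc] for svc, row in table.items()}
    return sorted(score, key=lambda s: (-score[s], s))


def report(table):
    """Plain-text version of the slide, plus the investment order."""
    lines = []
    for svc, total in service_totals(table).items():
        lines.append(f"{svc:15} maturity {table[svc]['maturity']}  VaR {gbp(total)}")
    for proc, total in process_totals(table).items():
        lines.append(f"Process {proc}       VaR {gbp(total)}")
    lines.append(f"Overall VaR {gbp(overall(table))}")
    lines.append("Invest first in: " + ", ".join(investment_priority(table)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(VAR_TABLE))
```

With the assumed rule, IT Service 2 comes first (£20.5m at risk, one maturity level short), Infrastructure second, IT Service 1 third despite its two-level gap because only £4m sits behind it, and IT Service 3 last because it is already at the target level.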
  26. Summary
      • Business drives security
      • Reuse good content from the information security community
      • Security policy framework – target audience, think of implementation
      • Link security metrics to policy, which is linked to business objectives
      • All-round security controls – good prevention against cyber threats
