Post on 19-Dec-2015
The State of Security Management
By Jim Reavis
jim@reavis.org
January 2003
Agenda
What is Security Management?
What are the different components?
What do I do?
What is Security Management?
A comprehensive system of tools and processes used to assure company policy compliance, identify deviations and adjust network computing systems accordingly
OR
A cycle of pushing controls to the network and collecting risk and threat information from all devices
Breaking down Security Mgt
Configuration Management
Policy Management
Event Management
Relating it to the Enterprise
Users
Computers
Network
Configuration Management
Maintaining consistent security profiles for networked devices, accounts, applications and data
– Centralized vs decentralized
– Hierarchical
– Transparent
Configuration Management
Users: Identity Management, Authentication, Tokens
Computers: Installation and Patch Management
Network: Network Management
Configuration Management Issues
Identity Mgt, PKI, etc., are expensive and difficult to implement
Corporations have difficulty keeping up with vendor patches and advisories
Corporations like “stable” networks with infrequent changes to standards
Many administrators “push back” against automation of configuration (e.g. Cisco IOS gurus)
Configuration Management Trends
Self service password resetting is a “killer app” for enterprise identity management
Patch management will improve capabilities to automate PC updates
Business Security Intelligence will grow in popularity to improve configuration decisions
Combination of vulnerability assessment/quick remediation will be seen as superior to traditional technologies such as AntiVirus
Policy Management
Translating corporate security policies into a computer friendly format, identifying systems that are out of compliance, and bringing them back into compliance
– Proactive – force accounts to be created and systems to be built with secure, non-default configurations
– Vulnerability assessment – use network and host scanning to identify policy violations, enabled guest accounts, poor passwords, etc.
– Create a “Closed Loop” system forcing non-compliant systems discovered by VA to be brought into compliance
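The “Closed Loop” described above, written out as an added Python example (this code is not from the original deck). A corporate policy is encoded as machine-checkable rules, each paired with a remediation; constructed host scan results are assessed against the rules, non-compliant hosts are remediated, and the assessment is re-run until nothing is out of compliance. The same loop covers the configuration-management goal of keeping computer settings synchronized with policy. The host names, the settings checked (guest account, password length, default SNMP community, guessable passwords) and the remediations are assumptions chosen for illustration.

```python
"""Closed-loop policy compliance: assess -> remediate -> re-assess.

Added example; the scan results below are constructed, not real data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class HostProfile:
    """What a network/host scan would report for one machine (constructed)."""
    hostname: str
    guest_enabled: bool
    min_pw_length: int
    snmp_community: Optional[str]        # None means SNMP is disabled
    cracked_accounts: List[str]          # accounts whose password the scanner guessed
    force_pw_change: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Rule:
    """One policy statement in computer-friendly form: a check and a fix."""
    name: str
    violated: Callable[[HostProfile], bool]
    remediate: Callable[[HostProfile], None]


# Vendor-default community strings that a scanner flags (assumption: this short list).
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


def _disable_guest(h: HostProfile) -> None:
    h.guest_enabled = False


def _raise_pw_length(h: HostProfile) -> None:
    h.min_pw_length = max(h.min_pw_length, 8)


def _disable_snmp(h: HostProfile) -> None:
    # Safer to turn SNMP off than to leave a default community string in place
    # until a per-host non-default community has been provisioned.
    h.snmp_community = None


def _force_reset(h: HostProfile) -> None:
    # Treat a cracked account as remediated once a password change is forced.
    h.force_pw_change = sorted(set(h.force_pw_change) | set(h.cracked_accounts))
    h.cracked_accounts = []


POLICY: List[Rule] = [
    Rule("guest account disabled", lambda h: h.guest_enabled, _disable_guest),
    Rule("password minimum length >= 8", lambda h: h.min_pw_length < 8, _raise_pw_length),
    Rule("no default SNMP community string",
         lambda h: h.snmp_community in DEFAULT_SNMP_COMMUNITIES, _disable_snmp),
    Rule("no guessable account passwords", lambda h: bool(h.cracked_accounts), _force_reset),
]


def assess(hosts: List[HostProfile], policy: List[Rule] = POLICY) -> Dict[str, List[str]]:
    """Return {hostname: [names of violated rules]} for non-compliant hosts only."""
    findings: Dict[str, List[str]] = {}
    for h in hosts:
        hits = [r.name for r in policy if r.violated(h)]
        if hits:
            findings[h.hostname] = hits
    return findings


def closed_loop(hosts: List[HostProfile], policy: List[Rule] = POLICY,
                max_rounds: int = 3) -> Tuple[Dict[str, List[str]], Dict[str, List[str]], int]:
    """Assess, remediate only the violated rules, re-assess; stop when compliant.

    Returns (initial findings, residual findings, remediation rounds used).
    A non-empty residual after max_rounds means a fix is not taking effect
    and needs a human, rather than looping forever.
    """
    initial = assess(hosts, policy)
    residual, rounds = initial, 0
    while residual and rounds < max_rounds:
        rounds += 1
        for h in hosts:
            for r in policy:
                if r.name in residual.get(h.hostname, ()):
                    r.remediate(h)
        residual = assess(hosts, policy)
    return initial, residual, rounds


# Constructed scan results: one badly built workstation, one clean server,
# one router still using a default community string.
SAMPLE_SCAN = [
    HostProfile("ws-042", guest_enabled=True, min_pw_length=6,
                snmp_community="public", cracked_accounts=["backup"]),
    HostProfile("srv-db1", guest_enabled=False, min_pw_length=8,
                snmp_community="k3rn3l-mon", cracked_accounts=[]),
    HostProfile("rtr-edge", guest_enabled=False, min_pw_length=8,
                snmp_community="private", cracked_accounts=[]),
]

if __name__ == "__main__":
    before, after, n = closed_loop(SAMPLE_SCAN)
    print("out of compliance before:", before)
    print("remaining after", n, "round(s):", after)
```

The point of separating `assess` from `closed_loop` is that the same assessment runs before and after remediation; a fix that does not change the scan result shows up as a residual finding instead of silently being counted as done.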
Policy Management
Users: Creating corporate policies, Building policy awareness
Computers: Synchronizing computer settings with corporate policies
Network: Monitoring network traffic for out of compliance activity and anomalous behaviors, Synchronizing network devices with policies
Policy Management Issues
Many corporate policies are difficult to enforce with technology
Tight corporate policies create unintended side effects, e.g. users forwarding sensitive messages to personal Internet accounts to work around them
Low end user awareness of corporate policies
Low mgt awareness of how their networks are really being used
Policy Management Trends
Enterprise “Carnivore” – big brother applications that track all network activity and identify policy violations
Policy education programs integrated with Human Resources
Automated policy mgt gets integrated with configuration mgt
Event Management
Collect real time information from Firewalls, IDS, Syslogs, Network probes and other devices
– Data reduction, normalization & correlation
– Comprehensive device support
– Visualization & situational analysis
Event Management
Users: Intruder lockouts, abnormal user behavior
Computers: Identify attacks and mitigate them
Network: Identify attacks and filter anomalous traffic
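The collection, normalization and correlation described above, as an added Python example (not code from the original deck). Three device formats are normalized into one event record, the events are reduced to counts per device and type, and two correlation rules are applied: repeated failed logins from one source inside a time window produce an intruder lockout, and a source seen by more than one device class (firewall deny, IDS alert, authentication failures) is escalated. The log lines are constructed for the example; the thresholds, the Snort rule id and the host names are assumptions.

```python
"""Normalize firewall, sshd and IDS syslog lines, reduce, then correlate.

Added example; RAW_LOGS below are constructed sample lines, not a real capture.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str            # reporting device
    kind: str              # fw_deny | auth_fail | auth_ok | ids_alert | other
    src: str               # remote / client address, "" if none
    dst: Optional[str]
    user: Optional[str]
    detail: str


SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
# PIX 106023 is the access-list deny message; fields: protocol, src, dst, dst port.
PIX_DENY = re.compile(r"%PIX-\d-106023: Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")
SSHD = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from ([\d.]+)")
# Snort alert_syslog shape: [gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src:port -> dst:port
SNORT = re.compile(r"snort\[\d+\]: \[\d+:\d+:\d+\] (.*?) \[Priority: (\d)\] \{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+")


def normalize(line: str) -> Optional[Event]:
    """Map one raw syslog line onto the common Event record (None if not syslog)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")   # year-less syslog stamp
    device, msg = m.group(2), m.group(3)
    if (d := PIX_DENY.search(msg)):
        return Event(ts, device, "fw_deny", d.group(2), d.group(3), None,
                     f"{d.group(1)} to port {d.group(4)}")
    if (s := SSHD.search(msg)):
        kind = "auth_fail" if s.group(1) == "Failed" else "auth_ok"
        return Event(ts, device, kind, s.group(3), device, s.group(2), "sshd password auth")
    if (n := SNORT.search(msg)):
        return Event(ts, device, "ids_alert", n.group(3), n.group(4), None,
                     f"{n.group(1)} (priority {n.group(2)})")
    return Event(ts, device, "other", "", None, None, msg)


def reduce_events(events: List[Event]) -> Counter:
    """Data reduction: how many events of each kind did each device report."""
    return Counter((e.device, e.kind) for e in events)


FAIL_THRESHOLD = 3                 # failures from one source ...
WINDOW = timedelta(seconds=60)     # ... within this window -> lockout (assumed values)


def correlate(events: List[Event]) -> List[Dict]:
    """Apply the two cross-event rules; a lone failed login never trips either."""
    incidents: List[Dict] = []
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.src:
            by_src[e.src].append(e)
    for src, evs in by_src.items():
        fails = [e for e in evs if e.kind == "auth_fail"]
        for i in range(len(fails)):                      # sliding window over failures
            window = [f for f in fails[i:] if f.ts - fails[i].ts <= WINDOW]
            if len(window) >= FAIL_THRESHOLD:
                incidents.append({"src": src, "rule": "lockout", "count": len(window),
                                  "users": sorted({f.user for f in window})})
                break
        kinds = {e.kind for e in evs}
        if "ids_alert" in kinds and kinds & {"fw_deny", "auth_fail"}:
            incidents.append({"src": src, "rule": "multi_source_attack",
                              "devices": sorted({e.device for e in evs})})
    return incidents


# Constructed sample: one outside address hits the firewall, brute-forces root
# and is seen by the IDS; an inside user mistypes a password once, then succeeds.
RAW_LOGS = [
    'Jan 14 03:12:01 gw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4412 dst inside:10.1.2.5/22 by access-group "outside_in"',
    "Jan 14 03:12:02 srv1 sshd[2311]: Failed password for root from 203.0.113.7 port 4413 ssh2",
    "Jan 14 03:12:03 srv1 sshd[2311]: Failed password for root from 203.0.113.7 port 4414 ssh2",
    "Jan 14 03:12:04 srv1 sshd[2311]: Failed password for root from 203.0.113.7 port 4415 ssh2",
    "Jan 14 03:12:05 ids1 snort[900]: [1:1000001:1] LOCAL SSH brute force [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 203.0.113.7:4418 -> 10.1.2.5:22",
    "Jan 14 03:12:40 srv1 sshd[2350]: Failed password for alice from 10.1.5.20 port 50122 ssh2",
    "Jan 14 03:13:10 srv1 sshd[2351]: Accepted password for alice from 10.1.5.20 port 50123 ssh2",
]

if __name__ == "__main__":
    evs = [e for e in map(normalize, RAW_LOGS) if e]
    print(reduce_events(evs))
    for inc in correlate(evs):
        print(inc)
```

The threshold-and-window rule is what keeps alice's single typo from becoming an intruder lockout, which is the accuracy problem the Issues slide raises; the second rule only fires when independent device classes agree about the same source, so it is a cheap way to promote an alert above the noise floor without trusting any one sensor.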
Event Management Issues
Accuracy - we still see too many false alarms
Manual - people still need to make most of the decisions to counter an attack
No standards for risk ratings, reporting formats
Difficult for management consoles to keep up with device version changes
Event Management Trends
In line – identify threats AND coordinate prevention
Quality of results depends on improving underlying technologies, notably IDS
Convergence with systems mgt vendors
What do I do?
Use a Risk Management approach to determine the level of security management required for your enterprise
Risk = Asset Value * Severity of Vulnerability * Likelihood of successful attack
Allocate security mgt resources to reduce your levels of vulnerability and attack likelihood in order to bring risk to an acceptable level
Baseline Management Approach
Identify your existing Baselines/Benchmarks
Set goals for new baselines
Set milestones for new goals
Measure progress
Outsourcing/MSSP Approach
You must have an internal Risk Management program before you can outsource anything
Create SLAs
Measure performance
Summary
Security Management is about taking a comprehensive, integrated and proactive approach
Reference listing of companies: http://csoinformer.com/research/sec-mgt.shtml
Questions
How do I cost justify investments in security management?
Will we see large systems management vendors such as IBM and CA dominate the Security management space?
What impact do industry regulations such as HIPAA and GLB have on Security management?
What role does Microsoft play in Security management?
Can I trust product vendors to provide management capabilities for third party products?
What standards can I look to for guidance in Security management?
What is an ISAC?
Is there specific training and certifications I should have for Security management?