Abdel Aziz Sorensen Presentation


Transcript of Abdel Aziz Sorensen Presentation

  • 8/13/2019 Abdel Aziz Sorensen Presentation

    1/14

  • 2/14

    Objective

    Provide guidance that GIAC Enterprises can use to be in compliance with the most recognized information security frameworks:

    NIST SP 800 documents

    SANS Consensus Audit Guidelines (CAG)

    Australian Government Defence Signals Directorate's (DSD) Top 35 Strategies

    while looking for opportunities to automate controls and provide information back to management in a meaningful format.

  • 3/14

    SP 800, 20 Critical Controls, and DSD's 35 Mitigating Strategies

    Federal Information Security Management Act (FISMA), authorized by Title III of the E-Government Act of 2002.

    National Institute of Standards and Technology (NIST) tasked to develop, document, and implement security standards (FISMA Implementation Project):

    Special Publication (SP) 800-53

    Federal Information Processing Standard (FIPS) 200

    SANS, the US defense base, federal agencies, and private organizations defined the most critical controls to protect information and information systems:

    Consensus Audit Guidelines: 20 Critical Controls

    Australian Government Defence Signals Directorate:

    DSD's Top 35 Mitigating Strategies

  • 4/14

    SP 800, 20 Critical Controls, and DSD's 35 Mitigating Strategies

    The SANS 20 Critical Controls are meant to reinforce and prioritize some of the most important elements of the guidelines, standards, and requirements put forth in other US government documentation, such as NIST Special Publication 800-53. These guidelines do not conflict with such recommendations. In fact, the guidelines set forth are a proper subset of the recommendations of NIST SP 800-53, designed so that organizations can focus on a specific set of actions associated with current threats and computer attacks they face every day.

    The DSD's 35 Mitigating Strategies focus on individual tasks organizations can undertake to improve their security stance. They are a focused subset of the 20 Critical Controls.

  • 5/14

    APT-Focused Security Strategy

    Risk-Based Approach

    Initially implement a subset of the 20 Critical Controls to address GIAC Enterprises' highest risks first (APT-related risks)

    The "offense informs defense" concept suggests that four controls are best geared to address APT-related risks:

    Controlled Access Based on the Need to Know (Control 15)

    Continuous Vulnerability Assessment and Remediation (Control 4)

    Malware Defenses (Control 5)

    Data Loss Prevention (DLP) (Control 17)

  • 6/14

    Automation Approach: Controls 15 & 17 (Focus on the Data)

    Sensitive Regulatory Data: credit card data, privacy data (PII), health care information

    Sensitive Corporate Data: intellectual property, financial information, trade secrets

    Control Data-at-Rest / Control Data-in-Motion / Control Data-in-Use

  • 7/14

    Automation Approach: Controls 15 & 17 (Automating Data Classification and Policy Definition)

    Step 1: Identify files & set business rules

    Step 2: Create DLP policy & check for feasibility

    Step 3: DLP policy is routed for approval

    Step 4: Approved DLP policy

    Participants shown: End Users, DLP Admin, Business Managers

    Policy applied across the organization

  • 8/14

    Automation Approach: Controls 15 & 17 (Automating the Control of Data-in-Motion)

    Risk across: web protocols, e-mails, IM, generic TCP/IP protocols

    Process to reach automation (Data-in-Motion), shown as risk over time:

    DISCOVER (Monitor Only): understand risk

    EDUCATE (Monitor & Educate): reduce risk, educate users

    ENFORCE (Automate Action): just-in-time encryption, blocking, etc.

  • 9/14

    Automation Approach: Controls 15 & 17 (Automating the Control of Data-at-Rest)

    Discover Sensitive Data: Data Loss Prevention (DLP) scanning SharePoint, databases, endpoints, NAS/SAN, file servers

    Manage Remediation Workflow: Risk Remediation Manager (RRM), working with file activity tools, GRC systems, business users

    Apply Controls: apply DRM, encrypt, delete/shred, change permissions, policy exception
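    As an added example (not from the presentation or any vendor product), the following Python sketch ties the data-at-rest discovery above to the phased data-in-motion approach on the previous slide: it classifies constructed sample files as credit card data (with a Luhn check to cut false positives) or PII, then attaches the action the current policy phase (monitor only, monitor & educate, automate action) would trigger. The file contents, patterns, phase names and remediation names are all assumptions.

```python
import re
# Constructed sample files (path -> content); not real data.
SAMPLE_FILES = {
    "finance/q3_report.txt": "Card on file for vendor: 4111 1111 1111 1111.",
    "hr/onboarding.txt": "New hire SSN 123-45-6789 for payroll enrollment.",
    "eng/readme.txt": "Build instructions: run make && make test.",
    "sales/notes.txt": "Order reference 4111111111111112 (not a card).",
}
# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US-style SSN, standing in for the "privacy data (PII)" class on slide 6.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Policy phase (slide 8) -> what the engine does with a finding; names are assumed.
PHASE_ACTIONS = {"monitor": "log_only", "educate": "log_and_notify_owner", "enforce": "remediate"}
# Remediation per data class once the phase is "enforce" (controls on slide 9); assumed mapping.
REMEDIATION = {"credit_card": "encrypt", "pii": "change_permissions"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the sensitive-data classes found in one file's content."""
    labels = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("credit_card")
    if SSN_RE.search(text):
        labels.add("pii")
    return labels

def discover(files: dict, phase: str) -> list:
    # Scan data at rest; attach the action the current policy phase permits.
    findings = []
    for path, text in files.items():
        labels = sorted(classify(text))
        if not labels:
            continue
        action = PHASE_ACTIONS[phase]
        if phase == "enforce":  # automate action: pick a remediation per class
            action = [REMEDIATION[lbl] for lbl in labels]
        findings.append({"path": path, "labels": labels, "action": action})
    return findings
```

    Running the same scan in "monitor" first and only later in "enforce" mirrors the risk-over-time progression of the data-in-motion slide: the findings are identical, only the consequence changes.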

  • 10/14

    Automation Approach: Controls 4 & 5 (Prevention and Mitigation of APTs / Understanding the Attack Vector)

  • 11/14

    Automation Approach: Controls 4 & 5 (Risk Assessment / Continuous Monitoring)

    Risk Assessment / Vulnerability Scanning

  • 12/14

    Automation Approach: Controls 4 & 5 (Automating Continuous Vulnerability Assessment and Remediation)

  • 13/14

    Automation Approach: Controls 4 & 5 (Automating Continuous Monitoring of Malware and Malware Callbacks)

    Reducing risk of data loss through malware infections:

    Implement basic and necessary malware protection: HIPS, AV, anti-spam, etc.

    Train and educate users concerning social engineering tactics.

    Use of advanced technology: virtual inspection of executable malware in real time to identify and block command and control communications.

  • 14/14

    Recommended Action Plan

    1) Conduct a gap assessment to compare GIAC Enterprises' current security stance to the detailed critical controls

    2) Implement "quick win" critical controls to address gaps

    3) Implement controls 4 & 5 using the previous automation approaches

    4) Implement controls 15 & 17 using the previous automation approaches

    5) Analyze and understand how the remaining controls (beyond quick wins, and controls 4, 5, 15, 17) can be deployed

    6) Plan for deployment, over the longer term, of the advanced controls, giving priority to controls 4, 5, 15, 17