A practical example of using the SABSA extended Security-in-depth layer strategy. A little bit of insight into why and how I extended the original and how to use it to create Information Security Standards that have sound architecture behind them.

1. A Practical Example to Using SABSA
Extended Security-in-Depth Strategy
Allen Baranov

2. Who Am I?
Allen Baranov, CISSP
Information Security Professional
SABSA Foundation Certified
Specialist In Security Management, Security Architecture and
Risk and Compliance
Looking for new permanent position!
See LinkedIn for more details or email me for more information!
au.linkedin.com/in/allenbaranov/

3. This is my proposal for an extended Security-in-Depth Strategy. It is based on the
one in the official SABSA documentation but extended to be more practical as
you’ll see later in this presentation.
Assurance • Deter
• InviteNegotiate
• Prevent
• AllowEnforcement
• Contain (Deny)
• (Continue to) Allow
Post Breach
Enforcement
• Detect and Notify
• Detect and Process (Service)Activity Monitoring
• Evidence & Track
• Baseline and service improvementTraffic Monitoring
• Recover and Restore
• Monitor and Optimise (Hierarchical Storage Management)
Data Availability
Maint.
Extended SABSA Security-in-Depth Strategy

4. Deter
Prevent
Contain
Detect and Notify
Evidence & Track
Recover + Restore
Assure
Original SABSA Security-in-Depth Strategy
This is the original SABSA S-i-D Strategy diagram. You will see that it has “negative”
actions which (IMHO) doesn’t fit with the SABSA risk/opportunity philosophy.

5. … so I extended it. For each negative action, there is a positive one and I have
grouped them into 6 groups. I moved Assurance to its own super group with each
level feeding back to it. This is still a WIP and I am keen for feedback.
Assurance • Deter
• InviteNegotiate
• Prevent
• AllowEnforcement
• Contain (Deny)
• (Continue to) Allow
Post Breach
Enforcement
• Detect and Notify
• Detect and Process (Service)Activity Monitoring
• Evidence & Track
• Baseline and service improvementTraffic Monitoring
• Recover and Restore
• Monitor and Optimise (Hierarchical Storage Management)
Data Availability
Maint.
Extended SABSA Security-in-Depth Strategy

6. Deconstructing the purpose of a Firewall.
• Operates on the network layer.
• It usually defines the border between two networks of differing
levels of risk.
• It investigates traffic and makes decisions on how to pass the traffic
based on predefined rules (known as rulebase or policy)
• It can be used for tracking connectivity.
• Firewalls may also do deeper inspection into network traffic and
Firewalls may be physical hardware, software, dedicated boxes, a
service or a virtual machine.
Practical Example - Firewalls
I extended it so as to come up with a practical way to use SABSA for writing a
Firewall Standard. The first thing to do is to work out exactly what a Firewall is
aiming to achieve. Then to fit it into the 6 layers of the model. See next slide.

7. •Deter – create logical border between networks
•Invite authorised traffic to be used for business purposes
Negotiate Network
Usage
•Prevent – prevent unauthorised traffic from flowing across the network boundary
•Allow – allow authorised (business enhancing) traffic across the network boundary.
Enforcement of
predefined rules
•Contain (Deny) – Temporarily stop a compromised network leaking onto a “clean” network.
•(Continue to) Allow “clean” networks to communicate until a breach is detected.
Post Breach Network
Management
•Detect and Notify – monitor all traffic and notify of suspicious traffic.
•Detect and Process – allow network traffic to pass and baseline “normal”
Network Activity
Monitoring
•Evidence & Track – watch for anomalies on traffic flow and suspicious connections to build a profile of activities.
•Baseline and service improvement – watch for opportunities to improve connectivity and gain understanding of
network usage across the org.
Network Traffic
Monitoring
•Recover and Restore – have redundant devices and network connections with automatic service continuation.
•Monitor and Optimise – Look for opportunities for reducing speed in some connections and increasing speed for
others.
Network Availability
Maint.
Practical Example - Firewalls

8. I then took each layer and this became a section in the Standard. Note that
especially the “Negotiate” section should be written as a contract with both what
will be delivered and what is expected.

9. This way the Standards can be more comprehensive.
They are also not so negative and they show the balance of what is needed
for compliance and security against what is offered.
The firewall standard, for example, shows that without a firewall all the
benefits of the Internet would not be available.
Also, while we are monitoring for bad traffic, we could also be monitoring for
performance.
There is one more major advantage that turns the whole SABSA philosophy
on its head but I will save that one for next time… ;)
For more, visit my blog – http://securethink.blogspot.com.au

10. …other bits and pieces
What is SABSA?
SABSA is a proven framework and methodology for Enterprise Security Architecture and Service Management
used successfully by numerous organisations around the world. Now used globally to meet a wide variety of
Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity
Management, SABSA has evolved since 1995 to be the 'approach of choice' for commercial organisations and
Government alike.
SABSA ensures that the needs of your enterprise are met completely and that security services are designed,
delivered and supported as an integral part of your business and IT management infrastructure.
Although copyright protected, SABSA is an open-use methodology, not a commercial product.
Images
All images are used with permission. Some are from the site stock.xchng (http://www.sxc.hu/)