Creating Effective Security Controls: A Ten Year Study of High Performing Security

Speaker: Gene Kim, Founder and CTO, Tripwire
Where Did The High Performers Come From?




compliance | security | control
    IT SECURITY & COMPLIANCE AUTOMATION   2   Don’t Take Chances. TAKE CONTROL.
Agenda

• An uncomfortable question about information security effectiveness
• How does information security integrate effectively into daily operations?
• How did the high performing IT organizations make their “good to great” transformations?
• Seven practical steps to go from “good to great”
• How does going from good to great feel?
• Additional resources




Information Security and Compliance Risks

• Information security practitioners are always one change away from a security breach
  • Front page news
  • Regulatory fines
  • Brand damage
• High profile security failures are increasing external pressures for security and compliance
  • Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)

The Dark Side Of Virtualization

• Virtualization enables organizations to deploy changes and releases more quickly than ever
  • “What works at 60 mph may not work at 200 mph…”
• Certain required activities in the physical world made it easier to prevent and detect release risks
  • Watching for servers on the loading dock
  • Budgeting and procurement activities
  • Physical data center access
  • Network cabling

What happens when these activities are no longer required to deploy major releases?
• And when it is easy to download VMplayer, copy virtual machines, etc…
• And what could go wrong?
Operations And Security Already Don’t Get Along

Operations Hinders Security…
• Deploys insecure components into production
• Creates production IT infrastructure hard to understand
• Has no information security standard
• Creates self-inflicted outages
• Uses shared privileged accounts
• Can’t quickly address known security vulnerabilities

Security Hinders Operations…
• Creates bureaucracy
• Security changes break production systems
• Generates risky, low value IT operations work
• Generates large backlog of reviews
• Creates delays through information security requirements
• Brings up project issues that cost too much, takes too long, & reduces feature set

Words often used to describe information security: “hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…”
Going from Good to Great




Desired Outcome: Create A Higher Performing, More Nimble and More Secure IT Organization

[Chart: Operations Metrics Benchmarks, Best in Class: Server/sysadmin ratios. Scatter plot of # Servers (Size of Operation, log scale from 1 to 10,000) against Server/sysadmin ratio (Efficiency of Operation, 0 to 140); plot labels: “Best in Class”, “Ops and Security”. Source: IT Process Institute (2001)]

Best in Class:
• Highest ratio of staff for pre-production processes
• Lowest amount of unplanned work
• Highest change success rate
• Best posture of compliance
• Lowest cost of compliance
Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure

• High performers maintain a posture of compliance
  • Fewest number of repeat audit findings
  • One-third amount of audit preparation effort
• High performers find and fix security breaches faster
  • 5 times more likely to detect breaches by automated control
  • 5 times less likely to have breaches result in a loss event
• When high performers implement changes…
  • 14 times more changes
  • One-half the change failure rate
  • One-quarter the first fix failure rate
  • 10x faster MTTR for Sev 1 outages
• When high performers manage IT resources…
  • One-third the amount of unplanned work
  • 8 times more projects and IT services
  • 6 times more applications

Source: IT Process Institute, May 2008
Common Traits of the Highest Performers

Culture of…
• Change management
  • Integration of IT operations/security via problem/change management
  • Processes that serve both organizational needs and business objectives
  • Highest rate of effective change
• Causality
  • Highest service levels (MTTR, MTBF)
  • Highest first fix rate (unneeded rework)
• Compliance and continual reduction of operational variance
  • Production configurations
  • Highest level of pre-production staffing
  • Effective pre-production controls
  • Effective pairing of preventive and detective controls

Source: IT Process Institute
Visible Ops: Playbook of High Performers

• The IT Process Institute has been studying high-performing organizations since 1999
  • What is common to all the high performers?
  • What is different between them and average and low performers?
  • How did they become great?
• Answers have been codified in the Visible Ops Methodology




Over Ten Years, We Benchmarked 1500+ IT Orgs

[Chart image not extracted. Source: EMA (2009); Source: IT Process Institute (2008)]
2007: Three Controls Predict 60% Of Performance

• To what extent does an organization define, monitor and enforce the following?
  • Standardized configuration strategy
  • Process discipline
  • Controlled access to production systems

Source: IT Process Institute, May 2008


High Performers Can Bound Maximum MTTR

[Chart image not extracted. Slide annotations: “But look at the huge differences for large outages!” and “Large outages required 25-50 people to fix!” Source: IT Process Institute, May 2006]
Seven Practical Steps




The Seven Practical Steps To Integrate Information Security Into Daily Operations

• Step 1: Gain situational awareness
• Step 2: Reduce and monitor privileged access
• Step 3: Define and enforce VMM configuration standards
• Step 4: Integrate and help enforce change management processes
• Step 5: Create library of trusted virtualized builds
• Step 6: Integrate into release management
• Step 7: Ensure that all activities go through change management




Step 1: Gain Situational Awareness

• Situational awareness: “the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regard to the mission.”
• Questions we want to answer:
  • What IT services are being provided? (e.g., power generation, distribution, financial reporting, etc.)
  • Who are the business and IT units, and how are they organized? (e.g., the centralized IT services group, an IT outsourcer, etc.)
  • What are the relevant regulatory and contractual requirements for the business process? (e.g., SOX-404, PCI DSS, FISMA, NERC, etc.)
    • Where is reliance being placed, and what are the critical functionalities?
  • What are the technologies and IT processes being run on? (e.g., Microsoft Windows Server, Sun Solaris, SQL Server, Oracle, etc.)
  • Are there any high-level risk indicators from the past? (e.g., repeat audit findings, frequent outages, management metrics, etc.)


Step 2: Reduce And Monitor Privileged Access

• Know where the infrastructure that poses the largest risk to business objectives is
  • Ensure that access is properly restricted
• Look for administrators who have high levels of privilege
  • Reduce access
• Such administrators increase the likelihood of errors, downtime, fraud and security incidents
  • Can affect mission critical IT services
  • Can modify logical security settings
  • Can add, remove and modify VMs

“To err is human. To really screw up requires the root password.” – Unknown
Step 2: Reduce And Monitor Privileged Access

• Implement preventive controls:
  • Reconcile admins to authorized staff and delete any ghost accounts
  • Ensure reasonable number of admins
  • Issue and revoke accounts upon hiring, firing, reassignment
• Implement detective controls:
  • Monitor privileged user account adds, removes and changes
  • Reconcile each user account change to an authorized work order
  • Reconcile each user account to an HR record
  • Implement account re-accreditation procedures

“Hope is not a strategy. Trust is not a control.”
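The preventive and detective controls on this slide are all reconciliation checks, and they can be scripted once three inputs are exported: the privileged group membership, the HR staff list, and the authorized work orders, plus the audit log of account changes. The script below is an added example, not the deck’s or Tripwire’s code. Its admin list, HR records, work orders, audit events and the MAX_ADMINS policy threshold are all constructed sample data.

```python
"""Reconcile privileged accounts to HR records and authorized work orders.

Added example, not from the slides. Every input below is constructed
sample data standing in for exports from the real systems:
  ADMIN_ACCOUNTS - members of a privileged group on a production host
  HR_RECORDS     - authoritative staff list from HR (username -> status)
  WORK_ORDERS    - approved tickets authorizing account adds/removes
  ACCOUNT_EVENTS - audit-log events for privileged account changes
"""
from dataclasses import dataclass, field

MAX_ADMINS = 4  # assumed policy threshold for a "reasonable number of admins"

ADMIN_ACCOUNTS = ["alice", "bob", "carol", "svc_backup", "dave"]

HR_RECORDS = {
    "alice": "active",
    "bob": "active",
    "carol": "terminated",  # left the company; the account should be gone
    "dave": "active",
    "erin": "active",       # staff member without admin rights (fine)
}

WORK_ORDERS = {  # ticket id -> (action, username)
    "WO-101": ("add", "alice"),
    "WO-102": ("add", "bob"),
    "WO-103": ("add", "carol"),
    "WO-104": ("remove", "carol"),  # approved removal that was never executed
}

ACCOUNT_EVENTS = [  # (timestamp, action, username, ticket cited in the change)
    ("2009-03-01T09:00", "add", "alice", "WO-101"),
    ("2009-03-01T09:05", "add", "bob", "WO-102"),
    ("2009-03-02T14:10", "add", "carol", "WO-103"),
    ("2009-03-09T23:41", "add", "svc_backup", None),  # no ticket cited
    ("2009-03-10T08:15", "add", "dave", "WO-999"),    # cited ticket does not exist
]


@dataclass
class ReconciliationReport:
    ghost_accounts: list = field(default_factory=list)       # (user, reason)
    unauthorized_events: list = field(default_factory=list)  # raw event tuples
    unexecuted_orders: list = field(default_factory=list)    # ticket ids
    too_many_admins: bool = False


def reconcile(admins, hr, orders, events, max_admins=MAX_ADMINS):
    """Run the preventive and detective checks and collect the findings."""
    report = ReconciliationReport()

    # Preventive: every privileged account must map to an active HR record.
    for user in admins:
        status = hr.get(user)
        if status != "active":
            reason = "no HR record" if status is None else f"HR status: {status}"
            report.ghost_accounts.append((user, reason))

    # Preventive: keep the number of admins within policy.
    report.too_many_admins = len(admins) > max_admins

    # Detective: each account change must match an authorized work order.
    # A missing ticket, an unknown ticket, or a ticket for a different
    # action/user all count as unauthorized.
    for ts, action, user, ticket in events:
        if orders.get(ticket) != (action, user):
            report.unauthorized_events.append((ts, action, user, ticket))

    # Detective: approved orders with no matching event were never carried out
    # (an approved removal that did not happen leaves a ghost account behind).
    executed = {(action, user, ticket) for _, action, user, ticket in events}
    for ticket, (action, user) in orders.items():
        if (action, user, ticket) not in executed:
            report.unexecuted_orders.append(ticket)

    return report


if __name__ == "__main__":
    r = reconcile(ADMIN_ACCOUNTS, HR_RECORDS, WORK_ORDERS, ACCOUNT_EVENTS)
    for user, reason in r.ghost_accounts:
        print(f"ghost account: {user} ({reason})")
    for ts, action, user, ticket in r.unauthorized_events:
        print(f"unauthorized change: {ts} {action} {user} ticket={ticket}")
    for ticket in r.unexecuted_orders:
        print(f"approved but not executed: {ticket}")
    print(f"admin count {len(ADMIN_ACCOUNTS)} exceeds policy: {r.too_many_admins}")
```

On the constructed data the run surfaces the pattern the slide is about: carol is terminated in HR, her removal was approved (WO-104) but never executed, and the account is still privileged; svc_backup has no HR record and no ticket; dave’s add cites a ticket that does not exist. Each finding becomes a re-accreditation work item for the account owner to justify or for operations to remove.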
Step 3: Define And Enforce Configuration Standards

• The goal is to create known, trusted, stable, secure and risk-reduced configuration states
• External configuration guides include:
  • Center for Internet Security (CIS)
  • VMware: “VMware Infrastructure 3, Security Hardening”
  • Defense Information Systems Agency (DISA) STIGs

“Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. The security issues related to vulnerability and configuration management get worse, not better, when virtualized.”
Source: Gartner, Inc., “Security Considerations and Best Practices for Securing Virtual Machines” by Neil MacDonald, March 2007.
Step 4: Help Enforce Change Management Processes

• Information security needs change management
  • Gain situational awareness of production changes
  • Influence decisions and outcomes
• Add value in the change management process by:
  • Assessing the potential information security and operational impact of changes
  • Improving procedures for change authorisation, scheduling, implementation and substantiation
  • Ensuring that change requests comply with information security requirements, corporate policy, and industry standards




Step 4: Help Enforce Change Management Processes

• Implement preventive controls
  • Get invited to the Change Advisory Board (CAB) meetings
  • Ensure “tone at the top” and help define consequences
• Implement detective controls
  • Build and electrify the fence
  • Substantiate that all changes are authorised
  • Look for red flags and indicators

“[As auditors,] the top leading indicators of risk when we look at an IT operation are poor service levels and unusual rates of changes.” – Bill Philhower
Step 5: Create A Library Of Trusted Builds

• Our goal is to make it easier to use known, stable and secure builds than unauthorised and insecure builds
• Implement preventive controls:
  • Defined process of how to assemble hardened and stable builds
  • Work with any existing server provisioning teams to add any standard monitoring agents
  • Ensure that application and service account passwords are changed before deployment




Step 5: Create A Library Of Trusted Builds

• Implement detective controls:
  • Verify that deployed infrastructure matches known good states
  • Verify virtual image configurations against internal and external configuration standards
  • Monitor the approved virtual image library for all adds, removes and changes
  • Reconcile all adds, removes and changes to an authorised change order




Step 6: Integrate Into The Release Management Processes

• Release management and information security both require standardisation and documentation
  • Checklists
  • Detection and reduction of variance
• Implement preventive and detective controls:
  • Develop shared templates with release management, QA and project management and integrate into their checkpoints
  • Integrate automated security testing tools
  • Compare preproduction and production images, and reduce any variance




Step 7: Ensure All Activities Go Through Change Management

• Ensure that “the only acceptable number of unauthorized changes is zero” across:
  • Infrastructure
  • Application releases
  • Security patches
  • Break/fix activities




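Step 5’s detective controls (verify deployed infrastructure against known good states, reconcile every add, remove and change to an authorised change order) and Step 7’s zero-unauthorized-changes target share one mechanism: fingerprint the deployed state, diff it against the trusted build, and reconcile each difference to an approved change order; whatever is left over is by definition an unauthorized change. The script below is an added example, not the deck’s or Tripwire’s code. The paths, file contents and change orders are constructed sample data; a real run would hash files on the host and pull change orders from the ticketing system. The same diff_states function also serves Step 6’s comparison of preproduction and production images.

```python
"""Detect drift from a known good build and reconcile each difference to an
approved change order. Added example, not the deck's or Tripwire's code.
BASELINE, OBSERVED and CHANGE_ORDERS are constructed sample data; a real run
hashes files on the host and pulls change orders from the ticketing system."""
import hashlib


def fingerprint(content: bytes) -> str:
    """SHA-256 of a file's content; the unit of comparison for integrity checks."""
    return hashlib.sha256(content).hexdigest()


def snapshot(files: dict) -> dict:
    """Map path -> fingerprint for a dict of path -> content (stands in for
    walking the host's filesystem)."""
    return {path: fingerprint(content) for path, content in files.items()}


# The trusted build as it left the image library (constructed).
BASELINE = snapshot({
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"%wheel ALL=(ALL) ALL\n",
    "/etc/vmware/hostd/config.xml": b"<config><ssl>true</ssl></config>\n",
})

# The same host as found in production today (constructed).
OBSERVED = snapshot({
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"%wheel ALL=(ALL) ALL\nops ALL=(ALL) NOPASSWD: ALL\n",  # modified
    "/etc/vmware/hostd/config.xml": b"<config><ssl>false</ssl></config>\n",  # modified
    "/opt/agent/agent.conf": b"server=monitor.example.test\n",                # added
})

# Change orders from the ticketing system: which paths each one covers and
# whether it was approved (constructed).
CHANGE_ORDERS = {
    "CHG-2041": {"paths": {"/opt/agent/agent.conf"}, "approved": True},
    "CHG-2042": {"paths": {"/etc/sudoers"}, "approved": False},  # requested, not approved
}


def diff_states(baseline: dict, observed: dict) -> list:
    """Return (path, kind) records for every difference: added, removed or modified."""
    drift = []
    for path in sorted(set(baseline) | set(observed)):
        if path not in baseline:
            drift.append((path, "added"))
        elif path not in observed:
            drift.append((path, "removed"))
        elif baseline[path] != observed[path]:
            drift.append((path, "modified"))
    return drift


def reconcile_changes(drift: list, change_orders: dict):
    """Split drift into (authorized, unauthorized). A difference is authorized
    only when an approved change order covers its path; each record carries
    the covering ticket ids so the evidence is attached to the finding."""
    authorized, unauthorized = [], []
    for path, kind in drift:
        covering = sorted(cid for cid, co in change_orders.items()
                          if co["approved"] and path in co["paths"])
        (authorized if covering else unauthorized).append((path, kind, covering))
    return authorized, unauthorized


def unauthorized_change_count(baseline: dict, observed: dict, change_orders: dict) -> int:
    """The number Step 7 wants to see: zero."""
    _, unauthorized = reconcile_changes(diff_states(baseline, observed), change_orders)
    return len(unauthorized)


if __name__ == "__main__":
    authorized, unauthorized = reconcile_changes(diff_states(BASELINE, OBSERVED), CHANGE_ORDERS)
    for path, kind, tickets in authorized:
        print(f"authorized   {kind:8} {path} ({', '.join(tickets)})")
    for path, kind, _ in unauthorized:
        print(f"UNAUTHORIZED {kind:8} {path}")
    print(f"unauthorized changes: {len(unauthorized)}")
```

On the constructed data the monitoring agent’s config is covered by an approved order and passes; the sudoers edit had a change request that was never approved, and the hostd change has no order at all, so both are reported as unauthorized and the Step 7 count is 2, not 0. Keying reconciliation on approval rather than on the mere existence of a ticket is the point: a request that was filed and declined is still an unauthorized change if it lands in production.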
What Does Transformation Feel Like?




[Image-only slides; screenshots not extracted. Slide titles:]
• Find What’s Most Important First
• Quickly Find What Is Different…
• Before Something Bad Happens…
• Find Risk Early…
• Communicate It Effectively To Peers…
• Hold People Accountable…
• Based On Objective Evidence…
• Answer Important Questions…
• Ever Increasing Situational Mastery…
• Do Root Cause Analysis…
• Helping The Organization To More
• Show Value To The Business…
• Be Recognized For Contribution…
• And Do More With Less…
Resources

• From the IT Process Institute: www.itpi.org
  • Both Visible Ops Handbooks
  • ITPI IT Controls Performance Study
• Stop by the Tripwire booth for
  • a copy of Visible Ops Security
  • “Gene Kim’s Practical Steps To Mitigate Virtualization Security Risks” white paper
• Follow Gene Kim
  • On Twitter: @RealGeneKim
  • genek@tripwire.com
  • Blog: http://www.tripwire.com/blog/?cat=34




Information Security Cost Effective Managed Services
Jorge Sebastiao
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloud
Interop
 
Virtela Corp Brochure
Virtela Corp BrochureVirtela Corp Brochure
Virtela Corp Brochure
tmcleland
 
NH Bankers 10 08 07 Kamens
NH Bankers 10 08 07 KamensNH Bankers 10 08 07 Kamens
NH Bankers 10 08 07 Kamens
kamensm02
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formula
OracleIDM
 

Semelhante a Creating effective security controls (20)

Secure Network Administration, Inc. ProActive IT Managed Services
Secure Network Administration, Inc. ProActive IT Managed ServicesSecure Network Administration, Inc. ProActive IT Managed Services
Secure Network Administration, Inc. ProActive IT Managed Services
 
Advanced persistent threats
Advanced persistent threatsAdvanced persistent threats
Advanced persistent threats
 
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013   SIEM based …Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013   SIEM based …
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
 
2011 09 18 United "Platitudes, reality and promise"
2011 09 18 United "Platitudes, reality and promise"2011 09 18 United "Platitudes, reality and promise"
2011 09 18 United "Platitudes, reality and promise"
 
Brighttalk understanding the promise of sde - final
Brighttalk   understanding the promise of sde - finalBrighttalk   understanding the promise of sde - final
Brighttalk understanding the promise of sde - final
 
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Sw keynote
Sw keynoteSw keynote
Sw keynote
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed Services
 
New Vvma Presentation
New Vvma PresentationNew Vvma Presentation
New Vvma Presentation
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloud
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 
Virtela Corp Brochure
Virtela Corp BrochureVirtela Corp Brochure
Virtela Corp Brochure
 
Network Security Architecture
Network Security Architecture Network Security Architecture
Network Security Architecture
 
Overview of Identity and Access Management Product Line
Overview of Identity and Access Management Product LineOverview of Identity and Access Management Product Line
Overview of Identity and Access Management Product Line
 
SanerNow a platform for Endpoint security and systems Management
SanerNow  a platform for Endpoint security and systems ManagementSanerNow  a platform for Endpoint security and systems Management
SanerNow a platform for Endpoint security and systems Management
 
Peter J. Simpson Resume
Peter J. Simpson ResumePeter J. Simpson Resume
Peter J. Simpson Resume
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
NH Bankers 10 08 07 Kamens
NH Bankers 10 08 07 KamensNH Bankers 10 08 07 Kamens
NH Bankers 10 08 07 Kamens
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formula
 

Mais de Interop

Preparing for the cloud
Preparing for the cloudPreparing for the cloud
Preparing for the cloud
Interop
 
Portable clouds navigating cloud standards
Portable clouds navigating cloud standardsPortable clouds navigating cloud standards
Portable clouds navigating cloud standards
Interop
 
Planning for (and deploying!) 4 g wireless
Planning for (and deploying!) 4 g wirelessPlanning for (and deploying!) 4 g wireless
Planning for (and deploying!) 4 g wireless
Interop
 
Planning and implementing windows 7
Planning and implementing windows 7Planning and implementing windows 7
Planning and implementing windows 7
Interop
 
Outsourcing it security yes, it’s still your problem
Outsourcing it security yes, it’s still your problemOutsourcing it security yes, it’s still your problem
Outsourcing it security yes, it’s still your problem
Interop
 
Next gen lan infrastructure
Next gen lan infrastructureNext gen lan infrastructure
Next gen lan infrastructure
Interop
 
New approaches to vulnerability management
New approaches to vulnerability managementNew approaches to vulnerability management
New approaches to vulnerability management
Interop
 
Mst cloud interoperability process
Mst cloud interoperability processMst cloud interoperability process
Mst cloud interoperability process
Interop
 
Mobile security new challenges practical solutions
Mobile security new challenges practical solutionsMobile security new challenges practical solutions
Mobile security new challenges practical solutions
Interop
 
Mobile computing threats
Mobile computing threatsMobile computing threats
Mobile computing threats
Interop
 
Mobile application development strategies
Mobile application development strategiesMobile application development strategies
Mobile application development strategies
Interop
 
Managing your virtual environment
Managing your virtual environmentManaging your virtual environment
Managing your virtual environment
Interop
 
Managing change in the data center network
Managing change in the data center networkManaging change in the data center network
Managing change in the data center network
Interop
 
Managing a public cloud
Managing a public cloudManaging a public cloud
Managing a public cloud
Interop
 
Malice through the looking glass
Malice through the looking glassMalice through the looking glass
Malice through the looking glass
Interop
 
Extending the lifecycle of your storage area network
Extending the lifecycle of your storage area networkExtending the lifecycle of your storage area network
Extending the lifecycle of your storage area network
Interop
 
Desktop virtualization primer one size does not fit all
Desktop virtualization primer   one size does not fit allDesktop virtualization primer   one size does not fit all
Desktop virtualization primer one size does not fit all
Interop
 
Deep dive why networking must fundamentally change
Deep dive why networking must fundamentally changeDeep dive why networking must fundamentally change
Deep dive why networking must fundamentally change
Interop
 
Deep dive network requirementsfor enterprise video conferencing
Deep dive   network requirementsfor enterprise video conferencingDeep dive   network requirementsfor enterprise video conferencing
Deep dive network requirementsfor enterprise video conferencing
Interop
 
Deep dive 4 reasons why networking must change
Deep dive 4 reasons why networking must changeDeep dive 4 reasons why networking must change
Deep dive 4 reasons why networking must change
Interop
 

Mais de Interop (20)

Preparing for the cloud
Preparing for the cloudPreparing for the cloud
Preparing for the cloud
 
Portable clouds navigating cloud standards
Portable clouds navigating cloud standardsPortable clouds navigating cloud standards
Portable clouds navigating cloud standards
 
Planning for (and deploying!) 4 g wireless
Planning for (and deploying!) 4 g wirelessPlanning for (and deploying!) 4 g wireless
Planning for (and deploying!) 4 g wireless
 
Planning and implementing windows 7
Planning and implementing windows 7Planning and implementing windows 7
Planning and implementing windows 7
 
Outsourcing it security yes, it’s still your problem
Outsourcing it security yes, it’s still your problemOutsourcing it security yes, it’s still your problem
Outsourcing it security yes, it’s still your problem
 
Next gen lan infrastructure
Next gen lan infrastructureNext gen lan infrastructure
Next gen lan infrastructure
 
New approaches to vulnerability management
New approaches to vulnerability managementNew approaches to vulnerability management
New approaches to vulnerability management
 
Mst cloud interoperability process
Mst cloud interoperability processMst cloud interoperability process
Mst cloud interoperability process
 
Mobile security new challenges practical solutions
Mobile security new challenges practical solutionsMobile security new challenges practical solutions
Mobile security new challenges practical solutions
 
Mobile computing threats
Mobile computing threatsMobile computing threats
Mobile computing threats
 
Mobile application development strategies
Mobile application development strategiesMobile application development strategies
Mobile application development strategies
 
Managing your virtual environment
Managing your virtual environmentManaging your virtual environment
Managing your virtual environment
 
Managing change in the data center network
Managing change in the data center networkManaging change in the data center network
Managing change in the data center network
 
Managing a public cloud
Managing a public cloudManaging a public cloud
Managing a public cloud
 
Malice through the looking glass
Malice through the looking glassMalice through the looking glass
Malice through the looking glass
 
Extending the lifecycle of your storage area network
Extending the lifecycle of your storage area networkExtending the lifecycle of your storage area network
Extending the lifecycle of your storage area network
 
Desktop virtualization primer one size does not fit all
Desktop virtualization primer   one size does not fit allDesktop virtualization primer   one size does not fit all
Desktop virtualization primer one size does not fit all
 
Deep dive why networking must fundamentally change
Deep dive why networking must fundamentally changeDeep dive why networking must fundamentally change
Deep dive why networking must fundamentally change
 
Deep dive network requirementsfor enterprise video conferencing
Deep dive   network requirementsfor enterprise video conferencingDeep dive   network requirementsfor enterprise video conferencing
Deep dive network requirementsfor enterprise video conferencing
 
Deep dive 4 reasons why networking must change
Deep dive 4 reasons why networking must changeDeep dive 4 reasons why networking must change
Deep dive 4 reasons why networking must change
 

Último

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Último (20)

Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 

Creating effective security controls

  • 1. Creating Effective Security Controls: A Ten Year Study of High Performing Security Speaker: Gene Kim, Founder and CTO, Tripwire
  • 2. Where Did The High Performers Come From? compliance | security | control IT SECURITY & COMPLIANCE AUTOMATION 2 Don’t Take Chances. TAKE CONTROL.
  • 3. Agenda
    - An uncomfortable question about information security effectiveness
    - How does information security integrate effectively into daily operations?
    - How did the high performing IT organizations make their “good to great” transformations?
    - Seven practical steps to go from “good to great”
    - How does going from good to great feel?
    - Additional resources
  • 4. Information Security and Compliance Risks
    - Information security practitioners are always one change away from a security breach: front page news, regulatory fines, brand damage
    - High profile security failures are increasing external pressures for security and compliance: Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)
  • 5. The Dark Side Of Virtualization
    - Virtualization enables organizations to deploy changes and releases more quickly than ever (“What works at 60 mph may not work at 200 mph…”)
    - Certain required activities in the physical world made it easier to prevent and detect release risks: watching for servers on the loading dock, budgeting and procurement activities, physical data center access, network cabling
    - What happens when these activities are no longer required to deploy major releases? And when it is easy to download VMplayer, copy virtual machines, etc.? And what could go wrong?
  • 6. Operations And Security Already Don’t Get Along
    Operations hinders security…
    - Deploys insecure components into production
    - Creates production infrastructure that is hard to understand
    - Has no information security standard
    - Creates self-inflicted outages
    - Uses shared privileged accounts
    - Can’t quickly address known security vulnerabilities
    Security hinders operations…
    - Creates bureaucracy
    - Security changes break production IT systems
    - Generates risky, low value IT operations work
    - Generates a large backlog of reviews
    - Creates delays through information security requirements
    - Brings up project issues that cost too much, take too long, and reduce the feature set
    Words often used to describe information security: “hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…”
  • 7. Going from Good to Great
  • 8. Desired Outcome: Create A Higher Performing, More Nimble and More Secure IT Organization
    Best in class:
    - Highest ratio of staff for pre-production processes
    - Lowest amount of unplanned work
    - Highest change success rate
    - Best posture of compliance
    - Lowest cost of compliance
    [Chart: operations metrics benchmarks. Vertical axis: # servers (size of operation, 1 to 10,000, log scale); horizontal axis: server/sysadmin ratio (efficiency of operation, 0 to 140); a cluster is labelled “Best in Class Ops and Security”. Source: IT Process Institute (2001)]
  • 9. Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
    - High performers maintain a posture of compliance: fewest number of repeat audit findings; one-third the amount of audit preparation effort
    - High performers find and fix security breaches faster: 5 times more likely to detect breaches by automated control; 5 times less likely to have breaches result in a loss event
    - When high performers implement changes: 14 times more changes; one-half the change failure rate; one-quarter the first fix failure rate; 10x faster MTTR for Sev 1 outages
    - When high performers manage IT resources: one-third the amount of unplanned work; 8 times more projects and IT services; 6 times more applications
    Source: IT Process Institute, May 2008
  • 10. Common Traits of the Highest Performers
    A culture of…
    - Change management: integration of IT operations/security via problem/change management; processes that serve both organizational needs and business objectives; highest rate of effective change
    - Causality: highest service levels (MTTR, MTBF); highest first fix rate (avoiding unneeded rework)
    - Compliance and continual reduction of operational variance: production configurations; highest level of pre-production staffing; effective pre-production controls; effective pairing of preventive and detective controls
    Source: IT Process Institute
  • 11. Visible Ops: Playbook of High Performers
    - The IT Process Institute has been studying high-performing organizations since 1999
    - What is common to all the high performers? What is different between them and average and low performers? How did they become great?
    - The answers have been codified in the Visible Ops Methodology
  • 12. Over Ten Years, We Benchmarked 1500+ IT Orgs
    [Charts. Source: EMA (2009); Source: IT Process Institute (2008)]
  • 13. 2007: Three Controls Predict 60% Of Performance
    To what extent does an organization define, monitor and enforce the following?
    - Standardized configuration strategy
    - Process discipline
    - Controlled access to production systems
    Source: IT Process Institute, May 2008
  • 14. High Performers Can Bound Maximum MTTR
    But look at the huge differences for large outages! (Large outages required 25-50 people to fix!)
    Source: IT Process Institute, May 2006
  • 15. Seven Practical Steps
  • 16. The Seven Practical Steps To Integrate Information Security Into Daily Operations
    - Step 1: Gain situational awareness
    - Step 2: Reduce and monitor privileged access
    - Step 3: Define and enforce VMM configuration standards
    - Step 4: Integrate and help enforce change management processes
    - Step 5: Create library of trusted virtualized builds
    - Step 6: Integrate into release management
    - Step 7: Ensure that all activities go through change management
  • 17. Step 1: Gain Situational Awareness
    Situational awareness: “the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regard to the mission.”
    Questions we want to answer:
    - What IT services are being provided? (e.g. power generation, distribution, financial reporting, etc.)
    - Who are the business and IT units, and how are they organized? (e.g., the centralized IT services group, an IT outsourcer, etc.)
    - What are the relevant regulatory and contractual requirements for the business process? (e.g., SOX-404, PCI DSS, FISMA, NERC, etc.) Where is reliance being placed, and what are the critical functionalities?
    - What technologies and IT processes are the services run on? (e.g., Microsoft Windows Server, Sun Solaris, SQL Server, Oracle, etc.)
    - Are there any high-level risk indicators from the past? (e.g., repeat audit findings, frequent outages, management metrics, etc.)
  • 18. Step 2: Reduce And Monitor Privileged Access
    - Know where the infrastructure that poses the largest risk to business objectives is
    - Ensure that access is properly restricted
    - Look for administrators who have high levels of privilege, and reduce access. Such administrators can introduce the likelihood of errors, downtime, fraud and security incidents; can affect mission critical IT services; can modify logical security settings; can add, remove and modify VMs
    “To err is human. To really screw up requires the root password.” (Unknown)
  • 19. Step 2: Reduce And Monitor Privileged Access
    Implement preventive controls:
    - Reconcile admins to authorized staff and delete any ghost accounts
    - Ensure a reasonable number of admins
    - Issue and revoke accounts upon hiring, firing, reassignment
    Implement detective controls:
    - Monitor privileged user account adds, removes and changes
    - Reconcile each user account change to an authorized work order
    - Reconcile each user account to an HR record
    - Implement account re-accreditation procedures
    “Hope is not a strategy. Trust is not a control.”
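The two detective controls on slide 19 (reconcile every privileged account to an HR record, and every privileged-account change to an authorized work order) are mechanical enough to run as a script. The following is an added example, not code from the presentation or from Tripwire; the HR roster, the privileged group snapshot, the audit events, the work orders and the convention that a service account is acceptable only when it has a named active owner are all constructed assumptions for illustration.

```python
"""Step 2 detective controls, worked through in code: find privileged-group
members with no active HR record (ghost accounts), and find membership
changes that no approved work order authorises.

Added example, not code from the presentation. All data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed HR roster: the authoritative list of people and their status.
HR_ROSTER: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "role": "sysadmin"},
    "bob": {"status": "active", "role": "dba"},
    "carol": {"status": "terminated", "role": "sysadmin"},  # left, never deprovisioned
}

# Assumed convention: a service account may sit in the privileged group only
# if it has a named human owner who is still active.
SERVICE_ACCOUNT_OWNERS: Dict[str, str] = {"svc_backup": "alice"}

# Constructed snapshot of the privileged group, e.g. what `getent group wheel`
# or a directory group export would return.
PRIV_GROUP_MEMBERS: Set[str] = {"alice", "bob", "carol", "svc_backup", "mallory"}


@dataclass
class MembershipEvent:
    """One privileged-group add/remove as recorded by the audit log."""
    account: str
    action: str            # "add" or "remove"
    when: date
    ticket: Optional[str]  # work order the operator cited, if any


# Constructed audit events: the changes that must be reconciled.
EVENTS: List[MembershipEvent] = [
    MembershipEvent("bob", "add", date(2011, 3, 1), "CHG-1042"),
    MembershipEvent("mallory", "add", date(2011, 3, 2), None),          # no ticket at all
    MembershipEvent("svc_backup", "add", date(2011, 3, 3), "CHG-1050"),  # ticket never approved
]

# Constructed work orders: what the change process actually authorised.
WORK_ORDERS: Dict[str, Dict[str, object]] = {
    "CHG-1042": {"account": "bob", "action": "add", "approved": True},
    "CHG-1050": {"account": "svc_backup", "action": "add", "approved": False},
}


def is_active_person(account: str, roster: Dict[str, Dict[str, str]]) -> bool:
    return roster.get(account, {}).get("status") == "active"


def ghost_accounts(members: Set[str], roster: Dict[str, Dict[str, str]],
                   owners: Dict[str, str]) -> List[str]:
    """Members that cannot be tied to an active HR record, either directly or
    through an active service-account owner. These are the accounts to delete."""
    ghosts = []
    for member in members:
        owner = owners.get(member, member)  # a service account inherits its owner's status
        if not is_active_person(owner, roster):
            ghosts.append(member)
    return sorted(ghosts)


def unauthorised_changes(events: List[MembershipEvent],
                         work_orders: Dict[str, Dict[str, object]]) -> List[MembershipEvent]:
    """Events with no approved work order for that exact account and action.
    A ticket that exists but is unapproved, or that names a different account
    or action, does not count as authorisation."""
    bad = []
    for ev in events:
        wo = work_orders.get(ev.ticket) if ev.ticket else None
        authorised = (wo is not None and bool(wo["approved"])
                      and wo["account"] == ev.account and wo["action"] == ev.action)
        if not authorised:
            bad.append(ev)
    return bad


def report() -> str:
    """Human-readable findings for the review meeting."""
    lines = ["Ghost accounts (no active HR record): "
             + ", ".join(ghost_accounts(PRIV_GROUP_MEMBERS, HR_ROSTER, SERVICE_ACCOUNT_OWNERS))]
    for ev in unauthorised_changes(EVENTS, WORK_ORDERS):
        lines.append(f"Unauthorised {ev.action} of {ev.account} on {ev.when} "
                     f"(ticket: {ev.ticket or 'none'})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On the constructed data the script flags carol (terminated but still in the group) and mallory (no HR record) as ghost accounts, and flags two membership changes: mallory's add, which cites no ticket, and svc_backup's add, whose ticket was never approved. Feeding the script a real directory export and ticket dump turns the slide's "reconcile" bullets into a daily check rather than an audit-time scramble.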
  • 20. Step 3: Define And Enforce Configuration Standards
    - The goal is to create known, trusted, stable, secure and risk-reduced configuration states
    - External configuration guides include: Center for Internet Security (CIS); VMware, “VMware Infrastructure 3, Security Hardening”; Defense Information Systems Agency (DISA) STIGs
    “Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. The security issues related to vulnerability and configuration management get worse, not better, when virtualized.” Source: Gartner, Inc., “Security Considerations and Best Practices for Securing Virtual Machines” by Neil MacDonald, March 2007.
  • 21. Step 4: Help Enforce Change Management Processes
    - Information security needs change management in order to gain situational awareness of production changes and to influence decisions and outcomes
    - Add value in the change management process by: assessing the potential information security and operational impact of changes; improving procedures for change authorisation, scheduling, implementation and substantiation; ensuring that change requests comply with information security requirements, corporate policy, and industry standards
  • 22. Step 4: Help Enforce Change Management Processes
    Implement preventive controls:
    - Get invited to the Change Advisory Board (CAB) meetings
    - Ensure “tone at the top” and help define consequences
    Implement detective controls:
    - Build and electrify the fence
    - Substantiate that all changes are authorised
    - Look for red flags and indicators
    “[As auditors,] the top leading indicators of risk when we look at an IT operation are poor service levels and unusual rates of changes.” (Bill Philhower)
  • 23. Step 5: Create A Library Of Trusted Builds
    Our goal is to make it easier to use known, stable and secure builds than unauthorised and insecure builds.
    Implement preventive controls:
    - A defined process for how to assemble hardened and stable builds
    - Work with any existing server provisioning teams to add any standard monitoring agents
    - Ensure that application and service account passwords are changed before deployment
  • 24. Step 5: Create A Library Of Trusted Builds
    Implement detective controls:
    - Verify that deployed infrastructure matches known good states
    - Verify virtual image configurations against internal and external configuration standards
    - Monitor the approved virtual image library for all adds, removes and changes
    - Reconcile all adds, removes and changes to an authorised change order
  • 25. Step 6: Integrate Into The Release Management Processes
    - Release management and information security both require standardisation and documentation: checklists; detection and reduction of variance
    Implement preventive and detective controls:
    - Develop shared templates with release management, QA and project management, and integrate them into their checkpoints
    - Integrate automated security testing tools
    - Compare preproduction and production images, and reduce any variance
  • 26. Step 7: Ensure All Activities Go Through Change Management
    Ensure that “the only acceptable number of unauthorized changes is zero” for:
    - Infrastructure
    - Application releases
    - Security patches
    - Break/fix activities
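Slides 22, 24 and 26 describe one detective loop: verify that deployed infrastructure still matches its known good state, reconcile each detected change to an authorised change order, and treat anything left over as an unauthorised change whose only acceptable count is zero. Below is that loop written out as an added example; it is not code from the presentation or from Tripwire. The baseline digests, the host manifest, the file modification times and the change orders are constructed sample data, and the reconciliation rule (a change is authorised when its path is in an approved order's scope and its modification time falls inside that order's implementation window) is an assumed convention, not one the deck states.

```python
"""Steps 4, 5 and 7 as detective controls in code: diff a deployed host's
file digests against the trusted build's baseline, reconcile every drifted
path to an approved change order, and report what remains unauthorised.

Added example, not code from the presentation. All data below is constructed."""
import hashlib
from datetime import datetime
from typing import Dict, List, Optional


def digest(content: bytes) -> str:
    """SHA-256 of file content, the identity a baseline records per path."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline captured when the build was approved into the library.
BASELINE: Dict[str, str] = {
    "/etc/ssh/sshd_config": digest(b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": digest(b"%wheel ALL=(ALL) ALL\n"),
    "/usr/local/bin/app": digest(b"app-v1.0"),
}

# Constructed manifest of the deployed host as it is now.
DEPLOYED: Dict[str, str] = {
    "/etc/ssh/sshd_config": digest(b"PermitRootLogin yes\nPasswordAuthentication no\n"),
    "/etc/sudoers": digest(b"%wheel ALL=(ALL) ALL\n"),
    "/usr/local/bin/app": digest(b"app-v1.1"),
    "/usr/local/bin/nc": digest(b"netcat binary"),
}

# Constructed modification times observed on the host (what stat() would report).
MTIMES: Dict[str, datetime] = {
    "/etc/ssh/sshd_config": datetime(2011, 4, 2, 9, 30),
    "/usr/local/bin/app": datetime(2011, 4, 1, 23, 15),
    "/usr/local/bin/nc": datetime(2011, 4, 2, 9, 31),
}

# Constructed approved change orders: scope (paths) and implementation window.
CHANGE_ORDERS: List[Dict[str, object]] = [
    {"id": "CHG-2001", "paths": {"/usr/local/bin/app"},
     "window": (datetime(2011, 4, 1, 22, 0), datetime(2011, 4, 2, 2, 0))},
]


def detect_drift(baseline: Dict[str, str], deployed: Dict[str, str]) -> Dict[str, str]:
    """Every difference from the known good state: 'modified', 'added' or 'removed'."""
    drift: Dict[str, str] = {}
    for path, expected in baseline.items():
        if path not in deployed:
            drift[path] = "removed"
        elif deployed[path] != expected:
            drift[path] = "modified"
    for path in deployed:
        if path not in baseline:
            drift[path] = "added"
    return drift


def reconcile(drift: Dict[str, str], change_orders: List[Dict[str, object]],
              mtimes: Dict[str, datetime]) -> Dict[str, Optional[str]]:
    """Map each drifted path to the change order that covers it, or None.
    Assumed rule: the path must be in the order's scope and the observed
    modification time must fall inside the order's implementation window."""
    result: Dict[str, Optional[str]] = {}
    for path in drift:
        result[path] = None
        when = mtimes.get(path)
        for co in change_orders:
            start, end = co["window"]
            if path in co["paths"] and when is not None and start <= when <= end:
                result[path] = str(co["id"])
                break
    return result


def unauthorised_changes(baseline: Dict[str, str], deployed: Dict[str, str],
                         change_orders: List[Dict[str, object]],
                         mtimes: Dict[str, datetime]) -> List[str]:
    """Paths that drifted without an approved change order. The target is an empty list."""
    drift = detect_drift(baseline, deployed)
    matched = reconcile(drift, change_orders, mtimes)
    return sorted(p for p in drift if matched[p] is None)


if __name__ == "__main__":
    drift = detect_drift(BASELINE, DEPLOYED)
    matched = reconcile(drift, CHANGE_ORDERS, MTIMES)
    for path, kind in sorted(drift.items()):
        print(f"{kind:9s} {path:24s} -> {matched[path] or 'UNAUTHORISED'}")
```

On the constructed data the application binary changed inside CHG-2001's window and reconciles cleanly, while the sshd_config edit (root login re-enabled) and the new netcat binary have no change order and come out as unauthorised. Swapping the inline dictionaries for a real baseline manifest and a ticket export is all that stands between this and the "electrified fence" the slides ask for.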
• 27. What Does Transformation Feel Like?
• 28. Find What’s Most Important First
• 29. Quickly Find What Is Different…
• 30. Before Something Bad Happens…
• 31. Find Risk Early…
• 32. Communicate It Effectively To Peers…
• 33. Hold People Accountable…
• 34. Based On Objective Evidence…
• 35. Answer Important Questions…
• 36. Ever Increasing Situational Mastery…
• 37. Do Root Cause Analysis…
• 38. Helping The Organization To More
• 39. Show Value To The Business…
• 40. Be Recognized For Contribution…
• 41. And Do More With Less…
• 42. Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
  - High performers maintain a posture of compliance
    - Fewest number of repeat audit findings
    - One-third the amount of audit preparation effort
  - High performers find and fix security breaches faster
    - 5 times more likely to detect breaches by automated control
    - 5 times less likely to have breaches result in a loss event
  - When high performers implement changes…
    - 14 times more changes
    - One-half the change failure rate
    - One-quarter the first fix failure rate
    - 10x faster MTTR for Sev 1 outages
  - When high performers manage IT resources…
    - One-third the amount of unplanned work
    - 8 times more projects and IT services
    - 6 times more applications
  Source: IT Process Institute, May 2008
• 43. Resources
  - From the IT Process Institute www.itpi.org
    - Both Visible Ops Handbooks
    - ITPI IT Controls Performance Study
  - Stop by the Tripwire booth for
    - a copy of Visible Ops Security
    - “Gene Kim’s Practical Steps To Mitigate Virtualization Security Risks” white paper
  - Follow Gene Kim
    - On Twitter: @RealGeneKim
    - genek@tripwire.com
    - Blog: http://www.tripwire.com/blog/?cat=34