Creating effective security controls
1. Creating Effective Security Controls:
A Ten Year Study of High Performing
Security
Speaker: Gene Kim, Founder and CTO, Tripwire
2. Where Did The High Performers Come From?
compliance | security | control
IT SECURITY & COMPLIANCE AUTOMATION 2 Don’t Take Chances. TAKE CONTROL.
3. Agenda
An uncomfortable question about information security
effectiveness
How does information security integrate effectively into daily
operations?
How did the high performing IT organizations make their
“good to great” transformations?
Seven practical steps to go from “good to great”
How does going from good to great feel?
Additional resources
4. Information Security and Compliance Risks
Information security practitioners are always one
change away from a security breach
Front page news
Regulatory fines
Brand damage
High profile security failures are
increasing external pressures for security and
compliance
Sarbanes-Oxley (SOX) Act of 2002, the Gramm-
Leach-Bliley Act, Health Insurance Portability and
Accountability Act (HIPAA), emerging privacy laws,
and the Payment Card Industry Data Security
Standard (PCI DSS)
5. The Dark Side Of Virtualization
Virtualization enables organizations to deploy changes and
releases more quickly than ever
“What works at 60 mph may not work at 200 mph…”
Certain required activities in the physical world made it easier
to prevent and detect release risks
Watching for servers on the loading dock
Budgeting and procurement activities
Physical data center access
Network cabling
What happens when these activities are no longer required to deploy major releases?
• And when it is easy to download VMplayer, copy virtual machines, etc…
• And what could go wrong?
6. Operations And Security Already Don’t Get Along
Operations Hinders Security…
• Deploys insecure components into production
• Creates production infrastructure hard to understand
• Has no information security standard
• Creates self-inflicted outages
• Uses shared privileged accounts
• Can’t quickly address known security vulnerabilities
Security Hinders Operations…
• Creates bureaucracy
• Security changes break production IT systems
• Generates risky, low value IT operations work
• Generates large backlog of reviews
• Creates delays through information security requirements
• Brings up project issues that cost too much, takes too long, & reduces feature set
Words often used to describe information security:
“hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…”
8. Desired Outcome: Create A Higher Performing,
More Nimble and More Secure IT Organization
Operations Metrics Benchmarks:
[Chart: Efficiency of Operation (server/sysadmin ratio, 0 to 140) against Size of Operation (# servers, log scale 1 to 10,000); the “Best in Class Ops and Security” cluster sits at the highest server/sysadmin ratios. Source: IT Process Institute (2001)]
Best in Class:
• Highest ratio of staff for pre-production processes
• Lowest amount of unplanned work
• Highest change success rate
• Best posture of compliance
• Lowest cost of compliance
9. Higher Performing IT Organizations Are More Stable,
Nimble, Compliant And Secure
High performers maintain a posture of compliance
Fewest number of repeat audit findings
One-third amount of audit preparation effort
High performers find and fix security breaches faster
5 times more likely to detect breaches by automated control
5 times less likely to have breaches result in a loss event
When high performers implement changes…
14 times more changes
One-half the change failure rate
One-quarter the first fix failure rate
10x faster MTTR for Sev 1 outages
When high performers manage IT resources…
One-third the amount of unplanned work
8 times more projects and IT services
6 times more applications
Source: IT Process Institute, May 2008
10. Common Traits of the Highest Performers
Culture of…
Change management
Integration of IT operations/security via problem/change management
Processes that serve both organizational needs and business objectives
Highest rate of effective change
Causality
Highest service levels (MTTR, MTBF)
Highest first fix rate (unneeded rework)
Compliance and continual reduction of
operational variance
Production configurations
Highest level of pre-production staffing
Effective pre-production controls
Effective pairing of preventive and detective controls
Source: IT Process Institute
11. Visible Ops: Playbook of High Performers
The IT Process Institute has been
studying high-performing organizations
since 1999
What is common to all the high
performers?
What is different between them and
average and low performers?
How did they become great?
Answers have been codified in the
Visible Ops Methodology
12. Over Ten Years, We Benchmarked 1500+ IT Orgs
Source: EMA (2009)
Source: IT Process Institute (2008)
13. 2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and
enforce the following?
Standardized configuration strategy
Process discipline
Controlled access to production systems
Source: IT Process Institute, May 2008
14. High Performers Can Bound Maximum MTTR
But look at the huge differences for large outages!
(Large outages required 25-50 people to fix!)
Source: IT Process Institute, May 2006
16. The Seven Practical Steps To Integrate Information
Security Into Daily Operations
Step 1: Gain situational awareness
Step 2: Reduce and monitor privileged access
Step 3: Define and enforce VMM configuration standards
Step 4: Integrate and help enforce change management
processes
Step 5: Create library of trusted virtualized builds
Step 6: Integrate into release management
Step 7: Ensure that all activities go through change
management
17. Step 1: Gain Situational Awareness
Situational awareness: “the ability to identify, process, and comprehend
the critical elements of information about what is happening to the team
with regard to the mission.”
Questions we want to answer:
What IT services are being provided?
• e.g. power generation, distribution, financial reporting, etc.
Who are the business and IT units, and how are they organized? (e.g., the
centralized IT services group, an IT outsourcer, etc.)
What are the relevant regulatory and contractual requirements for the
business process?
• e.g., SOX-404, PCI DSS, FISMA, NERC, etc.
• Where is reliance being placed and what are critical functionalities?
What are the technologies and IT processes being run on?
• e.g., Microsoft Windows Server, Sun Solaris, SQL Server, Oracle, etc.
Are there any high-level risk indicators from the past? (e.g., repeat audit
findings, frequent outages, management metrics, etc.)
18. Step 2: Reduce And Monitor Privileged Access
Know where the infrastructure that poses the largest risk to
business objectives is.
Ensure that access is properly restricted
Look for administrators who have high levels of privilege
Reduce access
They can introduce likelihood of errors, downtime, fraud and
security incidents
Can affect mission critical IT services
Can modify logical security settings
Can add, remove and modify VMs
“To err is human. To really screw up requires the root password.” – Unknown
19. Step 2: Reduce And Monitor Privileged Access
Implement preventive controls:
Reconcile admins to authorized staff and delete any ghost accounts
Ensure reasonable number of admins
Issue and revoke accounts upon hiring, firing, reassignment
Implement detective controls:
Monitor privileged user account adds, removes and changes
Reconcile each user account change to an authorized work order
Reconcile each user account to an HR record
Implement account re-accreditation procedures
“Hope is not a strategy. Trust is not a control.”
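The Step 2 controls above (reconcile admins to authorized staff, delete ghost accounts, reconcile each privileged-account change to a work order and each account to an HR record) as a worked example. This is added code, not from the presentation; the logins, ticket ids and record layout are constructed assumptions.

```python
"""Reconcile privileged admin accounts against HR records and authorized work orders.

Added example, not from the presentation: the Step 2 preventive and detective
controls run over constructed sample data (logins and ticket ids are assumptions).
"""

# Constructed snapshot: current members of the hypervisor admin group.
ADMIN_GROUP_SNAPSHOT = {"alice", "bob", "svc_backup", "tmp_admin"}

# Constructed HR roster: login -> employment status.
HR_RECORDS = {"alice": "active", "bob": "terminated", "carol": "active"}

# Service accounts are reconciled to an owning employee instead of an HR record.
SERVICE_ACCOUNT_OWNERS = {"svc_backup": "alice"}

# Constructed audit trail of privileged-group changes and the approved work orders.
ACCOUNT_CHANGES = [
    {"event": "add", "account": "alice", "ticket": "CHG-1001"},
    {"event": "add", "account": "tmp_admin", "ticket": None},
    {"event": "remove", "account": "carol", "ticket": "CHG-1002"},
]
AUTHORIZED_WORK_ORDERS = {"CHG-1001", "CHG-1002"}


def find_ghost_accounts(members, hr, service_owners):
    """Preventive control: admins whose (owning) employee has no active HR record."""
    ghosts = set()
    for login in members:
        owner = service_owners.get(login, login)
        if hr.get(owner) != "active":
            ghosts.add(login)
    return ghosts


def unauthorized_account_changes(changes, work_orders):
    """Detective control: every add, remove or change must map to an authorized work order."""
    return [c for c in changes if c["ticket"] not in work_orders]


def reconcile(members, hr, service_owners, changes, work_orders, max_admins):
    """Run the Step 2 checks and return the findings an auditor would ask for."""
    return {
        "ghost_accounts": sorted(find_ghost_accounts(members, hr, service_owners)),
        "unauthorized_changes": [c["account"] for c in unauthorized_account_changes(changes, work_orders)],
        "too_many_admins": len(members) > max_admins,
    }


if __name__ == "__main__":
    print(reconcile(ADMIN_GROUP_SNAPSHOT, HR_RECORDS, SERVICE_ACCOUNT_OWNERS,
                    ACCOUNT_CHANGES, AUTHORIZED_WORK_ORDERS, max_admins=3))
```

Each finding maps to one control on the slide: ghost accounts to the HR reconciliation, unauthorized changes to the work-order reconciliation, and the admin count to the “reasonable number of admins” check.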
20. Step 3: Define And Enforce Configuration Standards
The goal is to create known, trusted, stable, secure and risk-
reduced configuration states
External configuration guides include:
Center for Internet Security (CIS)
VMWare: “VMware Infrastructure 3, Security Hardening”
Defense Information Systems Agency (DISA) STIGs
“Like their physical counterparts, most security vulnerabilities will be introduced through
misconfiguration and mismanagement. The security issues related to vulnerability and
configuration management get worse, not better, when virtualized.”
Source: Gartner, Inc., “Security Considerations and Best Practices for Securing Virtual Machines” by Neil MacDonald, March 2007.
21. Step 4: Help Enforce Change Management Processes
Information security needs change management
Gain situational awareness of production changes
Influence decisions and outcomes.
Add value in the change management process by:
Assessing the potential information security and operational impact of
changes
Improving procedures for change authorisation, scheduling, implementation
and substantiation
Ensuring that change requests comply with information security
requirements, corporate policy, and industry standards
22. Step 4: Help Enforce Change Management Processes
Implement preventive controls
Get invited to the Change Advisory Board (CAB) meetings
Ensure “tone at the top” and help define consequences
Implement detective controls
Build and electrify the fence
Substantiate that all changes are authorised
Look for red flags and indicators
“[As auditors,] the top leading indicators of risk when we look at an IT operation are poor
service levels and unusual rates of changes.” – Bill Philhower
23. Step 5: Create A Library Of Trusted Builds
Our goal is to make it easier to use known, stable and secure
builds than unauthorised and insecure builds
Implement preventive controls:
Defined process of how to assemble hardened and stable builds
Work with any existing server provisioning teams to add any
standard monitoring agents
Ensure that application and service account passwords are
changed before deployment
24. Step 5: Create A Library Of Trusted Builds
Implement detective controls:
Verify that deployed infrastructure matches known good states
Verify virtual image configurations against internal and external
configuration standards
Monitor the approved virtual image library for all adds, removes and changes
Reconcile all adds, removes and changes to an authorised change order.
25. Step 6: Integrate Into The Release Management Processes
Release management and information security both require
standardisation and documentation
Checklists
Detection and reduction of variance
Implement preventive and detective controls:
Develop shared templates with release management, QA and project
management and integrate into their checkpoints
Integrate automated security testing tools
Compare preproduction and production images, and reduce any
variance
26. Step 7: Ensure All Activities Go Through Change
Management
Ensure that “the only acceptable number of unauthorized
changes is zero”
Infrastructure
Application releases
Security patches
Break/fix activities
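The detective controls of Step 4 (substantiate that all changes are authorised), Step 5 (verify that deployed infrastructure matches known good states) and the Step 7 rule that the only acceptable number of unauthorized changes is zero, as one worked example. This is added code, not from the presentation or from Tripwire; the file paths, settings and change-order ids are constructed assumptions.

```python
"""Detect drift from a trusted build and reconcile each change to an authorized change order.

Added example, not from the presentation: Step 4/5/7 detective controls over
constructed data. Paths, setting values and ticket ids are assumptions.
"""
import hashlib

def fingerprint(config):
    """Hash each setting or file so the baseline stores digests rather than contents."""
    return {k: hashlib.sha256(v.encode()).hexdigest() for k, v in config.items()}

# Constructed trusted build: settings captured when the image was approved.
TRUSTED_BUILD = fingerprint({
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/ntp.conf": "server ntp.example.internal\n",
    "vm.tools_version": "10.3",
})

# Constructed snapshot of a deployed VM taken by a monitoring agent.
DEPLOYED_VM = fingerprint({
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/ntp.conf": "server ntp.example.internal\n",
    "vm.tools_version": "10.4",
    "/opt/debug/agent.sh": "#!/bin/sh\n",
})

# Constructed change records: the approved change order covering each item.
AUTHORIZED_CHANGES = {"vm.tools_version": "CHG-2041"}

def detect_drift(baseline, observed):
    """Step 5: every item added, removed or modified relative to the trusted build."""
    drift = {}
    for key in baseline.keys() | observed.keys():
        if key not in observed:
            drift[key] = "removed"
        elif key not in baseline:
            drift[key] = "added"
        elif baseline[key] != observed[key]:
            drift[key] = "modified"
    return drift

def reconcile_to_change_orders(drift, authorized):
    """Step 4: substantiate each change; anything without a change order is unauthorized."""
    return {k: (authorized.get(k) or "UNAUTHORIZED") for k in sorted(drift)}

def unauthorized_change_count(baseline, observed, authorized):
    """Step 7 metric: the only acceptable value is zero."""
    recon = reconcile_to_change_orders(detect_drift(baseline, observed), authorized)
    return sum(1 for v in recon.values() if v == "UNAUTHORIZED")
```

With the constructed data, the tools upgrade reconciles to its change order while the sshd change and the added script do not, so the Step 7 count is two and the image fails.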
36. Ever Increasing Situational Mastery…
37. Do Root Cause Analysis…
38. Helping The Organization To More
39. Show Value To The Business…
40. Be Recognized For Contribution…
41. And Do More With Less…
43. Resources
From the IT Process Institute
www.itpi.org
Both Visible Ops Handbooks
ITPI IT Controls Performance Study
Stop by the Tripwire booth for
a copy of Visible Ops Security
“Gene Kim’s Practical Steps To Mitigate Virtualization Security Risks” white paper
Follow Gene Kim
On Twitter: @RealGeneKim
genek@tripwire.com
Blog: http://www.tripwire.com/blog/?cat=34