Building a Comprehensive Security Architecture Framework
Nov 06, 2014
Mark Whitteker, MSIA, CISSP
Security Architect / Information Systems Security Officer
Cisco Systems, Inc.
© 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2
Mark Whitteker, MSIA, CISSP, GSNA, GCFA
Security Architect and Information Systems Security Officer at Cisco Systems, Inc.
15+ years of experience in secure solutions development, systems and network auditing, forensic discovery, vulnerability assessments, and security management.
Extensive background in the application of commercial and US government regulations and requirements
Can be reached at: [email protected] http://www.linkedin.com/pub/mark-whitteker/3/480/68b
Agenda
The Problem
The Solution
The Dirty Details
Q&A
Why do I need a security framework? Here’s a house built on a planned framework…
[Figure: the framework, then the finished product]
The result: an efficient and elegant home!
Why do I need a security framework? Here’s a house built without a planned framework…
The result: I haven’t seen my wife and children in days!
The Problem
Problem Description
Few of us have the luxury of building our organization’s security architecture from the ground up
Some security services already exist (hopefully)
Your organization must comply with one or more industry standards, e.g. ISO 27001/27002, NIST SP 800-53, SOX, PCI DSS
You need to demonstrate to auditors your compliance with the resulting requirements
Compliance with Requirements: can you say “Checkbox Security”?!?
Auditors validate that all the checkboxes are complete
Security professionals know (or should know) that compliance != security
Security is achieved by understanding the organization’s risks and implementing mitigations that reduce them to within management’s tolerance level
So how do you show auditors compliance with requirements while actually improving your security posture?
If you keep going how you’ve always gone, you’ll end up where you’ve always been.
The Solution
Bring it all together!
Map security services to industry standards through a comprehensive, end-to-end security framework
Shows auditors how you are complying with industry standards
Demonstrates to management the value of security services
[Figure: Industry Standards mapped to Security Services through the framework]
The Dirty Details
Comprehensive Framework Diagram (figure)
Implementation Phases
Phase 1: Define Requirements
Phase 2: Implement Requirements
Phase 3: Measure Success
Rinse and repeat
Phase 1 - Define Requirements
Industry Standards
Industry Standards: Build a Requirements Crosswalk Matrix
Most industry standards, while different, are based on the same security principles/requirements
Determine where similarities exist and group them together
Example: Industry Standard A password complexity requirement + Industry Standard B password complexity requirement -> Organizational password complexity requirement
Crosswalk Example – Audit Logging
Company must comply with ISO 27001/27002
A business unit within the company provides government services and must comply with NIST SP 800-53 (per FISMA)
Crosswalk matrix developed to integrate both sets of requirements into a single framework
ISO 27001 A.10.10.1 + NIST SP 800-53 AU-1 to AU-5, AU-8, AU-11, AU-12 -> Organizational Audit Logging Requirements
Crosswalk Example – Continued
ISO 27001/27002 A.10.10.1: Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring. The implementation guidance lists 12 relevant event types.
NIST SP 800-53 AU-1 to AU-5, AU-8, AU-11, AU-12: Audit and Accountability Policy and Procedures (AU-1), Auditable Events (AU-2), Content of Audit Records (AU-3), Audit Storage Capacity (AU-4), Response to Audit Processing Failures (AU-5), Time Stamps (AU-8), Audit Record Retention (AU-11), and Audit Generation (AU-12)
Crosswalk Example – Continued
Organizational Audit Logging Requirements combine the requirements from both standards into a single set of organizational standards
Where the two standards differ in level of implementation or stringency, the most stringent requirement prevails
Example: 3-year log retention vs. 5-year log retention -> organizational requirement is 5-year retention
Where the two standards genuinely conflict (one cannot be satisfied without violating the other), the organization must determine which industry standard takes precedence
This may require the involvement of the legal department
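The merge rule described in the crosswalk example (most stringent requirement prevails; genuine conflicts are escalated for a precedence decision) as an added Python example. This is not code from the deck: the requirement kinds, the sample event-type lists and the time-zone values are assumptions made for illustration; only the 3-year vs. 5-year retention figures come from the slides.

```python
"""Requirements crosswalk: merge the same requirement from two standards into
one organizational requirement, keeping the most stringent value and flagging
genuine conflicts for a precedence decision.

Added example, not from the deck. The retention figures are the deck's own
3-year vs 5-year case; the event-type lists and the time-zone values are
constructed for illustration, not quoted from either standard.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Dict, List


class Kind(Enum):
    FLOOR = "floor"      # a minimum: larger is more stringent (retention years)
    CEILING = "ceiling"  # a maximum: smaller is more stringent (max password age)
    SET = "set"          # a list of items: the union is more stringent (events to log)
    FIXED = "fixed"      # a prescribed value: differing values are a conflict


@dataclass(frozen=True)
class Requirement:
    standard: str   # citation, e.g. "ISO 27001 A.10.10.1"
    topic: str      # crosswalk row, e.g. "audit log retention (years)"
    kind: Kind
    value: Any


@dataclass
class Merged:
    topic: str
    value: Any
    sources: List[str]
    conflict: bool = False
    note: str = ""


def merge_row(topic: str, reqs: List[Requirement]) -> Merged:
    """Apply the deck's rule: the most stringent requirement prevails;
    irreconcilable values are escalated instead of silently picking one."""
    kinds = {r.kind for r in reqs}
    if len(kinds) != 1:
        raise ValueError(f"{topic}: mixed requirement kinds {kinds}")
    kind = kinds.pop()
    sources = [r.standard for r in reqs]
    values = [r.value for r in reqs]
    if kind is Kind.FLOOR:
        return Merged(topic, max(values), sources)
    if kind is Kind.CEILING:
        return Merged(topic, min(values), sources)
    if kind is Kind.SET:
        return Merged(topic, sorted(set().union(*values)), sources)
    # FIXED: identical prescribed values are fine; anything else is a true conflict
    if len(set(values)) == 1:
        return Merged(topic, values[0], sources)
    return Merged(topic, None, sources, conflict=True,
                  note="prescribed values differ; decide precedence (may need legal)")


def build_crosswalk(reqs: List[Requirement]) -> Dict[str, Merged]:
    """Group requirements by crosswalk row and merge each row."""
    rows: Dict[str, List[Requirement]] = {}
    for r in reqs:
        rows.setdefault(r.topic, []).append(r)
    return {t: merge_row(t, group) for t, group in rows.items()}


# Constructed sample rows for the audit-logging crosswalk
SAMPLE = [
    Requirement("ISO 27001 A.10.10.1", "audit log retention (years)", Kind.FLOOR, 3),
    Requirement("NIST SP 800-53 AU-11", "audit log retention (years)", Kind.FLOOR, 5),
    Requirement("ISO 27001 A.10.10.1", "event types logged", Kind.SET,
                {"user ID", "access attempt success/failure", "privileged operations"}),
    Requirement("NIST SP 800-53 AU-2", "event types logged", Kind.SET,
                {"privileged operations", "account management", "audit function start/stop"}),
    # constructed conflict: both prescribe a value and the values differ
    Requirement("ISO 27001 A.10.10.6", "time zone in audit records", Kind.FIXED, "local time"),
    Requirement("NIST SP 800-53 AU-8", "time zone in audit records", Kind.FIXED, "UTC"),
]

if __name__ == "__main__":
    for row in build_crosswalk(SAMPLE).values():
        flag = "CONFLICT" if row.conflict else "ok"
        print(f"{row.topic:30} {flag:9} {row.value!r}  <- {', '.join(row.sources)}")
```

The point of the `Kind` tag is that "most stringent" means different things for different requirement shapes: a floor takes the larger value, a ceiling the smaller, a list the union, and a prescribed value can only be merged when both standards agree. Keeping the `sources` list on each merged row is what lets you show an auditor which clause of which standard the organizational requirement satisfies.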
Organizational Policies
Organizational Policies
Once the organizational requirements have been determined, the organization must develop security policies
Developing policies and obtaining executive approval can be a cumbersome and time-consuming process
Keep policies high-level and solution agnostic: this helps ensure successful collaboration among policy contributors and minimizes the need to revisit policies as technology changes
A 2-year review cycle is usually sufficient
Create as few policies as possible, but keep them domain specific
Organizational Policies Example
Source: Cisco’s Global Government Solutions Group – IT (GGSG-IT)
Acceptable Use
Business Continuity and Disaster Recovery
Contract Security for Information Systems
Cryptographic Controls
Data Classification
Data Protection
Incident Management
Information Security Management
Information System Authorization and Account Management
Information Systems Auditing and Testing
IT Operations Security
Personnel Security for Information Systems
Physical and Environmental Security
Risk Management
Security Compliance Management
Security Policy Architecture
Security Training and Awareness
Standardized Glossary – Taxonomy
System Development Lifecycle Security
User Identification and Authentication
Organizational Policies Example (cont)
Each policy mapped to the ISO 27001/27002 clauses and NIST SP 800-53 Rev 2 controls it satisfies:

Security Policy | ISO 27001/27002 | NIST SP 800-53 Rev 2
Acceptable Use | 07.01.03, 11.02.03, 11.03.01, 11.03.02, 11.03.03 | PL-4, PS-6
Business Continuity and Disaster Recovery Plan | 14.01.02, 14.01.03, 14.01.04, 14.01.05 | CP-(1-10)
Contract Security for Information Systems | 06.01.04, 06.02.03, 12.01, 12.05, 15.01.02 | SA-(1,6,9)
Cryptographic Controls | 12.03.01, 12.03.02, 15.01.06 | IA-7, SC-(8,9,12,13)
Data Classification | 07.02, 07.02.01, 07.02.02, 10.07.03 | AC-16, MP-3
Data Protection | 06, 07.02.02, 09.01, 10, 11, 12, 15 | MP-1, SC-(8,9), SI-(1,7)
Incident Management | 06.01.05, 06.01.06, 13.01.01, 13.01.02, 13.02 | IR-(1-7)
Information Security Management | 06.01.01, 06.01.02, 06.01.07, 06.01.08 | PL-1
Information System Authorization and Account Management | 06.02.01, 07.01.03, 08.02.01, 10.02, 10.10.03, 11.01.01, 11.04, 11.05, 11.06.02 | AC-(1,2)
Information Systems Auditing and Testing | 06.02.01, 07.01.01, 10.01.03, 10.10.05, 15.02, 15.03 | AU-(1-11), RA-(3-5), SA-(5,11), CA-(1,2), AC-5, IR-3, CP-4, SI-6
IT Operations Security | 06.01.03, 10, 11, 12, 15 | SC-1, SI-1
Personnel Security for Information Systems | 06.01.03, 06.01.05, 08.01, 08.02, 08.03, 13.01, 15.01, 15.02.01 | PS-(1-8)
Physical and Environmental Security | 09.01, 09.02, 13.01.02, 14.01.03 | PE-(1-17)
Risk Management | 14.01.02, 08.02.02 | RA-1
Security Compliance Management | 10.10.01, 10.10.02, 13.01.01, 13.02.03, 15.01, 15.02.01, 15.02.02 | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, RA-1, MA-1, MP-1, IA-1, IR-1, PE-1, PL-1, PS-(1,7), SA-(1,9), SC-1, SI-1
Security Policy Architecture | 05.01.01, 05.01.02 | PL-1
Security Training and Awareness | 05.01.02, 06.02.03, 08.02.02 | AT-(1-4)
Standardized Glossary – Taxonomy | 07.01.02, 07.02, 07.02.01 | Appendix B (glossary)
System Development Lifecycle Security | 10.01.04, 10.03.02, 10.07.04, 12.01.01, 12.04.02, 12.04.03, 12.05.01, 12.05.03 | SA-(3,8,11)
User Identification and Authentication | 11.02, 11.04.02, 11.05.02 | IA-(1,2)
Policy Standards
Policy Standards
Specific technical implementation requirements should be defined in policy standards
The policies themselves contain hyperlinks and/or references to the associated policy standards
Policy standards do not require review/approval by senior management: they are defined by organizational Subject Matter Experts (SMEs), so updating them does not require modification of the overarching policy
Standards can be modified/updated as technology advances
They should be reviewed by the SMEs at least yearly to ensure they stay current with industry trends
Policy Standards Example
The Cryptographic Controls policy states: “Purpose: This policy governs the use of cryptographic controls and key management to protect the confidentiality and integrity of Cisco GGSG information assets, as well as to support non-repudiation.”
It references multiple policy standards, such as full disk encryption; mail, file and folder encryption; and Public Key Infrastructure (PKI)
More than one policy may apply when defining a standard; the Data Protection policy is also closely related to the Cryptographic Controls policy
Policy Standards Reality Check
Often there isn’t simply a 1:1 mapping between policies and standards; in many cases multiple policies reference the same standard
Example: the Email Encryption Standard is referenced by the Acceptable Use Policy, the Cryptographic Controls Policy and the Data Protection Policy
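The policy table above uses a compact notation for NIST controls (ranges such as CP-(1-10), lists such as SA-(1,6,9), singles such as PL-4), and the reality check notes that the mapping is many-to-many. The following added Python example, which is not code from the deck, parses that notation into individual control IDs, builds the forward (policy to controls) and reverse (control to policies) indexes, and runs the two checks a practitioner wants before an audit: which controls in a required baseline no policy cites, and which controls are cited by more than one policy. The POLICY_CONTROLS strings copy a subset of the table's NIST column; the REQUIRED baseline is constructed for illustration.

```python
"""Policy-to-control traceability built from the deck's policy table notation.

Added example, not from the deck. The POLICY_CONTROLS strings copy a subset of
the NIST SP 800-53 column of the deck's table; REQUIRED is a constructed
baseline used only to show the gap check.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# "CP-(1-10)", "SA-(1,6,9)" and the slide's "SA(5,11)" (missing hyphen) all match
_GROUP = re.compile(r"\b([A-Z]{2})-?\(([^)]*)\)")
# a single control such as "PL-4"
_SINGLE = re.compile(r"\b([A-Z]{2})-(\d+)\b")


def expand_controls(spec: str) -> Set[str]:
    """Expand the table's compact notation into individual control IDs."""
    ids: Set[str] = set()
    for family, items in _GROUP.findall(spec):
        for item in items.split(","):
            item = item.strip()
            if not item:
                continue
            if "-" in item:                       # a range such as 1-10
                lo, hi = (int(x) for x in item.split("-", 1))
                ids.update(f"{family}-{n}" for n in range(lo, hi + 1))
            else:
                ids.add(f"{family}-{int(item)}")
    # strip the grouped forms, then pick up the remaining singles
    for family, num in _SINGLE.findall(_GROUP.sub(" ", spec)):
        ids.add(f"{family}-{int(num)}")
    return ids


def build_index(policy_controls: Dict[str, str]):
    """Forward map policy -> controls and reverse map control -> policies."""
    by_policy = {p: expand_controls(spec) for p, spec in policy_controls.items()}
    by_control: Dict[str, Set[str]] = defaultdict(set)
    for policy, ids in by_policy.items():
        for cid in ids:
            by_control[cid].add(policy)
    return by_policy, dict(by_control)


def coverage_gaps(required: Iterable[str], by_control: Dict[str, Set[str]]) -> List[str]:
    """Required controls that no policy cites: what an auditor will ask about first."""
    return sorted(c for c in required if c not in by_control)


def shared_controls(by_control: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Controls cited by more than one policy: the many-to-many reality check."""
    return {c: sorted(ps) for c, ps in by_control.items() if len(ps) > 1}


# Rows copied from the deck's table (NIST column only)
POLICY_CONTROLS = {
    "Acceptable Use": "PL-4, PS-6",
    "Business Continuity and Disaster Recovery": "CP-(1-10)",
    "Cryptographic Controls": "IA-7, SC-(8,9,12,13)",
    "Data Protection": "MP-1, SC-(8,9), SI-(1,7)",
    "Incident Management": "IR-(1-7)",
    "Information System Authorization and Account Management": "AC-(1,2)",
    "Information Systems Auditing and Testing":
        "AU-(1-11), RA-(3-5), SA(5,11), CA-(1,2) AC-5, IR-3, CP-4, SI-6",
}
# Constructed baseline: the controls the audit-logging crosswalk cited, plus a few others
REQUIRED = ["AU-2", "AU-11", "AU-12", "AC-2", "SC-8", "CP-4"]

if __name__ == "__main__":
    by_policy, by_control = build_index(POLICY_CONTROLS)
    print("uncovered controls:", coverage_gaps(REQUIRED, by_control))
    for cid, policies in sorted(shared_controls(by_control).items()):
        print(f"{cid:6} cited by {', '.join(policies)}")
```

With these rows the gap check reports AU-12 (the Auditing & Testing row lists AU-(1-11) while the crosswalk example also drew on AU-12), and the shared-control report shows SC-8 and SC-9 cited by both Cryptographic Controls and Data Protection, which is exactly the overlap the slides describe between those two policies.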
Phase 2 - Implement Requirements
Policy Implementation Procedures
While policy standards specify the technical implementation requirements necessary to comply with policies, policy implementation procedures document the step-by-step instructions for implementing those standards
They are: specific, repeatable, thorough, validated, approved
Documented procedures help raise an organization’s Capability Maturity Model (CMM) level
Procedures Example: Installing the Secure Print Client (Windows XP)
1. Open Windows Explorer.
2. In the Address field, type (or cut & paste) \\Rtp-filer09a\wg-g\ggsg-apps\Published\Secure-Print\ and press <Enter>.
3. Double-click the spxpinstall.bat script in the folder you just opened.
4. Enter your CEC credentials (if prompted).
5. Click Open (if prompted).
6. If necessary, click Yes in the Cisco Security Agent window to allow the script to run.
7. A command window opens and displays the installation progress.
8. When the software has finished installing, click OK.
Security Services
Security Services is the most ambiguous area of the framework
It can be very simple (1-3 services) or very complex (dozens of services), depending on the size and scope of your organization
Don’t reinvent the wheel! There are existing industry sources that can be used as a baseline:
SSE-CMM: Systems Security Engineering Capability Maturity Model (ISO/IEC 21827)
NIST SP 800-35: Guide to Information Technology Security Services
Security Services Example: Systems Security Engineering Capability Maturity Model
The SSE-CMM defines 11 security engineering process areas, used here as security services: Administer Security Controls, Assess Impact, Assess Security Risks, Assess Threats, Assess Vulnerabilities, Build Assurance Argument, Coordinate Security, Monitor Security Posture, Provide Security Input, Specify Security Needs, Verify and Validate Security
Security Services Example: NIST SP 800-35, Guide to Information Technology Security Services
Includes 3 categories of services: management, operational and technical
Management services: security program, security policy, risk management, security architecture, certification and accreditation, and security evaluation of IT projects
Operational services: contingency planning, incident handling, testing, and training
Technical services: firewalls, intrusion detection/prevention, and public key infrastructure
Phase 3 – Measure Success
Measure Success
How do you know if your security program is successful?
Risk Assessments
Perform a risk assessment!
There are 2 types of risk assessment:
Qualitative: a subjective assessment of the organization’s risk, typically achieved through personnel interviews and surveys
Quantitative: a non-subjective assessment of the organization’s risk based on mathematical calculations using security metrics and monetary values of assets
Which one is right for your organization?
Qualitative Risk Assessments
Pros: calculations are simple; not necessary to determine monetary value or threat frequency; not necessary to estimate the cost of risk mitigation measures; a general indication of significant risks is provided
Cons: subjective in both process and metrics; perceived asset/resource value may not reflect actual value; no basis is provided for cost/benefit analysis; not possible to track risk management performance
Although this method is very subjective in nature, it can be very beneficial when an organization is young and still maturing
Quantitative Risk Assessments
Pros: based on independently objective processes and metrics; the value of information expressed in monetary terms is better understood; a credible basis for cost/benefit assessment is provided; risk management performance can be tracked and evaluated; results are derived and expressed in management’s language
Cons: calculations are complex; not practical to execute without an automated tool and associated knowledge bases; a substantial amount of information must be gathered
Appropriate once an organization has reached a higher level of maturity and requires an assessment against standardized, objective measures
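A worked quantitative assessment of the kind the slide describes, as an added Python example that is not code from the deck. The slides say only that the quantitative method uses calculations over security metrics and the monetary value of assets; this block uses the conventional annualized loss expectancy model (SLE = asset value * exposure factor; ALE = SLE * ARO) and tests candidate controls on a cost/benefit basis against the management tolerance level mentioned under "Compliance != Security". Every asset value, exposure factor, occurrence rate, control cost and the tolerance figure is a constructed number, not data from the deck.

```python
"""Quantitative risk assessment: annualized loss expectancy (ALE) and a
cost/benefit test of candidate controls against management's risk tolerance.

Added example, not from the deck. The deck describes the quantitative method
only as calculations over security metrics and asset monetary values; this
uses the conventional ALE model (SLE = asset value * exposure factor,
ALE = SLE * ARO). Every figure below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float       # monetary value of the affected asset
    exposure_factor: float   # fraction of the value lost per occurrence, 0..1
    aro: float               # annualized rate of occurrence (events per year)

    @property
    def sle(self) -> float:  # single loss expectancy
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:  # annualized loss expectancy
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_ef: float       # exposure factor once the control is in place
    residual_aro: float      # occurrence rate once the control is in place


@dataclass(frozen=True)
class Decision:
    scenario: str
    action: str              # accept | mitigate | mitigate_at_a_loss | escalate
    control: Optional[str]
    residual_ale: float
    net_benefit: float       # annual savings minus annual control cost


def residual_ale(s: Scenario, c: Control) -> float:
    return s.asset_value * c.residual_ef * c.residual_aro


def net_benefit(s: Scenario, c: Control) -> float:
    return (s.ale - residual_ale(s, c)) - c.annual_cost


def plan(scenarios: List[Scenario], options: Dict[str, List[Control]],
         tolerance: float) -> List[Decision]:
    """Accept a scenario whose ALE is within tolerance; otherwise pick the control
    with the best net benefit that brings residual ALE within tolerance, and
    escalate when no candidate control does."""
    decisions = []
    for s in scenarios:
        if s.ale <= tolerance:
            decisions.append(Decision(s.name, "accept", None, s.ale, 0.0))
            continue
        candidates = [c for c in options.get(s.name, ())
                      if residual_ale(s, c) <= tolerance]
        if not candidates:
            decisions.append(Decision(s.name, "escalate", None, s.ale, 0.0))
            continue
        best = max(candidates, key=lambda c: net_benefit(s, c))
        nb = net_benefit(s, best)
        # A control can be the only way under tolerance and still cost more than
        # it saves; that is a management decision, so flag it rather than hide it.
        action = "mitigate" if nb >= 0 else "mitigate_at_a_loss"
        decisions.append(Decision(s.name, action, best.name, residual_ale(s, best), nb))
    return decisions


# Constructed inputs (not real figures)
SCENARIOS = [
    Scenario("lost laptop with customer data", 500_000, 0.20, 2.0),   # ALE 200,000
    Scenario("web server defacement",           50_000, 0.50, 0.5),   # ALE 12,500
    Scenario("data center fire",             2_000_000, 0.80, 0.02),  # ALE 32,000
]
OPTIONS = {
    "lost laptop with customer data": [
        Control("full disk encryption", 40_000, 0.01, 2.0),    # residual ALE 10,000
        Control("remote wipe only",     15_000, 0.10, 2.0),    # residual ALE 100,000
    ],
    "data center fire": [
        Control("off-site DR capability", 60_000, 0.10, 0.02),  # residual ALE 4,000
    ],
}
TOLERANCE = 25_000  # constructed: management's annual loss tolerance per scenario

if __name__ == "__main__":
    for d in plan(SCENARIOS, OPTIONS, TOLERANCE):
        print(f"{d.scenario:32} {d.action:18} {d.control or '-':24} "
              f"residual ALE {d.residual_ale:>10,.0f}  net benefit {d.net_benefit:>10,.0f}")
```

The output is the "management's language" the slide refers to: each scenario ends as accept, mitigate (with the chosen control and its annual net benefit), mitigate at a loss (the only control that meets tolerance costs more than it saves, so management must choose between paying and raising the tolerance), or escalate (nothing on the table meets tolerance). Because every input is a number, re-running the same model next year against new ARO and cost figures is how risk management performance gets tracked, which is the quantitative method's main advantage over the qualitative one.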
Other Items to Consider
Establish a Compliance Management Program:
Configuration Management: develop standard configurations for infrastructure devices (network, hosts, etc.), data stores (databases, NAS, SAN, etc.) and applications (web servers, programming languages, protocols)
Change Management: any proposed change to your production environment should be recorded, reviewed and approved by an SME from each domain: Security, Infrastructure, Data, Application, Operations, Support
Release Management: any change that impacts, or could potentially impact, the availability of a production service should be released at scheduled intervals (weekly, monthly, quarterly, etc.)
Visual Representation: Configuration Management, Change Management and Release Management
• All systems must comply with configuration management standards
• All changes must be submitted and performed through change management
• Those changes that impact the availability of production systems or services must be bundled into a scheduled release
Q & A