Comprehensive Risk Management for a Cyber-Secure Organization. Presented by Joe Hessmiller, Director, Computer Aid, Inc.

Automation of Information (Cyber) Security by Joe Hessmiller

Dec 17, 2014


Most attention goes to physical and logical security vulnerabilities. Yes, locks and malware sandboxes are important. BUT the biggest potential risk comes from inside: from the people who can, intentionally or unintentionally, expose the organization to the greatest risks. This presentation is about automating the process that controls those risks.
Transcript
Page 1: Automation of Information (Cyber) Security by Joe Hessmiller

Comprehensive Risk Management for a Cyber-Secure Organization

Presented by

Joe Hessmiller, Director

Computer Aid, Inc.

Page 2: The Take-Away

• Security is a Process.
• All Three Information Security Control Areas (Physical, Technical and Administrative) Rely Heavily on Comprehensive Monitoring to Be Effective.
• Automation is Key to Continuously Monitoring Threat Vulnerabilities (Conditions of Failure).
• Automation is Key to Modifying Behavior by Persistently Enforcing and Reinforcing Security Practices.

Page 3: At the End of this Presentation You Will Be Able to…

• Present to Stakeholders the Need for Automated Support for Information Security ‘Ensurance’
• Present to Stakeholders an Effective Approach to Automating Information Security ‘Ensurance’

Page 4: Bad Things Happen to Good Systems

http://seekingalpha.com/article/1324971-pandemic-cyber-security-failures-open-an-historic-opportunity-for-investors

Major Violations Occur Too Frequently

Page 5: The REAL Challenge of Information Security: Preventing Human Error through Situational Awareness

“Industry has done a great job of increasing productivity and reducing costs, Habibi says, but the time has come to focus on preventing human error. He sees human reliability as the next area ripe for optimization across industry. Optimization is sorely needed here, according to Habibi, because industry has “essentially created a monster of complex information systems combining ERP, production management and real-time systems.”

A key concept of human reliability, according to Habibi, is “situation awareness.” Habibi says that situation awareness is essential to preventing errors because it addresses the physical environment (e.g., control room ergonomics, lighting, temperature, comfort, traffic, noise), organizational culture (e.g., policies and procedures, shift schedules, reporting, work ethic, motivation, training, knowledge and skills) and the human-automation relationship.”

The Human Reliability Challenge, David Greenfield, Director of Content/Editor-in-Chief, AutomationWorld, April 25, 2013, http://www.automationworld.com/safety/human-reliability-challenge

Page 6: Security is a Process

“If we've learned anything from the past couple of years, it's that computer security flaws are inevitable. Systems break, vulnerabilities are reported in the press, and still many people put their faith in the next product, or the next upgrade, or the next patch. "This time it's secure." So far, it hasn't been.

Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.”

The Process of Security, by Bruce Schneier, Information Security, April 2000

Page 7: A Complex Process

Page 8: A Complex Process Organized Into an Information Security Matrix

Information Security Matrix (figure): a grid whose columns are the Control Application Areas (the Areas of Vulnerability) and whose rows are the control Functionality (the Responses to Threats). Each control the organization operates lands in one cell.

Control Application Areas: Physical, Logical, Administrative
Functionality: Preventative, Detective, Corrective, Deterrent, Recovery, Compensating

Page 9: Useful Policies DO Exist

Standards Exist for “Mature” Policies and Procedures

http://www.pkfavantedge.com/wp-content/uploads/2013/COBIT_Security.pdf

http://cmmiinstitute.com/assets/Security-and-CMMI-SVC.pdf

Page 10: Even Specific Security Standards Exist

NIST SP 800-100 Information Security Handbook: A Guide for Managers

ISO/IEC 27002 Information Security – Code of Practice

Page 11: Checklist Resources Available

http://www.slideshare.net/ATBHATTI/audit-checklist-for-information-systems-14849697

Page 12: Automated Tools Focused on Specific Threats Exist

• FireEye: Malware Protection System (MPS)
• Microsoft: Systems Management Server (SMS) and Active Directory (AD)
• Tripwire (nCircle): IP360 and Configuration Compliance Manager
• AlienVault: Unified Security Management
• Symantec: Protection Suite Enterprise Edition (ED), NetBackup and Veritas Cluster Server (VCS)
• pfSense
• APC InfraStruxure
• VMware vSphere
• Honeywell: NOTIFIER fire alarm systems, access control systems and intrusion detection systems

“Hard” Data Sources

Page 13: But, Automation Has a Long Way to Go

Automation Possibilities in Information Security Management, 2011, http://www.sba-research.org/wp-content/uploads/publications/PID1947709.pdf

Page 14: We Need Comprehensive Monitoring and Control

Effective automation can address these challenges.

Part of the solution is consolidating information security monitoring data into a comprehensive risk management platform for analysis and reporting.

Another part of the solution is getting ALL of the important data. This includes feedback on information security conditions from the people in the process.

Then the main part becomes possible: changing behaviors BY monitoring and control.

(Figure: the Administrative, Physical and Logical Control Silos consolidated by an Automated Conditions Monitoring and Analysis System.)

Page 15: What Does Comprehensive Information Security Automation Look Like?

(Figure labels: Controls, Mechanisms; Standards, Guidelines.)

Page 16: The “Missing” Link in Information Security Automation

Incorporate:

• “Hard” Data from Automated Systems with

• Human Feedback for

• COMPREHENSIVE Information Security Assessment and

• REINFORCEMENT of Information Security Policies

(Figure: an Automated Security Control Room fed by ‘Hard’ Data From Monitoring Systems and ‘Soft’ Data From Human Assessments.)

Page 17: Comprehensive, At-a-Glance Insight Into Info Security Conditions

Page 18: Accountability = Behavior Change

• Periodic Assessment
  – Reminders of “Should Do”s
  – Validation of “Did Do”s
  – Two-way Feedback
• Situational Awareness
• Behaviors Change

“What gets measured, gets done.”
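The consolidation described on Pages 14, 16 and 18 (hard data from monitoring systems and soft data from human assessments, filed into the Page 8 matrix, rolled up into an at-a-glance view, with reminders and validations driving the periodic assessment) can be made concrete in a few dozen lines. The Python below is an added example written for this transcript; it is not code from the presentation or from Computer Aid, Inc. The control catalogue, the owners, the 30-day assessment period, the evidence sources and every event in it are constructed assumptions for illustration.

```python
"""Added example, not from the presentation: a small roll-up that files 'hard'
evidence from automated systems and 'soft' evidence from human assessments into
the Information Security Matrix (control area x control functionality) and
reports an at-a-glance status, reminders and validation notes. Every source,
control ID, owner and event below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

AREAS = ("Physical", "Logical", "Administrative")
FUNCTIONS = ("Preventative", "Detective", "Corrective",
             "Deterrent", "Recovery", "Compensating")

# Hypothetical control catalogue: control ID -> (area, functionality, owner).
CONTROLS = {
    "LOG-PREV-01": ("Logical", "Preventative", "alice"),        # host hardening baseline
    "LOG-DET-02": ("Logical", "Detective", "bob"),              # malware sandbox alerting
    "PHY-PREV-03": ("Physical", "Preventative", "carol"),       # server-room badge reader
    "ADM-PREV-04": ("Administrative", "Preventative", "dave"),  # security awareness training
}

ASSESSMENT_PERIOD = timedelta(days=30)  # assumed periodic-assessment cadence


@dataclass(frozen=True)
class Evidence:
    control: str        # control ID from CONTROLS
    kind: str           # "hard" = automated system, "soft" = human attestation
    ok: bool            # True = condition met ("did do"), False = failure
    observed: datetime  # when the condition was observed or attested
    source: str         # reporting system or person


def assess(evidence, now):
    """Return (status per control, reminders, validation notes).

    Precedence per control: any hard failure -> FAIL; hard data all OK -> PASS;
    otherwise fall back to soft data, which counts only while it is younger
    than ASSESSMENT_PERIOD (older attestations are STALE and get a reminder).
    A fresh soft 'did do' contradicted by hard data is reported back to the
    owner as a validation note (the two-way feedback loop)."""
    by_control = {}
    for e in evidence:
        by_control.setdefault(e.control, []).append(e)
    statuses, reminders, notes = {}, [], []
    for cid, (_area, _func, owner) in CONTROLS.items():
        items = by_control.get(cid, [])
        hard = [e for e in items if e.kind == "hard"]
        soft = [e for e in items if e.kind == "soft"]
        fresh_soft = [e for e in soft if now - e.observed <= ASSESSMENT_PERIOD]
        hard_failures = [e for e in hard if not e.ok]
        if hard_failures:
            status = "FAIL"
            if any(e.ok for e in fresh_soft):
                notes.append(f"{cid}: {owner} attested OK but "
                             f"{hard_failures[0].source} reports a failure")
        elif hard:
            status = "PASS"
        elif fresh_soft:
            status = "PASS" if all(e.ok for e in fresh_soft) else "FAIL"
        elif soft:
            status = "STALE"
            last = max(e.observed for e in soft)
            reminders.append(f"{cid}: remind {owner} to re-assess (last {last:%Y-%m-%d})")
        else:
            status = "UNKNOWN"
            reminders.append(f"{cid}: no evidence at all; ask {owner} for an assessment")
        statuses[cid] = status
    return statuses, reminders, notes


def matrix_view(statuses):
    """Worst status per matrix cell (area, functionality); None = no control mapped."""
    rank = {None: -1, "PASS": 0, "UNKNOWN": 1, "STALE": 2, "FAIL": 3}
    grid = {(a, f): None for a in AREAS for f in FUNCTIONS}
    for cid, status in statuses.items():
        area, func, _owner = CONTROLS[cid]
        if rank[status] > rank[grid[(area, func)]]:
            grid[(area, func)] = status
    return grid


def render(grid):
    """Plain-text 'control room' view: rows = functionality, columns = areas."""
    lines = ["{:<14}".format("") + "".join(f"{a:<16}" for a in AREAS)]
    for f in FUNCTIONS:
        lines.append(f"{f:<14}" + "".join(f"{grid[(a, f)] or '-':<16}" for a in AREAS))
    return "\n".join(lines)


# Constructed sample input for a single assessment run.
NOW = datetime(2014, 12, 17, 9, 0)
SAMPLE_EVIDENCE = [
    Evidence("LOG-PREV-01", "hard", False, NOW - timedelta(hours=2), "config-compliance-scanner"),
    Evidence("LOG-PREV-01", "soft", True, NOW - timedelta(days=3), "alice self-assessment"),
    Evidence("LOG-DET-02", "hard", True, NOW - timedelta(hours=1), "malware-sandbox"),
    Evidence("ADM-PREV-04", "soft", True, NOW - timedelta(days=45), "dave self-assessment"),
    # PHY-PREV-03 deliberately has no evidence at all.
]

if __name__ == "__main__":
    statuses, reminders, notes = assess(SAMPLE_EVIDENCE, NOW)
    print(render(matrix_view(statuses)))
    print("Reminders:", *reminders, sep="\n  ")
    print("Validation notes:", *notes, sep="\n  ")
```

The design choice worth noting is the precedence rule: hard evidence outranks soft evidence, but a fresh human “did do” that a monitoring system contradicts is surfaced back to the owner as a validation note rather than silently overruled, which is the two-way feedback the slide above asks for; attestations older than the assessment period go on the reminder list instead of counting as passes. Run with `python3` to print the matrix view, the reminders and the notes.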

Page 19: Why Automate Control Functionality

• So It Will Be Done Comprehensively
• So It Will Be Done Consistently
• So It Will Be Done Effectively
• So It Will Be Done Efficiently
• So We Will Have Comprehensive Data for Analysis
• BEHAVIOR WILL BE CHANGED