Architecting Enterprise Security

1
Architecting Enterprise Security

• Speaker
• Bruce Lobree, CISSP

2
Bruce Lobree

• Senior Security Architect Safeco
• Vice President Security Consulting
• Corporate Security Manager - Siebel Systems
• Global Security Manager Oracle
• Senior Security Engineer Wells Fargo
• Senior Security Auditor Bank of America

3
Architecting Enterprise Security

• Architecting Enterprise Security
• Performing a Gap analysis of the current security
  architecture
• Identifying the TO BE security architecture
• Implementing the solution
• The Politics of security (and how to handle them)
• The perfect security architecture (Nirvana)
• Common problems with enterprise security -
  causes, politics, organizational structure
  impact, lack of direction, lack of resources
  human etc
• Top 10 Risks with poorly designed security
• Good security auditing utilities and resources
  (could provide hyperlinks, demo of basic tools
  e.g. Microsoft Security Benchmark Analyzer...)

4
My Network
5
Performing a Gap analysis

• What is the Gap
• The difference between your perceived security
  and your real security
• How to Identify the Gap
• Workflow versus flowing work
• When Security becomes a disabler instead of an
  enabler
• Who owns the Gap
• Security or IT Operations
• How about both
• Business owner or Corporation
• Depends on your business model
• The Test of Time
• Is a whole a hole or a solid object

6
Security Architecture

• The whole model
• Viruss, hackers, Trojans and more
• Adobe, Aprelium Technol-ogies, ArGoSoft, Avaya,
  Ben Chivers, Bharat Mediratta, Brother, Cerulean
  Studios, Cisco Systems, Compaq Computer
  Corporation, D-Link, dotmarketing.org, Endity.
  com, Ensim, Fake Identd, Frederic Tyndiuk,
  FreeBSD, Google, Hewlett Packard Systems,
  Hylafax, Imatix, Inso, Inter7, IpSwitch, Jacob
  Navia, John G. Myers, LibPNG,Lucent
  Technol-ogies, Macro-media, Macro-media,
  Microsoft, Mozilla, Multiple Vendors, Niels Chr
  Rød. Denmark, NullSoft, OpenSSH, Project, Opera
  Software, ParaChat, Qual-comm, Inc., Rob Flynn,
  Rod Clark, SEH, Sun Micro-systems, Inc., Sun
  Micro-systems, Inc. / iPlanet, Symantec,
  Synthetic Reality, T. Hauck, William Deich
• Details at
• http//www.nipc.gov/cybernotes/cyber2002.htm
• Pieces of the model
• Virus protection (http//securityresponse.symantec
  .com/avcenter/vinfodb.html/)
• Hacker Protection (http//www.phreak.org/html/vuln
  erabilities.shtml)
• Monitoring
• Shareware http//packetstorm.dnsi.info/defense.htm
  l shareware
• Non shareware reviews and more http//secinf.net/
• Owners of the model
• Support Real Time
• Security Watching and past Time
• Audit Making sure we are doing it right

7
Implementing the solution

• Define the solution
• Policy
• General - Corporate
• Specific - Implementation
• Nobody cares - Reality
• Design
• Tools that fit the corporation
• Tools designed to meet a need
• Testing the design before implementation
• Implementation
• Always the same always completed per the design

8
Politics of security

• I own it versus you own it
• Security role They Prevent us from working
• Audit Role They dont know what they are doing
• Management role Lights are on, is anyone home
• Support role They are the biggest single risk
  to our company
• Employees role RISK, RISK, RISK
• Legal issues and compliancy, A reason or an
  excuse
• HIPPA - http//cms.hhs.gov/hipaa/hipaa2/default.as
  p
• GLBA - http//www.ftc.gov/privacy/glbact/
• Safeharbor - http//www.export.gov/safeharbor/
• COPPA - http//www.ftc.gov/os/1999/9910/64fr59888.
  pdf
• Patriot Act - http//www.house.gov/judiciary_democ
  rats/usapatriotsecbysec102301.pdf
• Freedom of Information Act - http//www.usdoj.gov/
  04foia/
• Etc.
• Education and Awareness and HR WHO?
• Government Sponsored special interest group
  http//www.orau.gov/se/

9
The perfect security architecture

• The Silver Bullet, The holy Grail
• Does one exist.
• Each company is different
• What works for them may not work for you.
• No vendor offers the perfect solution
• Prove it.
• No solution is complete
• Layered Systems
• A layered defense starts with you
• People are your best defense
• Policy and procedure

10
Common problems with enterprise security

• Employees not following the rules
• What incentive do they have?
• Are they signing off that they do so?
• Management afraid to enforce the rules
• Litigation
• Public Perception of the company
• Media
• Policies that are not realistic
• All information will be protected at all times
• Unreasonable expectations of security and Audit
• Is there technology that can really do that
• Did we put it in writing for a reason, what was
  the reason
• If I could only, He can, why cant I
• The competition is doing it and we want to as
  well
• I saw a great article in a newspaper about.
• If we do it, who will be held accountable if
  something bad happens

11
Top 10 Risks

• Employees
• Poor support Lack of training
• Mis-configured systems
• Mis-identified issues
• Policy enforcement
• Lack of Policy and procedure to enforce
• Wrong tools To broad in scope or to focused
• Poorly implemented monitoring
• Poorly written Code
• Employees

12
Auditing utilities and resources

• Services
• Qualys External assessment
• Foundstone External and Internal Assessment
• Vendors
• Spydynamics WebCode
• ISS Network Vulnerabilities
• Tripwire System Baseline
• General Data
• General list of auditing information
  http//www.auditnet.org/asapind.htm
• List of tools for defense and comparison
  http//www.insecure.org/tools.html
• Great place for general knowledge and tools
  http//packetstormsecurity.org/index.shtml
• Audit Requirements and other good practices
  http//rr.sans.org/audit/audit_list.php
• Data and exploits that you can try.
  http//www.cert.org/

13
Closing

• The hard questions
• Does management support you in action
• Do you record your knowledge
• Do you enforce your policies and procedures
• Defined Roles and Responsibilities
• Check, verify, validate and confirm on a regular
  basis.
• Is what you are doing in the best interest of the
  business.

14
Questions and Maybe Answers

• Bruce A Lobree
• Safeco
• Email brulob_at_safeco.com
• Voice (425) 376-4786