Architecting Enterprise Security - PowerPoint PPT Presentation

Slides: 15
Provided by: brucelob
Transcript and Presenter's Notes


1
Architecting Enterprise Security
  • Speaker
  • Bruce Lobree, CISSP

2
Bruce Lobree
  • Senior Security Architect Safeco
  • Vice President Security Consulting
  • Corporate Security Manager - Siebel Systems
  • Global Security Manager Oracle
  • Senior Security Engineer Wells Fargo
  • Senior Security Auditor Bank of America

3
Architecting Enterprise Security
  • Architecting Enterprise Security
  • Performing a Gap analysis of the current security
    architecture
  • Identifying the TO BE security architecture
  • Implementing the solution
  • The Politics of security (and how to handle them)
  • The perfect security architecture (Nirvana)
  • Common problems with enterprise security -
    causes, politics, organizational structure
    impact, lack of direction, lack of resources
    human etc
  • Top 10 Risks with poorly designed security
  • Good security auditing utilities and resources
    (could provide hyperlinks, demo of basic tools
    e.g. Microsoft Security Benchmark Analyzer...)

4
My Network
5
Performing a Gap analysis
  • What is the Gap
  • The difference between your perceived security
    and your real security
  • How to Identify the Gap
  • Workflow versus flowing work
  • When Security becomes a disabler instead of an
    enabler
  • Who owns the Gap
  • Security or IT Operations
  • How about both
  • Business owner or Corporation
  • Depends on your business model
  • The Test of Time
  • Is a whole a hole or a solid object

6
Security Architecture
  • The whole model
  • Viruses, hackers, Trojans and more
  • Adobe, Aprelium Technologies, ArGoSoft, Avaya,
    Ben Chivers, Bharat Mediratta, Brother, Cerulean
    Studios, Cisco Systems, Compaq Computer
    Corporation, D-Link, dotmarketing.org, Endity.com,
    Ensim, Fake Identd, Frederic Tyndiuk, FreeBSD,
    Google, Hewlett Packard Systems, Hylafax, Imatix,
    Inso, Inter7, IpSwitch, Jacob Navia, John G. Myers,
    LibPNG, Lucent Technologies, Macromedia, Macromedia,
    Microsoft, Mozilla, Multiple Vendors, Niels Chr
    Rød. Denmark, NullSoft, OpenSSH Project, Opera
    Software, ParaChat, Qualcomm, Inc., Rob Flynn,
    Rod Clark, SEH, Sun Microsystems, Inc., Sun
    Microsystems, Inc. / iPlanet, Symantec,
    Synthetic Reality, T. Hauck, William Deich
  • Details at
  • http://www.nipc.gov/cybernotes/cyber2002.htm
  • Pieces of the model
  • Virus protection (http://securityresponse.symantec.com/avcenter/vinfodb.html/)
  • Hacker protection (http://www.phreak.org/html/vulnerabilities.shtml)
  • Monitoring
  • Shareware: http://packetstorm.dnsi.info/defense.html
  • Non-shareware reviews and more: http://secinf.net/
  • Owners of the model
  • Support - Real time
  • Security - Watching and past time
  • Audit - Making sure we are doing it right

7
Implementing the solution
  • Define the solution
  • Policy
  • General - Corporate
  • Specific - Implementation
  • Nobody cares - Reality
  • Design
  • Tools that fit the corporation
  • Tools designed to meet a need
  • Testing the design before implementation
  • Implementation
  • Always the same always completed per the design

8
Politics of security
  • I own it versus you own it
  • Security role - They prevent us from working
  • Audit role - They don't know what they are doing
  • Management role - Lights are on, is anyone home?
  • Support role - They are the biggest single risk
    to our company
  • Employees role - RISK, RISK, RISK
  • Legal issues and compliance - A reason or an
    excuse?
  • HIPAA - http://cms.hhs.gov/hipaa/hipaa2/default.asp
  • GLBA - http://www.ftc.gov/privacy/glbact/
  • Safe Harbor - http://www.export.gov/safeharbor/
  • COPPA - http://www.ftc.gov/os/1999/9910/64fr59888.pdf
  • Patriot Act - http://www.house.gov/judiciary_democrats/usapatriotsecbysec102301.pdf
  • Freedom of Information Act - http://www.usdoj.gov/04foia/
  • Etc.
  • Education and Awareness and HR - WHO?
  • Government sponsored special interest group
    http://www.orau.gov/se/

9
The perfect security architecture
  • The Silver Bullet, The holy Grail
  • Does one exist?
  • Each company is different
  • What works for them may not work for you.
  • No vendor offers the perfect solution
  • Prove it.
  • No solution is complete
  • Layered Systems
  • A layered defense starts with you
  • People are your best defense
  • Policy and procedure

10
Common problems with enterprise security
  • Employees not following the rules
  • What incentive do they have?
  • Are they signing off that they do so?
  • Management afraid to enforce the rules
  • Litigation
  • Public Perception of the company
  • Media
  • Policies that are not realistic
  • All information will be protected at all times
  • Unreasonable expectations of security and Audit
  • Is there technology that can really do that
  • Did we put it in writing for a reason, what was
    the reason
  • If I could only, he can, why can't I
  • The competition is doing it and we want to as
    well
  • I saw a great article in a newspaper about.
  • If we do it, who will be held accountable if
    something bad happens

11
Top 10 Risks
  • Employees
  • Poor support / Lack of training
  • Mis-configured systems
  • Mis-identified issues
  • Policy enforcement
  • Lack of Policy and procedure to enforce
  • Wrong tools - Too broad in scope or too focused
  • Poorly implemented monitoring
  • Poorly written Code
  • Employees

12
Auditing utilities and resources
  • Services
  • Qualys - External assessment
  • Foundstone - External and internal assessment
  • Vendors
  • Spydynamics - Web code
  • ISS - Network vulnerabilities
  • Tripwire - System baseline
  • General Data
  • General list of auditing information
    http://www.auditnet.org/asapind.htm
  • List of tools for defense and comparison
    http://www.insecure.org/tools.html
  • Great place for general knowledge and tools
    http://packetstormsecurity.org/index.shtml
  • Audit requirements and other good practices
    http://rr.sans.org/audit/audit_list.php
  • Data and exploits that you can try.
    http://www.cert.org/
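As an added example (not from the deck or from Tripwire), this is the kind of system-baseline check the Tripwire entry above refers to, and the "check, verify, validate" habit the closing slide asks for: snapshot a file tree, then diff a later snapshot against the baseline and report what was added, removed or changed. The sample tree and its drift are constructed in a temporary directory.

```python
"""Tripwire-style file baseline check: snapshot a tree, then diff a later
snapshot against the stored baseline and report added/removed/changed files."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each regular file (relative POSIX path) to its SHA-256 and size."""
    snap = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            snap[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "size": path.stat().st_size,
            }
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots; any digest change counts."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo() -> dict:
    """Constructed sample tree: baseline it, change it, report the drift.

    The baseline is kept in memory here; a real deployment writes it to
    read-only, off-host storage so that whoever changed the files cannot
    also rebaseline them.
    """
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)
        # Simulated drift: a hardening setting flipped, a file added, one removed
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "motd").write_text("maintenance window tonight\n")
        (etc / "hosts").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```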

13
Closing
  • The hard questions
  • Does management support you in action
  • Do you record your knowledge
  • Do you enforce your policies and procedures
  • Defined Roles and Responsibilities
  • Check, verify, validate and confirm on a regular
    basis.
  • Is what you are doing in the best interest of the
    business.

14
Questions and Maybe Answers
  • Bruce A Lobree
  • Safeco
  • Email brulob_at_safeco.com
  • Voice (425) 376-4786