1 / 14

Automating Crosswalk between

Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government DSD ’ s 35 Mitigating Strategies. Ahmed Abdel-Aziz and Robert Sorensen February, 2012 SANS Technology Institute M.Sc. in Information Security Engineering. Objective.

ella
Download Presentation

Automating Crosswalk between

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SANS Technology Institute - Candidate for Master of Science Degree Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government DSD’s 35 Mitigating Strategies Ahmed Abdel-Aziz and Robert Sorensen February, 2012 SANS Technology Institute M.Sc. in Information Security Engineering

  2. Objective • Provide guidance that GIAC Enterprises can use to be in compliance with the most recognized information security frameworks… • NIST SP 800 Documents • SANS’ Consensus Audit Guidelines (CAG) • Australian Government Defence Signals Directorate’s (DSD) top 35 Strategies • …while looking for opportunities to automate controls and provide information back to management in a meaningful format.

  3. SP 800, 20 Critical Controls, and DSD’s 35 Mitigating Strategies • Federal Information Security Management Act (FISMA) – authorized by Title III of E-Government Act of 2002. • National Institute of Standards and Technology (NIST) tasked to develop, document, and implement security standards (FISMA Implementation Project) • Special Publication (SP) 800-53 • Federal Information Process Standard (FIPS) 200 • SANS’, US defense base, federal agencies, and private organizations defined most critical controls to protect information and information systems. • Consensus Audit Guidelines – 20 Critical controls • Australian Government Defence Signals Directorate • DSD’s Top 35 Mitigating Strategies

  4. SP 800, 20 Critical Controls, and DSD’s 35 Mitigating Strategies The SANS’ 20 Critical Controls are meant to reinforce and prioritize some of the most important elements of the guidelines, standards, and requirements put forth in other US government documentation, such as NIST Special Publication 800-53 . These guidelines do not conflict with such recommendations. In fact, the guidelines set forth are a proper subset of the recommendations of NIST SP 800-53, designed so that organizations can focus on a specific set of actions associated with current threats and computer attacks they face every day. The DSD’s 35 Mitigating Strategies focus on individual tasks organizations can undertake to improve their security stance. They are a focused subset of the 20 Critical Controls.

  5. APT-Focused Security Strategy Risk-Based Approach • Initially implement subset of 20 Critical Controls to address GIAC Enterprises’ highest risks first (APT-related risks) • “Offense informs defense” concept suggests that 4 controls are best geared to address APT-related risks • Controlled Access based on the Need-to-Know (Control 15) • Continuous Vulnerability Assessment and Remediation (Control 4) • Malware Defenses (Control 5) • Data Loss Prevention (DLP) (Control 17)

  6. Control Data-at-Rest Control Data-in-Motion Control Data-in-Use Automation Approach: Controls 15 & 17 (Focus on the Data) Sensitive Regulatory Data Sensitive Corporate Data • Credit card data Privacy data (PII) Health care information • Intellectual property Financial information Trade secrets

  7. + • Step 1 Identify files & set business rules • Step 3 DLP Policy is routed for approval Business Managers • Step 2 Create DLP Policy & check for feasibility • Step 4 Approved DLP policy DLP Admin End Users Policy applied across the organization Automation Approach: Controls 15 & 17 (Automating Data Classification and Policy Definition) 

  8. Automation Approach: Controls 15 & 17 (Automating the Control of Data-in-Motion) Process to Reach Automation (Data-in-Motion) DISCOVER (Data-in-Motion) EDUCATE (Data-in-Motion) ENFORCE (Data-in-Motion) Risk Across: web protocols, e-mails, IM, generic TCP/IP protocols Encryption, Blocking, etc. Users Just-in-Time ? (Monitor Only) RISK (Monitor & Educate) Understand Risk (Automate Action) Reduce Risk TIME

  9. Business Users Apply DRM Encrypt Risk Remediation Manager (RRM) Data Loss Prevention (DLP Delete / Shred Change Permissions File Activity Tools • GRC Systems Policy Exception Manage Remediation Workflow Apply Controls Discover Sensitive Data Automation Approach: Controls 15 & 17 (Automating the Control of Data-at-Rest) SharePoint Databases File Servers NAS/SAN Endpoints

  10. Automation Approach: Controls 4 & 5 • (Prevention and Mitigation of APTs/Understanding the Attack Vector)

  11. Automation Approach: Controls 4 & 5 (Risk Assessment/Continuous Monitoring) Risk Assessment Vulnerability Scanning

  12. Automation Approach: Controls 4 & 5 (Automating Continuous Vulnerability Assessment and Remediation)

  13. Automation Approach: Controls 4 & 5 • (Automating Continuous Monitoring of Malware • and Malware Callbacks) • Reducing risk of data loss through malware infections • Implement basic and necessary malware protection – HIPS, AV, AntiSpam, etc. • Train and educate users concerning social engineering tactics. • Use of advanced technology – Virtual inspection of executable malware in real-time to identify and block command and control communications.

  14. Recommended Action Plan • Conduct gap assessment to compare GIAC Enterprises’s current security stance to detailed critical controls • Implement “quick win” critical controls to address gaps • Implement controls numbers 4 & 5 using previous automation approaches • Implement controls numbers 15 & 17 using previous automation approaches • Analyze and understand how remaining controls (beyond quck wins, and controls 4, 5, 15, 17) can be deployed • Plan for deployment, over the longer term, of the “advanced controls”, giving priority to controls 4, 5, 15, 17

More Related