IT Security Operations: From Art to Science
Ian Lawden

Contents
• Context
• The Threat Landscape
• The Art of Decision Making
• Applying The Science
• Conclusion
Context
• Threats are increasing (and becoming more complex):
  • Cyber crime, politically motivated DoS
• New ‘opportunities’ for breach:
  • Off-shore services, cloud computing, Web 2.0
• IT Security Operations Managers have to make decisions that minimise impact on the business:
  • Minimise downtime, avoid restrictions, reduce costs
• Pressure on funding:
  • Need to justify investment
• Repercussions are serious:
  • Loss of system
  • Loss of funds
  • Loss of reputation
  • Loss of face, if the professionals get it wrong
Potential for Contention?
ITIL Service Management processes:
• Service Support: Incident Management, Problem Management, Change Management, Release Management, Configuration Management
• Service Delivery: Service Level Management, Capacity Management, Availability Management, Financial Management, IT Continuity Management
Where security operations and service management pull in different directions:
• Change Management: formal control versus emergency (and risky) response
• Incident Management: getting the user up and running quickly versus preservation of forensic evidence
• Service Level Management: supporting the business objective versus ‘security seen as an overhead’
• Availability Management: customer satisfaction equates to ‘up time’ versus security requiring maintenance windows
Threats
[Figure: users under attack. Electronic attack arrives from outside through several layers of defence; the internal threat sits inside those layers.]
Pillars of Vulnerability (Defence in Depth)
[Figure: defence layers drawn around six pillars.]
Pillars:
• Organisation
• Defence Capability
• User Awareness
• Supplier Performance
• Effective Risk Management
• Operational Decision Making
Supporting measures shown against the pillars:
• Training & Certification
• Internal Awareness Training (User Awareness)
• Supplier Management (Supplier Performance)
• Stakeholder Engagement
• Review, Analysis, Modelling (Operational Decision Making)
System Thinking
System 1:
• Intuitive, quick, automatic, effortless, and influenced by emotion
• Reliance on it increases when a situation is complex and a state of cognitive overload is reached
• Decisive!
System 2:
• Slower, more conscious, effortful, and logical
• Instinctively understood
• Controllable
• Follows rules
• Requires evidence!
The Analytical Model
• Problem Definition
  • Agree the problem to be modelled
• Model Construction
  • Data gathering, and interviews with key stakeholders
  • Collect the information needed to build a model of the enterprise security environment
• Model Exploration
  • “Execute” the model
  • Take measurements such as the time taken to patch or to have other mitigations in place
  • Run thousands of simulations with different parameters
  • Possible outcomes predicted through rigorous “what-if” analysis
• Decision-making
  • Understanding of the conclusions and consequences = improved decision making
Preparing and Responding: Operational Decision Making
[Figure: defence-in-depth layers between the network gateway and the desktop estate, with the slide's annotations on each layer.]
• Network Gateway: protects the full client population
• Emails to employees (awareness): up to 20 days to be received and read
• Antivirus plus buffer-overflow protection: effective for 32% of vulnerability cases
• Restriction of administrative privileges: 80% of OS or privilege-escalation exploits require admin rights
• Temporary workarounds: e.g. shutting down part of the network
• Desktop Estate
Vulnerability Timeline
[Figure: timeline of a single vulnerability, with the window of exposure running from discovery until the patch is deployed.]
• Discovery: only some groups aware, no public data yet; not measurable
• Disclosure: some public data
• Public exploit code / zero-day exploit / malware: much public data
• Patch available, then signature available (patching process begins)
• Patch deployed: window of exposure closes
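The modelling loop described on the preceding slides (build a model of the defence layers, execute it thousands of times with different parameters, compare the outcomes) can be made concrete with a small Monte Carlo simulation of the window of exposure. The following is an added example written for this page; it is not code from the talk or from the HP Labs work it draws on. The only figures taken from the slides are the 80% of exploits that require admin rights and the 32% of vulnerability cases covered by antivirus plus buffer-overflow protection; every delay distribution, the linear patch roll-out, and the share of attacks arriving on an internal vector are assumptions made here, and the `Scenario`, `Draw` and `unpatched_days` names are the example's own.

```python
"""Monte Carlo 'what-if' model of a vulnerability's window of exposure.

Added example for this page, not code from the talk or the papers it cites.
Exposure is measured in estate-days: 1.0 means the whole workstation estate
was exposed for one day.  Every scenario is scored against the same sampled
vulnerabilities (common random numbers), so differences are due to the
defence layers alone and not to sampling noise.
"""
import random
from dataclasses import dataclass

ADMIN_REQUIRED_SHARE = 0.80   # slide: 80% of OS / privilege-escalation exploits need admin rights
AV_BOP_COVERAGE = 0.32        # slide: AV + buffer-overflow protection effective for 32% of cases


@dataclass(frozen=True)
class Params:
    """Mean delays in days after public disclosure (assumed, exponentially distributed)."""
    exploit_delay: float = 10.0     # public exploit code / malware appears
    patch_delay: float = 14.0       # vendor patch available
    deploy_duration: float = 20.0   # time to roll the patch across the whole estate
    signature_delay: float = 3.0    # gateway signature available
    internal_share: float = 0.2     # assumed share of attacks on a vector the gateway never sees


@dataclass(frozen=True)
class Scenario:
    name: str
    gateway: bool = False           # network gateway signature protects the full client population
    admin_restricted: bool = False  # restriction of administrative privileges on every workstation
    av_bop: bool = False            # antivirus plus buffer-overflow protection


@dataclass(frozen=True)
class Draw:
    """One sampled vulnerability. All variates are drawn on every run, whatever the scenario."""
    exploit_t: float
    patch_t: float
    deploy_dur: float
    signature_t: float
    needs_admin: bool
    av_covered: bool
    internal: bool

    @classmethod
    def sample(cls, rng: random.Random, p: Params) -> "Draw":
        return cls(
            exploit_t=rng.expovariate(1 / p.exploit_delay),
            patch_t=rng.expovariate(1 / p.patch_delay),
            deploy_dur=max(1e-6, rng.expovariate(1 / p.deploy_duration)),
            signature_t=rng.expovariate(1 / p.signature_delay),
            needs_admin=rng.random() < ADMIN_REQUIRED_SHARE,
            av_covered=rng.random() < AV_BOP_COVERAGE,
            internal=rng.random() < p.internal_share,
        )


def unpatched_days(start: float, patch_t: float, deploy_dur: float, stop: float) -> float:
    """Integral over [start, stop] of the unpatched fraction of the estate.

    The fraction is 1 until the patch exists, then falls linearly to 0 over
    deploy_dur days (assumed roll-out shape).  Result is in estate-days.
    """
    end = patch_t + deploy_dur
    stop = min(stop, end)
    if stop <= start:
        return 0.0
    flat = max(0.0, min(stop, patch_t) - start)   # nothing patched yet: fraction is 1
    a, b = max(start, patch_t), stop              # linear roll-out segment
    if b <= a:
        return flat
    fa = 1.0 - (a - patch_t) / deploy_dur
    fb = 1.0 - (b - patch_t) / deploy_dur
    return flat + (fa + fb) / 2.0 * (b - a)       # trapezoid under the ramp


def exposure(d: Draw, s: Scenario) -> float:
    """Estate-days exposed from malware appearance until the estate is protected."""
    if s.admin_restricted and d.needs_admin:
        return 0.0                  # exploit cannot run without admin rights
    if s.av_bop and d.av_covered:
        return 0.0                  # vulnerability is in the class AV/BOP covers
    stop = float("inf")
    if s.gateway and not d.internal:
        stop = d.signature_t        # gateway signature closes the external vector for everyone
    return unpatched_days(d.exploit_t, d.patch_t, d.deploy_dur, stop)


def simulate(s: Scenario, p: Params = Params(), runs: int = 5000, seed: int = 1) -> float:
    """Mean estate-days of exposure over `runs` sampled vulnerabilities."""
    rng = random.Random(seed)
    return sum(exposure(Draw.sample(rng, p), s) for _ in range(runs)) / runs


SCENARIOS = [
    Scenario("no layers"),
    Scenario("gateway only", gateway=True),
    Scenario("admin restricted only", admin_restricted=True),
    Scenario("gateway + admin + AV/BOP", gateway=True, admin_restricted=True, av_bop=True),
]


def compare(p: Params = Params(), runs: int = 5000, seed: int = 1) -> dict:
    """'What-if' table: scenario name -> mean exposure, same samples for every scenario."""
    return {s.name: simulate(s, p, runs, seed) for s in SCENARIOS}


if __name__ == "__main__":
    for name, days in compare().items():
        print(f"{name:28s} {days:8.2f} estate-days")
```

Re-running `compare()` with a different `Params` (for example a longer `deploy_duration` to represent bundled server patching, or a larger `internal_share`) is the what-if step: the output is the expected reduction in exposure that each layer buys, measured on the same sampled vulnerabilities, rather than a feeling that a layer makes us safer.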
Risk Exposure – Gateway Protection
[Figure: risk exposure over time with gateway protection; the residual exposure is on the internal vector.]
Risk Exposure – Admin Privileges Minimised
[Figure: risk exposure over time with administrative privileges minimised, as part of defence in depth.]
DEFENCE IN DEPTH CONCLUSIONS
• A multi-layer approach can be effective in reducing risk exposure
• A defence-in-depth position is less strong than it looks:
  • If a vulnerability is not dealt with by network gateway security, it is likely that a large proportion of the infrastructure will be vulnerable if malware appears
• The threat environment should be regularly monitored
  • For changes in malware and infection rates, and for new spread vectors, for example
• Timely patching remains important
  • To ensure the population of workstations no longer contains the vulnerability
CANDIDATES FOR EVALUATION
• Server patching:
  • Exploring the trade-off between the disruption created when applying fixes to servers individually, versus bundling patches to reduce disruption but in turn increasing risk
• Identity and Access Management:
  • Provisioning and de-provisioning
• Web access:
  • Website blocking effectiveness
  • Infection risk likelihood (based on employees’ browsing habits)
• Fine-grained analytics:
  • Infection risk based on employees’ age and preferences
  • Website infection likelihood according to popularity and age
  • Amount of time employees spend on the web
Key Messages
• A more scientific and analytical approach to risk mitigation and defence posture is possible, and:
  • Allows greater understanding of the effectiveness of an organisation’s defences
  • Supports IT Security Operations Managers in focusing on the key areas for attention
• The time is right to:
  • Evidence day-to-day decisions with historical data
  • Influence future strategies and policies using more structured techniques
  • Carefully consider and challenge the rationale for simply deploying solutions that ‘make us feel better’
Further Reading & Research
• Anna Squicciarini, Sathya Dev Rajasekaran, Marco Casassa Mont. Using Modeling and Simulation to Evaluate Enterprises' Risk Exposures to Social Networks. IEEE Computer, Volume 44, Number 1, pp. 66-73, January 2011.
• Marco Casassa Mont, Yolanta Beres, David Pym, Simon Shiu. Economics of Identity and Access Management: Providing Decision Support for Investments. 5th IFIP/IEEE Workshop on Business-driven IT Management (BDIM 2010), 19 April 2010, Osaka, Japan.
• Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu. Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes. IEEE International Workshop on Security Measurements and Metrics (MetriSec 2009), 14 October 2009, Lake Buena Vista, Florida, US.
• Adrian Baldwin, Marco Casassa Mont, Simon Shiu. Using Modelling and Simulation for Policy Decision Support in Identity Management. IEEE 10th Symposium on Policies for Distributed Systems and Networks (Policy 2009), 20-22 July 2009, London.
• Yolanta Beres, Jonathan Griffin, Max Heitman, David Markle, Peter Ventura. Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Windows. Proc. of ACSAC 2008, December 2008.
• Yolanta Beres, David Pym, Simon Shiu. Decision Support for Systems Security Investment. 5th IFIP/IEEE Workshop on Business-driven IT Management (BDIM 2010), 19 April 2010, Osaka, Japan.