IT Security Operations


IT SECURITY OPERATIONS
From Art to Science
Ian Lawden
CONTENTS
- Context
- The Threat Landscape
- The Art of Decision Making
- Applying The Science
- Conclusion
CONTEXT

Threats Increasing (and more complex):
- Cyber crime, Politically Motivated DoS

New ‘Opportunities’ for breach:
- Off Shore services, Cloud Computing, Web2.0

Repercussions are serious:
- Loss of system
- Loss of funds
- Loss of reputation
- Loss of face - if the professionals get it wrong?

Pressure on funding:
- Need to justify investment

IT Security Operations Managers having to make decisions that minimise impact on business:
- Minimise Downtime, Avoid Restrictions, Reduce Costs
POTENTIAL FOR CONTENTION?

ITIL Service Management Processes (diagram):
- Service Support: Incident Management, Problem Management, Change Management, Release Management, Configuration Management
- Service Delivery: Service Level Management, Financial Management, Capacity Management, IT Continuity Management, Availability Management

Points of contention between service management and security:
- Incident Management: user up and running quickly versus preservation of Forensic Evidence
- Formal control versus emergency (and risky) response
- Capacity Management: support business objective versus ‘security seen as an overhead’
- Change Management: customer satisfaction equates to ‘up time’ versus security requires maintenance windows
THE THREAT LANDSCAPE

THREATS
- Users Under Attack
- Internal Threat

PILLARS OF VULNERABILITY / DEFENCE IN DEPTH (diagram)

Pillars:
- Organisation Defence Capability
- User Awareness
- Supplier Performance
- Effective Risk Management

Supporting activities:
- Training & Certification
- Internal Awareness Training
- Supplier Management
- Stakeholder Engagement

Foundation: Review, Analysis, Modelling -> Operational Decision Making
THE ‘ART’ OF DECISION MAKING

GUT REACTIONS ARE NOT ALWAYS RELIABLE

SYSTEM THINKING

System 1:
- Intuitive, quick, automatic, effortless, and influenced by emotion
- Reliance increases when a situation is complex and a state of cognitive overload is reached
- Decisive!

System 2:
- Slower, more conscious, effortful, and logical
- Instinctively understood, controllable, follows rules
- Requires evidence!
APPLYING THE SCIENCE

THE ANALYTICAL MODEL

Problem Definition
- Agree problem to be modelled
- Collect the information needed to build a model of the enterprise security environment

Model Construction
- Data gathering, and interviews with key stakeholders
- Take measurements such as the time taken to patch or have other mitigations in place

Model Exploration
- “Execute” the model
- Different parameters
- Run thousands of simulations
- Possible outcomes predicted through rigorous “what-if” analysis

Decision-making
- Understanding of the conclusions and consequences = improved decision making
PREPARING AND RESPONDING - OPERATIONAL DECISION MAKING

Defence in Depth - Desktop Estate (diagram; only fragments of the slide text are recoverable):
- “80% of OS or … vulnerability … cases … require admin rights”
- “Protects the 32% of received exploits … full privilege escalation”
- “Effective, e.g. shutting down part of the client network for up to 20 days … the client population”
- “Temporary workarounds”
VULNERABILITY TIMELINE

Timeline: Discovery -> Disclosure -> Zero day exploit -> Public exploit code -> Malware

Data available along the timeline: Not Measurable -> Only some groups aware – no public data yet -> Some public data -> Much public data

Defensive milestones: Signature Available; Patching Process; Patch Available; Patch Deployed

Window of Exposure (marked on the timeline, running up to Patch Deployed)
RISK EXPOSURE – TRADITIONAL

[Figure: histogram of vulnerabilities per year (0–350) against risk window in days (0–180 in steps of 20, plus “More”). Stacked layers: patching, email staff, AV. Area labelled “Exposure”.]
RISK EXPOSURE – GATEWAY PROTECTION

[Figure: histogram of vulnerabilities per year (0–350) against risk window in days (0–180 in steps of 20, plus “More”). Stacked layers: patching, email staff, AV, network gateway. Area labelled “Exposure (Internal)”.]
RISK EXPOSURE – ADMIN PRIVILEGES MINIMISED

[Figure: histogram of vulnerabilities per year (0–350) against risk window in days (0–180 in steps of 20, plus “More”). Stacked layers: patching, email staff, AV, network gateway, admin privs. Labelled “Defence in Depth”.]
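As an added example (not part of the deck), a small Monte Carlo model in the spirit of the analytical model and the three risk exposure charts: each vulnerability's risk window is the earliest day on which some defence layer covering it is in place, and the traditional, gateway and minimised-admin postures are compared. Every delay and coverage figure below is a constructed assumption, not data from the slides.

```python
import random
from statistics import mean

# Constructed parameters (assumptions for this example, not figures from the deck).
# Each control closes a vulnerability's exposure window after a delay in days drawn
# from a triangular distribution (low, high, mode), and covers only a fraction of
# vulnerabilities (e.g. "admin privs" only helps where the exploit needs admin rights).
CONTROLS = {
    "patching":        {"delay": (14, 90, 30), "coverage": 1.0},  # always applies eventually
    "email staff":     {"delay": (1, 7, 3),    "coverage": 0.3},
    "AV":              {"delay": (1, 20, 5),   "coverage": 0.6},
    "network gateway": {"delay": (0, 10, 2),   "coverage": 0.5},
    "admin privs":     {"delay": (0, 0, 0),    "coverage": 0.8},  # already in place: zero delay
}

# The three postures charted in the deck, as the set of layers switched on.
SCENARIOS = {
    "traditional":           ["patching", "email staff", "AV"],
    "gateway protection":    ["patching", "email staff", "AV", "network gateway"],
    "admin privs minimised": ["patching", "email staff", "AV", "network gateway", "admin privs"],
}

def exposure_window(rng, active):
    """Days one vulnerability stays exploitable: the earliest day on which an
    active control that happens to cover it is in place."""
    window = float("inf")
    for name in active:
        ctl = CONTROLS[name]
        if rng.random() < ctl["coverage"]:
            window = min(window, rng.triangular(*ctl["delay"]))
    return window

def simulate(scenario, n_vulns=10000, seed=2011):
    """Run n_vulns independent 'what-if' trials for one defence posture (seeded, so repeatable)."""
    rng = random.Random(seed)
    return [exposure_window(rng, SCENARIOS[scenario]) for _ in range(n_vulns)]

def histogram(windows, bin_days=20, max_days=180):
    """Bucket windows into the chart's bins: 0-20, 20-40, ..., 160-180, 'More'."""
    counts = [0] * (max_days // bin_days + 1)
    for w in windows:
        counts[min(int(w // bin_days), len(counts) - 1)] += 1
    return counts

if __name__ == "__main__":
    for name in SCENARIOS:
        w = simulate(name)
        print(f"{name:22s} mean window {mean(w):5.1f} days  histogram {histogram(w)}")
```

Changing a delay or coverage value and re-running is the "different parameters" step of the model exploration; the histogram is what the deck's charts plot.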
DEFENCE IN DEPTH CONCLUSIONS

- A multi-layer approach can be effective to reduce risk exposure
- A defence-in-depth position is less strong if a vulnerability is not dealt with by network gateway security; it is likely a large proportion of the infrastructure will be vulnerable if malware appears
- The threat environment should be regularly monitored, for changes in malware and infection rates and for new spread vectors, for example
- Timely patching remains important to ensure the population of workstations no longer contains the vulnerability
CANDIDATES FOR EVALUATION

Server Patching:
- Exploring the trade-off between disruption created when applying fixes to servers, versus bundling patches to reduce disruption but in turn increasing risk

Identity and Access Management:
- Provisioning and De-provisioning

Web Access:
- Website blocking effectiveness
- Infection risk likelihood (based on employees' browsing habits)
- Fine-grained analytics:
  - Infection risk based on employees' age + preferences
  - Website infection likelihood according to popularity/age
  - Amount of time employees spent on the web
CONCLUSION

KEY MESSAGES

A more scientific and analytical approach to risk mitigation and defence posture is possible and:
- Allows greater understanding of the effectiveness of an organisation’s defences
- Supports IT Security Operations Managers in focusing on key areas for attention

The time is right to:
- Evidence day to day decisions with historical data
- Influence future strategies and policies using more structured techniques
- Carefully consider and challenge rationale for simply deploying solutions that ‘make us feel better’
Further Reading & Research

- Anna Squicciarini, Sathya Dev Rajasekaran, Marco Casassa Mont, “Using Modeling and Simulation to Evaluate Enterprises' Risk Exposures to Social Networks”, IEEE Computer Magazine, Volume 44, Number 1, pp. 66-73, January 2011.
- Marco Casassa Mont, Yolanta Beres, David Pym, Simon Shiu, “Economics of Identity and Access Management: Providing Decision Support for Investments”, 5th IFIP/IEEE Workshop on Business-driven IT Management (BDIM 2010), 19 April 2010, Osaka, Japan.
- Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu, “Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes”, IEEE International Workshop on Security Measurements and Metrics (MetriSec 2009), 14 October 2009, Lake Buena Vista, Florida, US.
- Adrian Baldwin, Marco Casassa Mont, Simon Shiu, “Using Modelling and Simulation for Policy Decision Support in Identity Management”, IEEE 10th Symposium on Policies for Distributed Systems and Networks (IEEE Policy 2009), 20-22 July 2009, London.
- Yolanta Beres, Jonathan Griffin, Max Heitman, David Markle, Peter Ventura, “Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Windows”, Proc. of 2008 ACSAC, December 2008.
- Yolanta Beres, David Pym, Simon Shiu, “Decision Support for Systems Security Investment”, 5th IFIP/IEEE Workshop on Business-driven IT Management (BDIM 2010), 19 April 2010, Osaka, Japan.