How Do You Secure An Environment Without a Perimeter?

How Do You Secure An

Environment Without a

Perimeter?

Using Emerging Technology Processes to Support

InfoSec Efforts in an Agile Data Center

About  the  Presenters  

CHARLA GRIFFY-BROWN

Professor, Information Systems and Tech Mgt Director, Center for Teaching & Learning

Excellence

Graziadio School of Business and Management, Pepperdine University, USA

DEMETRIOS LAZARIKOS (LAZ)

CISA, CISM, CRISC, CSSLP, MBA, MCIS IT Security Strategist and Two Time Former CISO

Blue Lava Consulting

MARK CHUN

Associate Professor,

Information Systems & Technology Management, Graziadio School of Business and Management,

Agenda  

•  Results and Methodology

•  InfoSec Maturity Model

•  Evolution – How Did We Get Here?

•  What Organizations Are Doing to Prepare

for “The Catastrophic Event”

•  Resources

Quan3ta3ve  Methodology  

• 

Visited  27  ci3es  throughout  the  world  

• 

Mee3ngs  with  204  individuals  in  mul3ple  ver3cals  

• 

Total  of  80  organiza3ons  

• 

Board  of  Directors  and  Execu3ve  Leadership  Teams  

• 

Industry  Prac33oners  and  Engineers  

• 

Top  Items  Emerged  

– 

The  InfoSec  Maturity  Model  

– 

How  the  perimeter  doesn’t  exist  anymore  

– 

Internet  of  Things  (IoT)  

Results  

• 

The  InfoSec  security  model  developed  describes  the  companies  examined  

but  only  a  small  percent  are  taking  a  risk-­‐based  approach  and  are  

therefore  3ed  to  a  world  with  corporate  “perimeters”  

• 

Current  architecture  in  most  firms  is  a  “hot  mess”  lacking  any  perimeter  

BY  DESIGN  

• 

Cybercriminals  bypass  tradi3onal  security  systems  easily  

• 

Firms  need  a  way  to  put  together  processes  and  tools  for  coordina3on  and  

alignment  to  business  to  support  hyper  growth  of  emerging  technologies  

and  agile  environments  

• 

Using  the  InfoSec  security  model  approaches  and  tools  were  iden3fied  

and  discussed  

InfoSec  Maturity  Model  

Reac%ve  

Proac%ve  

Blocking  &  

Tackling  

Compliance  

Driven  

Risk-­‐Based  

Approach  

• 

Lack  of  Execu3ve  

support  

• 

Underfunded  

• 

Understaffed  

• 

Lack  of  metrics  for  

repor3ng  

• 

Set  up  for  failure  

• 

Control-­‐based  

security  approach  

• 

Align  to  mandatory  

regula3ons  

• 

ISO  2700x  

• 

FFIEC  

• 

PCI  

• 

HIPAA  

• 

EU/PII  Data  

protec3on  

• 

NCUA  

• 

Mul3-­‐layered  

security  and  risk-­‐

based  approach  

• 

Using  behavior  

analy3cs  

• 

Linking  events  across  

mul3ple  disciplines  

• 

Using  dynamic  

InfoSec  and  IT  Audit  

controls  in  the  

environment*  

Results  

17  

156  

31  

Source:    Blue  Lava  Consul3ng  

17  

156  

31  

0  

20  

40  

60  

80  

100  

120  

140  

160  

Blocking/Tackling  

Compliance  Driven  

Risk-­‐Based  Approach  

17  

144  

43  

How  Did  We  Get  Here?  

Web  

Apps  

DBs  

Tr

affi

c  

N  

S  

No  Visibility  to  

Internal  Traffic  

App  

DB  

Web  

IoT  

-­‐  Third  Par3es  

-­‐  Cloud  

Limited  Visibility  

Evolu3on  –  The  Agile  Data  Center    

No  Visibility  to  

Internal  Traffic  

No  Visibility  to  

Internal  Traffic  

Web  

IoT  

App  

DB  

-­‐  Third  Par3es  

-­‐  Cloud  

Limited  Visibility  

Web  

IoT  

App  

DB  

East-­‐West  Traffic  

East-­‐West  Traffic  

No  Visibility  to  

Internal  Traffic  

Third  Party  Vendor  

Limited  Visibility  

No  Visibility  to  

Internal  Traffic  

Gartner  es)mates  that  East-­‐West  traffic    

will  increase  by  80%  through  2016  

Ignored  

AppSec  Vulns  

-­‐  Third  Par3es  

_{-­‐  Cloud}  

Limited  Visibility  

Evolu3on  –  The  Agile  Data  Center    

Web  

IoT  

App  

DB  

East/West  Traffic  

East/West  Traffic  

No  Visibility  to  

Internal  Traffic  

Limited  Visibility  

No  Visibility  to  

Internal  Traffic  

-­‐  Third  Par3es  

-­‐  Cloud  

Limited  Visibility  

Ignored  

AppSec  Vulns  

Third  Party  Vendor  

What  Organiza3ons  Are  Doing  

•

Board  of  Directors  and  Execu3ves  are  more  involved  with  Informa3on  

Security  and  IT  Audit  –  budgets  are  approved  faster  

•

Embracing  mul3ple  InfoSec  and  monitoring  solu3ons  for  Internet  of  

Things  (IoT)  

•

Moving  towards  agile  frameworks  with  exit  criteria  embedded  through  

the  idea,  development,  and  support  processes  

•

Inves3ng  in  Big  Data  and  User  Behavior  Analy3cs  (UBA)  solu3ons  

•

Evalua3ng  cyber  liability  insurance    

There  is  no  silver-­‐bullet  to  solving  these  complex  issues  

Aligning  Informa3on  Security  with  the  

Business  and  PMO  

Idea  

• What  data  will  this  applica3on  store,  process,  or  transmit?  

• Is  this  a  mobile  or  Internet-­‐facing  applica3on?  

Dev  

• Security  framework  and  standards  review  

• Peer  review  /  source  code  review*  

Test  

• Internal  scans  24x7x365  (network,  OS,  and  applica3on)*  

Prod  

• External  scans  24x7x365  (network,  OS,  and  applica3on)*  

Maint  

• What  new  func3onality  will  be  supported?  

Dashboards  and  Repor3ng  

Build  rela3onships  with  internal  stakeholders  to  achieve  these  goals  

•

Create  an  inventory  of  issues  and  solu3ons  within  your  

environment  

•

Iden3fy  the  risks,  gaps,  observa3ons,  and  what  you  need  to  

be  successful  with  your  program  

•

Generate  reports  in  terms  the  business  understands    

Threat Vector Problem Statement Tools Implemented Current Observations, Risks, and Gaps Application

Security

Web application vulnerabilities lead to significant issues when P1s aren’t

resolved with current SLAs.

1.  Training  for  developers  (internal  and  third  par3es)   2.  External  and  internal  scans  24x7x365  (WhiteHat)   3.  Penetra3on  tes3ng  (3rd  _{party  quarterly  tests)}  

4.  Source  code  analysis  (WhiteHat  SCA)   5.  Behavior  analy3cs  (RSA  and  Shape  Security)   6.  WAF  (Integrate  with  WhiteHat  rules)  

1.  There  is  14%  aEri%on  with  the  developers.  

2.  P1  appsec  vulns  are  increasing  by  12%  a  week.  

3.  Integrate  WhiteHat  vulns  with  the  WAF  for   automa%on.  

Network/OS/ Systems

PCI 3.0 states that virtualized environments are in scope.

The company needs to meet agile business requirements. The company needs to detect laterally moving traffic between the data centers,

zones, supporting networks, and cloud integration.

1.  Elas3city  and  agility  to  spin  up/down  environments   (vArmour)  

2.  Network  and  OS  scanner  (Nessus)  

3.  PCI  3.0  management  of  physical  and  virtualized   environments  (vArmour)  

4.  File  integrity  monitoring  (OSSEC  agents)   5.  Monitoring  internal  (east/west)  malicious  traffic  

(vArmour)  

1.  PCI  3.0  states  that  all  virtualized  environments   that  store,  process,  and  transmit  cardholder   data  are  in  scope.  

2.  vArmour  allows  you  to  manage  both  physical   and  virtual  PCI  environments  under  one   policy  and  one  enterprise  soQware  solu%on.  

3.  OSSEC  agents  are  not  being  used  and   configured  properly.  

Innovation

Automobiles Bitcoin

Cloud (third party integration) IoT (eg. Wearables, Appliances, HVAC,

Garage Doors) Virtualization

1.  Partner  with  manufacturers  –  insert  InfoSec  legal   requirements  into  contract  agreements  

2.  Applica3on  scanning  24x7x365  (WhiteHat)   3.  Cloud  integra3on  (vArmour)  

4.  IoT  (WhiteHat  and  vArmour)  

5.  Physical  and  virtualized  management  (vArmour)  

1.  System  of  systems*  will  be  in  scope  for  PCI,   HIPAA,  GLBA,  PII,  Privacy,  EU  Data  Protec%on.   Emerging

Threats (Internal)

The company needs a ways to identify, monitor, and combat emerging threats

once cyber criminals break the perimeter. 1.  Monitoring  ‘east  /  west  traffic’  (vArmour)  

1.  Internal  traffic  anomalies  are  increasing  by   15%  per  month.    Anomalous  traffic  paEerns   are  moving  between  Zone  X  and  Y  and  four   data  centers  at  2:21am  daily.  

External Mobile Security Applications

Mobile device usage is increasing by 54% year over year. 15 mobile applications

are being developed by external teams

that are out of corporate compliance and do not meet mandatory industry

regulations.

1.  Behavior  analy3cs  sooware  (RSA)   2.  Monitoring  mobile  app  stores  (Risk  I/Q)   3.  WhiteHat  source  code  analysis  (SCA)   4.  Cyber  threat  research  (FOX-­‐IT)  

1.  Mobile  source  code  being  developed  by  third   party  organiza3ons  is  not  compliant  with   corporate  InfoSec  policies  and  industry   regula3ons.  

Mobile Security

Threat Vector Problem Statement Tools Implemented Current Observations, Risks, and Gaps Application

Security

Web application vulnerabilities lead to significant issues when P1s aren’t

resolved with current SLAs.

1.  Training  for  developers  (internal  and  third  par3es)   2.  External  and  internal  scans  24x7x365  (WhiteHat)   3.  Penetra3on  tes3ng  (3rd  _{party  quarterly  tests)}  

4.  Source  code  analysis  (WhiteHat  SCA)   5.  Behavior  analy3cs  (RSA  and  Shape  Security)   6.  WAF  (Integrate  with  WhiteHat  rules)  

1.  There  is  14%  aEri%on  with  the  developers.  

2.  P1  appsec  vulns  are  increasing  by  12%  a  week.  

3.  Integrate  WhiteHat  vulns  with  the  WAF  for   automa%on.  

Innovation

Automobiles Bitcoin

Cloud (third party integration) IoT (eg. Wearables, Appliances, HVAC,

Garage Doors) Virtualization

1.  Partner  with  manufacturers  –  insert  InfoSec  legal   requirements  into  contract  agreements  

2.  Applica3on  scanning  24x7x365  (WhiteHat)   3.  Cloud  integra3on  (vArmour)  

4.  IoT  (WhiteHat  and  vArmour)  

5.  Physical  and  virtualized  management  (vArmour)  

1.  System  of  systems*  will  be  in  scope  for  PCI,   HIPAA,  GLBA,  PII,  Privacy,  EU  Data  Protec%on.   Emerging

Threats (Internal)

The company needs a ways to identify, monitor, and combat emerging threats

once cyber criminals break the perimeter. 1.  Monitoring  ‘east  /  west  traffic’  (vArmour)  

1.  Internal  traffic  anomalies  are  increasing  by   15%  per  month.    Anomalous  traffic  paEerns   are  moving  between  Zone  X  and  Y  and  four   data  centers  at  2:21am  daily.  

External Mobile Security Applications

Mobile device usage is increasing by 54% year over year. 15 mobile applications

are being developed by external teams

that are out of corporate compliance and do not meet mandatory industry

regulations.

1.  Behavior  analy3cs  sooware  (RSA)   2.  Monitoring  mobile  app  stores  (Risk  I/Q)   3.  WhiteHat  source  code  analysis  (SCA)   4.  Cyber  threat  research  (FOX-­‐IT)  

1.  Mobile  source  code  being  developed  by  third   party  organiza3ons  is  not  compliant  with   corporate  InfoSec  policies  and  industry   regula3ons.  

Mobile Security

(Internal/BYOD) The company needs to support the BYOD policy. 1.  Access  controls  (LDAP/AD)  2.  MDM  (Good  Technology)   1.  Need  to  determine  how  the  MDM  solu3on  will  scale  over  the  next  12  months.  

Source:    Blue  Lava  Consul3ng  

Threat Vector Problem Statement Tools Implemented Current Observations, Risks, and Gaps Application

Security

Web application vulnerabilities lead to significant issues when P1s aren’t

resolved with current SLAs.

1.  Training  for  developers  (internal  and  third  par3es)   2.  External  and  internal  scans  24x7x365  (WhiteHat)   3.  Penetra3on  tes3ng  (3rd  _{party  quarterly  tests)}  

4.  Source  code  analysis  (WhiteHat  SCA)   5.  Behavior  analy3cs  (RSA  and  Shape  Security)   6.  WAF  (Integrate  with  WhiteHat  rules)  

1.  There  is  14%  aEri%on  with  the  developers.  

2.  P1  appsec  vulns  are  increasing  by  12%  a  week.  

3.  Integrate  WhiteHat  vulns  with  the  WAF  for   automa%on.  

Innovation

Automobiles Bitcoin

Cloud (third party integration) IoT (eg. Wearables, Appliances, HVAC,

Garage Doors) Virtualization

1.  Partner  with  manufacturers  –  insert  InfoSec  legal   requirements  into  contract  agreements  

2.  Applica3on  scanning  24x7x365  (WhiteHat)   3.  Cloud  integra3on  (vArmour)  

4.  IoT  (WhiteHat  and  vArmour)  

5.  Physical  and  virtualized  management  (vArmour)  

1.  System  of  systems*  will  be  in  scope  for  PCI,   HIPAA,  GLBA,  PII,  Privacy,  EU  Data  Protec%on.  

Network/OS/ Systems

PCI 3.0 states that virtualized environments are in scope.

The company needs to meet agile business requirements. The company needs to detect laterally moving traffic between the data centers,

zones, supporting networks, and cloud integration.

1.  Elas3city  and  agility  to  spin  up/down  environments   (vArmour)  

2.  Network  and  OS  scanner  (Nessus)  

3.  PCI  3.0  management  of  physical  and  virtualized   environments  (vArmour)  

4.  File  integrity  monitoring  (OSSEC  agents)   5.  Monitoring  internal  (east/west)  malicious  traffic  

(vArmour)  

1.  PCI  3.0  states  that  all  virtualized  environments   that  store,  process,  and  transmit  cardholder   data  are  in  scope.  

2.  vArmour  allows  you  to  manage  both  physical   and  virtual  PCI  environments  under  one   policy  and  one  enterprise  soQware  solu%on.  

3.  OSSEC  agents  are  not  being  used  and   configured  properly.  

Emerging Threats (Internal)

The company needs a ways to identify, monitor, and combat emerging threats

once cyber criminals break the perimeter. 1.  Monitoring  ‘east  /  west  traffic’  (vArmour)  

1.  Internal  traffic  anomalies  are  increasing  by   15%  per  month.    Anomalous  traffic  paEerns   are  moving  between  Zone  X  and  Y  and  four   data  centers  at  2:21am  daily.  

External Mobile Security Applications

Mobile device usage is increasing by 54% year over year. 15 mobile applications

are being developed by external teams

that are out of corporate compliance and do not meet mandatory industry

regulations.

1.  Behavior  analy3cs  sooware  (RSA)   2.  Monitoring  mobile  app  stores  (Risk  I/Q)   3.  WhiteHat  source  code  analysis  (SCA)   4.  Cyber  threat  research  (FOX-­‐IT)  

1.  Mobile  source  code  being  developed  by  third   party  organiza3ons  is  not  compliant  with   corporate  InfoSec  policies  and  industry   regula3ons.  

Mobile Security

Addressing  the  Issues  

Web  

IoT  

App  

DB  

East/West  Traffic  

East/West  Traffic  

Complete  

Visibility  

Complete  

Visibility  

Complete  

Visibility  

Third  Party  Vendor  

Gartner  es)mates  that  East-­‐West  traffic    

will  increase  by  80%  through  2016  

WAF  

• 

CMM  

• 

COBIT  

• 

CVSS  

• 

Home  Grown  

• 

ISO  

Risk  Frameworks  

• 

NIST  

• 

OCTAVE  

• 

RiskCalibrator  

• 

RiskIT  

• 

TARA  

Cri3cal  Risk  

Low  Risk  

High  Risk  

Repor3ng  in  Business  Terms  

Source:    CXOWare,  WhiteHat  Security,  and  Blue  Lava  Consul3ng    

Where  Do  We  Go  from  Here  

•

Informa3on  Security  must  be  part  of  the  culture  –  driven  by  the  

Board  of  Directors  and  Execu3ves  throughout  the  organiza3on  

•

Cyber  criminals  are  evolving  –  we  must  as  well  

•

It’s  not  if  the  cyber  criminal  will  access  your  environment  –  it’s  

when  –  invest  in  current  technologies  and  have  a  plan  to  address  

the  issue  

•

User  behavior  analy3cs  (UBA)  is  cri3cal  

•

Evaluate  your  InfoSec  and  IT  Audit  programs  frequently  –  ensure  

part  of  the  program  is  to  evaluate  emerging  technology  

•

Be  flexible  –  introduce  dynamic  InfoSec  and  IT  Audit  controls  in  the  

Resources  –  Con3nued  

•

WhiteHat  Security  

WhiteHat  Security  Blog:    

hrps://blog.whitehatsec.com

Website  Security  for  Dummies:  

hrps://info.whitehatsec.com/Cont-­‐Synd-­‐ISACA-­‐Website-­‐Security-­‐

Dummies-­‐LP.html

Securing  the  SDLC  for  Dummies:  

hrps://info.whitehatsec.com/Cont-­‐Synd-­‐ISACA-­‐SDLC-­‐Dummies-­‐LP.html

•

ISACA  

COBIT  5  Framework  

hrp://www.isaca.org/cobit/pages/default.aspx?cid=1003566&appeal=pr

•

vArmour  

www.varmour.com

•

Verizon  

2014  Data  Breach  Inves3ga3ons  Report

•

Andy  Hoernecke,  Applica3on  Security,  Data  Visualiza3on  Expert,  and  Inventor  of  D3Dash  

www.d3dash.com

•

Avivah  Litan,  VP  and  Dis3nguished  Analyst,  Gartner  

Market  Guide  for  User  Behavior  Analy3cs  (UBA),  G00260457,  August  2014  

•

How  to  Measure  Anything,  Douglas  W.  Hubbard  

ISBN-­‐13:  978-­‐0470539392  

•

Iron-­‐Clad  Java:  Building  Secure  Web  Applica3ons,  Jim  Manico  and  August  Detlefsen  

ISBN-­‐13:  978-­‐0071835886  

•

Measuring  and  Managing  Informa3on  Risk:    A  FAIR  Approach,  by  Jack  Freund  and  Jack  Jones  

ISBN-­‐13:  978-­‐0124202313  

•

Perceptual  Edge  

www.perceptualedge.com

•

Security  Metrics:  Replacing  Fear,  Uncertainty,  and  Doubt  ,  Andrew  Jaquith  

ISBN-­‐13:  978-­‐0321349989