Applying the CIS Critical Security Controls to the Cloud

Presentation transcript:

Applying the CIS Critical Security Controls to the Cloud. Bart Westerink, April 26, 2016

Agenda
- Migration to the cloud
- Overview of the top 20 security controls
- Adapting the controls to the cloud
- Leverage the controls to build a highly secure cloud infrastructure

Primary Motivation for Deploying Public Cloud IaaS (chart; source: Gartner)

Shared Responsibility of Security

Traditional Security Perimeter
- Network segmentation
- Strict change controls
- Slower rate of change
- Dedicated security hardware

Securing the Cloud
- Shared responsibility
- No natural perimeter
- No network segmentation
- Elastic and on-demand
- No dedicated security hardware

What are the Top 20 Critical Controls?
A prioritized, risk-based approach to cybersecurity. In 2008, the NSA led a consortium of security professionals from government and experts from private industry, who were asked: "In practice, what works and where do you start?" The Critical Controls have become a blueprint to help CISOs deploy the controls that have the greatest impact in improving risk posture. Organizations should focus on securing the business first, and on documenting the process to show compliance second.

Five Critical Tenets used to develop the Controls
- Offense informs defense
- Prioritization
- Metrics
- Continuous monitoring
- Automation

Five Critical Tenets #1 - Offense informs Defense
- Intelligence agencies have performed thousands of investigations
- Controls are derived from the most common attack patterns
All Rights Reserved - CloudPassage

Five Critical Tenets #2 - Prioritization
- Some controls have greater impact on security risk than others
- Should I focus on configuration monitoring or awareness training?

Five Critical Tenets #3 - Metrics
- How many servers are out of compliance with policy?
- What percentage of my servers have critical vulnerabilities?

Five Critical Tenets #4 - Continuous Monitoring
- Understand the state of systems at any given time
- Critical for rapid response
- A continuous feedback loop to validate your security controls is essential

Five Critical Tenets #5 - Automation
- Security teams need to find ways to do more with less
- Managing workloads in elastic cloud environments requires automation

The Top 20 Critical Controls...

#1 Inventory of Authorized and Unauthorized Devices (Family: System)
CSC1-1: Deploy an automated asset discovery tool. Employ both active and passive tools.
CSC1-4: Record network address, system name, purpose and asset owner.
CSC1-5: Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. Must be tied to inventory.
Cloud notes:
- In the public cloud, use host-based firewalls to keep unauthorized or unmanaged systems off your network
- Ephemeral resources are still in scope for auditor inspection

#2 Inventory of Authorized and Unauthorized Software (Family: System)
CSC2-1: Devise a list of authorized software and use file integrity checking to validate that the software has not been modified.
CSC2-2: Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system.
CSC2-3: Deploy a software inventory tool. Track OS, applications, version info, patch levels.
CSC2-4: Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk... location.
Cloud notes:
- Maintaining a real-time inventory of software enables rapid response
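Controls #1 and #2 both reduce to the same operation: reconcile what discovery tooling actually finds against what the inventory says is allowed. The following script is an added example, not code from the presentation or from CIS; every host, address, owner and package version in it is constructed sample data, and the record fields it requires are the four CSC1-4 fields named above.

```python
# Added example (not from the presentation): reconciling discovery results against the
# authorized device inventory (CSC1-1, CSC1-4) and the authorized-software list
# (CSC2-1, CSC2-3). All hosts, addresses, owners and versions are constructed sample data.

REQUIRED_FIELDS = ("address", "name", "purpose", "owner")  # the CSC1-4 record fields

# Constructed authorized device inventory.
AUTHORIZED_DEVICES = [
    {"address": "10.0.1.10", "name": "web-01", "purpose": "public web tier", "owner": "platform-team"},
    {"address": "10.0.1.11", "name": "web-02", "purpose": "public web tier", "owner": "platform-team"},
    {"address": "10.0.2.20", "name": "db-01", "purpose": "", "owner": "dba-team"},  # purpose missing
]

# Constructed authorized-software list: package -> approved versions.
AUTHORIZED_SOFTWARE = {
    "nginx": {"1.18.0", "1.20.1"},
    "openssh-server": {"8.2p1"},
    "postgresql": {"12.7"},
}

# Constructed discovery output, as an active scan plus a passive listener might report it,
# together with the package inventory each host agent returned.
DISCOVERED = [
    {"address": "10.0.1.10", "software": {"nginx": "1.20.1", "openssh-server": "8.2p1"}},
    {"address": "10.0.1.11", "software": {"nginx": "1.19.0", "openssh-server": "8.2p1"}},
    {"address": "10.0.2.20", "software": {"postgresql": "12.7", "openssh-server": "8.2p1"}},
    {"address": "10.0.3.77", "software": {"netcat": "1.10"}},
]


def reconcile_devices(authorized, discovered):
    """Compare what discovery saw with what the inventory permits.

    Returns (unauthorized, unseen, incomplete):
      unauthorized - addresses seen on the network that are not in the inventory
      unseen       - inventory entries discovery did not find (stale records or down hosts)
      incomplete   - inventory entries missing one of the CSC1-4 fields
    """
    known = {rec["address"] for rec in authorized}
    seen = {host["address"] for host in discovered}
    incomplete = sorted(rec["name"] for rec in authorized
                        if any(not rec.get(field) for field in REQUIRED_FIELDS))
    return sorted(seen - known), sorted(known - seen), incomplete


def reconcile_software(authorized_software, discovered):
    """Return (address, package, version) triples that are not on the whitelist."""
    findings = []
    for host in discovered:
        for package, version in sorted(host["software"].items()):
            if version not in authorized_software.get(package, set()):
                findings.append((host["address"], package, version))
    return findings


def report():
    """One reconciliation pass over the constructed data; the keys are the CSC1/CSC2 metrics."""
    unauthorized, unseen, incomplete = reconcile_devices(AUTHORIZED_DEVICES, DISCOVERED)
    return {
        "unauthorized_devices": unauthorized,
        "unseen_devices": unseen,
        "incomplete_records": incomplete,
        "unauthorized_software": reconcile_software(AUTHORIZED_SOFTWARE, DISCOVERED),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

An unseen-but-inventoried host is reported as well as an unknown one: in an elastic environment the inventory drifts in both directions, and a stale record is what an auditor will ask about when inspecting ephemeral resources.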

#3 Secure Configurations for Hardware and Software (Family: System)
CSC3-4: Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels.
CSC3-5: Utilize file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered.
CSC3-6: Implement and test an automated configuration monitoring system. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system.
Cloud notes:
- Developing initial configuration settings is a complex task, and systems must be continually managed to avoid security "decay"
- In the cloud, control costs using lightweight security solutions which provide breadth
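CSC3-5 and CSC3-6 are both baseline-and-compare checks: hash the critical files once, snapshot the listening ports, administrative users and services once, then diff each new snapshot against that baseline. The script below is an added example and not code from the presentation or from any product; the file contents, port numbers, user and service names are constructed, and it collects nothing from the running host (a real agent would feed `fingerprint_files` and `diff_config` from the filesystem, the socket table and the service manager).

```python
# Added example (not from the presentation): file-integrity baseline (CSC3-5) and
# configuration-drift detection (CSC3-6). All inputs below are constructed sample data.
import hashlib
import os
import tempfile

CONFIG_KEYS = ("listening_ports", "admin_users", "services")  # the CSC3-6 drift categories


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint_files(paths):
    """CSC3-5 baseline: path -> SHA-256 hex digest, or None for a file that is absent."""
    return {p: (sha256_file(p) if os.path.exists(p) else None) for p in paths}


def diff_files(baseline, current):
    """Paths whose hash differs from the baseline (modified, removed or newly created)."""
    return sorted(p for p in baseline if baseline[p] != current.get(p))


def diff_config(baseline, current):
    """CSC3-6: everything present now that the baseline did not have, per category."""
    findings = []
    for key in CONFIG_KEYS:
        added = set(current.get(key, ())) - set(baseline.get(key, ()))
        findings.extend((key, item) for item in sorted(added))
    return findings


def demo():
    """Constructed scenario: baseline two files, tamper with one, and take a second snapshot."""
    with tempfile.TemporaryDirectory() as workdir:
        sshd = os.path.join(workdir, "sshd_config")
        sudoers = os.path.join(workdir, "sudoers")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        with open(sudoers, "w") as f:
            f.write("root ALL=(ALL) ALL\n")
        baseline = fingerprint_files([sshd, sudoers])
        with open(sshd, "a") as f:  # simulated unauthorized edit after the baseline was taken
            f.write("PermitRootLogin yes\n")
        changed = [os.path.basename(p) for p in diff_files(baseline, fingerprint_files([sshd, sudoers]))]

    # Constructed configuration snapshots: what an agent would collect from the socket table,
    # the sudo/wheel group membership and the service manager, before and after a change.
    baseline_cfg = {"listening_ports": [22, 443], "admin_users": ["root"], "services": ["nginx", "sshd"]}
    current_cfg = {"listening_ports": [22, 443, 8888], "admin_users": ["root", "svc_tmp"],
                   "services": ["nginx", "sshd"]}
    return changed, diff_config(baseline_cfg, current_cfg)


if __name__ == "__main__":
    files, drift = demo()
    print("changed files:", files)
    print("configuration drift:", drift)
```

Only additions are reported by `diff_config` because that is what CSC3-6 enumerates (new ports, new admins, new services); a removed service or closed port is usually a change-control question rather than an alert, and can be added as a second pass if the policy wants it.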

#4 Continuous Vulnerability Assessments and Remediation (Family: System)
CSC4-1: Run automated vulnerability scanning tools against all systems on the network on a weekly (or more frequent) basis.
CSC4-5: Deploy automated patch management tools and software update tools for operating system and software/applications on all systems.
CSC4-6: Monitor logs for unapproved scanning activity.
CSC4-8: Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability.
Cloud notes:
- Continuous monitoring of vulnerabilities enables rapid response
- Host-based scanners provide great visibility, efficiency and speed

#5 Controlled Use of Administrative Privileges (Family: System)
CSC5-1: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
CSC5-3: Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.
CSC5-4: Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.
Cloud notes:
- Closely monitor the creation of privileged accounts
- Use multifactor authentication to protect administrative accounts
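CSC5-4 is a detection rule over the authentication log. As an added example (not from the presentation), the script below applies that rule to a Linux host: it matches the messages that useradd, usermod and gpasswd write, and raises an alert when a new UID-0 account appears or when an account enters or leaves a group that grants administrative rights. The log lines and the administrative-group list are constructed for the example; the group list in particular is an assumption that has to be set per environment.

```python
# Added example (not from the presentation): CSC5-4 alerting on privileged-account
# changes in a Linux auth log. Sample lines and the ADMIN_GROUPS set are constructed.
import re

# Groups whose membership grants administrative rights on this (constructed) host.
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

# Message formats as shadow-utils writes them to the auth log.
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")
GROUP_ADD_RE = re.compile(r"(?:usermod\[\d+\]: add '(?P<u1>[^']+)' to group '(?P<g1>[^']+)'"
                          r"|gpasswd\[\d+\]: user (?P<u2>\S+) added by \S+ to group (?P<g2>\S+))")
GROUP_DEL_RE = re.compile(r"gpasswd\[\d+\]: user (?P<user>\S+) removed by \S+ from group (?P<group>\S+)")


def audit_privilege_events(lines):
    """Return (alert, user, detail) tuples for the events CSC5-4 requires a log entry and alert for."""
    alerts = []
    for line in lines:
        m = NEW_USER_RE.search(line)
        if m and m.group("uid") == "0":  # a second root-equivalent account, not just a new user
            alerts.append(("NEW_ROOT_EQUIVALENT_USER", m.group("user"), "UID=0"))
            continue
        m = GROUP_ADD_RE.search(line)
        if m:
            user = m.group("u1") or m.group("u2")
            group = m.group("g1") or m.group("g2")
            if group in ADMIN_GROUPS:
                alerts.append(("ADMIN_GROUP_ADD", user, group))
            continue
        m = GROUP_DEL_RE.search(line)
        if m and m.group("group") in ADMIN_GROUPS:
            alerts.append(("ADMIN_GROUP_REMOVE", m.group("user"), m.group("group")))
    return alerts


# Constructed auth-log excerpt: one routine onboarding, one suspicious UID-0 account,
# one removal from an admin group and one unrelated login.
SAMPLE_AUTH_LOG = """\
Apr 26 10:01:02 web-01 useradd[2210]: new user: name=deploy, UID=1002, GID=1002, home=/home/deploy, shell=/bin/bash
Apr 26 10:01:05 web-01 usermod[2214]: add 'deploy' to group 'docker'
Apr 26 10:01:06 web-01 usermod[2215]: add 'deploy' to group 'sudo'
Apr 26 10:03:11 web-01 useradd[2301]: new user: name=svc_tmp, UID=0, GID=0, home=/root, shell=/bin/bash
Apr 26 10:04:00 web-01 gpasswd[2350]: user alice removed by root from group wheel
Apr 26 10:05:00 web-01 sshd[2400]: Accepted publickey for deploy from 10.0.9.4 port 52114 ssh2
""".splitlines()


def demo():
    return audit_privilege_events(SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

Removals are alerted on as well as additions, as the control text says: an administrator being taken out of the group is how a legitimate admin is locked out, and how an attacker covers a change. Groups such as docker, whose membership is root-equivalent on many hosts, belong in ADMIN_GROUPS wherever that applies.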

#6 Monitoring and Analysis of Audit Logs (Family: System)
CSC6-4: Have security personnel and/or system administrators run bi-weekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.
CSC6-5: Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.
CSC6-6: Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.
Cloud notes:
- Automate the collection and reporting of logs
- Human expertise and intuition are required to identify and understand attack patterns

#7 Email and Web Browser Protections (Family: System)
CSC7-3: Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities.
CSC7-6: Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up to date with the most recent website category definitions available.
CSC7-8: Scan and block all e-mail attachments entering the organization's e-mail gateway if they contain malicious code or file types that are unnecessary for the organization's business.
Cloud notes:
- Endpoints used to manage production systems should be locked down and monitored closely
- Use secure jump hosts to separate endpoints from production systems

#8 Malware Defenses (Family: System)
CSC8-1: Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
CSC8-5: Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content.
CSC8-6: Enable DNS query logging to detect hostname lookups for known malicious C2 domains.
Cloud notes:
- As malware becomes more evasive, re-assess NIDS vs HIDS
- Monitor logs, file changes, firewall connections and policy violations
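CSC8-6 needs two things: query logging turned on, and a matcher that compares each queried name with the known-bad domain list correctly. The script below is an added example, not from the presentation; it parses BIND-style query-log lines and matches on label boundaries, so a subdomain of a listed domain is caught while a look-alike that merely contains the listed string is not. The log lines and the blocklist (which uses the reserved .invalid TLD) are constructed; in practice the list comes from a threat-intelligence feed.

```python
# Added example (not from the presentation): CSC8-6, matching DNS query logs against a
# known-C2 domain list. Sample log lines and the blocklist are constructed.
import re

# Constructed known-bad domains; a real deployment loads these from a threat-intel feed.
BLOCKLIST = {"c2-example.invalid", "bad-updates.invalid"}

# Client address and queried name from a BIND-style query log line.
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+ .*?query: (?P<name>\S+) IN (?P<qtype>\S+)")


def normalize(name):
    """Lower-case and strip the trailing dot so 'HOST.Example.' and 'host.example' compare equal."""
    return name.lower().rstrip(".")


def listed_suffix(name, blocklist):
    """Return the blocklist entry covering `name`, matching only on label boundaries:
    'beacon.c2-example.invalid' matches 'c2-example.invalid', but
    'c2-example.invalid.example.org' does not."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_c2_lookups(lines, blocklist=BLOCKLIST):
    """(source address, queried name, matching blocklist entry) for every listed lookup."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        entry = listed_suffix(m.group("name"), blocklist)
        if entry:
            hits.append((m.group("src"), normalize(m.group("name")), entry))
    return hits


# Constructed query-log excerpt: one benign lookup, one subdomain of a listed domain,
# one look-alike that must not match, and one listed domain in mixed case with a trailing dot.
SAMPLE_QUERY_LOG = """\
26-Apr-2016 10:15:01.123 client 10.0.1.10#53412 (updates.example.net): query: updates.example.net IN A + (10.0.0.53)
26-Apr-2016 10:15:02.004 client 10.0.1.11#40021 (beacon.c2-example.invalid): query: beacon.c2-example.invalid IN A + (10.0.0.53)
26-Apr-2016 10:15:02.900 client 10.0.2.20#51000 (c2-example.invalid.example.org): query: c2-example.invalid.example.org IN A + (10.0.0.53)
26-Apr-2016 10:15:03.410 client 10.0.1.11#40022 (BAD-UPDATES.INVALID.): query: BAD-UPDATES.INVALID. IN TXT + (10.0.0.53)
""".splitlines()


def demo():
    return find_c2_lookups(SAMPLE_QUERY_LOG)


if __name__ == "__main__":
    for src, name, entry in demo():
        print(f"{src} looked up {name} (listed as {entry})")
```

The source address in each hit is the value worth keeping: a host that resolves a listed domain is the one to pull file-change and firewall-connection history for, which is the HIDS-side correlation the slide's last bullet describes.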

#9 Limitation and Control of Network Ports

#10 Data Recovery Capability

#11 Secure Configurations for Network Devices

#12 Boundary Defense (Family: Network)
CSC12-2: On DMZ networks, configure monitoring systems (which may be built into the IDS sensors or deployed as a separate technology) to record at least packet header information.
CSC12-3: Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems.
Cloud notes:
- In the public cloud, use host-based firewalls to keep unauthorized or unmanaged systems off your network
- Standardize across public, private or hybrid cloud deployments

#12 Boundary Defense (continued)
- Adopt a Least Privilege strategy
- Eliminate "soft and chewy" networks
- Host-based firewalls provide a greater level of micro-segmentation
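The three bullets above describe one policy shape: default deny, with an explicit allow rule per flow between tiers. The script below is an added example (not from the presentation or from any firewall product) that evaluates flows against such a host-firewall rule set and lints the rule set for the broad any-port or any-protocol rules that make a network "soft and chewy". The tiers, address ranges and rule names are constructed.

```python
# Added example (not from the presentation): least-privilege host-firewall policy with
# default deny (CSC12). Tiers, address ranges and rule names are constructed.
import ipaddress

# A rule is (name, source CIDR, destination CIDR, protocol, port); port None means any port.
TIGHT_RULES = [
    ("internet-to-web", "0.0.0.0/0", "10.0.1.0/24", "tcp", 443),   # only the web tier is exposed
    ("web-to-db", "10.0.1.0/24", "10.0.2.0/24", "tcp", 5432),      # web may reach the database port only
    ("jumphost-ssh", "10.0.9.0/24", "10.0.0.0/8", "tcp", 22),      # SSH only from the jump-host subnet
]

# The "soft and chewy" variant: one broad rule that lets any internal host reach any other.
LEGACY_RULES = TIGHT_RULES + [("legacy-internal-any", "10.0.0.0/8", "10.0.0.0/8", "any", None)]


def permitted(rules, src, dst, proto, port):
    """Default-deny evaluation: return the name of the first rule that explicitly allows the
    flow, or None when nothing does (the deny case)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, rule_proto, rule_port in rules:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)
                and rule_proto in ("any", proto)
                and rule_port in (None, port)):
            return name
    return None


def overly_broad(rules):
    """Rules that defeat least privilege: they leave the port or the protocol unspecified,
    so membership in the source range alone grants full reachability."""
    return [name for name, _src, _dst, proto, port in rules if port is None or proto == "any"]


def demo():
    """A few flows against the tight rule set, plus the lint result for both rule sets."""
    return {
        "web_to_db_5432": permitted(TIGHT_RULES, "10.0.1.10", "10.0.2.20", "tcp", 5432),
        "internet_to_db_5432": permitted(TIGHT_RULES, "203.0.113.5", "10.0.2.20", "tcp", 5432),
        "web_to_db_22": permitted(TIGHT_RULES, "10.0.1.10", "10.0.2.20", "tcp", 22),
        "jump_to_db_22": permitted(TIGHT_RULES, "10.0.9.5", "10.0.2.20", "tcp", 22),
        "legacy_web_to_db_22": permitted(LEGACY_RULES, "10.0.1.10", "10.0.2.20", "tcp", 22),
        "tight_lint": overly_broad(TIGHT_RULES),
        "legacy_lint": overly_broad(LEGACY_RULES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same rule table can be rendered for every host in a tier, which is the micro-segmentation point: the policy follows the workload rather than the subnet, so it is identical in public, private and hybrid deployments.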

#13 Data Protection (Family: Network)
CSC13-2: Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.
CSC13-3: Deploy an automated tool on the network perimeter that monitors for sensitive information (e.g. PII) to discover unauthorized attempts to exfiltrate data.
Cloud notes:
- In the public cloud, use volume-based encryption to protect sensitive data on shared storage
- Encrypt all network communications
- Restrict and monitor outbound connectivity and secure remote access

#14 Controlled Access based on Need to Know

#15 Wireless Access Control

#16 Account Monitoring and Control (Family: Application)
CSC16-11: Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics.
CSC16-13: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Cloud notes:
- Implement MFA for remote access management
- Encrypt all network connections

#17 Security Skills Assessment and Appropriate Training (Family: Application)
CSC17-2: Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training.
CSC17-3: Implement a security awareness program.
Cloud notes:
- Security professionals must make security processes more embedded, faster and more continuous
- The cloud accelerates DevOps because it offers scalable environments to develop and test code

#18 Application Software Security (Family: Application)
CSC18-1: For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.
CSC18-4: Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment.
Cloud notes:
- Continuously monitor application libraries and packages for vulnerabilities
- For applications that rely on a database, use standard hardening configuration templates

#19 Incident Response and Management

#20 Penetration Tests and Red Team

Moving to the Cloud securely...
- Use the Top 20 Critical Security Controls to guide you
- Develop sound processes: continuous monitoring, automation
- Implement the right technology: light-weight / provides breadth; automated / scalable / API / SaaS
- Work across public, hybrid and private clouds
- Benchmark yourself!

Thank You!