Security Risk Management
Marcus Murray, CISSP, MVP (Security)
Senior Security Advisor, Truesec
Marcus Murray, MVP

Agenda
- What is Risk Management?
- Security Strategy
  - Mission and Vision
  - Security Principles
  - Risk Based Decision Model
  - Tactical Prioritization
- Representative Risks and Tactics
What is Risk Management?
The process of measuring assets and calculating risk! Something we all do! (More or less)
Risk Based Security Strategy
- Corporate Security Mission and Vision
- Security Operating Principles
- Risk Based Decision Model
- Tactical Prioritization
Information Security Mission
Prevent malicious or unauthorized use that results in the loss of Company intellectual property or productivity by systematically assessing, communicating and mitigating risks to digital assets.
Mission cycle: Assess Risk -> Define Policy -> Controls -> Audit
Information Security Vision
An IT environment comprised of services, applications and infrastructure that implicitly provides availability, privacy and security to any client.
Key Client Assurances
- My identity is not compromised
- Resources are secure and available
- Data and communications are private
- Clearly defined roles and accountability
- Timely response to risks and threats
Security Operating Principles
Management Commitment
- Manage risk according to business objectives
- Define organizational roles and responsibilities
Users and Data
- Manage to the practice of Least Privilege
- Privacy strictly enforced
Application and System Development
- Security built into the development lifecycle
- Layered defense and reduced attack surface
Operations and Maintenance
- Security integrated into the Operations Framework
- Monitor, audit, and response functions aligned to operational functions
Enterprise Risk Model
[Figure: 2x2 risk matrix. One axis is Impact to Business (Defined by Business Owner), Low to High; the other is Probability of Exploit (Defined by Corporate Security), Low to High. The low-impact/low-probability corner is Acceptable Risk; the high-impact/high-probability corner is Unacceptable Risk.]
Risk assessment drives to acceptable risk.
Components of Risk Assessment
Asset + Threat = Impact
Vulnerability + Mitigation = Probability
- Asset: What are you trying to assess?
- Threat: What are you afraid of happening?
- Impact: What is the impact to the business?
- Vulnerability: How could the threat occur?
- Mitigation: What is currently reducing the risk?
- Probability: How likely is the threat given the controls?
Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?
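The two slides above describe a model but not how to compute with it. The following is an added example written for this page (it is not code from the deck or from Truesec): a small risk register that follows the model literally, combining asset value and threat severity into impact, reducing exposure by the controls in place to get probability, scoring the current level of risk, and sorting the register for tactical prioritization. The 1..5 ordinal scales, the control effectiveness fractions, the 0..25 risk scale and the acceptable-risk threshold of 10 are all assumptions, as is the sample register.

```python
from dataclasses import dataclass, field
from math import prod

# Added example, not from the slides: a small risk register that follows the deck's
# model (Asset + Threat -> Impact, Vulnerability + Mitigation -> Probability).
# All scales are assumptions: 1..5 ordinal scores, control effectiveness 0.0..1.0,
# and an acceptable-risk threshold of 10 on a 0..25 risk scale.

ACCEPTABLE_RISK = 10.0   # assumed threshold; "risk assessment drives to acceptable risk"


@dataclass
class Control:
    """A mitigation already in place; effectiveness is the assumed fraction of exposure it removes."""
    name: str
    effectiveness: float


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: int        # 1..5, impact side, set by the business owner
    threat_severity: int    # 1..5, impact side, how damaging the threat is if it lands
    exposure: int           # 1..5, probability side, how exposed the vulnerability is (CorpSec)
    controls: list = field(default_factory=list)

    def impact(self) -> int:
        # Asset + Threat = Impact: what the business loses if the threat succeeds
        return self.asset_value * self.threat_severity          # 1..25

    def residual_exposure(self) -> float:
        # Vulnerability + Mitigation = Probability: each control removes part of the exposure
        return self.exposure * prod(1.0 - c.effectiveness for c in self.controls)

    def probability(self) -> float:
        # How likely is the threat given the controls? (0.0..1.0)
        return self.residual_exposure() / 5.0

    def score(self) -> float:
        # Current level of risk: impact weighted by the chance the controls are overcome
        return round(self.impact() * self.residual_exposure() / 5.0, 4)   # 0..25

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTABLE_RISK


def prioritize(register):
    """Tactical prioritization: highest residual risk first."""
    return [(r.asset, r.threat, r.score(), r.acceptable())
            for r in sorted(register, key=lambda r: r.score(), reverse=True)]


def remediate(risk, control):
    """Return a copy of the risk with one more control applied (the 'Mitigation' input)."""
    return Risk(risk.asset, risk.threat, risk.asset_value, risk.threat_severity,
                risk.exposure, risk.controls + [control])


# Constructed sample register, using asset classes named in the deck
unpatched_dc = Risk("Domain controller", "Unpatched remote code execution",
                    asset_value=5, threat_severity=5, exposure=4)
sniffing = Risk("Internal network", "Data sniffing on the wire",
                asset_value=4, threat_severity=3, exposure=3,
                controls=[Control("Network segmentation via IPsec", 0.5)])
open_share = Risk("File server", "Open shares expose documents",
                  asset_value=3, threat_severity=2, exposure=5)

if __name__ == "__main__":
    for row in prioritize([unpatched_dc, sniffing, open_share]):
        print(row)
    # Adding patch management moves the top risk into the acceptable region
    patched = remediate(unpatched_dc, Control("Patch management (SMS/WUS/SUS)", 0.75))
    print("after patching:", patched.score(), patched.acceptable())
```

The point of splitting the inputs this way is the one the slide makes: the business owner supplies the impact side and corporate security supplies the probability side, and a mitigation only ever changes the probability factor, never the impact.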
Risk Management Process and Roles
Cycle: 1 Prioritize Risks -> 2 Security Policy -> 3 Security Solutions & Initiatives -> 4 Sustained Operations -> 5 Compliance
Roles: CorpSec; Engineering and Operations
Tactical Prioritization by Environment
Policies and mitigation tactics appropriate for each environment. The prioritized risks are applied to each environment separately:
- Data Center
- Client
- Unmanaged Client
- RAS
- Extranet
Risk Analysis by Asset Class
- Host: exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
- Application: unauthenticated access to applications, unchecked memory allocations
- Account: compromise of integrity or privacy of accounts
- Trust: unmanaged trusts enable movement among environments
- Network: data sniffing on the wire, network fingerprinting
Representative Risks and Tactics (Embody Trustworthy Computing)
Enterprise Risk -> Tactical Solution
- Unpatched Devices -> Secure Environment Remediation
- Unmanaged Devices -> Network Segmentation via IPSec
- Remote & Mobile Users -> Secure Remote User
- Single-Factor Authentication -> 2-Factor for RAS & Administrators
- Managed Source Initiatives
Focus Controls Across Key Assets
Security Solutions and Initiatives
Mitigate risk to the infrastructure through implementation of key strategies:
1. Secure the Network Perimeter
   - Secure Wireless
   - Smart Cards for RAS
   - Secure Remote User
   - Next Generation AV
   - Messaging Firewall
   - Direct Connections
   - IDC Network Cleanup
2. Secure the Network Interior
   - Eliminate Weak Passwords
   - Acct Segregation
   - Patch Management (SMS/WUS/SUS)
   - NT4 Domain Migration
   - Network Segmentation
   - Smart Cards for Admin Access
   - Regional Security Assessment
3. Secure Key Assets
   - Automate Vulnerability Scans
   - Secure Source Code Assets
   - Lab Security Audit
4. Enhance Monitoring and Auditing
   - Network Intrusion Detection System
   - Host Intrusion Detection Systems
   - Automate Security Event Analysis
   - Use MOM for Server Integrity Checking
   - Use ACS for real-time security log monitoring
Compliance and Remediation Overview
Compliance Management is a Process + Tools (i.e. not just tools). The “Process” defines the parameters in which the “Tools” operate.
“Process” includes:
- Assessment of environments and assigning values to groups of assets
- Assessment of vulnerabilities: what’s “Critical” for each environment and what’s not
- Testing
- Communication up and down the enterprise on:
  - Policy
  - Minimum configuration standards
  - Timelines for compliance
  - Timelines and consequences of non-compliance
- Coordination with other departments in compliance and remediation efforts
- Enforcement
- Compliance Audits
- Reporting
Security Update Assessment at Microsoft
- Evaluate the enterprise risk of the vulnerability and the patch deployment “cost”
- Combination of MSRC (Microsoft Security Response Center) and OTG criteria
- CorpSec owns the decision process
- Include other stakeholders across OTG
MSRC Criteria
- Critical: propagation without user action
- Important: significant impact to confidentiality, integrity, or availability of data
- Moderate: significant, but mitigated by other controls, e.g. default settings, user action, etc.
- Low: difficult exploitation, low data impact
OTG Criteria
- Use the same scale as MSRC, but evaluate additional factors:
  - Cost of patch deployment: testing required, application impacts, installation difficulty
  - Compensating controls: network controls, existing OTG best practice, etc.
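The slide lists the two sets of criteria but not how they combine into a deployment decision. The following is an added example written for this page, not code from the deck or from Microsoft: it starts from the MSRC rating, credits compensating controls that block the vector in the local environment, keeps a floor for updates that propagate without user action, and lets deployment cost stretch the deadline within a cap. The deployment windows, the one-level downgrade per blocking control, the Important floor, the cost scoring and the sample bulletin ids are all assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Added example, not from the slides: one way to encode the deck's two-stage patch
# assessment (MSRC severity first, then OTG factors: compensating controls and
# deployment cost). Windows, the one-level downgrade per blocking control, the
# "never below Important when self-propagating" floor and the cost model are assumptions.


class Severity(IntEnum):
    """MSRC scale as listed on the slide."""
    LOW = 1
    MODERATE = 2
    IMPORTANT = 3
    CRITICAL = 4


BASE_WINDOW_DAYS = {            # assumed deployment deadline per effective severity
    Severity.CRITICAL: 3,
    Severity.IMPORTANT: 14,
    Severity.MODERATE: 30,
    Severity.LOW: 90,
}


@dataclass
class CompensatingControl:
    name: str
    blocks_vector: bool          # True if it fully blocks the attack vector in this environment


@dataclass
class DeploymentCost:
    testing_days: int = 0
    app_impact: bool = False     # known line-of-business application breakage
    manual_install: bool = False # cannot be pushed by SMS/WUS/SUS

    def extra_days(self) -> int:
        # Assumed cost model: testing time plus a fixed allowance per hard factor
        return self.testing_days + (7 if self.app_impact else 0) + (5 if self.manual_install else 0)


@dataclass
class SecurityUpdate:
    bulletin: str                # placeholder id, not a real MSRC bulletin number
    msrc_severity: Severity
    propagates_without_user_action: bool = False
    controls: list = field(default_factory=list)
    cost: DeploymentCost = field(default_factory=DeploymentCost)


def effective_severity(update: SecurityUpdate) -> Severity:
    """OTG rating on the MSRC scale after crediting compensating controls."""
    sev = update.msrc_severity
    for control in update.controls:
        # A control that blocks the vector lowers the enterprise rating one level,
        # mirroring MSRC's own "Moderate: mitigated by other controls" reasoning
        if control.blocks_vector and sev > Severity.LOW:
            sev = Severity(sev - 1)
    # Assumed floor: self-propagating issues are never rated below Important internally
    if update.propagates_without_user_action and sev < Severity.IMPORTANT:
        sev = Severity.IMPORTANT
    return sev


def deployment_window_days(update: SecurityUpdate) -> int:
    """Deadline in days: base window for the effective severity, stretched by cost
    but never beyond the next-lower severity's window (assumed rule)."""
    sev = effective_severity(update)
    window = BASE_WINDOW_DAYS[sev] + update.cost.extra_days()
    if sev > Severity.LOW:
        window = min(window, BASE_WINDOW_DAYS[Severity(sev - 1)])
    return window


def prioritize(updates):
    """Order the patch queue: highest effective severity first, shortest window next."""
    return sorted(updates, key=lambda u: (-effective_severity(u), deployment_window_days(u)))


# Constructed sample updates (bulletin ids are placeholders)
wormable = SecurityUpdate("MSYY-001", Severity.CRITICAL, propagates_without_user_action=True)
wormable_firewalled = SecurityUpdate(
    "MSYY-002", Severity.CRITICAL, propagates_without_user_action=True,
    controls=[CompensatingControl("Host firewall blocks the listening port", True)],
    cost=DeploymentCost(testing_days=5))
app_breaker = SecurityUpdate("MSYY-003", Severity.MODERATE,
                             cost=DeploymentCost(testing_days=10, app_impact=True))

if __name__ == "__main__":
    for u in prioritize([app_breaker, wormable_firewalled, wormable]):
        print(u.bulletin, effective_severity(u).name, deployment_window_days(u), "days")
```

The cap in deployment_window_days is the part worth arguing about in practice: it keeps deployment cost from quietly turning a Critical update into a 90-day project, which is the failure mode the "Unpatched Devices" risk on the earlier slide describes.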