Published by Bertina Douglas. Modified over 9 years ago.
1
Security Risk Management
Marcus Murray, CISSP, MVP (Security), Senior Security Advisor, Truesec
marcus.murray@truesec.se
2
Agenda
- What is Risk Management?
- Security Strategy: Mission and Vision; Security Principles; Risk Based Decision Model; Tactical Prioritization
- Representative Risks and Tactics
3
What is Risk Management?
The process of measuring assets and calculating risk. Something we all do, more or less.
13
Security Operating Principles (roadmap): Corporate Security Mission and Vision; Risk Based Security Strategy; Risk Based Decision Model; Tactical Prioritization
14
Information Security Mission
Cycle: Assess Risk -> Define Policy -> Controls -> Audit
Mission: Prevent malicious or unauthorized use that results in the loss of company intellectual property or productivity, by systematically assessing, communicating and mitigating risks to digital assets.
15
Information Security Vision
An IT environment comprised of services, applications and infrastructure that implicitly provides availability, privacy and security to any client.
Key client assurances:
- My identity is not compromised
- Resources are secure and available
- Data and communications are private
- Clearly defined roles and accountability
- Timely response to risks and threats
16
Security Operating Principles
Management commitment:
- Manage risk according to business objectives
- Define organizational roles and responsibilities
Users and data:
- Manage to the practice of least privilege
- Privacy strictly enforced
Application and system development:
- Security built into the development lifecycle
- Layered defense and reduced attack surface
Operations and maintenance:
- Security integrated into the operations framework
- Monitor, audit and response functions aligned to operational functions
17
Enterprise Risk Model
A two-by-two matrix: Impact to Business (Low/High, defined by the business owner) against Probability of Exploit (Low/High, defined by Corporate Security). Low impact with low probability is Acceptable Risk; high impact with high probability is Unacceptable Risk. Risk assessment drives toward acceptable risk.
18
Components of Risk Assessment
Asset + Threat = Impact
- Asset: what are you trying to assess?
- Threat: what are you afraid of happening?
- Impact: what is the impact to the business?
Vulnerability + Mitigation = Probability
- Vulnerability: how could the threat occur?
- Mitigation: what is currently reducing the risk?
- Probability: how likely is the threat given the controls?
Current Level of Risk: what is the probability that the threat will overcome the controls to successfully exploit the vulnerability and impact the asset?
19
Risk Management Process and Roles
A cycle, split between CorpSec and Engineering and Operations:
1. Prioritize Risks
2. Security Policy
3. Security Solutions & Initiatives
4. Sustained Operations
5. Compliance
20
Tactical Prioritization by Environment
Prioritized risks feed policies and mitigation tactics appropriate for each environment: Data Center, Client, Unmanaged Client, RAS, Extranet.
21
Risk Analysis by Asset Class
- Host: exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
- Application: unauthenticated access to applications, unchecked memory allocations
- Account: compromise of integrity or privacy of accounts
- Trust: unmanaged trusts enable movement among environments
- Network: data sniffing on the wire, network fingerprinting
22
Representative Risks and Tactics (Embody Trustworthy Computing)
Enterprise risk -> tactical solution:
- Unpatched devices -> Secure Environment Remediation
- Unmanaged devices -> Network Segmentation via IPSec
- Remote & mobile users -> Secure Remote User
- Single-factor authentication -> 2-Factor for RAS & Administrators
- Managed Source Initiatives: focus controls across key assets
23
Security Solutions and Initiatives
Mitigate risk to the infrastructure through implementation of key strategies:
1. Secure the Network Perimeter: Secure Wireless; Smart Cards for RAS; Secure Remote User; Next Generation AV; Messaging Firewall; Direct Connections; IDC Network Cleanup
2. Secure the Network Interior: Eliminate Weak Passwords; Account Segregation; Patch Management (SMS/WUS/SUS); NT4 Domain Migration; Network Segmentation; Smart Cards for Admin Access; Regional Security Assessment
3. Secure Key Assets: Automate Vulnerability Scans; Secure Source Code Assets; Lab Security Audit
4. Enhance Monitoring and Auditing: Network Intrusion Detection System; Host Intrusion Detection Systems; Automate Security Event Analysis; Use MOM for Server Integrity Checking; Use ACS for real-time security log monitoring
24
Compliance and Remediation Overview
Compliance management is a process plus tools (i.e. not just tools). The process defines the parameters within which the tools operate. The process includes:
- Assessment of environments and assigning values to groups of assets
- Assessment of vulnerabilities: what is "Critical" for each environment and what is not
- Testing
- Communication up and down the enterprise on policy, minimum configuration standards, timelines for compliance, and timelines and consequences of non-compliance
- Coordination with other departments in compliance and remediation efforts
- Enforcement
- Compliance audits
- Reporting
25
Security Update Assessment at Microsoft
Evaluate the enterprise risk of the vulnerability against the "cost" of patch deployment, using a combination of MSRC and OTG criteria. CorpSec owns the decision process and includes other stakeholders across OTG.
MSRC criteria:
- Critical: propagation without user action
- Important: significant impact to confidentiality, integrity or availability of data
- Moderate: significant, but mitigated by other controls, e.g. default settings, user action, etc.
- Low: difficult exploitation, low data impact
OTG criteria: use the same scale as MSRC, but evaluate additional factors:
- Cost of patch deployment: testing required, application impacts, installation difficulty
- Compensating controls: network controls, existing OTG best practice, etc.
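The decision model on the "Enterprise Risk Model" and "Components of Risk Assessment" slides, carried through to the MSRC/OTG update triage above, as an added Python example; it is not part of the presentation and not Microsoft's or Truesec's tooling. The 0..1 scales, the 0.5 cut-off between Low and High on each axis, the "Review" label for the two quadrants the slide does not name, the one-level downgrade for compensating controls, the deployment timelines, and the sample risks and updates are all assumptions constructed for this example.

```python
"""Added example (not the presenter's code) of the deck's risk-based decision model:
Asset + Threat -> Impact; Vulnerability + Mitigation -> Probability; Impact x Probability
-> current level of risk; then the Impact/Probability matrix and MSRC/OTG update triage.
The 0..1 scales, the 0.5 axis cut-off, the one-level downgrade for compensating controls
and the deployment timelines are assumptions made for this example."""
from dataclasses import dataclass

AXIS_CUTOFF = 0.5  # assumed: at or above this an axis reads "High", below it "Low"

@dataclass
class Risk:
    name: str
    asset_value: float      # business owner: what are we assessing, and what is it worth?
    threat_severity: float  # what are we afraid of happening?
    vulnerability: float    # corporate security: how could the threat occur?
    mitigation: float       # how much do the controls already in place reduce it?

    def impact(self) -> float:
        # Asset + Threat: impact to the business, combined as a 0..1 product
        return self.asset_value * self.threat_severity

    def probability(self) -> float:
        # Vulnerability + Mitigation: chance the threat succeeds given the controls
        return self.vulnerability * (1.0 - self.mitigation)

    def level(self) -> float:
        # current level of risk: the threat beats the controls and hits the asset
        return self.impact() * self.probability()

def classify(risk: Risk, cutoff: float = AXIS_CUTOFF) -> str:
    """Place the risk on the Impact x Probability matrix. The slide labels only the two
    corners; the mixed quadrants are called "Review" here as an assumption."""
    high_impact = risk.impact() >= cutoff
    high_prob = risk.probability() >= cutoff
    if high_impact and high_prob:
        return "Unacceptable"
    if not high_impact and not high_prob:
        return "Acceptable"
    return "Review"

def prioritize(risks: list) -> list:
    """Step 1 of the process slide: rank risks so tactics are assigned in order."""
    return [r.name for r in sorted(risks, key=lambda r: r.level(), reverse=True)]

# Security update assessment: MSRC severity plus the OTG deployment factors
MSRC_SCALE = ["Low", "Moderate", "Important", "Critical"]
DEPLOY_WITHIN_DAYS = {"Critical": 1, "Important": 7, "Moderate": 30, "Low": 90}  # assumed

@dataclass
class SecurityUpdate:
    name: str
    msrc_rating: str
    compensating_controls: bool  # network controls or existing best practice block the vector
    deployment_cost: int         # assumed scale 1 (trivial) .. 5 (heavy testing, app impact)

def effective_rating(update: SecurityUpdate) -> str:
    """OTG view on top of the MSRC rating: compensating controls step it down one level
    (the MSRC "Moderate" idea: significant, but mitigated by other controls). A Critical
    issue, which by definition propagates without user action, is never downgraded."""
    idx = MSRC_SCALE.index(update.msrc_rating)
    if update.compensating_controls and update.msrc_rating != "Critical":
        idx = max(idx - 1, 0)
    return MSRC_SCALE[idx]

def triage(updates: list) -> list:
    """Order by effective severity, cheapest deployment first within a level.
    Returns (name, effective rating, days allowed for deployment) per update."""
    ranked = sorted(updates,
                    key=lambda u: (-MSRC_SCALE.index(effective_rating(u)), u.deployment_cost))
    return [(u.name, effective_rating(u), DEPLOY_WITHIN_DAYS[effective_rating(u)])
            for u in ranked]

# Constructed sample input for the example, not data from the presentation.
SAMPLE_RISKS = [
    Risk("internet-facing host, unpatched", 0.9, 0.9, 0.8, 0.1),
    Risk("single-factor remote access", 0.8, 0.7, 0.6, 0.5),
    Risk("isolated lab VM", 0.2, 0.5, 0.9, 0.6),
]
SAMPLE_UPDATES = [
    SecurityUpdate("update-A", "Critical", compensating_controls=True, deployment_cost=4),
    SecurityUpdate("update-B", "Important", compensating_controls=True, deployment_cost=2),
    SecurityUpdate("update-C", "Important", compensating_controls=False, deployment_cost=5),
    SecurityUpdate("update-D", "Moderate", compensating_controls=True, deployment_cost=1),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:34} impact={r.impact():.2f} prob={r.probability():.2f} {classify(r)}")
    print("priority:", prioritize(SAMPLE_RISKS))
    print("patches:", triage(SAMPLE_UPDATES))
```

Two design points worth noticing. The impact and probability axes are owned by different parties (business owner and corporate security), so the model keeps them as separate numbers until the very last step rather than collapsing them into one score early. And the compensating-control downgrade is deliberately blocked for Critical issues: a flaw that propagates without user action has no vector for a network control or a best-practice setting to reliably block, so deployment cost must not push it down the list.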
26
More information: www.microsoft.se/technet, www.microsoft.se/security, www.truesec.se/events, www.itproffs.se
27
Marcus Murray, marcus.murray@truesec.se