
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Presentation transcript:

1 Security Risk Management
Marcus Murray, CISSP, MVP (Security)
Senior Security Advisor, Truesec
marcus.murray@truesec.se

2 Agenda
Marcus Murray, MVP, marcus.murray@truesec.se
- What is Risk Management?
- Security Strategy
- Mission and Vision
- Security Principles
- Risk Based Decision Model
- Tactical Prioritization
- Representative Risks and Tactics

3 What is Risk Management?
- The process of measuring assets and calculating risk!
- Something we all do! (More or less)


13
- Security Operating Principles
- Corporate Security Mission and Vision
- Risk Based Security Strategy
- Risk Based Decision Model
- Tactical Prioritization

14 Information Security Mission
Prevent malicious or unauthorized use that results in the loss of Company Intellectual property or productivity by systematically assessing, communicating and mitigating risks to digital assets
(diagram: Assess Risk, Define Policy, Controls, Audit)

15 Information Security Vision
An IT environment comprised of services, applications and infrastructure that implicitly provides availability, privacy and security to any client.
- Key Client Assurances
  - My Identity is not compromised
  - Resources are secure and available
  - Data and communications are private
  - Clearly defined roles and accountability
  - Timely response to risks and threats

16 Security Operating Principles
- Management Commitment
  - Manage risk according to business objectives
  - Define organizational roles and responsibilities
- Users and Data
  - Manage to the practice of Least Privilege
  - Privacy strictly enforced
- Application and System Development
  - Security built into development lifecycle
  - Layered defense and reduced attack surface
- Operations and Maintenance
  - Security integrated into Operations Framework
  - Monitor, audit, and response functions aligned to operational functions

17 Enterprise Risk Model
(diagram: a two-axis matrix; one axis is Impact to Business, Low to High, defined by the Business Owner; the other is Probability of Exploit, Low to High, defined by Corporate Security; the low/low region is labelled Acceptable Risk and the high/high region Unacceptable Risk)
Risk assessment drives to acceptable risk

18 Components of Risk Assessment
Asset + Threat = Impact (as laid out on the slide)
- Asset: What are you trying to assess?
- Threat: What are you afraid of happening?
- Impact: What is the impact to the business?
Vulnerability + Mitigation = Probability
- Vulnerability: How could the threat occur?
- Mitigation: What is currently reducing the risk?
- Probability: How likely is the threat given the controls?
Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?

19 Risk Management Process and Roles
(diagram: five numbered stages, with CorpSec and Engineering and Operations as the roles involved)
1. Prioritize Risks
2. Security Policy
3. Security Solutions & Initiatives
4. Sustained Operations
5. Compliance
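As an added example (not from the slides): the Components of Risk Assessment and the Enterprise Risk Model above, turned into a small Python risk register that scores each entry and produces the Prioritized Risks that step 1 of the process hands to the rest. The three-level scale, the rule that each control level removes one level of exposure, and the ACCEPTABLE_CEILING threshold are assumptions; the slides give no numbers.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class RiskItem:
    asset: str               # what are you trying to assess?
    threat: str              # what are you afraid of happening?
    vulnerability: str       # how could the threat occur?
    mitigation: str          # what is currently reducing the risk?
    impact: Level            # Asset + Threat = Impact, defined by the business owner
    exposure: Level          # how exposed the vulnerability is before controls
    control_strength: Level  # how much the mitigation reduces that exposure

# Assumed threshold: an Impact x Probability score at or below this is "Acceptable Risk".
ACCEPTABLE_CEILING = 3

def probability(item: RiskItem) -> Level:
    """Vulnerability + Mitigation = Probability, defined by Corporate Security.
    Each control level above LOW lowers exposure one step, never below LOW (assumed rule)."""
    reduced = int(item.exposure) - (int(item.control_strength) - 1)
    return Level(max(int(Level.LOW), reduced))

def current_risk(item: RiskItem) -> int:
    """Current level of risk: likelihood the threat beats the controls, weighted by impact."""
    return int(item.impact) * int(probability(item))

def is_acceptable(item: RiskItem) -> bool:
    return current_risk(item) <= ACCEPTABLE_CEILING

def prioritize(items: list[RiskItem]) -> list[RiskItem]:
    """Step 1 of the process: the unacceptable risks, highest score first."""
    return sorted((i for i in items if not is_acceptable(i)),
                  key=lambda i: (current_risk(i), int(i.impact)), reverse=True)

# Constructed sample register, one entry per asset class named on the slides.
SAMPLE_RISKS = [
    RiskItem("Host", "Buffer overflow on an unpatched server", "Unpatched device",
             "Network segmentation via IPSec", Level.HIGH, Level.HIGH, Level.MEDIUM),
    RiskItem("Account", "Administrator account compromised", "Single-factor authentication",
             "None in place", Level.HIGH, Level.HIGH, Level.LOW),
    RiskItem("Network", "Data sniffing on the wire", "Unencrypted internal traffic",
             "IPSec on sensitive segments", Level.MEDIUM, Level.MEDIUM, Level.HIGH),
    RiskItem("Trust", "Movement between environments", "Unmanaged trust",
             "Trust inventory in progress", Level.HIGH, Level.LOW, Level.LOW),
]
```

Running `prioritize(SAMPLE_RISKS)` returns the Account and Host entries, in that order; the Network and Trust entries fall into the acceptable region because a strong control or a low probability keeps their score at or below the ceiling.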

20 Tactical Prioritization by Environment
Policies and mitigation tactics appropriate for each environment
Prioritized Risks feed into each environment:
- Data Center
- Client
- Unmanaged Client
- RAS
- Extranet

21 Risk Analysis by Asset Class
Assets and representative risks:
- Host: Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
- Application: Unauthenticated access to applications, unchecked memory allocations
- Account: Compromise of integrity or privacy of accounts
- Trust: Unmanaged trusts enable movement among environments
- Network: Data sniffing on the wire, network fingerprinting

22 Representative Risks and Tactics
Embody Trustworthy Computing
Enterprise Risks -> Tactical Solutions:
- Unpatched Devices -> Secure Environment Remediation
- Unmanaged Devices -> Network Segmentation via IPSec
- Remote & Mobile Users -> Secure Remote User
- Single-Factor Authentication -> 2-Factor for RAS & Administrators
- Focus Controls Across Key Assets -> Managed Source Initiatives

23 Security Solutions and Initiatives
Mitigate risk to the infrastructure through implementation of key strategies
1. Secure the Network Perimeter
  - Secure Wireless
  - Smart Cards for RAS
  - Secure Remote User
  - Next Generation AV
  - Messaging Firewall
  - Direct Connections
  - IDC Network Cleanup
2. Secure the Network Interior
  - Eliminate Weak Passwords
  - Acct Segregation
  - Patch Management (SMS/WUS/SUS)
  - NT4 Domain Migration
  - Network Segmentation
  - Smart Cards for Admin Access
  - Regional Security Assessment
3. Secure Key Assets
  - Automate Vulnerability Scans
  - Secure Source Code Assets
  - Lab Security Audit
4. Enhance Monitoring and Auditing
  - Network Intrusion Detection System
  - Host Intrusion Detection Systems
  - Automate Security Event Analysis
  - Use MOM for Server Integrity Checking
  - Use ACS for real-time security log monitoring

24 Compliance and Remediation Overview
- Compliance Management is a Process + Tools (i.e. not just tools)
- The “Process” defines the parameters in which the “Tools” operate
- “Process” includes:
  - Assessment of environments and assigning values to groups of assets
  - Assessment of vulnerabilities: what’s “Critical” for each environment and what’s not
  - Testing
  - Communication up and down the enterprise on
    - Policy
    - Minimum configuration standards
    - Timelines for compliance
    - Timelines and consequences of non-compliance
  - Coordination with other departments in compliance and remediation efforts
  - Enforcement
  - Compliance Audits
  - Reporting

25 Security Update Assessment at Microsoft
- Evaluate enterprise risk of vulnerability and patch deployment “cost”
  - Combination of MSRC and OTG criteria
  - CorpSec owns decision process
  - Include other stakeholders across OTG
- MSRC Criteria
  - Critical: propagation without user action
  - Important: significant impact to confidentiality, integrity, or availability of data
  - Moderate: significant, but mitigated by other controls, e.g. default settings, user action, etc.
  - Low: difficult exploitation, low data impact
- OTG Criteria
  - Use same scale as MSRC, but evaluate additional factors
  - Cost of patch deployment
    - Testing required, application impacts, installation difficulty
  - Compensating controls
    - Network controls, existing OTG best practice, etc.

26 More information
- www.microsoft.se/technet
- www.microsoft.se/security
- www.truesec.se/events
- www.itproffs.se

27 Marcus Murray
marcus.murray@truesec.se
