35 Critical Security Controls

The Key to Radical Security Improvement While Saving Money

Alan Paller, Director of Research, SANS Institute


Page 1: 35 Critical Security Controls

The Key to Radical Security Improvement While Saving Money

Alan Paller Director of Research

SANS Institute

Page 2: 35 Critical Security Controls

Stephen Covey, author of “Seven Habits of Highly Effective People”

Decide what your highest priorities are and have the courage - pleasantly, smilingly, nonapologetically - to say 'no' to other things. And the way to do that is by having a bigger 'yes' burning inside.

The enemy of the 'best' is often the 'good.'

Page 3: 35 Critical Security Controls

Part 1:

• Prioritize: but how?

• Implement first only those controls that are proven to stop the most dangerous threats.

• If you do not do that well, nothing else you do matters.

Page 4: 35 Critical Security Controls

Part 2:

• Automate to ensure continuing effectiveness of the controls

• Money wasted writing reports is money taken away from effective security.

Page 5: 35 Critical Security Controls

Why?

• The path to rapid security improvements and associated career success – opportunities open up to the people who can show the following two slides with reliable data for their organizations

Page 6: 35 Critical Security Controls

Risk Reduction in 12 Months

[Chart: risk score plotted from 6/1/2008 to 8/25/2009 on a 0 to 1,200 scale for two series, Domestic Sites and Foreign Sites; the series show an 89% reduction and a 90% reduction over the period.]

Page 7: 35 Critical Security Controls

Google - Aurora Attack

[Chart: MS10-018 Patch Coverage. Y axis: % of applicable hosts both reporting and patched, 0% to 100%. X axis: date, 2-Apr to 16-Apr 2010.]

40 points: April 3 – 9, 2010

Risk scoring escalation from 40, 80, 120, 160 and then 320 points

Quantify Special Threats

MS10-012 Patch Feb – March 2010
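The escalation rule on this slide, turned into a per-site score as an added example (not code from the talk or from any scoring system it describes). It assumes that the "40 points: April 3 – 9, 2010" label means week one of scoring began on April 3, and it uses a constructed five-host inventory; a site's daily report is its patch coverage plus the points owed by every host still missing the patch.

```python
from datetime import date

# Escalation schedule from the slide: 40 points for each host still missing
# the patch in week one, then 80, 120, 160, and 320 from week five onward.
WEEKLY_POINTS = (40, 80, 120, 160)
MAX_POINTS = 320

# Assumption: the "40 points: April 3 - 9, 2010" label means scoring for
# MS10-018 began on April 3 (week one), not on the patch release date.
SCORING_START = date(2010, 4, 3)

def points_for(days_into_scoring):
    """Risk points for one unpatched host, given days since scoring began."""
    if days_into_scoring < 0:   # scoring window not yet open: nothing owed
        return 0
    week = days_into_scoring // 7
    return WEEKLY_POINTS[week] if week < len(WEEKLY_POINTS) else MAX_POINTS

def site_report(hosts, scoring_start, as_of):
    """Return (percent of applicable hosts patched, total risk points) on a day.
    hosts maps hostname -> date the patch was applied, or None if never."""
    if not hosts:
        return 0.0, 0
    patched = [h for h, d in hosts.items() if d is not None and d <= as_of]
    unpatched = len(hosts) - len(patched)
    coverage = round(100.0 * len(patched) / len(hosts), 1)
    return coverage, unpatched * points_for((as_of - scoring_start).days)

# Constructed sample inventory for one site (not real data).
SAMPLE_HOSTS = {
    "ws-01": date(2010, 4, 2),
    "ws-02": date(2010, 4, 5),
    "ws-03": None,
    "ws-04": date(2010, 4, 20),
    "srv-01": None,
}
CHECK_DATES = (date(2010, 4, 2), date(2010, 4, 9),
               date(2010, 4, 16), date(2010, 5, 4))

def demo():
    """Coverage and risk points for the sample site on each check date."""
    return [site_report(SAMPLE_HOSTS, SCORING_START, d) for d in CHECK_DATES]

if __name__ == "__main__":
    for d, (cov, pts) in zip(CHECK_DATES, demo()):
        print(f"{d}: {cov:5.1f}% patched, {pts:4d} risk points")
```

The point of the schedule is visible in the output: coverage stays flat at 40% from April 9 to April 16 while the site's risk points double, which is what pushes the stragglers to the top of the list.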

Page 8: 35 Critical Security Controls

Coming up

• Eric Cole on the 20 Critical Controls (NSA, DHS, DoD, Energy Labs, Forensics and Pen Testing firms – offensive knowledge)

• The Australian 35 and 4 in the Sweet Spot

Page 9: 35 Critical Security Controls

20 Critical Controls – All Rights Reserved © Eric Cole 2010

20 Critical Controls Version 3.0 and Sample Implementation

Dr. Eric Cole

Page 10: 35 Critical Security Controls


Introduction

• Offense must drive the defense – based on new threats, the controls needed an update

• Other efforts are being worked and the critical controls need to complement these efforts

• Implementation is critical to the success of the controls

• Automation is key to success

Page 11: 35 Critical Security Controls


Version 3.0 Updates

• Realignment of the subcontrols based on emerging threats

• Establishment of definitions and guidelines to evaluate tools to satisfy the requirements of each of the 20 Controls

• Alignment of the 20 Controls to the National Security Agency’s Manageable Network Plan Revision 2.0 Milestones and the associated Network Security Tasks

• Inclusion of the findings of the Australian government, which yielded the 35 top mitigations for targeted attacks

Page 12: 35 Critical Security Controls


Realignment of the Subcontrols Sample Updates

• In Critical Control 2, configuring client workstations with non-persistent virtualized operating environments is added as a subcontrol.

• In Critical Control 3, configuring non-executable stacks and heaps through operating system features such as Data Execution Prevention (DEP) has been added as a quick win, since it is an effective way to deal with this attack vector.

• In Critical Control 5, implementing the Sender Policy Framework (SPF) by deploying SPF records in DNS is added as a way to lower the chance of spoofed email messages.

Page 13: 35 Critical Security Controls


Definitions and Guidelines to Evaluate Tools

Sensor: File integrity software
Measurement: File integrity monitoring software is deployed on servers as a part of the base configuration. Centralized solutions like Tripwire are preferred over stand-alone solutions.
Score: 50 percent awarded for using a solution like Tripwire with a central monitoring/reporting component. The remaining 50 percent is based on the percentage of servers on which the solution is deployed.

Sensor: Standard images
Measurement: Standard images for the installation of systems have been created based on an accepted security standard published by organizations such as CIS, NSA, DISA and others.
Score: Pass/Fail
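The two sensor definitions above as scoring functions, an added example rather than code from the 20 Critical Controls project. The 50/50 split and the Pass/Fail rule are the slide's; the inventory fields, the constructed sample data, and the extra check that a server only counts as "deployed" if its agent has reported to the central console within the last week are assumptions made here.

```python
from datetime import date

# The 50/50 split is the slide's scoring rule. The inventory fields and the
# freshness requirement below are assumptions added for this example.
MAX_STALE_DAYS = 7   # an agent that has not reported in a week is not "deployed"

def host_covered(host, as_of):
    """A server counts as covered only if a file integrity agent is installed
    and it has reported to the central console within MAX_STALE_DAYS."""
    last = host.get("last_report")
    return bool(host.get("fim_installed")) and last is not None \
        and (as_of - last).days <= MAX_STALE_DAYS

def score_file_integrity(servers, as_of):
    """Return (score out of 100, uncovered hostnames).
    50 points if the tool in use has a central monitoring/reporting component,
    plus 50 points scaled by the share of servers actually covered."""
    if not servers:
        return 0.0, []
    central = any(h.get("central_console") for h in servers if h.get("fim_installed"))
    uncovered = [h["name"] for h in servers if not host_covered(h, as_of)]
    share = 1 - len(uncovered) / len(servers)
    return round((50.0 if central else 0.0) + 50.0 * share, 1), uncovered

def score_standard_images(images, accepted=("CIS", "NSA", "DISA")):
    """Pass/Fail: every build image must derive from an accepted benchmark.
    The accepted list is open-ended on the slide; extend it as needed."""
    ok = bool(images) and all(i.get("benchmark") in accepted for i in images)
    return "Pass" if ok else "Fail"

# Constructed sample data (not from any real environment).
AS_OF = date(2010, 4, 16)
SAMPLE_SERVERS = [
    {"name": "web-01", "fim_installed": True, "central_console": True, "last_report": date(2010, 4, 15)},
    {"name": "web-02", "fim_installed": True, "central_console": True, "last_report": date(2010, 4, 10)},
    {"name": "db-01", "fim_installed": True, "central_console": True, "last_report": date(2010, 3, 1)},
    {"name": "app-01", "fim_installed": True, "central_console": False, "last_report": None},
    {"name": "file-01", "fim_installed": False, "central_console": False, "last_report": None},
]
SAMPLE_IMAGES = [
    {"name": "win2008-base", "benchmark": "CIS"},
    {"name": "rhel5-base", "benchmark": "DISA"},
    {"name": "lab-image", "benchmark": None},
]

if __name__ == "__main__":
    print(score_file_integrity(SAMPLE_SERVERS, AS_OF))   # (70.0, ['db-01', 'app-01', 'file-01'])
    print(score_standard_images(SAMPLE_IMAGES))          # Fail
```

Returning the uncovered hostnames alongside the score is what makes the sensor actionable: db-01 has the agent installed but stopped reporting six weeks ago, which a pure "is it installed" count would have scored as deployed.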

Page 14: 35 Critical Security Controls


Automating the Controls: Sample Implementation – Control 5

• Inventory of Authorized and Unauthorized Software
  – Kaspersky Anti-Virus tool
    • Software inventory report lists software and version number
  – Microsoft System Center Configuration Manager (SCCM)
    • Inventory software and services on each system
  – Windows Management Instrumentation Console (WMIC)
    • Ability to script and automate the process

Page 15: 35 Critical Security Controls


Automating the Controls: Sample Implementation

• Maintenance and Analysis of Security Audit Logs
  – Splunk and Kiwi
    • Compiles all logs from all key devices
  – Enterprise Log Search and Archive (ELSA)
    • Centralized syslog platform
  – Utilizing syslog as the unified format makes automation easier

Page 16: 35 Critical Security Controls


THANK YOU for your time

Dr. Eric Cole
Twitter: drericcole

Page 17: 35 Critical Security Controls

The Australian 35

Defence Signals Directorate

Page 18: 35 Critical Security Controls

DSD in Australia

• Covers NSA and DHS responsibilities

• Analyzed all targeted attacks on both civilian and military government sites

• Found the 35 that mattered most

• And PRIORITIZED THEM!

Page 19: 35 Critical Security Controls


Page 20: 35 Critical Security Controls

The Sweet Spot

• Just 4 of the 35 are critical for all agencies

• The Secretary of Defense required all agencies to implement these

• The DSD developed extraordinary guides to help

• The agencies that have fully implemented them have seen no more successful targeted attacks, while others are still being hammered

• Your mileage may vary – but can you demonstrate a better record?

• Oh, the SecDef was elevated to Secretary to the Prime Minister

Page 21: 35 Critical Security Controls

What Are the Four?

1. Patch applications, e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.

2. Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.

Page 22: 35 Critical Security Controls

What Are the Four?

3. Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.

4. Application whitelisting to help prevent malicious software and other unapproved programs from running, e.g. by using Microsoft Software Restriction Policies or AppLocker.

Page 23: 35 Critical Security Controls

Peter Drucker on Leaders

Leaders are purpose driven; yes, mission driven. They know how to establish a mission. And another thing, they know how to say no. The pressure on leaders to do 984 different things is unbearable, so the effective ones learn how to say no and stick with it. They don't suffocate themselves as a result. Too many leaders try to do a little bit of 25 things and get nothing done. They are very popular because they always say yes. But they get nothing done.

Page 24: 35 Critical Security Controls

The Bottom Line

• Start with the 4 in the Sweet Spot

• Automate

• When you complete the Sweet Spot, move on to the other 20 Critical Controls

• Take the money that is going for compliance reports to pay for it.

• Stand up to the auditors; those that force you to implement low priority controls will self-destruct when they try to justify their approach.