Page 1

SHOW & TELL: METHODS AND METRICS TO IMPROVE YOUR INFORMATION SECURITY PROGRAM

Page 2

LEARNING OBJECTIVES

1. Teams in Place
2. Tools Used By Firms To Enforce and Monitor Data Security
3. Checklists
4. Metrics
5. Methods To Track Emerging Threats
6. Methods To Track Client and Compliance Requirements

Page 3

TEAMS IN PLACE

• InfoSec
• Network Engineering
• Server/Storage/AD/Messaging
• Desktop
• Development
• HelpDesk
• DDM
• Leadership

Page 4

TOOLS IN PLACE

EndPoint:              Symantec, Carbon Black, Cylance, Trend, Sophos, DLP, Whitelisting, MobileIron, AirWatch, Blackberry
Network:               Checkpoint, Cisco ASA, Palo Alto, Fortinet, Trend IPS, Websense, DLP
SIEM:                  LogRhythm, QRadar, AlienVault, Splunk
Monitoring:            SolarWinds (Orion), LanSweeper
Vulnerability Scanner: Nessus, DDI Frontline, Nmap
Other:                 FireEye ATP, FireEye SMTP, Darktrace, Office365 ATP, SCCM, MSSP (Third Party)
                       PhishMe, KnowBe4, Wombat
                       Varonis, CyberArk, Avecto DefendPoint
                       Proofpoint, MessageLabs

Page 5

FIREEYE ATP

• Inline to internet gateway
• Receive alerts in email
• Known/unknown threats blocked or sandboxed

Page 6

AIRWATCH - MDM

Page 7

PROCESS: DAILY, WEEKLY, MONTHLY

1. Create technical reference/documentation
2. Develop SOC runbook/operational processes
3. Create check-out processes (daily, weekly, monthly, etc.)
4. Create HW/network monitoring and capacity management system and process
5. Create incident management system
6. Monitor these 24/7

Page 8

MORE ON PROCESS…

• Daily cyber hygiene report
  – List all Administrator group changes (add/remove) over previous 24 hours
  – List all accounts deactivated over previous 24 hours
  – List all accounts unused for 30 or more days
• Weekly patch velocity report
  – Percentage of critical patches successfully deployed
  – Percentage of important patches successfully deployed
  – Percentage of moderate patches successfully deployed
  – Percentage of low patches successfully deployed
• Monthly cyber hygiene report
  – Percentage of your staff who have completed cybersecurity training
  – Percentage of staff actively using a password manager
  – Percentage of your computers using ad blockers in their web browsers
  – Percentage of new customer contractual requirements that have been successfully incorporated into your SOPs
• Annual cyber hygiene report
  – Risk assessment completed?
  – Percentage of policies reviewed?
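The daily and weekly report items above are simple enough to compute directly from directory audit events, account records and patch-deployment status. The following Python is an added example, not from the presentation or from any vendor it names: the record layouts, the set of administrator groups, the sample events and accounts, and the patch counts are all constructed, and patch velocity is computed per severity as installed hosts over targeted hosts (an assumption; a per-patch count would fit the slide's wording equally well).

```python
"""Daily cyber hygiene and weekly patch velocity metrics.

Added example, not from the presentation: the report items listed on the
slide computed over constructed in-memory records. A real deployment would
feed the same fields from directory audit logs (or the SIEM) and the patch
management system.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; all timestamps are UTC (constructed).
NOW = datetime(2017, 5, 15, 8, 0, tzinfo=timezone.utc)

# Groups whose membership changes belong on the daily report (assumption).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed directory audit events: (timestamp, event, account, group).
ADMIN_GROUP_EVENTS = [
    (NOW - timedelta(hours=2),  "member_added",   "jdoe",   "Domain Admins"),
    (NOW - timedelta(hours=20), "member_removed", "svc_bk", "Domain Admins"),
    (NOW - timedelta(hours=30), "member_added",   "asmith", "Enterprise Admins"),  # older than 24 h
    (NOW - timedelta(hours=5),  "member_added",   "bob",    "Sales"),              # not an admin group
]

# Constructed account records: (account, enabled, last_logon, disabled_at).
ACCOUNTS = [
    ("jdoe",        True,  NOW - timedelta(days=1),  None),
    ("asmith",      True,  NOW - timedelta(days=45), None),
    ("contractor1", True,  NOW - timedelta(days=30), None),   # exactly 30 days: counts as unused
    ("svc_bk",      False, NOW - timedelta(days=2),  NOW - timedelta(hours=6)),
    ("old_tmp",     False, NOW - timedelta(days=90), NOW - timedelta(days=3)),
]

# Constructed patch status: (patch_id, severity, hosts_targeted, hosts_installed).
PATCHES = [
    ("PATCH-0001", "critical",  200, 196),
    ("PATCH-0002", "critical",  200, 184),
    ("PATCH-0003", "important", 150, 120),
    ("PATCH-0004", "moderate",  100,  50),
    ("PATCH-0005", "low",        80,   0),
]
SEVERITIES = ("critical", "important", "moderate", "low")


def admin_group_changes(events, now=NOW, window=timedelta(hours=24)):
    """Administrator group adds/removes within the last `window`."""
    cutoff = now - window
    return [e for e in events if e[3] in ADMIN_GROUPS and e[0] >= cutoff]


def deactivated_accounts(accounts, now=NOW, window=timedelta(hours=24)):
    """Accounts disabled within the last `window`."""
    cutoff = now - window
    return [name for name, enabled, _, disabled_at in accounts
            if not enabled and disabled_at is not None and disabled_at >= cutoff]


def stale_accounts(accounts, now=NOW, days=30):
    """Enabled accounts with no logon for `days` or more."""
    cutoff = now - timedelta(days=days)
    return [name for name, enabled, last_logon, _ in accounts
            if enabled and last_logon <= cutoff]


def patch_velocity(patches):
    """Percent of targeted hosts patched, per severity (host-weighted; assumption)."""
    targeted, installed = Counter(), Counter()
    for _, severity, hosts_targeted, hosts_installed in patches:
        targeted[severity] += hosts_targeted
        installed[severity] += hosts_installed
    return {s: (round(100.0 * installed[s] / targeted[s], 1) if targeted[s] else None)
            for s in SEVERITIES}


def daily_report(events=ADMIN_GROUP_EVENTS, accounts=ACCOUNTS, now=NOW):
    """The three daily cyber hygiene items from the slide, as one dict."""
    return {
        "admin_group_changes": [(e[1], e[2], e[3]) for e in admin_group_changes(events, now)],
        "deactivated_24h": deactivated_accounts(accounts, now),
        "unused_30d": stale_accounts(accounts, now),
    }


def weekly_report(patches=PATCHES):
    """The weekly patch velocity items from the slide."""
    return patch_velocity(patches)


if __name__ == "__main__":
    for key, value in daily_report().items():
        print(f"{key}: {value}")
    for severity, pct in weekly_report().items():
        print(f"{severity} patches deployed: {pct}%")
```

The "unused for 30 or more days" item is deliberately inclusive (an account last seen exactly 30 days ago is reported), and disabled accounts are excluded from the stale list so they are not counted twice once they appear in the deactivation item.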

Page 11

SOPHOS ANTI-VIRUS

• Check alert status and config issues
• Daily and weekly reports

Page 12

METRICS AND REPORTING

Type                        Description
Management Reports          Monthly InfoSec report with statistics
Dashboards                  Phishing, ATP, Vulnerability Scanners, etc.
Incident Management System  Internal and external incidents
ISO27001 Reports            Compliance

Page 13

METRICS: MANAGEMENT REPORT

System / Software           Category                        Jan-2017      Feb-2017      Mar-2017      Apr-2017
FW                          Firewall - Blocked              87,177,436    70,789,864    124,708,413   105,237,826
ATP                         Threats - Blocked               6             23            79            12
SMTP/ATP                    Malware - Blocked               31            102           86            58
HelpDesk                    Security Incident               196           136           139           197
Incident Management System  Total Incidents                 167           105           104           120
SPAM/Cloud                  Spam / Malware detected         193,000       181,276       204,523       185,342
MSSP                        Incidents                       68            80            79            84
Trad AV                     Malware - Blocked               13            35            97            18
IPS                         IPS - Blocked                   82,934        307,975       225,414       91,813
Exch AV                     Malware / Spam / URLs detected  168           62            290           197
WAP                         DLP - Blocked                   0             0             0             0
WAP                         Web - Blocked                   36,775        53,629        82,801        48,442
Total Detected / Blocked                                    87,490,794    71,333,287    125,222,025   105,564,109

Page 14

DDI FRONTLINE VULN SCANNER

• Internal/external scans
• Run reports
• Periodic scanner updates (3 in May)

Page 15

VULNERABILITY MANAGEMENT REPORT

Page 16

PHISHME CAMPAIGN (1 OF 3)

Page 17

PHISHME CAMPAIGN (2 OF 3)

Page 18

PHISHME CAMPAIGN (3 OF 3)

Page 19

PHISHING SIMULATION REPORT

Page 20

HOW TO MEASURE SECURITY?

[Figure: risk versus cost curve, with the regions labelled "Not enough", "Just right!" and "Too much"]

Page 22

TRACKING EMERGING THREATS

• CarbonBlack Threat Feeds
• Infragard (not usually very timely)
• MSSP Feeds
• LS-ISAO
• Twitter and other real-time “news” feeds
  – @TheHackerNews, @taviso, @HackingDave, @demonslay335, @e_kaspersky, @briankrebs, @SwiftOnSecurity

Page 24

TRACKING CLIENT REQUIREMENTS

• Intranet for organization of client assessments
• Spreadsheets for tracking common Q&A
• ISO 27001 compliance requirements

Page 25

QUESTIONS

• ????