INFOSECFORCE

"The Invisible Person .... The Information Security Architect"
"Balancing security controls to business requirements"

Bill Ross, Application Security, 15 Sept 2008
Security architecture analyses brief, 21 April 2015


Critical Reason for ISA Excellence

"We are in a CYBER war, and corporations and governments are being clobbered by an invisible enemy that, at times, seems to own numerous private networks. Information Security Teams across the globe are fighting the good fight and win and lose in this battle. Every year thousands of articles and conferences across the globe address this challenge, and when one reads the literature and attends the meetings, one gleans that a core weapon is missing in the discussion:

- Cohesive risk- and business-based information security architecture
- Systematically and strategically planned and executed
- An Information Security Architect with a "Ninja war-fighting spirit"

INFOSECFORCE 2012

"Will the real Information Security Architect step out of the shadows and reveal him/her self so we all know who and what we are?"

Searching for YETI?

The Invisible Person

The Security Architect


Background

Two years ago, wrote the paper "The Invisible Person .... The Security Architect"
Concerned about the wide degree of interpretations of what a Security Architect is
Posted on "ONLY" two LinkedIn sites
Amazing response .... over 600 global requests for the paper in two years
Two reasons why?

Egregious data breaches this year
Which should not be on this list?

Source http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Will anything stop them?

"Cyber Security's Maginot Line"
"Sample: 1216 organizations, 63 countries, 20 industries, 67 billion spent on security"
Did the Security Architecture fail?

Source: http://www2.fireeye.com/rs/fireye/images/fireeye-real-world-assessment.pdf


ISA Operational report: current indicators

The Information Security Community (ISC) does not yet have a consistent and recognized universal definition of what an ISA is, BUT we are gaining on it.
Limited recognition in IT standard frameworks of what an ISA should accomplish (EA, TOGAF, DoDAF, Zachman).
Security community ISA standards (SABSA, OSA, ISC2, Huxham).
As such, wide-ranging and variable job descriptions covering every aspect of Information Security roles and responsibilities.
Given the lack of an ISA standard, the Security Architect sometimes struggles in his/her role, as what he/she thinks he/she should do is not what the company thinks they hired him/her for.

Note about Enterprise Architecture

SOURCE: http://securityarchitecture.com/docs/Security_Management_Frameworks.pdf


The ISA brief objectives

Background:
Invisible person thought piece written 8/12/2014 .... posted on ONLY two blogs .... almost 600 global requests.

Purpose:
Discuss the definition and roles of an information security architect (ISA)
Is there a problem?
Examine possible industry ISA interpretations
Review information security models
System Security Architecture implementation models

Expected outcome:
Enhanced awareness of ISA roles and responsibilities
More writings and better certifications and definitions
More securely built applications and infrastructure
Not the "Big Bang Theory"


Personal ISA experience

Have built security architectures/plans/road maps, designed strategies, hired Security Architects and mentored them .... I am a self-taught architect .... I just like to build things.

Enthralled by TAFIM in the 1990s
Built the Tactical Collection Framework for the Central American wars
Integrated the Air Force Special Ops and regular USAF Intelligence architectures
Baselined the technical architecture for the global Army Materiel Command
For CSC, managed deploying JP Morgan's first global security architecture
Built the security technical road map for Federal Reserve IT
Appointed someone as the Federal Reserve's first security architect
Hired the security architect for the Northrop VITA contract
Hired by AXA Tech as the Security Architect
Defined strategy for the Information Risk Architecture Framework (IRAF)
Security Architect for AIG at United Guaranty Corporation
Wrote "The Invisible Person .... the Security Architect"
Sherwood Applied Business Security Architecture (SABSA) trained
SAIC Information Assurance Architect
INFOSECFORCE LLC Security Process Architect


The Origins of Architecture

"Architecture has its origins in the building of towns and cities, and everyone understands this sense of the word, so it makes sense to begin by examining the meaning of 'architecture' in this traditional context. Architecture is a set of rules and conventions by which we create buildings that serve the purposes for which we intend them, both functionally and aesthetically."

Architecture is founded upon an understanding of the requirements that it must fulfil. These needs are expressed in terms of function, aesthetics, culture, government policies and civil priorities. Architecture is also both driven and constrained by a number of specific factors.

Man's primordial need to scream "build"
IT Architect
IT Enterprise Architecture Evolution


ISA conundrum

Relentless attacks hurting INFOSEC reputation
Focus on frameworks like NIST and PCI versus architecting and engineering
Enterprise Architecture, TOGAF and ISO 27001 just now integrating SABSA
Multiple IT and then Security Architecture frameworks .... overwhelming
Various interpretations of what an Information Security Architect is
Scant references in the trades to the importance of integrating security
SABSA and ISC2 certs, but need engineering equivalents
SABSA the closest thing to an ISA champion (like early ITIL, mostly offshore)
No true professional organization like "The Global Information Security Architect Association (GISAA)"
Forthcoming and relentless cyber attacks

Working on to good ......


Various ISA job descriptions

JDs exemplify organizational ISA soul searching:

1. Extremely technical in one or two security technologies such as firewalls or intrusion detection devices.
2. Extremely technical on all aspects of security but cannot connect the architecture to business requirements and the overall strategy. Could install a HIDS or even a firewall, but the person did not design a strategy for how these systems could operationally and tactically integrate as part of the intrusion detection framework.
3. Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process.
4. Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan.
5. Calling the security director or security manager the security architect.


Likelihood of succeeding as an ISA

Each row below is rated Great / High / Medium / Low on the original slide (the rating column did not survive extraction):

- Extremely technical in one or two technologies like firewalls
- Extremely technical in all things security technology but no business acumen
- Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process
- Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan
- Calling the security director or security manager the security architect
- 10 years experience in information security
- SABSA, TOGAF, OSA, Zachman trained and certified
- Highly experienced in one of these frameworks: NIST, SANS, ISO 27001, COBIT, Cyber Security Framework, PCI, FTI, FISMA, DIACAP, RMF
- ITIL, CISSP, GIAC, EE, DISA


Optimum ISA Job Description

"An information security architect should have at least 10 years experience in information security and at one point in his/her career should have had hands-on technical experience in anything from help desk support to being a UNIX or database administrator. This person should have extensive knowledge of security platforms, has managed acquisition efforts, identity access management, cyber warfare, and governance as it is translated from security standards and policies into an operational technical environment that is aligned with the core business processes, be they financial institutions like JP Morgan or e-commerce giants like Amazon or Best Buy. This person should have served on the front lines of cyber battles such as NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a visionary, and understands how security supports business objectives. Ultimately, the Security Architect is a perfect blend of a highly skilled security engineer, a governance and policy expert, an enterprise architect, and a business-savvy professional with a Ninja spirit."

Who ya gonna call?

SANS think

"Can you build a Defense in Depth architecture without an architect?"

"Of course, you are not going to get very far with an architectural approach to Defense in Depth without an architect. Unfortunately, the industry is still unclear as to exactly what an IT Security Architect is. The concept is, however, starting to mature. The (ISC)2 organization has created an ISSAP (Information Systems Security Architecture Professional) certification[2]. The SABSA organization has three levels of certifications for Security Architects: Foundation, Practitioner, and Master. There are job opportunities for positions labeled as "Security Architects," although many times they sound more like engineers than architects. Though specific knowledge about systems and networks is important, an architect should have the ability to assemble and disassemble pieces of knowledge to/from a whole."

Stephen Northcutt, J. Michael Butler and the GIAC Advisory Board
Source: http://www.sans.edu/research/security-laboratory/article/security-architect


ISA Certification syllabuses: two prime ISA certifications

SABSA
• Define enterprise security architecture, its role, objectives and benefits
• Describe the SABSA model, architecture matrix, service management matrix and terminology
• Describe SABSA principles, framework, approach and lifecycle
• Use business goals and objectives to engineer information security requirements
• Create a business attributes taxonomy
• Apply key architectural defence-in-depth concepts
• Explain security engineering principles, methods and techniques
• Use an architected approach to design an integrated compliance framework
• Describe and design appropriate policy architecture
• Define security architecture value proposition
• Use SABSA to create an holistic framework to align and integrate standards
• Describe roles, responsibilities, decision-making and organisational structure
• Explain the integration of SABSA into a service management environment
• Define security services
• Describe the placement of security services within ICT infrastructure
• Create a SABSA Trust Model
• Describe and model security associations intra-domain and inter-domain
• Explain temporal factors in security and sequence security services
• Determine an appropriate start-up approach for SABSA architecture
• Apply SABSA Foundation level competencies to the benefit of your organisation

(ISC)2 ISSAP
• Access Control Systems and Methodology
• Communications & Network Security
• Cryptography
• Security Architecture Analysis
• Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
• Physical Security Considerations

NOTE: ISSAP capitalizes on CISSP training


The GARTNER view is EA focused

Enterprise Security Architecture

• Information security solutions are often designed, acquired and installed on a tactical basis.
• No strategic dimension.
• The organization builds up a mixture of technical solutions on an ad hoc basis.
• No guarantee that they will be compatible and inter-operable.
• The solution is to base decisions on business requirements, including:
  - The need for cost reduction
  - Modularity
  - Scalability
  - Ease of component re-use
  - Operability
  - Usability
  - Inter-operability, both internally and externally
  - Integration with the enterprise IT architecture and its legacy systems

Ad hoc, not integrated, not planned and costly
Security is business

Source: http://www.intigrow.com/enterprise-security-architecture-design.html


WHAT'S IT GONNA TAKE? Being a Successful Information Security Architect

"Unless the security architecture can address a wide range of operational requirements and provide real business support and business enablement, rather than just focusing upon 'security', then it is likely that it will fail to deliver what the business expects and needs."

This is a common phenomenon throughout the information systems industry. Being a successful security architect means thinking in business terms at all times. You always need to have in mind the questions: Why are you doing this? What are you trying to achieve in business terms here? Otherwise you will lose the thread and finish up making all the classic mistakes of those who do not understand strategic architecture and who think that it is all to do with technology.

Buy-in and sponsorship from senior management: enterprise architecture cannot be achieved unless the most senior decision-makers are on your side. Creating this environment of acceptance and support is probably one of the most difficult tasks that you will face in the early stages of your work.

Source: SABSA


ISA conundrum summary

ISA Situation
- Onslaught of cyber attacks costing millions in damages and loss of consumer trust
- Numerous interpretations of ISA limit organizational success in ISA
- While improving, need more global awareness of the essential importance of "Building Security In"
- SABSA and ISSAP good but not good enough
- Standards like NIST and PCI good but not nearly good enough

Action Plan
- Bring the ISA out of the shadows or redefine what an ISA is
- Industry and government ISA punctuation greatly needed
- Need to create an ISO or IEEE level standard
- Make it an engineering science, as is an EE degree
- Trades like SC, CISO, Information Week and companies like RSA, Symantec, Verizon need to champion ISA
- Somehow, someway, create GISAA


The eloquent designs

The IT and Security "Architecture" designs ...... thinking and planning

Source: http://antifan-real.deviantart.com/art/Grand-Universe-17189369


SABSA Eloquent design


SABSA Eloquent design matrix


ISA Landscape by OSA


Source: http://www.opensecurityarchitecture.org/cms/library/patternlandscape/315-sp-026-pci-full

PCI OSA Pattern

Server OSA Pattern

TOGAF development process

Source: http://www.opengroup.org/subjectareas/enterprise/togaf


Huxham Security Framework


INFOSECFORCE baseline


MAKING IT REAL .... yikes

Implementing a framework or enterprise improvements

COBIT
ISO 27001
PCI
NIST RMF
OPRA
HIPAA
UCF SOX
NIST CSF
Security Engineering & Architecture
SANS Top 20

Implementation tool and designs: keeping it simple

System security plan that defines risk, architecture and controls
Control framework of your choosing, such as NIST CSF, PCI, etc.
Plan, Build, Deploy, and Operate project plan
INFOSECFORCE risk management analysis (process and technology gaps)
SABSA framework sheet establishing overall situational awareness
OSA patterns
High level engineering design
Detailed engineering design
Excruciatingly detailed test plans
Implementation plan
Policy, process and procedures
Certification and accreditation
Continuous control monitoring plan
Production security


Fundamental Enterprise Security Architecture Planning Issue

Enterprise Security Architecture asynchronous planning

Information security solutions are often designed, acquired and installed on a tactical basis. "A requirement is identified, a specification is developed and a solution is sought to meet that situation." The strategic dimension is not considered. The result is a mixture of technical solutions on an ad hoc basis, each independently designed and specified, with no guarantee that they will be compatible and inter-operable; no analysis of the long-term costs, especially the operational costs, which make up a large proportion of the total cost of ownership; and no strategy that can be identifiably said to support the goals of the business.

Source: SABSA


Enterprise Security Architecture Planning Solution

Development of an enterprise security architecture which is business-driven: a structured inter-relationship between the technical and procedural solutions to support the long-term needs of the business. It must provide a rational framework within which decisions can be made based on an understanding of the business requirements, including:

- The need for cost reduction
- Modularity
- Scalability
- Ease of component re-use
- Operability
- Usability
- Inter-operability, both internally and externally
- Integration with the enterprise IT architecture and its legacy systems

Security Architecture Planning is the missing piece of the puzzle

Source: SABSA

Security Architecture Approach

Holistic approach
A common mistake is believing that building security into information systems is simply a matter of referring to a checklist of technical and procedural controls and applying the appropriate security measures on the list.

Car example
A car is a good example of a complex system. It has many sub-systems, which in turn have sub-systems, and eventually a very large number of components. Designing and building a car needs a 'systems-engineering' approach.

Architecture system approach
Do you understand the requirements? Do you have a design philosophy? Do you have all of the components? Do these components work together? Do they form an integrated system? Does the system run smoothly? Are you assured that it is properly assembled? Is the system properly tuned? Do you operate the system correctly? Do you maintain the system?

Are PCI, NIST, SANS Top 20, DIACAP architectures?

Architect/Engineer/Implement? Implementing a framework or a system

PLAN. Define:
- Feasibility
- Business case
- Initial risk assessment
- Requirements
- Security CIA
- Charter
- System type
- System security plan
- Baseline

BUILD. Define:
- EA architecture plan
- System risk level
- Applicable security control requirements
- High level design
- Detailed design
- Functional design

DEPLOY. Define:
- Test, test, test
- Acceptance
- Procedure
- Process
- CONOPS
- Certify and attest

OPERATE. Define:
- Vulnerability mgt
- Pen test mgt
- Continuous logging and monitoring
- Compliance plan PCI/SOX
- Patch mgt
- Security CIA
- Change mgt
- Incident response

SLCMP and the SDLC .... "The Dance"

SDLC steps (PLAN / BUILD / DEPLOY / OPERATE):
- Statement of need for new business process, application or technology
- Functional requirements document designed
- Design and technical architecture developed
- Code development
- 1st phase prod testing
- QA
- Pre prod
- Prod
- Post prod

INFOSEC activities, in sequence:
- INFOSEC participation in feasibility analyses; no documentation required
- Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done. Measure requirements against policy and provide functional adjustments. Security requirements stated based on the preliminary risk and vulnerability assessments. If necessary, the requirements document is adjusted.
- INFOSEC architecture document created based on data security categorization, policy, application functionality and risk and vulnerability assessments
- Integrate controls and create a detailed application security test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from the project manager.
- First phase application security testing. Once code begins solidifying, use soft tools such as AppScan or SPI Dynamics for high level testing. Feed findings back to developers for code correction.
- Second phase app security testing using a formalized process to decompile code as much as possible to determine if the code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect Security has expertise in this area.
- Third phase app security test, which follows the phase one testing process. Used as final verification that the code is stable from an INFOSEC perspective.
- Create final risk acceptance document
- Application and infrastructure penetration testing
- Server cert
- 2nd phase prod testing
- Ongoing pen tests, vulnerability assessments, risk management

** Security certification and accreditation should be finalized

The ISA does not exist after all: paradigm shift(ed)

ISA: not an architect after all
- Engineer defining and implementing security requirements
- Implementing the security components of an enterprise architect solution
- Integrated and symbiotic with the enterprise architecture
- Security processes that run on the infrastructure and something the business enterprise cannot do without
- It is a senior engineer that guides the construction and implementation of the security components


Conclusion: We are at war. A Security Architect can define strategies to defeat the aggressors. The ISC needs to standardize its doctrine and strategy to define the ISC view of what an ISA is; once defined, it will be easier to define what a Security Architect is and should do to protect vital business data assets. Not only will this protect your data and business, you will implement optimized solutions for investment utilization. Organizations need to hire the right people for ISA jobs and stop confusing Senior Security Engineers with the roles and responsibilities of an Information Security Architect. While they are complementary in nature, the roles are different. Smart Security Architects should always include brilliant security and infrastructure engineers in developing their business's holistic and comprehensive ISA. I am confident that if an organization uses the simple framework I described above, its Security Architect will create an outstanding ISA and ISA road map.


Summary: By including security requirements in the EA process and security professionals in the EA team, enterprises can ensure that security requirements are incorporated into priority investments and solutions. Enterprise-level security awareness and support for the security team can improve as well. Controls are services: when to use SOAP, when to encrypt.


BACKUPS


Framework for Improving Critical Infrastructure Cybersecurity

The framework throws a bone at the notion of improving security by discussing gap analysis, but how to do that is well understood and documented elsewhere. The real value here is a means to both justify and compel private sector spending in a commercially competitive environment to fill the security gaps.

http://www.darkreading.com/vulnerabilities---threats/baby-teeth-in-infrastructure-cyber-security-framework/d/d-id/1204437

SDLC/PLCMP Deliverables (REF: NIST 800-53)

Initiate
- Data security categorization
- Preliminary risk assessment
- Security plan

Design and develop
- Risk assessment
- Functional requirements analyses
- Assurance requirements
- Control selection
- Security architecture
- Functional and vulnerability test plan
- First phase testing
- Additional planning assignments

Implement
- Security control integration
- Second phase app security testing
- Third phase app security testing
- Security certification
- Security accreditation
- Final risk acceptance document

Production
- Threat management
- Configuration management and control
- Continuous monitoring
- Incident response plan
