Unified Security Governance

Post on 22-Jan-2018


Can Demirel, Public Version V1.0.0

Unified Security Governance

Agenda

• Unified Security Governance

• Setting up Cross Functional Team

• Scope & Milestones

• Analysis

• Process design & Implementation

• Unified Vulnerability Management

• Security Operation Center

• Governance: Doing the right job

• Management: Doing the job right

• What is your job? (Not your LinkedIn title)

– Reports, presentations, budget planning, tracking unsolved vulnerabilities

Or

– Security operations, finding vulnerabilities, process design and managing processes

• Complexity has a cost.

– Infrastructure

– Technology

– Design

– Process

– Analysis tools

– Supplier

Role / Tasks / Personal Characteristics[1]

• Project Sponsor

– Tasks: Solve project conflicts; Leadership; Top management commitment; Ensure project plan is still applicable

– Personal characteristics: Enterprising, Social

• Project Lead

– Tasks: Coordinate the whole team; Organize periodic meetings; Update project plan; Escalate problems when necessary

– Personal characteristics: Conventional, Social

• Technical Lead

– Tasks: Plan technical needs and assure them; Assign tasks to technical team; Review technical team results

– Personal characteristics: Realistic, Creative

• Technical Team

– Tasks: Accomplish given tasks

– Personal characteristics: Realistic

[1] http://sourcesofinsight.com/6-personality-and-work-environment-types/

• Scope matters.

– Cost

– Time

– KPI

Photo credit: Bernhard Schambeck, Feature China/Barcroft Media, http://www.dailymail.co.uk/news/article-2170881/Chinese-tightrope-walker-plummets-ground-trying-high-wire-stunt-backwards-AND-blindfolded.html

• If you are new in town.

– Computer Based

• Review all external/internal DNS host records

• Review all firewall rules

• Review all router/switch configuration

• Review suppliers/hosting records

• Human Based

– Face to face interviews with all possible business partners, including:

• Company departments

• Top management

• Suppliers

• Paper Based

– Review all written rules/policies/procedures about this domain

• Probably nothing is written

• Your scope is shining. Need milestones?

• Yet another project going to the graveyard?

Page by Tom Parker http://tevp.net

• Analysis

– Penetration Tests

– Security Review

• Process Design & Implementation

• Unified Vulnerability Management

• Security Operation Center

• External pentest

• Local area network pentest

• Web Application pentest

• Web Services pentest

• Mobile Application pentest

• Wireless pentest

• VOIP pentest

• ERP/SAP pentest

• SCADA Pentest

• Code Review

• Social Engineering

• Load, performance, Denial of Service tests

• Local area network review

• WAN/MPLS Review

• OS Security Review

• Database Security Review

• Active Directory and Services Review

• IPS Review

• Firewall Review

• WLC Review

• Virtualization Security Review

• Any other security platform review

– Proxy, DDoS protection…

• We need to talk and write some papers!

http://theberry.com/2013/09/06/run-forrest-run-24-photos/

• Risk Management

• Asset Management

• Incident Management

• Access Management

• Password Management

• Project Management

• Secure-SDLC

• HR Security

• Physical Security

• Change & Configuration Management

• Capacity Management

• Supplier Management

• And many more…

• Handling

– Users

– Assets

– Scans

– Vulnerability Database & Correlation

– Task Management

– Cyber Intelligence

– Alarms

– Logging and Log Management

– Reports

Photo credit: Bernhard Schambeck Photography, www.bernhardschambeck.de

• Your platform should allow you to;

– Create different types of users & roles

– Create different groups

• Your platform should allow you to;

– Define assets in any type

– Define asset groups by asset attribute

– Define ownership

– Auto discover

• Your platform should allow you to;

– Define asset/asset group scan

– Manage scan&scan results in one platform

– Integrate historical scans

– Define compliance based scans

– Define and handle passive vulnerability scan

• Your platform should allow you to;

– Define your vulnerabilities in any language

– Group your vulnerabilities

– Define manual vulnerabilities and so on

• Your platform should allow you to;

– Integration to GRC

– Integration to ticketing mechanism

– Assign vulnerabilities manually or automatically

– Assign vulnerabilities based on assets

• Your platform should allow you to;

– Track domain records

– Track SSL information

– Track information disclosure over internet

– Track social media

• Your platform should allow you to;

– Define asset based alarms

– Define vulnerability based alarms

– Define scan based alarms

– Define SLA based alarms

– Define cyber intelligence based alarms
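The asset, scan, vulnerability-correlation, assignment and alarm requirements listed above describe one data model. The following is an added example, not code from the deck or from any product it references, that shows a minimal version of that model in Python: assets carry attributes and an owner, each scan is merged into a vulnerability database so repeated findings keep their first-seen date and findings no longer reported on a scanned asset are closed, open findings are routed to the asset owner, and an SLA-based alarm fires when a finding has stayed open longer than its severity allows. The SLA day counts, asset names, plugin identifiers and scan dates are all constructed for the example.

```python
"""Toy unified vulnerability-management core (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation SLA per severity, in days (constructed values, not from the deck).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Asset:
    name: str
    owner: str
    attributes: dict  # e.g. {"env": "prod", "type": "web"}; used for asset groups


@dataclass
class Finding:
    asset: str
    plugin_id: str  # the scanner's own check identifier, used to correlate across scans
    severity: str
    first_seen: date
    last_seen: date
    status: str = "open"  # "open" or "fixed"


def asset_group(assets, **criteria):
    """Asset group defined by attribute: every key/value in criteria must match."""
    return [a for a in assets if all(a.attributes.get(k) == v for k, v in criteria.items())]


def correlate(db, scanned_assets, results, scan_date):
    """Merge one scan into the vulnerability database.

    db:             dict keyed by (asset, plugin_id) -> Finding (the historical database)
    scanned_assets: set of asset names the scan actually covered
    results:        iterable of (asset, plugin_id, severity) rows reported by the scanner
    A finding seen again keeps first_seen (so SLA age is measured from first discovery);
    an open finding on a scanned asset that is not reported any more is marked fixed.
    Assets that were not scanned are left untouched: absence of data is not a fix.
    """
    seen = set()
    for asset, plugin, severity in results:
        key = (asset, plugin)
        seen.add(key)
        current = db.get(key)
        if current is None:
            db[key] = Finding(asset, plugin, severity, scan_date, scan_date)
        else:
            current.last_seen = scan_date
            current.severity = severity
            current.status = "open"  # reopens a finding that was wrongly closed
    for key, finding in db.items():
        if finding.asset in scanned_assets and key not in seen and finding.status == "open":
            finding.status = "fixed"
    return db


def assign(db, assets):
    """Assignment based on assets: every open finding goes to its asset's owner."""
    owners = {a.name: a.owner for a in assets}
    return {key: owners.get(f.asset, "unassigned") for key, f in db.items() if f.status == "open"}


def sla_alarms(db, today):
    """SLA-based alarms: open findings older than their severity's SLA, worst overdue first."""
    alarms = []
    for f in db.values():
        if f.status != "open":
            continue
        deadline = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
        if today > deadline:
            alarms.append((f.asset, f.plugin_id, f.severity, (today - deadline).days))
    return sorted(alarms, key=lambda a: -a[3])


def run_demo(today=date(2018, 1, 22)):
    """Two constructed scans run through the model; returns the pieces for inspection."""
    assets = [
        Asset("web-01", "alice", {"env": "prod", "type": "web"}),
        Asset("db-01", "bob", {"env": "prod", "type": "db"}),
        Asset("web-dev", "alice", {"env": "dev", "type": "web"}),
    ]
    db = {}
    # Scan 1 (constructed): all three assets covered.
    correlate(db, {"web-01", "db-01", "web-dev"}, [
        ("web-01", "TLS-weak-cipher", "high"),
        ("db-01", "default-creds", "critical"),
        ("web-dev", "outdated-lib", "medium"),
    ], date(2017, 11, 1))
    # Scan 2 (constructed): web-dev not scanned; db-01 no longer reports default-creds.
    correlate(db, {"web-01", "db-01"}, [
        ("web-01", "TLS-weak-cipher", "high"),
        ("web-01", "xss-reflected", "high"),
    ], date(2018, 1, 20))
    return {
        "db": db,
        "prod": asset_group(assets, env="prod"),
        "assignments": assign(db, assets),
        "alarms": sla_alarms(db, today),
    }


if __name__ == "__main__":
    result = run_demo()
    for alarm in result["alarms"]:
        print("SLA breached: %s %s (%s) overdue by %d days" % alarm)
```

In the demo the high-severity cipher finding on web-01 was first seen on 2017-11-01, so with a 30-day SLA it is 52 days overdue on 2018-01-22, while the critical finding on db-01 is closed because the second scan covered that asset and no longer reported it; the dev box keeps its open finding because it simply was not scanned. Keying the database on (asset, check) rather than on the scanner's per-run result id is what makes "integrate historical scans" and SLA ageing possible.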

• Your platform should allow you to;

– Collect log on your platform

– Integration to Central Log Management

• Give me some nice reports!

• Make it simple!

Photo credit: https://jaxenter.com/deploying-microservice-how-to-handle-complexity-122336.html

• Your platform should allow you to;

– Create reports in desired language

– Create report templates

– Filter your report based on asset, vulnerability or any other parameter

– Compare your reports by given parameter

Photo credit: forums.archeagegame.com, ArcheAge NA Server Connectivity Issues

• Everybody talks about it!

• Too much information will kill you in the end!

• Centralized log management

• Scenario!!!

• Incident management

• Big data analysis!

• Forensics

• http://sourcesofinsight.com/6-personality-and-work-environment-types/

• IT Governance Institute, CobIT 5.0

• ISO 27001:2013 Information technology — Security techniques — Information security management systems — Requirements

• Bedirhan Urgun, IstSec 2015 Information Security Conference, Effective Vulnerability Management

• http://www.slideshare.net/bgasecurity/stsec-2015-norm-shield-why

• Çağatay IŞIKCI, Vulnerability Management System, Information Security Notes

• https://www.bilgiguvenligi.gov.tr/is-surekliligi/zaafiyet-yonetimi-sistemi-zys.html