Date posted: 17-Feb-2017 | Category: Documents | Uploaded by: tanvir-hashmi
Key Success Factor of InfoSec:
o Architecture – in 3 slides
o SOC – 2 slides
o Defense in Depth – 1 slide
o Data Centric Security – 2 slides
[Slide diagram: Architecture at the centre of the CIA triad (Confidentiality, Integrity, Availability); governance layers Law, Regulation, Standard, Policy; domains Management, Operations, Technology]
2
Public or External or Internet Firewalls (inbound + outbound)
- Zone 1 (Public servers): DNS, NTP, Proxy, HTTP, HTTPS
- Zone 2 (Online banking)
- SMTP in, SMTP out, MIME Sweeper
- Zone 4 (Staff facilitation): SSL VPN, BYOD, Extranet, etc.
- Zone 3 (SOC): IDS admin, SIEM admin, Firewall admin, terminal concentrators of the other DMZs
Internal or Intranet Firewall
- Zone 4: Core switch
- Zone 5: Channels
- Zone 6: Mainframe
- Zone 7: HRMS
- Zone 8: Enterprise backup
Key Success Factor
• At minimum, the DMZ must sit between at least two stages of firewalls.
• NIDS and NIPS sensor placement must span the whole constituency, including serial terminals.
• Legacy network topologies shall also be brought under the constituency.
• The SOC must be strategic and separate from the enterprise domain controller.
Basic Security Architecture
3
Key Success Factors
• If the organization offers access to sensitive data to external parties such as the general public or another institution, the data is probably being provided through an interactive Web portal and/or machine-to-machine Web services. In either case there are common elements to the monitoring architecture, so both must be addressed at the same time.
Architecture – Firewalls Deployment
I worked on Riyad Bank and Emirates–KSA firewall deployments.
4
KSF
• Many SOCs tend to focus their monitoring resources on the "front door" to their network, such as their Internet gateways. While this is usually the top priority, it is really just the beginning.
• Further, we leverage email and Web content detonation (sandboxing) to detect zero-day attacks delivered through Web pages and email attachments.
• Each zone must have a dedicated NIDS, and each server within that zone must have HIDS.
Architecture – Sensor Deployment
I worked on Riyad Bank sensors and SIEM deployments.
5
SOC - Basic
[Slide diagram: SOC Head over Tier-1, Tier-2, Intel and Trending, SOC Admin and Engineer; OODA loop of Observe, Orient, Decide, (re)Act]
KSF
• Do not break apart the five 'atomic SOC functions' into disparate organizations; this will almost always work to the detriment of the CND mission.
• An analyst is required to maintain context and a sense of 'what is normal' and 'abnormal behaviour' on the hosts and networks, and to be able to respond in a relevant and timely manner.
• An effective SOC should have a charter and a set of authorities signed by constituency executive(s), in order to press for the resources and cooperation needed to execute its mission.
I worked on HSBC, Riyad Bank SOC deployments.
6
SOC - SIEM
[Slide diagram of SIEM component boxes:]
- E-Box: Event generators / sensors / pollers
- C-Box: Collection
- D-Box: Database and formatted messages
- A-Box and K-Box: Incident analysis and knowledge base
- R-Box: (re)Action and reporting
Validation
- Collect and process raw events
- Determine base events of interest
- Tune sensors and filters as needed
- Additional analysis, as needed
Disposition
- Add contextual data and remove false positives
- Determine if escalation is needed
- Provide feedback for additional tuning
- Additional analysis, as needed
Response
- Add incident to final report
- Alert appropriately
- Feedback to lower tiers
KSF
• In order for the SOC's SIEM installation to succeed, the SOC must make a sustained staffing investment to leverage it effectively.
• Perimeter network monitoring
• Insider threat and audit
• APT detection
• Configuration monitoring
• Workflow and escalation
• Incident analysis and network forensics
• Cyber intel fusion
• Trending
• Cyber SA
• Policy compliance
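The Validation, Disposition and Response tiers above can be read as three stages of one pipeline. The following is an added example written for this page, not code from the slides or from any SIEM product: it parses a handful of constructed sensor lines, keeps only the base events of interest, adds asset-criticality context, drops the known false positive (an authorised vulnerability scanner), escalates what remains and emits report entries. The log format, asset table and escalation rules are all assumptions.

```python
"""Three-tier SIEM triage: Validation -> Disposition -> Response.
Added example for this page; every input below is constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed raw sensor events in a simple syslog-like format (assumed, not a vendor format).
RAW_EVENTS = [
    "2017-02-17T09:01:02 nids1 ALERT sig=ET_SCAN_NMAP src=10.0.9.5 dst=10.0.20.11 dport=22",
    "2017-02-17T09:01:05 fw1 DENY src=203.0.113.7 dst=10.0.20.11 dport=3389",
    "2017-02-17T09:02:10 nids1 ALERT sig=MALWARE_CNC_BEACON src=10.0.20.11 dst=198.51.100.9 dport=443",
    "2017-02-17T09:03:00 fw1 ALLOW src=10.0.30.4 dst=10.0.20.12 dport=80",
    "this line is not parseable",
]

# Constructed context consumed by the Disposition tier.
ASSET_CRITICALITY = {"10.0.20.11": "high", "10.0.20.12": "low"}
AUTHORISED_SCANNERS = {"10.0.9.5"}   # the VA team's scanner: a known false-positive source

EVENT_RE = re.compile(
    r"(?P<ts>\S+) (?P<sensor>\S+) (?P<action>ALERT|DENY|ALLOW)"
    r"(?: sig=(?P<sig>\S+))? src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


@dataclass
class Event:
    ts: str
    sensor: str
    action: str
    sig: Optional[str]
    src: str
    dst: str
    dport: int
    context: dict = field(default_factory=dict)


def validate(raw_lines):
    """Tier 1 (Validation): parse raw events and keep only the base events of
    interest, here IDS alerts and denied connections. Unparseable lines are
    skipped; in practice they are the feedback signal for sensor/filter tuning."""
    events = []
    for line in raw_lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        fields = m.groupdict()
        fields["dport"] = int(fields["dport"])
        ev = Event(**fields)
        if ev.action in ("ALERT", "DENY"):
            events.append(ev)
    return events


def disposition(events):
    """Tier 2 (Disposition): add contextual data, remove false positives and
    decide which events are escalated to the response tier."""
    escalated = []
    for ev in events:
        ev.context["asset_criticality"] = ASSET_CRITICALITY.get(ev.dst, "unknown")
        # Scan signatures from the authorised scanner are expected noise.
        if ev.src in AUTHORISED_SCANNERS and ev.sig and ev.sig.startswith("ET_SCAN"):
            ev.context["disposition"] = "false_positive_authorised_scan"
            continue
        # Escalate command-and-control indicators and anything touching a high-criticality asset.
        if (ev.sig and "CNC" in ev.sig) or ev.context["asset_criticality"] == "high":
            ev.context["disposition"] = "escalate"
            escalated.append(ev)
        else:
            ev.context["disposition"] = "close"
    return escalated


def respond(escalated):
    """Tier 3 (Response): turn escalated events into report entries with a
    severity, ready for alerting and for the final incident report."""
    report = []
    for ev in escalated:
        severity = "critical" if ev.sig and "CNC" in ev.sig else "high"
        report.append({"ts": ev.ts, "severity": severity, "sig": ev.sig or ev.action,
                       "src": ev.src, "dst": ev.dst})
    return report


def triage(raw_lines):
    """Run the three tiers end to end and return the report entries."""
    return respond(disposition(validate(raw_lines)))


if __name__ == "__main__":
    for entry in triage(RAW_EVENTS):
        print(entry)
```

On the constructed input the scanner alert is closed as a false positive, the denied RDP attempt against the high-criticality host and the outbound beacon are escalated, and only those two reach the report. The point of the split is the one the slide makes: tuning feedback (unparseable lines, recurring false positives) flows back down from the upper tiers to the sensors.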
I worked on RB, NCB SIEM deployments.
7
Defense in Depth Concept
[Slide diagram: layered steps]
- Deploy Baseline
- Deploy Integrity Tech
- Deploy HIDS
- Perform EPT
- Group in NIDS
Anatomy of an IT system:
- Binary files
- Configuration files
- Registry files
- Services
- Data
KSF
• In layered security, the baseline (system hardening) is the 'last man standing'.
• In the Registry, the Run key is of special interest to malware.
• Services that are not needed must be disabled at kernel level to reduce the attack surface.
I worked on baselining all IT assets of NCB.
[Slide diagram: Prevention (baseline, FW) -> Detection (VA, PT, SIEM) -> Correction]
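The two KSF points about the Run key and about unneeded services are only useful if the baseline is actually compared against the live host afterwards. The following is an added example written for this page, not code from the slides or from any baselining tool: it diffs a captured golden baseline against a later snapshot of the same host and reports Run-key entries that were added or changed and services that were re-enabled after being disabled in the baseline. Both snapshots are constructed dictionaries rather than data read from a live Registry; the key paths, value names and service states are assumptions.

```python
"""Baseline drift check for Registry Run keys and service start states.
Added example for this page; BASELINE and CURRENT are constructed."""

# Constructed golden baseline captured when the host was hardened.
BASELINE = {
    "run_keys": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
            "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        },
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {},
    },
    # Service start types; anything disabled in the baseline must stay disabled.
    "services": {"EventLog": "auto", "Spooler": "disabled", "RemoteRegistry": "disabled"},
}

# Constructed snapshot of the same host taken at audit time.
CURRENT = {
    "run_keys": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
            "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        },
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
            "Updater": r"C:\Users\alice\AppData\Roaming\updater.exe",   # absent from baseline
        },
    },
    "services": {"EventLog": "auto", "Spooler": "disabled", "RemoteRegistry": "auto"},
}


def diff_run_keys(baseline, current):
    """Return (finding, key, value_name, command) tuples for every Run-key
    value that was added, changed or removed relative to the baseline."""
    findings = []
    for key in set(baseline) | set(current):
        base_vals = baseline.get(key, {})
        cur_vals = current.get(key, {})
        for name, cmd in cur_vals.items():
            if name not in base_vals:
                findings.append(("run_key_added", key, name, cmd))
            elif base_vals[name] != cmd:
                findings.append(("run_key_changed", key, name, cmd))
        for name, cmd in base_vals.items():
            if name not in cur_vals:
                findings.append(("run_key_removed", key, name, cmd))
    return sorted(findings)


def diff_services(baseline, current):
    """Return (finding, service, state) tuples for services that are unknown
    to the baseline or were re-enabled after being disabled in it."""
    findings = []
    for svc, state in current.items():
        base_state = baseline.get(svc)
        if base_state is None:
            findings.append(("service_unknown", svc, state))
        elif base_state == "disabled" and state != "disabled":
            findings.append(("service_reenabled", svc, state))
    return sorted(findings)


def check_host(baseline, current):
    """Full baseline comparison for one host."""
    return {
        "run_keys": diff_run_keys(baseline["run_keys"], current["run_keys"]),
        "services": diff_services(baseline["services"], current["services"]),
    }


if __name__ == "__main__":
    for area, findings in check_host(BASELINE, CURRENT).items():
        for f in findings:
            print(area, *f)
```

On the constructed data the check reports one new HKCU Run-key value and one re-enabled service; a host that matches its own baseline reports nothing. Feeding these findings to the SIEM is what turns the "configuration monitoring" use case on the previous slide into an actual detection.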
8
Classification Policy
- Leak control at mail gateway (@xyz.co.kw)
- Leak control at automation (USB, CD, etc.)
- Leak control at Internet gateway (Gmail, SkyDrive, etc.)
KSF
• With the advent of perimeter blurring, focus on securing data rather than end points. Identify the gateways in the enterprise network through which end users transfer information, then deploy the DLP technologies that best suit the organization's existing technology investments.
• Web DLP technology should read classification metatags and integrate with SSL offloader technology to process and monitor traffic going to Gmail, SkyDrive, SFTP and similar services.
• Mail DLP technology should read information classification metatags and integrate with the mail servers.
• DLP end-user clients, which must be deployed on all PCs, should read metatags and check information transfers.
• SIEM can be integrated at all gateways to monitor leakage trends.
Data Centric Security
I worked on leak proofing KFH bank.
9
Data Centric Security Policy
[Slide diagram: concentric circles of trust]
- Org circle of trust: xyz Inc. (Kuwait)
- Federation circle of trust: KSA, UAE, Qatar, Bahrain, Oman
- Partners / 3rd party: KSA
- Untrusted circle
Examples: LinkedIn, Google, FB
Data classification per trust range
KSF
• Technology needs to know the data in order to know 'how' and 'where' to manage and protect it.
• The term 'leak' refers to the breach of boundaries by the respective classification.
• The federation also constitutes the constituency of each classification.
• Develop department-specific special features.
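The two Data Centric Security slides together describe one decision: a gateway reads the classification metatag on the data, maps the classification to the widest circle of trust it may reach, and treats anything going beyond that circle as a leak. The following is an added example written for this page, not code from the slides or from any DLP product. The circle membership table, the classification-to-circle mapping, the partner domains and the sample transfers are all constructed; "xyz.co.kw" is the placeholder organisation domain already used on the slide.

```python
"""Gateway DLP decision from classification metatags and circles of trust.
Added example for this page; all tables and inputs are constructed."""

# Which circle of trust a destination domain belongs to (constructed, following the slide's rings).
# Any domain not listed here, e.g. gmail.com, falls in the untrusted circle.
TRUST_CIRCLES = {
    "xyz.co.kw": "org",                 # the organisation itself
    "bank.example.sa": "federation",    # federated member in KSA (constructed)
    "bank.example.ae": "federation",    # federated member in UAE (constructed)
    "vendor.example.com": "partner",    # 3rd-party partner (constructed)
}
CIRCLE_RANK = {"org": 0, "federation": 1, "partner": 2, "untrusted": 3}

# Widest circle each classification may reach; crossing it is the 'leak' the slide defines.
CLASSIFICATION_REACH = {
    "public": "untrusted",
    "internal": "partner",
    "confidential": "federation",
    "restricted": "org",
}


def circle_of(recipient):
    """Map a recipient (mail address, URL host, or a channel placeholder such as
    '<removable-media>') to its circle of trust; unknown means untrusted."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return TRUST_CIRCLES.get(domain, "untrusted")


def read_classification(metatags, default="restricted"):
    """Read the classification metatag. Unlabelled or unknown labels are treated
    as the most restrictive class so that the gateway fails closed."""
    value = (metatags or {}).get("classification", "").lower()
    return value if value in CLASSIFICATION_REACH else default


def dlp_decision(metatags, recipients, channel):
    """Decide allow/block for one transfer and list the recipients that would
    constitute a leak. 'channel' (mail, web, usb) is carried into the result so
    the SIEM can trend leakage per gateway."""
    cls = read_classification(metatags)
    allowed_rank = CIRCLE_RANK[CLASSIFICATION_REACH[cls]]
    leak_to = [r for r in recipients if CIRCLE_RANK[circle_of(r)] > allowed_rank]
    return {
        "channel": channel,
        "classification": cls,
        "action": "block" if leak_to else "allow",
        "leak_to": leak_to,
    }


if __name__ == "__main__":
    # Constructed sample transfers, one per gateway on the slide.
    samples = [
        ({"classification": "Confidential"}, ["alice@bank.example.sa"], "mail"),
        ({"classification": "Confidential"}, ["alice@bank.example.sa", "bob@gmail.com"], "mail"),
        ({}, ["ops@vendor.example.com"], "web"),                 # unlabelled document
        ({"classification": "public"}, ["someone@gmail.com"], "web"),
        ({"classification": "internal"}, ["<removable-media>"], "usb"),
    ]
    for tags, rcpts, chan in samples:
        print(dlp_decision(tags, rcpts, chan))
```

The same decision function serves the mail gateway, the Web gateway behind the SSL offloader and the endpoint client for removable media; only the recipient representation differs. The fail-closed default for unlabelled data is a design choice: it pushes the cost of missing metatags onto the classification process rather than onto the leak-control boundary.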
Thank you